Inter-vrf Communication

Unanswered Question
Sep 22nd, 2009

I have an access switch connected to two 6509 switches. I am creating a VRF for each VLAN to avoid inter-VLAN communication. Now I want to allow the management VLAN to access the non-management VLANs, but the non-management VLANs should not communicate with each other. HSRP is configured for each VLAN on the aggregation switch. (VLAN 100 is management; VLANs 101, 102, 103, 104 are the other VLANs. Only VLAN 100 should communicate with 101, 102, 103, 104; the other VLANs should not communicate with each other.)

Can I get a sample config for this inter-VRF communication?

Giuseppe Larosa Tue, 09/22/2009 - 22:47

Hello Sameer,

If the number of non-management VLANs is only a few, as in your example, you can use an approach with route targets.

management VRF:

ip vrf management
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 route-target import 65000:101
 route-target import 65000:102
 ...
 route-target import 65000:104

other VRFs:

ip vrf VRF101
 rd 65000:101
 route-target import 65000:101
 route-target import 65000:100
 route-target export 65000:101
!
ip vrf VRF102
 rd 65000:102
 route-target import 65000:102
 route-target import 65000:100
 route-target export 65000:102

In this way you should achieve the desired result, which is an extranet.

If the number of non-management VLANs is high, a different approach is possible using import and export maps in the VRF configuration.

Hope to help

Giuseppe

sameermunj Tue, 09/22/2009 - 22:59

Hi

Thanks for your input. So, considering a single access switch with VLANs 100, 101, 102 connected to two L3 switches (6509) running HSRP, the configuration below should work, right? Please check.

6509-1

ip vrf management
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 route-target import 65000:101
 route-target import 65000:102
!
ip vrf VRF101
 rd 65000:101
 route-target import 65000:101
 route-target import 65000:100
 route-target export 65000:101
!
ip vrf VRF102
 rd 65000:102
 route-target import 65000:102
 route-target import 65000:100
 route-target export 65000:102
!
interface Vlan100
 description Mgmt_VLAN
 ip vrf forwarding management
 ip address 192.168.100.1 255.255.255.0
 standby 1 ip 192.168.100.3
 standby 1 priority 110
!
interface Vlan101
 description vlan_101
 ip vrf forwarding VRF101
 ip address 192.168.101.1 255.255.255.0
 standby 1 ip 192.168.101.3
 standby 1 priority 110
!
interface Vlan102
 description vlan_102
 ip vrf forwarding VRF102
 ip address 192.168.102.1 255.255.255.0
 standby 1 ip 192.168.102.3
 standby 1 priority 110

6509-2

ip vrf management
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 route-target import 65000:101
 route-target import 65000:102
!
ip vrf VRF101
 rd 65000:101
 route-target import 65000:101
 route-target import 65000:100
 route-target export 65000:101
!
ip vrf VRF102
 rd 65000:102
 route-target import 65000:102
 route-target import 65000:100
 route-target export 65000:102
!
interface Vlan100
 description Mgmt_VLAN
 ip vrf forwarding management
 ip address 192.168.100.2 255.255.255.0
 standby 1 ip 192.168.100.3
!
interface Vlan101
 description vlan_101
 ip vrf forwarding VRF101
 ip address 192.168.101.2 255.255.255.0
 standby 1 ip 192.168.101.3
!
interface Vlan102
 description vlan_102
 ip vrf forwarding VRF102
 ip address 192.168.102.2 255.255.255.0
 standby 1 ip 192.168.102.3

* The trunk connecting the two switches will have all VLANs spanned (100, 101, 102).

Giuseppe Larosa Tue, 09/22/2009 - 23:17

Hello Sameer,

This looks fine.

Perform some tests. The solution is good if there are only a few VLANs/VRFs you want to reach from management.

Hope to help

Giuseppe

sameermunj Tue, 09/22/2009 - 23:21

Hi

I would have around 100 VLANs of this type. Could you let me know the way to address this, considering the scalability point you mentioned in your first post?

sameermunj Wed, 09/23/2009 - 01:28

Hi Giuseppe

Can you please share with me an example scenario using import/export maps in the VRF for inter-VRF communication?

sameermunj Wed, 09/23/2009 - 03:37

Hi Giuseppe

I have created the config for inter-VRF communication using import/export maps. Please check and let me know if anything is missing.

Setup

Management VLAN 100 === 192.168.100.0/24
Non-management VLANs 101 to 200 === 192.168.101-200.0/24

ip prefix-list customer seq 5 permit 192.168.101.0/24
ip prefix-list customer seq 10 permit 192.168.102.0/24
...
ip prefix-list customer seq 500 permit 192.168.200.0/24
ip prefix-list management seq 5 permit 192.168.100.0/24
!
ip vrf management
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 import ipv4 unicast map customer
!
ip vrf VRF101
 rd 65000:101
 route-target import 65000:101
 route-target export 65000:101
 import ipv4 unicast map management
...
ip vrf VRF200
 rd 65000:200
 route-target import 65000:200
 route-target export 65000:200
 import ipv4 unicast map management
!
route-map customer permit 10
 match ip address prefix-list customer
!
route-map management permit 10
 match ip address prefix-list management

interface Vlan100
 description Mgmt_VLAN
 ip vrf forwarding management
 ip address 192.168.100.1 255.255.255.0
 standby 1 ip 192.168.100.3
 standby 1 priority 110
!
interface Vlan101
 description vlan_101
 ip vrf forwarding VRF101
 ip address 192.168.101.1 255.255.255.0
 standby 1 ip 192.168.101.3
 standby 1 priority 110
...
interface Vlan200
 description vlan_200
 ip vrf forwarding VRF200
 ip address 192.168.200.1 255.255.255.0
 standby 1 ip 192.168.200.3
 standby 1 priority 110

6509-2

ip prefix-list customer seq 5 permit 192.168.101.0/24
ip prefix-list customer seq 10 permit 192.168.102.0/24
...
ip prefix-list customer seq 500 permit 192.168.200.0/24
ip prefix-list management seq 5 permit 192.168.100.0/24
!
ip vrf management
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 import ipv4 unicast map customer
!
ip vrf VRF101
 rd 65000:101
 route-target import 65000:101
 route-target export 65000:101
 import ipv4 unicast map management
...
ip vrf VRF200
 rd 65000:200
 route-target import 65000:200
 route-target export 65000:200
 import ipv4 unicast map management
!
route-map customer permit 10
 match ip address prefix-list customer
!
route-map management permit 10
 match ip address prefix-list management
!
interface Vlan100
 description Mgmt_VLAN
 ip vrf forwarding management
 ip address 192.168.100.2 255.255.255.0
 standby 1 ip 192.168.100.3
!
interface Vlan101
 description vlan_101
 ip vrf forwarding VRF101
 ip address 192.168.101.2 255.255.255.0
 standby 1 ip 192.168.101.3
...
interface Vlan200
 description vlan_200
 ip vrf forwarding VRF200
 ip address 192.168.200.2 255.255.255.0
 standby 1 ip 192.168.200.3
 standby 1 priority 110

Giuseppe Larosa Thu, 09/24/2009 - 10:43

Hello Sameer,

It took me some time to think of a possible example.

The problem with the current approach is that it is not possible to put one hundred route-target imports in the management VRF.

To get scalability: each VRF (VRF1, VRF2, ...) needs to use an export map, where we decide which prefixes in the VRF get a small change, namely the addition of a specific route-target.

Example

VRF1:

route-map export-to-managementVRF permit 10
 match ip address X
 set extcommunity rt 100:1234 additive

where X is an ACL that specifies which IP subnets need to be exported to the management VLAN.

ip vrf VRF1
 rd 100:1001
 route-target import 100:1022
 route-target import 100:1111
 route-target export 100:1022
 export map export-to-managementVRF

On the management VRF we simply have:

ip vrf management
 rd 100:100
 route-target import 100:1111
 route-target export 100:1111
 route-target import 100:1234
 ! that is a single line of import for all VRFs

To be able to apply the same route map to all VRFs, access-list X needs lines for all the IP subnets.

Then each VRF will compare the IP subnets in its VRF routing table with the ACL lines when processing the export map.

This should work well if there is no address overlapping.

Actually only one route-target is needed from the other VRFs to management.

And this should solve the scalability issue.

If you want only some prefixes of the management VRF to be seen in the other VRFs, you can use a similar approach on the management VRF itself.

Hope to help

Giuseppe

sameermunj Thu, 09/24/2009 - 20:52

Hi

Concept-wise this is clear, but I have some doubts about the config you mentioned below:

ip vrf VRF1
 rd 100:1001
 route-target import 100:1022
 route-target import 100:1111
 route-target export 100:1022
 export map export-to-managementVRF

Here the RD is 1022 and we are adding RT 1234, which is imported by the management VLAN. What I understood is that for multiple networks I can have access list X, which matches all the networks to be matched, with the same route map applied to all VRFs, and the particular network in the access list will be matched for that network. The RT is something different, as you mentioned, which can be the same for all VRFs. Do you have any document to understand it better?

On the management VRF we simply have:

ip vrf management
 rd 100:100
 route-target import 100:1111
 route-target export 100:1111
 route-target import 100:1234

I think here the RD should be 100:1111.

Please correct me if I am going wrong.

My last doubt here is: suppose I have the management VLAN and the customer VLANs all in the same VRF. Can I put some access list in place to allow communication only between the management VLAN and the customer VLANs, while the customer VLANs do not communicate with each other? (The reason for doing this is that for the actual data traffic of each customer we are using a different VRF, and for management we have separate NIC connectivity with a different VLAN. Now, considering the VRF limitation of 1024 on the Cat 6509, we are making a different management VLAN for each customer, which will be mapped to the same VRF where we have the management VLAN.)

== In a nutshell, is there any way to block communication between different networks within a single VRF by using some access list?

Giuseppe Larosa Thu, 09/24/2009 - 22:10

Hello Sameer,

>> == In a nutshell, is there any way to block communication between different networks within a single VRF by using some access list?

This is possible if they are in different subnets/SVIs/L3 interfaces: you can apply the usual access-list with the access-group command.

However, the design could be reviewed by associating VRFs with functional roles (front end, back end, management) instead of having one or two VRFs per customer.

I understand that if you are worried about the 1024 VRF limit on the Cat6509, this means you already have hundred(s) of customers.

I would put all management VLANs/IP subnets of all customers in a single VRF.

That VRF can be implemented with a hub-and-spoke or central services design, so that all VRF sites (the customer mgmt VLANs) can talk only with the central management site.

This requires the use of multiple route-target values, but it can be done and avoids the need for access lists.

central site VRF:
 import RT1
 export RT2

customer mgmt VRF:
 import RT2
 export RT1

This is hub and spoke.

Central sites would use 3 RTs.

Hope to help

Giuseppe
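The route-target designs in this thread (the per-VRF import list in the first answer, the export map with an additive RT, and the hub-and-spoke just above) all rest on the same rule: a prefix is imported into a VRF when it carries at least one RT on that VRF's import list. The following Python script is an added example, not code from the thread: it models that rule and checks that management sees every customer prefix while no customer VRF sees another customer's; the VRF names, RT values and subnets are constructed to mirror the posts, and the export map is simplified to a per-prefix set of extra RTs instead of an ACL match.

```python
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    prefixes: set                                   # connected subnets (strings)
    import_rts: set                                 # 'route-target import ...'
    export_rts: set                                 # 'route-target export ...'
    export_map: dict = field(default_factory=dict)  # prefix -> extra RTs (additive)

def exported_rts(vrf, prefix):
    """VRF-wide export RTs plus any 'set extcommunity rt ... additive' RTs."""
    return set(vrf.export_rts) | vrf.export_map.get(prefix, set())

def visible_prefixes(vrfs, dst):
    """{prefix: owner} dst imports: a route needs one RT from dst's import list."""
    return {p: src.name for src in vrfs if src is not dst for p in src.prefixes
            if exported_rts(src, p) & set(dst.import_rts)}

def isolation_violations(vrfs, hub):
    """Hub must see every other prefix; no non-hub VRF may see another non-hub
    VRF's prefix. Returns the offending tuples; an empty list means OK."""
    bad = []
    for v in vrfs:
        seen = visible_prefixes(vrfs, v)
        if v.name == hub:
            bad += [(hub, "missing", p) for o in vrfs if o is not v
                    for p in o.prefixes if p not in seen]
        else:
            bad += [(v.name, "sees", p) for p, o in seen.items() if o != hub]
    return bad

def export_map_design(n):
    """Giuseppe's scalable design: each customer VRF adds the shared RT 100:1234
    to its own prefixes via an export map, so management needs one import line."""
    vrfs = [Vrf("management", {"192.168.100.0/24"},
                {"100:1111", "100:1234"}, {"100:1111"})]
    for i in range(1, n + 1):
        p = f"192.168.{100 + i}.0/24"
        vrfs.append(Vrf(f"VRF{i}", {p}, {f"100:{1000 + i}", "100:1111"},
                        {f"100:{1000 + i}"}, {p: {"100:1234"}}))
    return vrfs

def hub_spoke_design(n):
    """Hub-and-spoke: central imports RT1/exports RT2; customers import RT2/export RT1."""
    vrfs = [Vrf("central", {"192.168.100.0/24"}, {"RT1"}, {"RT2"})]
    for i in range(1, n + 1):
        vrfs.append(Vrf(f"cust{i}", {f"192.168.{100 + i}.0/24"}, {"RT2"}, {"RT1"}))
    return vrfs
```

The check also flags the easy mistake of a customer VRF importing the shared RT 100:1234, which would expose every other customer's prefix to it, and the per-VRF import lists from the first answer can be fed in as plain Vrf objects without an export map.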

sameermunj Thu, 09/24/2009 - 22:25

Hi

A little confusing...

Suppose my NOC management station subnet is 192.168.100.0/24 (VLAN 100), my customer1 management network is 192.168.101.0/24 (VLAN 101) and my customer2 management network is 192.168.102.0/24 (VLAN 102). All VLANs 100-102 are mapped to, say, VRF 10. Now only 100.0/24 should talk with 101.0/24 and 102.0/24, but 101.0/24 should not talk with 102.0/24 and vice versa. Can you please let me know how the config will look? It will help me to understand it better.

sameermunj Thu, 09/24/2009 - 23:33

Hi

A small change in the above design.

Suppose my NOC management station subnet is 192.168.100.0/24 (VLAN 100), my customer1 management network is 192.168.101.0/24 (VLAN 101) and my customer2 management network is 192.168.102.0/24 (VLAN 102). VLAN 100 is mapped to VRF 10 and VLANs 101-102 are mapped to, say, VRF 11. Now only 100.0/24 should talk with 101.0/24 and 102.0/24, but 101.0/24 should not talk with 102.0/24 and vice versa. Can you please let me know how the config will look? It will help me to understand it better.
