09-22-2009 09:42 PM - edited 03-06-2019 07:50 AM
I have an access switch connected to two 6509 switches. I am creating a VRF for each VLAN to avoid inter-VLAN communication. Now I want to allow the management VLAN to access the non-management VLANs, but the non-management VLANs should not communicate with each other. HSRP is configured for each VLAN on the aggregation switch. (VLAN 100 is management; VLANs 101, 102, 103, 104 are the other VLANs. Only VLAN 100 should communicate with 101, 102, 103, 104, but the other VLANs should not communicate with each other.)
Can I get any sample config for this inter-VRF communication?
09-22-2009 10:47 PM
Hello Sameer,
If the number of non-management VLANs is only a few, as in your example, you can use an approach with route targets.
management VRF:
ip vrf management
rd 65000:100
route-target export 65000:100
route-target import 65000:100
route-target import 65000:101
route-target import 65000:102
...
route-target import 65000:104
other VRFs:
ip vrf VRF101
rd 65000:101
route-target import 65000:101
route-target import 65000:100
route-target export 65000:101
ip vrf VRF102
rd 65000:102
route-target import 65000:102
route-target import 65000:100
route-target export 65000:102
In this way you should achieve the desired result, that is, an extranet.
If the number of non-management VLANs is high, a different approach is possible using import and export maps in the VRF configuration.
Hope to help
Giuseppe
09-22-2009 10:59 PM
Hi
Thanks for your input. So, considering a single access switch with VLANs 100, 101, 102 connected to 2 L3 switches (6509) running HSRP, the below configuration should work, right? Please check.
6509-1
ip vrf management
rd 65000:100
route-target export 65000:100
route-target import 65000:100
route-target import 65000:101
route-target import 65000:102
ip vrf VRF101
rd 65000:101
route-target import 65000:101
route-target import 65000:100
route-target export 65000:101
ip vrf VRF102
rd 65000:102
route-target import 65000:102
route-target import 65000:100
route-target export 65000:102
interface Vlan100
description Mgmt_VLAN
ip vrf forwarding management
ip address 192.168.100.1 255.255.255.0
standby 1 ip 192.168.100.3
standby 1 priority 110
!
interface Vlan101
description vlan_101
ip vrf forwarding VRF101
ip address 192.168.101.1 255.255.255.0
standby 1 ip 192.168.101.3
standby 1 priority 110
!
interface Vlan102
description vlan_102
ip vrf forwarding VRF102
ip address 192.168.102.1 255.255.255.0
standby 1 ip 192.168.102.3
standby 1 priority 110
6509-2
ip vrf management
rd 65000:100
route-target export 65000:100
route-target import 65000:100
route-target import 65000:101
route-target import 65000:102
ip vrf VRF101
rd 65000:101
route-target import 65000:101
route-target import 65000:100
route-target export 65000:101
ip vrf VRF102
rd 65000:102
route-target import 65000:102
route-target import 65000:100
route-target export 65000:102
interface Vlan100
description Mgmt_VLAN
ip vrf forwarding management
ip address 192.168.100.2 255.255.255.0
standby 1 ip 192.168.100.3
!
interface Vlan101
description vlan_101
ip vrf forwarding VRF101
ip address 192.168.101.2 255.255.255.0
standby 1 ip 192.168.101.3
!
interface Vlan102
description vlan_102
ip vrf forwarding VRF102
ip address 192.168.102.2 255.255.255.0
standby 1 ip 192.168.102.3
*The trunk connecting the 2 switches will have all VLANs spanned (100, 101, 102).
09-22-2009 11:17 PM
Hello Sameer,
This looks fine.
Perform some tests. The solution is good if there are only a few VLANs/VRFs you want to reach from management.
Hope to help
Giuseppe
09-22-2009 11:21 PM
Hi
I would have around 100 VLANs of this type. Could you let me know the way to address this, considering the scalability issue you mentioned in your 1st post?
09-23-2009 01:28 AM
Hi Giuseppe
Can you please share with me an example scenario using import/export maps in VRF for inter-VRF communication?
09-23-2009 03:37 AM
Hi Giuseppe
I have created the config file for VRF communication using import/export maps. Please check and let me know if anything is missing.
Setup
Management VLAN 100 === 192.168.100.0/24
Non-management VLANs 101 to 200 === 192.168.101.0/24 to 192.168.200.0/24
ip prefix-list customer seq 5 permit 192.168.101.0/24
ip prefix-list customer seq 10 permit 192.168.102.0/24
...
ip prefix-list customer seq 500 permit 192.168.200.0/24
ip prefix-list management seq 5 permit 192.168.100.0/24
ip vrf management
rd 65000:100
route-target export 65000:100
route-target import 65000:100
import ipv4 unicast map customer
ip vrf VRF101
rd 65000:101
route-target import 65000:101
route-target export 65000:101
import ipv4 unicast map management
...
ip vrf VRF200
rd 65000:200
route-target import 65000:200
route-target export 65000:200
import ipv4 unicast map management
route-map customer permit 10
match ip address prefix-list customer
route-map management permit 10
match ip address prefix-list management
interface Vlan100
description Mgmt_VLAN
ip vrf forwarding management
ip address 192.168.100.1 255.255.255.0
standby 1 ip 192.168.100.3
standby 1 priority 110
!
interface Vlan101
description vlan_101
ip vrf forwarding VRF101
ip address 192.168.101.1 255.255.255.0
standby 1 ip 192.168.101.3
standby 1 priority 110
...
interface Vlan200
description vlan_200
ip vrf forwarding VRF200
ip address 192.168.200.1 255.255.255.0
standby 1 ip 192.168.200.3
standby 1 priority 110
6509-2
ip prefix-list customer seq 5 permit 192.168.101.0/24
ip prefix-list customer seq 10 permit 192.168.102.0/24
ip prefix-list customer seq 500 permit 192.168.200.0/24
ip prefix-list management seq 5 permit 192.168.100.0/24
ip vrf management
rd 65000:100
route-target export 65000:100
route-target import 65000:100
import ipv4 unicast map customer
ip vrf VRF101
rd 65000:101
route-target import 65000:101
route-target export 65000:101
import ipv4 unicast map management
...
ip vrf VRF200
rd 65000:200
route-target import 65000:200
route-target export 65000:200
import ipv4 unicast map management
route-map customer permit 10
match ip address prefix-list customer
route-map management permit 10
match ip address prefix-list management
interface Vlan100
description Mgmt_VLAN
ip vrf forwarding management
ip address 192.168.100.2 255.255.255.0
standby 1 ip 192.168.100.3
!
interface Vlan101
description vlan_101
ip vrf forwarding VRF101
ip address 192.168.101.2 255.255.255.0
standby 1 ip 192.168.101.3
...
interface Vlan200
description vlan_200
ip vrf forwarding VRF200
ip address 192.168.200.2 255.255.255.0
standby 1 ip 192.168.200.3
09-24-2009 10:43 AM
Hello Sameer,
It took me some time to think of a possible example.
The problem with the current approach is that it is not possible to put one hundred route-target imports in VRF management.
To get scalability:
Each VRF (VRF1, VRF2, ...) needs to use an export map where we decide which prefixes in the VRF get a small change, that is, the addition of a specific route-target.
Example:
VRF1
route-map export-to-managementVRF permit 10
match ip address X
set extcommunity rt 100:1234 additive
where X is an ACL that specifies which IP subnets need to be exported to the management VLAN.
ip vrf VRF1
rd 100:1001
route-target import 100:1022
route-target import 100:1111
route-target export 100:1022
export map export-to-managementVRF
On VRF management we simply have:
ip vrf management
rd 100:100
route-target import 100:1111
route-target export 100:1111
route-target import 100:1234
! that is a single line of import for all VRFs
To be able to apply the same route-map to all VRFs, access-list X needs lines for all the IP subnets.
Then each VRF will compare the IP subnets in its VRF routing table with the ACL lines when processing the export map.
This should work well if there is no address overlapping.
Actually only one route-target is needed from the other VRFs to management.
And this should solve the scalability issue.
If you want only some prefixes of the management VRF to be seen in the other VRFs, you can use a similar approach on VRF management itself.
Hope to help
Giuseppe
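An added example, not from the thread: a small Python model of the route-target rules discussed in this post and the earlier ones (static import/export lists and the export map with an additive RT). It computes which VRF installs which VRF's routes and checks the policy that management reaches every customer VRF while customers never see each other's routes; the config, the RT values and the assumption that ACL X matches every prefix are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed IOS snippet in the style of the thread (RT values are assumptions).
CONFIG = """
route-map export-to-managementVRF permit 10
 match ip address X
 set extcommunity rt 100:1234 additive
ip vrf management
 route-target import 100:1111
 route-target export 100:1111
 route-target import 100:1234
ip vrf VRF1
 route-target import 100:1001
 route-target import 100:1111
 route-target export 100:1001
 export map export-to-managementVRF
ip vrf VRF2
 route-target import 100:1002
 route-target import 100:1111
 route-target export 100:1002
 export map export-to-managementVRF
"""

def parse_vrfs(text):
    """{vrf: {'import': set, 'export': set}}; ACL X is assumed to match every prefix."""
    maps, vrfs, cur = defaultdict(set), {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"route-map (\S+) permit", line):
            cur = m.group(1)
        elif m := re.match(r"set extcommunity rt (\S+) additive", line):
            maps[cur].add(m.group(1))   # additive: RT is appended, not replaced
        elif m := re.match(r"ip vrf (\S+)$", line):
            cur = m.group(1)
            vrfs[cur] = {"import": set(), "export": set()}
        elif m := re.match(r"route-target (import|export) (\S+)", line):
            vrfs[cur][m.group(1)].add(m.group(2))
        elif m := re.match(r"export map (\S+)", line):
            vrfs[cur]["export"] |= maps[m.group(1)]   # export map adds its RTs
    return vrfs

def sees(vrfs, a, b):
    """True if VRF a installs routes exported by VRF b (a one-way leak)."""
    return bool(vrfs[a]["import"] & vrfs[b]["export"])

def check_policy(vrfs, mgmt="management"):
    """Management reaches every customer both ways; customers never see each other."""
    customers = [v for v in vrfs if v != mgmt]
    return (all(sees(vrfs, mgmt, c) and sees(vrfs, c, mgmt) for c in customers)
            and not any(sees(vrfs, x, y) for x in customers for y in customers if x != y))
```

Running `check_policy(parse_vrfs(CONFIG))` on a candidate config before deploying it catches the classic mistake of a customer VRF importing the shared management RT, which would leak every other customer's routes into it.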
09-24-2009 08:52 PM
Hi
Concept-wise this is clear, but I have some doubts on the config you mentioned below:
ip vrf VRF1
rd 100:1001
route-target import 100:1022
route-target import 100:1111
route-target export 100:1022
export map export-to-managementVRF
Here the RD is 1022 and we are adding RT 1234, which is imported by the management VLAN. What I understood is that for multiple networks I can have access list X which matches all the networks to be matched, the same route map is applied to all VRFs, and the particular network in the access list will be matched for that network. RT is something different, as you mentioned, which can be the same for all VRFs. Do you have any document to understand it better?
On VRF management we simply have:
ip vrf management
rd 100:100
route-target import 100:1111
route-target export 100:1111
route-target import 100:1234
I think here the RD should be 100:1111.
Please correct me if I am going wrong.
My last doubt: suppose I have the management VLAN and customer VLANs all in the same VRF. Can I put some access list to allow communication only between the management VLAN and the customer VLANs, while the customer VLANs should not communicate with each other? (The reason for doing this is that for the actual data traffic of each customer we are using a different VRF, and for management we have separate NIC connectivity with a different VLAN. Now, considering the VRF limitation of 1024 on the Cat 6509, we are making a different management VLAN for each customer which will be mapped to the same VRF where we have the management VLAN.)
== In a nutshell, is there any way to block communication between different networks within a single VRF by using some access list?
09-24-2009 10:10 PM
Hello Sameer,
>> == In a nutshell, is there any way to block communication between different networks within a single VRF by using some access list?
This is possible if they are in different subnets/SVIs/L3 interfaces: you can apply the usual access-list with the access-list group command.
However, the design may be reviewed by associating VRFs to functional roles (front end, back end, management) instead of having one or two VRFs per customer.
I understand that if you are worried about the 1024 VRF limit on the Cat6509, this means you already have hundred(s) of customers.
I would put all management VLANs/IP subnets of all customers in a single VRF.
That VRF can be implemented with a hub-and-spoke or central services design so that all VRF sites (the customer mgmt VLANs) can talk only with the central management site.
This requires the use of multiple route-target values, but it can be done and can avoid the need for access-lists.
central site VRF:
import RT1
export RT2
customer mgmt VRF
import RT2
export RT1
This is hub and spoke.
Central sites would use 3 RTs.
Hope to help
Giuseppe
09-24-2009 10:25 PM
Hi
A little confusing...
Suppose my NOC management station subnet is 192.168.100.0/24 (VLAN 100), my customer1 management network is 192.168.101.0/24 (VLAN 101) and my customer2 management network is 192.168.102.0/24 (VLAN 102). All VLANs 100-102 are mapped to, say, VRF 10. Now only 100.0/24 should talk with 101.0/24 & 102.0/24, but 101.0/24 should not talk with 102.0/24 and vice versa. Can you please let me know how the config will look? It will help me to understand it better.
09-24-2009 11:33 PM
Hi
A small change in the above design.
Suppose my NOC management station subnet is 192.168.100.0/24 (VLAN 100), my customer1 management network is 192.168.101.0/24 (VLAN 101) and my customer2 management network is 192.168.102.0/24 (VLAN 102). VLAN 100 is mapped to VRF 10 and VLANs 101-102 are mapped to, say, VRF 11. Now only 100.0/24 should talk with 101.0/24 & 102.0/24, but 101.0/24 should not talk with 102.0/24 and vice versa. Can you please let me know how the config will look? It will help me to understand it better.