multi vrf-lite same switch (3750)

yann.boulet
Level 1

Hi all,

I am a new VRF-lite user. In my labs, I want to isolate traffic on the same routing equipment, which is a C3750.

See below my network schema attached.

This is a new network so I have to create it. I have 3 security contexts and four areas on 2 contexts. I want to virtualize all the routers on the schema using only one 3750; I think VRF-lite is the best. My problem is how to create what I call in the schema the "interco" network in AREA3, AREA4, AREA3 and AREA4B, because 3 L3 interfaces should be in the same VLAN?

Thank you for your help

23 Replies

Giuseppe Larosa
Hall of Fame

Hello Yann,

I don't see any attached file.

However, VRF-lite allows also to configure forms of VRF communication.

Some of these forms don't need a direct link but work on the route-target level.

Attach the file with your schema and then it is possible to go on with this discussion.

Hope to help

Giuseppe

I post again my network schema; can you please give me some advice?

Hi,

Can anybody give me some help to configure my network? I want to create routing contexts on my 3750.

Thx

Yann.

I'll try a suggestion for you to try out. I have not verified it myself in testlab.

Make a VRF for each router and assign the appropriate number of physical interfaces to each VRF. E.g. the router interconnecting area 2 to the firewall would need an L3 interface ("no switchport" and IP address) facing the firewall and an L3 interface to each LAN in area 2. This is in total three physical ports in one VRF.

Likewise with the other routers.

Then you could make separate VLAN for interconnecting the various pieces. This can be done in one VRF per link in order to make sure that you don't get any shortcuts.

Then interconnect it all with a lot of short RJ45 cables.

I hope you have a 48-port Cat3750 because you will use quite a lot of ports!

And remember to put all the port numbers on your drawing or you will lose track of what you have made.

There might be other ways, but this should give you what you want in a basic way. Post back the results.

HTH, Ingolf

Yann,

Here is a sample config for VRF:

ip vrf cust-A
 rd 101:101
 export map to-cust-b
 route-target import 101:101
 route-target import 201:202
!
ip vrf cust-B
 rd 201:201
 export map to-cust-a
 route-target import 201:201
 route-target import 101:102
!
interface Loopback101
 ip vrf forwarding cust-A
 ip address 101.101.101.101 255.255.255.255
!
interface Loopback201
 ip vrf forwarding cust-B
 ip address 201.201.201.201 255.255.255.255
!
router bgp 65222
 address-family ipv4 vrf cust-B
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust-A
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family

HTH

Reza

Hello Reza,

just to add one note

Yann would like to have some inter VRF communication.

To be able to do this in a "logical way", a subset of routes of VRFA that should be seen on VRFB has to be exported with an additional route-target so that it can be imported on VRFB.

Let's use route-target 201:5555 as the route-target for the inter-VRF communication,

so we need to add to Reza's template:

ip vrf VRFA
 route-target import 201:5555
 export map VRFAtoALL
!
ip vrf VRFB
 route-target import 201:5555
 export map VRFBtoALL

These are route-maps (route filters) that decide which routes have to be visible in the other VRFs:

access-list 11 permit 10.10.10.0 0.0.0.255
!
route-map VRFAtoALL permit 10
 match ip address 11
 set extcommunity rt 201:5555

Similar for the other ones.

note: no empty final block is needed in the route-maps

All this performs at the logical level (in multiprotocol BGP) what Ingolf is suggesting you perform with wires.

That can be an acceptable solution if there are only 3 VRFs, but it is not scalable.

PS:

Yann: sorry I had missed your update to the thread.

Hope to help

Giuseppe

Hi all,

Thank you for your replies.

My question is for Ingolf: your proposal is to dedicate physical switch interfaces as if I had a physical router with physical interfaces. It could be a solution, but it's a 24-port switch, so I will use a lot of ports, as you say, and it's not very scalable. I don't know why I can't use VLANs to do that?

For Reza: what is the goal of the loopback interfaces? Why do these interfaces not belong to VLANs?

I want to use VRF to create routing contexts on the same equipment; it will be my router for everything except for the default router of each area, which will be the firewall.

If I have this : LAN A --> ROUTER A IF1 --> ROUTER A IF2 --> ROUTER B IF1 --> ROUTER B IF2 --> physical FIREWALL B IF1

In my configuration I should have:

- LAN A + ROUTER A IF1 = L3 VLAN
- ROUTER A IF2 = L3 VLAN
- ROUTER B IF1 = L3 VLAN
- ROUTER A IF2 + ROUTER B IF1 = SAME VLAN because directly connected. How can I manage on the same physical equipment two virtual L3 interfaces on the same LAN?

For the last interface it should be:

- ROUTER B IF2 = L3 VLAN
- physical FIREWALL B IF2 = BELONGS to ROUTER B IF2 VLAN.

Thank you.

Hi Giuseppe,

Sorry, I had forgotten to post the route-map, access list and the static routes in my original post.

Here they are:

route-map to-cust-b permit 5
 match ip address 100
 set extcommunity rt 101:101 101:102
!
route-map to-cust-a permit 5
 match ip address 101
 set extcommunity rt 201:201 201:202
!
access-list 100 permit ip 103.103.103.0 0.0.0.255 any
access-list 101 permit ip 203.203.203.0 0.0.0.255 any
!
ip route vrf cust-A 101.101.101.0 255.255.255.0 Null0
ip route vrf cust-A 102.102.102.0 255.255.255.0 Null0
ip route vrf cust-A 103.103.103.0 255.255.255.0 Null0
ip route vrf cust-B 201.201.201.0 255.255.255.0 Null0
ip route vrf cust-B 202.202.202.0 255.255.255.0 Null0
ip route vrf cust-B 203.203.203.0 255.255.255.0 Null0

So, with this configuration:

- cust-A can see its own routes and only 203.203.203/24.
- cust-B can see its own routes and only 103.103.103/24, and not the other subnets.

Thanks,

Reza

Hello Reza,

>> Sorry, I had forgotten to post the route-map, access list and the static routes in my original post.

Don't worry, I had totally missed the thread follow-up ...

Best Regards

Giuseppe

Hi Yann.

As I said, it was a simple suggestion which does not scale well. I am glad to see suggestions as the one from Giuseppe because it looks much more elegant and easier to implement, so I'd strongly advise to follow that one.

HTH, Ingolf

Hi all,

Many thanks to all for your replies, this community is very helpful!!

Thank you for the VRF configuration, but it does not answer one question: how can I manage this on the same physical equipment?

VLAN1 is a layer 3 VLAN with the default router for this LAN. This router, which is a virtual one, has a second interface connected to an L3 VLAN2, and it has to communicate with another router in the same L3 VLAN2. So how can I have TWO L3 virtual interfaces in the same VLAN? What is the goal of loopback interfaces if they cannot belong to a VLAN?

To describe it: FW1 (route 0.0.0.0) --> R2 IF2 --> R2 IF1 (vlan2) --> R1 IF2 --> R1 IF1 --> (vlan1)

Thank you once again

Hello Yann,

We may have misunderstood your needs.

If there is an external firewall that is part of the picture, the role of inter-VRF communication can be given to the FW, and all you need are the appropriate static routes in each VRF context.

The FW can act as a bridge joining two broadcast domains:

- one VRF uses vlan 2 and has a specific IP subnet, like 10.2.2.2/24
- the second VRF uses vlan 22 and has an IP address like 10.2.2.3/24

Or simply, as suggested by Ingolf, you can use a crossover cable to join vlan 2 and vlan 22.

Be aware that for successful communication one SVI needs to use a modified MAC address:

int vlan 22
 mac-address

We have done this on C6500 with FWSM firewall blade used as a transparent bridge.

Hope to help

Giuseppe
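As an added example (it is not configuration from this thread, from Cisco, or from Yann's lab), here is the bridged-interco design Giuseppe describes, written out for the two-router case Yann drew: R1 and R2 are VRFs on the same 3750, R1's second interface (SVI in VLAN 22) and R2's first interface (SVI in VLAN 2) share the subnet 10.2.2.0/24, and either a crossover cable between two access ports or a transparent firewall joins the two VLANs. Every VRF name, VLAN ID, port number, subnet, the firewall address and the SVI MAC address below are assumptions chosen for the illustration; a third virtual router would add one more VLAN/SVI pair in that subnet and one more bridged leg.

```cisco
! Added example, not part of the original thread.
! Names, VLAN IDs, ports, subnets and the MAC address are assumptions.
!
ip vrf R1
 rd 65000:1
!
ip vrf R2
 rd 65000:2
!
vlan 1,2,22,100
!
! R1: LAN side (R1 IF1) and its interco leg (R1 IF2).
! "ip vrf forwarding" must come before "ip address": applying it
! removes any address already configured on the SVI.
interface Vlan1
 description LAN A - R1 IF1
 ip vrf forwarding R1
 ip address 10.1.1.1 255.255.255.0
!
! Second SVI in the same subnet as Vlan2, but in VRF R1 and VLAN 22.
! The MAC is a locally administered placeholder (assumption); it only
! has to differ from the Vlan2 SVI so the two ends of the bridged
! segment do not share one MAC address.
interface Vlan22
 description R1 IF2 - interco towards R2
 ip vrf forwarding R1
 ip address 10.2.2.3 255.255.255.0
 mac-address 0200.0000.0022
!
! R2: interco leg (R2 IF1) and uplink towards FW1 (R2 IF2).
interface Vlan2
 description R2 IF1 - interco towards R1
 ip vrf forwarding R2
 ip address 10.2.2.2 255.255.255.0
!
interface Vlan100
 description R2 IF2 - towards FW1
 ip vrf forwarding R2
 ip address 10.100.0.2 255.255.255.0
!
! Physical side: two access ports joined by a crossover cable bridge
! VLAN 2 and VLAN 22 (a transparent firewall can sit there instead).
! BPDU filtering stops the switch from receiving its own per-VLAN
! BPDUs back on the other VLAN through the loop cable.
interface GigabitEthernet1/0/23
 description cable to Gi1/0/24 - VLAN 2 side
 switchport mode access
 switchport access vlan 2
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/24
 description cable to Gi1/0/23 - VLAN 22 side
 switchport mode access
 switchport access vlan 22
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/1
 description FW1 inside interface
 switchport mode access
 switchport access vlan 100
!
! Static routing per context: R1 sends everything to R2 across the
! interco, R2 knows LAN A via R1 and defaults to FW1 (10.100.0.1 assumed).
ip route vrf R1 0.0.0.0 0.0.0.0 10.2.2.2
ip route vrf R2 10.1.1.0 255.255.255.0 10.2.2.3
ip route vrf R2 0.0.0.0 0.0.0.0 10.100.0.1
```

To check the result, `show ip vrf interfaces` lists which SVI landed in which context, `show ip route vrf R1` and `show ip route vrf R2` show the two separate tables, and `ping vrf R2 10.2.2.3` confirms that the bridged leg carries traffic between the two contexts. Two caveats: VRF-lite on the 3750 needs the IP services feature set, so check `show version` before building the lab, and if a transparent firewall replaces the cable, verify separately what it does with BPDUs and with ARP between the two VLANs.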

Hi Giuseppe,

Thank you for your reply. I start to understand what you mean; I thought it was not possible to have the same IP network on two different VLAN IDs.

I upload a schema of my labs with a focus. Can you give some help on how to configure what is in red colour? It's just to start my configuration.

You can consider that for all the routers I will have only one physical C3750; the default gateway is managed by the ASA.

Thank you

Hi all,

If somebody can give some help to configure my network. I don't understand something; I just want to have some help on the beginning.

Thank you

My network schema is attached in the previous message.
