VRF Lite return traffic

Unanswered Question
Feb 24th, 2010


My current setup is as below:

PE - Internal Switch - Firewall - DMZ switch - Internet

Between the PE and Internal Switch , I am running eBGP with multiple VRF.

As there is a need for some VRF customers to reach the DMZ switch, I have inputted the following routes on the switch

ip route vrf A 0.0.0.0 0.0.0.0 "Firewall IP" global

ip route vrf B 0.0.0.0 0.0.0.0 "Firewall IP" global

I am wondering if the return traffic from the firewall knows how to reach individual vrf range on the Internal Switch?

njangale Wed, 02/24/2010 - 13:38


I think this should not work. The reason I am saying this is that the traffic from the individual VRFs will be routed to the firewall; however, the return traffic, even though there is a return route, would not enter the VRFs. It means it will end up in the global routing table. You need to have individual links for each VRF from the internal switch to the firewall.

The info provided is limited. If elaborate then the picture would be clear.



Marwan ALshawi Wed, 02/24/2010 - 19:51

I think the information provided is not detailed enough to give you the exact answer.

However, based on what you provided, you could use one of the following ways:

1- use VRF-aware NATing (you have a switch, not sure if it's supported)!!

2- use a VLAN interface for each VRF and, in the FW, use two separate interfaces or subinterfaces, and make the communication of each VRF direct using the corresponding SVI/VRF interface

3- in the switch, for returning traffic you can use the following concept: vlan 10 and vrf A on the internal switch

ip route vlan 10

This network needs to be added to the firewall as well, through a static route pointing to the switch interface, for returning traffic.

good luck

if helpful rate

Giuseppe Larosa Thu, 02/25/2010 - 00:49

Hello Noobiee,

>> I am wondering if the return traffic from the firewall knows how to reach individual vrf range on the Internal Switch?

It is not only a question of routing knowledge; you need to provide a return path in the forwarding plane.

Probably the best solution is to propagate VRFs to the firewall using Vlan and subinterfaces, one vlan for each VRF.

The firewall can use multiple contexts to match the multiple VRFs, and on each context it can have a static route for return traffic that will use the VLAN associated with the VRF.

Hope to help
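The one-VLAN-per-VRF design suggested above, written out as an added example (not configuration from the thread): the original global-bound defaults shown first, then a VRF-lite internal switch trunking a dedicated VLAN per VRF to the firewall so that each VRF's default route, and the firewall's return route, stay inside that VRF. VLAN numbers, VRF names, interface names and all addresses are assumptions constructed for the example.

```cisco
! Added example, not from the original thread. All values below are constructed.
! Assumed: VRF A customers in 10.1.0.0/16, VRF B customers in 10.2.0.0/16,
! firewall reached over VLAN 110 (VRF A) and VLAN 120 (VRF B) via Gi1/0/1.
!
! --- Before: defaults leak into the global table. Outbound packets reach the
! firewall, but replies arrive in the global table, which holds no VRF A/B prefixes.
ip route vrf A 0.0.0.0 0.0.0.0 192.0.2.1 global
ip route vrf B 0.0.0.0 0.0.0.0 192.0.2.1 global
!
! --- After: one VLAN per VRF toward the firewall, default route kept inside the VRF.
ip vrf A
 rd 65000:1
ip vrf B
 rd 65000:2
!
vlan 110,120
!
interface Vlan110
 description VRF A <-> firewall (assumed addressing)
 ip vrf forwarding A
 ip address 10.255.110.2 255.255.255.0
!
interface Vlan120
 description VRF B <-> firewall (assumed addressing)
 ip vrf forwarding B
 ip address 10.255.120.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 description 802.1Q trunk to firewall, only the per-VRF VLANs allowed
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 110,120
!
! Each VRF's default points at the firewall address on its own VLAN, no "global" keyword.
ip route vrf A 0.0.0.0 0.0.0.0 10.255.110.1
ip route vrf B 0.0.0.0 0.0.0.0 10.255.120.1
!
! Firewall side (vendor-neutral sketch, assumed): one subinterface per VLAN and a
! static route for each VRF's customer range back through that subinterface:
!   vlan110  10.255.110.1/24   route 10.1.0.0/16 via 10.255.110.2
!   vlan120  10.255.120.1/24   route 10.2.0.0/16 via 10.255.120.2
!
! Verification from the switch: the default must show up per VRF, not in global.
!   show ip route vrf A 0.0.0.0
!   show ip route vrf B 0.0.0.0
!   ping vrf A 10.255.110.1
```

Because the firewall now has a distinct next hop per VRF, overlapping customer ranges in A and B are also kept apart, which the single global default route cannot do.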


noobieee7 Thu, 02/25/2010 - 06:08

Hi all,

Many thanks for your suggestions.

I am thinking of introducing another VRF switch and a server with dual NIC cards to route between the Private Cloud and the Internet. Any issue with this setup? It seems to be cleaner.

PE - VRF switch - (nic 0) Internal Server (nic 1) - Internal Switch - Firewall - DMZ switch - Internet


Giuseppe Larosa Thu, 02/25/2010 - 11:23

Hello noobie,

>> Any issue with this setup.

You are going to use a server with two NICs to perform interworking, not the best solution in terms of reliability.

What if the server OS crashes?

No redundancy is present in the solution, and the server is a single point of failure.

Hope to help


