cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1153
Views
0
Helpful
5
Replies

VRF Lite return traffic

noobieee7
Level 1
Level 1

Hi,

My current setup is as below:

PE - Internal Switch - Firewall - DMZ switch - Internet

Between the PE and Internal Switch , I am running eBGP with multiple VRF.

As there is a need for some VRF customers to reach the DMZ switch, I have inputted the following routes on the switch

ip route vrf A 0.0.0.0 0.0.0 "Firewall IP" global

ip route vrf B 0.0.0.0 0.0.0 "Firewall IP" global

I am wondering if the return traffic from the firewall knows how to reach individual vrf range on the Internal Switch?

5 Replies 5

njangale
Cisco Employee
Cisco Employee

Hi,

I think this should not work. The reason i am saying is that the traffic from individual vrf's will be routed to the firewall, however the return traffic, even though there is return route, it would not enter the the VRF's. It means it will end up in Global routing table.You need to have individual links for each VRF from the internal switch to the firewall.

The info provided is limited. If elaborate then the picture would be clear.

Thanks

Nishant

Marwan ALshawi
VIP Alumni
VIP Alumni

i think the information provided not detailed enough to give you the

e exact answer

however based on what did you provided you could use one of the fowling ways

1- use vrf aware nating ( you have switch not sure if its ssupported)!!

2- use VLAN interface for each VRF and in the FW use two separate interface or sub interfaces and make the communication of each VRF direct using the corresponding SVI/VRF interface

3- in the switch for returning traffic you can use the following concept

10.1.1.0 vlan 10 and vrf A internal switch

ip route 10.1.1.0 255.255.255.0 vlan 10

this network need to be added to the firewall as well through a static route point to the switch interface for returning traffic

good luck

if helpful rate

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Noobiee,

>> I am wondering if the return traffic from the firewall knows how to reach individual vrf range on the Internal Switch?

it is not only a question of routing knowledge, you need to provide a return path in the forwarding plane.

Probably the best solution is to propagate VRFs to the firewall using Vlan and subinterfaces, one vlan for each VRF.

the firewall can use multiple contexts to match with the multiple VRFs and on each context it can have a static route for return traffic that will use the Vlan associated to the VRF.

Hope to help

Giuseppe

noobieee7
Level 1
Level 1

Hi all,

Many thanks for your suggestions.

I am thinking of introducing another VRF switch and server with dual nic cards to route between the Private Cloud and the Internet. Any issue with this setup. Its seems to be cleaner.

PE - VRF switch - (nic 0) Internal Server (nic 1) - Internal Switch - Firewall - DMZ switch - Internet

Regards,

Hello noobie,

>> Any issue with this setup.

you are going to use a server with two NICs to perform interworking not the best solution in terms of reliability.

what if the server OS crashes?

no redundancy is present in the solution and the server is a single point of failure.

Hope to help

Giuseppe

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: