VRF-Lite to emulate Routers on 3750E

Apr 19th, 2010

Hi All,

I am looking at emulating a system similar to the following using VRF-lite on a 3750.  Please see the attached diagram.



To explain:

1) The hosts share "Virtual IP addresses" and announce which ones they have to the upstream routers, then on up to the firewall and the rest of the network.  These routers are responsible for informing the firewall so it knows the precise path to any VIP.  Any VIP could be on any host at any time.

2) There are always two paths to each host.  Each interface on each host is in a small subnet with the router interface it is connected to.

3) The routers and hosts are geographically separate.  The firewall joins them together.

The whole idea is to ensure there is always a path to the VIPs, and that there is at least always one path to any host.


Basically, this is an emulation of a redundant pair of layer 3 switches at each site.


What I want to try and do is create this inside a single layer 3 switch for testing and development purposes.


I would imagine that to do this would require say 4 VRFs, two for each site.  Each one running BGP to communicate to the hosts, and EIGRP to communicate to the firewall (needed because it doesn't support BGP, go figure)


I have a stack of 3750s in the network that can accomplish this.  They are however production and I would not want to play around with them until I have a plausible plan documented.


Can someone please look over this and let me know if it is plausible, and any apparent pitfalls?


I understand it is a crazy scenario, but I am stuck with it.

Cheers

Giuseppe Larosa Mon, 04/19/2010 - 22:39
Hello John,

Generally speaking, doing testing on a production network is not recommended.


In this specific case the use of 4 VRFs can emulate the presence of 4 VRFs on 4 different PE nodes with the only difference that all the BGP activity is confined on the single node.


The capability to interconnect different VRFs requires the import and export of multiple route targets.


ip vrf VRFA
 rd 100:1
 route-target export 100:101
 route-target import 100:101
 ! for the other VRFs
 route-target import 100:102
 route-target import 100:103
 route-target import 100:104

ip vrf VRFB
 rd 100:2
 route-target export 100:102
 route-target import 100:102
 ! for the other VRFs
 route-target import 100:101
 route-target import 100:103
 route-target import 100:104

and so on


Under BGP, an address-family for each VRF is needed:

router bgp 100
 address-family ipv4 vrf VRFA
  redistribute connected
  no auto-summary
 !
 address-family ipv4 vrf VRFB
  redistribute connected
  no auto-summary
 !

and so on


Notice that you need an appropriate feature set to support VRF-lite, and also the SDM template may need to be changed.


>> To use multi-VRF CE, you must have the IP services image installed on your switch.

A Catalyst 3750 switch supports one global network and up to 26 VRFs.


http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swiprout.html#wp1319235



So even if, by its technological properties, VRF-lite can be zero-impact, the need for an IOS upgrade, for example, or the need to change the SDM template both require a reload.





Hope to help

Giuseppe
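
An added example, not part of the original reply: importing every other VRF's route target removes the routing separation between the VRFs, so it is worth checking which VRFs actually receive routes from which before touching a production stack. The Python below parses `ip vrf` stanzas and reports that; the sample config is constructed from the snippet above, and VRFC (with `rd 100:3`) is a hypothetical VRF that imports only its own target.

```python
import re

# Constructed sample: VRFA and VRFB follow the reply above (VRFB trimmed);
# VRFC is hypothetical and imports only its own route target.
SAMPLE = """
ip vrf VRFA
 rd 100:1
 route-target export 100:101
 route-target import 100:101
 route-target import 100:102
 route-target import 100:103
 route-target import 100:104
ip vrf VRFB
 rd 100:2
 route-target export 100:102
 route-target import 100:102
 route-target import 100:101
ip vrf VRFC
 rd 100:3
 route-target export 100:103
 route-target import 100:103
"""

def parse_vrfs(config):
    """Return {vrf: {"export": set, "import": set}} from IOS 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip vrf (\S+)$", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
            continue
        m = re.match(r"route-target (export|import|both) (\S+)$", line)
        if m and current is not None:
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
    return vrfs

def leaks(vrfs):
    """Map each VRF to the other VRFs whose exported routes it imports."""
    return {name: sorted(other for other, o in vrfs.items()
                         if other != name and rt["import"] & o["export"])
            for name, rt in vrfs.items()}

def dangling_imports(vrfs):
    """Imported route targets that no parsed VRF exports."""
    exported = set().union(*(v["export"] for v in vrfs.values()))
    return {n: sorted(v["import"] - exported)
            for n, v in vrfs.items() if v["import"] - exported}
```

On the sample, VRFA receives VRFC's routes while VRFC receives nothing from VRFA, which shows that leaking is one-way unless both sides import; `100:104` is reported as imported but exported by no VRF.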

jstevensunico Mon, 04/19/2010 - 23:14

Thanks Giuseppe,

I guess what I wasn't clear on is our Production Network supports hosts and systems that are mostly used for testing and development.  We (I) created an emulation of the required structure using a Linux host, but during load testing the host becomes unstable, impacting delivery timelines.  As we cannot afford (space as well as financial reasons) to purchase and install 4 routers in the network, I am hoping to be able to accomplish this in our existing network.


Thanks for your response, it is quite enlightening.  We are running universal IOS, not IP services, so it looks like a small outage on the core switches.


Cheers
