I am a new VRF-lite user; in my labs I want to isolate traffic on the same routing equipment, which is a C3750.
See my network schema attached below.
This is a new network, so I have to create it. I have 3 security contexts and four areas on 2 contexts. I want to virtualize all the routers on the schema using only one 3750; I think VRF-lite is the best option. My problem is how to create what I call in the schema the "interco" network in AREA3, AREA4, AREA3 and AREA4B, because 3 L3 interfaces should be in the same VLAN?
Thank you for your help.
I don't see any attached file.
However, VRF-lite also allows you to configure forms of VRF communication.
Some of these forms don't need a direct link but work at the route-target level.
Attach the file with your schema and then it is possible to go on with this discussion.
Hope to help
I'll try a suggestion for you to try out. I have not verified it myself in a test lab.
Make a VRF for each router and assign the appropriate number of physical interfaces to each VRF. E.g. the router interconnecting area 2 to the firewall would need a L3 interface ("no switchport" and IP address) facing the firewall and a L3 interface to each LAN in area 2. This is in total three physical ports in one VRF.
Likewise with the other routers.
Then you could make separate VLANs for interconnecting the various pieces. This can be done in one VRF per link in order to make sure that you don't get any shortcuts.
Then interconnect it all with a lot of short RJ45 cables.
I hope you have a 48-port Cat3750 because you will use quite a lot of ports!
And remember to put all the port numbers on your drawing or you will lose track of what you have made.
There might be other ways, but this should give you what you want in a basic way. Post back the results.
Here is a sample config for VRF:
ip vrf cust-A
 ! rd is required before the VRF can be activated in BGP (value assumed here)
 rd 101:101
 export map to-cust-b
 route-target import 101:101
 route-target import 201:202
!
ip vrf cust-B
 rd 201:201
 export map to-cust-a
 route-target import 201:201
 route-target import 101:102
!
! one loopback per VRF, used as a test address inside each VRF
interface Loopback0
 ip vrf forwarding cust-A
 ip address 126.96.36.199 255.255.255.255
!
interface Loopback1
 ip vrf forwarding cust-B
 ip address 188.8.131.52 255.255.255.255
!
! MP-BGP carries the route-targets between the VRFs, even on a single box;
! the export maps only act on routes that are redistributed into BGP
router bgp 65222
 address-family ipv4 vrf cust-B
  redistribute connected
  redistribute static
 exit-address-family
 address-family ipv4 vrf cust-A
  redistribute connected
  redistribute static
 exit-address-family
Just to add one note.
Yann would like to have some inter-VRF communication.
To be able to do this in a "logical way", a subset of routes of VRFA that should be seen on VRFB has to be exported with an additional route-target so that it can be imported on VRFB.
Let's use route-target 201:5555 as the route-target for the inter-VRF communication,
so we need to add to Reza's template:
ip vrf VRFA
 ! the route-map below is applied as the export map of the VRF
 export map VRFAtoALL
 route-target import 201:5555
!
ip vrf VRFB
 route-target import 201:5555
These are the route-maps (route filters) that decide which routes have to be visible on the other VRFs:
access-list 11 permit 10.10.10.0 0.0.0.255
!
route-map VRFAtoALL permit 10
 match ip address 11
 set extcommunity rt 201:5555
Similar for the other ones.
Note: no empty final block is needed in the route-maps.
All this performs at the logical level (in multiprotocol BGP) what Ingolf is suggesting you perform with wires.
That can be an acceptable solution if there are only 3 VRFs, but it is not scalable.
Yann: sorry I had missed your update to the thread.
Hope to help
Thank you for your replies.
My question is for Ingolf: your proposal is to dedicate physical switch interfaces as if I had a physical router with physical interfaces. It could be a solution, but it's a 24-port switch, so I will use a lot of ports as you say, and it's not very scalable. I don't know why I can't use VLANs to do that?
For Reza: what is the goal of the loopback interfaces, and why do these interfaces not belong to VLANs?
I want to use VRFs to create routing contexts on the same equipment; it will be my router for everything except for the default router for each area, which will be the firewall.
If I have this: LAN A --> ROUTER A IF1 --> ROUTER A IF2 --> ROUTER B IF1 --> ROUTER B IF2 --> physical FIREWALL B IF1
In my configuration I should have:
- LAN A + ROUTER A IF1 = L3 VLAN
- ROUTER A IF2 = L3 VLAN
- ROUTER B IF1 = L3 VLAN
- ROUTER A IF2 + ROUTER B IF1 = SAME VLAN because directly connected. How can I manage on the same physical equipment two virtual L3 interfaces on the same LAN?
For the last interface it should be:
- ROUTER B IF2 = L3 VLAN
- physical FIREWALL B IF2 = BELONGS to ROUTER B IF2 VLAN.
Sorry, I had forgotten to post the route-map, access list and the static routes in my original post.
Here they are:
route-map to-cust-b permit 5
 match ip address 100
 set extcommunity rt 101:101 101:102
!
route-map to-cust-a permit 5
 match ip address 101
 set extcommunity rt 201:201 201:202
!
access-list 100 permit ip 184.108.40.206 0.0.0.255 any
access-list 101 permit ip 220.127.116.11 0.0.0.255 any
!
ip route vrf cust-A 18.104.22.168 255.255.255.0 Null0
ip route vrf cust-A 22.214.171.124 255.255.255.0 Null0
ip route vrf cust-A 126.96.36.199 255.255.255.0 Null0
ip route vrf cust-B 188.8.131.52 255.255.255.0 Null0
ip route vrf cust-B 184.108.40.206 255.255.255.0 Null0
ip route vrf cust-B 220.127.116.11 255.255.255.0 Null0
So, with this configuration:
cust-A can see its own routes and only 203.203.203/24;
cust-B can see its own routes and only 103.103.103/24, and not the other subnets.
>> Sorry, I had forgotten to post the route-map, access list and the static routes in my original post.
Don't worry, I had totally missed the thread follow-up ...
As I said, it was a simple suggestion which does not scale well. I am glad to see suggestions like the one from Giuseppe because it looks much more elegant and easier to implement, so I'd strongly advise following that one.
Many thanks to all for your replies; this community is very helpful!!
Thank you for the VRF configuration, but it does not answer one question: how can I manage this on the same physical equipment?
VLAN1 is a layer 3 VLAN with the default router for this LAN. This router, which is a virtual one, has a second interface connected to a L3 VLAN2; it has to communicate with another router in the same L3 VLAN2. So how can I have TWO L3 virtual interfaces in the same VLAN? What is the goal of loopback interfaces if they cannot belong to a VLAN?
To describe it: FW1 (route 0.0.0.0) --> R2 IF2 --> R2 IF1 (vlan2) --> R1 IF2 --> R1 IF1 --> (vlan1)
Thank you once again
We may have misunderstood your needs.
If there is an external firewall that is part of the picture, the role of inter-VRF communication can be given to the FW, and all you need are the appropriate static routes in each VRF context.
The FW can act as a bridge joining two broadcast domains:
one VRF uses vlan 2 and has a specific IP subnet like 10.2.2.2/24,
the second VRF uses vlan 22 and has an IP address like 10.2.2.3/24,
or simply, as suggested by Ingolf, you can use a crossover cable to join vlan2 and vlan22.
Be aware that for successful communication one SVI needs to use a modified MAC address:
  interface Vlan22
   ! placeholder: a MAC different from the default MAC the switch gives to all its SVIs
   mac-address <unique-mac>
We have done this on a C6500 with an FWSM firewall blade used as a transparent bridge.
Hope to help
Thank you for your reply. I start to understand what you mean; I thought it was not possible to have the same IP network on two different VLAN IDs.
I uploaded a schema of my labs with a focus; can you give some help on how to configure what is in red colour? It's just to start my configuration.
You can consider that for all the routers I will have only one physical C3750; the default gateway is managed by the ASA.
If somebody can give some help to configure my network... I don't understand something; I just want to have some help on the beginning.
My network schema is attached in the previous message.
I like your new network schema.
I think we are going to the following scenario:
the C3750 provides VRFs and separation of IP subnets.
A one-to-one correspondence of a VRF and an ASA context is possible, but using a single context can be easier.
A) single context and ASA performing inter-VRF communications
The ASA can be used for both:
inter-VRF communication in a controlled way
the C3750 in each VRF has a default static route pointing to the ASA address in the corresponding vlan subinterface.
  ip route vrf vrf-name 0.0.0.0 0.0.0.0 Vlan2202 next-hop-ip-address
The controlled inter-VRF communication, if using a single context on the ASA, becomes a question of ACLs and nat or static commands.
B) ASA multicontext and C3750 performing inter-VRF communication
The alternate way to do this is:
using the more complex configuration on the C3750 as described in previous posts to perform inter-VRF communication without going to the ASA.
On the ASA a security context for each VRF is configured, and they are separated from the point of view of the ASA.
(Actually also a single context using the same level of trust on interfaces to VRFs could be used.)
So it is up to you to make a choice.
Probably design A provides better control because you can limit, by using ACLs, what type of traffic can be exchanged between the different VRFs.
Design B moves all the complexity to the C3750 and could be preferred for other reasons (like my lack of expertise on ASA..)
Hope to help
My choice depends on your answer: if I take vlan 2270 and 2271, is it possible, if I choose proposal A, to let those two networks communicate directly through the 3750? Or do I have to implement all my slave networks at the same level in the ASA?
My other question is: if I use proposal B, how can I configure vlans 2271 and 2203 and vlan 2202 in the same equipment? There is something I misunderstand: for vlan 2203 on my schema I have the same equipment with the same vlan ID in the same IP network, and I can't configure it? So where is the problem, or what do I need to configure properly?
Can you just help me for the beginning? I'm stuck at the moment on the VRF configuration and the interconnection between two routers in the same vlan and same IP network: how can they communicate?
I know that Giuseppe is busy, but somebody else can give some advice. I want to know if it's possible to have this configuration using Cisco equipment without using physical interfaces and physical wires?
Sorry for your endless waiting.
In option A) you just need to set up
an L2 trunk from the C3750 to the ASA;
over the link you permit one vlan per VRF,
and the same is done on the ASA side.
You don't need dedicated per-VRF links.
Another reason I couldn't answer is that I wished to find a good config example to start with.
And we try to help here, but each of us has his/her main job, the one for which we are paid.
Hope to help
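The option A design from the two posts above (one vlan per VRF on a single trunk to the ASA, a default route per VRF toward the ASA subinterface, inter-VRF traffic controlled only on the ASA), written out as an added worked configuration that is not Giuseppe's or anyone else's config in this thread. It assumes two VRFs named AREA3 and AREA4, vlans 2270/2271 as the client vlans and 2202/2203 as the per-VRF vlans toward the ASA; the VLAN IDs appear in the thread, but their roles, all IP addresses, VRF names and port numbers are assumptions.

```cisco
! C3750 side (added example; VRF names, addresses and port numbers are assumptions)
ip routing
!
ip vrf AREA3
 rd 65222:2270
ip vrf AREA4
 rd 65222:2271
!
vlan 2202,2203,2270,2271
!
! client vlans: the SVI in each VRF is the default router of that LAN
interface Vlan2270
 ip vrf forwarding AREA3
 ip address 10.27.0.1 255.255.255.0
interface Vlan2271
 ip vrf forwarding AREA4
 ip address 10.27.1.1 255.255.255.0
!
! per-VRF vlans toward the ASA: one SVI per VRF, nothing shared between VRFs
interface Vlan2202
 ip vrf forwarding AREA3
 ip address 10.22.2.2 255.255.255.0
interface Vlan2203
 ip vrf forwarding AREA4
 ip address 10.22.3.2 255.255.255.0
!
! a single 802.1Q trunk to the ASA; only the per-VRF vlans are allowed on it
interface GigabitEthernet1/0/1
 description trunk to ASA
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2202,2203
 switchport mode trunk
!
! each VRF exits only through the ASA; AREA3 has no route to AREA4 inside the switch
ip route vrf AREA3 0.0.0.0 0.0.0.0 Vlan2202 10.22.2.1
ip route vrf AREA4 0.0.0.0 0.0.0.0 Vlan2203 10.22.3.1
!
! ASA side (single context): one subinterface per VRF vlan, routes back to the client subnets
interface GigabitEthernet0/1.2202
 vlan 2202
 nameif area3
 security-level 50
 ip address 10.22.2.1 255.255.255.0
interface GigabitEthernet0/1.2203
 vlan 2203
 nameif area4
 security-level 50
 ip address 10.22.3.1 255.255.255.0
route area3 10.27.0.0 255.255.255.0 10.22.2.2
route area4 10.27.1.0 255.255.255.0 10.22.3.2
```

As written, the two VRFs cannot reach each other: the switch has no inter-VRF route, and the ASA denies traffic between two interfaces of the same security level by default, so any AREA3-to-AREA4 flow has to be explicitly permitted on the ASA (ACLs and, on 7.2, the nat/static commands Giuseppe mentions).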
I know that you don't have a lot of time, and I know that when I use this forum everybody takes from his working time to help other people like me :) and I am very grateful for your help.
I understand your proposal, but I think I miss something. Can you confirm to me that I can't have in the same switch 2 IP interfaces in the same vlan and same IP network?
Because if I use the ASA to manage the VRFs, all my networks will be at the same level and all the networks will be routed through the ASA, is that correct?
>> can you confirm to me that I can't have in the same switch 2 IP interfaces in the same vlan and same IP network ?
Yes, this is true.
>> because If I use ASA to manage the vrf all my networks will be at the same level and all the networks will be routed through the ASA, is it correct ?
Partially correct: only inter-VRF communication will go through the ASA.
Hope to help
OK, so I can't configure my network as in the schema with only one L3 switch? Because it would mean that 2 IP interfaces would be in the same IP network, and it's not possible. So if you take my schema, it means that I can use the ASA to route everything, or I can't remove the vlan that interconnects my routers and I won't have any interfaces in the same IP network, am I right?
Thanks once again Giuseppe :)
You can use a single L3 switch with VRFs, but the neighbor at each VRF's logical exit point is the ASA.
With option B you configure inter-VRF communication on the L3 switch itself, as explained in the first posts of this thread.
The drawback of the option B design is that if you want to enable inter-VRF communication only for specific types of traffic or between subsets of hosts, you need to configure ACLs on the VRF interfaces pointing to the client vlans.
Actually, option A would require configuring ACLs and other firewall-specific commands on the ASA.
If we take the case of a single context, to enable communication between different interfaces in the same context you need commands for global, nat and static, and also the ACLs.
To see this aspect you can read the following document, taken from the ASA 7.2 config guide
Hope to help