08-30-2009 02:39 PM - edited 03-06-2019 07:30 AM
I want to use VRF lite to route "guest" traffic out a separate internet link I have. I'm currently running OSPF..now, do I have to config separate VRF OSPF instances for every router and L3 switches?
08-30-2009 03:08 PM
Depends how much of your guest subnet is L2 vs. L3.
08-30-2009 03:13 PM
HI,
Your describtion is not quite clear. Could you tell us moe about your topology and what are you trying to achieve?
You could place a customer traffic in a VRF using VRF-lite , are you running OSPF with the customer?
As for Internet Access, you could use normal static routing through the global routing table.
We need more information about your setup in order to have better answer.
Mohamed
08-30-2009 03:35 PM
08-31-2009 03:59 AM
Perhaps it might assist your thinking if you consider VRF as a method to provide virtual L3 network since VLANs support only a virtual L2 network.
For your guest network, if the network was a small as this diagram (which I suspect it's not), you might only need a single L2 VLAN for your guest subnet. However, as the network grows where L2 starts to have scalability issues, VRF allows you to route within it. This doesn't mean you have to route across every device, you could just route across a few.
For example, assume you didn't want one single guest L2 VLAN to run across all your devices in your network diagram. You could define two guest only subnets on your 6500 cores, one facing (and running across) the 7600s, the other facing (and running across) the 3750s. Once you provide the VLANs, you need to route between them, but to keep them L3 isolated from the existing L3 routing domain, you could define VRF just on the 6500s to devide the routing domains.
08-31-2009 04:22 AM
Joseph,
this will require separate links correct?
Also, I can move the "guest internet link" down one layer to the CORE if that would make things easier.
I which the 3750s were GRE capable...
08-31-2009 04:50 AM
"this will require separate links correct? "
No.
"Also, I can move the "guest internet link" down one layer to the CORE if that would make things easier. "
???
"I which the 3750s were GRE capable..."
If reference to VRF; why?
PS:
On the campus, you can use VLANs to support VRF(-lite).
08-31-2009 08:27 AM
joseph, i just sent you an email.
08-31-2009 03:48 PM
Yes I received it, regarding the "easiest way".
Well, since you have a separate Internet interface, and your network diagram shows switches, and if your topology is small enough, you could extend a single "guest" VLAN across you topology making the gateway for this subnet the Internet. If the guest VLAN is not addressed on your L3 switches, traffic shouldn't be able to flow between the "guest" VLAN and you other production networks. The problem arises, though, if you feel it's undesireable to run the guest network as a single subnet. If you start to implement multiple guest VLAN subnets and route between them, you now have the risk of leaking traffic between corporate subnets and the guest subnets. One traditional solution might have been to implement ACLs to block traffic between corporate and guest subnets, although they know of each others subnets from a routing perspective (this also assumes you don't have an addressing overlap issue).
What VRF allows you to do, is define virtual routing domains (somewhat in concept as VLANs do for L2 domains).
Within the campus, on your L3 switches, that need to route for both corporate and guest subnets (again, could be none, could be some, could be all - depends how you allocate your L2 domains), you place corporate interfaces in one VRF and guest interface in another VRF and do likewise for multiple routing (in your case probably OSPF) configurations. Each routing configuration would only, by default, "know" of L3 routes within its only routing domain.
If this is all new to you, besides consulting information on VRF that can be found on Cisco's site, if you have the equipment, you might want to lab up a sample first to see it in action.
08-31-2009 12:30 AM
Hi,
Yes , you could achieve what you are looking for by implementing "Path Isolation using VRF with GRE" at the edge.
please have a look into the bellow document for more information:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html#wp80366
HTH
Mohamed
08-31-2009 04:29 AM
Mohamed, I can't configure GRE on 3750
08-31-2009 04:34 AM
Hello Alex,
VRF lite has no MPLS backbone links to carry VPN traffic in MPLS frames, so the answer is that you need to build a complete topology made of interfaces in the guest VRF in all devices on the path to this secondary internet link including redundant links as well.
You need one instance of VRF and eventually an OSPF instance in each device.
Typically you can use vlan subinterfaces on routers and SVIs or routed ports on multilayer switches to build the VRF-lite dedicated topology:
physical links can be shared and can host multiple logical links each of them mapped to a different VRF topology or global routing table.
Hope to help
Giuseppe
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: