Cisco Support Community
New Member

Cisco VRF-Lite on 3750 issues

Hello, I have a switch with some VMs hanging off of it. I want to isolate VLAN 888, which is to be used for malware, so I therefore want it isolated BUT I want it to be able to access the Internet to download malware etc.


I have set up VRF on interface VLAN888 and given it an IP address.

I just want hosts on 20.0.0.x to be able to get to the internet, download malware, surf the net, etc. I do not want this subnet talking to anything but the gateway. I am trying to limit my exposure from malware (I am doing malware analysis) I have several other vlans which I have taken out of this config for this post.


If I don't use the GLOBAL keyword at the end of the ip route vrf red global command, then it will simply not work at all.

However, it IS "working" configured like this, but I can ping other subnets within the switch. I would have thought that, without the global command, this would have worked and everything is sweet and that vrf red would know about the gateway. The gateway also has a route pointing back to

Is this correct? Not correct? Any tips? Thanks - Geoff

Config below:


CYBDKNSW001# show ip route vrf red

Routing Table: red
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is to network

C is directly connected, Vlan888
S* [1/0] via



ip routing
no ip domain-lookup


ip vrf red
 rd 45:1

interface Vlan500
 ip address
 ip helper-address
 ip accounting output-packets
 ip accounting access-violations

interface Vlan800
 description Firewall-Gateway_VLAN
 ip address
interface Vlan888
 description MALWARE
 ip vrf forwarding red
 ip address
ip classless
ip route (gateway to internet)
ip route Vlan888
ip route vrf red global

Cisco Employee

Hi,


Since you are using default static route, it will end up looking for any destination in the global routing table and will work. 

From your description, I assume you need 20.x.x.x to NOT talk to 10.x.x.x but should talk to internet.


You can configure the below to blackhole the traffic destined to 10.x.x.x from vlan 888:


"ip route vrf red null0" (without global)

So when vlan 888 receives any traffic destined to 10.x.x.x, it will be blackholed, while any other destination will be looked up in the global routing table.


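As an added example (not part of the original thread, and not the poster's config), here is the arrangement Nagendra describes written out as a complete IOS VRF-lite fragment, with the blackhole extended to all three RFC 1918 ranges rather than only 10.0.0.0/8. All addresses are assumptions: 20.0.0.1/24 on Vlan888 (the poster only says 20.0.0.x) and 10.0.0.254 as the Internet gateway in the global table. The inbound ACL MALWARE-EGRESS is an extra layer added here, not something suggested in the thread.

```cisco
! Added example, not the poster's config. Assumed addresses:
!   20.0.0.1/24  = Vlan888 (malware VRF "red"), sandbox hosts are 20.0.0.x
!   10.0.0.254   = Internet gateway reachable in the GLOBAL table (via Vlan800)
ip routing
!
ip vrf red
 rd 45:1
!
! Belt and braces (added here, not in the thread): an inbound ACL on the SVI
! drops internal destinations before routing and logs the attempt, so a sample
! that scans RFC 1918 space shows up in the log instead of silently hitting Null0.
ip access-list extended MALWARE-EGRESS
 deny   ip 20.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 20.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 20.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit ip 20.0.0.0 0.0.0.255 any
!
interface Vlan888
 description MALWARE
 ip vrf forwarding red
 ip address 20.0.0.1 255.255.255.0
 ip access-group MALWARE-EGRESS in
!
! 1) VRF default route. "global" tells IOS to resolve the next hop in the
!    global table; without it 10.0.0.254 is unknown inside vrf red and the
!    route never installs (the "does not work at all" case in the question).
ip route vrf red 0.0.0.0 0.0.0.0 10.0.0.254 global
!
! 2) Return path: the global table must know 20.0.0.0/24 sits behind Vlan888,
!    or replies from the Internet never make it back into the VRF.
ip route 20.0.0.0 255.255.255.0 Vlan888
!
! 3) Blackhole internal space inside the VRF (no "global" here). Longest match
!    wins, so these beat the default route while everything else still goes out.
!    The reply covers 10/8 only; covering all RFC 1918 space is an assumption
!    about what "internal" means on this network.
ip route vrf red 10.0.0.0 255.0.0.0 Null0
ip route vrf red 172.16.0.0 255.240.0.0 Null0
ip route vrf red 192.168.0.0 255.255.0.0 Null0
```

After applying this, `show ip route vrf red` should list the S* default via 10.0.0.254 alongside the three static Null0 entries, and `ping vrf red 10.x.x.x` from the switch should fail while `ping vrf red` to an Internet address succeeds. Two caveats a practitioner should keep in mind: the Null0 routes and the ACL only stop packets leaving VLAN 888, and because the global static route points into Vlan888, a host on the inside can still send packets to 20.0.0.x (only the reply is dropped), so filter that direction on the inside SVIs or the firewall if one-way UDP or ICMP into the sandbox matters; and ACL `log` on a 3750 is handled in software, so drop the `log` keyword if a noisy sample starts loading the CPU.
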

New Member


Thanks Nagendra, I'll give this a try and report back the results. Many thanks for your help,


