I have two 3845 routers with 6M WAN links towards the MPLS cloud. Both of these routers are running EBGP with the service provider. We have taken 2 VRFs for our internal DMZ 1 & DMZ 2 traffic. All other corporate applications run on the Corp VRF.
As per the diagram, the DMZ 1 and DMZ 2 VRF subnets are routed between the routers and the FW through the MPLS switches. The MPLS switches are being used in this environment for deploying multiple VRFs.
1) From the router, there are static routes pointing to the DMZ subnets through the FWs in the DMZ 1 and DMZ 2 VRFs. There is a sub-interface created on the routers for VLAN 10 and VLAN 20 for routing to happen. These DMZ 1 and DMZ 2 VRFs go into the MPLS cloud and on to other branches.
2) There is EIGRP between the core switches and the routers for advertising the corporate block (let's say 22.214.171.124/24 in this scenario).
Now, the problem is in the Tools/Server zone: there are certain servers which are given IPs from the global corporate block of my company (for example 126.96.36.199/16). These servers need to access the corporate applications which are on the 1.x.x.x subnet.
But all the routes from the routers into the DMZ and Tools subnets are via the DMZ 1 and DMZ 2 VRFs. This means these routes will stay in that VRF all the way up to the MPLS cloud.
I need these Tools subnets to get into the Corp VRF on my routers. How do I advertise them?
I hope the setup makes sense to you guys. Please ask me for clarifications if any.
As I understand this setup, there is VRF-Lite happening on the 3845 routers. The links to the ISP are MPLS VPN links, with 3 VPNs configured on the ISP side as well. Is that correct?
We would require controlled route leaking on the 3845 routers between the DMZ1 & DMZ2 VRFs and the Corp VRF for the required source and destination subnets. This will involve identifying the Tools/Server subnets assigned from the global corporate block and all remaining corporate subnets which need access to the Tools/Servers. I think this will lead to a lot of leaked corporate subnets in the DMZ VRFs. Hope this will be fine in the current setup.
Do the VRFs configured on the routers have the RD/RT defined and MP-BGP configuration present? Inter-VRF routing will require them as a prerequisite.
As an alternative (if it's feasible in your setup), we can try to create another routing subnet between the FW and the routers and make it part of the Corporate VRF on the routers. Then we can easily create reverse static routes for the Tools/Servers under that VRF, and they can easily talk to the other corporate blocks without any need for route leaking.
Hope this helps to provide some insight into your query.
Yes, we have 3 VPNs configured on the ISP end. In regards to the first option, as you have mentioned, there will be a lot of route leakage happening between the Corp and DMZ VRFs. I don't want this to happen, as this would be way out of standard for our setups across branches, and it would also be a nightmare for the Operations team to troubleshoot.
The second option seems pretty feasible to me. So, in this case, I just have to create a new VLAN on the router and float it across to the DMZ zone, right?
For DMZ routing, we define the static routes in the following way:
ip route vrf DMZ1 <DMZ subnet> <mask> <next hop: FW IP>
We have RD/RT defined only for the DMZ 1 and DMZ 2 VRFs. The Corp VRF is just defined under the address family under BGP.
How will the static route to the Tools (corporate block) be from the routers in this case?
Yes, in the 2nd option we need to create one new VLAN (say 100) and extend it to the DMZ zone.
The new VLAN 100 should be configured under the Corp VRF, the same as the existing Corp switch connectivity (assuming that currently the Corp switches connect to the routers under the Corp VRF on the routers). We need to put a VRF-specific static route pointing back to the Tools (corporate block) with the new VLAN 100 as the exit point towards the DMZ:
ip route vrf Corp <Tools subnet> <mask> <next hop: FW VLAN 100 IP>
The above static route will be under the Corp VRF, and now we can redistribute it into EIGRP towards the core switches and into eBGP towards the ISPs.
Note: If the current connectivity from the core switches to the 3845 routers is not under a VRF, then the static routes will be non-VRF-specific.
Currently, the connectivity between the routers and the core switches is through EIGRP, and these Corp subnets get advertised outside through the Corp VRF.
Look at the config below.
router bgp xxx
 address-family ipv4       -----> There is no VRF name or RD/RT values defined for the Corp network.
  network 1.x.x.x (corporate block)
 address-family ipv4 vrf DMZ1
  neighbor <ISP neighbor IP> remote-as xxx
 address-family ipv4 vrf DMZ2
  neighbor <ISP neighbor IP> remote-as xxx
As you can see, there is no VRF name defined (no RD/RT values either) for advertising the Corp network into MPLS (only the address family). Can we just put a normal static route towards the Tools subnet via the FW then? Will it work?
ip route <Tools subnet> <mask> <next hop: Firewall VLAN 100 IP> ?
If we want to do route leaking from the DMZ VRF to the Corp global routing table subnets, it will be a case similar to providing Internet access to an MPLS VPN customer using route leaking, as described in the good Cisco doc below:
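A worked configuration for the second option, added here as an example and not taken from any post above. It follows the poster's config, where the Corp network lives in the global routing table rather than a named VRF, so the VLAN 100 sub-interface and the static route stay in the global table. The interface name, the VLAN 100 transit addresses (198.51.100.0/30), the Tools subnet (203.0.113.0/24), the EIGRP AS and the BGP AS are all assumed placeholders; the real Tools prefix would be the slice of the corporate block assigned to that zone.

```cisco
! --- 3845 router: VLAN 100 sub-interface towards the DMZ zone ---
! Left in the global table because the Corp network is global, not a VRF.
! GigabitEthernet0/1 and the addresses below are assumed values.
interface GigabitEthernet0/1.100
 description Transit to FW for Tools/Server zone (Corp routing)
 encapsulation dot1Q 100
 ip address 198.51.100.1 255.255.255.252
!
! Static route to the Tools subnet via the firewall's VLAN 100 address.
! Global (non-VRF) because the Corp network is global on this router.
ip route 203.0.113.0 255.255.255.0 198.51.100.2 name TOOLS-VIA-FW
!
! Redistribute only that one prefix into EIGRP towards the core switches,
! so no other static (e.g. DMZ VRF leftovers) leaks in by accident.
ip prefix-list TOOLS-SUBNET seq 5 permit 203.0.113.0/24
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list TOOLS-SUBNET
!
router eigrp 100
 redistribute static metric 10000 100 255 1 1500 route-map STATIC-TO-EIGRP
!
! Advertise the Tools prefix to the ISP in the same global address family
! that already carries the corporate block (network statement style
! matches the posted config; the prefix must exist in the RIB, which the
! static route above guarantees).
router bgp 65000
 address-family ipv4
  network 203.0.113.0 mask 255.255.255.0
!
! --- Firewall side (vendor-neutral sketch) ---
! VLAN 100 interface: 198.51.100.2/30
! Route the corporate block (1.x.x.x in the thread) back to 198.51.100.1
! and permit only Tools <-> corporate application flows on that interface,
! so the new transit VLAN does not become a bypass around the DMZ VRFs.
```

If the core switches connect to the router inside a named Corp VRF instead, prefix the interface with `ip vrf forwarding Corp`, use `ip route vrf Corp ...`, and place the EIGRP and BGP statements under the matching `address-family ipv4 vrf Corp` sections.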