Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

VRF lite

We have 3750 switches as L2 access switches, which is dually homed to two 6509 with MSFC as the distribution layer. The 6509s are connected to the core.

We are using two ranges of IPs, for users vlans connected to the 3750s. The first range is 10.1.x.x, and 172.16.x.x. All these VLANs are terminated on the 6509s.

We want to stop the two IP ranges (10.1.x.x. and 172.16.x.x) from reaching each other directly via the 6509s. So, in order for a user from 10.1.x.x range to access user from 172.1.6.x.x, the packet has to go through the core. Right now, because the two ranges are defined on the 6509s, so the packet just jumps between VLANs on the 6509.

The only way I could think of to do that is using VRF lite, where I can create two VPNs, one for 10.1 range and one for 172.16 range.

My question, is there any other solutions? If not, who is going to be CE and who is going to be PE? We will need CE-PE-CE

Thanks in advance


Re: VRF lite


if i understand you correct you like to seperate the traffic up to the core.

what is you core? Mpls?

i would implement vrf lite on the 6509 where you terminate the user vlan's. From the 6509 to the core i would again implement a trunk with two vlans to seperate the traffic up to the core. Each vlan terminating on the 6509 on a different vrf.

This way traffic from one subnet to an other has to go via the core.

Hope that helps


CreatePlease to create content