Is it the correct assumption that VRF lite needs to be configured with the same VRFs all through the network for traffic to be routed properly? I'm playing with gns3, and I'm using 3600 series routers. While these support VRFs, I was unable to get traffic out of the "network." I later found documentation that shows vlans and vrfs all the way to the exiting router, and even that router had the vrfs and subinterfaces for vlans configured on them. This seems to be something that you wouldn't haphazardly want to configure without very careful planning.
"This seems to be something that you wouldn't haphazardly want to configure without very careful planning."
No, you definitely wouldn't. Basically VRFs allow you to create multiple virtual networks which are isolated from one another on top of the same physical infrastructure, so when you look at it like that it makes sense that you need consistency across your network per VRF. So if you were to create a guest access network using VRFs, then you would want the guest VRF on all the network devices that traffic would need to cross, and this VRF mapping would need to be consistent.
Generally speaking, the whole concept of VRF is not to get traffic out of the virtual network except for the entry and exit points.
So with that said, how do you think the ASA would handle vrfs? I was looking at this after Edison posted it last night, and I thought it would be great for my guest wireless side, but after playing with it I'm not so sure. I see a couple of problems in my network using it, but I also don't know enough about it to really make an educated decision. :-)
I am not quite sure about what you mean by "configured with the same VRFs".
Generally speaking VRF names are locally significant. What matters is the route descriptor (RD) value. You don't even have to worry about the RD if you are doing VRF lite without BGP. You can use a different VRF name on your routers to represent the same address space.
I would still use the same name just to keep everything consistent.
The difference between VRF lite and full-featured MPLS VRFs and VPN is that the second is able to use MPLS for the forwarding plane.
VRF lite has only VRF access links and it needs to use them both for connecting CE nodes and for building the desired topology.
To deploy multiple VRF lite topologies correctly you need to provide a collection of back-to-back links between nodes.
Actually each topology requires its own collection of logical links between network devices to work well.
This can be done, for example, using 802.1Q VLAN subinterfaces or FR or ATM p-t-p subinterfaces.
The name of the VRF is locally significant, as noted by Rakesh.
Of course this is a great limitation to scalability: as the number of VRFs to be implemented grows, the effort is bigger than compared to a full MPLS VPN solution that can use a single backbone link to support multiple VRF traffic (using an MPLS stack of two labels).
ASA can be multicontext as FWSM and roughly one context can be equated to a VRF lite instance.
If the design requires to go via one of them the front end device needs to expose N logical interfaces to the ASA/FWSM.
If you want traffic to cross between the VRFs then you would not be configuring VRF on the ASA or PIX. Instead you would connect interfaces from the ASA/PIX into ports/VLANs associated with each VRF needing to talk. Think of the concept of inside and outside interfaces: you could put your PIX inside interface on the production network and the PIX outside interface on the guest VRF network and configure your rules to allow something specific you may need.
If you want the VRF network to only use the same physical ASA/PIX for internet access but not be able to touch the other networks then you would need to setup multiple contexts on the firewall. Not necessarily configure VRF but you do need to virtualize the firewall.
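To make the "consistent VRF mapping over per-VRF logical links" point concrete, here is an added IOS configuration sketch (not from any poster in this thread) for two routers joined by one trunk carrying a PROD and a GUEST VRF on 802.1Q subinterfaces, plus the checks that show each VRF has its own table. VRF names, VLAN IDs, RDs and addresses are constructed; the point is that VLAN 10 means PROD and VLAN 20 means GUEST on both ends.

```ios
! ===== R1 (constructed example) =====
ip vrf PROD
 rd 65000:1
ip vrf GUEST
 rd 65000:2
!
interface FastEthernet0/0
 no ip address
 no shutdown
!
! One logical link per VRF. Note the order: 'ip vrf forwarding' must be
! entered BEFORE 'ip address', because applying it clears any existing address.
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding PROD
 ip address 10.0.12.1 255.255.255.252
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding GUEST
 ip address 10.0.12.1 255.255.255.252
! Same prefix on both subinterfaces is legal: each VRF has its own RIB.
!
! Static routes are per-VRF too; a global 'ip route' would not be seen here.
ip route vrf PROD 0.0.0.0 0.0.0.0 10.0.12.2
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.0.12.2
!
! ===== R2 (mirror the VLAN-to-VRF mapping exactly) =====
ip vrf PROD
 rd 65000:1
ip vrf GUEST
 rd 65000:2
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding PROD
 ip address 10.0.12.2 255.255.255.252
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding GUEST
 ip address 10.0.12.2 255.255.255.252
!
! ===== Verification (run on either router) =====
show ip vrf interfaces          ! every VRF-bound subinterface and its VRF
show ip route vrf GUEST         ! only GUEST routes; PROD prefixes must not appear
ping vrf GUEST 10.0.12.2        ! a plain 'ping' uses the global table and fails
```

If a hop in the path lacks the GUEST subinterface (or maps VLAN 20 to a different VRF), `show ip route vrf GUEST` on that box will be empty for the far side, which is the "can't get traffic out" symptom described in the question.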