Local router, FR DLCI to VLAN mapping

BudEWiser · ‎02-14-2006

On a CE router I need to ensure that inbound traffic from a serial interface (FR encap. local DLCI 100) is mapped to local logical VLAN 100. I need to this for multiple DLCIs.

I need to inspect all traffic at a firewall before it is permitted out another DLCI.

Thanks,

Rob

thisisshanky · ‎02-14-2006

Are there subinterfaces on the ethernet side of this router that routes for various vlans ?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

BudEWiser · ‎02-14-2006

Yes, sorry I left that info off.

Subinterface on a q-trunk.

thisisshanky · ‎02-14-2006

On the FR DLCI side, are they point to point or multipoint subinterfaces ? You can use policy routing on each subinterface on FR side to be send to a particular outgoing subinterface on ethernet side.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

BudEWiser · ‎02-14-2006

The FR DLCI side will most likely be p-t-p. PBR does appear to be the most likely solution. What other option are there?

Thanks,

Rob

thisisshanky · ‎02-14-2006

You may optionally try bridging between the respective sub interfaces. Even though this is not a very recommended solution.

HTH

PS: Please remember to rate replies!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

BudEWiser · ‎02-14-2006

I agree, bridging would not be my first choice.

PBR may be the way to go.

Thanks,

Rob

mheusinger · ‎02-14-2006

Hello,

I do see two possibilities to achieve your requirements.

First you could enable Policy based routing on each interface. This way you can send the incoming traffic to an outgoing interface of your choice. In my opinion this gets somewhat messy and not too easy to implement from an administrative point of view.

Second you could implement Multi-VRF in your router. Each VRF works like a separate, single (virtual) router. You would create a set of VRFs containing one FR subinterface and one VLAN subinterface each. All IP traffic would then be routed in each VRF (static or dynamic) from FR to VLAN and vice versa.

Assuming it is your firewall trunking (dot1Q) to your FR router, the only allowed path between the FR DLCIs would be through your firewall. This solution would be my definate favourite also with respect to security. An example config would look like this:

ip cef

ip vrf Cust1

rd 65000:1

ip vrf Cust2

rd 65000:2

interface Serial0/0

encapsulation frame-relay

interface Serial0/0.1 point-to-point

ip address 10.1.1.1 255.255.255.252

ip vrf forwarding Cust1

frame-relay interface-dlci 100

interface Serial0/0.2 point-to-point

ip address 10.2.1.1 255.255.255.252

ip vrf forwarding Cust2

frame-relay interface-dlci 200

interface FastEthernet1/1.100

encapsulation dot1Q 100

ip address 10.10.1.1 255.255.255.0

ip vrf forwarding Cust1

interface FastEthernet1/1.200

encapsulation dot1Q 200

ip address 10.20.1.1 255.255.255.0

ip vrf forwarding Cust2

ip route vrf Cust1 0.0.0.0 0.0.0.0 FastEthernet1/1.100 10.10.1.2

ip route vrf Cust1 10.1.0.0 255.255.0.0 Serial0/0.1 10.1.1.2

ip route vrf Cust2 0.0.0.0 0.0.0.0 FastEthernet1/1.200 10.20.1.2

ip route vrf Cust2 10.2.0.0 255.255.0.0 Serial0/0.2 10.2.1.2

You need to adjust the ip addresses, interfaces and so on to your environment. It will also be possible to use dynamic IP routing across your FR DLCIs.

As you can see you need FR subinterfaces and also a WAN router supporting Multi-VRF (aka vrf-lite).

Hope this helps! Please rate all posts.

Regards, Martin

BudEWiser · ‎02-14-2006

Hello,

I guess I need to read up on Multi-VRF. It does appear to be a nice solutions.

Thanks,

Rob