I have two networks (net1 & net2) in one site (Site A) and two networks (net3 & net4) in another site (Site B). I want to connect the two sites while isolating the access, so that net1 can access net3 and net2 can access net4.
A leased line of 300Mbps will be used to connect the two sites, and a backup link will be provided as a passive line in case of failure of the main line.
I read about VRF lite that can be used to make virtual tables. (example here http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/)
I am thinking of installing two 3750s in each site and connecting each of the leased lines (main and backup) to each switch.
My question is: does the Catalyst 3750 support the VRF lite feature? And does the interface support the creation of dot1q subinterfaces (for example, if I connected the service provider Giga link to the 3750 switch and created two dot1q subinterfaces, each with a different IP, one for VRF-A and one for VRF-B)?
Or do you suggest any other solution?
A brief drawing is attached.
VRF lite is definitely supported on 12.2(25)SEC2, but I doubt dot1Q subinterfaces are.
You can use a trunk from the provider and have two SVIs terminated in separate VRFs.
Thank you Sam,
Do you mean that I need to configure two VLANs on the WAN link, "one for each circuit"?
What is the required IOS, "Base or service..."?
I don't have MPLS experience, but I only understand the example in the link above.
Is that enough? (Like, I will create on the first switch a VRF for customer A and a VRF on the VLAN of the WAN link?)
Do I need BGP? Or just VRFs and a routing protocol between the VRFs?
The full image is c3750-advipservicesk9-mz.122-25.SEC2.bin; you need to check if it's still supported. In any case it supports VRF lite.
I assume that in your drawing the 3560s are really the 3750s where you need VRF lite, and the 300Mb is offered over a Gigabit Ethernet port?
I would use BGP (remember route reflectors).
Yes, the 300Mb is offered over Giga Ethernet.
Yes, I will use the 3750 switches.
Why do I need BGP?
I am thinking of using VRF in the switches with OSPF:
ip vrf Net1
route-target export 1:1
route-target import 1:1
description connection to LAN1
ip vrf forwarding Net1
ip address 172.16.1.1 255.255.255.0
switchport mode trunk
description connection to the 300M
ip vrf forwarding Net1
ip address 172.16.7.1 255.255.255.0
router ospf 1 vrf Net1
network 172.16.1.0 0.0.0.255 area 0
network 172.16.7.0 0.0.0.255 area 0
OSPF is fine for PE-CE routing, but what about PE-PE? Unless you will have one PE for the primary line and one for the backup line.
take a look at this document:
You also need to decide how you will manage your CPEs (if they are managed by you). One method is to have an additional management VRF.
The provider will just provide layer 2 leased lines to the two locations; I will provide the 3750 switches and configure VRF-lite on them.
So I think the 3750s will work as PEs and the LAN switches (6509s) will work as CEs.
I am thinking, as you suggest, of configuring the WAN links as trunks and terminating the VLANs on separate VRFs on the 3750 switches.
But the confusing thing is why I need BGP in this case.
Thanks and regards,
Configuring a trunk and terminating the SVI on the PE in a VRF is a must. I think you agree on this.
This will take care of routing between CE and PE... but how will routes from CE1 be propagated to CE2? You need PE1 to advertise them to PE2, which leads to how you will route between PE1 and PE2.
I stand corrected; as far as I know you need to have MPLS-based VRF between PE1 and PE2, and therefore BGP to carry VPNv4 prefixes, and this is how I have implemented it.
However, if you have the following setup, you will not need BGP.
Make 3750-B the PE and use 3750A and 3750-C for switching the VLAN from CE1 to CE2, so 3750-B has routes for both locations within its VRF table.
I think if I configure BGP then the network will be like a full MPLS network.
I think without BGP, the routes from the CEs in the two locations will be propagated using OSPF, because the OSPF adjacency will be built as follows:
CE(first site)---VRF (3750-1)---VRF of WAN(3750-1)--- VRF of WAN(3750-2)--- VRF (3750-2)--- CE(second site)
Is that right, or must BGP be configured?
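
The layout discussed in this thread (WAN port as a dot1q trunk, one SVI per VRF, one OSPF process per VRF), written out as an added configuration sketch for the Site A 3750; it is not from any poster. The VLAN IDs, the interface name, the Net2 VRF, the rd values and the 172.16.2.0/24 and 172.16.8.0/24 subnets are assumptions, and it assumes the layer 2 leased line passes 802.1Q tags.

```cisco
! Site A 3750 (assumed: Site B mirrors this with its own LAN subnets
! and .2 addresses on the WAN SVIs)
ip routing
vlan 10,20,107,108
!
! One routing table per isolated network pair; rd values are assumptions
ip vrf Net1
 rd 1:1
ip vrf Net2
 rd 2:2
!
! LAN-facing SVIs, one per VRF (VLAN IDs are assumptions)
interface Vlan10
 description connection to LAN1
 ip vrf forwarding Net1
 ip address 172.16.1.1 255.255.255.0
interface Vlan20
 description connection to LAN2
 ip vrf forwarding Net2
 ip address 172.16.2.1 255.255.255.0
!
! WAN port: trunk carrying one VLAN per VRF (interface name is an assumption)
interface GigabitEthernet1/0/1
 description connection to the 300M
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 107,108
 switchport mode trunk
!
! WAN-facing SVIs, each bound to its own VRF
interface Vlan107
 ip vrf forwarding Net1
 ip address 172.16.7.1 255.255.255.0
interface Vlan108
 ip vrf forwarding Net2
 ip address 172.16.8.1 255.255.255.0
!
! Separate OSPF process per VRF, so adjacencies and routes never mix
router ospf 1 vrf Net1
 network 172.16.1.0 0.0.0.255 area 0
 network 172.16.7.0 0.0.0.255 area 0
router ospf 2 vrf Net2
 network 172.16.2.0 0.0.0.255 area 0
 network 172.16.8.0 0.0.0.255 area 0
```

Isolation can be checked with `show ip route vrf Net1` and `show ip route vrf Net2`: each table should contain only its own network's prefixes.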