Vrf-lite Data Center deployment

chipsch21
Level 1

We are currently upgrading our Data Center and in the process I would like to implement some form of traffic isolation for this multi-tenant environment. It is a small-medium cloud based environment that currently "lacks", for better words, proper traffic isolation for each customer VLAN. The design is very simple and straightforward from a high level. Two 6509's with Sup720-3B that then feed out to 4948's at the access layer. There are also a few separate routers that peer with carriers to bring customers in via MPLS as well. The two 6509's will be tied together with a 20-gig port-channel at layer 2, with routing passing over that via an SVI.

I know there is the option of ACLs on each VLAN interface, but that can really be an administrative nightmare in my eyes. VRF-lite seems to be the perfect answer for something like this since it is only going to be one hop from 6500 to 6500. HSRP is also implemented at the 6500's, with the active of course being the root for STP. With all of that being said, is VRF-lite the way to go? Would it be as simple as just configuring the VRFs and letting them ride across the trunk without the need for subinterfaces? I partially tested this in GNS3 but am looking for some real world experience on a scenario like this. Thanks in advance!


4 Replies

Giuseppe Larosa
Hall of Fame

Hello Chipsch21,

VRF lite is the right tool for achieving traffic isolation.

The only requirement is that each VRF will have its own end to end logical topology:

access vlan (s) ----  C6500 ---    customer associated WAN router

On the C6500 both the client VLAN facing SVI(s) and the link to the corresponding WAN router have to be members of the same VRF.

If no customers share the same WAN router you are fine and VRF lite is a clean solution.

Hope to help

Giuseppe

Thank you for the input Giuseppe. I see exactly what you are saying but my topology feeds a large number of customers directly into a shared firewall, no contexts. In a case like that would I have to then implement MP-BGP and use route targets to export the vrf that the default route vlan resides in to the firewall into each customer vrf? Would I then in turn have to import all of those customers routes into that same vrf?

Hello chipsch21,

If you can use VLAN based subinterfaces on the shared firewall, you can separate the traffic of each customer VRF even if there is no per customer FW context. If the firewall is a Cisco ASA, it is enough to give the same security level to each VLAN based subinterface to isolate customers from each other (with default settings, without allowing traffic between interfaces of the same security level).

Otherwise, as you noted, you need to create a new VRF Shared for the link to the shared firewall and, using route-targets, import the default route from the Shared VRF into each of the customer VRFs and import the customer specific routes into the Shared VRF.

ip vrf SHARED
 rd 1000:1111
 route-target export 1000:1001
 route-target import 1000:1002
!
ip vrf CUSTXXX
 rd 1000:1234
 route-target export 1000:1002
 route-target import 1000:1001
!
! The thread gives no BGP AS number; <local-AS> is a placeholder for it
router bgp <local-AS>
 address-family ipv4 vrf SHARED
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CUSTXXX
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family

The use of two different route targets will give you the desired behaviour, but each VRF has to be configured within the router BGP process in its own address-family ipv4 vrf in order to perform the route leakage between VRFs.

Hope to help

Giuseppe
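As an added illustration (not part of the thread or Cisco's own code), the small model below reproduces the route-target import/export semantics of the configuration above and checks the isolation property that matters here: each customer VRF receives the leaked default from SHARED and nothing from other customers, while SHARED collects every customer prefix so the firewall can reach them. VRF names other than SHARED, the per-customer RDs and the prefixes are constructed sample data.

```python
"""Model of RT-based route leakage between VRF-lite instances (added example).

Semantics modelled: a prefix originated in VRF S is installed in VRF D when
S's export route-targets intersect D's import route-targets, which is what
the per-VRF 'address-family ipv4 vrf' sections in router bgp implement.
"""
from dataclasses import dataclass


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    local: set  # connected/static prefixes redistributed into this VRF


def build_topology(customers):
    """SHARED exports 1000:1001 and imports 1000:1002 exactly as in the
    thread; every customer VRF does the reverse. RDs are constructed."""
    vrfs = [Vrf("SHARED", "1000:1111", {"1000:1001"}, {"1000:1002"}, {"0.0.0.0/0"})]
    for i, (name, prefix) in enumerate(customers, start=1):
        vrfs.append(Vrf(name, f"1000:{1200 + i}", {"1000:1002"}, {"1000:1001"}, {prefix}))
    return vrfs


def leak(vrfs):
    """Return {vrf name: set of prefixes} after RT-based import."""
    tables = {v.name: set(v.local) for v in vrfs}
    for src in vrfs:
        for dst in vrfs:
            if src is not dst and src.export_rt & dst.import_rt:
                tables[dst.name] |= src.local
    return tables


def customer_isolation_ok(tables, customers):
    """True when no customer VRF holds another customer's prefix.
    A single wrong 'route-target import' on one VRF makes this False."""
    prefixes = dict(customers)
    for a in prefixes:
        for b in prefixes:
            if a != b and prefixes[b] in tables[a]:
                return False
    return True


if __name__ == "__main__":
    custs = [("CUSTA", "10.1.0.0/24"), ("CUSTB", "10.2.0.0/24")]  # constructed
    t = leak(build_topology(custs))
    print(t, "isolated:", customer_isolation_ok(t, custs))
```

Note that SHARED ends up holding every customer prefix, so customer-to-customer traffic is blocked only by the firewall's policy on that shared link, which is why the ASA same-security-level point above matters.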

Giuseppe,

Thank you very much for all of the assistance. Did some testing and also found where I could potentially keep that "shared" vlan from being in a vrf and using the global statement to leak from customer vrf's but then would need to also add static routes into the global table pointing to the respective customer vrf. That seems like more administrative burden and would also mess up the traffic isolation. Your solution is definitely the way to go. Thanks!
