10-04-2012 01:56 PM
We are currently upgrading our Data Center and in the process I would like to implement some form of traffic isolation for this multi-tenant environment. It is a small-medium cloud based environment that currently "lacks", for better words, proper traffic isolation for each customer VLAN. The design is very simple and straightforward from a high level. Two 6509s with Sup720-3B that then feed out to 4948s at the access layer. There are also a few separate routers that peer with carriers to bring customers in via MPLS as well. The two 6509s will be tied together with a 20gig port-channel at layer 2 with routing passing over that via an SVI.
I know there is the option of ACLs on each VLAN interface but that can really be an administrative nightmare in my eyes. VRF-lite seems to be the perfect answer for something like this since it is only going to be one hop from 6500 to 6500. HSRP is also implemented at the 6500s with the active of course being the root for STP. With all of that being said, is VRF-lite the way to go? Would it be as simple as just configuring the VRFs and letting them ride across the trunk without the need for subinterfaces? I partially tested this in GNS3 but am looking for some real world experience on a scenario like this. Thanks in advance!
10-05-2012 03:53 AM
Hello Chipsch21,
VRF lite is the right tool for achieving traffic isolation.
The only requirement is that each VRF will have its own end to end logical topology:
access vlan(s) ---- C6500 --- customer associated WAN router
On the C6500 both the client VLAN facing SVI(s) and the link to the corresponding WAN router have to be members of the same VRF.
If no customers share the same WAN router you are fine and VRF lite is a clean solution.
Hope to help
Giuseppe
10-05-2012 07:20 AM
Thank you for the input Giuseppe. I see exactly what you are saying but my topology feeds a large number of customers directly into a shared firewall, no contexts. In a case like that would I have to then implement MP-BGP and use route targets to export the VRF that the default route VLAN resides in to the firewall into each customer VRF? Would I then in turn have to import all of those customers' routes into that same VRF?
10-06-2012 07:28 AM
Hello chipsch21,
if you can use VLAN based subinterfaces on the shared firewall you can separate the traffic on each customer VRF even if there is no per customer FW context. If the firewall is a Cisco ASA it is enough to give the same security level to each VLAN based subinterface to isolate customers from each other (with default settings, traffic between same security level interfaces is not allowed).
Otherwise, as you noted, you need to create a new VRF SHARED for the link to the shared firewall and, using route-targets, you will import from the SHARED VRF the default route into each of the customer VRFs and you need to import the customer specific routes into the SHARED VRF.
! SHARED VRF: holds the link to the shared firewall and the default route.
! It exports its routes with RT 1000:1001 and imports every customer's routes (RT 1000:1002).
ip vrf SHARED
 rd 1000:1111
 route-target export 1000:1001
 route-target import 1000:1002
! One VRF per customer: exports with the customer RT 1000:1002 and imports only
! the SHARED RT 1000:1001, so customers never see each other's routes.
ip vrf CUSTXXX
 rd 1000:1234
 route-target export 1000:1002
 route-target import 1000:1001
+
! Each VRF needs its own address-family under the BGP process so that the
! connected and static routes are placed in the VPNv4 table and leaked by RT.
router bgp
 address-family ipv4 vrf SHARED
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CUSTXXX
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
The use of two different route targets will give you the desired behaviour, but each VRF has to be configured within the router BGP process in its own address-family ipv4 vrf.
Hope to help
Giuseppe
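Because every customer VRF in the pattern above exports the same route target, isolation depends entirely on no customer VRF ever importing that RT, and on every VRF having its BGP address-family. The following script is an added example (not from the thread or from Cisco) that parses an IOS-style VRF configuration, computes which VRFs receive routes from which, flags any customer-to-customer leak, and lists VRFs that are missing their address-family ipv4 vrf block. The sample configuration is constructed: it follows the SHARED/CUSTXXX layout, uses a placeholder AS number 65000, and includes a deliberately misconfigured CUST003 that imports the customer RT.

```python
"""Audit route-target leakage between VRFs in an IOS-style configuration."""
import re
from collections import defaultdict

# Constructed sample config (not from the thread). CUST003 wrongly imports
# 1000:1002, the RT every customer exports, and has no BGP address-family.
SAMPLE_CONFIG = """\
ip vrf SHARED
 rd 1000:1111
 route-target export 1000:1001
 route-target import 1000:1002
ip vrf CUST001
 rd 1000:1234
 route-target export 1000:1002
 route-target import 1000:1001
ip vrf CUST002
 rd 1000:1235
 route-target export 1000:1002
 route-target import 1000:1001
ip vrf CUST003
 rd 1000:1236
 route-target export 1000:1002
 route-target import 1000:1001
 route-target import 1000:1002
router bgp 65000
 address-family ipv4 vrf SHARED
  redistribute connected
  redistribute static
 exit-address-family
 address-family ipv4 vrf CUST001
  redistribute connected
 exit-address-family
 address-family ipv4 vrf CUST002
  redistribute connected
 exit-address-family
"""


def parse_vrfs(config):
    """Return {vrf_name: {"export": set(RTs), "import": set(RTs)}}."""
    vrfs = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"ip vrf (\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = {"export": set(), "import": set()}
            continue
        m = re.match(r"\s+route-target (export|import|both) (\S+)", line)
        if m and current:
            kind, rt = m.groups()
            if kind in ("export", "both"):
                vrfs[current]["export"].add(rt)
            if kind in ("import", "both"):
                vrfs[current]["import"].add(rt)
        elif not line.startswith(" "):
            current = None  # left the ip vrf block
    return vrfs


def leak_matrix(vrfs):
    """Return {importer: set(exporters)}: which VRFs' routes each VRF receives."""
    leaks = defaultdict(set)
    for importer, a in vrfs.items():
        for exporter, b in vrfs.items():
            if importer != exporter and a["import"] & b["export"]:
                leaks[importer].add(exporter)
    return dict(leaks)


def customer_to_customer_leaks(vrfs, shared="SHARED"):
    """Sorted (importer, exporter) pairs where one customer sees another's routes.
    Only the shared VRF is allowed to import customer routes."""
    bad = []
    for importer, exporters in leak_matrix(vrfs).items():
        if importer == shared:
            continue
        bad.extend((importer, e) for e in exporters if e != shared)
    return sorted(bad)


def vrfs_missing_bgp_af(config, vrfs):
    """VRFs with no 'address-family ipv4 vrf <name>' under router bgp."""
    present = set(re.findall(r"^\s*address-family ipv4 vrf (\S+)", config, re.M))
    return sorted(v for v in vrfs if v not in present)


if __name__ == "__main__":
    parsed = parse_vrfs(SAMPLE_CONFIG)
    for importer, exporters in sorted(leak_matrix(parsed).items()):
        print(f"{importer} receives routes from: {sorted(exporters)}")
    print("customer-to-customer leaks:", customer_to_customer_leaks(parsed))
    print("VRFs without BGP address-family:", vrfs_missing_bgp_af(SAMPLE_CONFIG, parsed))
```

Running it on the sample reports that CUST003 receives routes from CUST001 and CUST002 and has no address-family block; the other customers only receive routes from SHARED, which is the intended result. On the switch itself the same leak shows up as another customer's prefixes in `show ip route vrf CUSTXXX`, so the script is most useful as a pre-deployment review of the config before the RTs are pushed.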
10-08-2012 11:16 AM
Giuseppe,
Thank you very much for all of the assistance. Did some testing and also found where I could potentially keep that "shared" VLAN from being in a VRF and use the global statement to leak from customer VRFs, but then would need to also add static routes into the global table pointing to the respective customer VRF. That seems like more administrative burden and would also mess up the traffic isolation. Your solution is definitely the way to go. Thanks!