We have 3750 switches as L2 access switches, which are dual-homed to two 6509s with MSFC as the distribution layer. The 6509s are connected to the core.
We are using two ranges of IPs for user VLANs connected to the 3750s. The ranges are 10.1.x.x and 172.16.x.x. All these VLANs are terminated on the 6509s.
We want to stop the two IP ranges (10.1.x.x and 172.16.x.x) from reaching each other directly via the 6509s. So, in order for a user from the 10.1.x.x range to access a user from 172.16.x.x, the packet has to go through the core. Right now, because the two ranges are defined on the 6509s, the packet just jumps between VLANs on the 6509.
The only way I could think of to do that is using VRF lite, where I can create two VPNs, one for 10.1 range and one for 172.16 range.
My question: are there any other solutions? If not, who is going to be CE and who is going to be PE? We will need CE-PE-CE.
Thanks
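
A sketch of the VRF-lite separation described in the post, for one of the 6509s. This is an added example, not configuration from the original poster; the VRF names, route distinguishers, VLAN IDs, interface name and all addresses are constructed assumptions.

```cisco
! Constructed example for one 6509/MSFC distribution switch.
! VRF names, RDs, VLAN IDs, interface and addresses are assumptions.
ip vrf USERS-10
 rd 65000:10
!
ip vrf USERS-172
 rd 65000:172
!
! Transit VLANs toward the core, one per VRF.
vlan 901,902
!
! User SVIs: each access VLAN is placed in the VRF for its range.
! Applying "ip vrf forwarding" removes an existing IP address from the
! interface, so the address is re-entered afterwards.
interface Vlan110
 description Users 10.1.10.0/24
 ip vrf forwarding USERS-10
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan216
 description Users 172.16.10.0/24
 ip vrf forwarding USERS-172
 ip address 172.16.10.1 255.255.255.0
!
! Uplink to the core: a trunk carrying only the two transit VLANs.
interface TenGigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 901,902
 switchport mode trunk
!
interface Vlan901
 description Transit to core for USERS-10
 ip vrf forwarding USERS-10
 ip address 192.0.2.2 255.255.255.252
!
interface Vlan902
 description Transit to core for USERS-172
 ip vrf forwarding USERS-172
 ip address 192.0.2.6 255.255.255.252
!
! Per-VRF default routes toward the core. Neither VRF holds a route for
! the other range, so inter-range traffic must leave via the core.
ip route vrf USERS-10 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf USERS-172 0.0.0.0 0.0.0.0 192.0.2.5
```

After applying a configuration like this, `show ip route vrf USERS-10` should list no 172.16 prefixes as connected, which confirms that the 6509 no longer routes between the two ranges locally.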