can we use IPs from same subnet on Cisco 2911 ethernet ports using IP VRF?

m-abooali (Level 4)

Hi folks,

The client has two SonicWalls on the same subnet, which were connected to a switch (Cisco 3550). Now that switch has been replaced with a Cisco 2911 router: one Ethernet port to the provider, one Ethernet port to the main SonicWall, and all is working fine. They need the second SonicWall to be connected to the third and last Ethernet port on this router, but on the same subnet. The router doesn't accept the same subnet, and rightly so. They cannot change the IPs and subnets on their firewalls.

Can IP VRF help in this situation?

Best Regards,

Masood

28 Replies

Hello,

the DHCP part is optional, you don't have to use it. Here is the config without the DHCP:

ip vrf GREEN
 rd 2:2
!
ip vrf RED
 rd 1:1
!
interface GigabitEthernet0/0
 description Link to ISP
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip vrf forwarding RED
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip vrf forwarding GREEN
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip route vrf GREEN 0.0.0.0 0.0.0.0 10.10.10.2 global
ip route vrf RED 0.0.0.0 0.0.0.0 10.10.10.2 global
Thank you. I will keep you posted on the result.

Best Regards,

Masood

This is my default gateway IP, i.e. the provider:

10.10.10.2

ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip route vrf GREEN 0.0.0.0 0.0.0.0 10.10.10.2 global
ip route vrf RED 0.0.0.0 0.0.0.0 10.10.10.2 global

Correct?

Best Regards,

Masood

Hi,

I can ping the VRF interfaces but I do not see those IPs in the sh ip route command output. Also, I do not have Internet connectivity. I can ping the provider from the router.

Any thoughts please?

Regards,

Masood

Hello,

post the full config of the router, I need to see how your NAT is set up...

Sure, will do.

I did not have NAT!?

If I put NAT in there then the SonicWall will think it is double NATing and that would be a nightmare. I will post the config for you to see.

I was able to ping the interfaces under each VRF but I could not see those subnets under the sh ip route command. It was a routing problem for sure but I could not figure out why. I thought about NAT but I cannot add NAT because of the SonicWalls (someone else manages the SonicWalls).

Best Regards,

Masood

Hello,

this is what I added to the configs for VRF:

ip vrf Blue
 rd 2:2
!
ip vrf Yellow
 rd 1:1
!
interface GigabitEthernet0/0
 description Link to ISP
 ip address 10.10.10.1 255.255.255.252
 duplex full
 speed 100
 media-type rj45
!
interface GigabitEthernet0/1
 ip vrf forwarding Blue
 ip address 192.168.1.129 255.255.255.128
 duplex full
 speed 100
 media-type rj45
!
interface GigabitEthernet0/2
 ip vrf forwarding Yellow
 ip address 192.168.1.2 255.255.255.128
 duplex full
 speed 100
!
! (the VRF and address lines on Gi0/1 and Gi0/2 are shown as applied;
!  the show ip vrf detail output below confirms the VRF membership)
!
! 10.10.10.2 is the provider side.
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip route vrf Blue 0.0.0.0 0.0.0.0 10.10.10.2 global
ip route vrf Yellow 0.0.0.0 0.0.0.0 10.10.10.2 global
!

show commands:

hostname#show ip vrf detail Blue
VRF Blue (VRF Id = 1); default RD 2:2; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Gi0/1
Address family ipv4 unicast (Table ID = 0x1):
  Flags: 0x0
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

Hostname-BR1#show ip vrf detail Yellow
VRF Yellow (VRF Id = 2); default RD 1:1; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Gi0/2
Address family ipv4 unicast (Table ID = 0x2):
  Flags: 0x0
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

I was able to ping the provider.

I was able to go under each VRF and ping the IPs under each interface.

The router did not object to same-mask IPs under the two Gi interfaces.

BUT

There was no Internet connectivity to the LAN. I reverted the solution to restore operation. I still need to do this when I figure out what routing problem was there and/or missing in this VRF config.

Best Regards,

Masood

Hi, I am posting the config here.

I was able to ping the provider and I could ping my Gi0/1 and Gi0/2 when I was under the VRFs Blue and Yellow.

Yet, I could not see the IP addresses of the interfaces under the ip route statement except the provider's IP.

Best Regards,

Masood

Sorry, I also hate to respond to my own link:

I think I needed to do some route leaking which I did not do!?
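As an added illustration (not part of the thread), here is what static route leaking between the global table and the VRFs would look like for the GREEN/RED layout posted earlier in this thread, and the caveat that makes it a poor fit for two firewalls on the same prefix. Interface names and addresses are taken from that earlier config; the leak route and the show commands are my additions.

```cisco
! Added illustration, not config from the thread. Interface names and
! addresses follow the earlier GREEN/RED config in this discussion.
!
! Outbound direction (already present): each VRF's default route
! resolves its next hop in the global table.
ip route vrf RED 0.0.0.0 0.0.0.0 10.10.10.2 global
ip route vrf GREEN 0.0.0.0 0.0.0.0 10.10.10.2 global
!
! Return direction (what the posted config lacks): a reply from the ISP
! for 192.168.1.x arrives on Gi0/0 in the global table. The global table
! only knows 10.10.10.0/30 and the default route, so it has no route
! into either VRF and the reply never reaches the SonicWall.
! A global static route whose exit interface belongs to a VRF leaks the
! prefix back in; since 192.168.1.0/24 is directly connected on Gi0/1,
! the router can ARP for each host there.
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1
!
! The catch: the identical prefix also lives in GREEN on Gi0/2. Adding
! a second leak route for the same prefix via Gi0/2 would give the
! global table two equal paths for 192.168.1.0/24, and the router could
! not tell which SonicWall a returning packet belongs to:
! ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/2   <- ambiguous
!
! Checks: the VRF tables should show the connected prefix plus the
! default, and the global table should now hold the leaked prefix.
show ip route vrf RED
show ip route vrf GREEN
show ip route 192.168.1.0 255.255.255.0
```

This only covers forwarding inside the router; whether the provider will carry traffic sourced from 192.168.1.0/24 is a separate question, which is why the NAT placement was asked about earlier in this thread.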

I am not particularly expert on SonicWall but based on what I do know and on the diagram that you posted I am assuming that the SonicWalls are operating as a failover pair. Can you provide any information about the IP addressing configured on the SonicWalls? If they are a failover pair I am assuming that the SonicWall expects to be able to communicate directly with its peer (ARP for the peer address and communicate directly) and may want to try to track reachability of the peer interface (perhaps some type of heartbeat). Since VRF is designed to keep things separated my guess is that VRF is not an appropriate solution.

I agree that the suggestion about using a switch module is the optimum solution. But if that is not feasible then I would suggest that you use Integrated Routing and Bridging. IRB will allow you to put both physical interfaces into a bridge group and to bridge between the interfaces. It will allow you to put an IP address onto the BVI virtual interface. This should allow both SonicWall units to communicate with each other and with the router, to monitor each other's reachability, and to fail over while it allows the router to communicate directly with both SonicWall units.

HTH

Rick
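An added example (not config from the thread or from Rick) of the IRB arrangement described above, using the interface names from the earlier posts. The bridge-group number, the BVI address 192.168.1.1/24 and the default route are assumed values to adapt to the real addressing.

```cisco
! Added example of IRB with a BVI; not configuration from the thread.
! Interface names follow the earlier posts; bridge group 1 and the
! BVI address are assumptions.
!
! Enable Integrated Routing and Bridging globally.
bridge irb
!
interface GigabitEthernet0/0
 description Link to ISP
 ip address 10.10.10.1 255.255.255.252
!
! Both SonicWall-facing ports give up their IP addresses and join one
! bridge group, so the two firewalls share a single broadcast domain
! and can ARP for and monitor each other directly, as they did behind
! the old 3550 switch.
interface GigabitEthernet0/1
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/2
 no ip address
 bridge-group 1
!
! The router's own address on the shared LAN lives on the BVI; this is
! the gateway the SonicWalls point at. Nothing else on the router
! carries a 192.168.1.x address, so there is no overlap to reject.
interface BVI1
 ip address 192.168.1.1 255.255.255.0
!
bridge 1 protocol ieee
! Route IP between the bridge group and the routed interfaces
! (without this line IP stays bridged and the BVI is not used).
bridge 1 route ip
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
! Verification: both Gi ports listed in the bridge group, BVI1 up with
! its address, and both firewall MACs learned in the bridge table.
show bridge 1
show interfaces bvi 1
show ip interface brief
```

With this layout the router sees one connected subnet on BVI1 and one routed link to the provider, so the global routing table needs no VRFs and no leak routes.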

Correct! I also researched and found that bridging should work for this scenario. I do not have access to the SonicWalls. I am also positive that the BVI interface will work. I have been reading:

https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/200650-Understanding-Bridge-Virtual-Interface.html

and

https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/17054-741-10.html

Thank you so much for your help and insight. Very helpful.

Best Regards,

Masood

Masood

I am glad that my suggestion about IRB confirms what you had found in your research. Have you implemented it yet? Does it work for you as expected? Thank you for marking this question as solved. This will help other participants in the forum to identify discussions which have helpful information.

HTH

Rick

Thanks to you.

It does work. This is a feature on Cisco routers that my old knowledge had not come across!

This was an operational network and not a practice one, and my time was short.

Best Regards,

Masood

Masood

Thanks for confirming that you have implemented it in a production network and that it works. It is my perspective that IRB with bridging and with the BVI is not widely used. But there are places where it is appropriate and is used and you have one of those situations. Glad to know that you have it working and that our advice was helpful.

HTH

Rick