Solved: can we use IPs from same subnet on Cisco 2911 ethernet ports using IP VRF?

m-abooali · ‎08-06-2018

HI FOLKS,

client has two Sonicwalls on same subnets which was connected to a Switch (Cisco 3550). now, that Switch has been replaced with Cisco 2911 router. one ether port to provider, one ether port to main Sonicwall and all working fine. they need the second Sonicwall to be connected to the third and last Ethernet port on this router but same subnet. router doesn't accept same sublet and rightly so. they cannot change IPs and Subnets on their firewalls.

can IP vrf help in this situation?

Best Regards,

Masood

Richard Burts · ‎08-08-2018

I am not particularly expert on Sonicwall but based on what I do know and on the diagram that you posted I am assuming that the Sonicwall are operating as a failover pair. Can you provide any information about the IP addressing configured on the Sonicwalls? If they are a failover pair I am assuming that the Sonicwall expects to be able to communicate directly with its peer (arp for the peer address and communicate directly) and may want to try to track reachability of the peer interface (perhaps some type of heart beat). Since vrf is designed to keep things separated my guess is that vrf is not an appropriate solution.

I agree that the suggestion about using a switch module is the optimum solution. But if that is not feasible then I would suggest that you use Integrated Routing and Bridging. IRB will allow you to put both physical interfaces into a bridge group and to bridge between the interfaces. It will allow you to put an IP address onto the BVI virtual interface. This should allow both Sonicwall units to communicate with each other and with the router, to monitor each other reachability, and to fail over while it allows the router to communicate directly with both Sonicwall units.

HTH

Rick

HTH

Rick

View solution in original post

Georg Pauwen · ‎08-06-2018

Hello,

indeed VRFs would work:

ip vrf RED
rd 1:1
!
ip vrf GREEN
rd 2:2
!
interface GigabitEthernet0/0
ip vrf forwarding RED
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip vrf forwarding GREEN
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
media-type rj45

m-abooali · ‎08-06-2018

THANK YOU!

if this solves my issue then would be great.

thank you. i will test the solution tonight.

best Regards,

Masood

m-abooali · ‎08-06-2018

Hi,

would machines connected to Sonicwall 1 would talk to machine connected to Sonicwall 2 using this Red and Green vrf?

best Regards,

Masood

Georg Pauwen · ‎08-06-2018

m-abooali · ‎08-06-2018

I'm afraid I did not follow your response.

Best Regards,

Masood

Georg Pauwen · ‎08-06-2018

It depends...you would have to do some sort of route leaking. Can you provide a schematic drawing of what your topology should look like ?

m-abooali · ‎08-06-2018

Hi,

Please see Drawing:

Best Regards,

Masood

m-abooali · ‎08-06-2018

Please see drawing.

I have no any other options but to get this vfr solution work with same subnets on each ethernet interfaces on this Cisco 2911 router.

Best Regards,

Masood']

Georg Pauwen · ‎08-06-2018

I'll have to lab this...will get back with you...

Harold Ritter · ‎08-06-2018

I am not sure you have the right module on the 2911, but wouldn't it be easier to connect the 2 Sonicwall devices into the 2911 using two L2 ports and create a vlan interface with one IP address?

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

m-abooali · ‎08-06-2018

Hi,

I do not have a Switching module in this router. That is the problem. I am also waiting on a Cisco 3750G L3 Switch but it will be here next week. Meanwhile, I need to get these working using the vfr config for now. Pressure. I have not been involved in any off previous configurations and IP assignment. I was just pulled into this.

I hope the vrf example you sent me will do the trick!?

Best Regards,

Masood

m-abooali · ‎08-06-2018

unfortunately, I do not have my GNS3 Lab PC with me here otherwise I would have lab test this vrf solution before adding to the router.

I was wondering if I need an IP route or default gateway statement under each vrf?

Best Regards,

Masood

Georg Pauwen · ‎08-06-2018

Hello,

below is a sample config:

ip vrf GREEN
rd 2:2
!
ip vrf RED
rd 1:1
!
ip dhcp excluded-address vrf RED 192.168.1.1
ip dhcp excluded-address vrf GREEN 192.168.1.2
!
ip dhcp pool RED
vrf RED
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool GREEN
vrf GREEN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
!
interface GigabitEthernet0/0
description Link to ISP
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip vrf forwarding RED
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip vrf forwarding GREEN
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip route vrf GREEN 0.0.0.0 0.0.0.0 10.10.10.2 global
ip route vrf RED 0.0.0.0 0.0.0.0 10.10.10.2 global

m-abooali · ‎08-06-2018

Hi George,

I hope you don;t mind my question below:

We do not have DHCP and all is static, so, this dhcp statements are just for the sake of internal use between the two vrfs?
Best Regards,

Masood