Getting VRF routes into global route table with global

Steven Williams
Level 4

I have switch 1 and it has 4 VRFs (VRF1, VRF2, VRF3, VRF4) and a layer 3 interface northbound to a firewall that doesn't belong to a VRF. I can leak the default route from the global route table to each VRF, which would tell each VRF to take the layer 3 link to the firewall. Now the issue is when VRF1 needs to get to VRF2 from the firewall it would need to send it back down the same layer 3 interface to switch 1, but then I would have to leak all the routes from VRF2 to the global route table, correct? I assume this would be fine since the traffic would have to be inspected and allowed through the firewall northbound anyway.

4 Replies

Hello


@Steven Williams wrote:

. Now the issue is when VRF1 needs to get to VRF2 from the firewall it would need to send it back down the same layer 3 interface to switch 1, but then I would have to leak all the routes from VRF2 to the global route table correct? 


Why not just put these two networks in the same vrf if they need to communicate with each other?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Because only certain servers need to communicate, and also all server-to-server communication needs to be inspected, and no one wants to pay the money for NSX and east-west inspection.

Mike.Cifelli
VIP Alumni
You have a few options. The design depends on your requirement. Is the requirement to have all traffic traverse the firewall? If not, why not just leak between the VRFs on your L3 switch? You also have the option, if you have proper licensing, to run multi-context and route leak at the firewall. Multi-context would be more secure. However, to Paul's point, you may be better off just putting the two networks in the same VRF if all hosts require communication.

The goal is to inspect as much traffic as possible without doing something like NSX. So all user networks are in a VRF and server networks are in separate VRFs, because your client-to-server traffic is greater than client-to-client. So static routes are going to be the method of achieving this, unless I want to run a single link from the core to the firewall northbound for every VRF in the core switch and then route that traffic back down to another link belonging to another VRF. But I have been trying to achieve 40G links from core to firewalls, so running multiples will get costly.

So without running BGP, static routes from vrf to the global route table is about the only option unless I want to do crazy things like GRE tunnels between VRFs.
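The static-route design the thread converges on (default route leaked from global into each VRF, VRF subnets leaked back into global so the firewall can hairpin traffic down the same link) looks like this on an IOS-style L3 switch. This is an added example written for this thread, not configuration posted by any of the participants; the interface names, VLAN IDs and all addresses are made up, and only VRF1 and VRF2 are shown (VRF3 and VRF4 follow the same pattern).

```cisco
! Added example (not from the thread). Assumed names and addressing throughout.
!
! VRFs for the user and server networks
vrf definition VRF1
 address-family ipv4
vrf definition VRF2
 address-family ipv4
!
! Northbound L3 link to the firewall stays in the global table (no "vrf forwarding")
interface GigabitEthernet1/0/1
 description To-Firewall (global table)
 ip address 10.0.0.2 255.255.255.252
!
! VRF-member SVIs (assumed addressing)
interface Vlan10
 vrf forwarding VRF1
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 vrf forwarding VRF2
 ip address 10.20.0.1 255.255.255.0
!
! 1) Leak from global into each VRF: a default route whose next hop (the firewall)
!    is resolved in the global table, which is what the "global" keyword does.
!    Nothing else is leaked into the VRFs, so VRF1 has no direct path to VRF2.
ip route vrf VRF1 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 10.0.0.1 global
ip route vrf VRF2 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 10.0.0.1 global
!
! 2) Leak from each VRF into global: a global static route for every VRF subnet
!    pointing at the VRF-member interface, so traffic the firewall sends back down
!    the same link is delivered into the right VRF. A directly connected subnet
!    needs only the interface; a subnet behind a router inside the VRF needs the
!    interface plus the next hop, which is then resolved in that interface's VRF.
ip route 10.10.0.0 255.255.255.0 Vlan10
ip route 10.20.0.0 255.255.255.0 Vlan20
! ip route 10.21.0.0 255.255.255.0 Vlan20 10.20.0.2   (subnet behind a next hop inside VRF2)
!
! Verification (exec mode): the VRF should show only the default via the firewall,
! and the global table should show the VRF subnet via its SVI.
! show ip route vrf VRF1
! show ip route 10.20.0.0
```

With this in place a VRF1 host reaching a VRF2 host is forwarded to the firewall by the VRF1 default, comes back to the switch on the same link after inspection, and is delivered through the global route for 10.20.0.0/24 into Vlan20; the reverse direction works the same way through the VRF2 default and the global route for 10.10.0.0/24. Two things to confirm: the firewall itself must hold routes for every VRF subnet via 10.0.0.2 and a policy that allows traffic to re-exit the interface it arrived on, and no static route must ever be added inside one VRF pointing at another VRF's interface, because that would let the two VRFs talk on the switch without the firewall seeing it.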