
How to leak routes between vrf VLANs and global VLANs on same switch

2ndcongress
Level 1

I have a 3850 L3 core switch with VLANs in three different routing domains (global, vrf Inside and vrf DMZ). My DNS servers and other resources are in global VLANs. Hosts in each of the two VRFs need to be able to connect to DNS servers in a global VLAN.

 

Having difficulty finding a clear example of how leaking of routes can be accomplished with the above scenario.

 

Here's my basic configuration:

ip vrf DMZ
!
ip vrf Inside
!

interface Vlan6
description Inside VLAN
ip vrf forwarding Inside
ip address 10.6.1.1 255.255.255.0
end

!

interface Vlan7
description DMZ VLAN
ip vrf forwarding DMZ
ip address 10.7.1.1 255.255.255.0
end

!

interface Vlan10
description DNS Server VLAN
ip address 10.10.1.1 255.255.255.0
end

!

DNS server host in VLAN 10: 10.10.1.5

 

Using static routes, how can I allow all hosts in vrf VLANs 6 & 7 access to a DNS server in VLAN 10 with IP address 10.10.1.5 ?

 

Thank you!!

Accepted Solutions

Hello


@2ndcongress wrote:

 

 

Using static routes, how can I allow all hosts in vrf VLANs 6 & 7 access to a DNS server in VLAN 10 with IP address 10.10.1.5 ?

 


You need to tell the rtr/switch how to reach each VRF subnet, which reside in their own VRF route tables, and tell the VRF subnets how to reach VLAN 10, which resides in the global route table.

So try adding:

! Global table: return routes to the VRF subnets via their SVIs
ip route 10.6.1.0 255.255.255.0 Vlan6
ip route 10.7.1.0 255.255.255.0 Vlan7
! VRF tables: route to the DNS VLAN, next hop resolved in the global table
ip route vrf Inside 10.10.1.0 255.255.255.0 Vlan10 10.10.1.5 global
ip route vrf DMZ 10.10.1.0 255.255.255.0 Vlan10 10.10.1.5 global


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
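
A narrower variant of the routes above, as an added example that is not part of the original answer: it leaks only the DNS host 10.10.1.5 into each VRF as a /32 and filters the VRF SVIs so that only DNS (port 53) reaches it. The ACL names are hypothetical, and the `Vlan10 10.10.1.5 global` route form mirrors the answer rather than being verified on a 3850.

```cisco
! Added example: leak the DNS host only, not the whole DNS VLAN.
!
! Global table: return path so DNS replies reach the VRF subnets
ip route 10.6.1.0 255.255.255.0 Vlan6
ip route 10.7.1.0 255.255.255.0 Vlan7
!
! VRF tables: /32 host route to the DNS server instead of 10.10.1.0/24
ip route vrf Inside 10.10.1.5 255.255.255.255 Vlan10 10.10.1.5 global
ip route vrf DMZ 10.10.1.5 255.255.255.255 Vlan10 10.10.1.5 global
!
! Inbound filter on the Inside SVI (ACL name is hypothetical):
! DNS to 10.10.1.5 is allowed, anything else toward VLAN 10 is dropped,
! and traffic that stays inside the VRF is untouched.
ip access-list extended INSIDE-TO-GLOBAL
 permit udp 10.6.1.0 0.0.0.255 host 10.10.1.5 eq domain
 permit tcp 10.6.1.0 0.0.0.255 host 10.10.1.5 eq domain
 deny   ip any 10.10.1.0 0.0.0.255 log
 permit ip any any
!
! Same filter for the DMZ SVI (ACL name is hypothetical)
ip access-list extended DMZ-TO-GLOBAL
 permit udp 10.7.1.0 0.0.0.255 host 10.10.1.5 eq domain
 permit tcp 10.7.1.0 0.0.0.255 host 10.10.1.5 eq domain
 deny   ip any 10.10.1.0 0.0.0.255 log
 permit ip any any
!
interface Vlan6
 ip access-group INSIDE-TO-GLOBAL in
!
interface Vlan7
 ip access-group DMZ-TO-GLOBAL in
!
! Checks to run from exec mode after applying:
!   show ip route vrf Inside 10.10.1.5
!   show ip route vrf DMZ 10.10.1.5
!   show ip route 10.6.1.0
!   show ip access-lists INSIDE-TO-GLOBAL
```

Hits on the `deny ... log` entries show hosts in a VRF trying to reach something in VLAN 10 other than DNS, which is the traffic the VRF separation is meant to keep out.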



That worked beautifully, thank you very much!

 

 

BGP is the right way to do route leaking between VRFs....

a.alekseev
Level 7
If you need leaking, why do you need VRFs?

The VRFs were needed for a complex migration of a VMware farm where the old and new environments have completely different ingress/egress but share the same core switch (until the old environment can be fully decommissioned). There were a few host servers that need to be accessible to both environments temporarily. Whereas for everything else, total separation is needed. Loving the VRFs... They have greatly simplified the routing and will prevent all kinds of potential disasters during the migration. The DMZ VRF makes for a terrific alternative to a separate switch stack for DMZ hosts.