How to prevent communication between two subnets in the same VRF.

Hello,

 

I have as many as 90 subnets in a single VRF (each subnet is assigned to a building). From a security point of view, I don't want one building's subnet to talk to another building's subnet, even though they are part of the same VRF. An ACL is one option, but it is not practical with so many subnets.

 

Please suggest whether there is some way to control the communication between two subnets in the same VRF.

8 Replies

Jon Marshall
Hall of Fame

 

If you don't want them to talk to each other, then why are they in the same VRF?

 

If they have to be, then you have to use access-lists, practical or otherwise.

 

Jon

Because they are all part of the same service. Let's call it a Home CCTV service; I don't want them to see each other due to security concerns.

Seb Rupik
VIP Alumni

As @Jon Marshall mentions, an ACL is your best option. Assuming you have allocated your building subnets with aggregation in mind, i.e. in contiguous blocks, you should be able to create very brief ACLs with sufficiently large netmasks to cover all of the buildings.

 

cheers,

Seb.

It might be a little difficult to use a large subnet mask.

For example, I have 10.74.1.0 - 10.74.150.0, i.e. 150 /24 subnets in 150 buildings. I may have to deny all /24 subnets for each building.

Try thinking about what you want to allow rather than what you want to prohibit. That may end up as a simpler ACL.

 

Hope this helps

 

Dave

Hello

 


@capgemini-network wrote:

Hello,

I don't want my one building subnet to talk to another building subnet

You don't have to apply the RACL to every subnet. At most you're looking at two (assuming each subnet equates to an SVI or sub-interface).


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I would tend to create a single ACL:

permit any to server subnet(s)

deny any

 

and apply it to all access VLAN SVIs. You may need a few more addresses in the ACL, but I hope you get the idea.

 

That means you only have to maintain one ACL.

 

Hope this helps

 

Dave
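The single shared ACL Dave describes, combined with Seb's point about aggregating the building subnets, as an added IOS configuration example (not from any poster in this thread). The addressing is assumed for illustration: the 150 building /24s are taken to sit inside 10.74.0.0/16 (wildcard 0.0.255.255), the shared CCTV servers in 10.74.200.0/24, the DHCP relay target 10.74.200.10, and VLAN 101/102 as two of the building SVIs. Because the ACL is applied inbound on every building SVI, traffic between hosts in the same building never crosses the SVI and is unaffected; only routed traffic is filtered.

```cisco
! Assumed addressing (example only): buildings 10.74.1.0/24 .. 10.74.150.0/24,
! aggregated as 10.74.0.0 0.0.255.255; CCTV servers in 10.74.200.0/24.
ip access-list extended BUILDING-ISOLATION
 remark Let hosts reach DHCP via the relay; an inbound ACL would otherwise drop the DISCOVER
 permit udp any eq bootpc any eq bootps
 remark Any building may reach the shared CCTV servers (must come before the deny below)
 permit ip 10.74.0.0 0.0.255.255 10.74.200.0 0.0.0.255
 remark Building-to-building traffic is dropped; log it for detection
 deny   ip 10.74.0.0 0.0.255.255 10.74.0.0 0.0.255.255 log
 remark Everything else (e.g. Internet) is denied, matching the implicit deny
 deny   ip any any
!
interface Vlan101
 description Building 1 CCTV
 ip address 10.74.1.1 255.255.255.0
 ip helper-address 10.74.200.10
 ip access-group BUILDING-ISOLATION in
!
interface Vlan102
 description Building 2 CCTV
 ip address 10.74.2.1 255.255.255.0
 ip helper-address 10.74.200.10
 ip access-group BUILDING-ISOLATION in
```

Two caveats a practitioner should check. First, the aggregate 10.74.0.0 0.0.255.255 is a superset of the 150 building subnets, so anything else living in 10.74.0.0/16 that buildings are supposed to reach needs its own permit line above the deny. Second, this inbound ACL only governs traffic that originates in a building; traffic the servers initiate toward a building arrives on the server SVI and is not filtered here, so if the servers must not reach building hosts unsolicited, a matching ACL (or a reflexive/stateful control) is needed on that side. After applying it, `show ip access-lists BUILDING-ISOLATION` shows per-entry hit counters, which is a quick way to confirm that the deny line is actually catching cross-building attempts rather than the permit to the server subnet swallowing them.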

Joseph W. Doherty
Hall of Fame
In addition to what the other posters have already mentioned, another possible approach might be to partition your network using routing protocol(s), i.e. you would determine what you redistribute between routing topologies. (One advantage of VRF, you can keep topologies separate on the same router, i.e. they don't automatically go into the same global routing table on that device.)