Leaking global connected route to vrf

Graham Murison
Level 1

This is my first entry into VRFs.
I have been asked to separate each user section by floor into separate VLANs. The printers VLAN is separated as well, for security and control as defined by business rules.

I have a 3850 (StackWise Virtual) acting as the default gateway for all VLANs, with an SVI in each VLAN. Each VLAN has a dedicated VRF to control the route paths. I want to avoid sending print traffic to my upstream firewall, but all other traffic needs to go there.

I am able to get this working when the Printers and User1 SVIs are both in the same VRF, but I assume that is a given and by design.

My config is attached below.

<fw> ---- <C3850vs> ---- <C2960>  ---- <client>

I am using static routes right now, but intend to move to routing protocols when I have a better understanding.



Edited for more info.

Accepted Solution

Graham Murison
Level 1

Thought I would update this post with my solution. I realize that this may be a unique use case, but...



I added "route-replicate from vrf" to the IPv4 address family under the VRF definition:
========
vrf definition Users1-vrf
 !
 address-family ipv4
  route-replicate from vrf Printers-vrf unicast connected
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface Vlan110
 vrf forwarding Users1-vrf
 ip address 10.96.x.1 255.255.254.0
!
ip route vrf Users1-vrf 0.0.0.0 0.0.0.0 10.0.z.1 global permanent
!
========
vrf definition Printers-vrf
 description Printers VLAN Virtual Routing and Forwarding
 !
 address-family ipv4
  route-replicate from vrf Users1-vrf unicast connected
  route-replicate from vrf Users2-vrf unicast connected
  route-replicate from vrf Users3-vrf unicast connected
  route-replicate from vrf Users4-vrf unicast connected
  route-replicate from vrf IT-vrf unicast connected
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface Vlan60
 description SVI for Printers VLAN
 vrf forwarding Printers-vrf
 ip address 10.96.y.1 255.255.255.0
!
ip route vrf Printers-vrf 0.0.0.0 0.0.0.0 10.0.z.1 global permanent
!
========
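To see what the replicated tables actually contain, here is an added Python model (not part of the thread and not Cisco's implementation) that parses the statements the accepted solution relies on (vrf definition, route-replicate, vrf forwarding, ip address, ip route vrf ... global) into one routing table per VRF and does a longest-prefix lookup in it. The sample config is constructed: the x/y/z octets the post masks out are filled with made-up values, and the IT-vrf block is an assumption (the thread never shows it) that deliberately has no route-replicate line of its own, so the lookups show that replication is one-directional.

```python
import ipaddress

# Constructed sample in the style of the accepted solution above. The x/y/z
# octets the post masks out are filled with made-up values, and the IT-vrf
# block is an assumption (the thread never shows it) that deliberately has
# no route-replicate line of its own.
SAMPLE_CONFIG = """\
vrf definition Users1-vrf
 address-family ipv4
  route-replicate from vrf Printers-vrf unicast connected
 exit-address-family
!
vrf definition Printers-vrf
 address-family ipv4
  route-replicate from vrf Users1-vrf unicast connected
  route-replicate from vrf IT-vrf unicast connected
 exit-address-family
!
vrf definition IT-vrf
 address-family ipv4
 exit-address-family
!
interface Vlan110
 vrf forwarding Users1-vrf
 ip address 10.96.10.1 255.255.254.0
!
interface Vlan60
 vrf forwarding Printers-vrf
 ip address 10.96.60.1 255.255.255.0
!
interface Vlan70
 vrf forwarding IT-vrf
 ip address 10.96.70.1 255.255.255.0
!
ip route vrf Users1-vrf 0.0.0.0 0.0.0.0 10.0.5.1 global permanent
ip route vrf Printers-vrf 0.0.0.0 0.0.0.0 10.0.5.1 global permanent
"""

def parse_config(text):
    """Pick out only the statements the thread relies on.
    replicate[vrf] -> source VRFs named in route-replicate
    connected[vrf] -> [(network, interface)]
    statics[vrf]   -> [(network, next hop, table the next hop is resolved in)]"""
    replicate, connected, statics = {}, {}, {}
    vrf = iface = iface_vrf = None
    for raw in text.splitlines():
        words = raw.split()
        line = " ".join(words)  # normalises indentation
        if line.startswith("vrf definition "):
            vrf, iface = words[2], None
            replicate.setdefault(vrf, [])
            connected.setdefault(vrf, [])
        elif line.startswith("route-replicate from vrf ") and vrf:
            replicate[vrf].append(words[3])
        elif line.startswith("interface "):
            iface, iface_vrf, vrf = words[1], None, None
        elif line.startswith("vrf forwarding ") and iface:
            iface_vrf = words[2]
        elif line.startswith("ip address ") and iface:
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            connected.setdefault(iface_vrf, []).append((net, iface))
        elif line.startswith("ip route vrf "):
            net = ipaddress.ip_network(f"{words[4]}/{words[5]}")
            table = "global" if "global" in words[7:] else words[3]
            statics.setdefault(words[3], []).append((net, words[6], table))
    return replicate, connected, statics

def build_ribs(replicate, connected, statics):
    """One table per VRF: own connected routes, then the connected routes of
    each VRF named in route-replicate, then statics."""
    ribs = {}
    for vrf in set(replicate) | set(connected) | set(statics):
        rib = [(net, f"connected {ifc}", vrf) for net, ifc in connected.get(vrf, [])]
        for src in replicate.get(vrf, []):
            rib += [(net, f"replicated from {src} ({ifc})", src)
                    for net, ifc in connected.get(src, [])]
        rib += [(net, f"static via {nh}", tbl) for net, nh, tbl in statics.get(vrf, [])]
        ribs[vrf] = rib
    return ribs

def lookup(ribs, vrf, dst):
    """Longest-prefix match in one VRF; None means no route (traffic dropped)."""
    addr, best = ipaddress.ip_address(dst), None
    for net, desc, tbl in ribs.get(vrf, []):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, desc, tbl)
    return best

def forwarding_decision(config_text, src_vrf, dst):
    """Describe where a packet leaving src_vrf for dst is sent."""
    hit = lookup(build_ribs(*parse_config(config_text)), src_vrf, dst)
    if hit is None:
        return "no route"
    net, desc, tbl = hit
    return f"{net} {desc}" + (" (next hop resolved in global table)" if tbl == "global" else "")

if __name__ == "__main__":
    print(forwarding_decision(SAMPLE_CONFIG, "Users1-vrf", "10.96.60.25"))
```

Running the lookups shows what the thread was after: from Users1-vrf the printer subnet resolves to the replicated connected route and stays on the switch, another user VLAN (10.96.70.0/24 in the sample) resolves only to the default route and is handed to the firewall, and a VRF that does not replicate the printer subnet itself has no route to it at all, which is why each user VRF needs its own route-replicate line in addition to the ones under Printers-vrf.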



7 Replies

Hi

I see some possibilities, but they need to be tested.

Route-map and VRF receive configuration would be one possibility, but it would create a lot of coding, as you need to share all the VRFs but only the IT-vrf can not go out to global.

I believe a simpler way might be to change the routing, using the switch as the gateway instead of the firewall:

ip route vrf Printers-vrf 0.0.0.0 0.0.0.0 10.0.5.2 global
ip route vrf Users1-vrf 0.0.0.0 0.0.0.0 10.0.5.2 global
ip route vrf Users2-vrf 0.0.0.0 0.0.0.0 10.0.5.2 global
ip route vrf Users3-vrf 0.0.0.0 0.0.0.0 10.0.5.2 global
ip route vrf Users4-vrf 0.0.0.0 0.0.0.0 10.0.5.2 global

Now the traffic between VRFs would stay on the switch only. But then you have a default route to the firewall, which would give connectivity from IT-vrf to the firewall anyway. To fix this, you could use an ACL denying the traffic from IT-vrf to the firewall.

ip access-list extended 100
 remark extended ACLs take a wildcard mask, so /24 is 0.0.0.255, not 255.255.255.0
 deny ip 10.96.60.0 0.0.0.255 host 10.0.5.1
 permit ip any any
!
interface Vlan60
 description SVI for Printers VLAN
 vrf forwarding IT-vrf
 ip address 10.96.60.1 255.255.255.0
 ip helper-address vrf Printers-vrf 10.96.20.20
 ip access-group 100 in
!
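Extended ACLs take wildcard masks (a 0 bit must match the base address, a 1 bit is "don't care"), so the /24 in the reply above is written 10.96.60.0 0.0.0.255. As an added check that is not from the thread, this Python evaluator runs constructed source/destination pairs through the two-line ACL and contrasts the wildcard form with a subnet mask mistakenly placed in the wildcard position, which silently changes what the deny entry catches.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco ACL address match: wildcard bit 0 = must equal base, 1 = don't care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate_acl(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny.
    entries: (action, src_base, src_wildcard, dst_base, dst_wildcard)"""
    for action, sb, sw, db, dw in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword
FIREWALL = ("10.0.5.1", "0.0.0.0")     # 'host 10.0.5.1' from the reply

# The reply's intent: block the printer /24 from reaching the firewall, allow the rest.
ACL_WILDCARD = [
    ("deny", "10.96.60.0", "0.0.0.255", *FIREWALL),
    ("permit", *ANY, *ANY),
]
# The same two lines with a subnet mask where the wildcard belongs.
ACL_SUBNET_MASK = [
    ("deny", "10.96.60.0", "255.255.255.0", *FIREWALL),
    ("permit", *ANY, *ANY),
]

def compare(src, dst):
    """Return (verdict with wildcard mask, verdict with subnet mask) for one flow."""
    return evaluate_acl(ACL_WILDCARD, src, dst), evaluate_acl(ACL_SUBNET_MASK, src, dst)

if __name__ == "__main__":
    # Constructed flows: a printer host to the firewall, a printer host elsewhere,
    # and an unrelated host whose last octet happens to be 0.
    for src, dst in [("10.96.60.25", "10.0.5.1"), ("10.96.60.25", "10.0.5.9"),
                     ("192.0.2.0", "10.0.5.1")]:
        print(f"{src} -> {dst}: {compare(src, dst)}")
```

With 255.255.255.0 as the wildcard, only the last octet is compared, so 10.96.60.25 to the firewall is permitted while any host ending in .0, from any network, is denied; the 0.0.0.255 form matches the whole /24 as intended.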

 

 

Thank you for the replies. Apologies for my posted config; it was missing some actual config on the switches.

I am sure I can get it working fine by sending all traffic to the firewall; however, I need to avoid sending print traffic to the firewall, since the risk is minimal.

I will look at and test route maps as an option.

You separate the prefixes with VRFs and then you use leaking; where is the security? VRFs are used to completely separate the traffic at L3.
Can you elaborate more?

Good point; however, I hope to control which routes get leaked between VRFs.

Route maps may be best, but I have to do some significant testing.

Yes, sure, you can use VRF leaking with route-map import or export; the route-map lets you control exactly which VRF prefixes can leak into another VRF.

But let me note something here.

In VRF designs we build what we call a "shared VRF"; this VRF includes all services like DNS and DHCP, and in your case the printers.

All other VRFs can access only this shared VRF, i.e. there is no need for VRF leaking between the other VRFs.

Graham Murison
Level 1

Thanks I will look at this and elaborate further when I return from vacation in a couple weeks.
