Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
470
Views
0
Helpful
2
Replies

Multiple VRFs on LAN

coder2501
Level 1
Level 1

‎02-11-2015 11:23 AM - edited ‎03-05-2019 12:46 AM

Dear all,

I am fairly new to this forum, and would like to introduce myself first. My name is Michael and I am a network consultant.

One of our client has a challenge with local LAN separation, the scenario is like following:

 

  • Hub and spoke IPSEC/GRE
  • Spokes need complete separation of 3 x LAN subnets (Voice, Data, Video) from each other.
  • The traffic between these subnets should only be allowed/filtered by the Hub router.

 

What I wanted to propose is on the Spokes: 3 x VRF lite

So far so good, but how am I going to deal with uplink/WAN. Would that mean, that I would need three Tunnels as well?

 

Ideal would be 3 VRFs for LAN and One single Uplink to the Hub where all VRFs are send over. Any idea how to achieve this?

 

Best

Mike

 

 

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎02-11-2015 12:12 PM

Mike

Ideal would be 3 VRFs for LAN and One single Uplink to the Hub where all VRFs are send over. Any idea how to achieve this?

I don't think this is possible or at least I don't know of a way to do it because the hub device tunnel interface would be in the global routing table or one of the VRFs which wouldn't work.

If you have 3 VRFs at each spoke and you want to maintain that segregation at the hub then you need three tunnels at the hub ie. effectively you have 3 DMPVN clouds, one per VRF.

Just to clarify, when you say isolation at the spokes you mean that the 3 vlans cannot communicate with each other within each spoke site.

But the data vlan at one spoke site can communicate with the data vlan at another spoke site for example.

Is that correct ?

Edit - forgot to say, welcome to the forums :-)

Jon

0 Helpful

coder2501
Level 1
Level 1
In response to Jon Marshall

‎02-11-2015 02:08 PM

Hi Jon,

 

thx for your comments:

 

<Just to clarify, when you say isolation at the spokes you mean that the 3 vlans cannot communicate with each other within each spoke site.

But the data vlan at one spoke site can communicate with the data vlan at another spoke site for example.>

Yes, data on spoke (A) can talk to data on spoke (B). And within spoke (A) none of the VRF can talk to each other.

 

Hope that clarifies the picture

 

cheers

Mike

0 Helpful
Customers Also Viewed These Support Documents