Beginner

Prevent routing at upstream device

The attached diagram represents my network. At the Cisco 9500 core switch I have each SVI in its own VRF. I have created 2 VRFs for Internet & MPLS. I am using VRF-lite route leaking to control inter-VLAN traffic at core switch level. I am also using iBGP to exchange routes with the Fortigate, ILL routers and MPLS routers. But as I understand it, once the MPLS routers or ILL routers are in iBGP they are routing the traffic between VLANs, which I have prevented at the core switch level.

For example: VLAN A-VRF A, VLAN B-VRF B, VLAN C-VRF C. VLAN A & B are leaked into the MPLS VRF, which should have connectivity to MPLS networks advertised over the MPLS routers. VLAN A & B inter-VLAN routing is prevented at the core switch level, but when the traffic reaches the MPLS routers it is actively routed and I can reach VLAN A from VLAN B through the MPLS routers. How can I prevent this? (Attached diagram: Presentation1.jpg)

VIP Advisor

Re: Prevent routing at upstream device

Hello

I assume the reason for the path via the MPLS to reach VLAN A-B is due to a global RIB default route being advertised in the VRF RIBs?
May I ask, is it iBGP from the Cisco to the Fortigate and onwards to the ILL and MPLS routers, or do you have any eBGP peering?

Is it possible you can post the VRF and global RIB tables for the core switches and a summary of the BGP VRFs?



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: Prevent routing at upstream device

Hi Paul,

The Fortigate, ILL & MPLS routers have iBGP peering at the moment. The Fortigate doesn't support BGP with VRF, so all of my routes will be there in the global routing table of the Fortigate. Also, as I said before, let's say VLAN A wants to access the Internet: I will leak that route into the Internet VRF using import & export so VLAN A can access the Internet. But the problem is when VLAN B wants to access the Internet & I leak the routes to the Internet VRF, VLAN A & VLAN B can communicate with each other. Traffic is hairpinning from the Internet router. I want to understand whether I can use any BGP feature to avoid this, or even any design changes are welcome. My ultimate aim is to prevent inter-VLAN communication and have access to the Internet and MPLS while the VLAN gateways are in the core switches.

Unfortunately I just noticed that I haven't taken at least a show run from the switches and routers. I will provide you with logs once I am back at the site.

VIP Advisor

Re: Prevent routing at upstream device

Hello


@Arshadsaf wrote:

Hi Paul,

The Fortigate, ILL & MPLS routers have iBGP peering at the moment. The Fortigate doesn't support BGP with VRF, so all of my routes will be there in the global routing table of the Fortigate. Also, as I said before, let's say VLAN A wants to access the Internet: I will leak that route into the Internet VRF using import & export so VLAN A can access the Internet. But the problem is when VLAN B wants to access the Internet & I leak the routes to the Internet VRF, VLAN A & VLAN B can communicate with each other.


Surely with a specific import map then this shouldn't occur, as you would only import Internet prefixes, not VLAN A/B networks?




kind regards
Paul

Beginner

Re: Prevent routing at upstream device

Hi Paul,

As of now the Internet router is not VRF'd, so all the routes are installed in the global routing table. Do you mean that the Internet routers also should be segregated using VRFs, and then use import maps at the Internet router level?

VIP Advisor

Re: Prevent routing at upstream device

Hello

I mean your VRF import maps on the core switches: each VLAN VRF will have an import map only allowing the Internet routes etc. that you wish to be installed in its RIB, but not the other VLANs' networks.



kind regards
Paul

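As an added illustration of the import-map approach Paul describes (this is not configuration from the thread or from the original poster's switches), the IOS-XE VRF-lite snippet below gives each VLAN VRF an import map that admits only the default route from the Internet VRF and explicitly rejects the other VLAN prefixes. VRF names, RDs, route targets and the 10.0.0.0/8 VLAN aggregate are assumed placeholders.

```cisco
! Constructed example for a Cisco 9500 running VRF-lite (IOS-XE syntax).
! VLAN A lives in VRF VLAN_A, VLAN B in VRF VLAN_B, Internet-facing routes
! (learned from the Fortigate over BGP) live in VRF INTERNET.
! 10.0.0.0/8 is assumed to be the aggregate covering all VLAN subnets.
!
! Prefix-list: deny anything inside the VLAN aggregate, permit the default.
ip prefix-list PL-INTERNET-ONLY seq 5 deny 10.0.0.0/8 le 32
ip prefix-list PL-INTERNET-ONLY seq 10 permit 0.0.0.0/0
!
route-map RM-IMPORT-INTERNET permit 10
 match ip address prefix-list PL-INTERNET-ONLY
!
! Each VLAN VRF exports its own prefix and imports only the Internet RT,
! further filtered by the import map.
vrf definition VLAN_A
 rd 65000:10
 address-family ipv4
  route-target export 65000:10
  route-target import 65000:100
  import map RM-IMPORT-INTERNET
 exit-address-family
!
vrf definition VLAN_B
 rd 65000:20
 address-family ipv4
  route-target export 65000:20
  route-target import 65000:100
  import map RM-IMPORT-INTERNET
 exit-address-family
!
! The Internet VRF exports the default it learns upstream and imports the
! VLAN prefixes so return traffic from the Fortigate can reach them.
vrf definition INTERNET
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:10
  route-target import 65000:20
 exit-address-family
!
! Verification: only the default (plus connected) should appear here.
! show ip route vrf VLAN_A
! show ip route vrf VLAN_B
```

Because the VLAN VRFs still carry the imported default, packets from VLAN A addressed to VLAN B will follow it toward the Fortigate, whose global table holds both prefixes; the hairpin the original poster describes therefore also needs to be addressed on that upstream device (or by filtering what is leaked into the INTERNET VRF), not only by the import maps.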