10-21-2019 03:08 PM
Attached diagram represents my network. At the Cisco 9500 core switch I have each SVI in its own VRF. I have created 2 VRFs for Internet & MPLS. I am using VRF-lite route leaking to control inter-VLAN traffic at core switch level. Also using iBGP to exchange routes with Fortigate, ILL routers and MPLS routers. But as I understand, once the MPLS routers or ILL routers are in iBGP they are routing the traffic between VLANs which I have prevented at the core switch level.
For example: VLAN A-VRF A, VLAN B-VRF B, VLAN C-VRF C. VLAN A & B are leaked into the MPLS VRF which should have connectivity to MPLS networks advertised over the MPLS routers. But VLAN A & B inter-VLAN routing is prevented at the core switch level, but when the traffic reaches the MPLS routers, it is actively routing and I can reach VLAN A from VLAN B through the MPLS routers. How can I prevent this?
10-22-2019 01:00 AM - edited 10-22-2019 01:01 AM
Hello
I assume the reason for the path via the MPLS to reach VLAN A-B is due to a global RIB default route being advertised in the VRF RIBs?
May I ask, is it iBGP from the Cisco to the Fortigate and onwards to the ILL and MPLS routers, or do you have any eBGP peering?
Is it possible you can post the VRF and global RIB tables for the core switches and a summary of the BGP VRFs?
10-22-2019 01:51 AM
Hi Paul,
Fortigate, ILL & MPLS routers have iBGP peering at the moment. Fortigate doesn't support BGP with VRF. So all of my routes will be there in the global routing table of the Fortigate. Also, as I said before, let's say VLAN A wants to access the Internet; I will leak that route into the Internet VRF using import & export so VLAN A can access the Internet. But the problem is when VLAN B wants to access the Internet & I leak the routes to the Internet VRF, VLAN A & VLAN B can communicate with each other. Traffic is hairpinning from the Internet router. I want to understand whether I can use any BGP feature to avoid this, or even any design changes are welcome. My ultimate aim is to prevent inter-VLAN communication and have access to Internet and MPLS while the VLAN gateways are in the core switches.
Unfortunately I just noticed that I haven't taken at least a show run from the switches and routers. I will provide you with logs once I am back on the site.
10-22-2019 02:09 AM - edited 10-22-2019 02:10 AM
Hello
@Arshad Safrulla wrote:
Hi Paul,
Fortigate, ILL & MPLS routers have iBGP peering at the moment. Fortigate doesn't support BGP with VRF. So all of my routes will be there in the global routing table of the Fortigate. Also, as I said before, let's say VLAN A wants to access the Internet; I will leak that route into the Internet VRF using import & export so VLAN A can access the Internet. But the problem is when VLAN B wants to access the Internet & I leak the routes to the Internet VRF, VLAN A & VLAN B can communicate with each other.
Surely with a specific import map then this shouldn't occur, as you would only import Internet prefixes, not VLAN A/B networks?
10-22-2019 02:24 AM
Hi Paul,
As of now the Internet router is not VRF'd, so all the routes are installed in the global routing table. Do you mean that the Internet routers also should be segregated using VRFs, and then use import maps at the Internet router level?
10-22-2019 02:51 AM
Hello
I mean your VRF import maps for the core switches: each VLAN VRF will have an import map only allowing Internet routes etc. that you wish to be installed in their RIBs, but not each other's VLAN networks.
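A constructed Catalyst 9500 (IOS-XE) VRF-lite configuration illustrating the per-VRF import map Paul describes. This is an added example, not configuration from the thread; the VRF names, RDs/RTs and prefixes are assumptions.

```ios
! Constructed example: VLAN A in VRF_A (10.1.0.0/24), VLAN B in VRF_B (10.2.0.0/24).
! The INTERNET VRF carries the default route learned from the Fortigate.
!
! Only the default route may be imported into a VLAN VRF.
ip prefix-list PL_INTERNET_ONLY seq 10 permit 0.0.0.0/0
!
! The other VLAN prefixes are explicitly denied, so they never land in a peer VLAN's RIB.
ip prefix-list PL_VLAN_NETS seq 10 permit 10.1.0.0/24
ip prefix-list PL_VLAN_NETS seq 20 permit 10.2.0.0/24
!
route-map RM_IMPORT_INTERNET deny 10
 match ip address prefix-list PL_VLAN_NETS
route-map RM_IMPORT_INTERNET permit 20
 match ip address prefix-list PL_INTERNET_ONLY
!
vrf definition VRF_A
 rd 65000:1
 address-family ipv4
  route-target export 65000:1
  route-target import 65000:100
  import map RM_IMPORT_INTERNET
 exit-address-family
!
vrf definition VRF_B
 rd 65000:2
 address-family ipv4
  route-target export 65000:2
  route-target import 65000:100
  import map RM_IMPORT_INTERNET
 exit-address-family
!
! The INTERNET VRF imports both VLAN prefixes so return traffic can be routed back.
vrf definition INTERNET
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:1
  route-target import 65000:2
 exit-address-family
!
! Verify: "show ip route vrf VRF_A" must show 0.0.0.0/0 but not 10.2.0.0/24.
```

The import map only controls which leaked prefixes are installed in each VLAN VRF's RIB; as noted earlier in the thread, a default route present in that RIB still forwards traffic for the other VLAN toward the Internet router, so check the RIB after applying it.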