Prevent routing at upstream device

Arshad Safrulla (VIP Alumni)

The attached diagram represents my network. At the Cisco 9500 core switch I have each SVI in its own VRF. I have created two VRFs for Internet and MPLS. I am using VRF-lite route leaking to control inter-VLAN traffic at the core switch level. I am also using iBGP to exchange routes with the Fortigate, the ILL routers and the MPLS routers. But as I understand it, once the MPLS routers or ILL routers are in iBGP they are routing the traffic between VLANs, which I have prevented at the core switch level.

For example: VLAN A in VRF A, VLAN B in VRF B, VLAN C in VRF C. VLAN A and B are leaked into the MPLS VRF, which should have connectivity to the MPLS networks advertised by the MPLS routers. Inter-VLAN routing between VLAN A and B is prevented at the core switch level, but when the traffic reaches the MPLS routers it is actively routed, and I can reach VLAN A from VLAN B through the MPLS routers. How can I prevent this?

[Attachment: Presentation1.jpg]

5 Replies

Hello

I assume the reason for the path via the MPLS to reach VLAN A/B is a global RIB default route being advertised into the VRF RIBs?
May I ask, is it iBGP from the Cisco to the Fortigate and onwards to the ILL and MPLS routers, or do you have any eBGP peering?

Is it possible you can post the VRF and global RIB tables for the core switches and a summary of the BGP VRFs?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

The Fortigate, ILL and MPLS routers have iBGP peering at the moment. The Fortigate doesn't support BGP with VRFs, so all of my routes will be in the global routing table of the Fortigate. Also, as I said before, let's say VLAN A wants to access the Internet: I will leak that route into the Internet VRF using import and export so VLAN A can access the Internet. But the problem is when VLAN B wants to access the Internet and I leak its routes into the Internet VRF, VLAN A and VLAN B can communicate with each other; traffic is hairpinning off the Internet router. I want to understand whether I can use any BGP feature to avoid this; even design changes are welcome. My ultimate aim is to prevent inter-VLAN communication while having access to the Internet and MPLS, with the VLAN gateways on the core switches.

Unfortunately I just noticed that I haven't taken even a show run from the switches and routers. I will provide you with the logs once I am back on site.

Hello


@Arshad Safrulla wrote:

Hi Paul,

The Fortigate, ILL and MPLS routers have iBGP peering at the moment. The Fortigate doesn't support BGP with VRFs, so all of my routes will be in the global routing table of the Fortigate. Also, as I said before, let's say VLAN A wants to access the Internet: I will leak that route into the Internet VRF using import and export so VLAN A can access the Internet. But the problem is when VLAN B wants to access the Internet and I leak its routes into the Internet VRF, VLAN A and VLAN B can communicate with each other.


Surely with a specific import map this shouldn't occur, as you would only import Internet prefixes, not the VLAN A/B networks?


Kind Regards
Paul

Hi Paul,

As of now the Internet router is not VRF'd, so all the routes are installed in the global routing table. Do you mean that the Internet routers should also be segregated using VRFs, and then use import maps at the Internet router level?

Hello

I mean the VRF import maps on the core switches: each VLAN VRF will have an import map allowing only the Internet routes etc. that you wish to be installed in its RIB, and not the other VLANs' networks.



Kind Regards
Paul
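A worked version of the import-map approach Paul describes, as an added example configuration that is not taken from the thread or from either poster. It is written for IOS-XE VRF-lite with BGP on the core switch; the VRF names, RDs, route-targets, AS number, neighbor address and prefixes are all assumed. It also includes the caveat behind Paul's first reply: an import map only controls what enters each VLAN VRF's RIB, so if a default route is imported, VLAN A to VLAN B traffic still follows 0.0.0.0/0 to the upstream router and is hairpinned back. The Null0 discard routes at the end are an added suggestion for closing that path on the core itself.

```cisco
! Added example: Cisco IOS-XE (Catalyst 9500) VRF-lite route leaking with an import map.
! Not from the thread. Assumed: VLAN A = 10.10.0.0/16 in VRF VLAN-A, VLAN B = 10.20.0.0/16
! in VRF VLAN-B, Fortigate iBGP neighbor 192.0.2.1 in VRF INTERNET, local AS 65000.
!
! Only the default route is allowed into the VLAN VRFs from other VRFs.
ip prefix-list INTERNET-ONLY seq 5 permit 0.0.0.0/0
!
route-map IMPORT-INTERNET-ONLY permit 10
 match ip address prefix-list INTERNET-ONLY
!
! INTERNET VRF: receives the default from the Fortigate, exports it with RT 65000:100,
! and imports the VLAN prefixes so they can be advertised upstream.
vrf definition INTERNET
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:10
  route-target import 65000:20
 exit-address-family
!
! Each VLAN VRF imports RT 65000:100 but the import map keeps everything except 0.0.0.0/0 out.
vrf definition VLAN-A
 rd 65000:10
 address-family ipv4
  route-target export 65000:10
  route-target import 65000:100
  import map IMPORT-INTERNET-ONLY
 exit-address-family
!
vrf definition VLAN-B
 rd 65000:20
 address-family ipv4
  route-target export 65000:20
  route-target import 65000:100
  import map IMPORT-INTERNET-ONLY
 exit-address-family
!
! Inter-VRF import/export only works when the VRFs are configured under BGP, even on a
! VRF-lite switch with no MPLS label switching.
router bgp 65000
 address-family ipv4 vrf INTERNET
  neighbor 192.0.2.1 remote-as 65000
  neighbor 192.0.2.1 activate
 exit-address-family
 address-family ipv4 vrf VLAN-A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf VLAN-B
  redistribute connected
 exit-address-family
!
! Caveat (added suggestion): with 0.0.0.0/0 in VLAN-A, a packet for 10.20.0.0/16 still
! follows the default to the Fortigate, which knows VLAN B via iBGP and routes it back.
! A discard route for the other VLAN's prefix in each VLAN VRF drops it on the core instead.
ip route vrf VLAN-A 10.20.0.0 255.255.0.0 Null0
ip route vrf VLAN-B 10.10.0.0 255.255.0.0 Null0
```

To check the result on the core, `show ip route vrf VLAN-A` should list only the VRF's connected SVI, the imported 0.0.0.0/0 and the Null0 entry for VLAN B, and `show ip bgp vpnv4 vrf VLAN-A` should not show 10.20.0.0/16 as an imported path. If VLAN B's prefix still appears in VLAN-A's RIB, the import map is not matching or the VRF is missing from `router bgp`.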