
Question about VRF (Virtual Routing & Forwarding)

WangSteven02215
Level 1

Hi everyone,

I always appreciate the technical support.

 

As shown in the picture below, Network A and Network B must be connected to the destination server to exchange data.

 

Also, we must prohibit the communication between Network A and Network B. So, we are going to configure them by using VRF.

 

There was a problem of duplication of network address and IP address for Network A and B. Thus, I'm wondering if there will be any problem in the communication. (Please note that the IP address cannot be changed.)

 

Is there any problem? If there is any problem, please give your opinion or explanation.

 

Picture_Network.JPG

 

7 Replies

balaji.bandi
Hall of Fame

If you are using VRFs and there is no communication required between them, you can have duplicate address space.

If you need it, then you need to do some NAT on the overlapping addressing.

 

BB


mlund
Level 7

Hi

As Balaji said, if traffic is only within each VRF there is no problem with overlapping addresses.

But in your example, for return traffic from the server, there will be a problem. Where should it be sent? To network A or B?

So in this example you have to do NAT on one of the networks so the server can distinguish between them.

/Mikael


Hello,

 

Looking at your picture, you don't really have overlapping (identical) addresses, they are just on the same subnet. If that is right, you can use static host routes and/or policy based routing. What router do you have the VRF configured on? Can you post the config?

"looking at your picture, you don't really have overlapping (identical) addresses, they are just on the same subnet."

Has the picture been revised?  What about IPs 192.168.1.7 and .8?

Even if there were no actual duplicate host IPs, supporting such a design would be "messy" and likely will create future problems.

Pursuing what Georg suggests would be a great learning experience, but I would suggest it be avoided for any production network.

Joseph W. Doherty
Hall of Fame

Yes, you have a problem.

By default, VRF defines L3 networks much like VLANs do for L2 networks, i.e. they are isolated from each other.

Your problem isn't having duplicate IPs in VRFs 1 and 2 UNTIL you add your distribution server to the topology.  How would it "know" which host to communicate to if you have overlapping IPs?  (BTW, normally, your distribution server is also defined to VRF, which might be VRF 1 OR 2.)

As other posters have already noted, if your distribution server must support hosts on both VRFs, and they have overlapping IPs, you'll need NAT on at least one VRF (between its hosts and the distribution server) to make it appear you don't have overlapping IPs.

 

Hello

NAT the VRFs' subnets at the router, using the destination server's subnet as a "public" network for the server to be able to reach each VRF. To accomplish this you would need to use NVI (domainless) NAT, as it performs RIB lookups before and after NAT translation, something domain NAT doesn't do with its NAT order of operation.

Example: NAT router
ip vrf A
ip vrf B

! enable NVI (domainless) NAT on the interface
int x/x
ip nat enable

ip access-list extended VRF_ACL
permit ip 192.168.1.0 0.0.0.255 any

ip nat pool NATPOOL-A 10.10.0.10 10.10.0.10 prefix-length 24
ip nat pool NATPOOL-B 10.10.0.11 10.10.0.11 prefix-length 24

ip nat source list VRF_ACL pool NATPOOL-A vrf A
ip nat source list VRF_ACL pool NATPOOL-B vrf B

! default route from the VRF A RIB to the global RIB
ip route vrf A 0.0.0.0 0.0.0.0 <interface> 10.10.0.x global
! default route from the VRF B RIB to the global RIB
ip route vrf B 0.0.0.0 0.0.0.0 <interface> 10.10.0.x global



Kind Regards
Paul
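
The return-traffic problem raised in the replies above, and how a distinct NAT address per VRF resolves it while keeping the two networks isolated, as an added example that is not part of any post in this thread. It is a toy model in Python, not router code: the class and function names are hypothetical, the host 192.168.1.7 with source port 40000 is constructed, and port overloading is assumed because each pool in the posted config holds a single address.

```python
from itertools import count

class AmbiguousReturn(Exception):
    """The router cannot tell which VRF a server reply belongs to."""

class VrfNat:
    """Toy model (hypothetical names) of the router between the VRFs and the server."""

    def __init__(self, pools=None):
        self.pools = pools or {}  # vrf -> address the server sees; empty = no NAT
        self.out = {}             # (vrf, ip, port) -> (seen_ip, seen_port)
        self.back = {}            # (seen_ip, seen_port) -> {(vrf, ip, port), ...}
        self.ports = count(1024)  # assumption: port overloading on each pool address

    def outbound(self, vrf, ip, port):
        """A host in `vrf` opens a flow to the server; return the source the server sees."""
        key = (vrf, ip, port)
        if key not in self.out:
            seen = (self.pools[vrf], next(self.ports)) if vrf in self.pools else (ip, port)
            self.out[key] = seen
            self.back.setdefault(seen, set()).add(key)
        return self.out[key]

    def inbound(self, ip, port):
        """The server replies to (ip, port); return the (vrf, ip, port) to deliver to."""
        owners = self.back.get((ip, port), set())
        if len(owners) != 1:
            raise AmbiguousReturn(f"{ip}:{port} matches {len(owners)} flows")
        return next(iter(owners))

def demo():
    host = ("192.168.1.7", 40000)  # constructed: same IP and port in both VRFs
    plain = VrfNat()               # no NAT: the server sees the overlapping address
    seen = [plain.outbound(v, *host) for v in ("A", "B")]
    try:
        plain.inbound(*seen[0])
        ambiguous = False
    except AmbiguousReturn:
        ambiguous = True
    nat = VrfNat({"A": "10.10.0.10", "B": "10.10.0.11"})  # pool addresses from the post
    seen = [nat.outbound(v, *host) for v in ("A", "B")]
    return ambiguous, [nat.inbound(*s) for s in seen]

if __name__ == "__main__":
    print(demo())
```
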