Solved: Routing through a Layer 3 switch

Bab L · ‎03-21-2016

Hi.

We have a scenario that the customer has asked for connectivity between two environment in Azure through one switch in and out.

There's two networks:

10.18.xx.xx and 10.19.xx.xx

These network are two different express route from Azure. They physically connect to one switch which we manage.

The switch is connected to the provider router and then the router is connected to a provider firewall.

What the client wants is when toe 10.18.xx.xx network connects to the 10.19.xx.xx, it will need to go via the switch, on the router then the firewall, then back to the router, to the switch and out the other express route interface.

Is this possible to be configured with static routing only?

If no, what is the solution here.

The switch is an IP Services switch.

Please see attachment.

Thank you

Richard Bradfield · ‎03-21-2016

on The switch it is just 2 vlans say 18 and 19

then trunked thru to the router,

trunk port configured something like

R1(config-subif)#int fa0/0.18
R1(config-subif)#encapsulation dot1Q 18            
R1(config-subif)#ip vrf forwarding red              
R1(config-subif)#ip address 10.18.0.1 255.255.255.0

R1(config-subif)#int fa0/0.19
R1(config-subif)#encapsulation dot1Q 19             
R1(config-subif)#ip vrf forwarding blue             
R1(config-subif)#ip address 10.19.0.1 255.255.255.0

then the VRFs configured to be leaky so can route between them
something like

ip vrf blue
rd 1:1
route-target export 1:1
route-target import 1:1
route-target import 1:2

ip vrf red
rd 1:2
route-target export 1:2
route-target import 1:2
route-target import 1:1

HTH

Richard

View solution in original post

milan.kulik · ‎03-22-2016

Hi Richard,

I'm afraid your config would not force the traffic to pass through the FW?

I guess it would be necessary to advertise the 10.19.xx.xx prefix to the red VRF (VPN to be more precise) and the 10.18.xx.xx prefix to the blue VRF/VPN from the site where the FW is placed?

Best regards,

Milan

View solution in original post

Richard Bradfield · ‎03-21-2016

So you want devices on the 10.18 network to able to communicate with devices on the 10.19. network. Are the 2 networks on a separate VRF on the router? if not the router should route between the 2. But if you need to go via the Firewall, then the Firewall would need to do the routing between the 2. in that case the Firewall will be the gateway for both networks.

Bab L · ‎03-21-2016

Hi Richard,

thanks for your reply.

Yes. The 10.18 network needs to communicate with devices on the 10.19 network. They do exist in different VRF's in the router.

How will the routing work on the switch though?

Richard Bradfield · ‎03-21-2016

on The switch it is just 2 vlans say 18 and 19

then trunked thru to the router,

trunk port configured something like

R1(config-subif)#int fa0/0.18
R1(config-subif)#encapsulation dot1Q 18            
R1(config-subif)#ip vrf forwarding red              
R1(config-subif)#ip address 10.18.0.1 255.255.255.0

R1(config-subif)#int fa0/0.19
R1(config-subif)#encapsulation dot1Q 19             
R1(config-subif)#ip vrf forwarding blue             
R1(config-subif)#ip address 10.19.0.1 255.255.255.0

then the VRFs configured to be leaky so can route between them
something like

ip vrf blue
rd 1:1
route-target export 1:1
route-target import 1:1
route-target import 1:2

ip vrf red
rd 1:2
route-target export 1:2
route-target import 1:2
route-target import 1:1

HTH

Richard

milan.kulik · ‎03-22-2016

Hi Richard,

I'm afraid your config would not force the traffic to pass through the FW?

I guess it would be necessary to advertise the 10.19.xx.xx prefix to the red VRF (VPN to be more precise) and the 10.18.xx.xx prefix to the blue VRF/VPN from the site where the FW is placed?

Best regards,

Milan

Bab L · ‎03-22-2016

Hi Milan,

thanks for your reply.

The firewall is managed by third party so we do not have access to it.

We'll run a test run this week and see how we go.