Solved: Re: Routing VRF on Existing L3 Port-Channel?

greyfox · ‎01-24-2024

Hello,

I am tasked with helping to configure a VRF across a campus area network for a specific system by an Engineer. I was wondering if there perhaps is a way to route VRF traffic through existing L3 port-channels? My initial thought process would potentially use subinterface port-channels in order to do so though I am not sure how exactly to work that out. I am aware that creating sub interfaces within interfaces with assigned channel-groups is not possible. I have also experimented with GRE tunnels (which worked) but this made the configuration a bit messy as I'd have to create GRE tunnels for each connection per distribution switch with source and destinations on each tunnel configuration (unless there is a way to configure mGRE?). Apologies for my lack of knowledge on this subject as I am a bit of a novice. Many thanks.

Below is an example (apologies if there are any errors):

Core Switch

!
interface GigabitEthernet0/0
desc Distribution Switch A
no switchport
no ip address
negotiation auto
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet0/1
desc Distribution Switch A
no switchport
no ip address
negotiation auto
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet1/0
desc Distribution Switch B
no switchport
no ip address
negotiation auto
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet1/1
desc Distribution Switch B
no switchport
no ip address
negotiation auto
channel-protocol lacp
channel-group 2 mode active
!
interface Port-channel1
desc Distribution Switch A
no switchport
ip address 10.1.1.1 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 300 area 0
!
interface Port-channel2
desc Distribution Switch B
no switchport
ip address 10.1.2.1 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 300 area 0
!
!
router ospf 300
router-id 10.0.0.1
passive-interface default
no passive-interface Port-channel1
no passive-interface Port-channel2
!
ip vrf TEST
exit
!
router ospf 42 vrf TEST
router-id 192.168.0.1
passive-interface default

Distro Switch A
!
interface GigabitEthernet0/0
desc CORE
no switchport
no ip address
negotiation auto
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet0/1
desc CORE
no switchport
no ip address
negotiation auto
channel-protocol lacp
channel-group 1 mode active
!
!
interface Port-channel1
desc CORE
no switchport
ip address 10.1.1.2 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 300 area 0
!
!
router ospf 300
router-id 10.0.0.2
passive-interface default
no passive-interface Port-channel1
!
ip vrf TEST
exit
!
router ospf 42 vrf TEST
router-id 192.168.0.2
passive-interface default
!

Distro Switch B
!
interface GigabitEthernet0/0
desc CORE
no switchport
no ip address
negotiation auto
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet0/1
desc CORE
no switchport
no ip address
negotiation auto
channel-protocol lacp
channel-group 1 mode active
!
!
interface Port-channel1
desc CORE
no switchport
ip address 10.1.2.2 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 300 area 0
!
!
router ospf 300
router-id 10.0.0.3
passive-interface default
no passive-interface Port-channel1
!
ip vrf TEST
exit
!
router ospf 42 vrf TEST
router-id 192.168.0.3
passive-interface default
!

greyfox · ‎01-30-2024

Hey fellas, I've tried using subinterface port-channels as @gagat.b and @balaji.bandi reccomended and it worked! Part of me was afraid employing this technique due to it crashing my virtual switches in EVE-NG but it seemed to work perfectly fine on our production network! I just wanted to say thanks!

I believe the configuration goes similarly as follows:

CORE SWITCH
!
interface Port-channel1.10
encapsulation dot1q 10
ip vrf forwarding TEST
no switchport
ip address 192.168.1.1 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
!
interface Port-channel2.10
encapsulation dot1q 10
ip vrf forwarding TEST
no switchport
ip address 192.168.2.1 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
!
router ospf 42 vrf TEST
router-id 192.168.0.1
passive-interface default
no passive-interface Port-channel1.10
no passive-interface Port-channel2.10
!

Distro Switch A
!
interface Port-channel1.10
encapsulation dot1q 10
ip vrf forwarding TEST
no switchport
ip address 192.168.1.2 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
!
router ospf 42 vrf TEST
router-id 192.168.0.1
passive-interface default
no passive-interface Port-channel1.10
!

Distro Switch B
!
interface Port-channel1.10
encapsulation dot1q 10
ip vrf forwarding TEST
no switchport
ip address 192.168.2.2 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
!
router ospf 42 vrf TEST
router-id 192.168.0.1
passive-interface default
no passive-interface Port-channel1.10
!

View solution in original post

MHM Cisco World · ‎01-24-2024

You config ospf vrf aware but I dont see any interface use this vrf ?

MHM

greyfox · ‎01-24-2024

Ah yes, there are no interfaces with ip vrf forwarding configured. I was mainly looking for ideas on ways to route this VRF using already existing port-channels that are on the global routing table.

Again, I was able to get this to work on a GRE tunnel that had destination and source addresses as below. Would there be a way to possibly configure this in a way without the many interface tunnels per each switch downstream from the Core? Maybe some sort of multicast routing over GRE? Thank you for your response

Configs from Core to Distro Switch A that formed OSPF neighbors (similar configs would be set up the same between Core to Distro B as well):
!
interface Tunnel1
ip vrf forwarding TEST
ip address 192.168.1.1 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
tunnel source 10.1.1.1
tunnel destination 10.1.1.2
!
interface Tunnel2
ip vrf forwarding TEST
ip address 192.168.1.2 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
tunnel source 10.1.1.2
tunnel destination 10.1.1.1
!

MHM Cisco World · ‎01-24-2024

MHM

balaji.bandi · ‎01-24-2024

configure a VRF across a campus area network for a specific system by an Engineer

First what is the need of VRF ? do you have different system and department in place you like to separate them ?

You have not told us what is this switch models and IOS code running on it.

Some new Model Cat 9K do support Layer 3 sub-interface and VRF

or you can convert Layer 2 port-channel and let Layer 3 SVI VLAN in VRF that should work four purpose ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

greyfox · ‎01-25-2024

First what is the need of VRF ? do you have different system and department in place you like to separate them ?

Yes, it is a requirement from this department to have layer 3 separation. We are running Cisco C9404Rs with IOS XE 17.9.3 for our L3 backbone. I have since found some documentation regarding multicast routing over GRE tunneling and will experiment with this in my labs before trying it out on our production network and try posting to see if it works!

Here is the documentation:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_0100100.pdf

I could potentially use layer 2 port-channel with VRF for the L3 SVI but it is a bit risky for our production network but will take note of that. Thank you for your response!

balaji.bandi · ‎01-26-2024

New code 17.X do support Layer 3 sub interface VRF support.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/16-10/configuration_guide/vlan/b_1610_vlan_9400_cg/configuring_layer_3_subinterfaces.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

gagat.b · ‎01-26-2024

Use subinterfaces on L3 PC. Put subint into vrfs.

greyfox · ‎01-26-2024

So that's one of the first things I tried a few days ago before this question on my EVE-NG lab and it crashed my switches and I'm too scared to do the same thing in our production network, haha.

MHM Cisco World · ‎01-27-2024

Friend

So you have l3 port-channel and you want to config subinterface in port-channel

You can use l2 port-channel and use SVI VLAN instead of subinterface. And config vrf for each vlan svi.

This make you separate traffic by vrf.

Check this in lab

MHM

greyfox · ‎01-30-2024

Hey fellas, I've tried using subinterface port-channels as @gagat.b and @balaji.bandi reccomended and it worked! Part of me was afraid employing this technique due to it crashing my virtual switches in EVE-NG but it seemed to work perfectly fine on our production network! I just wanted to say thanks!

I believe the configuration goes similarly as follows:

CORE SWITCH
!
interface Port-channel1.10
encapsulation dot1q 10
ip vrf forwarding TEST
no switchport
ip address 192.168.1.1 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
!
interface Port-channel2.10
encapsulation dot1q 10
ip vrf forwarding TEST
no switchport
ip address 192.168.2.1 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
!
router ospf 42 vrf TEST
router-id 192.168.0.1
passive-interface default
no passive-interface Port-channel1.10
no passive-interface Port-channel2.10
!

Distro Switch A
!
interface Port-channel1.10
encapsulation dot1q 10
ip vrf forwarding TEST
no switchport
ip address 192.168.1.2 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
!
router ospf 42 vrf TEST
router-id 192.168.0.1
passive-interface default
no passive-interface Port-channel1.10
!

Distro Switch B
!
interface Port-channel1.10
encapsulation dot1q 10
ip vrf forwarding TEST
no switchport
ip address 192.168.2.2 255.255.255.252
ip ospf network point-to-point
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf 42 area 0
!
router ospf 42 vrf TEST
router-id 192.168.0.1
passive-interface default
no passive-interface Port-channel1.10
!

MHM Cisco World · ‎01-30-2024

believe me I dont understand anything here
the original post the PO is L3 and you can add vrf under it ???
then you use sub-interface when you use only one subinterface not multi ???
and lastly use same dot1q 10 for different subnet ??
anyway hope this solution work
and update me if you face anything
thanks
have a nice day
MHM

greyfox · ‎01-30-2024

The original post was if there was a way to route VRF over an already existing network on the same physical interfaces. Having no experience in doing so, I had originally believed that some sort of multicasting tunnel would work considering that I had managed to use very simple GRE tunnel configurations to form ospf neighbors but doing so would have to include creating several GRE tunnels per distribution switch (we have over five in our production network). Sorry for the confusion if I did not make myself clear previously.

The different subnet was simply an example to differentiate it from the normal port-channel (ie po1 + po2 and po1.10 and po2.10 on the "Core Switch" and po1 + po1.10). In doing so, I was able to form OSPF adjacencies for port-channels and sub port-channels. Thanks again. Have a good day

balaji.bandi · ‎01-30-2024

Glad our suggestion helped to resolve the issue, appreciated your feedback and sharing your config also for benefit for the community members - so we mark as resolved now.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help