cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11512
Views
0
Helpful
10
Replies

Same vlan / subnet in different vrfs

Fabrizio Nurra
Level 1
Level 1

Hi everybody.
I have to configure - on the same router - two different layer 3 gateways for the same subnet / vlan. The two layer 3 interfaces have to be in different VRFs.

The first layer 3 already exists: it is a SVI interface in vrf XYZ and ip address X.Y.Z.1/24.
Now I have to configure the second layer 3 interface on the same router. Obviously I can't use the same vlan id (I can't configure two interface vlan X),
so I thought to configure a routed interface with ip address in the same subnet (X.Y.Z.10/24) but in a different vrf (see attached file). Unfortunately it seems it's not working:
the switch connected to 7600 "sees" the routed interface mac-address from the 7600 switch access port on vlan X. I think it depends on the system-wide vlans
used by 7600.
 
Any suggestion about how to meet the goal?

 

Thanks!

10 Replies 10

Elliott Willink
Level 1
Level 1

I have re-read this a few times and I can't quite picture what you are trying to do. Is this a test/hypothetical question or is there an real-world networking outcome you want to achieve?

Hi Elliot,

 unfortunately this is a real case: a request from a client of my company. It's a bit difficoult to explain how and why we arrived at this foolish requirement, but the heart of the matter is that I have to achieve this architecture.

Edwin Matos
Level 1
Level 1

Sipser,

Even though it sees the same mac address it is on a difference vlan.

 

SW---VlanX----VRFA|-------192.168.1.1

SW---VlanY----VRFB|-------192.168.1.1

 

Vlan X Should be able to ping 192.168.1.1 and Vlan Y should be able to ping 192.168.1.1 on each respective VRF. They are two different broadcast domain, and mac address should be isolated. Even though you probably will see the same mac address.

Question though are you using Access port on the Switch or trunk? if you are using trunk make sure you allow only the right vlan.

 

Hi Edwin,

 the vlan is the same! Or better, the broadcast domain is the same! So, a server in vlan X mast be able to ping 192.168.1.1 in VRF A, and a server in the same vlan X must be able to ping 192.168.1.10 in vrf B. As you can see from the picture I attached, the broadcast domain is realized by two access switches.

As the broadcast domain is the same, I had to configure a SVI interface and a routed interface (as I can't configure the same SVI two times, one time in vrf A and one time in vrf B).

 

Sipser,

And there's where the problem exists, same broadcast domain with same Mac address. Would you be able to use a separate physical interface for each VRF? or at least separate the sub interfaces on a another physical interface. Sub interfaces inherit the mac address from the physical interface and since you are landing on the same broadcast domain you will get the same mac-address on the same vlan.

Here is my research.

Known facts: We are not able to change sub interface mac address.

1) I Plugged interface g0/0 and g0/1 of  a router into the same Vlan 1 of a switch, and only one of interface will obtain and IP Address. This is because they are on the same domain and 2 interface can not have the same subnet without a VRF setup.

2) I Created SITE1, and SITE2  VRF into two separate interface G0/0 G0/1 or could be sub interfaces as long as they are on a separate physical interface, and landing on the same vlan of the switch. Both Received an IP address from the same subnet DHCP(vlan1).

3) This won't work with they are sub interface with different VRF on the same physical interface, this is due to the fact you are landing on the same broadcast domain, basically you are separating the layer three on the router but no the layer 2 on the switch which depend on mac addresses

From Switch VIEW.

SW0-MAT#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
RIKEV2.edwinmatos.rocks
                 Fas 0/9            139        R B S I    CISCO1941/Gig 0/0
RIKEV2.edwinmatos.rocks

                 Fas 0/4            151        R B S I    CISCO1941/Gig 0/1

 

TO ROUTER

 

RIKEV2#show vrf
  Name                             Default RD            Protocols   Interfaces
  SITE1                            101:101               ipv4        Gi0/0
  SITE2                            102:102               ipv4        Gi0/1
 

 

RIKEV2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 192.168.29.1    YES NVRAM  initializing          down
GigabitEthernet0/0         192.168.28.140  YES manual up                    up
GigabitEthernet0/1         192.168.28.141  YES manual up                    up
 

Back to Switch

 

SW0-MAT#ping 192.168.28.140

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.28.140, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
SW0-MAT#ping 192.168.28.141

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.28.141, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
SW0-MAT#

 

 

Hi Edwin,

 did you test it on a 7600 platform?

 

mfurnival
Level 4
Level 4

Is it not possible to use dot1q subinterfaces? Something like:

 

inter g0/1.10

encapsulation dot1q 10

ip address 192.168.1.1 255.255.255.0

ip vrf forwarding dot10

 

inter g0/1.20

encapsulation dot1q 20

ip address 192.168.1.1 255.255.255.0

ip vrf forwarding dot20

Hi mfurnival,

 in this case, I shuld configure the access switches with a trunk interface. But that's not possible, as the server are in the same vlan. Refer to the picture I attached.

 This configuration could work, but I'm sure I would use at least one physical interface, something like:

 

inter g0/1

encapsulation dot1q 10

ip address 192.168.1.10 255.255.255.0

ip vrf forwarding dot10

 

inter g1/1.20

encapsulation dot1q 20

ip address 192.168.1.20 255.255.255.0

ip vrf forwarding dot20

!

 

Unfortunately, this is an operating environment, with critical services, so I can't do many tests

Can you explain what requirement leads u in this type of setup. May be we can think of some other way

jachim
Level 1
Level 1

Hello

Maybe you need secondary IP address on same SVI interface?

Best Regards,

Review Cisco Networking for a $25 gift card