VRF and BGP on Catalyst 9k

ericdavishop
Level 1

I have 2 Catalyst 9Ks being used as WAN routers to terminate links from our other offices into our data center. Upstream from the Cat9Ks is a firewall running BGP. The 9Ks are running BGP and I want to force the routes to go through the firewall so that each site cannot reach the other directly without going through the firewall policy. I was thinking VRF might be the way to go, but I am not sure I understand how to set up VRF and BGP on the 9K to make this work. I was also thinking I could add SVIs on the 9Ks for each site/VRF, and that way each site will only be able to share routes with the firewall. I have set up something similar on an NX9K, but the Cat9K seems a bit different with respect to VRF and BGP. Anyone have any ideas that may help? I attached a diagram for reference.

Screenshot (62).png

Check these notes.

Thanks A Lot
MHM

@MHM Cisco World 
The layer 1/2 links from the WAN switches go through a Nexus switch pair; those are vPC'd and have layer 1/2 connections to the firewall.

The sites are directly connected to both NSK (C9K),
so traffic from one site to another always prefers the connected route. Here, as you mention, we need to separate the routing tables via VRF for each site, so that each site's routing table (VRF table) has no directly connected route for the other sites.
We need to configure a VRF for each site and a VRF for the FW.
We use RTs as follows:
from sites to FW, we export routes from the sites and import them into the FW;
from FW to sites, we export routes from the FW and import them into the sites.

This makes each site's routing table have the FW as next hop for all other sites.

This is the way you need to go.

Thanks A Lot
MHM

@ericdavishop,

By structuring your BGP configuration with address families, you can use a single BGP instance to handle multiple VRFs. Each VRF's routes are advertised separately through the respective address family, and the firewall's BGP configuration will need to accommodate these separate address families. This setup provides isolation and control over routing for each remote site's traffic.

Example:

router bgp <your ASN>
 ! Global (default VRF) peer: remote-as is defined at router level,
 ! then activated in the IPv4 address family.
 neighbor <Firewall-IP> remote-as <Firewall-AS>
 !
 address-family ipv4
  network <your public IP block>
  redistribute connected
  neighbor <Firewall-IP> activate
 exit-address-family
 !
 ! VRF peers are defined inside their own address family and must be
 ! activated there; each VRF needs its own firewall peer address
 ! (a per-VRF SVI or firewall subinterface).
 address-family ipv4 vrf SITE1
  network <Site1 VRF IP block>
  redistribute connected
  neighbor <Firewall-IP> remote-as <Firewall-AS>
  neighbor <Firewall-IP> activate
 exit-address-family
 !
 address-family ipv4 vrf SITE2
  network <Site2 VRF IP block>
  redistribute connected
  neighbor <Firewall-IP> remote-as <Firewall-AS>
  neighbor <Firewall-IP> activate
 exit-address-family

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
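The following is an added, complete IOS-XE configuration that ties together the two approaches described in this thread (the per-site VRF with route-target export/import toward a firewall VRF, and the per-VRF BGP address families). It is not configuration from the original posts or from Cisco; all values are assumed: the Cat9k is AS 65000, the site routers are AS 65101 and 65102 on 10.1.0.0/30 and 10.2.0.0/30, the firewall is 10.100.0.254 in AS 65001 reached over VLAN 100 (trunked through the Nexus vPC pair), and the interface names are placeholders.

```ios
! Added example, not from the thread. Assumed values: Cat9k AS 65000,
! site routers AS 65101/65102, firewall 10.100.0.254 in AS 65001 on
! VLAN 100. Interface names are placeholders.
!
! One VRF per site plus one for the firewall. Each site VRF exports its
! routes toward the FW VRF and imports only what the FW VRF exports, so
! a site table never holds a direct route to another site.
vrf definition SITE1
 rd 65000:11
 address-family ipv4
  route-target export 65000:11
  route-target import 65000:100
 exit-address-family
!
vrf definition SITE2
 rd 65000:12
 address-family ipv4
  route-target export 65000:12
  route-target import 65000:100
 exit-address-family
!
vrf definition FW
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:11
  route-target import 65000:12
 exit-address-family
!
interface GigabitEthernet1/0/1
 description WAN link to site 1
 no switchport
 vrf forwarding SITE1
 ip address 10.1.0.1 255.255.255.252
!
interface GigabitEthernet1/0/2
 description WAN link to site 2
 no switchport
 vrf forwarding SITE2
 ip address 10.2.0.1 255.255.255.252
!
interface Vlan100
 description SVI toward the firewall (via the Nexus vPC trunk)
 vrf forwarding FW
 ip address 10.100.0.1 255.255.255.0
!
router bgp 65000
 bgp log-neighbor-changes
 ! Site sessions live in their own VRF address family; the connected
 ! /30 and any site prefixes are carried with RT 65000:1x.
 address-family ipv4 vrf SITE1
  redistribute connected
  neighbor 10.1.0.2 remote-as 65101
  neighbor 10.1.0.2 activate
 exit-address-family
 !
 address-family ipv4 vrf SITE2
  redistribute connected
  neighbor 10.2.0.2 remote-as 65102
  neighbor 10.2.0.2 activate
 exit-address-family
 !
 ! Firewall session: the FW VRF holds every site prefix (imported via
 ! RT) and advertises them to the firewall. The firewall should send
 ! back a default route, which is exported with RT 65000:100 into each
 ! site VRF, so all inter-site traffic is forced through its policy.
 address-family ipv4 vrf FW
  redistribute connected
  neighbor 10.100.0.254 remote-as 65001
  neighbor 10.100.0.254 activate
 exit-address-family
!
! Verification (expected shape, not captured output):
!   show ip route vrf SITE1     -> site 1 links plus routes learned from the FW VRF only
!   show ip bgp vpnv4 vrf FW    -> prefixes from both sites, carrying RT 65000:11 / 65000:12
```

The check that matters is `show ip route vrf SITE1`: it should contain site 1's own links and the firewall-originated default, and no prefix belonging to SITE2. Prefixes imported into the FW VRF keep their original route target, so they are not re-exported with 65000:100 and therefore do not leak between site VRFs; only routes the firewall itself sends are. If the firewall later starts advertising specific site prefixes instead of a default, those still arrive in each site VRF with the firewall as next hop, so the policy enforcement point is unchanged.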