02-04-2015 02:01 PM - edited 03-05-2019 12:43 AM
I have to provide connectivity for a third party between two locations. I have a VRF created at Site A and Site B called VRF Red. At site A and Site B I can ping nodes in the VRF networks within each site. How do I link the two sites together across the OSPF area? Does Site C need to have the Red VRF? I tried creating the router ospf 1 area vrf red, but when I show ip route vrf red there are no OSPF routes. Any help would be greatly appreciated.
02-04-2015 02:11 PM
Are the interfaces connecting the routers together also in the VRF ?
Do you want them in the VRF or do you have global subnets that also need to route via site C.
Need to understand what else, if anything, needs to route between site A and site B.
By the way, what are the routers at site A and B ?
Jon
02-04-2015 03:38 PM
Are the interfaces connecting the routers together also in the VRF ? No.
Do you want them in the VRF or do you have global subnets that also need to route via site C. I do not want them in the VRF. Site A B & C are all part of the global network.
Need to understand what else, if anything, needs to route between site A and site B. I put the drawing together too quickly, Jon. Site A and Site B are the switches sitting behind the routers and are the third party connections. The router at site A is a 6807 and Site B is a 3750-12 and both sites have local networks that are part of the global RIB and all 3 sites connect via CWDM on dark fiber.
The third party needs to be on their own network at site B and access servers etc on their network in site C.
Jon
02-04-2015 04:11 PM
The simple way to do this would have been to use GRE tunnels from site A and B routers and you put the tunnel into the VRF as well and either run a dynamic routing protocol or use static routes for the remote subnets.
But you can't do that obviously as the 6807 "may" support GRE (6500 did but not sure about 6800s) but 3750s won't and even if they did the performance would be terrible.
Presumably you are not running BGP anywhere ?
The other obvious solution is to create subinterfaces on the links between the routers or, as you actually have switches, use trunk links and create SVIs on each switch.
Then you can in effect extend the VRF all the way across from site A to site B via C but that would mean a fair amount of reconfiguration.
I'm not sure what other options there are but I am not necessarily aware of them all.
I'll have a think about it and if I get time lab a few things up but maybe someone else can suggest a better solution.
Just to clarify though, because of your last sentence, do you need the VRF to be in all three sites or just two of them.
And what is the router at site C ?
Jon
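The following IOS configuration is an added illustration of the subinterface/SVI approach Jon describes (extending VRF Red hop by hop from site A through site C to site B); it is not configuration from this thread or from the poster's network. All VLAN numbers, addresses, interface names and the RD are hypothetical. It also shows why the original attempt learned no OSPF routes: an OSPF process started with `router ospf <id> vrf RED` only forms adjacencies on interfaces that are themselves in the VRF, so the transit links need a VRF-member subinterface or SVI at both ends.

```cisco
! ===== Site A (6807, routed uplink to site C supports dot1Q subinterfaces) =====
ip vrf RED
 rd 65000:100                  ! RD must exist before an interface can join the VRF
!
interface TenGigabitEthernet1/1
 no ip address                 ! parent carries two tagged subinterfaces
!
interface TenGigabitEthernet1/1.10
 encapsulation dot1Q 10
 ip address 10.0.1.1 255.255.255.252       ! existing global OSPF point-to-point
 ip ospf network point-to-point
!
interface TenGigabitEthernet1/1.100
 encapsulation dot1Q 100
 ip vrf forwarding RED                     ! same fibre, separate VRF-only subinterface
 ip address 10.255.1.1 255.255.255.252
 ip ospf network point-to-point
!
interface Vlan300
 description third-party LAN, site A
 ip vrf forwarding RED
 ip address 10.200.1.1 255.255.255.0
!
router ospf 1
 network 10.0.1.0 0.0.0.3 area 0           ! global process, untouched
!
router ospf 100 vrf RED
 router-id 10.255.1.1
 network 10.255.1.0 0.0.0.3 area 0         ! VRF process sees only VRF interfaces
 network 10.200.1.0 0.0.0.255 area 0
!
! ===== Site C (6500 VSS, transit only: needs VRF RED but no third-party LAN) =====
ip vrf RED
 rd 65000:100
!
interface TenGigabitEthernet1/1/1.100      ! toward site A, mirrors A's .100
 encapsulation dot1Q 100
 ip vrf forwarding RED
 ip address 10.255.1.2 255.255.255.252
 ip ospf network point-to-point
!
interface TenGigabitEthernet1/1/2
 switchport trunk encapsulation dot1q      ! toward site B: trunk, because the
 switchport mode trunk                     ! 3750 has no routed subinterfaces
 switchport trunk allowed vlan 10,100
!
interface Vlan100
 ip vrf forwarding RED
 ip address 10.255.2.1 255.255.255.252
!
router ospf 100 vrf RED
 router-id 10.255.2.1
 network 10.255.1.0 0.0.0.3 area 0
 network 10.255.2.0 0.0.0.3 area 0
!
! ===== Site B (3750, SVIs on the trunk from site C) =====
ip vrf RED
 rd 65000:100
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,100
!
interface Vlan100
 ip vrf forwarding RED
 ip address 10.255.2.2 255.255.255.252
!
interface Vlan301
 description third-party LAN, site B
 ip vrf forwarding RED
 ip address 10.200.2.1 255.255.255.0
!
router ospf 100 vrf RED
 router-id 10.255.2.2
 network 10.255.2.0 0.0.0.3 area 0
 network 10.200.2.0 0.0.0.255 area 0
```

With this in place `show ip route vrf RED` at site A should list 10.200.2.0/24 as an OSPF route via 10.255.1.2, and nothing from the global table ever appears in the RED RIB, which is the separation property a VRF is there to give. The global OSPF process keeps its own interfaces (VLAN 10 here) and is unaffected.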
02-04-2015 04:43 PM
Thanks for taking the time Jon. The tunnel option was a thought but I never looked at it further. I thought the VRF could be routed into the global somehow from site A to site B.
IBGP is running at site C where we have a 6500 VSS. The links connecting each site are L3 ospf point-to-points.
Yeah, I am not aware of the options either. This is my first VRF design and I am learning along the way. And I need a solution for a move this weekend. Fun times :-)
I just need the VRF at site A and B so the two are on the same network.
Thanks
Bret
02-04-2015 05:19 PM
Bret
You can route the VRF into the global at both sites if you want but then it's not in its own VRF anymore.
I thought you wanted to extend the VRF between site A and B to keep the separation all the way across but if you don't then you can use the global routing table to get you between sites.
You can add static routes to the VRF pointing to the global table and routes in the global pointing to the VRF.
But then you have in effect allowed clients in the global routing table to access the VRF.
Which I'm not sure is what you really want or else why have VRFs ?
What are your options in terms of configuration, i.e. I'm not sure BGP will help here but if it could, can you run it on both the 6800 and the 3750 ?
And what about subinterfaces on the routed links ?
Note the 6500 (and probably the 6800) do support subinterfaces on L3 routed ports but your 3750 doesn't.
The only way to emulate that is a trunk link and use SVIs instead of subinterfaces but that would mean a trunk link between site B and C.
Jon
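As an added illustration of the static-route leaking Jon describes (not configuration from this thread), this is what the site A side would look like, with hypothetical addresses: one static takes VRF Red traffic out to the global table, and one global static points back into the VRF interface. The comments show why this is the option to avoid unless the isolation no longer matters.

```cisco
! Site A router. RED = third-party VRF, global = corporate routing table.
! Hypothetical: 10.200.1.0/24 is the local RED LAN on Vlan300,
! 10.200.2.0/24 is the third party's LAN at site B, 10.0.1.2 is site C's
! global next hop on the existing point-to-point.
!
! 1) RED -> global: send traffic for the remote third-party subnet via the
!    global next hop. The packet leaves the VRF and is forwarded like any
!    corporate packet from here on.
ip route vrf RED 10.200.2.0 255.255.255.0 10.0.1.2 global
!
! 2) global -> RED: give the global table a route into the local RED LAN by
!    pointing at the VRF interface (interface-only static; the router ARPs for
!    each destination host on Vlan300).
ip route 10.200.1.0 255.255.255.0 Vlan300
!
! 3) The rest of the global network has to know about 10.200.1.0/24 for the
!    return path from site B to work, so the static is redistributed into the
!    global OSPF process.
router ospf 1
 redistribute static subnets
!
! Consequence: after step 3 every router in the global area has a route to
! 10.200.1.0/24, so any corporate host can reach the third-party LAN and, via
! route 1, the third-party hosts can reach any global destination the RED
! default/next hop leads to. The VRF still exists as a table but no longer
! isolates anything; at that point an ACL on Vlan300 is doing the real work.
! Site B needs the mirror image: "ip route vrf RED 10.200.1.0 ... global" and
! a global static for 10.200.2.0/24 pointing at its RED SVI.
```

If this is ever used as a stop-gap, the leak should be as narrow as possible: a specific prefix in route 1 rather than a default route, and a route-map on `redistribute static` that only permits the third-party prefixes, so that nothing else in the global table drifts into the VRF's reachability.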
02-05-2015 03:53 AM
I would like to keep the VRF extended between the sites, so adding the routes into the global would be my last resort.
Sounds like the VRF may not work here. My goal was to move a third party company and its equipment into 2 locations and allow them to still access their servers like they do today, at the same time keeping their machines from accessing other networks within our company. Looks like I may have to rethink this and hit the drawing board again.
Thanks for your help Jon!
Bret
02-05-2015 04:21 AM
Bret
I have some spare time today and access to a lab so I can try out a few things but are you saying either using subinterfaces or running BGP at site A and B are not options.
If so I'm not sure what I can test.
Jon
02-05-2015 05:20 AM
Jon,
BGP is an option. However, if the subinterfaces are a requirement to work with BGP, then I may have to come up with another option. I'm just not sure what that other option is yet, but I'm sure I will come up with a plan.
Pictures are worth a thousand words. Third party connects to an SVI on the existing network and controls traffic in and out via their firewall. The planned move relocates their servers and internet to the data center. The clients are moving to our corporate office where they will plug into a separate switch, or possibly an SVI on the 6807. I guess PBR with route maps could be used, I'm just not 100% sure.
02-05-2015 08:26 AM
Bret
As luck would have it I can't access the online lab at the moment but if I get the chance to I will try a few things out.
PBR using a recursive next hop should get you to the other site's main router.
You would still need to use routes to get in and out of the VRF though.
Unless you simply remove the VRF and use acls on the customer SVI on each switch temporarily to only allow traffic from the remote subnet.
If the customer is using a firewall anyway that may be a viable solution if nothing else is available.
Jon
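The ACL fallback Jon mentions (drop the VRF, keep the customer SVI in the global table, and permit only traffic between the two third-party subnets) looks like the following on the site A switch. This is an added example with hypothetical addresses, not configuration from the thread; site B needs the same pair of ACLs with the subnets swapped.

```cisco
! Site A, customer SVI in the global table (no VRF). Hypothetical subnets:
! 10.200.1.0/24 = third-party LAN here, 10.200.2.0/24 = their LAN at site B.
!
! Inbound from the third-party hosts: only their own remote subnet is reachable;
! everything else on the corporate network is explicitly denied.
ip access-list extended THIRD-PARTY-IN
 remark third party may talk only to its own subnet at the other site
 permit ip 10.200.1.0 0.0.0.255 10.200.2.0 0.0.0.255
 deny   ip 10.200.1.0 0.0.0.255 any log    ! spoofed or stray sources also fall here
 deny   ip any any log
!
! Outbound toward the third-party hosts: only their remote subnet may reach them,
! so corporate hosts cannot initiate into the customer segment either.
ip access-list extended THIRD-PARTY-OUT
 remark only the remote third-party subnet may reach this segment
 permit ip 10.200.2.0 0.0.0.255 10.200.1.0 0.0.0.255
 deny   ip any any log
!
interface Vlan300
 description third-party LAN (ACL-isolated, global table)
 ip address 10.200.1.1 255.255.255.0
 ip access-group THIRD-PARTY-IN in
 ip access-group THIRD-PARTY-OUT out
 no ip redirects
 no ip proxy-arp
```

Two practical notes: the `log` keyword on these Catalyst platforms punts matching packets to the CPU, so it belongs only on the deny lines you actually want to watch (or with `ip access-list logging interval` / rate limiting) rather than on high-volume permits; and because both subnets now live in the corporate routing table, `show access-lists THIRD-PARTY-IN` hit counts on the deny lines are the quickest way to confirm the customer segment is not reaching anything it should not.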
02-05-2015 09:32 AM
Jon,
Thanks for all your time. I have decided to scratch the VRF design in lieu of a tunnel between the two sites, using dedicated 2811s. In the end this was a great learning experience and I have a better understanding of VRFs.
Bret