Wireless traffic and VRF

iores · ‎06-16-2022

Hi,

APs are at a branch site and the WLC is at a remote location.

APs are getting their IP addresses from a DHCP server which is at a remote location, as well.

APs ethernet interfaces are in VLAN 20 on access switches and on the EDGE device (router or L2/L3 switch) there is VRF to separate the VLAN 20 traffic.

Does this mean that the same VLAN/VRF will be used for CAPWAP traffic when sending Wi-Fi traffic to WLC, as well as for sending DHCP messages to a remote locations?

balaji.bandi · ‎06-16-2022

Depends on deployment, new SD-Access does Local switching, only control plane traffic to WLC.

if this deployed normal deployment, all the Traffic will use same VLAN and VRF for all the traffic here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Flavio Miranda · ‎06-16-2022

Hi

If AP is in Access mode with the switch (not in trunk), interface placed on the vlan 20, and vlan 20 on the L3 belong to a VRF, and you have no leak from this VRF to another VRF on the L3, then yes, all traffic will flow inside this VRF up to the Remote location.

If you share config from both switch we can say for sure.

iores · ‎06-16-2022

@Flavio Miranda

I don't have actual configs, I am talking about hypothetical scenario.

One more thing.

Because of the VRF, links from the edge device towards distribution and access switches are trunks. In such case, since the default gateway would be the edge device which is connected with the remote location, right?

What if I want to have management access to every switch? My guess is that I would need to create SVI interface, add additional L3 links between switches.

Flavio Miranda · ‎06-16-2022

"Because of the VRF, links from the edge device towards distribution and access switches are trunks. In such case, since the default gateway would be the edge device which is connected with the remote location, right? "

Links between Edge device and switches are trunk because you need to pass more then one vlan and not because the VRF.

VRF not necessarily have a default gateway, it can have only specific routes. You decide how the VRF will look like. But, you can have a default route inside the VRF pointing to a gateway.

"What if I want to have management access to every switch? My guess is that I would need to create SVI interface, add additional L3 links between switches."

It is always a good idea to have a management network. You can use a VRF for that or not. If you look at newer switch running IOS XE, you can see that by default is already have a Mgmt-intf VRF created for manament.

But you can also create loopbacks interfaces and add it to a VRF of your preference.

iores · ‎06-16-2022

@Flavio Miranda

But if VRF-lite is used, aren't 802.1q tags used to maintain the separation of traffic between different VRFs and that is why we use trunk links?

For example, please refer to the first image from this link: https://packetlife.net/blog/2009/apr/30/intro-vrf-lite/ . Let's imagine that this is a branch office, with APs connected to the access switches (S1-S3), and that R1, R2 and R3 are multilayer switches with all links below R1 being trunks. WLC is in the Corporate Access cloud and APs are in the BLUE VLAN. APs will receive the IP address range predetermined for this location. Then the default gateway would be on R1 which would be used to send traffic from APs to the WLC or not? Between R1 and Corporate access cloud there is a tunnel which as well belongs to the BLUE VRF.

Flavio Miranda · ‎06-16-2022

If the R1 is the gateway for the AP, then, yes, it must have connectivity to the WLC and send traffic to the WLC.

But, Let me explain my point and make to you a suggestion.

First, what I mentioned is that, if you go to a switch, L2 or L3 and do this:

int gi 1/0

swtichport mode trunk

switchport trunk allow vlan x,y,x,w

This config is meant to seggregate traffic indo vlans and has nothing to see with VRF.

Second, if you go to a L3 switch and do this:

interface FastEthernet1/0

description RX
ip vrf forwarding RED
ip address 192.168.0.2 255.255.255.252

This is totally different. this is a Layer 3 interface. You are also seggregating traffic. But, you can not do it with a Layer 2 interface.

The suggestion I´d like to make is get the Cisco PacketTracer program or even better the GNS3 program and start building this topology and play with VRF.