03-13-2018 10:06 AM - edited 03-08-2019 02:14 PM
Hi,
I have 4500X-32 in VSS running 3.6.0E that serves as the core LAN L3 Switch. I am trying to create 2 subnets that are isolated from the rest of the VLANs -- they only need to talk to each other and get out to the Internet through the 4500X's default route through the Firewall.
I have read this post and I believe I am close...
https://supportforums.cisco.com/t5/lan-switching-and-routing/route-leaking-vrf-to-global/m-p/3062753
I just can't seem to get it to work completely. Traceroutes on the client die on the VRF's VLAN SVI. The firewall has Static routes to send the return traffic of the VRF subnets to the SVI of its VLAN.
I am testing on the "trcu" VRF...
!
ip vrf telemed
 rd 100:32
 route-target export 100:32
 route-target import 100:30
!
ip vrf trcu
 rd 100:30
 route-target export 100:30
 route-target import 100:32
!
ip dhcp pool WLAN_TRCU
 vrf trcu
 network 10.30.0.0 255.255.255.0
 dns-server 8.8.8.8 4.4.4.4
 default-router 10.30.0.254
!
ip dhcp pool WLAN_telemed
 vrf telemed
 network 10.30.2.0 255.255.255.0
 dns-server 8.8.8.8 4.4.4.4
 default-router 10.30.2.254
!
!
interface Vlan30
 description TRCU Subnet
 ip vrf forwarding trcu
 ip address 10.30.0.254 255.255.255.0
!
interface Vlan32
 description telemed WLAN Subnet
 ip vrf forwarding telemed
 ip address 10.30.2.254 255.255.255.0
!
router bgp 100
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 !
 address-family ipv4 vrf telemed
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf trcu
  redistribute connected
 exit-address-family
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.90.253 name Default_Route_to_Firewall
ip route vrf trcu 0.0.0.0 0.0.0.0 192.168.90.253 global name Default_Route_to_Firewall
ip route vrf telemed 0.0.0.0 0.0.0.0 192.168.90.253 global name Default_Route_to_Firewall
4500X# sh bgp vrf trcu
BGP table version is 5, local router ID is 192.168.254.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:30 (default for vrf trcu)
*> 10.30.0.0/24 0.0.0.0 0 32768 ?
*> 10.30.2.0/24 0.0.0.0 0 32768 ?
4500X#sh ip route vrf trcu
Routing Table: trcu
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.90.253 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.90.253
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.30.0.0/24 is directly connected, Vlan30
L 10.30.0.254/32 is directly connected, Vlan30
B 10.30.2.0/24 is directly connected (telemed), 3d21h, Vlan32
L 10.30.2.254/32 is directly connected, Vlan32
What is missing????
TIA - Perry
03-14-2018 05:12 AM
Hello,
I am just thinking, if all you want is to isolate traffic from those two VLANs, why not simply use an access list on the SVIs?
03-13-2018 12:49 PM
Hello,
is the problem that the VRFs cannot talk to each other, or that the VRFs are not routed out properly to the firewall?
03-13-2018 01:19 PM
I have not tested routing between the 2 VRFs. The "trcu" VRF is most critical as the subnet needs to be shared between wired and wireless clients that are connected through a 5508 WLC. Wireless clients are not pulling IPs from DHCP, but I'll tackle that later.....
I have a wired PC connected to a switchport in VLAN 30. It pulls 10.30.0.1 from the DHCP and I see the Google DNS 8.8.8.8 and 4.4.4.4 assigned to the client along with the gateway 10.30.0.254 (IP addr of the VLAN 30 SVI). But I cannot access anything on the Internet. Traceroute from the PC "dies" on the VLAN SVI 10.30.0.254.
On the 4500X, I can ping the PC....
4500X#ping vrf trcu 10.30.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.0.1, timeout is 2 seconds:
!!!!!
On the Firewall devices, I have static routes that point 10.30.0.0/24 to the SVI of the VLAN that has the Firewall LAN interfaces. I can NOT ping the SVI of the VRF from the firewall.
This is my Global default gateway on the 4500X:
ip route 0.0.0.0 0.0.0.0 192.168.90.253
From what I've read, this is supposed to inject the global default route into the VRF:
ip route vrf trcu 0.0.0.0 0.0.0.0 192.168.90.253 global
The .253 IP is the Firewall's interface.....
03-13-2018 03:44 PM
Hello,
try the VRF receive feature. This essentially puts the directly connected network to your firewall in the trcu VRF:
interface Vlan30
 description TRCU Subnet
 ip vrf forwarding trcu
 ip address 10.30.0.254 255.255.255.0
!
interface FastEthernet0/0
 description To_Firewall
 ip vrf select source
 ip vrf receive trcu
 ip address 192.168.90.254 255.255.255.252
!
ip route 10.30.0.0 255.255.255.0 Vlan30
04-25-2018 11:57 AM
After getting really deep into the VRF/BGP leaking, I went back to the ACL on the SVI. It may not be the most efficient method, but it is sure easier to implement.
Thx to everyone who offered comments....