10-12-2009 11:05 PM - edited 03-06-2019 08:05 AM
Hi all,
I am a new vrf-lite user. In my labs, I want to isolate traffic on the same routing equipment, which is a C3750.
See below my network schema attached.
This is a new network, so I have to create it. I have 3 security contexts and four areas on 2 contexts. I want to virtualize all the routers on the schema using only one 3750; I think vrf-lite is the best. My problem is how to create what I call in the schema the "interco" network in AREA3, AREA4, AREA3 and AREA4B, because 3 L3 interfaces should be in the same VLAN?
Thank you for your help
10-13-2009 01:35 AM
Hello Yann,
I don't see any attached file.
However, VRF-lite also allows you to configure forms of inter-VRF communication.
Some of these forms don't need a direct link but work at the route-target level.
Attach the file with your schema and then it is possible to go on with this discussion.
Hope to help
Giuseppe
10-13-2009 04:34 AM
10-26-2009 11:50 PM
Hi,
Can anybody give me some help configuring my network? I want to create routing contexts on my 3750.
Thx
10-28-2009 01:14 PM
Yann.
I'll try a suggestion for you to try out. I have not verified it myself in testlab.
Make a VRF for each router and assign the appropriate amount of physical interfaces to each VRF. E.g. the router interconnecting area 2 to the firewall would need a L3 interface ("no switchport" and IP address) facing the firewall and a L3 interface to each LAN in area 2. This is in total three physical ports in one VRF.
Likewise with the other routers.
Then you could make separate VLANs for interconnecting the various pieces. This can be done in one VRF per link in order to make sure that you don't get any shortcuts.
Then interconnect it all with a lot of short RJ45 cables.
I hope you have a 48-port Cat3750 because you will use quite a lot of ports!
And remember to put all the port numbers on your drawing or you will lose track of what you have made.
There might be other ways, but this should give you what you want in a basic way. Post back the results.
HTH, Ingolf
10-28-2009 02:21 PM
Yann,
Here is a sample config for VRF:
! cust-A imports its own RT plus 201:202, the RT that cust-B's export map
! sets on the prefixes it wants cust-A to see
ip vrf cust-A
 rd 101:101
 export map to-cust-b
 route-target import 101:101
 route-target import 201:202
!
! cust-B mirrors this: its own RT plus 101:102, the RT cust-A's export map
! sets on the prefixes it wants cust-B to see
ip vrf cust-B
 rd 201:201
 export map to-cust-a
 route-target import 201:201
 route-target import 101:102
!
interface Loopback101
 ip vrf forwarding cust-A
 ip address 101.101.101.101 255.255.255.255
!
interface Loopback201
 ip vrf forwarding cust-B
 ip address 201.201.201.201 255.255.255.255
!
! MP-BGP is only there to carry the VRF routes so that route-targets can be
! evaluated; no BGP neighbor is required for leaking between local VRFs
router bgp 65222
 address-family ipv4 vrf cust-B
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust-A
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
HTH
Reza
11-02-2009 01:51 AM
Hello Reza,
just to add one note
Yann would like to have some inter VRF communication.
To be able to do this in a "logical way", a subset of routes of VRFA that should be seen on VRFB has to be exported with an additional route-target so that it can be imported on VRFB.
Let's use route-target 201:5555 as the route-target for the inter-VRF communication,
so we need to add to Reza's template:
ip vrf VRFA
 route-target import 201:5555
 export map VRFAtoALL
!
ip vrf VRFB
 route-target import 201:5555
 export map VRFBtoALL
!
These are route-maps (route filters) that decide which routes have to be visible on the other VRFs:
access-list 11 permit 10.10.10.0 0.0.0.255
!
route-map VRFAtoALL permit 10
 match ip address 11
 set extcommunity rt 201:5555
similar for the other ones.
note: no empty final block is needed in the route-maps
All this performs at the logical level (in multi-protocol BGP) what Ingolf is suggesting you perform with wires.
That can be an acceptable solution if there are only 3 VRFs, but it is not scalable.
PS:
Yann: sorry I had missed your update to the thread.
Hope to help
Giuseppe
11-01-2009 09:42 PM
Hi all,
thank you for your replies.
My question is for Ingolf: your proposal is to dedicate physical switch interfaces as if I had a physical router with physical interfaces. It could be a solution, but it's a 24-port switch, so I will use a lot of ports, as you say, and it's not very scalable. I don't know why I can't use VLANs to do that?
For Reza: what is the goal of the loopback interfaces? Why do these interfaces not belong to VLANs?
I want to use VRF to create routing contexts on the same equipment. It will be my router for everything except for the default router of each area, which will be the firewall.
If I have this : LAN A --> ROUTER A IF1 --> ROUTER A IF2 --> ROUTER B IF1 --> ROUTER B IF2 --> physical FIREWALL B IF1
In my configuration I should have:
- LAN A + ROUTER A IF1 = L3 VLAN
- ROUTER A IF2 = L3 VLAN
- ROUTER B IF1 = L3 VLAN
- ROUTER A IF2 + ROUTER B IF1 = SAME VLAN because directly connected. How can I manage on the same physical equipment two virtual L3 interfaces on the same LAN?
For the last interface it should be:
- ROUTER B IF2 = L3 VLAN
- physical FIREWALL B IF2 = BELONGS to ROUTER B IF2 VLAN.
thank you.
11-02-2009 08:27 AM
Hi Giuseppe,
Sorry, I had forgotten to post the route-map, access list and the static routes in my original post.
Here they are:
route-map to-cust-b permit 5
 match ip address 100
 set extcommunity rt 101:101 101:102
!
route-map to-cust-a permit 5
 match ip address 101
 set extcommunity rt 201:201 201:202
!
access-list 100 permit ip 103.103.103.0 0.0.0.255 any
access-list 101 permit ip 203.203.203.0 0.0.0.255 any
!
ip route vrf cust-A 101.101.101.0 255.255.255.0 Null0
ip route vrf cust-A 102.102.102.0 255.255.255.0 Null0
ip route vrf cust-A 103.103.103.0 255.255.255.0 Null0
ip route vrf cust-B 201.201.201.0 255.255.255.0 Null0
ip route vrf cust-B 202.202.202.0 255.255.255.0 Null0
ip route vrf cust-B 203.203.203.0 255.255.255.0 Null0
So, with this configuration:
cust-A can see its own routes and only 203.203.203/24.
cust-B can see its own routes and only 103.103.103/24, and not the other subnets.
Thanks,
Reza
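To check that the route-target policy in Reza's config (and the shared-RT variant Giuseppe describes) leaks only the intended prefixes between the two security contexts, here is an added Python model of the MP-BGP export-map/import logic. It is not Cisco code or anything from this thread; the VRF definitions, ACLs and Null0 prefixes are constructed from the config posted above, and RDs are ignored because they do not affect which prefixes a local VRF imports.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

@dataclass
class ExportMap:
    # 'export map X' with 'match ip address ACL' / 'set extcommunity rt ...'
    acl: list   # [(network, wildcard)] from 'access-list N permit ip net wc any'
    rts: set

    def matches(self, prefix: IPv4Network) -> bool:
        addr = int(prefix.network_address)
        return any(addr & ~int(IPv4Address(wc)) == int(IPv4Address(net))
                   for net, wc in self.acl)

@dataclass
class Vrf:
    name: str
    import_rts: set        # 'route-target import ...' lines
    export_map: ExportMap
    local: list = field(default_factory=list)  # connected/static routes

def leak(vrfs):
    """Return {vrf name: sorted visible prefixes} after MP-BGP export/import."""
    exported = []
    for v in vrfs:
        for p in v.local:
            # No 'route-target export' in the config: only export-map matches
            # carry an RT; every other prefix stays confined to its own VRF.
            if v.export_map.matches(p):
                exported.append((p, v.export_map.rts, v.name))
    visible = {}
    for v in vrfs:
        rib = set(v.local)
        for p, rts, origin in exported:
            if origin != v.name and rts & v.import_rts:   # any RT in common
                rib.add(p)
        visible[v.name] = sorted(str(p) for p in rib)
    return visible

# Constructed from Reza's cust-A / cust-B config and Null0 routes above.
CUST_A = Vrf("cust-A", {"101:101", "201:202"},
             ExportMap([("103.103.103.0", "0.0.0.255")], {"101:101", "101:102"}),
             [IPv4Network(f"10{n}.10{n}.10{n}.0/24") for n in (1, 2, 3)])
CUST_B = Vrf("cust-B", {"201:201", "101:102"},
             ExportMap([("203.203.203.0", "0.0.0.255")], {"201:201", "201:202"}),
             [IPv4Network(f"20{n}.20{n}.20{n}.0/24") for n in (1, 2, 3)])

def audit():
    return leak([CUST_A, CUST_B])
```

Swapping the per-VRF import lists for a common RT such as 201:5555 reproduces Giuseppe's variant; any prefix that shows up in a VRF where it should not is a leak to fix in the ACL before the config goes on the switch.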
11-02-2009 11:05 AM
Hello Reza,
>> Sorry, I had forgotten to post the route-map, access list and the static routes in my original post.
don't worry I had totally missed the thread follow-up ...
Best Regards
Giuseppe
11-02-2009 10:29 AM
Hi Yann.
As I said, it was a simple suggestion which does not scale well. I am glad to see suggestions as the one from Giuseppe because it looks much more elegant and easier to implement, so I'd strongly advise to follow that one.
HTH, Ingolf
11-02-2009 10:53 PM
Hi all,
Many thanks to all for your replies, this community is very helpful!!
Thank you for the VRF configuration, but it does not answer one question: how can I manage this on the same physical equipment?
VLAN1 is a layer 3 VLAN with the default router for this LAN. This router, which is a virtual one, has a second interface connected to a L3 VLAN2; it has to communicate with another router in the same L3 VLAN2. So how can I have TWO L3 virtual interfaces in the same VLAN? What is the goal of the loopback interfaces if they cannot belong to a VLAN?
To describe it: FW1 (route 0.0.0.0) --> R2 IF2 --> R2 IF1 (vlan2) --> R1 IF2 --> R1 IF1 --> (vlan1)
Thank you once again
11-03-2009 12:44 AM
Hello Yann,
We may have misunderstood your needs.
If there is an external firewall that is part of the picture, the role of inter-VRF communication can be given to the FW, and all you need are the appropriate static routes in each VRF context.
The FW can act as a bridge joining two broadcast domains:
one VRF uses vlan 2 and has a specific IP subnet like 10.2.2.2/24;
the second VRF uses vlan 22 and has an IP address like 10.2.2.3/24.
Or simply, as suggested by Ingolf, you can use a crossover cable to join vlan2 and vlan22.
Be aware that for successful communication one SVI needs to use a modified MAC address:
int vlan 22
mac-address
We have done this on C6500 with FWSM firewall blade used as a transparent bridge.
Hope to help
Giuseppe
11-04-2009 02:57 AM
Hi Giuseppe,
Thank you for your reply. I start to understand what you mean; I thought it was not possible to have the same IP network on two different VLAN IDs.
I upload a schema of my labs with a focus. Can you give some help on how to configure what is in red colour? It's just to start my configuration.
You can consider that for all the routers I will have only one physical C3750; the default gateway is managed by the ASA.
Thank you
11-05-2009 10:47 PM
Hi all,
If somebody can give some help to configure my network. I don't understand something; I just want to have some help on the beginning.
Thank you
My network schema is attached in the previous message.