So the only way to operate OSPF between a L3 switch and another device is to use L3 ports

on L3 switch? (no switchport command and IP under the interface)

Then how would you virtualize routing protocols? I mean the main goal here is to create multiple VRFs on one device and extend it to another device using VLAN to VRF mapping (802.1Q trunking) and running separate OSPF processes in each VRF.

Saman

So the only way to operate OSPF between a L3 switch and another device is to use L3 ports

on L3 switch? (no switchport command and IP under the interface)

You can use SVIs, they don't have to be physical L3 ports. OSPF simply starts up on the SVI just as it would a physical L3 interface and neighborships/adjacencies are formed using the SVI.

Then how would you virtualize routing protocols? I mean the main goal here is to create multiple VRFs on one device and extend it to another device using VLAN to VRF mapping (802.1Q trunking) and running separate OSPF processes in each VRF

Just as you have done ie. you put each SVI into it's own VRF. If you allocate vlan 10 into a VRF then i assume any other L3 devices in vlan 10 reachable via either trunk link should be in the same VRF. It is a trunk link but that doesn't mean all vlans on the trunk link are in the same VRF because you have only allocated vlan 10 into the test VRF.

So if you also had a vlan 11 SVI on the L3 switch and vlan 11 was allowed on the trunk link any routes received from another vlan 11 L3 device would be in the global routing table because you haven't assigned vlan 11 to any VRF.

If however you want the vlan 10 L3 devices reachable by one trunk link to be in the test VRF but the vlan 10 L3 devices reachable via the other trunk link not to be in the test VRF then that won't work. You would need to move the non VRF L3 devices off vlan 10.

In terms of a physical L3 interface you definitely don't want that because the interface can only be in one VRF. That is why on a L3 switch it is better to use a L2 trunk link (or links) and assign the SVIs into the VRFs.

Hope that makes sense.

Jon

Jon, everything you are saying makes sense. I think the confusion is coming from my original question. Let me put it this way:

I create 2 SVI interface at both sides (vlan 10 and 20). I put each VLAN interface in their own VRFs (Red and Blue respectively) at both sides. Next, I run a trunk link in between and allow both VLANs in trunk. Finally I run one OSPF process per VRF and everything should be ok. I have the separation I needed. No question there. Are we good here?

Here is the question:

Let’s say one of those two devices, has another trunk interface connected to another segment of the network. As a requirement, the same VLANs are allowed in that trunk and we have other devices in those VLANs. There is no need of OSPF in this segment. All I need is to make sure no OSPF multicast packets are being sent that way. Ho do I achieve that? If I go under OSPF configuration in each VRF, I'm not able to make this other trunk interface passive.

Jon,

Thanks for your response.

jon.marshall wrote:
Can i ask why you want to do this ie. what you are trying to achieve as understanding exactly what it is you want may help us come up with a solution for you. 

Basically those L3 switches are at the edge of the network having OSPF connectivity with provider's MPLS routers. Inside of our network, we have Virtual L3 Firewalls at VMware level. I was trying to put outside interface of those firewalls in the same subnet as the edge switches and MPLS routers, but not running OSPF below the switches. I admit that is an uncommon design. Logically it's like having a multi-access broadcast OSPF network and then trying to exclude one device from participating in OSPF! 

However, I decided to split subnets at the edge. That is, one subnet between edge switches and MPLS routers with OSPF enabled, another subnet facing inside of the network with no OSPF and just static default routing. That looks a lot better to me!