07-17-2018 11:55 AM - edited 03-08-2019 03:42 PM
I'm preparing to deploy a new WLAN setup across a few locations, where each location has the same SSIDs and those networks are isolated from the rest of the production network. I set up a lab environment to learn VRF (well, VRF-Lite, I suppose). I have attached a basic network diagram. At this point, I'm mainly concerned with the right side of the picture. I have two VLANs that should be isolated from each other and the rest of the network, but they both need to connect to a DHCP server in a third VLAN, which will give out addresses from different pools to each one. So, how can I route traffic from VLANs 500 and 501 to VLAN 505 in the HQ router? I tried rd and route-target statements in the VRFs, but it hasn't worked so far. Also, my next step will be to get traffic coming from the branch to VLAN 505, also. So, if it can be done in the VRF, that would probably be simplest in the long run.
So, the succinct version: In the HQ router, how to route traffic between Host A and the DHCP server?
Any ideas? Thanks in advance.
07-17-2018 12:09 PM
Hello,
in order to isolate inter-Vlan traffic and still allow DHCP requests, use an extended access list. Post the configs of your routers so we can help you with the access list...
07-17-2018 01:08 PM
Thanks, Georg.
HQ Router:
Current configuration : 2801 bytes
!
! Last configuration change at 19:22:05 UTC Tue Jul 17 2018
! NVRAM config last updated at 19:22:06 UTC Tue Jul 17 2018
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hq-r
!
boot-start-marker
boot-end-marker
!
!
vrf definition VRF_500
description VRF_500
rd 1234:500
route-target export 1234:500
route-target import 1234:505
!
address-family ipv4
exit-address-family
!
vrf definition VRF_501
rd 1234:501
route-target export 1234:501
route-target import 1234:505
!
address-family ipv4
exit-address-family
!
vrf definition VRF_505
rd 1234:505
route-target export 1234:505
route-target import 1234:500
route-target import 1234:501
!
address-family ipv4
exit-address-family
!
enable secret 5
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid
license boot module c2900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.500
vrf forwarding VRF_500
encapsulation dot1Q 500
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/0.501
vrf forwarding VRF_501
encapsulation dot1Q 501
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
ip address 10.10.0.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1.500
vrf forwarding VRF_500
encapsulation dot1Q 500
ip address 192.168.0.50 255.255.255.0
ip helper-address 192.168.5.2
!
interface GigabitEthernet0/1.501
vrf forwarding VRF_501
encapsulation dot1Q 501
ip address 192.168.1.50 255.255.255.0
ip helper-address 192.168.5.2
!
interface GigabitEthernet0/1.505
vrf forwarding VRF_505
encapsulation dot1Q 505
ip address 192.168.5.50 255.255.255.0
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
shutdown
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0/1/4
shutdown
!
interface GigabitEthernet0/1/5
shutdown
!
interface GigabitEthernet0/1/6
shutdown
!
interface GigabitEthernet0/1/7
shutdown
!
interface Vlan1
no ip address
shutdown
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
logging esm config
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password adm
login
transport input all
!
scheduler allocate 20000 1000
end
Branch Router:
Current configuration : 3362 bytes
!
! Last configuration change at 19:31:56 UTC Tue Jul 17 2018
! NVRAM config last updated at 19:31:58 UTC Tue Jul 17 2018
! NVRAM config last updated at 19:31:58 UTC Tue Jul 17 2018
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname branch-r
!
boot-start-marker
boot-end-marker
!
!
vrf definition VRF_500
!
address-family ipv4
exit-address-family
!
vrf definition VRF_501
!
address-family ipv4
exit-address-family
!
enable secret 5
enable password
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.500
encapsulation dot1Q 500
vrf forwarding VRF_500
ip address 172.16.0.2 255.255.255.0
!
interface GigabitEthernet0/0.501
encapsulation dot1Q 501
vrf forwarding VRF_501
ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet0/1
ip address 10.20.0.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1.500
encapsulation dot1Q 500
vrf forwarding VRF_500
ip address 192.168.100.50 255.255.255.0
ip helper-address 192.168.5.2
!
interface GigabitEthernet0/1.501
encapsulation dot1Q 501
vrf forwarding VRF_501
ip address 192.168.101.50 255.255.255.0
ip helper-address 192.168.5.2
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
no ip address
shutdown
!
interface GigabitEthernet0/1/1
no ip address
shutdown
!
interface GigabitEthernet0/1/2
no ip address
shutdown
!
interface GigabitEthernet0/1/3
no ip address
shutdown
!
interface GigabitEthernet0/1/4
no ip address
shutdown
!
interface GigabitEthernet0/1/5
no ip address
shutdown
!
interface GigabitEthernet0/1/6
no ip address
shutdown
!
interface GigabitEthernet0/1/7
no ip address
shutdown
!
interface GigabitEthernet0/3/0
no ip address
shutdown
!
interface GigabitEthernet0/3/1
no ip address
shutdown
!
interface GigabitEthernet0/3/2
no ip address
shutdown
!
interface GigabitEthernet0/3/3
no ip address
shutdown
!
interface GigabitEthernet0/3/4
no ip address
shutdown
!
interface GigabitEthernet0/3/5
no ip address
shutdown
!
interface GigabitEthernet0/3/6
no ip address
shutdown
!
interface GigabitEthernet0/3/7
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route vrf VRF_500 192.168.0.0 255.255.255.0 172.16.0.1
ip route vrf VRF_500 192.168.5.0 255.255.255.0 172.126.0.1
ip route vrf VRF_501 192.168.1.0 255.255.255.0 172.126.1.1
ip route vrf VRF_501 192.168.5.0 255.255.255.0 172.126.1.1
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password adm
login
transport input all
!
scheduler allocate 20000 1000
end
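The two configs above contain the details that decide whether the DHCP server is reachable from the VRFs at all, so here is a small configuration check, written for this thread and not taken from either router or from Cisco, that reads reduced excerpts of the posted hq-r and branch-r configs and reports three things: static routes whose IP next hop is on no connected subnet of the same VRF (in these configs nothing else could resolve it), ip helper-address targets that no connected subnet or static route covers inside the relaying interface's VRF, and VRFs that carry route-target statements in a config with no router bgp process (on a VRF-Lite router without MP-BGP, rd and route-target statements import and export nothing). The excerpts are constructed by me from the posted text and keep its addresses as posted; the three rules are my assumptions about what a correct VRF-Lite config needs, not something the thread states.

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted in this thread, cut down to the
# lines these checks need; addresses and route statements are exactly as posted.
HQ_CONFIG = """
vrf definition VRF_500
 rd 1234:500
 route-target export 1234:500
 route-target import 1234:505
!
vrf definition VRF_505
 rd 1234:505
 route-target export 1234:505
 route-target import 1234:500
!
interface GigabitEthernet0/1.500
 vrf forwarding VRF_500
 ip address 192.168.0.50 255.255.255.0
 ip helper-address 192.168.5.2
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
"""
BRANCH_CONFIG = """
interface GigabitEthernet0/0.500
 vrf forwarding VRF_500
 ip address 172.16.0.2 255.255.255.0
!
interface GigabitEthernet0/1.500
 vrf forwarding VRF_500
 ip address 192.168.100.50 255.255.255.0
 ip helper-address 192.168.5.2
!
ip route vrf VRF_500 192.168.0.0 255.255.255.0 172.16.0.1
ip route vrf VRF_500 192.168.5.0 255.255.255.0 172.126.0.1
"""
ROUTE_RE = re.compile(r"^ip route(?: vrf (\S+))? (\S+) (\S+) (\S+)(?: \S+)?$")

def parse_interfaces(config):
    """Interface stanzas as dicts: name, vrf ('global' if none), net, helpers."""
    stanzas, cur = [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "vrf": "global", "net": None, "helpers": []}
            stanzas.append(cur)
        elif line == "!":
            cur = None
        elif cur is not None and line.startswith("vrf forwarding "):
            cur["vrf"] = line.split()[2]
        elif cur is not None and line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cur["net"] = ipaddress.IPv4Interface(f"{ip}/{mask}").network
        elif cur is not None and line.startswith("ip helper-address "):
            cur["helpers"].append(line.split()[2])
    return stanzas

def parse_static_routes(config):
    """'ip route [vrf X] prefix mask next-hop' -> (vrf, network, next-hop string)."""
    routes = []
    for m in filter(None, (ROUTE_RE.match(l.strip()) for l in config.splitlines())):
        vrf, prefix, mask, hop = m.groups()
        routes.append((vrf or "global", ipaddress.IPv4Network(f"{prefix}/{mask}"), hop))
    return routes

def connected_nets(stanzas, vrf):
    return [s["net"] for s in stanzas if s["vrf"] == vrf and s["net"] is not None]

def check_next_hops(config):
    """Static routes whose IP next hop sits on no connected subnet of its own VRF."""
    stanzas, findings = parse_interfaces(config), []
    for vrf, prefix, hop in parse_static_routes(config):
        try:
            addr = ipaddress.IPv4Address(hop)
        except ValueError:
            continue  # next hop is an interface name, nothing to resolve
        if not any(addr in net for net in connected_nets(stanzas, vrf)):
            findings.append((vrf, str(prefix), hop))
    return findings

def unreachable_helpers(config):
    """Helper addresses covered by neither a connected subnet nor a static route in the relaying VRF."""
    stanzas, routes, findings = parse_interfaces(config), parse_static_routes(config), []
    for s in stanzas:
        for h in s["helpers"]:
            addr = ipaddress.IPv4Address(h)
            covered = any(addr in n for n in connected_nets(stanzas, s["vrf"])) or \
                      any(addr in p for v, p, _ in routes if v == s["vrf"])
            if not covered:
                findings.append((s["name"], s["vrf"], h))
    return findings

def route_targets_without_bgp(config):
    """VRFs with route-target statements although the config has no 'router bgp' process."""
    lines = [l.strip() for l in config.splitlines()]
    if any(l.startswith("router bgp") for l in lines):
        return []
    vrfs, cur = set(), None
    for line in lines:
        if line.startswith("vrf definition "):
            cur = line.split()[2]
        elif line == "!":
            cur = None
        elif cur and line.startswith("route-target "):
            vrfs.add(cur)
    return sorted(vrfs)
```

Run against the excerpts, the branch check flags the 192.168.5.0/24 route in VRF_500 because its next hop 172.126.0.1 is on no subnet of that VRF (172.16.0.0/24 is), the HQ check flags the helper on Gi0/1.500 because VRF_500 has no route at all toward 192.168.5.2, and the route-target check lists VRF_500 and VRF_505 on hq-r. The helper check deliberately accepts any covering static route, so it reports nothing on branch-r; the next-hop check is what catches that route's problem.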
07-17-2018 01:36 PM
Hello,
the below isolates your VLANs from each other and also the rest of your network. You also do not have any outside (Internet) connectivity when you apply this access list, is this what you want? All the clients have access to is the DHCP server:
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 host 192.168.5.2
access-list 101 permit ip host 192.168.5.2 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 192.168.5.2
access-list 101 permit ip host 192.168.5.2 192.168.1.0 0.0.0.255
interface GigabitEthernet0/1
ip address 10.10.0.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1.500
vrf forwarding VRF_500
encapsulation dot1Q 500
ip address 192.168.0.50 255.255.255.0
ip access-group 101 in
ip helper-address 192.168.5.2
!
interface GigabitEthernet0/1.501
vrf forwarding VRF_501
encapsulation dot1Q 501
ip address 192.168.1.50 255.255.255.0
ip access-group 101 in
ip helper-address 192.168.5.2
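To see what the access list above actually permits and denies before applying it, here is an evaluator, added for this thread and not part of the reply or of IOS, that parses ACL 101 exactly as posted, applies Cisco first-match and wildcard-mask semantics with the implicit deny at the end, and runs a few constructed flows through it as if they arrived inbound on Gi0/1.500. The flows and the hosts in them (192.168.0.10, 10.10.0.100, and so on) are my assumptions. The fourth flow is the caveat worth checking: a client's first DHCPDISCOVER is sent from 0.0.0.0 to 255.255.255.255, matches none of the six entries, and so hits the implicit deny; IOS evaluates an inbound ACL before the helper relays the broadcast, so the list as posted needs an explicit bootp entry for clients to get an address. The variant with that entry in front is my addition as well.

```python
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "action proto src sport dst dport")
Flow = namedtuple("Flow", "proto src sport dst dport")

# ACL 101 exactly as posted in the reply above.
ACL_101 = """
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 host 192.168.5.2
access-list 101 permit ip host 192.168.5.2 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 192.168.5.2
access-list 101 permit ip host 192.168.5.2 192.168.1.0 0.0.0.255
"""
# Hypothetical variant (my addition, not from the thread): the same list with a
# bootp entry in front so clients that have no address yet can reach the relay.
ACL_101_WITH_BOOTP = "access-list 101 permit udp any eq bootpc any eq bootps\n" + ACL_101

PORT_NAMES = {"bootps": 67, "bootpc": 68}

def _addr(tokens, i):
    """One address spec ('any', 'host A', or 'A wildcard') -> ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def _port(tokens, i):
    """Optional 'eq <port>' after an address spec -> (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None), i + 2
    return None, i

def parse_acl(text, number):
    """Entries of one numbered extended ACL, in the order IOS evaluates them."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)]:
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        entries.append(Entry(t[2], t[3], src, sport, dst, dport))
    return entries

def _addr_match(spec, ip):
    """Cisco wildcard semantics: bits set in the wildcard are don't-care."""
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & (~wild & 0xFFFFFFFF) == 0

def evaluate(entries, flow):
    """First matching entry wins; no match falls to the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", flow.proto):
            continue
        if e.sport not in (None, flow.sport) or e.dport not in (None, flow.dport):
            continue
        if _addr_match(e.src, flow.src) and _addr_match(e.dst, flow.dst):
            return e.action
    return "deny"

# Constructed flows arriving inbound on Gi0/1.500 (VLAN 500) at the HQ router.
FLOWS = {
    "host A renews lease (unicast to DHCP server)": Flow("udp", "192.168.0.10", 68, "192.168.5.2", 67),
    "host A pings a host in VLAN 501": Flow("icmp", "192.168.0.10", None, "192.168.1.10", None),
    "host A reaches the production LAN": Flow("tcp", "192.168.0.10", 51000, "10.10.0.100", 443),
    "host A DHCPDISCOVER before any lease": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
}

def verdicts(acl_text):
    entries = parse_acl(acl_text, 101)
    return {name: evaluate(entries, f) for name, f in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_101), ("with bootp entry", ACL_101_WITH_BOOTP)):
        print(f"ACL 101 {label}:")
        for name, verdict in verdicts(acl).items():
            print(f"  {verdict:6s} {name}")
```

As posted, the list permits the unicast renewal to 192.168.5.2 and denies the other three flows, the DHCPDISCOVER included; with the bootp entry in front the discover is permitted while VLAN 501 and the production LAN stay denied. Note also that the two entries with host 192.168.5.2 as the source never match on an ACL applied inbound on the VLAN 500 and 501 subinterfaces, since the server's replies enter the router on Gi0/1.505; they are harmless there but do no work.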
07-18-2018 01:54 PM
Thank you, Georg.
I haven't worked much with networking for quite some time and I'm pretty rusty. Right now, I'm just trying to understand connecting the VLANs and VRFs through the network while isolating them.
I created the access-list you suggested and applied it to the two interfaces, but I still can't ping between the hosts in VLANs 500 and 501 and the DHCP server in VLAN 505. Is permitting the traffic enough, or do I need to add some kind of routing between the VRFs and/or VLANs?
Thanks,
-Ben