VRF between multiple VDCs

zscaringello
Level 1

I am currently planning out a secure multi-tenant solution using a Nexus 7010 (which I have no hands-on experience with).

I will be having four separate VDCs and need to configure them as follows:

CORE SERVERS <---------V-------------V-----------V
                       |             |           |
                       |             |           |
                    Tenant 1         |           |
                                     |           |
                                  Tenant 2       |
                                                 |
                                              Tenant 3

All tenants need to be able to communicate with the Core Servers, but they should not be able to communicate with each other.

This is the configuration that I have worked out so far.  Please let me know if you see any issues with it that may cause it to not function or function incorrectly.

CORE SERVERS:

! On NX-OS the rd and route-targets are set under "vrf context" itself
! (there is no "ip vrf" on NX-OS). Route-targets only take effect once
! MP-BGP VPNv4 is configured; on their own they do not leak routes.
n7000(config)# vrf context core
n7000(config-vrf)# rd 100:1
n7000(config-vrf)# address-family ipv4 unicast
n7000(config-vrf-af-ipv4)# route-target export 100:1
n7000(config-vrf-af-ipv4)# route-target import 100:2
n7000(config-vrf-af-ipv4)# route-target import 100:3
n7000(config-vrf-af-ipv4)# route-target import 100:4
n7000(config-vrf-af-ipv4)# exit
n7000(config-vrf)# exit
! "vrf member" must come before the address: changing the VRF clears it.
! NX-OS requires a prefix length; /24 is assumed here.
n7000(config)# interface ethernet 1/1
n7000(config-if)# vrf member core
n7000(config-if)# ip address 10.1.1.1/24

Tenant 1

n7000(config)# vrf context tenant1
n7000(config-vrf)# rd 100:2
n7000(config-vrf)# address-family ipv4 unicast
n7000(config-vrf-af-ipv4)# route-target export 100:2
n7000(config-vrf-af-ipv4)# route-target import 100:1
n7000(config-vrf-af-ipv4)# exit
n7000(config-vrf)# exit
n7000(config)# interface ethernet 2/1
n7000(config-if)# vrf member tenant1
n7000(config-if)# ip address 10.2.1.1/24

Tenant 2

n7000(config)# vrf context tenant2
n7000(config-vrf)# rd 100:3
n7000(config-vrf)# address-family ipv4 unicast
n7000(config-vrf-af-ipv4)# route-target export 100:3
n7000(config-vrf-af-ipv4)# route-target import 100:1
n7000(config-vrf-af-ipv4)# exit
n7000(config-vrf)# exit
n7000(config)# interface ethernet 3/1
n7000(config-if)# vrf member tenant2
n7000(config-if)# ip address 10.3.1.1/24

Tenant 3

n7000(config)# vrf context tenant3
n7000(config-vrf)# rd 100:4
n7000(config-vrf)# address-family ipv4 unicast
n7000(config-vrf-af-ipv4)# route-target export 100:4
n7000(config-vrf-af-ipv4)# route-target import 100:1
n7000(config-vrf-af-ipv4)# exit
n7000(config-vrf)# exit
n7000(config)# interface ethernet 4/1
n7000(config-if)# vrf member tenant3
n7000(config-if)# ip address 10.4.1.1/24

Also I have been unable to locate the command to manually set the rd for a vrf.

Thoughts, comments, telling me I am wildly off base...all are appreciated, especially if you have an idea of how to either correct the issue or do it better.

6 Replies

Reza Sharifi
Hall of Fame

"I will be having four separate VDCs and need to configure them as follows"

Just to be clear, the above statement does not match your config.

You have one VDC and within that VDC you have multiple VRFs.

If you put each VRF in a separate VDC, the only way to connect the VDCs together is by physically connecting one port from one VDC to another port in a different VDC. If you are planning to use one VDC and multiple VRFs within that VDC, then your config above should work.

HTH

You are correct.  I forgot to post that.

Tenant 1, 2 & 3 will each have a physical connection to the CORE VDC.

n7000(config)# vdc core
n7000(config-vdc)# end
n7000(config)# vdc tenant1
n7000(config-vdc)# end
n7000(config)# vdc tenant2
n7000(config-vdc)# end
n7000(config)# vdc tenant3
n7000(config-vdc)# end

Will be performed. Each VDC will have two physical connections to the CORE VDC.

Tenant1 to CORE: 1/26 to 1/6 & 2/26 to 2/6
Tenant2 to CORE: 1/34 to 1/5 & 2/34 to 2/5
Tenant3 to CORE: 1/42 to 1/8 & 2/42 to 2/8

Ok, in this case, since you are putting each tenant in a different VDC, you don't need to configure any VRFs. Each VDC is like having a separate switch. Remember, you would need to allocate your ports per VDC and also configure a management interface per VDC.

HTH

Okay.  However if I leave it as just VDCs connected to VDCs, i.e. switch to switch, what is the best way to prevent data from flowing to where it shouldn't?  Would it be through the use of VRFs or the use of ACLs on the ingress and egress ports for each VDC?

Also, I am not sure if it makes a difference or not, but I will be running FabricPath across the data center.

The easiest way to prevent vlan communication is by using ACLs.

HTH
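One way to apply the ACL approach above, as an added example that is not from the thread: because the CORE VDC is the only link between tenant VDCs, an ingress ACL on each CORE-side tenant-facing port that permits only tenant-to-core traffic blocks tenant-to-tenant traffic in both directions. The subnets (10.1.1.0/24 for core, 10.2.1.0/24, 10.3.1.0/24 and 10.4.1.0/24 for the tenants, /24 assumed) and the CORE-side port numbers are taken from the poster's earlier config and cabling list.

```cisco
! Added example (not from the thread). Configured in the CORE VDC.
! Each tenant's traffic is filtered on ingress at the CORE VDC, so a
! Tenant1->Tenant2 packet is dropped at Eth1/6 and the reply would be
! dropped at Eth1/5: neither direction is ever routed.
! If a routing protocol runs across these links, permit it above the
! final deny (for example OSPF to 224.0.0.5/6), or it will be dropped too.

ip access-list TENANT1-IN
  statistics per-entry
  10 permit ip 10.2.1.0/24 10.1.1.0/24
  20 deny ip any any log
ip access-list TENANT2-IN
  statistics per-entry
  10 permit ip 10.3.1.0/24 10.1.1.0/24
  20 deny ip any any log
ip access-list TENANT3-IN
  statistics per-entry
  10 permit ip 10.4.1.0/24 10.1.1.0/24
  20 deny ip any any log

! Apply inbound on the CORE VDC ports facing each tenant VDC
! (CORE-side port numbers from the poster's cabling list)
interface Ethernet1/6
  ip access-group TENANT1-IN in
interface Ethernet2/6
  ip access-group TENANT1-IN in
interface Ethernet1/5
  ip access-group TENANT2-IN in
interface Ethernet2/5
  ip access-group TENANT2-IN in
interface Ethernet1/8
  ip access-group TENANT3-IN in
interface Ethernet2/8
  ip access-group TENANT3-IN in

! Verification while testing: the deny counters should climb when a
! tenant tries to reach another tenant, and stay at zero otherwise.
! show ip access-lists TENANT1-IN
```

Using the tenant prefix rather than "any" as the source also drops packets arriving on a tenant port with another tenant's source address.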

Thanks for the assistance.