cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1117
Views
0
Helpful
5
Replies

VRF-Lite how-to-do

alain-bhend
Level 1
Level 1

Hello altogether,


I have an design issue with VRF-Lite but I'm not really familiary with this topic.
Please see the attached schematic layout.


I have two companies with different subnets. Both companies must be able to communicate among each other via the Core.

If they will communicate with other companies then they pass via the PE Router.
In this case there are some given facts:
- I must split this two companies in two different VRFs.
- The traffic from red subnets has first to pass the Firewall on Core A because their source IP's will be NATed.
- The blue subnets can be routed directly to the PE

Now my questions:
- Is there a possibility to define on the Coreswitch A which subnet belong to which VRF?
- If yes, any idea how I can do this?
- If no, any idea how I can do this whitout rising the complexity?

Many thanks for your tips and ideas.

Regards,
Alain

1 Accepted Solution

Accepted Solutions

Mahesh Gohil
Level 7
Level 7

Hi alain,

From the description given by you below is the higher level design

                      --------CompanyA

PE---Switch A

                      --------CompanyB

If your requiremt is

1- Keep traffic from both company separate

2- Inter communication between them should be via. PE.

If so you can create three vrf

1- vrf companyA: MESH with companyA subnets

2- vrf companyB: MESH with companyB subnets

3- Core vrf For inter communication: Hub-spoke between core and companyA/B

So you will configure link between PE and SwitchA as part of Core vrf where you will import routes from both companies. And from switch A to company A will be one vrf and other link of other vrf.

Apart from above there is need for default route at companyA and CompanyB to reach to PE for communication with company B and company A.

This is like higher level design. Things are different if we go step by step config.

Please feel free to put query.

Regards

Mahesh

View solution in original post

5 Replies 5

Mahesh Gohil
Level 7
Level 7

Hi alain,

From the description given by you below is the higher level design

                      --------CompanyA

PE---Switch A

                      --------CompanyB

If your requiremt is

1- Keep traffic from both company separate

2- Inter communication between them should be via. PE.

If so you can create three vrf

1- vrf companyA: MESH with companyA subnets

2- vrf companyB: MESH with companyB subnets

3- Core vrf For inter communication: Hub-spoke between core and companyA/B

So you will configure link between PE and SwitchA as part of Core vrf where you will import routes from both companies. And from switch A to company A will be one vrf and other link of other vrf.

Apart from above there is need for default route at companyA and CompanyB to reach to PE for communication with company B and company A.

This is like higher level design. Things are different if we go step by step config.

Please feel free to put query.

Regards

Mahesh

Hello Mahesh,

Unfortunately the VRFs terminates at the other end of the cloud. So I have no Layer3 interconnection between the the VRFs on the PE at my side and the PE is managed by third company and they will have only two VRFs.

Therefore the plan is to interconnect the company A and company B in our Core. They will define then on the firewalls which traffic is allowed and which traffic will be droped.

Do you think it would be a good solution if I put an additional Router between my core and the PE. On this additional Router I define the VRFs and then I forward this two VRFs to the PE?

I heard that with MPLS VRF it's possible to define based on the source, which subnet will be added to which VRF. Do you know if with VRF-Lite this is also possible?

Regards,

Alain

Hi alain,

Hmmm.

Unfortunately the VRFs terminates at the other end of the cloud. So I have no Layer3 interconnection between the the VRFs on the PE at my side and the PE is managed by third company and they will have only two VRFs

Can you please rephrase the above statement.  I can see two vrf extended from PE to the switch A which is conflicting with above statement.

and one more

which subnet will be added to which VRF

are you telling something about importing subnets from global table to vrf table ? If so it is

possible with vrf import ipv4 map which is part of mpls vrf along with BGP..

anyway if you put more clarity on l2/l3 connectivity we can have more focus on how to achieve this

Regards

Mahesh

danrya
Level 1
Level 1

This is confusing me a bit.  Your saying that traffic from Customer B can be sent directly to the provider, but Customer B has a firewall.  Where will the "inter-company" Firewall rules be located?  Only on the company A firewall?  If so, then Company A will be able to access anything on Company B's network without restriction.  I think that all traffic should be routed to the firewalls for both companies so that they both have "control" over traffic.

But if not, then you only need two VRF's.

VRF 1 would include all Customer B networks and the "outside" interface of Company A's firewall and both VRF interfaces from the PE.

VRF 2 would include all Customer A networks and the "inside" interface of Company A's firewall.

Again, this will allow Company A to control access between the two companies, and Company B would be "wide open".  The other option is to have three VRF's.

VRF 1 would include both PE links and the "outside" interface of both Company A's firewall and company B's firewall.

VRF 2 would include all Customer A networks and the "inside" interface of Company A's firewall.

VRF 3 would include all Customer B networks and the "inside" interface of Company B's firewall.

With this config, all traffic is required to pass through the firewalls.  To create a "local" or VRF-lite VRF on the switch, you can use "ip vrf xxxx".  And you assign it to an interface with the "ip vrf forwarding xxxx" command.

Dan

Hello Mahesh and Dan,

Many thanks for your replies.

I know it's a little confusing.

The first idea was that the VRFs on the PE are only Layer2 (not routing instance on the PE) and ends at the other side of the cloud on Layer3.

Yesterday I had a very loooooong discussion with the Provider.

One of the results is that the VRFs ends on the PE on Layer3 and the Provider agree to have more than two VRFs. That means that for the interconnection between the two companies I can use additional VRFs and therefore I can use the setup that Mahesh mentioned in his first posting.

Does someone can recommends a good documentation or a Book which describes the theme of VRF-Lite and which can be helpful when designing and implementing VRF-Lite?

Many thanks.

Regards,

Alain

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: