VRF Lite Routing

Simon Young

I would like some advice on how I might limit traffic visibility within a datacentre environment.

My basic topology is as follows:

I would like to be able to do the following

1. Ensure that traffic in the blue vlans can communicate with one another without going via the Palo Alto firewall

2. Ensure that traffic in the red vlans must go through the firewall for all communications and not touch the blue

3. Connections external to the firewall must be able to reach all vlans

 

I believe that VRFs will allow me to segregate my traffic. The Nexus switches I have support VRF lite

I would like my firewall to peer with both switches using OSPF and be aware of all routes from both VRFs.

How do I achieve this? Do I create 2 VRFs as stated and add my interfaces connected to the servers, blades etc. to the relevant VRF?

Then how do I get both VRF routing table instances into the Palo Alto's routing table?

 

Thanks in advance.

 

 

 


Jon Marshall

Can you just clarify a few points:

1) Are there multiple blue vlans which you want to be able to route between on the Nexus switches?

2) Are there multiple red vlans, and if so does each red vlan have to go via the firewall to get to any other vlan, including any other red vlans?

3) I am not familiar with your firewalls, but can you confirm whether they support subinterfaces?

Jon

 

Hi Jon

1. Yes there would be multiple blue vlans, routing between each other

2. Multiple reds as well with all needing firewall as gateway

3. Subinterfaces are supported on the firewall

Simon

Really sorry to be so pedantic but I am trying to work out whether you need VRFs or not.

For the red vlans, can they route between each other freely, or does each red vlan need to have its gateway on the firewall, i.e. even red to another red vlan traffic has to go via the firewall?

I suspect you have answered it but it's just not entirely clear and I don't want to give you bad information.

Also, I should have asked, are there any other vlans other than the ones you have mentioned?

Jon

Hi Jon

After some discussion with my infrastructure team, the design is more likely to be as follows:

So red must go through the firewall

Blue can talk to blue but not green

Green to green but no blue

 

This probably changes what you were thinking. I am assuming trunks to the firewalls, subinterfaces for red vlans, and blue vlans having SVIs on the switches.

The green VLAN group would break this model, as would any additional vlans that follow.

So does this confirm VRFs, and if this is the case, how would I get all routes up to the firewall? Do I need to export the VRF tables into the global routing table on the firewall?

Thanks

 

Simon

Now you have added green then yes, you need VRFs, although before I didn't think you had to.

You will need subinterfaces on the firewall, but you do not need to export routes, unless I am misunderstanding, because the firewall will route between the different VRFs.

But I am still not clear exactly what can talk to what, i.e.:

Blue vlans can talk amongst themselves, so they need SVIs on the Nexus placed into the same VRF and then a subinterface on the firewall.

Green vlans the same, assuming you have multiple vlans.

For the red vlans you still haven't answered my question, i.e. if even traffic between one red vlan and another red vlan is meant to go via the firewall, then there is no need for SVIs on the Nexus switches; you simply extend the vlans to the firewall subinterfaces.

As I say, there is no need, at least as far as I can see, to import or export any VRF routes, i.e. you simply control traffic between the different groups of vlans via the firewall.

Does this make sense ?

Jon

 

Red would need to go through the firewall as per your suggestion.

So I just need to create my VRFs, add the interfaces to the VRFs, and apply an IP address.

Then I create a subinterface on the firewall.

Peer the firewall subinterface and the VRF interface with OSPF (blue, green).

Red will be on the firewall anyway, so acting more like layer 2.

Thanks again for your responses

Yes exactly.

Any traffic between VRFs, if needed, goes via the firewalls, and the red vlans don't need a VRF because their L3 interfaces are on the firewall anyway.

The only thing to consider is whether in future you want traffic between the VRFs to go direct on the Nexus switches because of potential bottleneck issues on the firewall, but you can always then do route import and export to allow this.

But at the moment based on your description there doesn't seem to be a need for this.

Jon
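The design agreed in the thread (blue and green SVIs in separate VRFs on the Nexus, red VLANs extended at layer 2 to firewall subinterfaces, one OSPF adjacency per VRF with the firewall and no route leaking between VRFs) sketched as an NX-OS VRF-lite configuration. This is an added example written for this page, not configuration from either participant; every VLAN id, VRF name, address, OSPF process tag, uplink interface and the use of a dedicated transit VLAN per VRF for the firewall peering are assumptions, and the Palo Alto side is not shown.

```cisco
! Added example: NX-OS VRF-lite sketch of the design agreed in this thread.
! All VLAN ids, VRF names, addresses, OSPF tags and the uplink interface are
! assumed values chosen for illustration; they are not from the thread.
feature interface-vlan
feature ospf

vrf context BLUE
vrf context GREEN

! Blue VLANs: SVIs on the Nexus, all in VRF BLUE, so blue-to-blue routing
! stays on the switch and never reaches the firewall.
vlan 10-11
interface Vlan10
  vrf member BLUE
  ip address 10.10.10.1/24
  ip router ospf BLUE area 0.0.0.0
  no shutdown
interface Vlan11
  vrf member BLUE
  ip address 10.10.11.1/24
  ip router ospf BLUE area 0.0.0.0
  no shutdown

! Green VLANs: same pattern in a separate VRF, so green cannot reach blue
! on the switch; the only path between the two VRFs is the firewall.
vlan 20
interface Vlan20
  vrf member GREEN
  ip address 10.20.20.1/24
  ip router ospf GREEN area 0.0.0.0
  no shutdown

! Red VLANs: layer 2 only on the Nexus (deliberately no SVI). Their gateways
! are firewall subinterfaces, so even red-to-red traffic crosses the firewall.
vlan 30-31

! Assumed transit VLANs, one per VRF, carrying the OSPF adjacency to the
! firewall subinterface for that VRF. The trunk also carries the red VLANs.
vlan 100,200
interface Ethernet1/1
  description trunk-to-firewall (assumed uplink)
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 30-31,100,200

interface Vlan100
  vrf member BLUE
  ip address 10.100.0.2/29
  ip router ospf BLUE area 0.0.0.0
  no shutdown
interface Vlan200
  vrf member GREEN
  ip address 10.200.0.2/29
  ip router ospf GREEN area 0.0.0.0
  no shutdown

! One OSPF process per VRF. No import/export between VRFs is configured,
! matching the thread: inter-VRF reachability exists only via the firewall.
router ospf BLUE
  vrf BLUE
    router-id 10.100.0.2
router ospf GREEN
  vrf GREEN
    router-id 10.200.0.2
```

To confirm the separation holds, `show ip route vrf BLUE` should list only the blue SVIs, the transit subnet and whatever the firewall advertises into that adjacency, and `show ip route vrf GREEN` likewise for green; neither table should contain the other VRF's SVI subnets, and `show ip ospf neighbors vrf BLUE` / `show ip ospf neighbors vrf GREEN` should each show exactly one adjacency to the firewall subinterface in that VRF. If a red-to-red ping later succeeds without appearing in the firewall logs, check that no SVI was accidentally created for a red VLAN.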