vrf lite single rtr

frediegiza
Level 1

Hello Experts

I am trying to segregate two networks using VRF lite with one router and a single WAN connection.

The topology is very small, so I am using "router on a stick".

 

I wish for my two internal networks not to be able to speak to each other, but both should have access to the internet/WAN connection, which is via a single interface.

 

I DON'T wish to use an access-list to accomplish this, but VRF lite if possible. I've tested this in GNS and cannot seem to be able to segregate the two internal networks?

VRF RTR
ip vrf 10
rd 1:10

ip vrf 20
rd 1:20

int fa0/0
description WAN
ip address 30.30.30.1 255.255.255.252

int fa1/0
description LAN
no shut
int fa1/0.10
encap dot 10
ip vrf forwarding 10
ip address 10.10.10.1 255.255.255.0

int fa1/0.20
encap dot 20
ip vrf forwarding 20
ip address 20.20.20.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 fa0/0 30.30.30.2 < default route
ip route vrf 10 0.0.0.0 0.0.0.0 30.30.30.2 global < to tell vrf next hop is via global route table
ip route vrf 20 0.0.0.0 0.0.0.0 30.30.30.2 global < to tell vrf next hop is via global route table
ip route 10.10.10.0 255.255.255.0 fa1/0.10 < to tell route table where to go for vrf subnet
ip route 20.20.20.0 255.255.255.0 fa1/0.20 < to tell route table where to go for vrf subnet

FYI - The WAN rtr has static routes back to the VRF rtr, and all hosts in either internal network can gain access to the WAN; however, at present they can also speak to each other.

cheers
Freedie


 

9 Replies

frediegiza
Level 1

Hiya

Help anyone???

regards
Freddie

Hi

You can isolate subnets using VRF lite. Please correct me if I'm understanding wrong: you want to provide internet access to both subnets using the global default route, is that correct?

It can be done, for example:

ip route vrf A 0.0.0.0 0.0.0.0 <Local Interface connected to Provider> <IP address nexthop/Provider> global

it could be

ip route vrf A 0.0.0.0 0.0.0.0 fa0/0 1.1.1.1 global

ip route vrf B 0.0.0.0 0.0.0.0 fa0/0 1.1.1.1 global

 

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Hello Julio

No, I already have those default VRF static routes applied, and also the routes for the return path from the global route table into each VRF -

 

What I would like to do, if applicable, is to provide internet/WAN access to each VRF (which I already have) but NOT to allow communication between each VRF LAN, WITHOUT using any access-list or PVLANs etc.; otherwise what's the point of the VRFs, as I could just use access-lists to filter instead?


I think I am missing something fairly simple, or I'm not understanding the nature of VRF Lite correctly?

 

regards
Freddie

Hello

Hmm, this has got me.

The static routes applied into the global RIB for your internal networks are, I guess, to allow internet/WAN return traffic; otherwise the VRF rtr would not know about the VRF subnets to route to. But when you do apply them, they allow the VRF subnets to see each other.

 

This is interesting, as it throws up a scenario where, if you share a WAN rtr and a WAN interface with different clients, then you need to segregate their traffic from each other. It can be done via route filtering, but as you said, it will negate having VRFs in the first place.

Maybe others on this forum can share their knowledge on this - I need to think, my head hurts!

res
Paul

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul

That is correct in what you are saying - I would like a solution if possible.

 

Anyone else have any ideas?

Hello experts!
I guess no one is able to provide a solution to this?

Joseph W. Doherty
Hall of Fame
The problem is VRFs using a default route.

Global, to route into each VRF, needs to know each VRF's address space.

If each VRF has a default to global, it will send packets not addressed within the VRF to global, and global, if the packet uses the other VRF's IP space, will forward the packet.

If you restrict VRFs to only obtaining specific global address space, without a default, then the VRFs won't intercommunicate.
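
An added model (mine, not configuration or code from the thread) of the lookups Joseph describes, using the OP's prefixes: a destination that misses the VRF table follows the default into the global RIB, which holds the return-path routes for both VRFs, so the other VRF's subnet is reachable. It goes beyond the thread by also showing what a more specific static route to Null0 in each VRF for the other VRF's prefix does: it wins longest-prefix match over the default, so that traffic is dropped while internet-bound traffic still goes to global.

```python
import ipaddress

# Constructed model of the OP's router: one RIB per VRF plus the global RIB.
# Each entry is (prefix, next_hop); next_hop is an egress interface,
# GLOBAL (repeat the lookup in the global table) or NULL0 (black hole).
GLOBAL = "global"
NULL0 = "Null0"


def build_tables(with_null_routes=False):
    tables = {
        "global": [
            ("0.0.0.0/0", "fa0/0"),         # default towards the WAN rtr 30.30.30.2
            ("10.10.10.0/24", "fa1/0.10"),  # return path into VRF 10
            ("20.20.20.0/24", "fa1/0.20"),  # return path into VRF 20
        ],
        "10": [
            ("10.10.10.0/24", "fa1/0.10"),  # connected
            ("0.0.0.0/0", GLOBAL),          # ip route vrf 10 0.0.0.0 0.0.0.0 ... global
        ],
        "20": [
            ("20.20.20.0/24", "fa1/0.20"),
            ("0.0.0.0/0", GLOBAL),
        ],
    }
    if with_null_routes:  # assumed extension, not discussed in the thread
        tables["10"].append(("20.20.20.0/24", NULL0))
        tables["20"].append(("10.10.10.0/24", NULL0))
    return tables


def lookup(table, dst):
    """Longest-prefix match within one RIB; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forward(tables, vrf, dst):
    """Egress interface for a packet to dst that arrived in vrf, or 'drop'."""
    nh = lookup(tables[vrf], dst)
    if nh == GLOBAL:  # VRF default pointing at global: second lookup there
        nh = lookup(tables["global"], dst)
    return "drop" if nh in (None, NULL0) else nh


if __name__ == "__main__":
    for null_routes in (False, True):
        t = build_tables(null_routes)
        print("null routes:", null_routes,
              "VRF10->20.20.20.5:", forward(t, "10", "20.20.20.5"),
              "VRF10->203.0.113.9:", forward(t, "10", "203.0.113.9"))
```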

Hello Joseph


@Joseph W. Doherty wrote:
The problem is VRFs using a default route.

Global, to route into each VRF, needs to know each VRF's address space.

If each VRF has a default to global, it will send packets not addressed within the VRF to global, and global, if the packet uses the other VRF's IP space, will forward the packet.

If you restrict VRFs to only obtaining specific global address space, without a default, then the VRFs won't intercommunicate.

 

So by design this cannot be accomplished using VRF lite - having two separate networks on the same router sharing the same WAN interface/IP, which are both using default routes to the WAN, unless that is I use filtering?

Freddie

I would say so.

Same issue if you used full VRF or a routing protocol or protocols controlling their route distribution.