04-19-2010 09:31 PM - last edited on 03-09-2022 10:50 PM by smallbusiness
Hi All,
I am looking at emulating a system similar to the following using VRF-lite on a 3750. Please see the attached diagram.
To explain:
1) The hosts share "Virtual IP addresses" and announce which ones they have to the upstream routers, then on up to the firewall and the rest of the network. These routers are responsible for informing the firewall so it knows the precise path to any VIP. Any VIP could be on any host at any time.
2) There are always two paths to each host. Each interface on each host is in a small subnet with the router interface it is connected to.
3) The routers and hosts are geographically separate. The firewall joins them together.
The whole idea is to ensure there is always a path to the VIPs, and that there is at least always one path to any host.
Basically, this is an emulation of a redundant pair of layer 3 switches at each site.
What I want to try and do is create this inside a single layer 3 switch for testing and development purposes.
I would imagine that to do this would require say 4 VRFs, two for each site, each one running BGP to communicate with the hosts and EIGRP to communicate with the firewall (needed because it doesn't support BGP, go figure).
I have a stack of 3750s in the network that can accomplish this. They are however production and I would not want to play around with them until I have a plausible plan documented.
Can someone please look over this and let me know if it is plausible, and any apparent pitfalls?
I understand it is a crazy scenario, but I am stuck with it.
Cheers
04-19-2010 10:39 PM
Hello John,
Generally speaking, doing testing on a production network is not recommended.
In this specific case the use of 4 VRFs can emulate the presence of 4 VRFs on 4 different PE nodes, with the only difference that all the BGP activity is confined to the single node.
The capability to interconnect different VRFs requires the import and export of multiple route targets.
ip vrf VRFA
 rd 100:1
 route-target export 100:101
 route-target import 100:101
 ! import the routes exported by the other VRFs
 route-target import 100:102
 route-target import 100:103
 route-target import 100:104
!
ip vrf VRFB
 rd 100:2
 route-target export 100:102
 route-target import 100:102
 ! import the routes exported by the other VRFs
 route-target import 100:101
 route-target import 100:103
 route-target import 100:104
!
and so on
under BGP an address-family for each VRF is needed
router bgp 100
 address-family ipv4 vrf VRFA
  redistribute connected
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf VRFB
  redistribute connected
  no auto-summary
 exit-address-family
 !
and so on
Notice that you need an appropriate feature set to support VRF-lite, and also the SDM template may need to be changed.
>> To use multi-VRF CE, you must have the IP services image installed on your switch.
A Catalyst 3750 switch supports one global network and up to 26 VRFs.
So even if, by its technology properties, VRF-lite can be zero-impact, the need for example for an IOS upgrade or the need to change the SDM template both require a reload.
Hope to help
Giuseppe
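As an added example, not configuration posted by Giuseppe or John, the following shows what site 1 of John's emulation could look like on one 3750: two VRFs stand in for the two site routers, each with a /30 leg to a host (BGP, where the VIPs are learned) and a /30 leg to the firewall (EIGRP, because the firewall has no BGP). Site 2 repeats the same pattern with its own VRFs, VLANs and subnets. Giuseppe's route-target mesh is deliberately left out so each VRF stays as isolated as a separate router would be and all inter-site forwarding goes through the firewall, which is what the original design relies on; add his route-target imports if you want the switch to leak routes between the VRFs directly. All VLAN IDs, IP addresses, AS numbers, the EIGRP process number and the VIP range 192.0.2.0/24 are assumptions.

```cisco
! Added example (not from this thread): site 1 of the emulation on one 3750.
! Two VRFs emulate the two routers at site 1. VLAN IDs, addresses, AS numbers
! and the VIP range 192.0.2.0/24 are assumptions.
ip vrf SITE1_A
 rd 65001:11
!
ip vrf SITE1_B
 rd 65001:12
!
! Accept only host routes from the VIP range from a host; anything else it
! announces (a default, a random prefix) is dropped at the session.
ip prefix-list VIPS-IN seq 5 permit 192.0.2.0/24 ge 32
!
! Host 1 has one leg into each "router"; each leg is a /30 with the SVI.
interface Vlan111
 description host1 eth0 to SITE1_A
 ip vrf forwarding SITE1_A
 ip address 10.1.11.1 255.255.255.252
!
interface Vlan112
 description host1 eth1 to SITE1_B
 ip vrf forwarding SITE1_B
 ip address 10.1.12.1 255.255.255.252
!
! One leg per VRF towards the firewall, which only speaks EIGRP.
interface Vlan911
 description firewall leg of SITE1_A
 ip vrf forwarding SITE1_A
 ip address 10.9.11.1 255.255.255.252
!
interface Vlan912
 description firewall leg of SITE1_B
 ip vrf forwarding SITE1_B
 ip address 10.9.12.1 255.255.255.252
!
! BGP towards the hosts: one address-family per VRF; the VIPs are learned here.
router bgp 65001
 address-family ipv4 vrf SITE1_A
  neighbor 10.1.11.2 remote-as 65101
  neighbor 10.1.11.2 activate
  neighbor 10.1.11.2 prefix-list VIPS-IN in
  redistribute eigrp 1
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf SITE1_B
  neighbor 10.1.12.2 remote-as 65101
  neighbor 10.1.12.2 activate
  neighbor 10.1.12.2 prefix-list VIPS-IN in
  redistribute eigrp 1
  no auto-summary
 exit-address-family
!
! EIGRP towards the firewall: hands it the VIPs learned over BGP, so the
! firewall knows which "router" currently reaches each VIP. When a host
! withdraws a VIP on one leg, only the other VRF keeps announcing it.
router eigrp 1
 address-family ipv4 vrf SITE1_A
  autonomous-system 1
  network 10.9.11.0 0.0.0.3
  redistribute bgp 65001 metric 100000 100 255 1 1500
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf SITE1_B
  autonomous-system 1
  network 10.9.12.0 0.0.0.3
  redistribute bgp 65001 metric 100000 100 255 1 1500
  no auto-summary
 exit-address-family
```

Before touching a production stack, confirm the image and template with `show version` and `show sdm prefer` (the reload Giuseppe mentions happens here), then check each VRF separately with `show ip bgp vpnv4 vrf SITE1_A summary`, `show ip eigrp vrf SITE1_A neighbors` and `show ip route vrf SITE1_A`: a VIP should appear in exactly the VRFs whose host leg is currently announcing it, and shutting one host VLAN should leave the other VRF's path intact.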
04-19-2010 11:14 PM
Thanks Giuseppe,
I guess what I wasn't clear on is our Production Network supports hosts and systems that are mostly used for testing and development. We (I) created an emulation of the required structure using a Linux host, but during load testing the host becomes unstable, impacting delivery timelines. As we cannot afford (space as well as financial reasons) to purchase and install 4 routers in the network, I am hoping to be able to accomplish this in our existing network.
Thanks for your response, it is quite enlightening. We are running universal IOS, not IP services, so it looks like a small outage on the core switches.
Cheers