VRF on 3560

Muzzamil Hussain · ‎05-07-2012

hello all:

I have the folowing setup:

•1. Cisco 3560 x1
•2. Cisco 2960 x2
•3. Juniper SSG 140

And I have 4 environments:

•1. DR_UAT_AIX
•2. DR_DEV_AIX
•3. DR_UAT_WIN
•4. DR_DEV_WIN

Accordingly I configured 4 VRFs as shown in the Attached pictures:

•1. VRF: AIX UAT
•2. VRF: AIX_DEV
•3. VRF: WIN_UAT
•4. VRF: WIN_DEV

Moreover I’ve configured 4 Pcs as follow:

NAME IP/CIDR GATEWAY

PCS1 172.19.1.100/24 172.19.1.241

PCS2 172.19.8.100/24 172.19.8.241

PCS3 172.19.16.100/24 172.19.16.241

PCS4 172.19.24.100/24 172.19.24.241

The aim of the setup is to isolate each environment from the others and have full control of the subnet

E.g. someone from VRF: AIX UAT can access any vlan within his VRF but if he want to access any other vlan out of his VRF he will not be able to do so and the routing to be provided by the FW SSG140

I am attaching the config for the same I’ve done in GNS3

The thing is each of the PCS is able to ping his gateway and other vlan interfaces in his own VRF but when i came to pinging other VLANS interfaces it should be routed through the FW (which is just a router in my lab configured with 802.1Q and sub interfaces connected to SW01 through trunk)

Pig Examples:

PC1> ping 172.19.1.241

172.19.1.241 icmp_seq=1 ttl=255 time=19.000 ms

!

PC1> ping 172.19.2.241

172.19.2.241 icmp_seq=1 ttl=255 time=42.000 ms

!

Ping is successful for all the members of the VRF a

!

Here we are crossing to the second VRF members so ping is getting drops :

PC1> ping 172.19.8.241

*172.19.1.241 icmp_seq=1 ttl=255 time=22.000 ms (ICMP type:3, code:1, Destination host unreachable)

!

PC1> ping 172.19.16.241

*172.19.1.241 icmp_seq=1 ttl=255 time=4289347.296 ms (ICMP type:3, code:1, Destination host unreachable)

!

PC1> ping 172.19.24.241

*172.19.1.241 icmp_seq=1 ttl=255 time=4289053.296 ms (ICMP type:3, code:1, Destination host unreachable)172.1

Here is a trace route from PC1 to unreachable VRF IPs:

PC1 tracert 172.19.8.241

traceroute to 172.19.8.241, 64 hops max, press Ctrl+C to stop

1 *172.19.1.241 3968903.296 ms (ICMP type:3, code:1, Destination host unreachable)

And all are the same for the rest of the PCs

one last thing:

below is PING from SW01 to FW01 and as you can see its not working

W01#ping 172.19.8.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.8.254, timeout is 2 seconds:

...

Success rate is 0 percent (0/3)

SW01#ping 172.19.1.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.1.254, timeout is 2 seconds:

..

Success rate is 0 percent (0/2)

also i am attaching the running config of all the devices, please let me know how can i route all the vlans and make this work

Muzzamil Hussain · ‎07-31-2012

wow

2 month and no ANSWER ? :'(

Edison Ortiz · ‎07-31-2012

one last thing:

below is PING from SW01 to FW01 and as you can see its not working

W01#ping 172.19.8.254

Success rate is 0 percent (0/3)

SW01#ping 172.19.1.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.1.254, timeout is 2 seconds:

..

Success rate is 0 percent (0/2)

Try:

ping vrf AIX_DEV 172.19.8.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.8.254, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 4/25/52 ms

ping vrf AIX_UAT 172.19.1.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.1.254, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 4/36/68 ms

You need to include the VRF when pinging from a VRF interface, omitting this value will force the router to use the global routing table.

As far as your other problem, each VRF must have a route to the other subnets pointing to the FW.

If you inspect each VRF on SW01, you will see only has routes for that VRF. How would it know to respond to packets from other VRFs?