Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7173
Views
0
Helpful
2
Replies

VRF on switchports

Go to solution
seegomaa
Level 1
Level 1

‎06-14-2015 05:27 AM - edited ‎03-08-2019 12:32 AM

Hi All,

  My customer is  having two networks terminated on one 6500. He wants to isolate these two network from each other. He was thinking in  creating two VRFs but the  quiestion is hwo we can do this on ports configured as L2 ?. 

If VRF can't be configured on L2 ports what are other solutions he can use ? 

 

Thank you 

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rasmus Kiilerich
Level 1
Level 1

‎06-14-2015 09:24 AM

Hi

VRFs are to be considered as separate routing tables (Layer 3) on the same device.

It might be part of your solution to separate to networks but you properly also need to consider VLA or even private VLAN.

 

Switch(config)#ip vrf Network1
Switch(config-vrf)#rd 11:22
Switch(config)#ip vrf Network2
Switch(config-vrf)#rd 33:44

Switch(config)#vlan 100
Switch(config-vlan)#name Network1vlan100 
Switch(config)#vlan 120
Switch(config-vlan)#name Network1vlan120 
Switch(config)#vlan 200
Switch(config-vlan)#name Network1vlan200 
Switch(config)#vlan 220
Switch(config-vlan)#name Network1vlan220 

Switch(config)#Interface vlan 100
Switch(config-if)#ip vrf forwarding Network1
Switch(config-if)#ip address 100.100.100.254 255.255.255.0

Switch(config)#Interface vlan 120
Switch(config-if)#ip vrf forwarding Network1
Switch(config-if)#ip address 120.120.120.254 255.255.255.0

Switch(config)#Interface vlan 200
Switch(config-if)#ip vrf forwarding Network2
Switch(config-if)#ip address 200.200.200. 255.255.255.0

Switch(config)#Interface vlan 220
Switch(config-if)#ip vrf forwarding Network2
Switch(config-if)#ip address 220.220.220.254 255.255.255.0

Switch(config)#Interface gigabitethernet 2/1
Switch(config-if)#description "VLAN 100 for Network1"
Switch(config-if)#switchport access vlan 100

Switch(config)#Interface gigabitethernet 2/2
Switch(config-if)#description "VLAN 120 for Network1"
Switch(config-if)#switchport access vlan 120

Switch(config)#Interface gigabitethernet 3/1
Switch(config-if)#description "VLAN 200 for Network1"
Switch(config-if)#switchport access vlan 200

Switch(config)#Interface gigabitethernet 2/2
Switch(config-if)#description "VLAN 220 for Network1"
Switch(config-if)#switchport access vlan 220

ip route vrf Network1 0.0.0.0 0.0.0.0 100.100.100.1
ip route vrf Network2 0.0.0.0 0.0.0.0 200.200.200.1

View solution in original post

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎06-15-2015 05:24 AM

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If the two sets of ports are in different VLANs, then they are isolated.  However, if the two VLANs have SVIs, on the same device, by default a 6500 will route between them as connected networks.  To preclude the latter, you could place the SVIs into different VRFs.

Depending on how you want to isolate the two networks, other options might be to use ACLs or private VLANs.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rasmus Kiilerich
Level 1
Level 1

‎06-14-2015 09:24 AM

Hi

VRFs are to be considered as separate routing tables (Layer 3) on the same device.

It might be part of your solution to separate to networks but you properly also need to consider VLA or even private VLAN.

 

Switch(config)#ip vrf Network1
Switch(config-vrf)#rd 11:22
Switch(config)#ip vrf Network2
Switch(config-vrf)#rd 33:44

Switch(config)#vlan 100
Switch(config-vlan)#name Network1vlan100 
Switch(config)#vlan 120
Switch(config-vlan)#name Network1vlan120 
Switch(config)#vlan 200
Switch(config-vlan)#name Network1vlan200 
Switch(config)#vlan 220
Switch(config-vlan)#name Network1vlan220 

Switch(config)#Interface vlan 100
Switch(config-if)#ip vrf forwarding Network1
Switch(config-if)#ip address 100.100.100.254 255.255.255.0

Switch(config)#Interface vlan 120
Switch(config-if)#ip vrf forwarding Network1
Switch(config-if)#ip address 120.120.120.254 255.255.255.0

Switch(config)#Interface vlan 200
Switch(config-if)#ip vrf forwarding Network2
Switch(config-if)#ip address 200.200.200. 255.255.255.0

Switch(config)#Interface vlan 220
Switch(config-if)#ip vrf forwarding Network2
Switch(config-if)#ip address 220.220.220.254 255.255.255.0

Switch(config)#Interface gigabitethernet 2/1
Switch(config-if)#description "VLAN 100 for Network1"
Switch(config-if)#switchport access vlan 100

Switch(config)#Interface gigabitethernet 2/2
Switch(config-if)#description "VLAN 120 for Network1"
Switch(config-if)#switchport access vlan 120

Switch(config)#Interface gigabitethernet 3/1
Switch(config-if)#description "VLAN 200 for Network1"
Switch(config-if)#switchport access vlan 200

Switch(config)#Interface gigabitethernet 2/2
Switch(config-if)#description "VLAN 220 for Network1"
Switch(config-if)#switchport access vlan 220

ip route vrf Network1 0.0.0.0 0.0.0.0 100.100.100.1
ip route vrf Network2 0.0.0.0 0.0.0.0 200.200.200.1

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎06-15-2015 05:24 AM

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If the two sets of ports are in different VLANs, then they are isolated.  However, if the two VLANs have SVIs, on the same device, by default a 6500 will route between them as connected networks.  To preclude the latter, you could place the SVIs into different VRFs.

Depending on how you want to isolate the two networks, other options might be to use ACLs or private VLANs.

0 Helpful
Customers Also Viewed These Support Documents