VRF SVI to Global SVI Routing

Vishal Kolamkar
Level 1

Hi,

We have created a DMZ zone for servers with VRF DMZ, subnet 192.168.100.0/24, on SVI 400 as below:

int vlan400
 ip vrf forwarding DMZ
 ip add 192.168.100.1 255.255.255.0

For user traffic we have the default data VLAN 2 with subnet 10.180.2.0/24 as below:

int vlan2
 ip add 10.180.2.1 255.255.255.0

This setup was perfect till now. Now we have a requirement for a user on VLAN 2 who wants to communicate with one of the DMZ servers, 192.168.100.50, which is in the DMZ zone. Is this communication possible on the same switch between global SVI 2 & DMZ SVI 400?

I can't leak the routes as there is no RD/RT in the global table :) How to achieve this locally on the switch using SVIs & static routes? I was thinking of creating a Loopback0 in global which will be used as a next hop for global VLAN 2 & DMZ VLAN 400.

Please suggest; this is a 6500 switch collapsed core, we have SVI-based routing only.

3 Replies

Francesco Molino
VIP Alumni

Hi

What you want to achieve is called route leaking.

You can do it by using BGP with other dynamic protocols (EIGRP/OSPF) with import/export, or by using static routes.

Based on your input, static routes should be OK and easier.

Let's say that users want to access a DMZ server with IP 192.168.100.3.

The config would look like:

ip route 192.168.100.3 255.255.255.255 vlan 400
ip route vrf DMZ 10.180.2.0 255.255.255.0 10.180.2.1 global

All users will be able to ping your server 192.168.100.3.

Just a piece of advice: don't do a static route for the whole subnet, in order to keep the security and not allow users to reach all hosts on the DMZ VRF, except if you have a firewall behind that filters, but in that case the VRF would be useless.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

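As an added example (not from the thread), a small Python audit of a candidate config that applies the advice above: it lists every static route crossing the global/VRF boundary, flags any global-to-VRF leak wider than a single host, and reports a leaked VRF that has no return route to global. The sample config is constructed from the SVIs in the question plus the two leak routes in this reply.

```python
"""Audit IOS static-route leaks between the global table and a VRF (added example).
Flags a global->VRF leak wider than one host and a VRF with no 'global' return route."""
import ipaddress
import re
# Constructed sample from the thread's SVIs: a /32 leak (good), a whole-subnet leak, a return route.
SAMPLE_CONFIG = """\
interface Vlan400
 ip vrf forwarding DMZ
 ip address 192.168.100.1 255.255.255.0
interface Vlan2
 ip address 10.180.2.1 255.255.255.0
ip route 192.168.100.3 255.255.255.255 Vlan400
ip route 192.168.100.0 255.255.255.0 Vlan400
ip route vrf DMZ 10.180.2.0 255.255.255.0 10.180.2.1 global
"""

ROUTE_RE = re.compile(r"ip route(?: vrf (?P<vrf>\S+))? (?P<net>\S+) (?P<mask>\S+)"
                      r" (?P<nh>\S+)(?P<glob> global)?")

def vrf_interfaces(config):
    """Map lower-cased interface name -> VRF name from 'ip vrf forwarding' lines."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1).lower()
        elif (m := re.match(r"\s+ip vrf forwarding (\S+)", line)) and current:
            vrfs[current] = m.group(1)
    return vrfs

def audit_leaks(config):
    """Return (direction, prefix, verdict) for each static route crossing a VRF boundary."""
    vrfs = vrf_interfaces(config)
    findings, return_vrfs = [], set()
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}")
        target = vrfs.get(m["nh"].lower())       # next hop is an SVI that sits in a VRF?
        if m["vrf"] is None and target:          # global -> VRF leak via that SVI
            verdict = "host-only" if net.prefixlen == net.max_prefixlen else "whole-subnet-exposed"
            findings.append((f"global->{target}", str(net), verdict))
        elif m["vrf"] and m["glob"]:             # VRF -> global return route
            return_vrfs.add(m["vrf"])
            findings.append((f"{m['vrf']}->global", str(net), "return-path"))
    for direction, net, _ in list(findings):     # every leak into a VRF needs a way back
        if direction.startswith("global->") and direction[len("global->"):] not in return_vrfs:
            findings.append((direction, net, "missing-return-route"))
    return findings
```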

Hi,

This is not working on local SVIs.

ip route vrf DMZ 10.180.2.0 255.255.255.0 10.180.2.1 global --- fails, throws error: nexthop is local to router for VPNs

This approach will work for next-hop routers, not on a collapsed core as we have.

Please suggest further; thanks for the useful info.

Regards,

Vishal

Hi

It's not working on the device you're using. You have a Catalyst switch?

What is your design?

You can try the same command, except that you specify the interface instead of the next-hop IP and without the global keyword. I'm quite sure it won't work.

If you don't have a next hop to specify using static routes, then you will need to do it using BGP; I don't have other solutions. Those are the 2 solutions I'm playing with every day.

Sorry. Let me know your design and maybe I can find another solution for you.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question
