06-28-2016 02:41 PM - edited 03-08-2019 06:24 AM
Hi,
We have created a DMZ zone for servers using VRF DMZ with subnet 192.168.100.0/24 on SVI 400, as below:
int vlan400
ip vrf forwarding DMZ
ip add 192.168.100.1 255.255.255.0
For user traffic we have the default data VLAN 2 with subnet 10.180.2.0/24, as below:
int vlan2
ip add 10.180.2.1 255.255.255.0
This setup was perfect till now. Now we have a requirement for a user on VLAN 2 who wants to communicate with one of the DMZ servers, 192.168.100.50, which is in the DMZ zone. Is this communication possible on the same switch between global SVI 2 and DMZ SVI 400?
I can't leak the routes as there is no RD/RT in the global table :) How to achieve this locally on the switch using SVIs and static routes? I was thinking of creating a Loopback0 in global which will be used as the next hop for global VLAN 2 and DMZ VLAN 400.
Please suggest; this is a 6500 switch collapsed core, we have SVI-based routing only.
06-28-2016 05:56 PM
Hi
What you want to achieve is called route leaking.
You can do it by using BGP with other dynamic protocols (EIGRP/OSPF) with import/export, or by using static routes.
Based on your input, static routes should be OK and easier.
Let's say that users want to access a DMZ server with IP 192.168.100.3.
The config would look like:
ip route 192.168.100.3 255.255.255.255 vlan 400
ip route vrf DMZ 10.180.2.0 255.255.255.0 10.180.2.1 global
All users will be able to ping your server 192.168.100.3.
Just a piece of advice: don't do a static route for the whole subnet, in order to keep the security of not allowing users to reach all hosts in the DMZ VRF, except if you have a firewall behind it that filters, but in that case the VRF would be useless.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
06-29-2016 02:27 PM
Hi,
This is not working on local SVIs.
ip route vrf DMZ 10.180.2.0 255.255.255.0 10.180.2.1 global --- fails, throws the error "next hop is local to router for VPNs".
This approach will work for next-hop routers, not on a collapsed core like we have.
Please suggest further; thanks for the useful info.
Regards,
Vishal
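The two things worth checking in a config like this are the advice from the earlier reply (leak only host routes into the DMZ VRF, never the whole subnet) and the failure reported in this reply (a "global" static route whose next hop is one of the switch's own SVI addresses). The following audit script is an added example, not code from the thread or from Cisco: it parses a constructed running-config excerpt that mirrors the interfaces and static routes discussed above, identifies which static routes leak between the global table and a VRF, and flags the two problems. The config text, the VRF name "DMZ" as the protected table, and the simplified static-route grammar (interface and/or next-hop IP, optional "global" keyword, no distance or "name" options) are all assumptions of the example.

```python
import ipaddress

# Constructed running-config excerpt (not taken from the poster's switch). It
# carries the SVIs from the thread plus three static leak routes: one host
# route, one deliberately wider than a host route, and one whose "global"
# next hop is a local SVI address, which the thread reports IOS rejects.
SAMPLE_CONFIG = """\
ip vrf DMZ
 rd 65000:400
!
interface Vlan400
 ip vrf forwarding DMZ
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 ip address 10.180.2.1 255.255.255.0
!
ip route 192.168.100.3 255.255.255.255 Vlan400
ip route 192.168.100.0 255.255.255.0 Vlan400
ip route vrf DMZ 10.180.2.0 255.255.255.0 10.180.2.1 global
"""


def parse_interfaces(config):
    """Map interface name -> {'vrf': name or None (global), 'ip': address or None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            current = tokens[1]
            interfaces[current] = {"vrf": None, "ip": None}
        elif tokens[0] == "!":
            current = None
        elif current and tokens[:3] == ["ip", "vrf", "forwarding"]:
            interfaces[current]["vrf"] = tokens[3]
        elif current and tokens[:2] == ["ip", "address"]:
            interfaces[current]["ip"] = tokens[2]
    return interfaces


def parse_static_routes(config):
    """Parse 'ip route [vrf X] NET MASK [IFACE] [NEXTHOP] [global]' lines (assumed grammar)."""
    routes = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["ip", "route"]:
            continue
        tokens = tokens[2:]
        vrf = None
        if tokens and tokens[0] == "vrf":
            vrf = tokens[1]
            tokens = tokens[2:]
        prefix = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
        rest = tokens[2:]
        routes.append({
            "vrf": vrf,                                  # table the route is installed in
            "prefix": prefix,
            "hops": [t for t in rest if t != "global"],  # interface and/or next-hop IP
            "global": "global" in rest,                  # next hop resolved in the global table
        })
    return routes


def find_leaks(config):
    """Static routes that forward into a table other than the one they are installed in."""
    interfaces = parse_interfaces(config)
    leaks = []
    for route in parse_static_routes(config):
        target = None if route["global"] else route["vrf"]
        for hop in route["hops"]:
            if hop in interfaces:            # an interface next hop decides the egress table
                target = interfaces[hop]["vrf"]
        if target != route["vrf"]:
            leaks.append({**route, "into": target})
    return leaks


def audit(config, protected_vrf="DMZ"):
    """Findings a reviewer would raise about the leak routes in config."""
    interfaces = parse_interfaces(config)
    local_ips = {i["ip"] for i in interfaces.values() if i["ip"]}
    findings = []
    for leak in find_leaks(config):
        where = f"{leak['vrf'] or 'global'} -> {leak['into'] or 'global'} {leak['prefix']}"
        if leak["into"] == protected_vrf and leak["prefix"].prefixlen < 32:
            findings.append(f"{where}: wider than a host route, exposes the whole {protected_vrf} subnet")
        if leak["global"] and any(hop in local_ips for hop in leak["hops"]):
            findings.append(f"{where}: 'global' next hop is a local SVI address, IOS rejects this")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the /24 leak into DMZ and the rejected local-next-hop route; the /32 host route passes, which is the shape of leak the earlier reply recommends. To use it on a real box, paste the output of "show running-config | include ^ip route|^interface|ip vrf forwarding|ip address" into SAMPLE_CONFIG (the parser ignores lines it does not recognize).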
06-29-2016 06:24 PM
Hi
It's not working on the device you're using. Do you have a Catalyst switch?
What is your design?
You can try the same command, except that you specify the interface instead of the next-hop IP and leave out the global keyword. I'm quite sure it won't work.
If you don't have a next hop to specify when using static routes, then you will need to do it using BGP; I don't have other solutions. Those are the two solutions I'm playing with every day.
Sorry. Let me know your design and maybe I can find another solution for you.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question