How to control/filter traffic between VRFs (VRF-lite) using route leaking?

Hi,
does anybody know how I can control/filter the traffic between two VRFs when I use route leaking or normal route-target export/import connections, maybe with an ACL, in the following scenarios?
Scenario 1:
I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers, and I want one of the PE routers to allow/route traffic between these VPNs, but only traffic on TCP port 80 and no other ports. I'm only aware of binding ACLs to logical or physical interfaces, but I don't know how to do this here.
Scenario 2:
Same as scenario 1, but instead of the PE router connecting the VPNs, a separate router-on-a-stick (e.g. 4900M) connected to one of the PE routers should do this job with VRF-lite and route leaking (address-family ipv4 vrf ...). Here too I only want to allow TCP port 80 between the VPNs.
Kind Regards,
Thorsten

Thanks.
That's what I was assuming. In my experience this solution does not scale with an increasing number of VPNs and inter-VPN traffic via route targets.
Is it correct that there is only one common ACL per VPN where all rules for the communication to all other VPNs are configured? Doesn't this ACL become too complex and too error-prone to administer in a real network environment? Furthermore, in my understanding this ACL has to be configured per VPN on all PE routers which have interfaces to CE routers for that VPN.
Does Cisco offer software for managing this?
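A defender's check for the route-target question above: the Python script below is added here (it is not from any poster or from Cisco) and parses IOS `ip vrf` blocks, computes which VRFs can exchange routes through matching route-target export/import values, flags leaks outside a documented allow-list of VRF pairs, and reports overlapping prefixes a VRF would import from two sources. The configuration and prefixes are constructed samples, modelled on the route-target pattern in the 'Nat between vrf' thread further down this page, and the MP-BGP matching rule is stated as an assumption in the comments.

```python
import ipaddress
import re

# Constructed sample (not a poster's config): proxy is the shared-service VRF,
# upa and upa-tv are customer VRFs that must reach proxy but never each other.
SAMPLE_CONFIG = """\
ip vrf proxy
 route-target export 500:500
 route-target export 501:501
 route-target import 500:500
 route-target import 401:401
ip vrf upa
 route-target export 300:300
 route-target export 401:401
 route-target import 300:300
 route-target import 501:501
ip vrf upa-tv
 route-target export 1000:1000
 route-target export 401:401
 route-target import 1000:1000
 route-target import 501:501
"""

# Constructed per-VRF prefixes; 10.4.1.0/24 deliberately exists in both upa and upa-tv.
SAMPLE_PREFIXES = {
    "proxy": ["172.31.50.0/24"],
    "upa": ["172.31.47.0/24", "10.4.1.0/24"],
    "upa-tv": ["10.4.1.0/24"],
}

_VRF_RE = re.compile(r"^ip vrf (\S+)\s*$")
_RT_RE = re.compile(r"^\s*route-target (import|export|both) (\S+)\s*$")


def parse_vrfs(config):
    """Map each VRF name to the sets of route-targets it imports and exports."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = _VRF_RE.match(line)
        if m:
            current = m.group(1)
            vrfs[current] = {"import": set(), "export": set()}
            continue
        m = _RT_RE.match(line)
        if m and current:
            direction, rt = m.groups()
            if direction in ("import", "both"):
                vrfs[current]["import"].add(rt)
            if direction in ("export", "both"):
                vrfs[current]["export"].add(rt)
        elif line and not line.startswith(" "):
            current = None  # an unindented command ends the 'ip vrf' block
    return vrfs


def leaks(vrfs):
    """{(exporter, receiver): shared route-targets} for every one-way route leak."""
    # MP-BGP rule assumed: a VRF installs another VRF's routes when at least one
    # route-target is both exported by the source and imported by the receiver.
    found = {}
    for src, s in vrfs.items():
        for dst, d in vrfs.items():
            shared = s["export"] & d["import"]
            if src != dst and shared:
                found[(src, dst)] = shared
    return found


def reachable_pairs(vrfs):
    """Unordered VRF pairs leaking both ways, i.e. with a path for return traffic."""
    one_way = leaks(vrfs)
    return {frozenset(p) for p in one_way if (p[1], p[0]) in one_way}


def unexpected_leaks(vrfs, allowed_pairs):
    """One-way leaks between VRF pairs that the documented policy does not allow."""
    allowed = {frozenset(p) for p in allowed_pairs}
    return {p: rts for p, rts in leaks(vrfs).items() if frozenset(p) not in allowed}


def overlap_collisions(vrfs, prefixes):
    """Overlapping prefixes a receiver VRF ends up holding from two different VRFs."""
    # This is what forces NAT in the shared-service design: both customer VRFs
    # leak 10.4.1.0/24 into proxy, which then cannot tell the two networks apart.
    collisions = []
    for receiver in vrfs:
        table = [(receiver, ipaddress.ip_network(p)) for p in prefixes.get(receiver, [])]
        for src, dst in leaks(vrfs):
            if dst == receiver:
                table += [(src, ipaddress.ip_network(p)) for p in prefixes.get(src, [])]
        for i, (owner1, net1) in enumerate(table):
            for owner2, net2 in table[i + 1:]:
                if owner1 != owner2 and net1.overlaps(net2):
                    collisions.append((receiver, owner1, str(net1), owner2, str(net2)))
    return collisions


if __name__ == "__main__":
    vrfs = parse_vrfs(SAMPLE_CONFIG)
    print("one-way leaks:", leaks(vrfs))
    print("reachable both ways:", sorted(tuple(sorted(p)) for p in reachable_pairs(vrfs)))
    print("unexpected:", unexpected_leaks(vrfs, [("proxy", "upa"), ("proxy", "upa-tv")]))
    print("overlaps:", overlap_collisions(vrfs, SAMPLE_PREFIXES))
```

Running it against a real PE's `show running-config` output (the `ip vrf` syntax shown on this page) gives the leak matrix that the per-VPN ACLs then have to match, which is an easier thing to review than the ACLs themselves.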

Similar Messages

  • Extending VRF-lite to 6500??

    Hello,
    I have a simple scenario where there is a 6500 connected to a router (ISP end), which we have planned to implement VRF-lite on. There are basically 2 VLANs on the LAN, one production and one guest. We need to isolate the routing table instances between production and guest. We have planned to configure a trunk between the 6500 and the PE router at the ISP end. The 6500 acts as a CE here.
    Now, I want to extend the VRF information from the PE to the 6500 CE, since the Layer 3 VLANs terminate on the 6500. I will define the same VRF information on the 6500 and isolate VRF routing tables for the guest/production VLANs on the LAN as well. I know we will need to configure VRF, RD, BGP etc. on the PE router and do an "ip vrf forwarding" on the subinterface of the router. What is the configuration required on the 6500 to extend the VRF-lite information to the end VLANs? Does anyone have any sample configs or links I can refer to?
    Raj

    Well,
    first a sample config (not from a 6500, but you should be able to get the idea):
    ip vrf Cust1
    rd 65000:1
    ip vrf Cust2
    rd 65000:2
    interface FastEthernet0/0.100
    encapsulation dot1Q 100
    ip vrf forwarding Cust1
    ip address 10.1.1.1 255.255.255.252
    interface FastEthernet0/0.200
    encapsulation dot1Q 200
    ip vrf forwarding Cust1
    ip address 10.1.2.1 255.255.255.252
    interface FastEthernet0/0.300
    encapsulation dot1Q 300
    ip vrf forwarding Cust2
    ip address 10.20.1.1 255.255.255.252
    interface FastEthernet0/0.333
    encapsulation dot1Q 333
    ip vrf forwarding Cust2
    ip address 10.1.1.1 255.255.255.252
    !On a 6500 you could also have:
    interface vlan 400
    ip vrf forwarding Cust2
    ip address 10.1.123.1 255.255.255.252
    router rip
    address-family ipv4 vrf Cust1
    version 2
    network 10.0.0.0
    no auto-summary
    exit-address-family
    address-family ipv4 vrf Cust2
    version 2
    network 10.0.0.0
    no auto-summary
    exit-address-family
    The separation in the control plane (routing etc.) is achieved through the normal VRF configuration. Overlapping IPs and such are supported by having separate IP routing tables per VRF and VRF-aware routing protocols like RIP, OSPF, etc.
    In the data plane, traffic is sorted by Layer 2 encapsulation. In the example above, the dot1Q VLAN tag will deliver the same functionality as the MPLS VPN labels. If, e.g., an IP packet with destination 10.1.1.1 arrives, the VLAN tag 100 or 333 will allow the VRF-lite CE to determine whether it belongs to Cust1 or Cust2. The same differentiation will take place for traffic from the CE to the PE. So the PE config is practically the same, BUT in addition MP-BGP, route-targets and MPLS towards the core are used.
    So no MPLS is needed on the VRF-lite CE router, and no labels will be used, hence VRF-lite.
    The PE will not be the PHP LSR in the MPLS sense, because it is the LAST router in the MPLS network.
    Instead of the FastEthernet, VLAN interfaces can also be used. The number of interfaces per VRF or the number of VRFs is limited by memory.
    Hope this helps! Please use the rating system.
    Regards, Martin

  • Nat between vrf

    Hi to all, I'm trying to configure NAT between VRFs. I have a network with multiple VRFs and a common VRF where there are some services shared among them.
    I have an IP overlapping issue, so I'm trying to use VRF-aware NAT.
    The shared service is on a VRF also.
    I use route-target import and export to import routes between VRFs. I've seen that NAT is working between a VRF and global routing, but not between different VRFs that are already able to communicate.
    This is my configuration :
    ip vrf proxy
    rd 500:500
    route-target export 500:500
    route-target export 501:501
    route-target import 500:500
    route-target import 401:401
    ip vrf upa
    rd 300:300
    route-target export 300:300
    route-target export 401:401
    route-target import 300:300
    route-target import 501:501
    ip vrf upa-tv
    rd 1000:1000
    route-target export 1000:1000
    route-target export 401:401
    route-target import 1000:1000
    route-target import 501:501
    mpls label protocol ldp
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description interfacccia outside per ip pubblico ipsec
    encapsulation dot1Q 500
    ip address 195.195.195.195 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat enable
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip address 172.31.50.1 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 320
    ip vrf forwarding upa-tv
    ip address 10.4.1.254 255.255.255.0
    interface GigabitEthernet0/1
    description connessa a 6500
    ip address 80.x.x.1 255.255.255.0
    duplex auto
    speed auto
    mpls ip
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    neighbor 80.80.80.2 remote-as 65000
    no auto-summary
    address-family vpnv4
    neighbor 80.80.80.2 activate
    neighbor 80.80.80.2 send-community both
    exit-address-family
    address-family ipv4 vrf upa-tv
    no synchronization
    exit-address-family
    address-family ipv4 vrf upa
    redistribute connected
    no synchronization
    exit-address-family
    address-family ipv4 vrf proxy
    redistribute connected
    no synchronization
    exit-address-family
    ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
    ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    As you can see, I export routes from VRF upa and upa-tv as RT 401:401 and import them in the proxy VRF, and in the same way I export routes from the proxy VRF as RT 501:501 and import them into upa and upa-tv.
    Network 10.4.1.0/24 exists in both VRF upa and upa-tv, so I'd like to NAT one of them to another IP address (I tried to use a static translation to be able to reach the same IP address in both VRFs). I made some tests, and it seems to work when I NAT from VRF to global, but it doesn't work when NAT is between VRFs (is this supported?). I tried with NVI and with the classic NAT commands:
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat inside
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip address 172.31.50.1 255.255.255.0
    ip nat outside
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy
    tried also with
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    but it didn't work...
    any suggestion ?
    any help will be appreciated
    Max

    Hi Mohammed, now all works well.
    I understand my error: basically, when I tried to ping, I pinged a router in my own VRF, because I imported the network, so the packet didn't come across interfaces and NAT was not in place. Now I tried static host and network NATting and dynamic NATting and all works well.
    Here is a complete working configuration:
    ip vrf proxy
    rd 500:500
    route-target export 500:500
    route-target export 501:501
    route-target import 500:500
    route-target import 401:401
    ip vrf upa
    rd 300:300
    route-target export 300:300
    route-target export 401:401
    route-target import 300:300
    route-target import 501:501
    ip vrf upa-tv
    rd 1000:1000
    route-target export 1000:1000
    route-target export 401:401
    route-target import 1000:1000
    route-target import 501:501
    mpls label protocol ldp
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description interfacccia outside per ip pubblico ipsec
    encapsulation dot1Q 500
    ip address 195.195.195.195 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat inside
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip nat outside
    ip address 172.31.50.1 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 320
    ip vrf forwarding upa-tv
    ip address 10.4.1.254 255.255.255.0
    interface GigabitEthernet0/1
    description connessa a 6500
    ip address 80.x.x.1 255.255.255.0
    duplex auto
    speed auto
    mpls ip
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    neighbor 80.80.80.2 remote-as 65000
    no auto-summary
    address-family vpnv4
    neighbor 80.80.80.2 activate
    neighbor 80.80.80.2 send-community both
    exit-address-family
    address-family ipv4 vrf upa-tv
    no synchronization
    exit-address-family
    address-family ipv4 vrf upa
    redistribute connected
    no synchronization
    exit-address-family
    address-family ipv4 vrf proxy
    redistribute connected
    no synchronization
    exit-address-family
    ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
    ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    Many thanks for the help, now all works well and I understand the way to configure it.

  • MPLS VRF Routes Leaking

    I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
    Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
    Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
    What is the best solution to prefer that meets the requirements & also avoids the security loopholes ?

    You could do one of the following ways to implement Internet access for L3 MPLS VPN:
    1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface in the PE/PEs will need to be in the global routing table to have Internet access, and then you can inject that route into the VRF/VRFs.
    2. Internet access using route leaking between VRFs and the global routing table: with this method you will need to configure a static default route with a next hop of an Internet gateway (in your case the FWSM) reachable through the global routing table; this VRF default route needs to be injected/redistributed into the PE-CE routing (MP-BGP) to provide outbound Internet connectivity to your VRFs.
    Inbound traffic from the Internet will require either a NATed VRF or static routes in the global routing table pointing to the VRF interface.
    3. The other method is the use of a shared service: with this method you put the Internet service (FWSM) in its own VRF, then you can control the import and export between the Internet VRF and the other VRFs through import/export of the VRFs' route-target values.
    Good luck
    If helpful, rate

  • Which is the correct way to filter/block traffic between vlans?

    Hi all. My question is: Which is the correct way to filter/block traffic between VLANs?
    I have more than 15 VLANs. I want to block traffic between them except for 2 VLANs.
    Source VLAN 3 deny destination VLAN 4:
    #access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
    and the opposite:
    #access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    I have to do this for all VLANs, one by one. Is that right?
    Thanks.

    There are a couple of ways to achieve that. I assume that you have a Layer 3 switch. There I would configure one ACL per VLAN interface and allow/deny the traffic as you want. Sadly, the switches don't support object-groups yet, so you have to use the IP networks here. Only allow/deny traffic based on networks or hosts. Don't even try to be very granular with permits/denies based on ports. Because the switch ACLs are not stateful, you'll run into problems with the return traffic if you do that. And the return traffic of course has to be allowed as well.
    Another way: with the help of 802.1X you can deploy port-based ACLs for every user. That takes some time for planning, but is one of the most powerful solutions.
    For more control you could remove the L3 interface from your L3 switch and move it to your router or firewall. These devices support stateful filtering and you can control your traffic much more tightly than with ACLs on the switch.

  • Using VRF-Lite in 6509 as Really Expensive IPS ByPass

    I have an IPS (Intrusion Prevention) unit that is causing me some problems with some of my servers in my ServerFarm. I would like to route most of my to/from ServerFarm traffic through the IPS, but use some policy-based routing with an ACL (preferably, a policy-based ACL) to allow some servers to bypass the IPS.
    So, I thought of taking my Cisco 6509 and making it into a Really Expensive Optical ByPass switch for this small group of servers. The challenge is that the IPS runs strictly at Layer 2. So if I connect the IPS in a loop to the 6509, I must change the MAC addresses on these interfaces on the 6509 so that each address is unique -- as well as assign unique IPs to each of the two interfaces, but the addresses must share the same L3 subnet. Of course, this leads to overlapping addresses on the 6509, which it does not like. So, I want to see if I can try a little VRF-lite to remove the overlapping address problem.
    To accomplish the bypass segment, I take a piece of fiber and just connect two ports together on the 6509, changing the MAC addresses and assigning the "overlapping" IPs (which is "solved" by placing the different ports in different VRFs: one port in the global table and the other port in a standalone VRF). If I can do this without running this piece of fiber, I'd be welcome to the idea.
    I can fire up OSPF on all of my interfaces, raising the cost of the IPS Bypass link, and use the route-maps to try to route the Bypass traffic correctly. Unfortunately, the route-maps are not behaving. The traffic moves across the two links (one with IPS, one without) asymmetrically, which isn't what I want.
    I am uploading a diagram that will show a simplified example of what I am doing. Here is my config below. Does anyone have any ideas on what I am doing wrong, or a better way to do this? (I tried a VACL approach, but I could not redirect the traffic properly):
    ip vrf Srv
    description ServerNets
    rd 65000:10
    object-group ip address IPS-Ignore
    host 192.168.20.2
    interface GigabitEthernet1/3
    ip address 192.168.200.1 255.255.255.0
    ip policy route-map ServerNetIngress
    interface GigabitEthernet1/9
    description ServerNets
    no ip address
    ip flow ingress
    interface GigabitEthernet1/9.20
    description PublicServerNet
    encapsulation dot1Q 20
    ip vrf forwarding Srv
    ip address 192.168.20.1 255.255.255.128
    ip flow ingress
    ip policy route-map ServerNetEgress
    interface GigabitEthernet1/15
    description IPS-ByPass-Global
    mac-address 0015.c7c9.c10f
    ip address 192.168.15.73 255.255.255.252
    ip flow ingress
    ip ospf cost 100
    interface GigabitEthernet1/17
    description IPS-ByPass-Srv-VRF
    mac-address 0015.c7c9.c111
    ip vrf forwarding Srv
    ip address 192.168.15.74 255.255.255.252
    ip flow ingress
    ip ospf cost 100
    interface GigabitEthernet1/19
    description IPS-Scrub-Global
    mac-address 0015.c7c9.c113
    ip address 10.0.0.2 255.255.255.252
    ip flow ingress
    interface GigabitEthernet1/21
    description IPS-Scrub-Srv-VRF
    mac-address 0015.c7c9.c115
    ip vrf forwarding Srv
    ip address 10.0.0.1 255.255.255.252
    ip flow ingress
    router ospf 10 vrf Srv
    router-id 192.168.10.1
    log-adjacency-changes
    capability vrf-lite
    network 192.168.0.0 0.0.255.255 area 0
    router ospf 1
    router-id 192.168.0.1
    log-adjacency-changes
    network 192.168.0.0 0.0.255.255 area 0
    ip access-list extended IPS-Bypass
    permit ip addrgroup IPS-Ignore any
    permit ip any addrgroup IPS-Ignore
    route-map ServerNetIngress permit 100
    description ByPassIPS
    match ip address IPS-Bypass
    set global
    set ip next-hop 192.168.15.74 10.0.0.1
    route-map ServerNetEgress permit 100
    description ByPassIPS
    match ip address IPS-Bypass
    set ip vrf Srv next-hop 192.168.15.73 10.0.0.2
    I obfuscated my addresses, so don't let that throw you off too much.
    Clarke Morledge
    College of William and Mary

    Thank you for the suggestion. Just using the "set ip next-hop" in the respective route-map is sufficient and gets the job done. Unfortunately, my problem is more with how the policy-based ACLs (PBACLs) work; i.e. the lines with the object-group syntax in the config. My contact with the TAC tells me that PBACLs are not really supported to do policy-based routing. So because the PBACL is not working correctly all of the time, things don't get matched properly in the route-map for the policy-based route to get correctly applied.
    This is really too bad since the PBACL looks to be a quite handy feature. In my example -- at least in theory -- I should be able to make but one change to the "object-group" in order to properly handle the policy-based routing involving the two different route-maps. Alas, this is not as easy as I hoped for since making changes to the PBACL apparently produces unpredictable results -- and the TAC just tells me that the feature is not supported for what I want to do.

  • VRF-Lite on one 6509; How to route traffic from global to VRF.

    To anyone that can lead me in the right direction:
    I have a 6509 switch with IOS "s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...

    Hello,
    You need to use static routes in both directions: one static route in the VRF table pointing to the global interface, and another one in the global table pointing to the VRF interface for the received traffic. After that, you can redistribute the global static route into EIGRP for end-to-end connectivity!
    Example:
    Consider you have 2 interfaces in your core SW-6509: one is G0/1 and the other is G0/2.
    G0/1 is placed into the global table, and G0/2 is part of VRF X.
    interface G0/1
    ip address 1.1.1.1 255.255.255.0
    interface G0/2
    ip vrf forwarding X
    ip address 2.2.2.2 255.255.255.0
    Consider subnet Y.Y.Y.Y in the global table and you want to have it accessible from the VRF!
    Configure this: (ip route vrf X y.y.y.y y.y.y.y.y G0/1 global)
    Configure also this for the return traffic from the global table: (ip route 2.2.2.2 z.z.z.z G0/2)
    You can then redistribute the global static into EIGRP as below:
    router eigrp 1
    no auto-summary
    redistribute static metric 1 1 1 1 1
    HTH
    Mohamed

  • Using Xserve to route traffic between LANs

    A couple of years ago Camelot posted a response on how to set up an Xserve to route network traffic between the Xserve's internal NICs (http://discussions.apple.com/thread.jspa?threadID=1193839&tstart=127). In that situation, both LANs were 192.168.x.x. Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work? Addresses on the 172.16 are dished out from a Cisco PIX501 which I don't control. The Xserve has a fixed IP of 172.16.128.241 (DHCP with manual address) on en0. The 192.168 LAN is on en1 and the XServe does the DHCP for that side. NAT is on with IP forwarding. I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
    Xserve is running Server 10.5.4

    Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work?
    You can route between any connected networks. There doesn't have to be any common elements in the IP address subnets.
    I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
    You say you're running NAT on this system. NAT is not needed (or, in fact, desired) since it's designed for one way traffic (e.g. traffic from LAN 1 is translated to an address in LAN2 before forwarding). To have traffic flow the other way you need to setup port forwarding, which isn't practical for a large number of machines.
    My earlier suggestion doesn't suggest enabling NAT at all, just IP Forwarding. IP Forwarding should work both ways provided the relevant devices in each LAN know where to route the traffic (e.g. devices in the 192.168.x.x LAN need to have a route that sends traffic for 172.16.x.x to the 192.168.x.x address of the XServe).

  • How do I use the time capsule to share itunes music between multiple apple devices? Also, is it possible to control the music on one device using another, and how do you set this up?


    Unless I'm missing something, I think you got mixed up; this is easy, Google for walkthroughs.
    I'm assuming this is the new 3TB TC AC or 'tower' shape; if so, its Wi-Fi will run circles around your AT&T device.
    Unplug the AT&T box for a minute and plug it back in.
    Factory reset your TC: unplug it, hold down reset and keep holding while you plug it back in; only release reset when the amber light flashes in 10-20 s.
    Connect the TC to your AT&T box via Ethernet in the WAN port, wait 1 minute, open AirPort Utility and look in 'other Wi-Fi devices' to set up the TC.
    Create a new Wi-Fi network (give it a different name than your AT&T one) and put the TC in bridge mode (it may do this automatically for you, but you should double check) under the 'network' tab.
    Log in to your AT&T router and disable Wi-Fi on it.
    Add new clients to the new Wi-Fi network, and point your Macs to the Time Machine for backups.

  • Could someone tell me how to control a small DC motor using LabVIEW and an NI 6008 DAQ? The motor is adjustable using a pot that ranges between 0-V if that is of any additional benefit


    Read the second thread you have a link to. While both of these will produce PWM signals, the first one is a couple of orders of magnitude too slow to do anything useful in controlling the speed of a motor; what you would see would be the motor run at full speed, then stop for a period, then run at full speed, rather than at the "average of on and off", as the pulse widths will be very long relative to the motor's response. The second one has a better chance, IF all you want to do is run the motor. If there are any other calculations ... Look at both and try to get an understanding of what they are doing. For PWM speed control of a motor you really need a pretty fast pulse width, and probably some filtering to smooth out the resulting "harsh" waveform, giving you the "average" voltage resulting from the PWM.
    Putnam
    Certified LabVIEW Developer
    Senior Test Engineer
    Currently using LV 6.1-LabVIEW 2012, RT8.5
    LabVIEW Champion

  • Can I use Developer6 with Oracle8i Lite? What's the difference between 8i Lite and Personal 8i?

    Can anyone tell me if I can use Oracle8i Lite in conjunction with Developer6? I am running my computer on a Win98 operating system. Also, what are the differences between Oracle8i Lite and Personal Oracle8i?
    I have only 64MB RAM and am therefore below the minimum requirements to install Personal Oracle8i (which requires 128MB of RAM); is there any way around this?
    Thank you in advance for your help in this matter

    There is hope of installing Personal Oracle on a 64MB machine by increasing the cache for the machine. I have done it for Oracle Server and it works.
    Go to: Control Panel
    then: System
    Select: Performance tab
    Specify virtual memory to 200 MB minimum to successfully install the database.
    I tried using Oracle Lite for Personal Oracle but came to know that it is mostly meant for CE devices and other such things for having connectivity between a PC database and an Oracle Server database (I may be wrong).
    Using Personal Oracle with Developer 6.0 will also give you some trouble in configuring the TNSNAMES for TCP/IP, and Developer uses a connect string, and without that you probably will not be able to connect to the database. Try it; I tried but failed. Take the help of ODBC.
    Good Luck

  • Filter Traffic using ISDM-2 Inline Mode and Inline VLAN Pairs

    Hi Everyone,
    I have a new ISDM-2 Module (Version 6.0(1)E1) and I'm thinking of using Inline VLAN Pairs to bridge two VLANs, in my case VLAN 100 and VLAN 101. VLAN 100 is the VLAN used by the MSFC and VLAN 101 is the VLAN used by the outside of my FWSM. In this way, I think I can monitor all the traffic to and from the Internet. My question is: can I choose what traffic I will analyze using this configuration? Maybe with a VACL or another way.
    Thanks in advance
    Andre Lomonaco

    If I understand your question correctly, I do not think you have the ability to selectively inspect the traffic with only a single pair of vlans. The IPS module is going to bridge your vlans together and you would want all traffic to go through that bridge...I don't know what mechanism you'd use to selectively direct traffic through some other bridge/route function.
    Within the IPS software you can turn off (disable AND retire) signatures that inspect traffic that you wish to ignore, the IPS will just forward the traffic through, but you don't have a fine level of granularity there.
    Scott

  • VRF-Lite with 6500 w/ Sup720

    I am working with a customer who would like to utilize path isolation in their network using VRF-lite. I am currently debating between the use of GRE tunnels vs. VLANs between the 3 core switches they currently have in place today. This is going to be an overlay network on top of what they currently have. The core is all L2 today with 802.1Q trunks between each of the 3 cores in a ring topology. Closets are single-homed into the core throughout.
    My question is regarding GRE vs. VLANs. Currently, we are looking at having to deploy 12 VRFs to support 12 separate network types they would like to isolate. The access layer switches will trunk to the cores, where the core will apply VRFs to specific VLANs based on their role.
    Which is going to be a more scalable solution from a performance and administration standpoint: GRE, VLANs, or MPLS?
    Currently the GRE implementation is going to require that we configure many loopbacks and tunnels on each core in order to get the VRFs talking to each other in each core. The VLAN approach will require 24 VLANs per core (assuming we would go with PTP vs. multipoint for routing inside the VRF).
    Any thoughts on which way to proceed? From what I have read, GRE is more appropriate when you have multiple hops between VRF tables, which in this case we do not. I am just concerned that with loopbacks, tunnels, and then routing on top of that, the GRE solution will lack scalability as they add more VRFs. A PTP VLAN will pose a similar problem without the need for loopbacks, which should simplify the solution.
    Can we use MPLS here and just do PE-to-PE MPLS and still get the VRF segmentation we need between cores?
    I would like to eventually migrate the entire core to L3 completely, but today we are stuck with having to support legacy networks (DEC/LAT/SNA) and have to keep some L2 in place.
    What's the best approach here?

    Shine,
    I actually ended up with basically the same design you are talking about here except that I ended up adding a couple 6500 +FWSM and NAC L3/L2 CAM/CAS into the mix.
    Here is the high level overview
    1. Every Closet had a minimum of 6 VLANs - unique to the stack or closet switch - Subnets were created for each VLAN as well - no spanning of L2 VLANs across switch stacks.
    2. VLANs were assigned for - Voice, Data, LWAPP VLAN, Guest/Unauthorized, Switch/Device Management, and at least 1 special purpose VLAN - (Lab, Building Controls, Security, etc).
    3. Then we trunked all the VLANs back to 1 of 3 cores - 6509s with Sup-720s
    4. Each Core 6509 was configured for each L2 VLAN with a L3 SVI (The VLANs configured here were not configured on any other cores - we didn't have available fiber runs to do any type of redundant pathing across multiple cores so it wasn't valid in this design to configure VLAN SVIs on more than one core).
    5. Each L3 SVI was assigned to the appropriate VRF based on use - Voice, Data, LWAPP, etc
    6. Spanning-Tree Roots for all VLANs trunked to a core were specific to that core - they did not trunk between Cores - no loops
    7. Each Core was connected via a L2 Trunk that carried Point to Point VLANs for VRFs traffic - We had an EIGRP AS assigned to each VRF on the link - so we had 6 VRFs and 6 EIGRP AS per trunk.
    8. This design occurred on each core x2 as it connected to the other cores in a triangle core fashion.
    9. Each of the Cores had a trunk to a 6500 with a FWSM configured - VRF/L3 PTP VLAN design continued here as well
    10. The 6500+FWSM was configured with multiple SVIs and VRFs - we had to issue multi-vlan mode on the FWSM to get it to work.
    11. Layer 2 NAC was configured with VLAN translation coming into the Core 6500/FWSM for Wireless in L2 InBand Mode - the L3 SVIs were configured on the clean side of the NAC CAM so traffic was pulled through the CAM from the dirty side - where the controller mapped host SSIDs to appropriate VLANs. We only had to configure a couple of host VLANs here - Guest and Private - so this was not much of an issue - Private was NAC enabled, Guest VLAN/SVI was mapped to a DMZ on the firewall
    12. For Layer 3 NAC we just used an out of band CAM configuration with ACLs on the Unauthorized VLAN
    It worked like a charm.
    If I had to do it all over again I would go with MPLS/BGP for more scalability. Configuring trunks between the cores and then having the multiple EIGRP AS/PTP VLANs works well in networks this small but it doesn't scale indefinitely. It sounds like your network is quite large. I would look into MPLS between a set of at least 3-4 Core PE/CE devices. Do you plan on building a pure MPLS core for tagged switched traffic only? Is your campus and link make-up significant enough to benefit from such a flexible design?
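    As an added illustration of steps 4 to 7 above (this is not configuration from the post's author; VRF names, VLAN numbers, addresses and EIGRP AS numbers are made up), here is what one core (Core1) would carry in IOS: closet SVIs placed in their VRFs, a point-to-point VLAN per VRF on the inter-core trunk, and one EIGRP AS per VRF.

```ios
! Added example, not from the post: Core1 side of the design above.
! VRF names, VLANs, addresses and AS numbers are made up for illustration.
ip vrf VOICE
 rd 65000:10
!
ip vrf DATA
 rd 65000:20
!
! Steps 4/5: each closet VLAN trunked to this core gets an SVI, and the SVI
! is put in the VRF that matches its use. "ip vrf forwarding" clears any
! address already on the interface, so it goes before "ip address".
interface Vlan110
 description Closet-1 voice
 ip vrf forwarding VOICE
 ip address 10.10.110.1 255.255.255.0
!
interface Vlan120
 description Closet-1 data
 ip vrf forwarding DATA
 ip address 10.10.120.1 255.255.255.0
!
! Step 6: this core is STP root for the VLANs that terminate on it
spanning-tree vlan 110,120 root primary
!
! Step 7: the inter-core link is a dot1q trunk carrying only the
! point-to-point VLANs, one per VRF. No closet VLAN is allowed on it, so
! there is no L2 loop between cores.
vlan 910
 name PTP-VOICE-Core1-Core2
vlan 920
 name PTP-DATA-Core1-Core2
!
interface TenGigabitEthernet1/1
 description Trunk to Core2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 910,920
 switchport mode trunk
!
interface Vlan910
 ip vrf forwarding VOICE
 ip address 10.255.10.1 255.255.255.252
!
interface Vlan920
 ip vrf forwarding DATA
 ip address 10.255.20.1 255.255.255.252
!
! One EIGRP autonomous system per VRF. The VRF address-families hang off a
! global EIGRP process (AS 1 here), which itself need not carry any network.
router eigrp 1
 address-family ipv4 vrf VOICE
  autonomous-system 10
  network 10.10.110.0 0.0.0.255
  network 10.255.10.0 0.0.0.3
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf DATA
  autonomous-system 20
  network 10.10.120.0 0.0.0.255
  network 10.255.20.0 0.0.0.3
  no auto-summary
 exit-address-family
```

    Core2 mirrors this with the .2 addresses on Vlan910/Vlan920. The isolation check is that "show ip route vrf VOICE" never shows a DATA prefix and "show ip eigrp vrf VOICE neighbors" lists only the peer on Vlan910; the two VRFs share the trunk but never share a table or an adjacency.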

  • VRF Lite running in the enterprise network

    Hello everybody
    Although VRF-lite (or Multi-VRF) seems to be a Service Provider technology, does it make sense to use it in an Enterprise Network to isolate networks from others?
    I can't find any design paper which describes whether this would make sense.
    What do you think? Is someone using it? Does Cisco recommend it?

    Yes, VRF-lite SHOULD be used in an Enterprise environment to isolate the different security classes of devices.
    In the past you would isolate different groups of users using Layer1, i.e. separate hubs either totally isolated or connected together by a router with ACLs. Since the PCs were only connected at shared 10 Mbit and the routers were such low performance and worms weren't really prevalent, this was not a big security issue at the time.
    Then we migrated to VLANs, which essentially allowed Layer2 isolation within the same switch to provide the same functionality of separating different classes of users and to break up broadcast domains. Unfortunately, everyone connected the VLANs together at Layer3 with a router (or SVI) which essentially connected everything together again! And almost no one gets the ACLs right (if at all) to isolate the VLANs from each other. In fact, in most cases every VLAN can automatically reach every other VLAN from a Layer3 or IP perspective. This is a huge security problem.
    Enter VRF-lite, essentially created by Cisco as their tag switching migrated to standards based MPLS and had a need to isolate Layer3 security domains from each other within the same switch (or router). Think of VLANs for routing tables. VRF stands for 'Virtual Route Forwarding', which basically means separate routing tables. Since VRF-lite is a per-switch feature (running locally to the switch) you will need to use other technologies to connect multiple VRF-lite switches together and keep the traffic isolated, see below.
    What makes this so secure is that there is no command within the switch to connect different VRFs together within the same switch. You would need to connect a cable between two ports on the same switch configured in different VRFs to be able to communicate between them (recent IOS 12.2SR allows tunnels with different source VRFs but that is a corner case). The reason for this is simple, remember the basis for VRF (and VRF-lite) is for a service provider to isolate multiple customers from each other within the same switch. Just like an ATM, Frame-Relay, SONET, or Optical switch, the command line makes it very difficult (or impossible) to accidentally connect 2 different customers together.
    Think about that. Even if someone was able to get ssh enable access to your switch (you aren't running telnet anymore, right?!), they CAN'T connect 2 VRFs together with any command.
    And, yes, this is highly recommended by Cisco Engineers and is actually deployed far more than you think. I have VRF-lite running on at least 10 clients' networks and those are LARGE networks. VRF-lite was integrated into the environment purely to solve a Layer3 security class isolation issue. I have used Layer3 dot1q trunks on c6500 switches and tunnels to keep isolated connectivity between VRFs between switches.
    In Cisco speak, VRF-lite falls under the topic of 'Path Isolation' which is combined with other features that isolate traffic within the same network such as dot1q trunking, tunneling, VPN, policy-routing, and MPLS. Do a search on Cisco's web site for 'path isolation' and you will find a bunch of info.
    See the following URLs for a good start:
    http://www.cisco.com/en/US/netsol/ns658/networking_solutions_design_guidances_list.html
    http://www.cisco.com/en/US/netsol/ns658/netbr0900aecd804a17db.html
    http://www.cisco.com/en/US/netsol/ns658/networking_solutions_white_paper0900aecd804a17c9.shtml
    As always, rate all posts appropriately, particularly those that provide value and don't be shy about following up with additional questions or comments.
    Good luck!

  • Native Multi-VRF-Lite Design with EIGRP Question

    Hello,
    we are thinking about implementing a VRF-Lite design (no MPLS and MBGP) in our campus network (10,000 ports, 20x 6500 Sup720, 400x L2 switches). MPLS is, from our point of view, oversized for our requirements. We only need a segmentation between different departments. Our IGP is EIGRP.
    In the latest IOS release for the Cat6500 (12.2.18SXD) there is finally VRF-Lite support for EIGRP.
    We could successfully test a design with different VRFs in our lab; the division works fine. But we didn't find a way to implement shared services. In our case these are DHCP, DNS, Internet access and some others. We thought about a redistribution between our global EIGRP routing table and the EIGRP VRF tables, but we didn't find a way to do this.
    How can we do this?
    Thanks

    Use a crossover cable to connect a port belonging to the global routing table to a port belonging to a VRF. This way you can leak EIGRP routes from the global routing table into the VRF (through that physical connection). The drawback is that you use 2 ports (that could instead be used for other things...).
    Another way to do this would be to use static routing; use ip route vrf VRF x.x.x.x m.m.m.m n.n.n.n global to allow traffic to go from the VRF into the global routing table.
    Hope that helps...
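    Both methods from the answer above, put into a full IOS configuration as an added example (not the poster's configuration; VRF name, VLANs, addresses, the shared server 10.200.0.53, the firewall 10.200.0.2 and the port numbers are all made up). It also shows the point the thread keeps coming back to: leaking only creates reachability, and the actual restriction (here: only HTTP may leave the VRF, which is the case asked about at the top of this page) is an ordinary ACL on the VRF-facing interface, independent of whether the leak is static or via the crossover cable.

```ios
! Added example, not from the post: shared services (DNS/DHCP relay,
! Internet firewall) kept in the global routing table of one VRF-lite IOS
! device, with department A in VRF DEPT-A. All names and addresses are
! made up for illustration.
ip vrf DEPT-A
 rd 65000:1
!
! 10.100.0.0/16 is assumed to be DEPT-A's own space, 10.200.0.53 the shared
! DNS/DHCP server, 10.200.0.2 the firewall. Leaking gives reachability;
! these two ACLs decide what may actually cross between VRF and global.
ip access-list extended DEPT-A-FROM-USERS
 remark traffic staying inside the VRF is left alone
 permit ip 10.100.0.0 0.0.255.255 10.100.0.0 0.0.255.255
 remark DHCP discover/request (0.0.0.0 -> broadcast) before relay
 permit udp any eq bootpc any eq bootps
 permit udp 10.100.0.0 0.0.255.255 host 10.200.0.53 eq domain
 remark only HTTP may leave the VRF towards the global table
 permit tcp 10.100.0.0 0.0.255.255 any eq www
 deny ip any any log
!
ip access-list extended DEPT-A-TO-USERS
 permit ip 10.100.0.0 0.0.255.255 10.100.0.0 0.0.255.255
 remark replies only: "established" requires ACK or RST to be set
 permit tcp any eq www 10.100.0.0 0.0.255.255 established
 permit udp host 10.200.0.53 eq domain 10.100.0.0 0.0.255.255
 remark relayed DHCP replies are router-originated and skip the out ACL
 deny ip any any log
!
interface Vlan100
 description DEPT-A users
 ip vrf forwarding DEPT-A
 ip address 10.100.0.1 255.255.255.0
 ip helper-address global 10.200.0.53
 ip access-group DEPT-A-FROM-USERS in
 ip access-group DEPT-A-TO-USERS out
!
interface Vlan900
 description shared services / firewall segment (global table)
 ip address 10.200.0.1 255.255.255.0
!
! Option 1: static leak, no cable, no dynamic routing between the tables.
! VRF -> global: the next hop (firewall) is resolved in the global table.
ip route vrf DEPT-A 0.0.0.0 0.0.0.0 10.200.0.2 global
! global -> VRF: return route via the VRF interface. Without it the
! global side has no path back and every reply is dropped.
ip route 10.100.0.0 255.255.255.0 Vlan100
!
! Option 2 (the crossover-cable method): instead of the two statics,
! cable two routed ports together, one in global and one in the VRF, and
! run EIGRP across them so routes leak dynamically in both directions.
interface GigabitEthernet2/1
 description leak port, global side
 no switchport
 ip address 10.254.0.1 255.255.255.252
!
interface GigabitEthernet2/2
 description leak port, VRF side (cabled to Gi2/1)
 no switchport
 ip vrf forwarding DEPT-A
 ip address 10.254.0.2 255.255.255.252
!
! Distinct router-ids on the two sides: EIGRP discards external routes
! whose originating router-id equals its own, and both instances live on
! the same box.
router eigrp 1
 eigrp router-id 10.254.0.1
 network 10.200.0.0 0.0.0.255
 network 10.254.0.0 0.0.0.3
 no auto-summary
 address-family ipv4 vrf DEPT-A
  autonomous-system 1
  eigrp router-id 10.254.0.2
  network 10.100.0.0 0.0.255.255
  network 10.254.0.0 0.0.0.3
  no auto-summary
 exit-address-family
```

    Use one option or the other, not both. Checks: "show ip route vrf DEPT-A" should show the default (option 1) or the global prefixes learned over Gi2/2 (option 2), "show ip eigrp vrf DEPT-A neighbors" should list 10.254.0.1 for option 2, and "show ip access-lists DEPT-A-FROM-USERS" should show hits on the "deny ip any any log" line when a host in the VRF tries anything other than HTTP towards the global side. As the top of this page notes, this ACL must be repeated on every VRF-facing interface, which is the scaling limit of the approach.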
