Overview
The Customer has requested Layer 2 and Layer 3 separation in the campus networks between the AA and BB user groups. Common access for all users to centralized applications should be maintained.
Solution

In this solution we create Layer 2 boundaries with VLANs and Layer 3 boundaries with VRFs. The benefit of VRFs is that each one has its own separate routing table, so no routing or communication exists between VRFs. This benefit is also a drawback: an application must reside in the same VRF as the users who access it. To work around this VRF limitation we use the import function of VRF route targets together with Multiprotocol BGP (MBGP). The Data Center router uses MBGP to advertise routes carrying the selected route targets into its own local VRF routing tables; no MBGP peering is required. We then use OSPF (EIGRP or RIP would also work) to advertise the selected routes to the adjacent Campus Routers. VRF AA and VRF BB each have full access to VRF CC and no access to each other.
[Figure: Site A and Site B campus routers connected across MPLS to the Data Center. VRF AA: VLAN 101 WAN (192.168.101.1 at Site A, 192.168.101.2 at Site B), VLAN 11 users at Site B (192.168.11.1). VRF BB: VLAN 201 WAN (192.168.201.1 at Site A, 192.168.201.2 at Site B, 192.168.201.254 at the Data Center), VLAN 22 users at Site B (192.168.22.1). Secure boundary between VRF AA and VRF BB: no local connectivity.]
Users in VRF AA cannot communicate with those in VRF BB, though Users in each VRF can access Applications in VRF CC.
VRF AA: export 1:1   | import 1:1, 99:99
VRF BB: export 2:2   | import 2:2, 99:99
VRF CC: export 99:99 | import 1:1, 2:2, 99:99
[Figure: Data Center router hosting VRF CC on VLAN 99, 192.168.99.254.]
Applications in VRF CC are accessible from both VRF AA and VRF BB. This does not create a bridge or security loophole between VRF AA and VRF BB.
Page 1 of 6
Reference

Some quick reference notes.

Route Distinguisher (RD): a 64-bit identifier that is prepended to the customer's 32-bit IPv4 prefix to create a globally unique 96-bit VPNv4 prefix. The RD is configured per VRF on the PE router.

Route Target (RT): identifies the VPN membership of routes. RTs allow selective import and export of VPNv4 prefixes into and out of a VRF. Route targets are encoded in a 64-bit BGP extended community (16 bits of Type and 48 bits of Value).
ip vrf AA                  << create virtual routing and forwarding table
 rd 1:1                    << globally unique 64-bit identifier
 route-target export 1:1   << export routes with an RT of 1:1
 route-target import 1:1   << import routes with an RT of 1:1
 route-target import 99:99 << import routes with an RT of 99:99 (the RT that VRF CC exports)
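To make the route-target mechanics concrete, the following is an added Python model (it is not part of this document and not Cisco code). It encodes the RD and RT exactly as the reference notes describe, builds the 96-bit VPNv4 prefix, and applies the import/export lists of VRF AA, BB and CC from the Solution section to show that AA and BB both receive the CC prefix while neither receives the other's. The VRF names, RDs, RTs and prefixes are the page's; the function names and the choice of one connected prefix per VRF are this example's assumptions.

```python
"""Model of route-target import/export and VPNv4 prefix encoding for the
AA / BB / CC design. Added example, not from the original document."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Network


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type 0 route distinguisher: 2-byte type (0), 2-byte ASN, 4-byte number."""
    return struct.pack("!HHI", 0, asn, assigned)


def encode_rt(asn: int, assigned: int) -> bytes:
    """Route target as a two-octet-AS extended community (RFC 4360):
    16 bits of type/sub-type (0x00, 0x02) followed by 48 bits of value."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, assigned)


def vpnv4_prefix(rd: bytes, network: IPv4Network) -> bytes:
    """96-bit VPNv4 prefix: the 64-bit RD prepended to the 32-bit IPv4 prefix."""
    return rd + network.network_address.packed


@dataclass
class Vrf:
    name: str
    rd: bytes
    export_rts: frozenset
    import_rts: frozenset
    connected: list                            # IPv4Network, locally connected
    table: dict = field(default_factory=dict)  # IPv4Network -> originating VRF name


def build_vpnv4_table(vrfs):
    """Local MBGP VPNv4 table: every connected route, keyed by its VPNv4 prefix,
    carries the export RTs of the VRF it originated in."""
    entries = []
    for vrf in vrfs:
        for net in vrf.connected:
            entries.append((vpnv4_prefix(vrf.rd, net), net, vrf.name, vrf.export_rts))
    return entries


def import_routes(vrfs):
    """Import into each VRF every VPNv4 route whose RTs intersect its import list.
    Imported routes keep their original RTs and are not re-exported, so the
    leaking is not transitive: CC importing 1:1 and 2:2 never joins AA to BB."""
    entries = build_vpnv4_table(vrfs)
    for vrf in vrfs:
        vrf.table = {net: origin for _, net, origin, rts in entries if rts & vrf.import_rts}
    return {vrf.name: sorted(str(n) for n in vrf.table) for vrf in vrfs}


def reachability(vrfs):
    """For each source VRF, whether it holds routes to each VRF's connected prefixes."""
    import_routes(vrfs)
    return {src.name: {dst.name: all(n in src.table for n in dst.connected)
                       for dst in vrfs} for src in vrfs}


def data_center_vrfs():
    """The three VRFs on the Data Center router with the page's RD/RT policy.
    One connected prefix per VRF is an assumption of this example."""
    rt = encode_rt
    return [
        Vrf("AA", encode_rd(1, 1), frozenset({rt(1, 1)}), frozenset({rt(1, 1), rt(99, 99)}),
            [IPv4Network("192.168.101.0/24")]),
        Vrf("BB", encode_rd(2, 2), frozenset({rt(2, 2)}), frozenset({rt(2, 2), rt(99, 99)}),
            [IPv4Network("192.168.201.0/24")]),
        Vrf("CC", encode_rd(99, 99), frozenset({rt(99, 99)}),
            frozenset({rt(1, 1), rt(2, 2), rt(99, 99)}), [IPv4Network("192.168.99.0/24")]),
    ]


if __name__ == "__main__":
    for src, dsts in reachability(data_center_vrfs()).items():
        print(src, {d: ("route present" if ok else "no route") for d, ok in dsts.items()})
```

Running it prints one line per VRF; AA and BB each show a route to CC and none to each other, while CC shows routes to both, which is the matrix the page describes.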
Configuration

IOS configuration for the routers at Site A, Site B, and the Data Center.
Site A Router
[Figure: Site A router toward MPLS. VRF AA: VLAN 1 users (192.168.1.1), VLAN 101 WAN (192.168.101.1). VRF BB: VLAN 2 users (192.168.2.1), VLAN 201 WAN (192.168.201.1).]
ip vrf AA
 rd 1:1
!
ip vrf BB
 rd 2:2
!
interface Vlan1
 description AA User VLAN 1
 ip vrf forwarding AA
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description BB User VLAN 2
 ip vrf forwarding BB
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan101
 description AA WAN
 ip vrf forwarding AA
 ip address 192.168.101.1 255.255.255.0
!
interface Vlan201
 description BB WAN
 ip vrf forwarding BB
 ip address 192.168.201.1 255.255.255.0
!
router ospf 101 vrf AA
 network 192.168.1.1 0.0.0.0 area 1
 network 192.168.101.1 0.0.0.0 area 0
!
router ospf 201 vrf BB
 network 192.168.2.1 0.0.0.0 area 1
 network 192.168.201.1 0.0.0.0 area 0
Site B Router
[Figure: Site B router toward MPLS. VRF AA: VLAN 11 users (192.168.11.1), VLAN 101 WAN (192.168.101.2). VRF BB: VLAN 22 users (192.168.22.1), VLAN 201 WAN (192.168.201.2).]
ip vrf AA
 rd 1:1
!
ip vrf BB
 rd 2:2
!
interface Vlan11
 description AA User VLAN 11
 ip vrf forwarding AA
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan22
 description BB User VLAN 22
 ip vrf forwarding BB
 ip address 192.168.22.1 255.255.255.0
!
interface Vlan101
 description AA WAN
 ip vrf forwarding AA
 ip address 192.168.101.2 255.255.255.0
!
interface Vlan201
 description BB WAN
 ip vrf forwarding BB
 ip address 192.168.201.2 255.255.255.0
!
router ospf 101 vrf AA
 network 192.168.11.1 0.0.0.0 area 2
 network 192.168.101.2 0.0.0.0 area 0
!
router ospf 201 vrf BB
 network 192.168.22.1 0.0.0.0 area 2
 network 192.168.201.2 0.0.0.0 area 0
Site B Router

SB#sh ip ro vrf AA
Routing Table: AA
C    192.168.11.0/24 is directly connected, Vlan11
O E2 192.168.99.0/24 [110/1] via 192.168.101.254, 03:08:38, Vlan101   << vrf CC route available in vrf AA routing table
O IA 192.168.1.1 [110/2] via 192.168.101.1, 03:08:38, Vlan101
C    192.168.101.0/24 is directly connected, Vlan101

SB#sh ip ro vrf BB
Routing Table: BB
C    192.168.201.0/24 is directly connected, Vlan201
O E2 192.168.99.0/24 [110/1] via 192.168.201.254, 03:08:42, Vlan201   << vrf CC route available in vrf BB routing table
C    192.168.22.0/24 is directly connected, Vlan22
O IA 192.168.2.1 [110/2] via 192.168.201.1, 03:08:42, Vlan201

SB# ping vrf AA 192.168.99.254
Sending 5, 100-byte ICMP Echos to 192.168.99.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms

SB# ping vrf BB 192.168.99.254
Sending 5, 100-byte ICMP Echos to 192.168.99.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Data Center Router

DC#show ip bgp vpnv4 all
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf AA)
*> 192.168.1.1/24   192.168.101.1            2         32768 ?
*> 192.168.11.1/24  192.168.101.2            2         32768 ?
*> 192.168.99.0     0.0.0.0                  0         32768 ?   << vrf CC route available in vrf AA routing table
*> 192.168.101.0    0.0.0.0                  0         32768 ?
Route Distinguisher: 2:2 (default for vrf BB)
*> 192.168.2.1/24   192.168.201.1            2         32768 ?
*> 192.168.22.1/24  192.168.201.2            2         32768 ?
*> 192.168.99.0     0.0.0.0                  0         32768 ?   << vrf CC route available in vrf BB routing table
*> 192.168.201.0    0.0.0.0                  0         32768 ?
Route Distinguisher: 99:99 (default for vrf CC)
*> 192.168.1.1/24   192.168.101.1            2         32768 ?   << vrf AA route available in vrf CC routing table
*> 192.168.2.1/24   192.168.201.1            2         32768 ?   << vrf BB route available in vrf CC routing table
*> 192.168.11.1/24  192.168.101.2            2         32768 ?   << vrf AA route available in vrf CC routing table
*> 192.168.22.1/24  192.168.201.2            2         32768 ?   << vrf BB route available in vrf CC routing table
*> 192.168.99.0     0.0.0.0                  0         32768 ?
*> 192.168.101.0    0.0.0.0                  0         32768 ?   << vrf AA route available in vrf CC routing table
*> 192.168.201.0    0.0.0.0                  0         32768 ?   << vrf BB route available in vrf CC routing table

DC#sh ip ro vrf AA
Routing Table: AA
O IA 192.168.11.1 [110/2] via 192.168.101.2, 03:03:50, Vlan101
B    192.168.99.0/24 is directly connected, 03:04:25, Vlan99   << vrf CC route available in vrf AA routing table
O IA 192.168.1.1 [110/2] via 192.168.101.1, 03:03:50, Vlan101
C    192.168.101.0/24 is directly connected, Vlan101

DC#sh ip ro vrf BB
Routing Table: BB
C    192.168.201.0/24 is directly connected, Vlan201
B    192.168.99.0/24 is directly connected, 03:04:29, Vlan99   << vrf CC route available in vrf BB routing table
O IA 192.168.22.1 [110/2] via 192.168.201.2, 03:03:54, Vlan201
O IA 192.168.2.1 [110/2] via 192.168.201.1, 03:03:54, Vlan201

DC#sh ip ro vrf CC
Routing Table: CC
B    192.168.11.1 [20/2] via 192.168.101.2 (AA), 03:03:49, Vlan101   << vrf AA route available in vrf CC routing table
B    192.168.201.0/24 is directly connected, 03:04:34, Vlan201   << vrf BB route available in vrf CC routing table
C    192.168.99.0/24 is directly connected, Vlan99
B    192.168.22.1 [20/2] via 192.168.201.2 (BB), 03:03:49, Vlan201   << vrf BB route available in vrf CC routing table
B    192.168.1.1 [20/2] via 192.168.101.1 (AA), 03:03:49, Vlan101   << vrf AA route available in vrf CC routing table
B    192.168.2.1 [20/2] via 192.168.201.1 (BB), 03:03:49, Vlan201   << vrf BB route available in vrf CC routing table
B    192.168.101.0/24 is directly connected, 03:04:34, Vlan101   << vrf AA route available in vrf CC routing table
DC#ping vrf CC 192.168.1.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

DC#ping vrf CC 192.168.2.1
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
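The show output above is what an operator checks to confirm the boundary actually holds after the route targets are configured. As an added example (not from the document), the following Python script parses `show ip route vrf` lines in the format shown for the Site B router, compares each prefix and next hop against the address space that VRF is allowed to carry, and flags anything that crosses the AA/BB boundary. The POLICY table is derived from the page's addressing, and the single leaked line used to exercise the check is constructed for this example.

```python
"""Audit 'show ip route vrf' output against the intended VRF boundary.
Added example, not from the original document."""
import re
from ipaddress import IPv4Network, ip_network

# Address space each VRF may carry, derived from the page's addressing: AA and
# BB user/WAN VLANs are disjoint, and both may hold the VRF CC prefix
# 192.168.99.0/24. Constructed for this example.
POLICY = {
    "AA": [IPv4Network("192.168.1.0/24"), IPv4Network("192.168.11.0/24"),
           IPv4Network("192.168.101.0/24"), IPv4Network("192.168.99.0/24")],
    "BB": [IPv4Network("192.168.2.0/24"), IPv4Network("192.168.22.0/24"),
           IPv4Network("192.168.201.0/24"), IPv4Network("192.168.99.0/24")],
}

# Matches IOS route lines such as
#   O E2 192.168.99.0/24 [110/1] via 192.168.101.254, 03:08:38, Vlan101
#   C    192.168.11.0/24 is directly connected, Vlan11
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2}(?: [A-Z0-9]{1,2})?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"(?:.*?\bvia (?P<nexthop>\d+\.\d+\.\d+\.\d+))?")


def parse_route(line):
    """Return (code, prefix network, next hop or None), or None for non-route lines.
    A prefix printed without a mask is treated as a /32 host route."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix")
    if "/" not in prefix:
        prefix += "/32"
    return m.group("code"), ip_network(prefix, strict=False), m.group("nexthop")


def within_policy(addr_or_net, allowed):
    """True if a network, or a /32 for a bare address, sits inside an allowed block."""
    net = addr_or_net if isinstance(addr_or_net, IPv4Network) else ip_network(addr_or_net + "/32")
    return any(net.subnet_of(a) for a in allowed)


def audit_vrf_table(vrf, lines):
    """Flag every route or next hop that lies outside the VRF's allowed space."""
    allowed = POLICY[vrf]
    findings = []
    for line in lines:
        parsed = parse_route(line)
        if parsed is None:
            continue
        code, net, hop = parsed
        if not within_policy(net, allowed):
            findings.append(f"{vrf}: foreign prefix {net} ({code}) in routing table")
        if hop and not within_policy(hop, allowed):
            findings.append(f"{vrf}: next hop {hop} for {net} lies outside VRF {vrf}")
    return findings


# Sample input: the Site B 'sh ip ro vrf AA' output from the page.
SITE_B_VRF_AA = """\
Routing Table: AA
C    192.168.11.0/24 is directly connected, Vlan11
O E2 192.168.99.0/24 [110/1] via 192.168.101.254, 03:08:38, Vlan101
O IA 192.168.1.1 [110/2] via 192.168.101.1, 03:08:38, Vlan101
C    192.168.101.0/24 is directly connected, Vlan101
""".splitlines()

# Constructed line: a BB user prefix appearing in AA's table, as it would if
# the route-target import lists were widened by mistake.
LEAKED_LINE = "O E2 192.168.22.0/24 [110/1] via 192.168.101.254, 00:00:05, Vlan101"

if __name__ == "__main__":
    print(audit_vrf_table("AA", SITE_B_VRF_AA) or "AA: boundary intact")
    print(audit_vrf_table("AA", SITE_B_VRF_AA + [LEAKED_LINE]))
```

The same check run periodically against the Data Center router's `sh ip ro vrf AA` and `sh ip ro vrf BB` output catches a later change to the import lists that would silently join the two VRFs, which the pings alone would not reveal.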