VRF Light

16 years 1 month ago #29794 by Chojin
VRF Light was created by Chojin
Hi all,

Do any of you have any experience with VRF Light?

Currently I have the following challenge.

I would like to separate a couple of VLANs from the other VLANs and route them to a separate firewall. They are not allowed to communicate outside this VLAN group.

[Core-Switch]
VLAN1
VLAN2
VLAN3
VLAN4
VLAN5
VLAN6
VLAN7
VLAN 1-2-3-4 are able to communicate with each other and the rest of the network (routed).

VLAN 5-6-7 may communicate with each other, but NOT with the rest of the network.
Now, I would like to attach an interface of the firewall on the core switch in VLAN 8.

Have VLAN 5-6-7 communicate with 5-6-7-8.

For this I think VRF-Light is a nice way to distinguish these.
Thanks for the responses in advance :)

greetings Chojin

CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
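An added example configuration (not Chojin's and not from this thread) of the layout described in the post above on an IOS switch such as a 3750: VLANs 2-4 stay in the global routing table, VLANs 5-8 are placed in one VRF, and the VRF's only exit is a default route to the firewall on VLAN 8. The VRF name, RD and all addresses are assumed.

```ios
! Added example, not from the thread: VRF-lite for the VLAN 5-6-7-8 group.
! VLANs 2-4 stay in the global table; VLANs 5-8 go into VRF FW-ZONE (name assumed).
! All addresses below are constructed for the example.
ip routing
!
! The rd is required before the VRF can be bound to an interface.
! No route-target is needed: VRF-lite does not use MP-BGP to exchange routes.
ip vrf FW-ZONE
 rd 65000:1
 description VLAN 5-7 plus firewall transit VLAN 8
!
! Global VLANs: ordinary SVIs, routed with the rest of the network
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
interface Vlan3
 ip address 10.1.3.1 255.255.255.0
interface Vlan4
 ip address 10.1.4.1 255.255.255.0
!
! Isolated VLANs: 'ip vrf forwarding' comes first, because IOS clears the
! IP address of an interface when its VRF membership changes.
interface Vlan5
 ip vrf forwarding FW-ZONE
 ip address 10.2.5.1 255.255.255.0
interface Vlan6
 ip vrf forwarding FW-ZONE
 ip address 10.2.6.1 255.255.255.0
interface Vlan7
 ip vrf forwarding FW-ZONE
 ip address 10.2.7.1 255.255.255.0
interface Vlan8
 description Transit to firewall inside interface (assumed 10.2.8.254)
 ip vrf forwarding FW-ZONE
 ip address 10.2.8.1 255.255.255.0
!
! The only route out of the VRF points at the firewall. Do not add a static
! route with the 'global' keyword here, as that would leak traffic into the
! global table and bypass the firewall.
ip route vrf FW-ZONE 0.0.0.0 0.0.0.0 10.2.8.254
!
! Verification after applying: the VRF table should list only the 10.2.x.0/24
! connected routes and the default; the global table must not contain them.
!   show ip route vrf FW-ZONE
!   show ip vrf interfaces FW-ZONE
!   ping vrf FW-ZONE 10.2.8.254
!   ping 10.2.5.1   (from the global table; should fail)
```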
16 years 1 month ago #29855 by Chojin
Replied by Chojin on topic Re: VRF Light
As always, things will work :)

Got VRF-Light working at the moment, see below the config of my 3750:

[code:1]
Current configuration : 3975 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch2
!
boot-start-marker
boot-end-marker
!
enable secret 5 show_me_the_money
!
username cisco password 0 cisco <-- this is a secret
no aaa new-model
switch 1 provision ws-c3750-24p
system mtu routing 1500
!
ip subnet-zero
ip routing
no ip domain-lookup
!
!
ip vrf test
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf test2
rd 2:2
route-target export 2:2
route-target import 2:2
!

!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface Loopback1
ip vrf forwarding test
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
no switchport
no ip address
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip vrf forwarding test
ip address 192.168.10.3 255.255.255.0
standby 1 ip 192.168.10.254
standby 1 priority 90
standby 1 preempt
standby 1 track GigabitEthernet1/0/1 25
!
interface Vlan20
ip vrf forwarding test2
ip address 192.168.10.2 255.255.255.0
!
interface Vlan999
ip address 192.168.99.2 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
!
!
control-plane
!
alias exec s show ip int brief | e unas
alias exec si show int status | e notcon
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco <-- this is a secret, don't tell anyone plz
login
line vty 5 15
password cisco <-- this is a secret, don't tell anyone plz
login
!
end
[/code:1]

CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA