[c-nsp] Logical Router Segmentation

Chris Burwell cburwell at gmail.com
Sat Jan 10 09:57:36 EST 2009


Brad & Doug,

The information provided helps me understand how everything would be
set up a bit better. The problem I think I will run into will be the
fact that our "district router" is an HP Procurve 8212zl.

I am fairly certain the 8212zl can accomplish what was described here,
the problem will be finding documentation on how to configure
everything.

- Chris

On Sat, Jan 10, 2009 at 1:55 AM, Douglas C. Stephens
<stephens at ameslab.gov> wrote:
> Chris,
>
> Does your switch or router have VRF-lite in its feature set?
>
> I had a similar problem wrapping my brain around layer-3 segmentation.  What
> you describe seems similar in concept to problems I faced in the past couple
> of years.  I found some docs at Cisco that were close to what I wanted,
> and they covered Policy-Based Routing and VRF as two solutions.  A lot of
> what those documents talked about re. VRF was using either MPLS or GRE
> tunnels.  That seemed a bit heavy for my campus LAN.  So I found instead
> VRF-lite, which worked without all that MPLS and GRE stuff.  I implemented
> VRF-lite in my core switch/routers because it was going to be easier to
> implement and maintain than PBR and traditional VRF.
>
> Basically, VRF and VRF-lite create alternate independent RIBs (route tables)
> in your switch or router.  Unless you configure some way to explicitly share
> or leak routes between each of them and your global table, they won't.
> So you could create a totally separate routing process (OSPF, BGP, static
> routes, whatever) that is independent of your main OSPF IGP.  As far as your
> existing internal OSPF, your switch/router's OSPF area 0 is an ASBR with a
> default route leading out to your content filter and firewall.
>
> What you might do with this is to create a VRF definition for your external
> connections, including the one coming back from the "outside" of your
> firewall.
>
> ip vrf externalzone
>  rd 111:222
>
> Then put your group of "external zone" interfaces into
>
> int fa1/0
>  ip vrf forwarding externalzone
>  ip address 10.0.0.1 255.255.255.0
>  exit
> int fa2/0
>  ip vrf forwarding externalzone
>  ip address 10.0.1.1 255.255.255.0
>  exit
> int fa3/0
>  ip vrf forwarding externalzone
>  ip address 10.0.2.1 255.255.255.0
>  exit
>
> Then you set up your routing for the VRF.  I'll show you OSPF and static
> routes.
>
> router ospf 333 vrf externalzone
>  log-adjacency-changes
>  capability vrf-lite
>  area 0 stub no-summary
>  passive-interface default
>  network 10.0.0.0 0.0.0.255 area 0
>  network 10.0.1.0 0.0.0.255 area 0
>  network 10.0.2.0 0.0.0.255 area 0
>  distribute-list deny-def-route out
>
> ip route vrf externalzone 0.0.0.0 0.0.0.0 <uplink-1-farside-ip>
> ip route vrf externalzone 0.0.0.0 0.0.0.0 <uplink-2-farside-ip> 20
> ip route vrf externalzone <internal nets> 10.0.2.2
>
>
> It works for VLAN SVIs as well as L3 routed physical ports.  Just make sure
> your switch/router has VRF-lite in its feature set.
>
> If you have this feature available, here are some links to other web pages
> that can help you understand it better.
>
> http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/net_qanda0900aecd804a16ae.html
>
> http://www.cisco.com/en/US/netsol/ns658/networking_solutions_package.html
>
> http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080851cc6.pdf
>
> http://www.ciscosystems.com/en/US/docs/optical/15000r4_0/ethernet/454/guide/vrf.pdf
>
> http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
>
> http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
>
> http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
>
> http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/cheatsheet.shtml
>
>
>
> At 05:52 PM 1/9/2009, Chris Burwell wrote:
>>
>> I am looking for a bit of guidance on logically segmenting an existing
>> router. Currently I have a core network router that has fiber
>> connections to all of our buildings. Each building is in its own
>> VLAN. We run OSPF on the router and all VLANS are in the same area
>> 0.0.0.1.
>>
>> In the future things are going to change, one of which will be our
>> ISP. So we will have two fiber connections to the outside world. One
>> will go to the internet VIA a yet to be named ISP, while the other
>> will go to an external entity that provides some services to us. Since
>> money is tight right now, I want to try to use our current hardware
>> for the new setup.
>>
>> What I am unsure about is how everything would be set up. I know that
>> the two external connections will be in their own VLAN, but it is the
>> routing part that I am trying to wrap my head around. Would we have to
>> run a separate routing instance for the two external connections? I
>> ask this because once the outbound traffic makes it past our firewall,
>> the router is going to have to make a decision on if the traffic
>> should be routed to the external entity or to the internet. Would we
>> be able to accomplish this with our current routing setup?
>>
>> The setup will be the two external connections on their own VLAN. A
>> third connection will also be a part of that VLAN, and this will
>> provide the "outside" link on our firewall. From there the firewall
>> will connect to another port on our internal network (which is again
>> on its own VLAN, but this VLAN is part of our internal OSPF area). So
>> outbound traffic would travel into the internal interface on the
>> firewall, out the external interface and back into our core router.
>> From here the decision needs to be made on what link the packet should
>> be forwarded out of.
>>
>> I appreciate any help!
>>
>> - Chris
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> --
> Douglas C. Stephens             | UNIX/Windows/Email Admin
> System Support Specialist       | Network/DNS Admin
> Information Systems             | Phone: (515) 294-6102
> Ames Laboratory, US DOE         | Email: stephens at ameslab.gov
>
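As an added illustration of the idea in Douglas' reply (not code from either poster, and not something a router runs), the following Python model shows what VRF-lite gives you: one independent route table for the global instance and one for the "externalzone" VRF. A lookup in one table never sees the other table's prefixes unless a route is deliberately placed there (the `<internal nets>` static via 10.0.2.2 plays that role), and the two defaults with administrative distance 1 and 20 behave as primary and backup uplinks. The interface subnets and the 10.0.2.2 firewall hop come from the posted config; the uplink far-side addresses, the internal 10.10.0.0/16 range, and the 172.16.0.0/12 "external entity" prefix are constructed placeholders.

```python
"""Toy model of VRF-lite forwarding: one independent RIB per VRF.

Constructed example added to this thread, not from the original posts.
All prefixes, next hops and distances are constructed; the post's
<uplink-1-farside-ip> and <uplink-2-farside-ip> are stood in for by
documentation addresses (192.0.2.1 and 198.51.100.1).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str      # far-side IP, or "connected" for a directly attached subnet
    distance: int = 1  # administrative distance; lower wins between equal prefixes


@dataclass
class Rib:
    """One routing table. The global table and each VRF get their own."""
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, prefix: str, next_hop: str, distance: int = 1) -> None:
        self.routes.append(Route(ip_network(prefix), next_hop, distance))

    def withdraw(self, prefix: str, next_hop: str) -> None:
        """Drop a route, e.g. when the uplink it points at goes down."""
        net = ip_network(prefix)
        self.routes = [r for r in self.routes
                       if not (r.prefix == net and r.next_hop == next_hop)]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; ties broken by lowest administrative distance."""
        addr: IPv4Address = ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def build_router() -> Dict[str, Rib]:
    """Global RIB plus the 'externalzone' VRF RIB, laid out like the posted config."""
    glob = Rib("global")
    glob.add("10.10.0.0/16", "connected")     # constructed: internal building VLANs
    glob.add("0.0.0.0/0", "10.10.255.1")       # constructed: default to firewall inside

    ext = Rib("externalzone")
    ext.add("10.0.0.0/24", "connected")        # fa1/0 in the post
    ext.add("10.0.1.0/24", "connected")        # fa2/0
    ext.add("10.0.2.0/24", "connected")        # fa3/0, firewall outside lives here
    ext.add("0.0.0.0/0", "192.0.2.1")          # <uplink-1-farside-ip>, AD 1 (primary)
    ext.add("0.0.0.0/0", "198.51.100.1", 20)   # <uplink-2-farside-ip>, AD 20 (floating)
    ext.add("172.16.0.0/12", "198.51.100.1")   # constructed: external entity's nets via uplink 2
    ext.add("10.10.0.0/16", "10.0.2.2")        # <internal nets> back through the firewall
    return {"global": glob, "externalzone": ext}


def forward(ribs: Dict[str, Rib], vrf: str, dst: str) -> Optional[str]:
    """Next hop chosen for dst when the packet arrives on an interface in `vrf`."""
    route = ribs[vrf].lookup(dst)
    return None if route is None else route.next_hop


if __name__ == "__main__":
    ribs = build_router()
    for dst in ("8.8.8.8", "172.16.1.1", "10.10.5.5"):
        print(f"externalzone {dst:>12} -> {forward(ribs, 'externalzone', dst)}")
    # The global table holds no 10.0.x.0/24 routes: it only sees its own default.
    print(f"global       {'10.0.1.5':>12} -> {forward(ribs, 'global', '10.0.1.5')}")
    ribs["externalzone"].withdraw("0.0.0.0/0", "192.0.2.1")
    print(f"uplink 1 down: 8.8.8.8 -> {forward(ribs, 'externalzone', '8.8.8.8')}")
```

Running it shows the decision Chris asked about being made entirely inside the VRF: Internet-bound traffic follows the AD 1 default, traffic for the constructed 172.16.0.0/12 range follows its more specific route to the second uplink, and return traffic for the internal range goes back to the firewall's outside address. A lookup in the global table for an externalzone subnet falls through to the global default, which is the isolation Douglas describes.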

