[c-nsp] Question about VRF

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Aug 21 01:18:55 EDT 2007


Dean Perrine <> wrote on Tuesday, August 21, 2007 3:32 AM:

> Hello,
> 
> Can anyone advise on this situation?
> 
> Topology:
> Picture a firewall at the top of the network; it has 3 interfaces
> on it. Each interface goes to a router (logical), so 2 VRFs and one
> native routing domain.
> So there are 3 logical routers; each router has a VLAN on it which is
> trunked to a switch that is divided into those 3 VLANs (3 logical
> switches).
> 
> If you draw this out it's all separate, right? Is this a valid setup?
> It seems if you don't physically separate each VRF'ed VLAN you get
> stuck.

Yes, this is a valid setup, sort of "firewall on a stick".

> The switch tries to send the traffic to its native router and not the
> VRF'ed VLANs, or its default gateway. There's no way to specify I want
> traffic to be sent to a different gateway, although it should send
> the traffic within its VLAN.

What do you mean by "the switch tries to send the traffic"? Which
traffic? If the firewall sends traffic over Interface10 in Vlan10, it
will be forwarded across the trunk encapsulated with dot1q tag 10.
Traffic originated by the switch, however (i.e. when you ping from the
switch itself), is sent over its management VLAN, using whatever VLAN you
chose as the management VLAN. The switch itself is likely only virtualized
at Layer 2, but this doesn't prevent your router/firewall setup from
working. It just means you can only manage the switch through one of the
three routing contexts.

	oli
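The setup Oli describes, written out as an added IOS configuration example; this is not from the original thread, and the interface names, VRF names, VLAN numbers and addresses are all assumptions. The router keeps VLAN 30 in the global table and puts VLANs 10 and 20 into two VRF-lite contexts, each with its own default route toward the firewall interface that faces it. The switch side is Layer 2 only: the trunk is pruned to the three VLANs, and the single management SVI sits in VLAN 30, which is the one routing context through which the switch can be reached.

```cisco
! ---- Router: three routing contexts sharing one trunk to the switch ----
! Assumed layout: Gi0/0 is a dot1q trunk toward the firewall (one
! subinterface per context), Gi0/1 is the trunk toward the switch.
ip vrf RED
 rd 65000:10
!
ip vrf BLUE
 rd 65000:20
!
! Firewall-facing side. "ip vrf forwarding" wipes any address already on
! the subinterface, so it has to come before "ip address".
interface GigabitEthernet0/0.110
 encapsulation dot1Q 110
 ip vrf forwarding RED
 ip address 10.110.0.1 255.255.255.0
!
interface GigabitEthernet0/0.120
 encapsulation dot1Q 120
 ip vrf forwarding BLUE
 ip address 10.120.0.1 255.255.255.0
!
interface GigabitEthernet0/0.130
 encapsulation dot1Q 130
 ip address 10.130.0.1 255.255.255.0
!
! Switch-facing side: frames leave here tagged 10/20/30 on the trunk.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding RED
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding BLUE
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.30.0.1 255.255.255.0
!
! One default route per context, each pointing at the firewall interface
! that belongs to that context (firewall addresses assumed). Nothing is
! leaked between the tables; the firewall is the only path between them.
ip route vrf RED  0.0.0.0 0.0.0.0 10.110.0.254
ip route vrf BLUE 0.0.0.0 0.0.0.0 10.120.0.254
ip route 0.0.0.0 0.0.0.0 10.130.0.254

! ---- Switch: Layer 2 only, three "logical switches" on one box ----
! Assumed hardening beyond what the thread discusses: the trunk carries
! only the three VLANs and an unused VLAN is native, so nothing rides the
! trunk untagged.
vlan 10,20,30,999
!
interface GigabitEthernet0/1
 description trunk to router
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface GigabitEthernet0/2
 description host in the RED context
 switchport access vlan 10
 switchport mode access
!
! The switch's only Layer 3 presence: one SVI in the global-table VLAN.
! Traffic the switch itself originates (ping, syslog, SSH replies) uses
! this, so the switch is manageable from this context only.
interface Vlan30
 ip address 10.30.0.2 255.255.255.0
!
ip default-gateway 10.30.0.1
```

Omit `switchport trunk encapsulation dot1q` on platforms that only speak dot1q and reject the command. To check the separation from the router, `show ip vrf interfaces` should list Gi0/0.110 and Gi0/1.10 under RED and Gi0/0.120 and Gi0/1.20 under BLUE, `show ip route vrf RED` should show only the 10.10.0.0/24, 10.110.0.0/24 and the RED default route, and a `ping vrf RED 10.110.0.254` has to name its context explicitly. On the switch there is no such choice: `ping 10.30.0.1` works and `ping 10.10.0.1` fails, which is exactly the "one routing context" limitation in the reply, not a fault in the VLAN or VRF design.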

