[c-nsp] Logical Router Segmentation
Douglas C. Stephens
stephens at ameslab.gov
Sat Jan 10 01:55:57 EST 2009
Chris,
Does your switch or router have VRF-lite in its feature set?
I had a similar problem wrapping my brain around layer-3 segmentation. What
you describe seems similar in concept to problems I faced in the past couple
of years. I found some docs at Cisco that were close to what I wanted to,
and they covered Policy-Based Routing and VRF as two solutions. A lot of
what those documents talked about re. VRF was using either MPLS or GRE
tunnels. That seemed a bit heavy for my campus LAN. So I found instead
VRF-lite, which worked without all that MPLS and GRE stuff. I implemented
VRF-lite in my core switch/routers because it was going to be easier to
implement and maintain than PBR and traditional VRF.
Basically, VRF and VRF-lite create alternate independent RIBs (route tables)
in your switch or router. Unless you configure some way to explicitly share
or leak routes between each of them and your global table, they won't.
So you could create a totally separate routing process (OSPF, BGP, static
routes, whatever) that is independent of your main OSPF IGP. As far as your
existing internal OSPF, your switch/router's OSPF area 0 is an ASBR with a
default route leading out to your content filter and firewall.
What you might do with this is to create a VRF definition for your external
connections, including the one coming back from the "outside" of your
firewall.
ip vrf externalzone
rd 111:222
Then put your group of "external zone" interfaces into
int fa1/0
ip vrf forwarding externalzone
ip address 10.0.0.1 255.255.255.0
exit
int fa2/0
ip vrf forwarding externalzone
ip address 10.0.1.1 255.255.255.0
exit
int fa3/0
ip vrf forwarding externalzone
ip address 10.0.2.1 255.255.255.0
exit
Then you set up your routing for the VRF. I'll show you OSPF and static
routes.
router ospf 333 vrf externalzone
log-adjacency-changes
capability vrf-lite
area 0 stub no-summary
passive-interface default
network 10.0.0.0 0.0.0.255 area 0
network 10.0.1.0 0.0.0.255 area 0
network 10.0.2.0 0.0.0.255 area 0
distribute-list deny-def-route out
ip route vrf externalzone 0.0.0.0 0.0.0.0 <uplink-1-farside-ip>
ip route vrf externalzone 0.0.0.0 0.0.0.0 <uplink-2-farside-ip> 20
ip route vrf externalzone <internal nets> 10.0.2.2
It works for VLAN SVIs as well as L3 routed physical ports. Just make sure
your switch/router has VRF-line in its feature set.
If you have this feature available, here are some links to other web pages
that can help you understand it better.
http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/net_qanda0900aecd804a16ae.html
http://www.cisco.com/en/US/netsol/ns658/networking_solutions_package.html
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080851cc6.pdf
http://www.ciscosystems.com/en/US/docs/optical/15000r4_0/ethernet/454/guide/vrf.pdf
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/cheatsheet.shtml
At 05:52 PM 1/9/2009, Chris Burwell wrote:
>I am looking for a bit of guidance on logically segmenting an existing
>router. Currently I have a core network router that has fiber
>connections to all of our buildings. Each building is in it's own
>VLAN. We run OSPF on the router and all VLANS are in the same area
>0.0.0.1.
>
>In the future things are going to change, one of which will be our
>ISP. So we will have two fiber connections to the outside world. One
>will go to the internet VIA a yet to be named ISP, while the other
>will go to an external entity that provides some services to us. Since
>money is tight right now, I want to try to use our current hardware
>for the new setup.
>
>What I am unsure about is how everything would be setup. I know that
>the two external connections will be in their own VLAN, but it is the
>routing part that I am trying to wrap my head around. Would we have to
>run a separate routing instance for the two external connections? I
>ask this because once the outbound traffic makes it past our firewall,
>the router is going to have to make a decision on if the traffic
>should be routed to the external entity or to the internet. Would we
>be able to accomplish this with our current routing setup?
>
>The setup will be the two external connections on their own VLAN. A
>third connection will also be a part of that VLAN, and this will
>provide the "outside" link on our firewall. From there the firewall
>will connect to another port on our internal network (which is again
>on it's own VLAN, but this VLAN is part of our internal OSPF area). SO
>outbound traffic would travel into the internal interface on the
>firewall, out the external interface and back into our core router.
> >From here the decision needs to be made on what link the packet should
>be forwarded out of.
>
>I appreciate any help!
>
>- Chris
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
--
Douglas C. Stephens | UNIX/Windows/Email Admin
System Support Specialist | Network/DNS Admin
Information Systems | Phone: (515) 294-6102
Ames Laboratory, US DOE | Email: stephens at ameslab.gov
More information about the cisco-nsp
mailing list