[f-nsp] Single device VRF (MLX)

Ronald Voermans r.voermans at global-datacenter.nl
Sun Feb 13 16:06:33 EST 2011


Hello,

I'm trying to implement VRFs on an MLX-8 for the following reason: I have several VLANs on the MLX, but I don't want a device on VLAN A to be reachable by a device on VLAN B. I thought I could solve this by using VRFs.

Here's what I've configured:

vrf cust_DRG
 rd 226:226
 address-family ipv4
 ip route 0.0.0.0/0 172.17.2.2
 ip route 10.28.0.0/16 172.17.2.5
 exit-address-family
exit-vrf

vlan 226
 untagged eth 1/19
 tagged ethe 1/5 ethe 1/20
 router-interface ve 226

interface ve 226
 vrf forwarding cust_DRG
 ip address 172.17.2.1/24

When I connect a device (non-vrf aware, for example a PC) to ethe 1/19 and give the device an IP address of 172.17.2.20, I cannot ping 172.17.2.1 and vice versa. When pinging from 172.17.2.1 (MLX) to 172.17.2.20 (PC), I see ICMP packets arriving at the PC, and the PC is trying to return packets to the MLX. But they don't arrive. On both devices, however, ARP entries are made.
Also, when adding a device to a tagged port (which isn't vrf aware, but is dot1q-aware), I can't ping to the MLX or to a device through the MLX (the PC for example).

When removing the vrf forwarding cust_DRG statement in interface ve 226, I am able to ping a device on eth 1/19 or one of the tagged interfaces. This confirms to me that the issue is related to the MLX/VRF!

Is this normal behavior? If not, what am I doing wrong?

If this is normal behavior (i.e. VRFs don't solve my question), how can I make sure the separate VLANs on the MLX are really distinct, and there's no way to go from VLAN A to VLAN B?

Thanks!

Rgds,
Ronald Voermans


