Allied Telesis C613-16164-00 REV E manual Configure the hardware ACLs

Page 49

Configuring a complex inter-VRF solution

Configure the hardware ACLs

The command access-list hardware <name> creates the hardware access list. The access list is associated with individual switch ports as an access-group. Each access group contains one or more filters, which filter source traffic ingressing the switch port based on the filter entry order.

Each individual filter in the example below match on IP traffic destined to a specific network from any source IP.

Any IP traffic not matching an ACL is implicitly permitted. This allows traffic not filtered to be able to access the Internet.

Note - these traffic filters are being used for quite a different purpose than the ACLs that are used in the route-maps for controlling which routes are leaked between VRFs.

Instead, these filters are checking individual packets that are coming into the switch, and blocking those packets that are trying to reach IP addresses that should not be reachable from their VRF domain.

Via the filters, the switch knows which IP subnets should not be reachable from a given domain, and so can drop any packets that are trying to reach IP addresses in those subnets.

The dropping (filtering) of those ingress packets is important in the case where a VRF has a default route to a shared VRF and there is an external router that exists in the shared VRF. If there is no external router in the shared VRF or VRF has no default route via the shared VRF, then these IP hardware filters are not required.

Without these filters, traffic which has source IP within one VRF to destination IP within another VRF will be routed via the shared VRF to the external router (the external Internet BGP router in this example). The external router will route the traffic back to the shared VRF, which will in turn route the traffic to the destination IP within the destination VRF. And the packet will be replied to. In effect, the external router inadvertently breaks the inter-VRF security.

Without the external router, although the shared VRF has routes to the other VRF domains, the VRF device will maintain the inter-VRF security. Traffic from one VRF will be unable to access another VRF via the shared VRF. In that case the hardware traffic filters are not so important, but they can still be used to prevent any accidental forwarding (by some external device) of traffic from one VRF to another VRF that the traffic should not be able to access.

Configure VRF-lite Page 49

Page 48 Page 50
Image 49
Page 48 Page 50
Contents What is VRF-lite? How To Configure VRF-lite IntroductionCommand summary Software feature licensesWho should read this document? Which products and software version does it apply to?Contents VRF GlossaryUnderstanding VRF-lite Route table and interface management with VRF-lite VRF-lite security domainsInterface management with VRF Vlan5Adding a VRF-aware static ARP Route management with VRFInter-VRF communication Static and dynamic inter-VRF routing For example VRF-lite features in AW+Route limiting per VRF instance VRF aware services includeVRF-aware utilities within AW+  Ping SSH client  Telnet client TCP dump Awplusconfig# access-list standard Configuring VRF-liteAwplusconfig-if#switchportaccess vlanx Family Awplusconfig-route-map#match ip Ip route 192.168.50.0/24 Ip route vrf green 192.168.1.0/24 Static inter-VRF routingForwarding Information Base FIB and routing protocols Dynamic inter-VRF communication explainedBGP Inter-VRF communication via BGP Route-target import ASNVRFinstance For example Using the route-target commandRoute-target both ASNVRFinstance For example Can be replaced withIf VRF red initially includes Also, if VRF shared configuration includesIf VRF shared initially includes Via BGP IVR, VRF shared will end up with the routesThen via BGP IVR, VRF red will end up with the routes If VRF shared configuration includesViewing source VRF and attribute information for a prefix How VRF-lite security is maintainedMultiple VRFs without inter-VRF communication Simple VRF-lite configuration examples26 Configure VRF-lite Vlan 28 Configure VRF-lite Configure VRF-lite 30 Configure VRF-lite Configure VRF-lite 32 Configure VRF-lite Inter-VRF configuration examples with Internet access Configuration Configure VRF-lite Example B Configuration 38 Configure VRF-lite Configure VRF-lite Example C Configuration 42 Configure VRF-lite Configure VRF-lite Network description Configuring a complex inter-VRF solution Each VLANs is associated with a VRF instance VRF communication plan Configuration breakdown Configure VRF-lite Configure Vrfs Configure the hardware ACLs Within the same IP subnet that the switch port is a member This example, three access groups are attached to port192.168.43.0/24 via the shared VRF Configure Vlan Database Configure IP Addresses Configure VRF-lite Configure Dynamic Routing Configure VRF-lite 56 Configure VRF-lite Configure Static Routing Complete show run output from VRF device is below Configure VRF-lite 60 Configure VRF-lite Configure VRF-lite IP route table from VRF device is below VRF blue Hostname Internetrouter Hostname sharedrouter N1 Ospf Nssa Hostname redospfpeerHostname greeniBGPpeer Hostname bluerippeer Hostname orangerouter Hostname orangeospfpeer VCStack and VRF-lite Other features used in this configurationStack provisioning GreyVirtual Chassis ID X610 VCStack configurationX900 configuration 74 Configure VRF-lite Communication plan Sharing VRF routing and double tagging on the same portGreen PortX610 a ConfigurationsX610 B Configure VRF-lite Additional notes BGP configuration tips 80 Configure VRF-lite VRF device Red router vlan database Red router Route Limits Configuring static route limitsAllowed number of fib routes excluding Connect and Static Configuring Dynamic route limits100 Syntax No max-fib-routesVRF-lite usage guidelines General Useful VRF-related diagnostics command listRouting general Routing protocols IP prefix network, e.g TCPdump HW platform table commands

C613-16164-00 REV E specifications

The Allied Telesis C613-16164-00 REV E is a robust networking device designed to enhance connectivity and communication within enterprise environments. Renowned for its reliability and efficiency, this device serves as an ideal choice for organizations seeking to improve their network infrastructure.

At its core, the C613-16164-00 REV E is a part of Allied Telesis' suite of products that adhere to high-performance standards. One of the main features is its support for both Layer 2 and Layer 3 networking, making it versatile enough to handle a variety of network configurations. This capability allows for seamless integration into different network architectures, whether for simple local area networks (LANs) or more advanced setups with routing capabilities.

Another significant characteristic of the C613-16164-00 REV E is its high-speed data transfer capabilities. With support for Gigabit Ethernet, the device ensures that data can be transmitted quickly and efficiently across the network. This is particularly important for businesses that rely on heavy data usage and need to maintain performance standards even during peak hours.

Additionally, the C613-16164-00 REV E features advanced security measures, including VLAN support and port security configurations, which help protect sensitive information and prevent unauthorized access. This is essential for businesses that handle confidential data and must comply with industry regulations.

In terms of manageability, the device supports SNMP (Simple Network Management Protocol), allowing for easy monitoring and management of network resources. Network administrators can efficiently manage the device and optimize performance with minimal effort, improving overall productivity.

The design of the C613-16164-00 REV E is also noteworthy; it is built for durability, often featuring a compact form factor that makes installation straightforward without compromising on performance. Its compatibility with various Allied Telesis products ensures that organizations can build a cohesive network ecosystem.

In conclusion, the Allied Telesis C613-16164-00 REV E stands out as an excellent networking solution characterized by its support for multiple networking layers, high-speed data transfer, and robust security features. Ideal for both small to medium enterprises and larger organizations, it helps ensure that businesses can maintain efficient and secure operations in a constantly evolving digital landscape.
Top Page Image Contents