Manuals / Allied Telesis / Computer Equipment / Network Card

Allied Telesis C613-16164-00 REV E manual VRF-lite security domains, Interface management with VRF

Models: C613-16164-00 REV E

1 91

Download 91 pages 55.02 Kb

Page 6

Understanding VRF-lite

VRF-lite security domains

VRF-lite provides network isolation on a single device at Layer 3. Each VRF domain can use the same or overlapping network addresses, as they have independent routing tables. This separation of the routing tables prevents communication to Layer 3 interfaces in other VRF domains on the same device. Each Layer 3 interface belongs to exactly one VRF instance and traffic between two Layer 3 interfaces on the same VRF instance is allowed as normal. But by default, interfaces in other VRF instances are not reachable as no route exits between the interfaces unless explicitly configured via Inter-VRF routing.

vlan1

1.

vlan2

1.

1.

SW

10.

1/24

1.

PC1

1.

.1/24

1/8

.1

.1

.1/16

1

.1

vlan3

.1

vlan5

10

1.

vlan4

PC2

vlan6

1.

Company A

1.

10.

1/24

1.

1.

PC3

1/24

Company B

PC4

PC5

VRF red

VRF green

Company C

PC6

VRF blue

For example, on a device three VRF instances (VRF red, VRF green and VRF blue) are configured for three different companies. Devices PC1 and PC2 from Company A can communicate normally within the confines of VRF red, but none of PC1’s and PC2’s traffic can be seen by other devices in VRF green and VRF blue.

Route table and interface management with VRF-lite

A key feature that VRF-lite introduces to a router is the existence of multiple IP route tables within the one router.

By default, before any VRF is configured, a router will have one route table, and routes via all IP interfaces of the router will be stored in this one table. As VRF instances are configured on the router, the original route table remains. This default route table, and its associated IP interfaces, are then referred to as the default global VRF domain.

Interface management with VRF

Each network interface can belong to only one VRF. As mentioned above, initially every interface is in the default global VRF domain. As Layer 3 interfaces are moved to the created VRF instances, they are removed from the global VRF domain, so the global VRF domain manages a decreasing set of Layer 3 interfaces.

Page 6 Configure VRF-lite

Image 6

Allied Telesis C613-16164-00 REV E VRF-lite security domains, Route table and interface management with VRF-lite, Vlan5

Contents

How To Configure VRF-lite Introduction What is VRF-lite?Who should read this document? Software feature licensesCommand summary Which products and software version does it apply to?Contents Glossary VRFUnderstanding VRF-lite Interface management with VRF VRF-lite security domainsRoute table and interface management with VRF-lite Vlan5Route management with VRF Adding a VRF-aware static ARPInter-VRF communication Static and dynamic inter-VRF routing VRF-lite features in AW+ For exampleVRF-aware utilities within AW+ VRF aware services includeRoute limiting per VRF instance  Ping Telnet client  SSH client TCP dump Configuring VRF-lite Awplusconfig# access-list standardAwplusconfig-if#switchportaccess vlanx Family Awplusconfig-route-map#match ip Static inter-VRF routing Ip route 192.168.50.0/24 Ip route vrf green 192.168.1.0/24Dynamic inter-VRF communication explained Forwarding Information Base FIB and routing protocolsBGP Inter-VRF communication via BGP Route-target both ASNVRFinstance For example Using the route-target commandRoute-target import ASNVRFinstance For example Can be replaced withIf VRF shared initially includes Also, if VRF shared configuration includesIf VRF red initially includes Via BGP IVR, VRF shared will end up with the routesIf VRF shared configuration includes Then via BGP IVR, VRF red will end up with the routesHow VRF-lite security is maintained Viewing source VRF and attribute information for a prefixSimple VRF-lite configuration examples Multiple VRFs without inter-VRF communication26 Configure VRF-lite Vlan 28 Configure VRF-lite Configure VRF-lite 30 Configure VRF-lite Configure VRF-lite 32 Configure VRF-lite Inter-VRF configuration examples with Internet access Configuration Configure VRF-lite Example B Configuration 38 Configure VRF-lite Configure VRF-lite Example C Configuration 42 Configure VRF-lite Configure VRF-lite Configuring a complex inter-VRF solution Network description Each VLANs is associated with a VRF instance VRF communication plan Configuration breakdown Configure VRF-lite Configure Vrfs Configure the hardware ACLs This example, three access groups are attached to port Within the same IP subnet that the switch port is a member192.168.43.0/24 via the shared VRF Configure Vlan Database Configure IP Addresses Configure VRF-lite Configure Dynamic Routing Configure VRF-lite 56 Configure VRF-lite Configure Static Routing Complete show run output from VRF device is below Configure VRF-lite 60 Configure VRF-lite Configure VRF-lite IP route table from VRF device is below VRF blue Hostname Internetrouter Hostname sharedrouter Hostname redospfpeer N1 Ospf NssaHostname greeniBGPpeer Hostname bluerippeer Hostname orangerouter Hostname orangeospfpeer Stack provisioning Other features used in this configurationVCStack and VRF-lite GreyX610 VCStack configuration Virtual Chassis IDX900 configuration 74 Configure VRF-lite Green Sharing VRF routing and double tagging on the same portCommunication plan PortConfigurations X610 aX610 B Configure VRF-lite Additional notes BGP configuration tips 80 Configure VRF-lite VRF device Red router vlan database Red router Configuring static route limits Route LimitsConfiguring Dynamic route limits Allowed number of fib routes excluding Connect and Static100 No max-fib-routes SyntaxVRF-lite usage guidelines Useful VRF-related diagnostics command list GeneralRouting general Routing protocols IP prefix network, e.g HW platform table commands TCPdump