VRF question - both private and external Internet networks on same router.

Discussion in 'Cisco' started by Rob, Jan 20, 2005.

  1. Rob (Guest)

    I'm trying to setup a router to use VRF. My Telecom provider is
    giving me a single T3 access where I'm splitting off both private (to
    the rest of my internal WAN) and Internet on the same DS3. They will
    be using Frame encapsulation and subinterfaces. I in turn plan to
    map each serial subinterface to a specific FastEthernet port.

    Internal = S0/0.1 to Fa0/0
    Public = S0/0.2 to Fa0/1

    I've played with VRF a bit and I believe I got it working. Create two
    different VRF instances, throw my interfaces into them, and voila. My
    internal network uses OSPF which can use VRF, but I'm stuck using a
    single static route for my Internet side. I would prefer to use BGP
    and exchange full routing tables, but I can't do a "ROUTER BGP XXX
    VRF" type of command. It doesn't take.

    My main priority is to maintain security between the public and
    private side of this router, so never the two shall meet. Obviously,
    I don't want a big gaping hole in my network.

    Here is my question. Is it okay/proper/correct/possible/secure to use
    a single VRF for my internal network, on a single Serial
    subinterface/FastEthernet pairing, but leave the Internet "side" of
    the router outside of a VRF? Leave it on the regular router? That
    way all router commands are available to me, like BGP? Or if you use
    VRF once, do I have to use it all the way through for everything?

    Thanks.
    Bob
    Rob, Jan 20, 2005
    #1

  2. Ivan Ostreš (Guest)

    In article <>, bobh1234@hotmail.com says...
    > I'm trying to setup a router to use VRF. My Telecom provider is
    > giving me a single T3 access where I'm splitting off both private (to
    > the rest of my internal WAN) and Internet on the same DS3. They will
    > be using Frame encapsulation and subinterfaces. I in turn plan to
    > map each serial subinterface to a specific FastEthernet port.
    >
    > Internal = S0/0.1 to Fa0/0
    > Public = S0/0.2 to Fa0/1
    >
    > I've played with VRF a bit and I believe I got it working. Create two
    > different VRF instances, throw my interfaces into them, and voila. My
    > internal network uses OSPF which can use VRF, but I'm stuck using a
    > single static route for my Internet side. I would prefer to use BGP
    > and exchange full routing tables, but I can't do a "ROUTER BGP XXX
    > VRF" type of command. It doesn't take.
    >
    > My main priority is to maintain security between the public and
    > private side of this router, so never the two shall meet. Obviously,
    > I don't want a big gaping hole in my network.
    >
    > Here is my question. Is it okay/proper/correct/possible/secure to use
    > a single VRF for my internal network, on a single Serial
    > subinterface/FastEthernet pairing, but leave the Internet "side" of
    > the router outside of a VRF? Leave it on the regular router? That
    > way all router commands are available to me, like BGP? Or if you use
    > VRF once, do I have to use it all the way through for everything?
    >
    > Thanks.
    > Bob
    >
    >


    It is true that you can have just one instance of the BGP process on a Cisco
    router. But you could try to go like this:

    router bgp 65001
    address-family ipv4 unicast vrf vrf1
    neighbor 10.20.0.60 remote-as 65535
    neighbor 10.20.0.60 activate
    no auto-summary
    exit-address-family

    That is configuration per VRF.



    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Jan 20, 2005
    #2

  3. Bob (Guest)

    On Thu, 20 Jan 2005 12:40:44 +0100, Ivan Ostreš
    <> wrote:

    >It is true that you can have just one instance of BGP process on cisco
    >router. But you could try to go like this:
    >
    >router bgp 65001
    > address-family ipv4 unicast vrf vrf1
    > neighbor 10.20.0.60 remote-as 65535
    > neighbor 10.20.0.60 activate
    > no auto-summary
    > exit-address-family
    >
    >That is configuration per VRF.



    Oh, That's the proper VRF way to do it? Thanks!
    -Rob
    Bob, Jan 20, 2005
    #3
  4. Bob (Guest)

    On Thu, 20 Jan 2005 12:40:44 +0100, Ivan Ostreš
    <> wrote:

    >router bgp 65001
    > address-family ipv4 unicast vrf vrf1
    > neighbor 10.20.0.60 remote-as 65535
    > neighbor 10.20.0.60 activate
    > no auto-summary
    > exit-address-family
    >
    >That is configuration per VRF.



    So if this is the (for example) BGP configuration that I'm using on my
    existing BGP router, which is a single 7204VXR router only doing
    Internet, how would it translate to BGP using VRF? I also tried the
    commands above and noticed it also created a minimal BGP config for my
    vrf2 as well. I couldn't delete it. I assume that won't hurt
    anything?


    --------------------------------------------------------------------------------
    router bgp 12000
    no synchronization
    bgp log-neighbor-changes
    network 100.200.118.0
    network 100.200.119.0
    neighbor 200.201.202.203 remote-as 3333
    neighbor 200.201.202.203 description Peer to ISP-3333
    neighbor 200.201.202.203 ebgp-multihop 2
    neighbor 200.201.202.203 update-source FastEthernet0/0
    neighbor 200.201.202.203 soft-reconfiguration inbound
    neighbor 200.201.202.203 distribute-list 1 out
    no auto-summary

    access-list 1 remark My company public networks
    access-list 1 permit 100.200.118.0 0.0.0.255
    access-list 1 permit 100.200.119.0 0.0.0.255
    --------------------------------------------------------------------------------

    Thank you so much for your help Ivan.
    -Rob
    Bob, Jan 20, 2005
    #4
  5. Rob (Guest)

    Last question. Is it okay to have only one VRF on the router? If I
    have the Internet "side" of it not in VRF, it seems to still be
    segregated from the private VRF side. Then I can use standard BGP
    commands. Yes?




    On Thu, 20 Jan 2005 12:40:44 +0100, Ivan Ostreš
    <> wrote:

    >In article <>, bobh1234@hotmail.com says...
    >> I'm trying to setup a router to use VRF. My Telecom provider is
    >> giving me a single T3 access where I'm splitting off both private (to
    >> the rest of my internal WAN) and Internet on the same DS3. They will
    >> be using Frame encapsulation and subinterfaces. I in turn plan to
    >> map each serial subinterface to a specific FastEthernet port.
    >>
    >> Internal = S0/0.1 to Fa0/0
    >> Public = S0/0.2 to Fa0/1
    >>
    >> I've played with VRF a bit and I believe I got it working. Create two
    >> different VRF instances, throw my interfaces into them, and voila. My
    >> internal network uses OSPF which can use VRF, but I'm stuck using a
    >> single static route for my Internet side. I would prefer to use BGP
    >> and exchange full routing tables, but I can't do a "ROUTER BGP XXX
    >> VRF" type of command. It doesn't take.
    >>
    >> My main priority is to maintain security between the public and
    >> private side of this router, so never the two shall meet. Obviously,
    >> I don't want a big gaping hole in my network.
    >>
    >> Here is my question. Is it okay/proper/correct/possible/secure to use
    >> a single VRF for my internal network, on a single Serial
    >> subinterface/FastEthernet pairing, but leave the Internet "side" of
    >> the router outside of a VRF? Leave it on the regular router? That
    >> way all router commands are available to me, like BGP? Or if you use
    >> VRF once, do I have to use it all the way through for everything?
    >>
    >> Thanks.
    >> Bob
    >>
    >>

    >
    >It is true that you can have just one instance of BGP process on cisco
    >router. But you could try to go like this:
    >
    >router bgp 65001
    > address-family ipv4 unicast vrf vrf1
    > neighbor 10.20.0.60 remote-as 65535
    > neighbor 10.20.0.60 activate
    > no auto-summary
    > exit-address-family
    >
    >That is configuration per VRF.
    Rob, Jan 21, 2005
    #5
  6. Ivan Ostreš (Guest)

    In article <>, bobh1234@hotmail.com says...
    > Last question. Is it okay to have only one VRF on the router? If I
    > have the Internet "side" of it not in VRF, it seems to still be
    > segregated from the private VRF side. Then I can use standard BGP
    > commands. Yes?
    >


    Yes, you can. The problem is that you don't get the real logical
    separation (it's like running a server with some programs and a VMware
    on it). You should really create two VRFs and use one for the Internet and
    one for the private network. It will be easier later...

    Just my 0.02,

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Jan 21, 2005
    #6
  7. Ivan Ostreš (Guest)

    In article <>, bobh1234@hotmail.com says...
    > On Thu, 20 Jan 2005 12:40:44 +0100, Ivan Ostreš
    > <> wrote:
    >
    > >router bgp 65001
    > > address-family ipv4 unicast vrf vrf1
    > > neighbor 10.20.0.60 remote-as 65535
    > > neighbor 10.20.0.60 activate
    > > no auto-summary
    > > exit-address-family
    > >
    > >That is configuration per VRF.

    >
    >
    > So if this is the (for example) BGP configuration that I'm using on my
    > existing BGP router, which is a single 7204VXR router only doing
    > Internet, how would it translate to BGP using VRF? I also tried the
    > commands above and noticed it also created a minimal BGP config for my
    > vrf2 as well. I couldn't delete it. I assume that won't hurt
    > anything?
    >
    >


    You can find some related ideas and configs on this page:

    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00800a6c11.shtml


    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Jan 21, 2005
    #7
  8. Rob (Guest)

    Thanks again.



    On Fri, 21 Jan 2005 09:01:37 +0100, Ivan Ostreš
    <> wrote:

    >In article <>, bobh1234@hotmail.com says...
    >> On Thu, 20 Jan 2005 12:40:44 +0100, Ivan Ostreš
    >> <> wrote:
    >>
    >> >router bgp 65001
    >> > address-family ipv4 unicast vrf vrf1
    >> > neighbor 10.20.0.60 remote-as 65535
    >> > neighbor 10.20.0.60 activate
    >> > no auto-summary
    >> > exit-address-family
    >> >
    >> >That is configuration per VRF.

    >>
    >>
    >> So if this is the (for example) BGP configuration that I'm using on my
    >> existing BGP router, which is a single 7204VXR router only doing
    >> Internet, how would it translate to BGP using VRF? I also tried the
    >> commands above and noticed it also created a minimal BGP config for my
    >> vrf2 as well. I couldn't delete it. I assume that won't hurt
    >> anything?
    >>
    >>

    >
    >You can find some related ideas and configs on this page:
    >
    >http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00800a6c11.shtml
    Rob, Jan 21, 2005
    #8