VRF question - both private and external Internet networks on same router.

Discussion in 'Cisco' started by Rob, Jan 20, 2005.

  1. Rob

    Rob Guest

    I'm trying to set up a router to use VRF. My Telecom provider is
    giving me a single T3 access where I'm splitting off both private (to
    the rest of my internal WAN) and Internet on the same DS3. They will
    be using Frame encapsulation and subinterfaces. I in turn plan to
    map each serial subinterface to a specific FastEthernet port.

    Internal = S0/0.1 to Fa0/0
    Public = S0/0.2 to Fa0/1

    I've played with VRF a bit and I believe I got it working. Create two
    different VRF instances, throw my interfaces into them, and voila. My
    internal network uses OSPF which can use VRF, but I'm stuck using a
    single static route for my Internet side. I would prefer to use BGP
    and exchange full routing tables, but I can't do a "ROUTER BGP XXX
    VRF" type of command. It doesn't take.

    My main priority is to maintain security between the public and
    private side of this router, so never the two shall meet. Obviously,
    I don't want a big gaping hole in my network.

    Here is my question. Is it okay/proper/correct/possible/secure to use
    a single VRF for my internal network, on a single Serial
    subinterface/FastEthernet pairing, but leave the Internet "side" of
    the router outside of a VRF? Leave it on the regular router? That
    way all router commands are available to me, like BGP? Or if you use
    VRF once, do I have to use it all the way through for everything?

    Rob, Jan 20, 2005

  2. Rob

    Ivan Ostreš Guest

    It is true that you can have just one instance of the BGP process on a Cisco
    router. But you could try to go like this:

    router bgp 65001
    address-family ipv4 unicast vrf vrf1
    neighbor remote-as 65535
    neighbor activate
    no auto-summary

    That is configuration per VRF.
    Ivan Ostreš, Jan 20, 2005

  3. Rob

    Bob Guest

    Oh, that's the proper VRF way to do it? Thanks!
    Bob, Jan 20, 2005
  4. Rob

    Bob Guest

    So if this is the (for example) BGP configuration that I'm using on my
    existing BGP router, which is a single 7204VXR router only doing
    Internet, how would it translate to BGP using VRF? I also tried the
    commands above and noticed it also created a minimal BGP config for my
    vrf2 as well. I couldn't delete it. I assume that won't hurt.

    router bgp 12000
    no synchronization
    bgp log-neighbor-changes
    neighbor remote-as 3333
    neighbor description Peer to ISP-3333
    neighbor ebgp-multihop 2
    neighbor update-source FastEthernet0/0
    neighbor soft-reconfiguration inbound
    neighbor distribute-list 1 out
    no auto-summary

    access-list 1 remark My company public networks
    access-list 1 permit
    access-list 1 permit
    Bob, Jan 20, 2005
  5. Rob

    Rob Guest

    Last question. Is it okay to have only one VRF on the router? If I
    have the Internet "side" of it not in VRF, it seems to still be
    segregated from the private VRF side. Then I can use standard BGP
    commands. Yes?
    Rob, Jan 21, 2005
  6. Rob

    Ivan Ostreš Guest

    Yes, you can. The problem is that you don't get the real logical
    separation (it's like running a server with some programs and a vmware
    on it). You should really create two VRFs and use one for Internet and
    one for private network. It will be easier later...

    Just my 0.02,
    Ivan Ostreš, Jan 21, 2005
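
Added example, not part of the thread or any poster's configuration: a Python audit of the separation discussed above. It reports addressed interfaces left in the global routing table and VRFs that import another VRF's route-target; the sample config, VRF names, RDs and addresses are constructed assumptions.

```python
import re

# Constructed sample (VRF names, RDs, addresses are assumptions; interface names follow
# the thread). Planted faults: Fa0/1 has no VRF; INTERNET imports PRIVATE's route-target.
SAMPLE = """\
ip vrf PRIVATE
 rd 65001:1
 route-target both 65001:1
ip vrf INTERNET
 rd 65001:2
 route-target both 65001:2
 route-target import 65001:1
interface Serial0/0.1 point-to-point
 ip vrf forwarding PRIVATE
 ip address 10.0.0.1 255.255.255.252
interface FastEthernet0/0
 ip vrf forwarding PRIVATE
 ip address 10.1.0.1 255.255.255.0
interface Serial0/0.2 point-to-point
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.252
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
"""

def audit(config):
    """Return (addressed interfaces in the global table, (exporter, importer) VRF leaks)."""
    imports, exports, vrf_of, addressed, cur = {}, {}, {}, set(), (None, None)
    for line in config.splitlines():
        w = line.split()
        if not line.startswith(" "):  # an unindented line opens a new section
            m = re.match(r"(ip vrf|interface) (\S+)", line)
            cur = m.groups() if m else (None, None)
        elif cur[0] == "ip vrf" and w[:1] == ["route-target"] and len(w) == 3:
            if w[1] in ("import", "both"):
                imports.setdefault(cur[1], set()).add(w[2])
            if w[1] in ("export", "both"):
                exports.setdefault(cur[1], set()).add(w[2])
        elif cur[0] == "interface" and w[:3] == ["ip", "vrf", "forwarding"] and len(w) == 4:
            vrf_of[cur[1]] = w[3]
        elif cur[0] == "interface" and w[:2] == ["ip", "address"]:
            addressed.add(cur[1])
    in_global = sorted(addressed - set(vrf_of))  # routed, but bound to no VRF
    leaks = sorted((a, b) for a in exports for b in imports
                   if a != b and exports[a] & imports[b])
    return in_global, leaks

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result for both lists means every addressed interface is bound to a VRF and no VRF imports a route-target that another one exports.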
  7. Rob

    Ivan Ostreš Guest

    You can find some related ideas and configs on this page:

    Ivan Ostreš, Jan 21, 2005
  8. Rob

    Rob Guest

    Rob, Jan 21, 2005