Ethernet Switches & Routers

Occasional Contributor
Posts: 13
Registered: ‎01-22-2013

VRF newbie question

I have an MLXe4 router with several "internal" interfaces (ve81, ve181, ve233) and two "external" interfaces (ve3, ve80).  I would like to use a standard default route to send most traffic out ve80.  However, I'd like traffic from ve233 to route out to ve3.  I think I need to use a VRF to do this.  Is that right?

I have tried to set up one VRF on the MLXe4.  Here is the relevant portion of the config:

vlan 3
 tagged ethe 1/7 ethe 2/7
 router-interface ve 3
!
vlan 80
 tagged ethe 1/7 ethe 2/7
 router-interface ve 80
!
vlan 81
 tagged ethe 1/1 to 1/4 ethe 2/1 to 2/4
 router-interface ve 81
!
vlan 181
 tagged ethe 1/1 to 1/4 ethe 2/1 to 2/4
 router-interface ve 181
!
vlan 233
 tagged ethe 1/1 to 1/4 ethe 2/1 to 2/4
 router-interface ve 233
!
!
!
vrf dmz
 rd 233:233
 address-family ipv4
  ip route 0.0.0.0/0 10.12.3.1
 exit-address-family
exit-vrf
!
no route-only
!
interface ve 3
 ip address 10.12.3.233/24
!
interface ve 80
 ip address 10.12.80.2/28
!
interface ve 81
 ip address 10.12.81.1/24
!
interface ve 181
 ip address 10.12.181.1/24
!
interface ve 233
 vrf forwarding dmz
 ip address 10.12.233.1/24
!

Tracing from my workstation through ve80 toward ve233 on the MLXe4 isn't working.  I can tell the packet is reaching the router, but something is wrong:

C:\Users\xhammondr>tracert -d 10.12.233.1

Tracing route to 10.12.233.1 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  10.150.214.1 (intermediate router, also has interface 10.12.3.1)
  2     1 ms    <1 ms    <1 ms  10.12.3.233
  3     1 ms     1 ms    <1 ms  10.12.3.233
  4     1 ms     1 ms     1 ms  10.12.3.233
  5     1 ms     1 ms     1 ms  10.12.3.233
...

Same results tracerouting towards other hosts on the same LAN segment ve233 is on:

C:\Users\xhammondr>tracert -d 10.12.233.2

Tracing route to 10.12.233.2 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  10.150.214.1 (intermediate router, also has interface 10.12.3.1)
  2     1 ms     1 ms    <1 ms  10.12.3.233
  3     1 ms    13 ms     1 ms  10.12.3.233
  4     1 ms     1 ms     1 ms  10.12.3.233
  5     1 ms     1 ms     3 ms  10.12.3.233
...

The routing table:

SSH@MLXe-01#sh ip route
Total number of IP routes: 7
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
STATIC Codes - d:DHCPv6
        Destination        Gateway         Port          Cost          Type Uptime src-vrf
1       0.0.0.0/0          10.12.80.1      ve 80         1/1           S    87d20h -
2       10.12.3.0/24       DIRECT          ve 3          0/0           D    69d2h  -
3       10.12.51.0/24      DIRECT          mgmt 1        0/0           D    105d   -
4       10.12.80.0/28      DIRECT          ve 80         0/0           D    104d   -
5       10.12.81.0/24      10.12.181.43    ve 181        1/1           S    64d6h  -
6       10.12.181.0/24     DIRECT          ve 181        0/0           D    103d   -
7       192.168.68.0/24    DIRECT          mgmt 1        0/0           D    105d   -

Any ideas?

Contributor
Posts: 30
Registered: ‎12-13-2010

Re: VRF newbie question

Bind "ve3" also to the "dmz" VRF, then try a "sh ip route vrf dmz ...".

But maybe VRF is not what you want here. The other way could be PBR (Policy Based Routing). VRF will separate all interfaces from each other which are not in the same VRF. For instance you can't reach ve3- or ve233-clients from clients behind ve181 anymore, because ve181 is in the "Default VRF" and not in the "dmz VRF". Each VRF will get its own routing table and you have to do special imports/exports when Inter-VRF communication is needed.
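To make the point in this reply concrete (the ingress interface's VRF selects which routing table is consulted, and a static route is only usable when its next hop sits on a connected subnet of the same VRF), here is a small added Python model of the posted MLXe4 config. It is illustrative code written for this thread, not Brocade/NetIron software; the interfaces and the two default routes are taken from the config above, the `ve 81` static route and the mgmt routes are left out, and the `build_router(ve3_in_dmz)` switch models the "bind ve3 to dmz as well" fix.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for a connected (DIRECT) route
    port: Optional[str]       # egress interface; resolved at lookup for static routes


class VrfRouter:
    """Toy model: one routing table per VRF; the ingress interface's VRF picks the table."""

    def __init__(self):
        self.tables = {}      # vrf name -> list of Route
        self.iface_vrf = {}   # interface name -> vrf name

    def add_interface(self, name, address, vrf="default"):
        # An 'ip address' on an interface installs a connected route in that interface's VRF.
        net = ipaddress.ip_interface(address).network
        self.iface_vrf[name] = vrf
        self.tables.setdefault(vrf, []).append(Route(net, None, name))

    def add_static(self, vrf, prefix, next_hop):
        self.tables.setdefault(vrf, []).append(
            Route(ipaddress.ip_network(prefix), next_hop, None))

    def _resolve(self, vrf, next_hop):
        # A next hop is reachable only through a connected route of the *same* VRF.
        nh = ipaddress.ip_address(next_hop)
        for r in self.tables.get(vrf, []):
            if r.next_hop is None and nh in r.prefix:
                return r.port
        return None

    def lookup(self, ingress, dst):
        """Longest-prefix match in the VRF of the ingress interface; None if no usable route."""
        vrf = self.iface_vrf[ingress]
        dst = ipaddress.ip_address(dst)
        best = None
        for r in self.tables.get(vrf, []):
            if dst not in r.prefix:
                continue
            if r.next_hop is not None and self._resolve(vrf, r.next_hop) is None:
                continue  # static route whose next hop is unresolvable in this VRF: not installed
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
        if best is None:
            return None
        port = best.port if best.next_hop is None else self._resolve(vrf, best.next_hop)
        return {"vrf": vrf, "prefix": str(best.prefix),
                "next_hop": best.next_hop or "DIRECT", "port": port}


def build_router(ve3_in_dmz):
    """Addresses and routes from the config posted in this thread (constructed model)."""
    r = VrfRouter()
    r.add_interface("ve 3", "10.12.3.233/24", "dmz" if ve3_in_dmz else "default")
    r.add_interface("ve 80", "10.12.80.2/28")
    r.add_interface("ve 81", "10.12.81.1/24")
    r.add_interface("ve 181", "10.12.181.1/24")
    r.add_interface("ve 233", "10.12.233.1/24", "dmz")
    r.add_static("default", "0.0.0.0/0", "10.12.80.1")   # global default route
    r.add_static("dmz", "0.0.0.0/0", "10.12.3.1")        # 'ip route' inside 'vrf dmz'
    return r


if __name__ == "__main__":
    before, after = build_router(False), build_router(True)
    # Original config: a packet entering on ve 3 is looked up in the default VRF,
    # which has no 10.12.233.0/24 route, so it follows the default route out ve 80.
    print("before, ve 3 -> 10.12.233.1:", before.lookup("ve 3", "10.12.233.1"))
    # ...and the dmz default route is unusable because 10.12.3.1 is not on any dmz subnet.
    print("before, ve 233 -> 192.0.2.10:", before.lookup("ve 233", "192.0.2.10"))
    # With ve 3 bound to dmz, both directions resolve inside the dmz table.
    print("after, ve 3 -> 10.12.233.1:", after.lookup("ve 3", "10.12.233.1"))
    print("after, ve 233 -> 192.0.2.10:", after.lookup("ve 233", "192.0.2.10"))
    # Default-VRF interfaces still cannot see the dmz connected route (Gerald's isolation point).
    print("after, ve 181 -> 10.12.233.1:", after.lookup("ve 181", "10.12.233.1"))
```

The last lookup is the separation property worth keeping in mind from a security standpoint: a host behind ve 181 asking for 10.12.233.1 is forwarded along the default VRF's default route rather than onto the DMZ segment, so any reachability between the two must go through whatever sits on that path (or an explicit route import), not through the router's own connected routes.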

Occasional Contributor
Posts: 13
Registered: ‎01-22-2013

Re: VRF newbie question

Thanks, Gerald.  Adding both ve233 and ve3 to the VRF was exactly what I needed.  I don't want there to be inter-VRF traffic in this particular case.  (An external security device enforces the organizations' cross-network access policies.  That device may or may not allow the traffic between, say, 10.3.81.0 and 10.3.233.0 but the MLX should be ignorant of the policy and should route the allowed traffic correctly.)

Thanks for the help!
