Quick Summary of a Cisco VRF-Lite Configuration for a Campus Environment
Architecture
Traditional 3 tier architecture - core, distribution, access.
- Central firewalls (HA Pair, Active/Passive)
- Core switches (VSS pair)
- Distribution switches (VSS pairs)
Virtual Routing and Forwarding
Campus is divided up into 6 VRFs (VRF-Lite):
- Building Management Systems (BMS) - HVAC, FIPS, CCTV, Emergency Lighting, ECPs etc
- Information & Communications Technology (ICT) - Things unique to IT but don't assume secure
- General Staff (STAFF) - General business staff
- Affiliates (AFFIL) - Guests, 3rd parties
- Edge (EDGE) - Printers, Audio/Visual equipment, Voice
- Network Management (NETINF) - Switch management
Each VRF has a Route Distinguisher (RD), and Route Targets (RT Import/Export)
See https://packetlife.net/blog/2013/jun/10/route-distinguishers-and-route-targets/ on what these are and how they are used.
In this case, the RD and RT import/export are all the per VRF.
- BMS 65535:100
- ICT 65535:110
- STAFF 65535:120
- AFFIL 65535:130
- EDGE 65535:140
- NETINF 65535:150
Each VRF has its own router process and therefore its own route tables, in the example below, OSPFv2 has been used.
Firewall interfaces (Core switch - Firewall)
These are VLAN interfaces trunked over a LAG between the core switches and the firewalls.
- BMS VLAN 3000
- ICT VLAN 3010
- STAFF VLAN 3020
- AFFIL VLAN 3030
- EDGE VLAN 3040
- NETINF VLAN 3050
Core switch interfaces (Per Building: Core switch - Disitribution Switch)
These are P2P VLANs on a LAG between the core switches and the distribution switches. One per VRF, per building. So the first building gets VLANs 2010, 2100, 2200, 2300, 2400, 2500, the second building gets VLANs 2011, 2101, 2201, 2301, 2401, 2501 and so on.
- BMS VLAN 2010 - 2099
- ICT VLAN 2100 - 2199
- STAFF VLAN 2200 - 2299
- AFFIL VLAN 2300 - 2399
- EDGE VLAN 2400 - 2499
- NETINF VLAN 2500 - 2599
Distribution switch interfaces (one pair per building ie VSS/VLT/MCLAG)
These are the access VLANs. They are what endpoints/clients will be using. I use the same VLANs per each building because the boundary is the distribution switches.
- BMS VLAN 1000 - 1009
- ICT VLAN 1010 - 1019
- STAFF VLAN 1020 - 1029
- AFFIL VLAN 1030 - 1039
- EDGE VLAN 1040 - 1049
- NETINF VLAN 1050 - 1059
IP Schema and Routing
In the examples below I have used a Class A RFC1918 address range and OSPFv2 routing.
Example Core and Distribution Switch VRF-Lite configuration
Using the AFFIL VRF as an example. To create the other VRFs you simply copy the configuration while changing the identifiers/numbers/addresses to suite.
Core Switch
A static default route to the firewall's AFFIL VLAN interface is used.
ip vrf AFFIL
description Affiliates
rd 65535:130
route-target export 65535:130
route-target import 65535:130
ip multicast-routing vrf AFFIL
vlan 3030
name AFFIL_P2P_FW
vlan 2300
name AFFIL_P2P_BldA
interface Loopback130
description Loop Back AFFIL
ip vrf forwarding AFFIL
ip address 10.30.5.1 255.255.255.255
no ip proxy-arp
ip pim sparse-mode
ip ospf 130 area 0
interface Loopback131
description Mulitcast RP AFFIL
ip vrf forwarding AFFIL
ip address 10.30.5.253 255.255.255.255
no ip proxy-arp
ip pim sparse-mode
ip ospf 130 area 0
interface Vlan3030
description Firewall AFFIL
ip vrf forwarding AFFIL
ip address 10.30.2.5 255.255.255.240
no ip redirects
no ip proxy-arp
!
interface Vlan2300
description Building A AFFIL
ip vrf forwarding AFFIL
ip address 10.30.3.1 255.255.255.252
no ip redirects
no ip proxy-arp
ip ospf 130 area 0
router ospf 130 vrf AFFIL
router-id 10.30.5.1
capability vrf-lite
passive-interface default
no passive-interface Loopback130
no passive-interface Loopback131
no passive-interface Vlan2300
default-information originate always
ip pim vrf AFFIL rp-address 10.30.5.253 override
ip route vrf AFFIL 0.0.0.0 0.0.0.0 10.30.2.3
Associate the appropriate VLANs with the Firewall and the distribution switch interfaces.
Distribution Switch
Layer 3 between core and distribution. Layer 2 between distribution and access. VLANs 1030 - 1032 are the SVIs for the access networks for the building - these will be trunked/tagged to each access switch/stack and associated on each port as appropriate as an access/untagged VLAN.
ip vrf AFFIL
rd 65535:130
route-target export 65535:130
route-target import 65535:130
ip multicast-routing vrf AFFIL
interface Loopback130
description General Management Loop Back AFFIL
ip vrf forwarding AFFIL
ip address 10.30.5.10 255.255.255.255
no ip proxy-arp
ip pim sparse-mode
ip ospf 130 area 0
interface Vlan1030
description AFFIL_VLAN1030
ip vrf forwarding AFFIL
ip address 10.30.100.1 255.255.255.0
interface Vlan1031
description AFFIL_VLAN1031
ip vrf forwarding AFFIL
ip address 10.30.101.1 255.255.255.0
interface Vlan1032
description AFFIL_VLAN1032
ip vrf forwarding AFFIL
ip address 10.30.102.1 255.255.255.0
interface Vlan2300
description AFFIL_P2P_BldA
ip vrf forwarding AFFIL
ip address 10.30.3.2 255.255.255.252
no ip redirects
no ip proxy-arp
ip pim sparse-mode
ip ospf network point-to-point
ip ospf 130 area 0
router ospf 130 vrf AFFIL
router-id 10.30.5.10
redistribute connected subnets
passive-interface default
no passive-interface Loopback130
no passive-interface Vlan1030
ip pim vrf AFFIL rp-address 10.30.5.253
Associate the appropriate VLANs with the core switch interfaces and downstream access switches.
1 comment:
Beautiful
Post a Comment