
Securing Campus Networks with Virtual Routing and Forwarding (VRF)

Overview

The customer has requested Layer 2 and Layer 3 separation between the AA and BB user groups in the campus networks, while all users keep common access to the centralized applications.

Solution

In this solution we create Layer 2 boundaries with VLANs and Layer 3 boundaries with VRFs. The benefit of a VRF is that each one gets its own routing table, so no routing or communication exists between VRFs. That benefit is also a drawback: an application must reside in the same VRF as the users who access it. To work around this limitation we use the import function of VRF route targets together with Multiprotocol BGP (MBGP). The Data Center router runs a single BGP process with one IPv4 address family per VRF; routes redistributed into those address families are tagged with the VRF's export route target, and each VRF's route-target import statements pull the selected routes from the local VPNv4 table into its own routing table. Because the leaking happens inside one router's BGP table, no MBGP peering with any neighbor is required. OSPF (EIGRP or RIP would also work) then advertises the leaked routes to the adjacent campus routers. VRF AA and VRF BB both get full access to VRF CC without any access to each other.

Figure 1: Campus topology. Site A and Site B connect to the Data Center over the MPLS WAN; VLAN 101 carries VRF AA and VLAN 201 carries VRF BB end to end. The secure boundary between VRF AA and VRF BB has no local connectivity.

  Site A router       VRF AA  Vlan1    192.168.1.1      AA user VLAN
                      VRF BB  Vlan2    192.168.2.1      BB user VLAN
                      VRF AA  Vlan101  192.168.101.1    AA WAN
                      VRF BB  Vlan201  192.168.201.1    BB WAN
  Site B router       VRF AA  Vlan11   192.168.11.1     AA user VLAN
                      VRF BB  Vlan22   192.168.22.1     BB user VLAN
                      VRF AA  Vlan101  192.168.101.2    AA WAN
                      VRF BB  Vlan201  192.168.201.2    BB WAN
  Data Center router  VRF AA  Vlan101  192.168.101.254  AA WAN
                      VRF BB  Vlan201  192.168.201.254  BB WAN
                      VRF CC  Vlan99   192.168.99.254   Systems (applications)

Users in VRF AA cannot communicate with those in VRF BB, though users in each VRF can access applications in VRF CC.

Route-target policy on the Data Center router:

  VRF AA:  export 1:1    import 1:1, 99:99
  VRF BB:  export 2:2    import 2:2, 99:99
  VRF CC:  export 99:99  import 1:1, 2:2, 99:99

Applications in VRF CC are accessible from both VRF AA and VRF BB. Because AA and BB never import each other's route target, neither VRF learns a route to the other, so the shared VRF does not create a bridge between them at the routing layer. Two caveats apply. First, VRF CC imports both 1:1 and 2:2, so every host in CC has a route to every AA and BB subnet; a compromised application server is a pivot point between the two user groups, and the separation is only as strong as the hosts in CC. Second, the separation rests entirely on the route-target statements on the Data Center router. One extra route-target import line collapses it, so treat those lines as a security control: restrict who may change them, and after every change confirm that no BB prefix appears in the VRF AA routing table and no AA prefix in VRF BB.

Morgan Stepp CCIE #12603 | morganstepp@yahoo.com

Page 1 of 6

Reference

Some quick reference notes.

Route Distinguisher (RD): a 64-bit identifier that is prepended to the customer's 32-bit IPv4 prefix to create a globally unique 96-bit VPNv4 prefix. The RD is configured per VRF on the PE router. It only keeps overlapping prefixes from different VRFs distinct; it plays no part in deciding which VRF receives a route.

Route Target (RT): identifies the VPN membership of routes. RTs allow selective import and export of VPNv4 prefixes between VRFs. Route targets are encoded in a 64-bit BGP extended community (16 bits of Type and 48 bits of Value).
  ip vrf AA                    << create the virtual routing and forwarding table
   rd 1:1                      << globally unique 64-bit identifier
   route-target export 1:1     << tag this VRF's routes with RT 1:1 when exporting
   route-target import 1:1     << import routes that carry RT 1:1
   route-target import 99:99   << import routes that carry RT 99:99 (import only; this VRF never exports 99:99)
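As an added worked example (not part of the original page), the Python below encodes the structures the notes describe: a type 0 RD, the 96-bit VPNv4 prefix it produces, and a Route Target as a 64-bit extended community with its 16-bit type and 48-bit value. The RD and RT values are the ones used in this design (1:1, 2:2, 99:99); the overlapping 10.0.0.0/24 prefix in the demo is a constructed input chosen to show why the RD exists. Function names are the example's own.

```python
import ipaddress
import struct

# Extended community type octets for a Route Target in the two-octet-AS form
# (RFC 4360: type high 0x00 = transitive, two-octet AS specific; type low 0x02 = Route Target).
RT_TYPE_HIGH, RT_TYPE_LOW = 0x00, 0x02


def encode_rd(asn: int, number: int) -> bytes:
    """Type 0 Route Distinguisher (RFC 4364): 2-byte type 0, 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, number)


def encode_vpnv4_prefix(rd: bytes, prefix: str) -> bytes:
    """96-bit VPNv4 prefix = 64-bit RD followed by the 32-bit IPv4 network address."""
    if len(rd) != 8:
        raise ValueError("RD must be 8 bytes")
    net = ipaddress.IPv4Network(prefix, strict=False)
    return rd + net.network_address.packed


def decode_vpnv4_prefix(vpnv4: bytes, prefixlen: int) -> tuple:
    """Split a 96-bit VPNv4 prefix back into ('asn:number', 'a.b.c.d/len')."""
    _rd_type, asn, number = struct.unpack("!HHI", vpnv4[:8])
    addr = ipaddress.IPv4Address(vpnv4[8:])
    return f"{asn}:{number}", f"{addr}/{prefixlen}"


def encode_route_target(asn: int, number: int) -> bytes:
    """64-bit extended community: 16 bits of type, 48 bits of value (2-byte ASN + 4-byte number)."""
    return struct.pack("!BBHI", RT_TYPE_HIGH, RT_TYPE_LOW, asn, number)


def decode_route_target(community: bytes) -> str:
    """Reverse of encode_route_target; rejects communities that are not two-octet-AS Route Targets."""
    type_high, type_low, asn, number = struct.unpack("!BBHI", community)
    if (type_high, type_low) != (RT_TYPE_HIGH, RT_TYPE_LOW):
        raise ValueError(f"not a two-octet-AS route target: type 0x{type_high:02x}{type_low:02x}")
    return f"{asn}:{number}"


if __name__ == "__main__":
    # RDs 1:1 and 2:2 come from this design; 10.0.0.0/24 is a constructed overlapping prefix
    # that two VRFs might both use. Same IPv4 prefix, two distinct VPNv4 prefixes.
    for label, rd in (("1:1", encode_rd(1, 1)), ("2:2", encode_rd(2, 2))):
        print(f"RD {label} + 10.0.0.0/24 -> {encode_vpnv4_prefix(rd, '10.0.0.0/24').hex()}")
    rt = encode_route_target(99, 99)
    print(f"RT 99:99 as extended community -> {rt.hex()} -> {decode_route_target(rt)}")
```

Two points the encoding makes visible: the same IPv4 prefix under RD 1:1 and RD 2:2 yields two different VPNv4 prefixes, which is all the RD does; and nothing in the RD says which VRF may import the route. That decision is made entirely by matching the RT community on the route against each VRF's route-target import list.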

Configuration

IOS configuration for routers at Site A, Site B, and the Data Center.
Site A Router
Figure: Site A router. Vlan1 192.168.1.1 (VRF AA users), Vlan2 192.168.2.1 (VRF BB users), Vlan101 192.168.101.1 (VRF AA WAN), Vlan201 192.168.201.1 (VRF BB WAN), WAN side facing the MPLS cloud.

ip vrf AA
 rd 1:1
!
ip vrf BB
 rd 2:2
!
interface Vlan1
 description AA User VLAN 1
 ip vrf forwarding AA
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description BB User VLAN 2
 ip vrf forwarding BB
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan101
 description AA WAN
 ip vrf forwarding AA
 ip address 192.168.101.1 255.255.255.0
!
interface Vlan201
 description BB WAN
 ip vrf forwarding BB
 ip address 192.168.201.1 255.255.255.0
!


router ospf 101 vrf AA
 network 192.168.1.1 0.0.0.0 area 1
 network 192.168.101.1 0.0.0.0 area 0
!
router ospf 201 vrf BB
 network 192.168.2.1 0.0.0.0 area 1
 network 192.168.201.1 0.0.0.0 area 0

Site B Router
Figure: Site B router. Vlan11 192.168.11.1 (VRF AA users), Vlan22 192.168.22.1 (VRF BB users), Vlan101 192.168.101.2 (VRF AA WAN), Vlan201 192.168.201.2 (VRF BB WAN), WAN side facing the MPLS cloud.

ip vrf AA
 rd 1:1
!
ip vrf BB
 rd 2:2
!
interface Vlan11
 description AA User VLAN 11
 ip vrf forwarding AA
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan22
 description BB User VLAN 22
 ip vrf forwarding BB
 ip address 192.168.22.1 255.255.255.0
!
interface Vlan101
 description AA WAN
 ip vrf forwarding AA
 ip address 192.168.101.2 255.255.255.0
!
interface Vlan201
 description BB WAN
 ip vrf forwarding BB
 ip address 192.168.201.2 255.255.255.0
!
router ospf 101 vrf AA
 network 192.168.11.1 0.0.0.0 area 2
 network 192.168.101.2 0.0.0.0 area 0
!
router ospf 201 vrf BB
 network 192.168.22.1 0.0.0.0 area 2
 network 192.168.201.2 0.0.0.0 area 0


Data Center Router

Only the Data Center router carries route-target statements; the site routers need nothing beyond the VRF and its RD because no leaking happens there. The BGP process is local to this router and has no neighbors; it exists solely to hold the VPNv4 table through which the import and export statements move routes between VRFs.

ip vrf AA
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 99:99
!
ip vrf BB
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 route-target import 99:99
!
ip vrf CC
 rd 99:99
 route-target export 99:99
 route-target import 1:1
 route-target import 2:2
 route-target import 99:99
!
interface Vlan99
 description Systems VLAN 99
 ip vrf forwarding CC
 ip address 192.168.99.254 255.255.255.0
!
interface Vlan101
 description AA WAN
 ip vrf forwarding AA
 ip address 192.168.101.254 255.255.255.0
!
interface Vlan201
 description BB WAN
 ip vrf forwarding BB
 ip address 192.168.201.254 255.255.255.0
!
router ospf 101 vrf AA
 redistribute bgp 1000 subnets
 network 192.168.101.254 0.0.0.0 area 0
!
router ospf 201 vrf BB
 redistribute bgp 1000 subnets
 network 192.168.201.254 0.0.0.0 area 0
!
router bgp 1000
 !
 address-family ipv4 vrf CC
  redistribute connected
 !
 address-family ipv4 vrf BB
  redistribute connected
  redistribute ospf 201 vrf BB
 !
 address-family ipv4 vrf AA
  redistribute connected
  redistribute ospf 101 vrf AA


Verification

Routing verification for Site A, Site B, and the Data Center. The outputs below show the positive case: every VRF learns the VRF CC prefix and can reach it. The design also depends on a negative case that should be checked on each router: show ip route vrf AA 192.168.2.0 and show ip route vrf BB 192.168.1.0 must report that the network is not in the table, and ping vrf AA 192.168.2.1 must fail, because no BB prefix is ever imported into VRF AA and no AA prefix into VRF BB.


Site A Router

SA#sh ip ro vrf AA
Routing Table: AA
O IA 192.168.11.1 [110/2] via 192.168.101.2, 03:07:43, Vlan101
O E2 192.168.99.0/24 [110/1] via 192.168.101.254, 03:07:43, Vlan101   << vrf CC route available in vrf AA routing table
C    192.168.1.0/24 is directly connected, Vlan1
C    192.168.101.0/24 is directly connected, Vlan101

SA#sh ip ro vrf BB
Routing Table: BB
C    192.168.201.0/24 is directly connected, Vlan201
O E2 192.168.99.0/24 [110/1] via 192.168.201.254, 03:07:58, Vlan201   << vrf CC route available in vrf BB routing table
O IA 192.168.22.1 [110/2] via 192.168.201.2, 03:07:58, Vlan201
C    192.168.2.0/24 is directly connected, Vlan2

SA#ping vrf AA 192.168.99.254
Sending 5, 100-byte ICMP Echos to 192.168.99.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms

SA#ping vrf BB 192.168.99.254
Sending 5, 100-byte ICMP Echos to 192.168.99.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Site B Router

SB#sh ip ro vrf AA
Routing Table: AA
C    192.168.11.0/24 is directly connected, Vlan11
O E2 192.168.99.0/24 [110/1] via 192.168.101.254, 03:08:38, Vlan101   << vrf CC route available in vrf AA routing table
O IA 192.168.1.1 [110/2] via 192.168.101.1, 03:08:38, Vlan101
C    192.168.101.0/24 is directly connected, Vlan101

SB#sh ip ro vrf BB
Routing Table: BB
C    192.168.201.0/24 is directly connected, Vlan201
O E2 192.168.99.0/24 [110/1] via 192.168.201.254, 03:08:42, Vlan201   << vrf CC route available in vrf BB routing table
C    192.168.22.0/24 is directly connected, Vlan22
O IA 192.168.2.1 [110/2] via 192.168.201.1, 03:08:42, Vlan201

SB#ping vrf AA 192.168.99.254
Sending 5, 100-byte ICMP Echos to 192.168.99.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms

SB#ping vrf BB 192.168.99.254
Sending 5, 100-byte ICMP Echos to 192.168.99.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Data Center Router

DC#show ip bgp vpnv4 all


   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf AA)
*> 192.168.1.1/24   192.168.101.1            2         32768 ?
*> 192.168.11.1/24  192.168.101.2            2         32768 ?
*> 192.168.99.0     0.0.0.0                  0         32768 ?   << vrf CC route available in vrf AA routing table
*> 192.168.101.0    0.0.0.0                  0         32768 ?
Route Distinguisher: 2:2 (default for vrf BB)
*> 192.168.2.1/24   192.168.201.1            2         32768 ?
*> 192.168.22.1/24  192.168.201.2            2         32768 ?
*> 192.168.99.0     0.0.0.0                  0         32768 ?   << vrf CC route available in vrf BB routing table
*> 192.168.201.0    0.0.0.0                  0         32768 ?
Route Distinguisher: 99:99 (default for vrf CC)
*> 192.168.1.1/24   192.168.101.1            2         32768 ?   << vrf AA route available in vrf CC routing table
*> 192.168.2.1/24   192.168.201.1            2         32768 ?   << vrf BB route available in vrf CC routing table
*> 192.168.11.1/24  192.168.101.2            2         32768 ?   << vrf AA route available in vrf CC routing table
*> 192.168.22.1/24  192.168.201.2            2         32768 ?   << vrf BB route available in vrf CC routing table
*> 192.168.99.0     0.0.0.0                  0         32768 ?
*> 192.168.101.0    0.0.0.0                  0         32768 ?   << vrf AA route available in vrf CC routing table
*> 192.168.201.0    0.0.0.0                  0         32768 ?   << vrf BB route available in vrf CC routing table

DC#sh ip ro vrf AA
Routing Table: AA
O IA 192.168.11.1 [110/2] via 192.168.101.2, 03:03:50, Vlan101
B    192.168.99.0/24 is directly connected, 03:04:25, Vlan99   << vrf CC route available in vrf AA routing table
O IA 192.168.1.1 [110/2] via 192.168.101.1, 03:03:50, Vlan101
C    192.168.101.0/24 is directly connected, Vlan101

DC#sh ip ro vrf BB
Routing Table: BB
C    192.168.201.0/24 is directly connected, Vlan201
B    192.168.99.0/24 is directly connected, 03:04:29, Vlan99   << vrf CC route available in vrf BB routing table
O IA 192.168.22.1 [110/2] via 192.168.201.2, 03:03:54, Vlan201
O IA 192.168.2.1 [110/2] via 192.168.201.1, 03:03:54, Vlan201

DC#sh ip ro vrf CC
Routing Table: CC
B    192.168.11.1 [20/2] via 192.168.101.2 (AA), 03:03:49, Vlan101   << vrf AA route available in vrf CC routing table
B    192.168.201.0/24 is directly connected, 03:04:34, Vlan201   << vrf BB route available in vrf CC routing table
C    192.168.99.0/24 is directly connected, Vlan99
B    192.168.22.1 [20/2] via 192.168.201.2 (BB), 03:03:49, Vlan201   << vrf BB route available in vrf CC routing table
B    192.168.1.1 [20/2] via 192.168.101.1 (AA), 03:03:49, Vlan101   << vrf AA route available in vrf CC routing table
B    192.168.2.1 [20/2] via 192.168.201.1 (BB), 03:03:49, Vlan201   << vrf BB route available in vrf CC routing table
B    192.168.101.0/24 is directly connected, 03:04:34, Vlan101   << vrf AA route available in vrf CC routing table

DC#ping vrf CC 192.168.1.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

DC#ping vrf CC 192.168.2.1
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
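The route-target policy states the intent; the routing tables are the fact. As an added example that is not part of the original page, the Python below parses IOS show ip route vrf output and flags every route whose prefix belongs to a VRF that the table should not contain, which is the negative check the positive pings above do not cover. The address plan is the one from Figure 1; the Site A VRF AA table and the Data Center VRF CC table are the page's own output; the table with a 192.168.22.0/24 route inside VRF AA is constructed to show a leak being caught. Function names are the example's own.

```python
import ipaddress
import re

# Address plan from Figure 1 on this page: which VRF owns which subnets.
ADDRESS_PLAN = {
    "AA": ["192.168.1.0/24", "192.168.11.0/24", "192.168.101.0/24"],
    "BB": ["192.168.2.0/24", "192.168.22.0/24", "192.168.201.0/24"],
    "CC": ["192.168.99.0/24"],
}
OWNERS = [(ipaddress.IPv4Network(p), vrf) for vrf, nets in ADDRESS_PLAN.items() for p in nets]

# Route code(s) such as 'C', 'B', 'O IA', 'O E2'; a prefix with or without a mask; the rest.
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z]{1,2}(?: [A-Z][A-Z0-9]?)?)\s+"
    r"(?P<prefix>\d+(?:\.\d+){3}(?:/\d{1,2})?)\s+(?P<rest>.*)$"
)

# Site A 'sh ip ro vrf AA' from the page. A prefix shown without a mask is parsed as a /32.
SITE_A_VRF_AA = """\
Routing Table: AA
O IA 192.168.11.1 [110/2] via 192.168.101.2, 03:07:43, Vlan101
O E2 192.168.99.0/24 [110/1] via 192.168.101.254, 03:07:43, Vlan101
C    192.168.1.0/24 is directly connected, Vlan1
C    192.168.101.0/24 is directly connected, Vlan101
"""

# Data Center 'sh ip ro vrf CC' from the page.
DC_VRF_CC = """\
Routing Table: CC
B    192.168.11.1 [20/2] via 192.168.101.2 (AA), 03:03:49, Vlan101
B    192.168.201.0/24 is directly connected, 03:04:34, Vlan201
C    192.168.99.0/24 is directly connected, Vlan99
B    192.168.22.1 [20/2] via 192.168.201.2 (BB), 03:03:49, Vlan201
B    192.168.1.1 [20/2] via 192.168.101.1 (AA), 03:03:49, Vlan101
B    192.168.2.1 [20/2] via 192.168.201.1 (BB), 03:03:49, Vlan201
B    192.168.101.0/24 is directly connected, 03:04:34, Vlan101
"""

# Constructed, not from the page: the Site A AA table after a BB subnet has leaked into it.
LEAKED_VRF_AA = SITE_A_VRF_AA + (
    "O E2 192.168.22.0/24 [110/1] via 192.168.101.254, 00:00:10, Vlan101\n"
)


def parse_routes(show_output: str) -> list:
    """Return [(code, IPv4Network), ...] for every route line in 'show ip route vrf' output."""
    routes = []
    for line in show_output.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if m:
            net = ipaddress.IPv4Network(m.group("prefix"), strict=False)
            routes.append((m.group("code").strip(), net))
    return routes


def owner_vrf(net: ipaddress.IPv4Network):
    """VRF whose address plan contains the prefix, or None if the prefix is unplanned."""
    for owned, vrf in OWNERS:
        if net.subnet_of(owned):
            return vrf
    return None


def foreign_routes(show_output: str, allowed_sources) -> list:
    """Routes whose owning VRF is not in allowed_sources; unplanned prefixes are reported too."""
    bad = []
    for code, net in parse_routes(show_output):
        owner = owner_vrf(net)
        if owner not in allowed_sources:
            bad.append((code, str(net), owner))
    return bad


if __name__ == "__main__":
    print("Site A vrf AA, foreign routes:", foreign_routes(SITE_A_VRF_AA, {"AA", "CC"}))
    print("Leaked vrf AA, foreign routes:", foreign_routes(LEAKED_VRF_AA, {"AA", "CC"}))
    print("DC vrf CC, routes outside CC:  ", foreign_routes(DC_VRF_CC, {"CC"}))
```

On the page's Site A table the check returns nothing; on the constructed table it returns the 192.168.22.0/24 route and names BB as its owner. Running it on the Data Center CC table with only CC allowed lists every AA and BB prefix, which is the intended result and also a reminder that any host in CC has a route to every user subnet in both VRFs.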

