I wish to segment a network consisting of 150 tenants using VRF-Lite on a Cisco 6800. The VRF configuration will be standalone, as only the 6800 will be configured with VRFs. Each tenant's CPE will be connected via a VLAN on the 6800 and will be in a separate VRF. Are there limitations to using VRF-Lite?
Cisco 6800 – VRF-Lite Limitations
Tags: cisco, mpls, network-core, vrf, vrf-lite
Related Solutions
It appears that you're applying the load balancing policy to the routing-instance. It needs to be applied to the forwarding-table in order for it to perform ECMP on the forwarding plane.
routing-options {
    forwarding-table {
        export load-balancing-policy;
    }
}
To confirm it's working, you should see something similar to this. Note the additional entry in the forwarding table for 10.0.0.0/24.
# run show route forwarding-table table {client}
Routing table: {client}.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default user 0 8:5b:e:84:4c:b0 ucst 561 3 ge-1/1/2.3017
default perm 0 rjct 961 1
0.0.0.0/32 perm 0 dscd 959 1
10.0.0.0/24 user 0 196.33.144.3 ucst 589 5 ge-1/1/5.2100 *
10.0.0.0/24 user 0 196.33.144.11 ucst 645 6 gr-1/1/10.1 *
10.0.0.55/32 user 0 ucst 645 6 gr-1/1/10.1
10.0.0.210/32 user 0 ucst 645 6 gr-1/1/10.1
10.0.6.0/24 user 0 ucst 921 3 gr-1/1/10.16
.
.
Each fills a different purpose, and all three may be part of an overall solution. Let's start with the oldest concept first.
Subnets are the IP world's way of determining what devices are "assumed to be on-link". Devices within the same subnet will send unicast traffic directly to each other by default, while devices in different subnets will send unicast traffic via a router by default.
You could put each subnet on a separate physical network. This forces traffic to go via the router, which can act as a firewall. That works fine if your isolation domains match up with your physical network layout but gets to be a PITA if they don't.
You can have multiple subnets on the same "link", but doing so does not provide a high degree of isolation between the devices. IPv4 unicast traffic between different subnets will by default flow via your router, where it can be filtered, but broadcasts, IPv6 link-local traffic and non-IP protocols will flow directly between the hosts. IPv6 global unicast traffic may or may not flow via the router depending on how the hosts are configured. Furthermore, if someone wants to bypass the router they can trivially do so by adding an extra IP address to their NIC.
VLANs take an Ethernet network and split it up into multiple separate virtual Ethernet networks. This lets you ensure that traffic goes via the router without constraining your physical network layout.
VRFs let you build multiple virtual routers in one box. They are a relatively recent idea and are mostly useful in large, complex networks. Essentially, while VLANs let you build multiple independent virtual Ethernet networks on the same infrastructure, VRFs (used in conjunction with an appropriate virtual link layer such as VLANs or MPLS) let you build multiple independent IP networks on the same infrastructure. Some examples of where they might be useful:
- If you are running a multi-tenant datacenter scenario each customer may have their own (possibly overlapping) set of subnets and want different routing and filtering rules.
- In a large network you may want to route between subnets/vlans in the same security domain locally while sending cross security domain traffic to a central firewall.
- If you are doing DDoS scrubbing you may want to separate unscrubbed traffic from scrubbed traffic.
- If you have multiple classes of customer you may want to apply different routing rules to their traffic. For example you could route "economy" traffic on the cheapest path while routing "premium" traffic on the fastest path.
Best Answer
The new SUP-2T can support up to 4000 VRFs. This design has two main drawbacks which you need to consider:
- You will introduce a single point of failure.
- Routing between two different VRFs in the future (it is possible, but it will require static routes or running standalone BGP on the box).
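As an added example (not part of the question or of any answer on this page), the script below shows what the per-tenant VRF-Lite build looks like in practice and adds the check an operator would want before and after the change: every tenant SVI must actually be bound to its VRF, because an SVI left in the global routing table silently shares a routing domain with every other global-table interface. It uses the IOS 15 `vrf definition` / `vrf forwarding` syntax (the older `ip vrf` / `ip vrf forwarding` form is accepted by the audit too), the 4000-VRF SUP-2T figure quoted in the accepted answer, and a constructed running-config excerpt; tenant names, VLAN numbers, subnets and route distinguishers are made up for the example.

```python
"""Generate and audit Cisco IOS VRF-Lite tenant configuration.

Added example, not code from the original question or answers. Assumes the
IOS 15-style syntax ``vrf definition`` / ``vrf forwarding``; the older
``ip vrf`` / ``ip vrf forwarding`` form is recognised by the audit as well.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Platform limit quoted in the accepted answer (SUP-2T: up to 4000 VRFs).
SUP2T_MAX_VRFS = 4000


@dataclass(frozen=True)
class Tenant:
    name: str    # VRF name, e.g. "TENANT042" (hypothetical naming scheme)
    vlan: int    # 802.1Q VLAN carrying the tenant's CPE uplink
    subnet: str  # gateway subnet on the SVI, e.g. "10.42.0.0/24"
    rd: str      # route distinguisher; only matters if BGP is added later


def design_problems(tenants: list[Tenant]) -> list[str]:
    """Return human-readable problems with the tenant list (empty list = OK)."""
    problems = []
    if len(tenants) > SUP2T_MAX_VRFS:
        problems.append(f"{len(tenants)} VRFs exceeds the SUP-2T limit of {SUP2T_MAX_VRFS}")
    vlans = [t.vlan for t in tenants]
    names = [t.name for t in tenants]
    # Two tenants on one VLAN share a broadcast domain; two with one VRF
    # name share a routing table. Either defeats the isolation goal.
    if len(set(vlans)) != len(vlans):
        problems.append("duplicate VLAN: two tenants would share a broadcast domain")
    if len(set(names)) != len(names):
        problems.append("duplicate VRF name: two tenants would share a routing table")
    for t in tenants:
        if not 1 <= t.vlan <= 4094:
            problems.append(f"{t.name}: VLAN {t.vlan} out of range")
    return problems


def tenant_vrf_config(t: Tenant) -> str:
    """Render the VRF, the layer-2 VLAN and the VRF-bound SVI for one tenant."""
    net = ipaddress.ip_network(t.subnet, strict=True)
    # First usable address of the subnet becomes the tenant's default gateway.
    gw = ipaddress.ip_interface(f"{net.network_address + 1}/{net.prefixlen}")
    return "\n".join([
        f"vrf definition {t.name}",
        f" rd {t.rd}",
        " address-family ipv4",
        " exit-address-family",
        f"vlan {t.vlan}",
        f" name {t.name}",
        f"interface Vlan{t.vlan}",
        f" description {t.name} CPE gateway",
        # 'vrf forwarding' must come before 'ip address': IOS clears the
        # address when an interface is moved into a VRF.
        f" vrf forwarding {t.name}",
        f" ip address {gw.ip} {gw.netmask}",
        " no shutdown",
        "!",
    ])


def build_config(tenants: list[Tenant]) -> str:
    """Render all tenants, refusing to emit config for a flawed design."""
    problems = design_problems(tenants)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(tenant_vrf_config(t) for t in tenants)


def svis_in_global_table(running_config: str) -> list[str]:
    """Return SVIs that carry an IP address but no 'vrf forwarding' line.

    Such an interface sits in the global routing table, so its tenant can
    reach, and be reached from, every other global-table interface.
    """
    leaked = []
    # An interface stanza is 'interface VlanN' followed by indented lines.
    for m in re.finditer(r"^interface (Vlan\d+)\n((?: .*\n?)*)", running_config, re.M):
        name, body = m.group(1), m.group(2)
        has_ip = re.search(r"^ ip address \d", body, re.M) is not None
        in_vrf = re.search(r"^ (ip )?vrf forwarding \S+", body, re.M) is not None
        if has_ip and not in_vrf:
            leaked.append(name)
    return leaked


# Constructed running-config excerpt: Vlan20 was added later and never bound to a VRF.
SAMPLE_RUNNING_CONFIG = """\
interface Vlan10
 description TENANT010 CPE gateway
 vrf forwarding TENANT010
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 description TENANT020 CPE gateway
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan30
 description TENANT030 CPE gateway
 ip vrf forwarding TENANT030
 ip address 10.30.0.1 255.255.255.0
!
"""

if __name__ == "__main__":
    demo = [Tenant(f"TENANT{n:03d}", 100 + n, f"10.{n}.0.0/24", f"65000:{n}") for n in range(1, 4)]
    print(build_config(demo))
    print("SVIs outside any VRF:", svis_in_global_table(SAMPLE_RUNNING_CONFIG))
```

Run against the real `show running-config` output instead of the constructed excerpt to spot a tenant SVI that has drifted out of its VRF; the design check is the place to add site-specific rules (reserved VLAN ranges, naming conventions) before anything is pushed to the box.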