1 router, 1 internet connection/IP - multiple VRFs using the same ISP gateway
My knowledge of inter-VRF routing isn't the best.
I have one public IP. The public Internet and its quad 0 is on the default VRF....
Then I have a Guest_VRF and a corporate_VRF which would both need to access the Internet and point to the default gateway on the default VRF.
I can see this being done with multiple Cisco routers however I can't figure out a way that I could do this all-in-one device. I keep envisioning multiple NAT/PATs here which is just messy or using loopbacks and tunnels.
I'm focusing mainly on an ISR G1/G2 router here. Does anyone have any advice?
Using a VRF is like using a separate router. If you have the same WAN IP for both VRFs, then you have to configure it twice in both WAN interfaces. If you however only use one WAN interface, you'll have to divide this interface by trunking (using VLANs) or subinterfaces.
interface FastEthernet0.5
 encapsulation dot1Q 5
 ip address 18.104.22.168 255.255.255.252
Notice we do not use "ip vrf forwarding"; we are using the default VRF here.
interface FastEthernet0.10
 ip vrf forwarding wanconnection:1
 encapsulation dot1Q 10
 ip address 22.214.171.124 255.255.255.252
(this can be another IP if you prefer to divide it with 2 different IPs)
The connection then goes as follows:
- your router (normal vrf) => wan connection => vpn used for dot1Q tag 5
- your router (wanconnection:1 vrf) => wan connection => vpn used for dot1Q tag 10
if you want to do this without tagging and just have 2 physical interfaces, it's the same implementation:
interface FastEthernet0
 ip address 126.96.36.199 255.255.255.252
interface FastEthernet1
 ip vrf forwarding wanconnection:1
 ip address 188.8.131.52 255.255.255.252
Every other interface needed in the specific vrf "wanconnection:1" needs to be added in the same way:
interface FastEthernet4
 ip vrf forwarding wanconnection:1
 ip address 10.0.0.1 255.255.255.0
ip vrf wanconnection:1
 rd 65000:1
the rd 100:1 command explained: Creates a VRF table by specifying a route distinguisher. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and arbitrary number (A.B.C.D:y).
for the routing part:
ip route 0.0.0.0 0.0.0.0 184.108.40.206
ip route vrf wanconnection:1 0.0.0.0 0.0.0.0 220.127.116.11
If you only have one WAN connection without tagging enabled, you could use inter Vrf routing: http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/
ip vrf wanconnection:1
 rd 65000:1
 route-target export 65000:2
 route-target import 65000:99
ip vrf wanconnection:2
 rd 65000:2
 route-target export 65000:1
 route-target import 65000:99
ip vrf shared:1
 rd 65000:99
 route-target export 65000:99
 route-target import 65000:1
 route-target import 65000:2
interface FastEthernet0
 ip vrf forwarding shared:1
 ip address 18.104.22.168 255.255.255.252
interface loopback1
 ip vrf forwarding shared:1
 ip address 22.214.171.124 255.255.255.255
ip route vrf shared:1 0.0.0.0 0.0.0.0 126.96.36.199
ip route vrf wanconnection:1 0.0.0.0 0.0.0.0 188.8.131.52
ip route vrf wanconnection:2 0.0.0.0 0.0.0.0 184.108.40.206
interface FastEthernet1
 ip vrf forwarding wanconnection:1
 ip address 10.0.0.1 255.255.255.0
 description "LAN interface vrf 1"
interface FastEthernet2
 ip vrf forwarding wanconnection:2
 ip address 10.0.2.1 255.255.255.0
 description "LAN interface vrf 2"
here FastEthernet1 will use the default route for vrf wanconnection:1 and FastEthernet2 will use the default route for vrf wanconnection:2 (provided by the "ip route" commands).
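As an added example (not the answerer's configuration and not the OP's actual setup), here is the same idea mapped onto the OP's own names: Guest_VRF and corporate_VRF on a single ISR, one public IP, and the ISP gateway in the default (global) table. It uses static route leaks with the `global` keyword plus VRF-aware PAT rather than route-target import/export, because route targets only move prefixes between VRFs when BGP is redistributing them, which this box is not running. Every interface name, address (203.0.113.0/30 for the uplink, 192.168.10.0/24 and 192.168.20.0/24 for the LANs), VRF name and RD value is an assumption chosen for the example.

```cisco
! Added example config, not from the original post. Names, addresses and RDs are
! assumptions; 203.0.113.0/24 is a documentation range, 192.168.x.0/24 is private.
ip vrf Guest_VRF
 rd 65000:10
ip vrf corporate_VRF
 rd 65000:20
!
! Which LAN ranges get translated; one ACL per VRF keeps the NAT rules separate.
ip access-list standard NAT-GUEST
 permit 192.168.10.0 0.0.0.255
ip access-list standard NAT-CORP
 permit 192.168.20.0 0.0.0.255
!
! Explicit guest -> corporate deny. The leaked default route already sends guest
! traffic out the WAN, but stating the policy on the guest interface keeps the
! isolation visible and survives a later, more specific leak being added.
ip access-list extended GUEST-IN
 deny   ip any 192.168.20.0 0.0.0.255
 permit ip any any
!
! WAN stays in the global table: it is the only NAT "outside" and the only
! place the ISP gateway is reachable.
interface GigabitEthernet0/0
 description ISP uplink (global table)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.10
 description Guest LAN
 encapsulation dot1Q 10
 ip vrf forwarding Guest_VRF
 ip address 192.168.10.1 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
!
interface GigabitEthernet0/1.20
 description Corporate LAN
 encapsulation dot1Q 20
 ip vrf forwarding corporate_VRF
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
! Global default route to the ISP.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Leak out of each VRF: the trailing "global" keyword tells IOS to resolve the
! next hop in the global table instead of inside the VRF, which is exactly what
! the wanconnection:N default routes in the answer were missing.
ip route vrf Guest_VRF 0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.1 global
ip route vrf corporate_VRF 0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.1 global
!
! Return path: global static routes pointing at the VRF-owned interfaces so
! replies from the ISP can be forwarded back into the right table.
ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/1.10
ip route 192.168.20.0 255.255.255.0 GigabitEthernet0/1.20
!
! One public IP, so overload (PAT) per VRF onto the global WAN interface.
ip nat inside source list NAT-GUEST interface GigabitEthernet0/0 vrf Guest_VRF overload
ip nat inside source list NAT-CORP interface GigabitEthernet0/0 vrf corporate_VRF overload
```

Syntax is the IOS 15.x form used on ISR G2; check it against your platform's documentation before relying on it. To confirm the leak took effect, `show ip route vrf Guest_VRF` should list the 0.0.0.0/0 static with GigabitEthernet0/0 as the outgoing interface, and `show ip nat translations` should show guest and corporate sessions as separate entries sharing the one public address. The two VRFs never exchange routes with each other; only the global table knows both LANs, and it only needs them for translated return traffic.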
I think the route leaking at the end is what the OP was after without knowing it :)
@javano I think so too :) but I hope I gave a bit of an overview of some of the possibilities :)
yeah - route-leaking is what I was looking for without knowing it....makes sense now. I'll try and build this this weekend and see how it goes!
The wanconnection:N static routes do not make sense to me. It would be a better example if you had 2 LAN sides, 1 WAN side, a default route (like you have already) to the WAN-side shared VRF, but then you should have LAN-side routes pointing to the LAN next hop.