04-02-2024 08:26 AM
Hi, I have an ICX-7450 stack with 5 members running L3 Code with L3-prem license.
I have a default VRF on VE1 (VLAN 1) and a Non-default VRF on VE 200 (VLAN 200)
I want to allow traffic between VLAN 1 Networks and VLAN 200 Networks :
config excerpt:
vlan 1 name DEFAULT by port
 router-interface ve 1
 spanning-tree 802-1w
vlan 200 name clientx by port
 ### Here would be the tagged ports
 router-interface ve 200
 spanning-tree 802-1w
vrf clientx
 rd 11:11
 ip router-id 10.30.0.16
 address-family ipv4
 ip route 0.0.0.0/0 10.30.0.254
 ip route 172.16.100.0/24 ve 1
 exit-address-family
exit-vrf
ip router-id 172.18.10.16
ip route 0.0.0.0/0 172.18.10.254
ip route 10.30.0.0/24 ve 200
interface ve 1
 ip address 172.18.10.16 255.255.255.0
interface ve 200
 vrf forwarding clientx
 ip address 10.30.0.16 255.255.255.0
I just want clients from the default VRF (172.18.10.0/24) to be able to communicate with the clientx VRF (10.30.0.0/24).
Documentation is telling me that VRF route leaking works by selecting the respective exit interface of the VRF, but it doesn't work. Clients cannot reach each other.
I think I am dumb; in Cisco I would just use the "import maps", but this is my first time with VRF on Ruckus.
(Please note: networks are changed and very simplified in this example; each VRF has more routes which the other side should not see. I only specified the one network for which we want inter-VRF connectivity. This L3 router is also the gateway for the clients in their respective VLANs.)
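A check a reviewer could run over a saved configuration to list exactly which prefixes cross the VRF boundary and whether each leak has a return path, as an added example that is not part of the original thread and not Ruckus code. It assumes only the stanza syntax shown in the excerpt above; `audit_leaks` and `SAMPLE` are hypothetical names.

```python
import ipaddress

# Constructed input: leak-relevant lines of the config excerpt in the post above.
SAMPLE = """\
vrf clientx
 address-family ipv4
 ip route 0.0.0.0/0 10.30.0.254
 ip route 172.16.100.0/24 ve 1
exit-vrf
ip route 0.0.0.0/0 172.18.10.254
ip route 10.30.0.0/24 ve 200
interface ve 1
 ip address 172.18.10.16 255.255.255.0
interface ve 200
 vrf forwarding clientx
 ip address 10.30.0.16 255.255.255.0
"""

def audit_leaks(config):
    """Find static routes whose exit VE is in another VRF; return (leaks, warnings)."""
    routes, if_vrf, if_net = [], {}, {}
    vrf, iface = "default", None
    for w in (line.split() for line in config.splitlines()):
        if len(w) == 2 and w[0] == "vrf":
            vrf = w[1]                     # entering a VRF stanza
        elif w[:1] == ["exit-vrf"]:
            vrf = "default"
        elif len(w) == 3 and w[:2] == ["interface", "ve"]:
            iface = "ve " + w[2]
            if_vrf[iface] = "default"      # until a "vrf forwarding" line says otherwise
        elif len(w) == 3 and w[:2] == ["vrf", "forwarding"] and iface:
            if_vrf[iface] = w[2]
        elif len(w) == 4 and w[:2] == ["ip", "address"] and iface:
            if_net[iface] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif len(w) == 5 and w[:2] == ["ip", "route"] and w[3] == "ve":
            routes.append((vrf, ipaddress.ip_network(w[2], strict=False), "ve " + w[4]))
    leaks, warnings = [], []
    for src, prefix, exit_if in routes:
        dst = if_vrf.get(exit_if, src)     # unknown exit interface: treat as same VRF
        if dst == src:
            continue                       # ordinary route, nothing crosses a VRF
        leaks.append((src, str(prefix), exit_if, dst))
        if prefix.prefixlen == 0:
            warnings.append(f"{src}: default route leaked via {exit_if} exposes all of {dst}")
        if if_net.get(exit_if) != prefix:
            warnings.append(f"{src}: {prefix} is not the subnet configured on {exit_if}")
        if not any(s == dst and if_vrf.get(i) == src for s, _, i in routes):
            warnings.append(f"{src}: no return route from {dst} back into {src}")
    return leaks, warnings
```

Run on the excerpt, `audit_leaks(SAMPLE)` reports the two leaks and one warning: 172.16.100.0/24 is not the subnet configured on ve 1 (the post notes that its networks were changed and simplified).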
04-08-2024 01:03 AM
Hello, I cannot move this in-production interface to a different VRF. Wouldn't this also mean that both interfaces share the same routing table completely?
The Setup is:
Firewall1 int 1 -> ICX1 (Gateway-default) ve 1 default VRF Multiple Subnets
Firewall1 int 30 -> ICX1 (Gateway-clientx ) ve 200 clientx VRF Multiple Subnets
We need to reach one of the default subnets from clientx via the ICX Gateway and vice versa. Routing these subnets through the Firewall is not an option.
We also do not want to have both interfaces in the same VRF and then block access with an ACL, because we need those subnets to enter the Firewall on a separate interface and then we'd have to use ACL policy-based routing.
04-08-2024 07:24 AM
Hi S4mrai
Thank you for reaching us
You are correct, they will fall in the same routing table. I wanted to see whether the ping is reachable when they are part of the same routing table, because the two routes do display in the routing table in the earlier output you shared.
In case this is a production network I would not recommend the change. I would request you to log a case using the below link as this may need further tests and may require you to share more details.
Thanks
04-08-2024 08:04 AM
I solved part of it:
I cleared all VRF and ARP with the "clear" command.
Since then L3 communication works; I can ping between the leaked routes' subnets as intended.
The only issue now is: broadcasts are not relayed, although I have an IP helper configured as well as directed broadcasts, and I allowed IP forwarding for bootpc and bootps.
Do you want me to post my config here, or should I close this and open a new thread?
04-12-2024 06:19 AM - edited 04-12-2024 06:20 AM
Hi S4mrai,
Adding to the post, the directed-broadcast and UDP forwarding is probably not best in the case of DHCP.
Here the best approach would be to use relay/dhcp-relay on L3 interfaces.
But if the DHCP has to cross the VRFs, then similar route provisioning with relay/dhcp-helper should help,
as relay/dhcp-helper would convert the broadcast of the DHCP to unicast and direct it to the server, and with route provisioning it should help cross the VRFs.
Let us know if the bits help!
04-14-2024 01:58 AM
Hi S4mrai,
Adding to the post. As this is a new setup you need to test it out before moving it into production.
In order to check the network flow I would suggest you check out the configuration first to achieve the Baseline.
For VRF Related Configuration you can refer to the below link for your reference:
You can also refer to the below short video link for your reference:
Below link for CONFIGURING A MANAGEMENT VRF :
https://youtu.be/1kzIY1SiK_A?si=fRIgk2gh6vkyZZmH
Below link for CONFIGURING MULTI-VRF :
https://youtu.be/vC3bhw1aGzg?si=4HvcHWzl7RqoOrrg
Since the issue is also related to the DHCP you can refer to the below link for your reference:
https://youtu.be/AXCPDVptsyk?si=UwezPcJgoBMVePZX
https://youtu.be/OCE0eEQqQAY?si=YdAdqyjTVcuK4Z7p
Below link for IP HELPER ADDRESS :
https://youtu.be/5eQI-ptLCtY?si=vguL8xxcatGx9s_f
Moving forward, if this issue is not resolved, please log a ticket with the below link so that we can help you further.
https://support.ruckuswireless.com/contact-us
I hope this information helps you.
Please feel free to leave us a message if you have any concerns.
Thanks