VRF on a Meraki-based Hybrid Environment

Schiller

Hello Cisco Community,


I am working on a complex network segmentation project and need design guidance, specifically due to hardware role assignments and an IOS XE version constraint.

My current design is as follows:

  • Primary L3 Core/Distribution: Meraki MS250 (handles inter-VLAN routing for all non-VRF traffic).
  • Dedicated VRF Engine: Cisco Catalyst 9300L (running native IOS XE 17.15 via CLI). This device is only to be used for its VRF functionality.
  • Firewall/Egress: Meraki MX250.
  • I must create 10 fully isolated VRFs, where all 10 VRFs must use the exact same overlapping IP subnet (e.g., 10.1.1.0/24).


The network needs to route traffic as follows:

  1. Client Traffic (VLAN 101-110, all 10.1.1.0/24) -> C9300L (VRF lookup).
  2. C9300L (routed out of VRF) -> MS250 (Primary Core).
  3. MS250 -> MX250 (Egress/NAT) -> Internet.


What is the best method to connect the C9300L's 10 VRFs to the MS250?


Routing Loop Prevention: Since the MS250 is the primary core, what specific static routes or route filtering is required on the C9300L and the MS250 to ensure the VRF-bound traffic is sent to the C9300L without causing a routing loop, while non-VRF traffic uses the MS250's existing routing tables?


Any advice on the optimal connection type (L3 Routed Port vs. SVI with Static Route) between the C9300L and MS250 in this highly specific VRF-delegated role would be greatly appreciated.

rhbirkelund
Kind of a big deal

From what I can tell, based on your description, that topology is not one that is compatible with Meraki.


Meraki does not support VRFs, and without VRFs you cannot do overlapping IP subnets on the Meraki MX, as it will be unable to distinguish between the VRFs.


I am not that much into VRF and MPLS VPNs, but perhaps you can do a transit VLAN for the Meraki, and on the C9300L do NATing between the transit VLAN in the GRT and specific VRFs with route leaking?


Regardless, I'd reach out to my Meraki SE and have a chat with them on what's possible, if it were me.

GIdenJoe
Kind of a big deal

True: how do you expect the routes to remain distinct once you get out of the VRF onto the MX?

You would need some sort of NAT to be able to send to an MX. Or just use a firewall that supports multiple contexts so you can use VRF lite all the way.

cmr
Kind of a big deal

If you want the MS250s to be the distribution then they need to be L2 only. The L3 routing would need to be done inside the 9300L VRFs. Combine this with NAT on the 9300L for egress to the MX and it could work, as you have enough ports on the MX for one pair of ports per 9300L VRF with each port in a separate VLAN on the MX, but it would be one hell of a horrible setup to try to support.

PhilipDAth
Kind of a big deal
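As an added illustration of the design rhbirkelund and cmr sketch above (transit VLAN in the GRT, per-VRF NAT on the C9300L so the Meraki side only ever sees distinct addresses), here is an IOS XE configuration fragment for two of the ten VRFs. It is example code, not from the thread or from Cisco documentation, and it assumes VLAN 900 (192.168.100.0/30) as the transit to the MS250, one /24 NAT pool per VRF (192.168.101.0/24, 192.168.102.0/24), and that the C9300L's IOS XE release supports VRF-aware NAT on SVIs, which should be confirmed against the platform's NAT restrictions before relying on it.

```cisco
! Added example, not the thread's own config. All names, VLANs and addresses are assumptions.
vrf definition TENANT01
 address-family ipv4
 exit-address-family
!
vrf definition TENANT02
 address-family ipv4
 exit-address-family
!
! Both tenant SVIs carry the identical 10.1.1.0/24 because each lives in its own VRF
interface Vlan101
 description TENANT01 clients
 vrf forwarding TENANT01
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Vlan102
 description TENANT02 clients
 vrf forwarding TENANT02
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Transit to the MS250 stays in the global routing table (no vrf forwarding)
interface Vlan900
 description Transit to MS250 (GRT)
 ip address 192.168.100.2 255.255.255.252
 ip nat outside
!
ip access-list standard ACL-TENANT-CLIENTS
 permit 10.1.1.0 0.0.0.255
!
! One pool per VRF: the MS250 and MX only ever see non-overlapping source addresses,
! and the "vrf" keyword scopes each rule so the shared ACL cannot match the wrong tenant
ip nat pool POOL-TENANT01 192.168.101.1 192.168.101.254 netmask 255.255.255.0
ip nat pool POOL-TENANT02 192.168.102.1 192.168.102.254 netmask 255.255.255.0
ip nat inside source list ACL-TENANT-CLIENTS pool POOL-TENANT01 vrf TENANT01 overload
ip nat inside source list ACL-TENANT-CLIENTS pool POOL-TENANT02 vrf TENANT02 overload
!
! Loop prevention: each VRF holds only a default route that exits into the GRT toward the
! MS250, so VRF traffic is never routed into another VRF and the non-VRF subnets remain
! the MS250's responsibility. The GRT itself defaults to the MS250 as well.
ip route vrf TENANT01 0.0.0.0 0.0.0.0 192.168.100.1 global
ip route vrf TENANT02 0.0.0.0 0.0.0.0 192.168.100.1 global
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
! On the MS250 (dashboard static routes): 192.168.101.0/24 and 192.168.102.0/24 via
! 192.168.100.2; the MS250 keeps its existing default toward the MX250 for Internet NAT.
```

Extending this to all ten VRFs means a VRF definition, a tenant SVI, a pool, a NAT rule and a VRF default route per tenant, plus a matching static route for each pool on the MS250.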

Others have already given good answers.  I would also like to mention the recent Meraki VRF support for C9300 switches.

https://documentation.meraki.com/MS/Layer_3_Switching/VRF
