Assistance Needed: Inter-VRF Routing with MP-BGP
Hello everyone,
I've been trying to solve a problem for over a day regarding inter-VRF routing using MP-BGP and I can't seem to figure a few things out.
I have a Cisco 1921 which has VRF-JLAN and VRF-JGLOBE with 3 interfaces configured as (g0/0 = vrf JLAN, g0/1 = no vrf, g0/2 = dot1q trunk to 2960S). vrf JLAN is a restricted network for user access, DNS server, etc. vrf JGLOBE is for the Video server, and the global routing table belongs to Wifi Access. I've been able to separate all the networks and I can route traffic out to the Internet from vrf JLAN and the global route table, but where I'm having issues is getting vrf JGLOBE to route traffic using the Global route table.
For example: vrf JLAN should not be accessed by either Global or vrf JGLOBE. JGLOBE should be able to access the vrf JLAN DNS server but it should route its internet traffic via the Global route table (g0/1). Lastly, JLAN should be able to access 2 networks from the Global route table.
I've attached my config and diagram so you can better understand what I'm trying to achieve. More light to solving this problem would be much appreciated.
ip vrf JGLOBE
rd 65001:2
export map WIFI
route-target export 65001:2
ip vrf JLAN
rd 65001:1
import ipv4 unicast map C-GLOBAL
route-target export 65001:1
route-target import 65001:1
route-target import 65001:2
interface GigabitEthernet0/0
description LAN-ACCESS-INTERNET [TO Nexthop FIREWALL]
ip vrf forwarding JLAN
ip address 192.168.4.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect INTERNET-FW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface GigabitEthernet0/1
description GLOBAL-Wifi-INTERNET [TO Nexthop - FIREWALL]
ip address 192.168.5.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect GLOBAL-FW in
ip inspect GLOBAL-FW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
interface GigabitEthernet0/2.3
description Users LAN
encapsulation dot1Q 3
ip vrf forwarding JLAN
ip address 192.168.30.1 255.255.255.240
interface GigabitEthernet0/2.4
description Video Server
encapsulation dot1Q 4
ip vrf forwarding JGLOBE
ip address 10.6.40.1 255.255.255.0
router ospf 1 vrf JLAN
router-id 10.6.6.10
redistribute bgp 65001 subnets
network 0.0.0.0 255.255.255.255 area 0
router ospf 2 vrf JGLOBE
router-id 10.5.7.10
redistribute bgp 65001 subnets
network 0.0.0.0 255.255.255.255 area 0
router bgp 65001
bgp router-id 10.4.6.4
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
address-family ipv4
redistribute connected
exit-address-family
address-family ipv4 vrf JGLOBE
redistribute connected
redistribute ospf 2
exit-address-family
address-family ipv4 vrf JLAN
redistribute connected
redistribute ospf 1
exit-address-family
ip dns view vrf JGLOBE default
ip dns view vrf JLAN default
ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip route vrf JGLOBE 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.5.1
ip route vrf JLAN 0.0.0.0 0.0.0.0 192.168.4.1 name LAN_INET
ip prefix-list GLOBAL-INET seq 5 permit 0.0.0.0/0
ip prefix-list SERVER-NET seq 5 permit 10.6.40.2/32
ip prefix-list WIFI-NET seq 5 permit 10.254.0.0/22 le 32
Similar Messages
-
Inter VLAN Routing with ASA 5520 and Cat 2960
Hi there,
I am a complete novice at networking, but I was tasked to have an ASA 5520 do inter VLAN routing (since my shop doesn't have a layer 3 router).
As a basic setup, I am trying to have three workstations on three different VLANs communicate with each other. The attached screenshot shows the topology.
I am unable to ping from a PC to the ASA...therefore I can't ping to other VLANs. Any assistance would be greatly appreciated.
ROUTER CONFIG:
ciscoasa#
ciscoasa# show run
: Saved
ASA Version 8.3(1)
hostname ciscoasa
domain-name null
enable password ###### encrypted
passwd ###### encrypted
names
dns-guard
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
no nameif
security-level 100
ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
vlan 20
nameif vlan20
security-level 100
ip address 10.10.20.1 255.255.255.0
interface GigabitEthernet0/1.30
vlan 30
nameif vlan30
security-level 100
ip address 10.10.30.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name null
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu vlan10 1500
mtu vlan20 1500
mtu vlan30 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.5 inside
dhcpd enable inside
dhcpd address 10.10.10.101-10.10.10.253 vlan10
dhcpd enable vlan10
dhcpd address 10.10.20.101-10.10.20.253 vlan20
dhcpd enable vlan20
dhcpd address 10.10.30.101-10.10.30.253 vlan30
dhcpd enable vlan30
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4ad1bba72f1f51b2a47e8cacb9d3606a
: end
SWITCH CONFIG
Switch#show run
Building configuration...
Current configuration : 2543 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no aaa new-model
system mtu routing 1500
ip subnet-zero
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
vlan internal allocation policy ascending
interface GigabitEthernet0/1
description Port Configured As Trunk
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
interface GigabitEthernet0/4
switchport access vlan 30
switchport mode access
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface GigabitEthernet0/8
interface GigabitEthernet0/9
interface GigabitEthernet0/10
interface GigabitEthernet0/11
interface GigabitEthernet0/12
interface GigabitEthernet0/13
interface GigabitEthernet0/14
interface GigabitEthernet0/15
interface GigabitEthernet0/16
interface GigabitEthernet0/17
interface GigabitEthernet0/18
interface GigabitEthernet0/19
interface GigabitEthernet0/20
interface GigabitEthernet0/21
interface GigabitEthernet0/22
interface GigabitEthernet0/23
interface GigabitEthernet0/24
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface GigabitEthernet0/27
interface GigabitEthernet0/28
interface GigabitEthernet0/29
interface GigabitEthernet0/30
interface GigabitEthernet0/31
interface GigabitEthernet0/32
interface GigabitEthernet0/33
interface GigabitEthernet0/34
interface GigabitEthernet0/35
interface GigabitEthernet0/36
interface GigabitEthernet0/37
interface GigabitEthernet0/38
interface GigabitEthernet0/39
interface GigabitEthernet0/40
interface GigabitEthernet0/41
interface GigabitEthernet0/42
interface GigabitEthernet0/43
interface GigabitEthernet0/44
interface GigabitEthernet0/45
interface GigabitEthernet0/46
interface GigabitEthernet0/47
interface GigabitEthernet0/48
interface Vlan1
ip address 10.10.1.2 255.255.255.0
no ip route-cache
interface Vlan10
no ip address
no ip route-cache
interface Vlan20
no ip address
no ip route-cache
interface Vlan30
no ip address
no ip route-cache
ip default-gateway 10.10.1.1
ip http server
ip http secure-server
control-plane
line con 0
line vty 5 15
end
ciscoasa# capture cap10 interface vlan10
ciscoasa# capture cap20 interface vlan20
ciscoasa# show cap cap10
97 packets captured
107 packets shown
ciscoasa# show cap cap20
92 packets captured
92 packets shown
-
Inter-VPN routing with export map for host routes
Hi,
I am trying to export host routes from a connected network from one VRF to multiple other VRFs. This is to allow the leaking of specific host routes for management purposes. However, I suspect that the /32 host route(s) actually need to be present in the management VRF so the RTs are added accordingly, rather than just specified in the match clause of the MGMT VRF export map.
Ideally here, I only want to export 10.111.111.254/32 from the connected network 10.111.111.0/24 in the MGMT VRF. The only way around this I can see is to move 10.111.111.0/24 behind another device, and add specific host route(s) within the MGMT VRF for the 10.111.111.X/32 host routes (which are redistributed into the MGMT VRF), using the additional device as the next-hop.
ip vrf MGMT
rd 1:1
export map MGMT-EXPORT-MAP
route-target export 1:1
route-target import 1:1
route-target import 1:1001
ip vrf CUST-B
rd 1:2
export map CUSTOMERS-EXPORT-MAP
route-target export 1:2
route-target import 1:2
route-target import 1:1000
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip vrf forwarding MGMT
ip address 10.111.111.1 255.255.255.0
interface FastEthernet0/0.200
encapsulation dot1Q 101
ip vrf forwarding CUST-B
ip address 10.96.2.1 255.255.254.0
router bgp 65000
bgp router-id 1.1.1.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
address-family ipv4 vrf CUST-B
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf MGMT
redistribute connected
no synchronization
exit-address-family
ip prefix-list CUSTOMERS seq 5 permit 10.96.2.0/23
ip prefix-list ONPREMISE seq 5 permit 10.111.111.0/24
ip prefix-list ONPREMISE seq 10 permit 10.111.111.254/32
route-map CUSTOMERS-EXPORT-MAP permit 10
match ip address prefix-list CUSTOMERS
set extcommunity rt 1:1001 additive
route-map MGMT-EXPORT-MAP permit 10
match ip address prefix-list ONPREMISE
set extcommunity rt 1:1000 additive
Cheers,
Matt
Hi Matt
Yes, the X/32 routes need to be present in the VRF routing table, and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
Regards
Varma
-
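The export-map behaviour from the MGMT / CUST-B thread above, as an added Python model that is not part of the original posts and is not Cisco code. It uses the thread's route targets and prefixes and treats the prefix-list as exact match; the `Vrf` class and the function names are hypothetical, and the model assumes routes the export map does not match keep only the VRF's own export RTs.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network as net


@dataclass
class Vrf:
    name: str
    export_rts: set            # "route-target export" values
    import_rts: set            # "route-target import" values
    routes: set = field(default_factory=set)        # prefixes in this VRF's BGP table
    export_match: set = field(default_factory=set)  # export-map prefix-list, exact match
    export_extra_rt: str = ""  # RT from "set extcommunity rt <rt> additive"

    def exported(self):
        """Return {prefix: RTs} for every route this VRF advertises."""
        out = {}
        for prefix in self.routes:
            rts = set(self.export_rts)
            # The export map can only tag a route that exists in the table:
            # a /32 listed in the prefix-list but absent from the table
            # never reaches this line.
            if self.export_extra_rt and prefix in self.export_match:
                rts.add(self.export_extra_rt)
            out[prefix] = rts
        return out


def leaked_into(target, source):
    """Prefixes advertised by `source` that `target` imports, as sorted strings."""
    hits = [p for p, rts in source.exported().items() if rts & target.import_rts]
    return [str(p) for p in sorted(hits)]


SUBNET = net("10.111.111.0/24")    # connected network in MGMT (from the thread)
HOST = net("10.111.111.254/32")    # host route Matt wants to leak
CUST_NET = net("10.96.2.0/23")     # connected network in CUST-B


def build(mgmt_routes, onpremise):
    """Build both VRFs with the thread's RTs; only MGMT's table and list vary."""
    mgmt = Vrf("MGMT", {"1:1"}, {"1:1", "1:1001"},
               set(mgmt_routes), set(onpremise), "1:1000")
    cust = Vrf("CUST-B", {"1:2"}, {"1:2", "1:1000"},
               {CUST_NET}, {CUST_NET}, "1:1001")
    return mgmt, cust


def mgmt_to_customer(mgmt_routes, onpremise):
    mgmt, cust = build(mgmt_routes, onpremise)
    return leaked_into(cust, mgmt)


def customer_to_mgmt():
    mgmt, cust = build({SUBNET}, {SUBNET, HOST})
    return leaked_into(mgmt, cust)


# 1. Config as posted: only the connected /24 exists, prefix-list has /24 and /32.
AS_POSTED = mgmt_to_customer({SUBNET}, {SUBNET, HOST})
# 2. Prefix-list narrowed to the /32, but no /32 route in the MGMT table.
FILTER_ONLY = mgmt_to_customer({SUBNET}, {HOST})
# 3. /32 present in the table (e.g. redistributed static) and prefix-list narrowed.
HOST_PRESENT = mgmt_to_customer({SUBNET, HOST}, {HOST})

if __name__ == "__main__":
    print("as posted        ->", AS_POSTED)
    print("filter only      ->", FILTER_ONLY)
    print("host route added ->", HOST_PRESENT)
    print("CUST-B into MGMT ->", customer_to_mgmt())
```

The first case shows why the posted configuration exposes the whole management subnet to the customer VRF; only the third case limits the leak to the single host.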
Hi Guyz,
I have 3 VRFs on the VSS core.
1) VRF A
2) VRF B
3) Global VRF.
I have a firewall in L3 mode between these VRFs. Traffic between A & B has to cross the firewall.
I can use BGP or EVN to leak routes between VRFs, but they leak only routes that are present in the routing table.
Now I need to leak a specific route, e.g. 10.10.10.10/32, from VRF A to VRF B.
10.10.10.0/24 is a directly connected interface on VRF A.
I need to find a way where I can leak a /32 route between VRFs.
Thanks
Changing the autonomous system number may be necessary when 2 separate BGP networks are combined under a single autonomous system. This typically occurs when one ISP purchases another ISP. The neighbor local-as command is used initially to configure BGP peers to support 2 local autonomous system numbers to maintain peering between 2 separate BGP networks. This configuration allows the ISP to immediately make the transition without any impact on existing customer configurations.
enable
configure terminal
router bgp as-number
address-family {ipv4 | ipv6 | vpnv4| [multicast | unicast | vrf {vrf-name}]}
-
Do you need a cisco router at remote sites when using VRF BGP?
Hello.....
If you could refer to the attached document and read the following... I need to know if a CISCO router is required for each of the sites. OR does the ISP (Provider) provide the only required Router in the private cloud?
We want to replace the Cisco 891 with a PepLink but I don't know if we can do that. Can anyone jump in and help me understand?
When we hear about VRF, it's almost synonymous to MPLS VPN. Virtual Routing and Forwarding is commonly used by Service Providers to provide services within an MPLS cloud with multiple customers. The most interesting feature of this is that VRF allows creation of multiple routing tables within a single router. This means that overlapping use of IP addresses from different customers is possible. Some enterprises use VRF to segregate their services like VOIP, wireless, geographical location and other varieties.
Whether you can replace the 891 device with another device boils down to a single question: Do you need to run BGP with the Service Provider in order to use their service? If you need to run a routing protocol with your service provider, your service is likely a L3VPN (IP VPN) solution (i.e. you inject your site's routes into the provider's L3VPN session, they use MP-BGP+VRF for segmentation within their network).
If, however, they just drop you a L2 connection and provide L2 emulated services (e.g. L2VPN or VPLS) across their network, then your device can be whatever you want it to be.
From your device's perspective, it is not VRF aware. That is, it does not know about how the service provider segments your service from another customer's. In the L3VPN case, your device is routing-protocol aware. In the L2VPN case, your device is not routing protocol aware and does not need to form adjacency with the service provider's equipment.
HTH.
Rate if helpful.
-
Cisco 1700 with MP-BGP and VRF support
I have a Cisco 1721 with MP-BGP Support, you can create VRFs with it and every other MPLSVPN feature, but the commands for MPLS switching are not supported like Router(config-if)mpls ip , I read in some forums that you can create MPLS VPN without enabling MPLS at all, just with MPBGP, but I couldn't do it myself, Can someone tell me how to make it work or what can I do with a Cisco 1721 that supports MP-BGP?
thanks in advance
Here is an example. Take care about overhead for packets like VoIP. The overhead is 88 bytes.
The packet seems something like that.
IpHeader-pub@ - NAT-Tudp4500 - ESP - IpHeader-priv@(vrf discriminator) - GRE - Original IP Header - Data - Esp Trailer.
In this case you need tunnel-mode because you use private @ in order to determine vrf (vrf discriminator).
This is a LAB config, all other security parameters you need on a router are not configured. If you add access-list on the external interface of REMOTE you have to understand every encapsulation step in order to well tune it.
Good reading.
The PPT drawing shows the physical and logical views.
PS, take care about fragmentation issues; the problem is still not well managed by the routers. I could not make Tunnel-path-mtu discovery work with VRFs. The workaround is to fragment packets. It's not good for performance but currently there is no other solution concerning that.
Kind Regards
Miguel -
3750 SMI is HSRP possible with inter-VLAN routing
Dear Netprof,
Wondering if anyone has managed to do this in practice.
I have two sites separate by a LES100 circuit, which is currently configured as a trunk.
I have 2 x 3750G-48-SMI's at each site (total of 4).
I want to have the same vlan numbering at each site, i.e vlans 10, 20, 30, etc for users and vlans 100, 200, 300 for servers then another load of vlans for DMZ and market feeds.
The same VLANs would be presented at both sites.
Is it possible to set up HSRP so that on each stack inter-VLAN routing can occur on each site if the LES 100 fails?
Any web links would be appreciated.
Thanks in advance,
Regards, adrian.
Hi, many thanks for your assistance on this.
I totally agree, the best way would be to have a different default gateway configured at each site. However I have all the client machines with static addresses and this would involve a lot of work.
The vlans that are split between the sites have the majority of users at one site, so vlan 10 would have 95% of the users at site 1 and vlan 20 would have 95% of the users at site 2.
I was planning on balancing the HSRP between the switches so on vlan 10 the primary switch (active) would be at site 1 and secondary (standby) would be at site 2. The reverse configuration would be used for vlan 20.
I am thinking along the lines of something like this for the config, can I have your thoughts?
Site 1
Interface vlan 10
Ip address 192.168.10.2 255.255.255.0
Standby 1 ip 192.168.10.1
standby 1 priority 110
standby 1 preempt
Interface vlan 20
Ip address 192.168.20.2 255.255.255.0
Standby 2 ip 192.168.20.1
Interface vlan 30
Ip address 192.168.30.2 255.255.255.0
Standby 3 ip 192.168.30.1
standby 3 priority 110
standby 3 preempt
Interface vlan 40
Ip address 192.168.40.2 255.255.255.0
Standby 4 ip 192.168.40.1
Site 2
Interface vlan 10
Ip address 192.168.10.3 255.255.255.0
Standby 1 ip 192.168.10.1
Interface vlan 20
Ip address 192.168.20.3 255.255.255.0
Standby 2 ip 192.168.20.1
standby 2 priority 110
standby 2 preempt
Interface vlan 30
Ip address 192.168.30.3 255.255.255.0
Standby 3 ip 192.168.30.1
Interface vlan 40
Ip address 192.168.40.3 255.255.255.0
Standby 4 ip 192.168.40.1
standby 4 priority 110
standby 4 preempt
I thought CEF should only need to route the first packet and all remaining packets in the flow should be switched (not routed) ?
Thanks again for your assistance.
Regards, Adrian. -
Route leaking from VRF to Global on same router with VLAN interface
Hi all,
I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
interface FastEthernet4
description ***Connection to WAN***
ip vrf forwarding FVRF
ip address 10.0.0.6 255.255.255.0
interface Vlan100
description ***LAN***
ip address 192.168.227.1 255.255.255.0
So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
I thought I could do that config but it is not possible:
(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
OR
DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
%Invalid next hop address (it's this router)
Any ideas are really welcome.
Best regards,
Laurent
Hi,
I have tried the following solution:
Add 10.0.0.0 /24 from VRF to Global:
ip route 10.0.0.0 255.255.255.0 FastEthernet4
Add 192.168.227.0 /24 from Global to VRF:
router bgp 64512
bgp log-neighbor-changes
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
route-map Global permit 10
match ip address prefix-list Global-VRF
ip vrf FVRF
rd 1:1
import ipv4 unicast map Global
So now the VRF table looks like that:
# sh ip route vrf FVRF
C 10.0.0.0/24 is directly connected, FastEthernet4
S 10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L 10.0.0.6/32 is directly connected, FastEthernet4
B 192.168.227.0/24 is directly connected, 00:15:12, Vlan100
The Global table looks like this:
#sh ip route
Gateway of last resort is 10.1.0.107 to network 0.0.0.0
D* 0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S 10.0.0.0/24 is directly connected, FastEthernet4
C 10.1.0.0/24 is directly connected, Tunnel1
L 10.1.0.227/32 is directly connected, Tunnel1
C 10.2.0.0/24 is directly connected, Tunnel2
L 10.2.0.227/32 is directly connected, Tunnel2
C 10.10.10.227/32 is directly connected, Loopback100
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
But when I try to ping it still doesn't work:
#ping vrf FVRF 192.168.227.1 source fastEthernet 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.6
Success rate is 0 percent (0/5)
#ping 10.0.0.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.227.1
Success rate is 0 percent (0/5)
Any ideas?
Regards,
Laurent -
ACE design with inter-Vlan routing
Hello all.
I'm working on a design for a customer where the ACE will perform inter vlan routing.
A few questions about that :
- is routed traffic enforced in hardware with some kind of CEF-like mechanism? (I suppose yes because there is a FIB? per
https://supportforums.cisco.com/docs/DOC-19253) we expect a certain load and routing in software will not be acceptable
- if I put my VIPs within the VLANs hosting the application, is there any restriction on accesses made to this VIP (if the VIP is reached after the routing process is performed) ?
example :
VLAN2 (client) ----- ACE ----- VLAN3 (servers)
192.168.2.0/24                 192.168.3.0/24
If I try to access the VIP (192.168.3.20) from a PC in the VLAN2 (192.168.2.15) does it work ?
I assume yes because the VIP appears as a connected /32 in the routing table, I just want to be sure to not fall into some tricky part of code because the access to the VIP is done after the routing process. I just want to be sure there is no drawback / restriction about that.
Thanks in advance.
Hello Surya!
Yes this is possible. You can reach the VIP from one VLAN to another (The VIP is not really inside of the VLAN). Important is to check your ACLs and you need to have the service-policy either globally or local on both VLAN-interfaces.
And I guess there is nothing like CEF implemented in the ACE, because it is not needed there.
Cheers,
Marko -
Things I need to know when swapping out old router with Airport Extreme?
Hi, having been given some good advice in other areas of this forum, I've decided to swap my current D-Link router with an Airport Extreme. I recently added an Airport Express and Time Capsule to my current wireless network (as 'join current network wirelessly') hoping to avoid the changing of my current router. However it appears to get the best and most flexible performance I need to go that further step. I've not done this before, having had the network setup by the ISP. What do I need to know, be aware of prior to unplugging my current router? Like:
Should the airport extreme just 'work' once I plug it in? Other than the normal set up process. Or:
Will the cable modem (Motorola SBV5121) require reconfiguration or some form of sync with the router?
Will I need my password and ID from the ISP for the new router? I currently only have the the current router password - no idea what the ISP ID and password is, they were set by the guy installing - yes I know I should have written them down somewhere.
Any traps or challenges I need to be aware of that is not covered in the printed material?
I have heard ISP's will generally not assist with this as it is not viable for them to try and help, understandable. So I just wanted to be as prepared as possible.
Any thoughts or experiences or pointers to documentation would be greatly appreciated.
Kind regards
Richard
Apologies this should have been posted in the Airport Extreme forum - it's been moved.
-
I need advice and help with this problem.
First, I have been with Mac for many years (14 to be exact). I do have some knowledge and understanding of Apple products.
At the present time I'm having lots of problems with the router so I was looking into some info, and came across one web site regarding: port forwarding, IP addresses.
In my frustration, amongst lots of open web pages, tutorials and other useless information, I came across an innocent looking link and software to install called Genieo, which is supposed to help with any router.
The software asked for permission to install, and about 30% in, my instinct was telling me there was something not right. I stopped the installation, deleted everything, and looked for any trace in Spotlight and Library. Nothing could be found.
Now, every time I open Safari, Firefox or Chrome, it will open on my home page, but when I start looking for something, instead of the Google page there is a ''search.genieo.com'' page acting like Google. I tried again to get rid of this but I cannot find a solution.
With more research, again using the genieo.com search engine, there are lots of articles and warnings. From that I learned not to use the uninstall software, because doing this will install more things from where it came from.
I do have AppleCare support but it's too late to phone them, so maybe there are some people with the knowledge of how to get this off my computer.
Any help is welcome. English is my learned language, you may notice this, so I'm not that quick to respond.
Genieo definitely doesn't help with your router. It's just adware, and has no benefit to you at all. They scammed you so that they could display their ads on your computer.
To remove it, see:
http://www.thesafemac.com/arg-genieo/
Do not use the Genieo uninstaller! -
What do I do with the Beta 10.9.3 program I've been using these past several weeks, now that 10.9.3 is out and downloaded.......I still have 'feedback assistant' in my dock........are there files I need to do something with ??? thanx..............75 yrs old and still swimmin' upstream.........
from : OS X Beta Seed Program FAQ
How do I get a shipping version of OS X back on my Mac?
To get a shipping release of OS X on your Mac, you can simply install the final version of the software you are testing when it appears in Software Update.
How do I leave the OS X Beta Seed Program?
To leave the program, visit the Leave Program page and follow the instructions to remove your Apple ID and your computers from the OS X Beta Seed Program. This will stop pre-release updates from appearing in the Mac App Store on your computers.
You only need to do more than you already have, if you'd rather not see future pre-release updates. -
Urgent!!! Cisco ACE and asymmetric routing assistance needed
I am wondering if someone can give me pointers on the Cisco ACE
and asymmetric routes. I've attached the diagram:
-Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
-Firewall External interface is 192.168.15.1/24,
-Firewall Internal interface is 192.168.192.1/24,
-F5_BigIP External interface is 192.168.192.4/24,
-F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
-host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
-Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
pointing to the F5_BigIP,
-host_y is dual-home to both VLAN_A and VLAN_B with the default
gateway on host_y pointing to VLAN_A which is 192.168.196.1,
-host_x CAN ssh/telnet/http/https to both of host_y IP addresses
of 192.168.196.10 and 192.168.197.10.
In other words, from host_x, when I try to connect to host_y
via IP address of 192.168.197.10, the traffic will go through VLAN_B
but the return traffic will go through VLAN_A. Everything
is working perfectly for me so far.
Now the customer has just replaced the F5_BigIP with Cisco ACE. Now,
I could not get it to work with asymmetric routing with Cisco ACE. In
other words, from host_x, I can no longer ssh or telnet to host_y
via IP address of 192.168.197.10.
Does anyone know how to get asymmetric routing to work on Cisco ACE?
Thanks in advance.
That won't work because ACE uses the vlan id to distinguish between flows.
So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
You would need to force your host to respond on the same vlan the traffic came in.
This could be done with client nat on ACE using different nat pool.
Gilles. -
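The flow lookup described in the reply above, as an added example that is not part of the original thread and is a simplified model rather than ACE code: it shows why the reply arriving on VLAN_A misses a flow keyed on VLAN_B, and why client NAT from a pool inside the VLAN_B subnet makes host_y answer on the same VLAN. The address of host_x (4.1.1.10), the pool address (192.168.197.200) and the port numbers are constructed.

```python
import ipaddress

# host_y's addresses and default-gateway VLAN are taken from the post.
HOST_Y = {
    "VLAN_A": ipaddress.ip_interface("192.168.196.10/24"),
    "VLAN_B": ipaddress.ip_interface("192.168.197.10/24"),
}
HOST_Y_DEFAULT_VLAN = "VLAN_A"  # default gateway 192.168.196.1

def vlan_of(ip):
    """Server-side VLAN whose subnet contains ip, or None if ip is remote."""
    addr = ipaddress.ip_address(ip)
    for vlan, iface in HOST_Y.items():
        if addr in iface.network:
            return vlan
    return None

def host_reply_vlan(dst_ip):
    """host_y replies on a connected subnet if it can, else via its default gateway."""
    return vlan_of(dst_ip) or HOST_Y_DEFAULT_VLAN

class FlowTable:
    """Simplified stateful device: the arrival VLAN is part of the flow key."""
    def __init__(self):
        self.flows = set()

    def open_flow(self, server_vlan, src, sport, dst, dport):
        # Store the key the return packet must match, VLAN included.
        self.flows.add((server_vlan, dst, dport, src, sport))

    def accepts(self, vlan, src, sport, dst, dport):
        return (vlan, src, sport, dst, dport) in self.flows

def connect(client_ip, server_ip, nat_pool_ip=None, sport=40000, dport=22):
    """True if host_y's reply matches the flow created for the request."""
    table = FlowTable()
    seen_src = nat_pool_ip or client_ip      # source address host_y sees
    out_vlan = vlan_of(server_ip)            # VLAN the request leaves on
    table.open_flow(out_vlan, seen_src, sport, server_ip, dport)
    reply_vlan = host_reply_vlan(seen_src)   # host_y's own routing decision
    return table.accepts(reply_vlan, server_ip, dport, seen_src, sport)

if __name__ == "__main__":
    host_x = "4.1.1.10"        # constructed client address
    pool = "192.168.197.200"   # constructed client-NAT pool address in VLAN_B
    for srv, nat in [("192.168.196.10", None),
                     ("192.168.197.10", None),
                     ("192.168.197.10", pool)]:
        result = "accepted" if connect(host_x, srv, nat) else "dropped"
        print(f"server={srv} nat={nat} reply {result}")
```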
Since I installed my new d6300 netgear my downloads on Apple TV have taken a lot longer than previously using a billion router. Do I need to do something with the net gear set up?
Just connect the new iPod to your computer and setup the iPod via iTunes (instead of via wifi).
If you want to copy all the info from an old iPod touch to the new iPod see:
iOS: Transferring information from your current iPhone, iPad, or iPod touch to a new device -
Somebody have samples about how to fill the ROI tables only to have the receipt from inter-organization transfer with in-transit routing.
Thanks in advance.
Pl. visit following links.
Oracle Apps: 11.5.10 / R12 ROI How to Receive Intransit Shipment (Inter-org transfer) for Lot / Serial Controlled Items …
How to process an INTRANSIT SHIPMENT (INTER-ORG TRANSFER) through ROI in 11.5.10