CSR1000V VRF Route Leaking vs GNS

Similar Messages

• MPLS VRF Routes Leaking

  I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
  Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
  Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
  What is the best solution to prefer that meets the requirements & also avoids the security loopholes ?

  you could do one of the following ways to implement Internet access for L3 MPLS VPN
  1. using a separate PE interface in global routing table: in this case the FWSM and an interface in the PE/PEs will require to be in the the global routing table to have the Internet access and then you can inject that route to the VRF/VRFs
  2. Internet access using route leaking between VRFs and the global route table: by using this method you will need to configure a static default route with a next hop as an Internet gateway in your case the FWSM, reachable through the global routing table, this VRF default route need to be injected/redistributed in  the PE-CE routing (MP-BGP) to provide the outbound Internet connectivity to your  VRFs.
  inbound traffic from Internet will require either NATed VRF or a static routes from the global routing table points to the VRF interface
  3. the other method is the used of shared service: with this method you need to put the Internet service FWSM in its own VRF then you can control the import and export between the Internet VRF and other VRFs through import/export of the VRFs route-target values
  good luck
  if helpful Rate

• VRF Route leaking to internet

  I'm just starting to learn about route leaking today, so I'm still trying to figure this out.
  In short, I've created three vlans and put them in a vrf and would like them to access the internet.  At this point, I have vrf created, vlans assigned and a global route leaked from the vrf to the gateway of last resort.  A machine in the vrf is able to ping all three vlan gateways, but cannot still get to the internet.
  I have everything on a 6509 core switch, and my firewall is an ASA 5505.  I've also tried putting routing configs in using eigrp, but the vrf networks never made it to the ASA.  Attached are my configs on both.  If anyone could help me with what I'm missing that would be great.  Thanks!
  ****  6509 Config  ****
  lab-core6509#sh run
  Building configuration...
  Current configuration : 22128 bytes
  ! Last configuration change at 17:31:43 pst Tue Jan 7 2014 by rmf
  ! NVRAM config last updated at 12:30:19 pst Tue Jan 7 2014 by rmf
  upgrade fpd auto
  version 12.2
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  no service password-encryption
  service sequence-numbers
  service counters max age 5
  hostname lab-core6509
  boot-start-marker
  boot system flash disk0:s72033-ipservicesk9_wan-mz.122-33.SXI.bin
  boot-end-marker
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  clock timezone pst -8
  clock summer-time PDT recurring
  clock calendar-valid
  ip subnet-zero
  ip dhcp excluded-address 192.168.80.1 192.168.80.9
  ip dhcp pool 192.168.80.0/24
     network 192.168.80.0 255.255.255.0
     default-router 192.168.80.1
     domain-name procopio-guest.com
     dns-server 8.8.8.8
  ip vrf bingfish
  rd 123:1
  ip domain-name company.local
  mls ip slb purge global
  mls netflow interface
  no mls flow ip
  no mls flow ipv6
  mls cef error action reset
  spanning-tree mode pvst
  diagnostic bootup level minimal
  diagnostic cns publish cisco.cns.device.diag_results
  diagnostic cns subscribe cisco.cns.device.diag_commands
  fabric timer 15
  redundancy
  main-cpu
    auto-sync running-config
  mode sso
  vlan internal allocation policy ascending
  vlan access-log ratelimit 2000
  interface Port-channel10
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet1/1
  switchport
  switchport access vlan 500
  switchport mode access
  spanning-tree portfast edge
  ~SNIP~  (I don't think anyone cares about all the interface configs!)
  interface Vlan510
  description voice server net
  ip address 10.90.10.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan666
  ip address 10.90.253.1 255.255.255.0
  interface Vlan851
  description bingfish client net
  ip vrf forwarding bingfish
  ip address 10.249.1.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan852
  description bingfish server net
  ip vrf forwarding bingfish
  ip address 10.249.2.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan853
  description bingfish management net
  ip vrf forwarding bingfish
  ip address 10.249.3.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan901
  description guest network
  ip address 192.168.80.1 255.255.255.0
  ip access-group guest-net in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan912
  description internet perimeter
  ip address 10.91.2.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan999
  description management net
  ip address 10.90.100.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  router eigrp 200
  network 10.0.0.0
  address-family ipv4 vrf bingfish
    autonomous-system 99
    network 10.249.1.0 0.0.0.255
    network 10.249.2.0 0.0.0.255
    network 10.249.3.0 0.0.0.255
    redistribute static metric 10000 100 255 1 1500
  exit-address-family
  ip classless
  ip route 0.0.0.0 0.0.0.0 10.91.1.2
  ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
  no ip http server
  no ip http secure-server
  ip access-list extended guest-net
  deny   ip any 10.0.0.0 0.255.255.255
  permit ip any any
  control-plane
  dial-peer cor custom
  line con 0
  exec-timeout 30 0
  line vty 0 4
  exec-timeout 30 0
  line vty 5 15
  exec-timeout 30 0
  ntp logging
  ntp authenticate
  ntp trusted-key 10
  ntp clock-period 17179851
  ntp source Vlan500
  ntp master
  ntp server 10.90.1.50 prefer
  end
  ****  ASA 5505 Config  ****
  lab-5505asa# sh run
  : Saved
  ASA Version 8.2(5)
  hostname lab-5505asa
  domain-name company.local
  names
  dns-guard
  interface Ethernet0/0
  description inside
  interface Ethernet0/1
  description outside
  switchport access vlan 2
  interface Ethernet0/2
  description dmz
  switchport access vlan 4
  speed 100
  duplex full
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.91.1.2 255.255.255.0
  ospf cost 10
  interface Vlan2
  nameif outside
  security-level 0
  ip address <outside ip> 255.255.255.128
  ospf cost 10
  interface Vlan4
  nameif DMZ
  security-level 50
  ip address 172.16.35.1 255.255.255.0
  ospf cost 10
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name company.local
  object-group service DM_INLINE_SERVICE_1
  service-object tcp eq domain
  service-object udp eq domain
  service-object udp eq ntp
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_1
  network-object host 10.90.1.10
  network-object host 10.90.1.11
  object-group network DM_INLINE_NETWORK_2
  network-object host <outside ip>
  network-object host<outside ip>
  object-group service DM_INLINE_SERVICE_2
  service-object tcp eq domain
  service-object udp eq domain
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  port-object eq 3008
  port-object eq 3010
  port-object eq ssh
  object-group network DM_INLINE_NETWORK_3
  network-object 216.9.240.0 255.255.240.0
  network-object 68.171.224.0 255.255.224.0
  object-group service DM_INLINE_TCP_4 tcp
  port-object eq 3268
  port-object eq 3269
  port-object eq ldap
  port-object eq ldaps
  object-group network DM_INLINE_NETWORK_6
  network-object host 172.16.35.12
  network-object host 172.16.35.13
  object-group service DM_INLINE_TCP_5 tcp
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_7
  network-object host 172.16.35.12
  network-object host 172.16.35.13
  object-group network DM_INLINE_NETWORK_8
  network-object host 172.16.36.45
  network-object host 172.16.36.46
  object-group service DM_INLINE_TCP_6 tcp
  port-object eq 2598
  port-object eq citrix-ica
  port-object eq www
  object-group service DM_INLINE_TCP_7 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_3 tcp
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_4
  network-object host<outside ip>
  network-object host <outside ip>
  network-object host <outside ip>
  object-group network DM_INLINE_NETWORK_5
  network-object host 172.16.35.12
  network-object host 172.16.35.13
  object-group network DM_INLINE_NETWORK_10
  network-object host 172.16.36.15
  network-object host 172.16.36.42
  object-group network xenapp_servers
  network-object host 10.90.1.45
  network-object host 10.90.1.46
  network-object host 10.90.5.54
  object-group network xendesktop_servers
  network-object host 10.90.1.38
  network-object host 10.90.1.54
  object-group network DM_INLINE_NETWORK_11
  network-object host 172.16.36.10
  network-object host 172.16.36.42
  network-object 10.80.1.0 255.255.255.0
  group-object xenapp_servers
  group-object xendesktop_servers
  object-group network DM_INLINE_NETWORK_9
  network-object host 172.16.36.27
  network-object host 172.16.36.31
  object-group network DM_INLINE_NETWORK_12
  network-object host 74.117.58.150
  network-object host 97.95.240.159
  object-group network DM_INLINE_NETWORK_13
  network-object 10.90.10.0 255.255.255.0
  network-object 192.168.80.0 255.255.255.0
  network-object 10.249.0.0 255.255.0.0
  object-group network DM_INLINE_NETWORK_14
  network-object 10.90.1.0 255.255.255.0
  network-object 10.90.5.0 255.255.255.0
  access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_12 any log disable
  access-list outside_access_in extended permit tcp any host <outside ip>eq 3389 log disable
  access-list outside_access_in extended permit tcp any host<outside ip>eq smtp log disable
  access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable
  access-list dmz_access_in extended permit ip any any log disable
  access-list inside_access_in extended deny ip host 10.90.100.25 any log disable
  access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable
  access-list inside_access_in extended permit tcp host 10.90.1.27 host 172.16.35.11 eq smtp log disable
  access-list inside_access_in extended permit ip 10.80.1.0 255.255.255.0 any log disable
  access-list inside_access_in extended permit tcp host 10.90.1.33 object-group DM_INLINE_NETWORK_3 eq 3101 log disable
  access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_14 any object-group DM_INLINE_TCP_2 log disable
  access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 log disable
  access-list inside_access_in extended permit udp host 10.90.1.50 any eq ntp log disable
  access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_11 log disable
  access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.27 eq smtp log disable
  access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.35.10 host 172.16.36.10 log disable
  access-list DMZ_access_in extended permit tcp host 172.16.35.11 any eq smtp log disable
  access-list DMZ_access_in extended permit tcp host 172.16.35.10 any object-group DM_INLINE_TCP_1 log disable
  access-list DMZ_access_in remark rule for cag to owa
  access-list DMZ_access_in extended permit tcp host 172.16.35.13 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_3 log disable
  access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.10 object-group DM_INLINE_TCP_4 log disable
  access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_5 log disable
  access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_6 log disable inactive
  access-list slow-down extended permit ip 10.90.0.0 255.255.0.0 any
  access-list slow-down extended permit ip any 10.90.0.0 255.255.0.0
  pager lines 24
  logging enable
  logging trap debugging
  logging asdm warnings
  logging host inside 10.90.1.65 6/1470
  logging permit-hostdown
  mtu inside 1500
  mtu outside 1500
  mtu DMZ 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-713.bin
  asdm history enable
  arp timeout 14400
  global (inside) 2 interface
  global (outside) 1 interface
  global (DMZ) 1 interface
  nat (inside) 1 10.80.1.0 255.255.255.0
  nat (inside) 1 10.90.1.0 255.255.255.0
  nat (inside) 1 10.90.5.0 255.255.255.0
  nat (inside) 1 192.168.80.0 255.255.255.0
  nat (inside) 1 10.249.0.0 255.255.0.0
  nat (DMZ) 1 172.16.35.0 255.255.255.0
  static (DMZ,outside)<outside ip>172.16.35.10 netmask 255.255.255.255 dns
  static (DMZ,outside) <outside ip>172.16.35.55 netmask 255.255.255.255 dns
  static (DMZ,outside) <outside ip>172.16.35.50 netmask 255.255.255.255 dns
  static (DMZ,outside) <outside ip>172.16.35.60 netmask 255.255.255.255 dns
  static (inside,outside) <outside ip>10.90.1.21 netmask 255.255.255.255 dns
  static (inside,DMZ) 172.16.36.31 10.90.1.31 netmask 255.255.255.255
  static (inside,DMZ) 172.16.36.10 10.90.1.10 netmask 255.255.255.255
  static (inside,DMZ) 172.16.36.27 10.90.1.27 netmask 255.255.255.255
  static (inside,DMZ) 172.16.36.15 10.90.1.15 netmask 255.255.255.255
  static (inside,DMZ) 172.16.36.42 10.90.1.42 netmask 255.255.255.255
  static (inside,DMZ) 10.90.1.0 10.90.1.0 netmask 255.255.255.0
  static (inside,DMZ) 10.80.1.0 10.80.1.0 netmask 255.255.255.0
  static (inside,DMZ) 10.90.5.0 10.90.5.0 netmask 255.255.255.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  access-group DMZ_access_in in interface DMZ
  router eigrp 200
  network 10.0.0.0 255.0.0.0
  passive-interface default
  no passive-interface inside
  route outside 0.0.0.0 0.0.0.0 209.242.145.129 1
  route inside 10.0.0.0 255.0.0.0 10.91.1.1 1
  route inside 10.249.0.0 255.255.0.0 10.91.1.1 1
  route inside 192.168.80.0 255.255.255.0 10.91.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh timeout 60
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics host number-of-rate 3
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 10.90.1.50 source inside prefer
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    inspect tftp
    inspect icmp
    inspect pptp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:9ba1f1f89fa1a88af05e2fc5fdba3090
  : end

  So it would appear I've solved it by adding a static route in the global routing table back to the subnets in the vrf:
  ip classless
  ip route 0.0.0.0 0.0.0.0 10.91.1.2
  ip route 10.249.1.0 255.255.255.0 Vlan851   <-----------------------
  ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
  Thanks

• Nexus 7000 route leak from GRT (default VRF) to other VRF's

  Hello
  We have a Nexus 7000 infrastructure whereby we have had multiple VDC's and VRF's deployed. A requirement has now come about whereby one of these VRF's needs to be able to see our GRT (default VRF) so we need to leak the GRT routes into the VRF and vice versa.
  I have been doing a lot of reading and I am happy with the how this works with inter-VRF route leaking but I seem to missing a few things in respect of how this works with the GRT.
  I have also read on another forum that this is not supported. See link below.
  https://supportforums.cisco.com/document/133711/vrf-configuration-and-verification-nexus-7000
  Does anyone have experience of this? I can also see how this works in IOS and I have GNS3 and got this working.
  We use BGP currently so we are able to use MP-BGP if required.
  Any help would be very useful.

  Hi,
  In Table 14 of the Cisco Nexus 7000 Series NX-OS Verified Scalability Guide the verified limit is specified as 1000 per system i.e., across all VDCs for NX-OS release 5.2, 6.0 and 6.1.
  There is a footnote associated with this number which states:
  With each new VDC configured, the number of configurable VRFs per system is reduced by two as each VDC has a default VRF and management VRFs that are not removable. For example, with 8 configured VDCs on Cisco NX-OS Release 5.2, you can configure up to 984 VRFs per system (either all in one VDC or across VDCs).
  Regards

• Route leaking from VRF to Global on same router with VLAN interface

  Hi all,
  I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
  interface FastEthernet4
  description ***Connection to WAN***
  ip vrf forwarding FVRF
  ip address 10.0.0.6 255.255.255.0
  interface Vlan100
  description ***LAN***
  ip address 192.168.227.1 255.255.255.0
  So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
  I though I could do that config but it is not possible:
  (config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
  % For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
  OR
  DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
  %Invalid next hop address (it's this router)
  Any ideas are really welcome.
  Best regards,
  Laurent

  Hi,
  I have tried the following solution:
  Add 10.0.0.0 /24 From VRFto Global:
  ip route 10.0.0.0 255.255.255.0 FastEthernet4
  Add 192.168.227.0 /24 from Global to VRF:
  router bgp 64512
  bgp log-neighbor-changes
  address-family ipv4
    no synchronization
    redistribute connected
    no auto-summary
  exit-address-family
  ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
  route-map Global permit 10
  match ip address prefix-list Global-VRF
  ip vrf FVRF
    rd 1:1
    import ipv4 unicast map Global
  So now the VRF table looks like that:
  #      sh ip route vrf FVRF
  C        10.0.0.0/24 is directly connected, FastEthernet4
  S        10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
  L        10.0.0.6/32 is directly connected, FastEthernet4
  B     192.168.227.0/24 is directly connected, 00:15:12, Vlan100
  The Global table looks like this:
  #sh ip route
  Gateway of last resort is 10.1.0.107 to network 0.0.0.0
  D*    0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
         10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
  S        10.0.0.0/24 is directly connected, FastEthernet4
  C        10.1.0.0/24 is directly connected, Tunnel1
  L        10.1.0.227/32 is directly connected, Tunnel1
  C        10.2.0.0/24 is directly connected, Tunnel2
  L        10.2.0.227/32 is directly connected, Tunnel2
  C        10.10.10.227/32 is directly connected, Loopback100
         192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.227.0/24 is directly connected, Vlan100
  L        192.168.227.1/32 is directly connected, Vlan100
  But When I try to ping it still doesn´t work:
  #ping vrf FVRF 192.168.227.1 source fastEthernet 4
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
  Packet sent with a source address of 10.0.0.6
  Success rate is 0 percent (0/5)
  #ping 10.0.0.1 source vlan 100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
  Packet sent with a source address of 192.168.227.1
  Success rate is 0 percent (0/5)
  Any ideas?
  Regards,
  Laurent

• Howto control/filter traffic between VRF-(lite) using route leaking?

  Hi,
  does anybody know how I can control/filter the traffic between two vrf when I use route leaking or also normal route target export/import connections, maybe with an acl, in the following scenarios?
  Scenario 1:
  I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers and I want one of PE routers to allow/route traffic between these VPNs but especially traffic on tcp port 80 and no other ports. I'm only aware of bindung acls to logical or physical interfaces but I don't know how to do this here.
  Scenario 2:
  Same as scenario 1 but not the PE router will connect the VPN but a separate router-on-a -tick (e.g. 4900M) which is connected to one of the PE routers should do this job with vrf-lite and route leaking (address-family ipv4 vrf ...). Also here I want only to allow tcp port 80 between the vpns
  Kind Regards,
  Thorsten

  Thanks.
  That's what I was assuming. In my experience this solution does not scale with increasing number of vpn and inter vpn traffic via route target.
  Is it correct that there is only one common acl per vpn where all rules for the communication to all other vpns are configured? Doesn't this acl become too complex and too error-prone to administrate in a real network environment? Further on in my understanding this acl has to be configured per vpn on all pe routers which have interfaces to ce routers for that vpn.
  Does cisco offer software for managing this?

• Route Leaking in MPLS/VPN Networks (IOX support)

  Hi all,
  I would like to if IOX of CRS-1 can support route leaking between VRF<>Global routing table?
  hhttp://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtmlttp://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
  Regards

  Hi,
  You can use the vrf keyword after the prefix you want to join and before specifying the NH. It will tell the router in which VRF the lookup should be done:
  http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.0/routing/command/reference/rr40crs1book_chapter9.html#wp172562637
  The vrf name "default" is reserved to reference the GRT.
  HTH
  Laurent.

• Route Leaking Issue

  Hi All,
  Still cutting my teeth with MPLS, and i am labbing up some stuff, and i've come accross an issue (or not)
  This maybe by design, i'm not sure.
  I've got a basic P core running OSPF and MPLS. Easy so far.
  I've got 2 PEs, one on each side (still with me )
  Attached to each PE I have a CE, and a Loopback.
  On each side the CE is in one VRF and the Loopback is in another.
  All straighforward so far. Routing is work I am using RIP for the CEs and Redisribute connected for the L-Backs.
  MPBGP is working fine and the routes are being carried accross the core.
  I now want to step it up and bit a try out some route leaking. I have imported routes from the CE VRF to the LBack VRF easily
  on one PE. and vice versa.
  However, the next step is where i get confused. When i import routes to a VRF i would expect to see them
  propagated accross the MPLS core to the same VRF on the other side of the VPN.
  Not sure if it should work like this.
  Any Opinions??
  Thank all
  Stephen

  Hi Stephen,
  As per your senario you wnat to import the route from one vrf to other vrf  , So to achive that you can configure route-target for same.
  Below is the senario :
  CE 1_A--------------                                                         ------------------- CE1_B
                             PE 1 ---------------- P ---------------- PE 2
  CE 2_A--------------                                                         ------------------- CE 2_B
  In above senario
  1] CE1_A & CE 1_B are in CUST_A vrf .
  2] CE2_A & CE 2_B are in CUST_B vrf .
  Now If you want that in CE 1 _A  that is in vrf CUST_A should communicate with only CE2_A that is in vrf CUST_B you ca have different RT , Below is the example for above senario.
  PE1 -
  ip vrf CUST_A
  rd 65000:100
  route-target export 65:100
  route-target import 65:100
  route-target import 65: 20
  route-target export 65: 10
  ip vrf CUST_B
  rd 65000:200
  route-target export 65:100
  route-target import 65:100
  route-target import 65: 10
  route-target export 65: 20
  Here in above config you can see that in CUST_A vrf we had export the RT 65: 10 & that RT is imported by CUST_B vrf & in CUST_B vrf you had exported  65:20 RT & that RT is imported by CUST_A vrf.
  So in now you can see that in CE 1_A & CE 2_A will see each other route in there routing table . This is know as extramet in MPLS.
  Regards
  Chetan Kumar
  http://chetanress.blogspot.com

• Assistance Needed: Inter-VRF Routing with MP-BGP

  hello everyone,
  I've been trying to solve a problem for over a day regarding inter-vrf routing using MP-BGP and I can't seem to figure a few things out.
  I have Cisco 1921 which has VRF-JLAN and VRF-JGLOBE with 3 interfaces configured as (g0/0 = vrf JLAN, g0/1=no vrf, g0/2 = dot1q trunk to 2960S). vrf JLAN is a restricted network for users access, dns server, e.t.c. vrf JGLOBE is for Video server and global routing table belongs to Wifi Access. I've been able to seperate all the network and I can route traffic out to the Internet from vrf JLAN and the global route table but where I'm having issues is getting vrf JGLOBE to route traffic using the Global route table.
  For example: vrf JLAN should not be accessed by either Global or vrf JGLOBE. JGLOBE should be able to access vrf JLAN dns server but it should route its internet traffic via Global route table (g0/1). Last JLAN should be able to access 2 networks from the Global route table.
  I've attached my config and diagram so you can better understand what I'm trying to achieve. More light to solving this problem would be much appreciated.
  ip vrf JGLOBE
   rd 65001:2
   export map WIFI
   route-target export 65001:2
  ip vrf JLAN
   rd 65001:1
   import ipv4 unicast map C-GLOBAL
   route-target export 65001:1
   route-target import 65001:1
   route-target import 65001:2
  interface GigabitEthernet0/0
   description LAN-ACCESS-INTERNET [TO Nexthop FIREWALL]
   ip vrf forwarding JLAN
   ip address 192.168.4.3 255.255.255.248
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   ip flow egress
   ip inspect INTERNET-FW out
   ip virtual-reassembly in
   load-interval 30
   duplex auto
   speed auto
  interface GigabitEthernet0/1
   description GLOBAL-Wifi-INTERNET [TO Nexthop - FIREWALL]
   ip address 192.168.5.3 255.255.255.248
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   ip flow egress
   ip inspect GLOBAL-FW in
   ip inspect GLOBAL-FW out
   ip virtual-reassembly in
   load-interval 30
   duplex auto
   speed auto
  interface GigabitEthernet0/2
   no ip address
   duplex auto
   speed auto
  interface GigabitEthernet0/2.3
   description Users LAN
   encapsulation dot1Q 3
   ip vrf forwarding JLAN
   ip address 192.168.30.1 255.255.255.240
  interface GigabitEthernet0/2.4
   description Video Server
   encapsulation dot1Q 4
   ip vrf forwarding JGLOBE
   ip address 10.6.40.1 255.255.255.0
  router ospf 1 vrf JLAN
   router-id 10.6.6.10
   redistribute bgp 65001 subnets
   network 0.0.0.0 255.255.255.255 area 0
  router ospf 2 vrf JGLOBE
   router-id 10.5.7.10
   redistribute bgp 65001 subnets
   network 0.0.0.0 255.255.255.255 area 0
  router bgp 65001
   bgp router-id 10.4.6.4
   bgp log-neighbor-changes
   bgp graceful-restart restart-time 120
   bgp graceful-restart stalepath-time 360
   bgp graceful-restart
   address-family ipv4
    redistribute connected
   exit-address-family
   address-family ipv4 vrf JGLOBE
    redistribute connected
    redistribute ospf 2
   exit-address-family
   address-family ipv4 vrf JLAN
    redistribute connected
    redistribute ospf 1
   exit-address-family
  ip dns view vrf JGLOBE default
  ip dns view vrf JLAN default
  ip route 0.0.0.0 0.0.0.0 192.168.5.1
  ip route vrf JGLOBE 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.5.1
  ip route vrf JLAN 0.0.0.0 0.0.0.0 192.168.4.1 name LAN_INET
  ip prefix-list GLOBAL-INET seq 5 permit 0.0.0.0/0
  ip prefix-list SERVER-NET seq 5 permit 10.6.40.2/32
  ip prefix-list WIFI-NET seq 5 permit 10.254.0.0/22 le 32

  Hi Matt
  Yes the X/32 routes needs to be present in the VRF Routing-Table and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
  Regards
  Varma

• Running RIP between CPE and PE but rip database on CPE has no vrf routes

  I am running RIP between CPE and PE and it is working - I can see the RIP routes in the VRF routing table. However I cannot see the RIP routes on the CPE, which I need to be able to do.
  PE RIP Config
  router rip
  address-family ipv4 vrf ABC
  redistribute static metric 1
  redistribute bgp 12345
  network XX.0.0.0
  no auto-summary
  exit-address-family
  CPE RIP Config
  router rip
  version 2
  redistribute connected metric 1 route-map Connected
  network XX.0.0.0
  no auto-summary
  route-map Connected permit 10
  description *** Interfaces to be advertised to MPLS Network ***
  match interface Vlan1
  route-map Connected deny 100
  description *** Deny Statement ***
  Thanks in advance for your help
  Regards
  DK

  Hi DK,
  You need to put the "metric #" command in your redistribute bgp configuration under the vrf SAFI in the RIP config on the PE router. This is done to prevent BGP MED (metric) from being used as the RIP metric, which as you would know, has a hop limit of 16.
  router rip
  address-family ipv4 vrf ABC
  redistribute static metric 1
  redistribute bgp 12345 metric 1
  network XX.0.0.0
  no auto-summary
  exit-address-family
  Try that and you should then see your VPN routes showing on the CE when the RIP process refreshes.
  HTH
  Joe.

• Route Leaking between VRF:s (Shared services)

  Hi,
  I'm a bit confused by this setup that i'm trying to achieve.
  The setup is classic though, I have one VRF for education (EDU), one for administrators (ADM) and then a shared VRF (GEM) like this:
  ip vrf ADM
  description *** ADMIN NET ***
  rd 2:2
  export map ADM-to-EDU
  route-target export 2:2
  route-target import 1:1
  route-target import 2:2
  ip vrf EDU
  description *** ELEV NET ***
  rd 3:3
  route-target export 3:3
  route-target import 1:1
  route-target import 33:33
  route-target import 3:3
  ip vrf GEM
  description *** GEMENSAM NET ***
  rd 1:1
  route-target export 1:1
  route-target import 2:2
  route-target import 3:3
  route-target import 1:1
  As you can see, i have also configured an export map for vrf ADM, which i'm then importing routes from.
  the Map looks as follows:
  access-list 1 permit 172.18.254.37
  route-map ADM-to-EDU permit 10
  match ip address 1
  set extcommunity rt 33:33 additive
  A relevant part of the ip setup is as follows:
  interface Loopback3
  ip vrf forwarding EDU
  ip address 3.3.3.3 255.255.255.255
  interface Loopback37
  ip vrf forwarding ADM
  ip address 172.18.254.37 255.255.255.255
  I'm running BGP:
  router bgp 65235
  no synchronization
  bgp log-neighbor-changes
  no auto-summary
  address-family ipv4 vrf GEM  redistribute connected
    redistribute static
    default-information originate
    no synchronization
  exit-address-family
  address-family ipv4 vrf EDU
    redistribute connected
    redistribute static
    default-information originate
    no synchronization
  exit-address-family
  address-family ipv4 vrf ADM
    redistribute connected
    redistribute static
    default-information originate
    no synchronization
  exit-address-family
  Now, the thing is, the leaking is working, i can see the leaked route in the EDU routing table below,
  Router#sh ip route vrf EDU
  Routing Table: EDU
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route
  Gateway of last resort is 172.19.16.5 to network 0.0.0.0
       1.0.0.0/32 is subnetted, 1 subnets
  B       1.1.1.1 is directly connected, 04:53:31, Loopback1
       3.0.0.0/32 is subnetted, 1 subnets
  C       3.3.3.3 is directly connected, Loopback3
       172.19.0.0/32 is subnetted, 1 subnets
  B       172.19.16.5 is directly connected, 02:27:51, Loopback0
       172.18.0.0/32 is subnetted, 1 subnets
  B       172.18.254.37 is directly connected, 00:32:14, Loopback37
  B*   0.0.0.0/0 [20/0] via 172.19.16.5 (GEM), 02:08:42
  but i cannot reach it:
  Router#ping vrf EDU 172.18.254.37
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  But if i run "debug ip packet" and the perform another ping, i get this result which i think is a bit weird? to me it seems as if it works.
  Router#ping vrf EDU 172.18.254.37
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
  *Mar  1 05:42:40.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:40.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
  *Mar  1 05:42:40.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:40.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
  *Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:40.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
  *Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:40.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
  *Mar  1 05:42:42.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:42.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
  *Mar  1 05:42:42.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:42.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
  *Mar  1 05:42:42.582: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:42.586: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
  *Mar  1 05:42:42.590: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:42.590: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
  *Mar  1 05:42:44.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:44.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
  *Mar  1 05:42:44.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:44.574: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
  *Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:44.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
  *Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:44.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
  *Mar  1 05:42:46.566: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:46.570: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
  *Mar  1 05:42:46.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:46.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
  *Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:46.570: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
  *Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:46.574: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
  *Mar  1 05:42:48.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:48.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
  *Mar  1 05:42:48.566: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
  *Mar  1 05:42:48.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
  *Mar  1 05:42:48.574: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:48.574: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
  *Mar  1 05:42:48.582: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
  *Mar  1 05:42:48.582: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
  Success rate is 0 percent (0/5)
  Router#
  However, if i add leaking for 3.3.3.3 in ADM vrf like this:
  access-list 2 permit 3.3.3.3
  route-map EDU-to-ADM permit 10
  match ip address 2
  set extcommunity rt  22:22 additive
  ip vrf ADM
  description *** ADMIN NET ***
  rd 2:2
  export map ADM-to-EDU
  route-target export 2:2
  route-target import 1:1
  route-target import 22:22      < - added line
  route-target import 2:2
  ip vrf EDU
  description *** ELEV NET ***
  rd 3:3
  export map EDU-to-ADM         < - added line
  route-target export 3:3
  route-target import 1:1
  route-target import 33:33
  route-target import 3:3
  Then it will work:
  Router#ping vrf EDU 172.18.254.37
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms
  So actually, my big question is, am i doing this the right or wrong way? i'm a bit confused.
  Sorry about the rant, maybe it will clarify some things for others who are confused, or maybe just make it worse!
  Some additional thoughts:
  Why can't i perform this ping, shouldnt this work?
  Router#ping vrf GEM 172.18.254.37
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  Router#
  bgp info:
  Router#sh ip bgp vpnv4 all
  BGP table version is 79, local router ID is 1.1.1.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 1:1 (default for vrf GEM)
  *> 0.0.0.0          172.19.16.5              0         32768 ?
  *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
  *> 2.2.2.2/32       0.0.0.0                  0         32768 ?
  *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
  *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
  *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
  Route Distinguisher: 2:2 (default for vrf ADM)
  *> 0.0.0.0          172.19.16.5              0         32768 ?
  *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
  *> 2.2.2.2/32       0.0.0.0                  0         32768 ?
  *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
  *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
  *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
  Route Distinguisher: 3:3 (default for vrf EDU)
  *> 0.0.0.0          172.19.16.5              0         32768 ?
  *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
     Network          Next Hop            Metric LocPrf Weight Path
  *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
  *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
  *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
  Router#

  Thank you for your answer Aravala.
  Ok, so i think i'm beginning to understand this now after several hours..
  Below is my setup now, and it works, but the thing is that it ONLY works from nets that are actually configured on interfaces.
  What i mean by this is,
  i want to reach ONLY the ip 172.18.254.37(ADM net) from ANY adress on 172.19.0.0/16 (EDU net)
  so naturally i try and change the prefix list to:
  ip prefix-list 1 seq 5 permit 172.18.254.37/32
  ip prefix-list 2 seq 5 permit 172.19.0.0/16
  But this doesnt work, i would be very grateful if someone could explain why and how to get around it..! i dont want to define every subnet on 172.19.0.0/16 and at the same time leave all of the 172.18.254.0/24 network open.
  working setup:
  ip vrf ADM
  description *** ADMIN NET ***
  rd 2:2
  export map ADM-to-EDU
  route-target export 2:2
  route-target import 1:1
  route-target import 22:22
  route-target import 2:2
  ip vrf EDU
  description *** ELEV NET ***
  rd 3:3
  export map EDU-to-ADM
  route-target export 3:3
  route-target import 1:1
  route-target import 33:33
  route-target import 3:3
  ip vrf GEM
  description *** GEMENSAM NET ***
  rd 1:1
  route-target export 1:1
  route-target import 2:2
  route-target import 3:3
  route-target import 1:1
  ip prefix-list 1 seq 5 permit 172.18.254.0/24
  ip prefix-list 2 seq 5 permit 172.19.64.0/21
  route-map ADM-to-EDU permit 10
  match ip address prefix-list 1
  set extcommunity rt  33:33 additive
  route-map EDU-to-ADM permit 10
  match ip address prefix-list 2
  set extcommunity rt  22:22 additive

• VRF-lite, NAT and route-leaking

  Hello, community. I'm trying to reproduce setup with two customers (R1 and R2), PE router (R3) and common services (R4).
  Here is configuration:
  R1:
  interface Loopback0
  ip address 10.10.1.1 255.255.255.255
  interface FastEthernet1/0
  ip address 192.168.15.1 255.255.255.0
  ip route 0.0.0.0 0.0.0.0 192.168.15.5
  R2:
  interface Loopback0
  ip address 10.10.2.2 255.255.255.255
  interface FastEthernet1/0
  ip address 192.168.16.1 255.255.255.192
  ip route 0.0.0.0 0.0.0.0 192.168.16.5
  R3:
  ip vrf VRF1
  rd 1:1
  route-target export 1:1
  route-target import 1:1
  ip vrf VRF2
  rd 2:2
  route-target export 2:2
  route-target import 2:2
  interface FastEthernet0/0
  description R1
  ip vrf forwarding VRF1
  ip address 192.168.15.5 255.255.255.192
  ip nat inside
  ip virtual-reassembly
  interface FastEthernet0/1
  description R2
  ip vrf forwarding VRF2
  ip address 192.168.16.5 255.255.255.192
  ip nat inside
  ip virtual-reassembly
  interface FastEthernet1/0
  description R4
  ip address 1.1.1.1 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  ip route 0.0.0.0 0.0.0.0 1.1.1.2
  ip route vrf VRF1 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
  ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
  ip route vrf VRF2 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
  ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
  ip nat inside source list 15 interface FastEthernet1/0 vrf VRF1 overload
  ip nat inside source list 16 interface FastEthernet1/0 vrf VRF2 overload
  access-list 15 permit 192.0.0.0 0.255.255.255
  access-list 15 permit 10.10.0.0 0.0.255.255
  access-list 16 permit 192.0.0.0 0.255.255.255
  access-list 16 permit 10.10.0.0 0.0.255.255
  R4:
  interface Loopback0
  ip address 10.10.10.10 255.255.255.255
  interface FastEthernet0/0
  ip address 1.1.1.2 255.255.255.0
  ip route 0.0.0.0 0.0.0.0 1.1.1.1
  The configuration is not operational.
  r1#ping 192.168.15.5
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 68/89/116 ms
  r1#ping 192.168.15.5 source l0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
  Packet sent with a source address of 10.10.1.1
  Success rate is 100 percent (5/5), round-trip min/avg/max = 68/86/92 ms
  r1#ping 1.1.1.1 source l0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 10.10.1.1
  Success rate is 80 percent (4/5), round-trip min/avg/max = 292/357/400 ms
  r1#ping 1.1.1.2 source l0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
  Packet sent with a source address of 10.10.1.1
  Success rate is 80 percent (4/5), round-trip min/avg/max = 160/187/216 ms
  r1#ping 10.10.10.10 source l0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
  Packet sent with a source address of 10.10.1.1
  Success rate is 0 percent (0/5)
  I can't ping R4's loopback address ("shared resource" or also known as "common service")
  The same is with R2 ( second customer).
  But I can still ping R4's loopback from R3:
  R3#ping 10.10.10.10
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 40/88/116 ms
  This is routing table on R3:
  R3#sh ip route | begin Gateway
  Gateway of last resort is 1.1.1.2 to network 0.0.0.0
       1.0.0.0/24 is subnetted, 1 subnets
  C       1.1.1.0 is directly connected, FastEthernet1/0
  S*   0.0.0.0/0 [1/0] via 1.1.1.2
  R3#sh ip route vrf VRF1 | begin Gateway
  Gateway of last resort is 1.1.1.2 to network 0.0.0.0
       192.168.15.0/26 is subnetted, 1 subnets
  C       192.168.15.0 is directly connected, FastEthernet0/0
       10.0.0.0/16 is subnetted, 1 subnets
  S       10.10.0.0 [1/0] via 192.168.15.1
  S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0
  R3#sh ip route vrf VRF2 | begin Gateway
  Gateway of last resort is 1.1.1.2 to network 0.0.0.0
       10.0.0.0/16 is subnetted, 1 subnets
  S       10.10.0.0 [1/0] via 192.168.16.1
       192.168.16.0/26 is subnetted, 1 subnets
  C       192.168.16.0 is directly connected, FastEthernet0/1
  S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0
  So the question is what is the problem cause? How to troubleshoot? What is the troubleshooting steps?

  Hi Eugene Khabarov
  The problem here is that at the PE we have the static route for the Major Subnet 10.10.0.0/16 pointing back to the CEs of which the destination ping IP 10.10.10.10 is part of.
  We need to remove the Major X /16 route from PE and configure explicit X /32 route for the CE Loopback to make this work
  no ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
  ip route vrf VRF1 10.10.1.1 255.255.0.0 192.168.15.1
  no ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
  ip route vrf VRF2 10.10.2.2 255.255.0.0 192.168.16.1
  Hope this helps to answer your query.
  Regards
  Varma

• Inter-VRF Route leakage

  Hi Guyz,
  I have 3 VRF's on VSS core.
  1) VRF A
  2) VRF B
  3) Global VRF.
  I have Firewall in L3 mode between these VRFs. Traffic between A & B have to cross firewall.
   i can use BGP or EVN to leak routes between VRFs,  but they leak only routes tht are present in  routing table.
  Now i need to leak specific route for eg 10.10.10.10/32 from VRF A to VRF B.
  10.10.10.0/24 is directly connected interface on VRF A. 
  i need to find a way where i can leake /32 route between VRFs.
  Thanks

  Changing the autonomous system number may be necessary when 2 separate BGP networks are combined under a single autonomous system. This typically occurs when one ISP purchases another ISP. The neighbor local-as command is used initially to configure BGP peers to support 2 local autonomous system numbers to maintain peering between 2 separate BGP networks. This configuration allows the ISP to immediately make the transition without any impact on existing customer configurations
  enable
  configure terminal
  router bgp as-number
  address-family {ipv4 | ipv6 | vpnv4| [multicast | unicast | vrf {vrf-name}]}

• Vrf routes into global route table

  Dear All
  I am stuck with a design I am trying to come up with for our EDGE network and looking for ideas from the community.
  It is similar to what is described here:
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html#wp86450http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html#wp86904
  In short we have a multi-context FWSM at 2 sites creating an EDGE network, each site operate independently. The sites are linked internally in a single routing domain using OSPF. Each of the outside networks are in seperate VRFs, single-tier model.
  I need to find a way to:
  1) link the 2 sites (currently is done with a GRE tunnel between the site vrfs, looking at replacing this with mp-bgp and l3vpn encapsulation)
  2) redistribute routes from each of the vrf into the common global route table (running ospf)
  1 is working nicely with mp-BGP peer between the sites and routes distributed between, however I am stuck on how to achieve 2.
  The only way I can see is to change the global route table to a vrf, then use rt import/export. This is commonly described as shared services. When I did that I got stuck with how to do the BGP peering as the loopback I was using for the peering is inside the new vrf.
  Basically I want dynamic routing from the global route table to learn routes from each of the sites vrf. Then if a particular site's vrf is unavailable, it can pick up the other site's route.
  Am I missing something here? The document linked makes it sound incredibly easy yet I am struggling with how to implement it.
  Any advice is much appreciated

  Hello philip,
  It is really hard to help you, if you do not provide topology where you would like to implement these changes, so just some thoughts to your points:
  2) redistribute routes from each of the vrf into the common global route table (running ospf)
  You can use PE - CE design. VRFs are terminated on PE with all routes you need in respective VRFs. On PE, MP-BGP routes are redistributed into respective VRF's OSPF process . PE is connected with CE via separate physical interface for each VRF or you can use one physical interface with dedicated sub-interface for each VRF. PE is peering with CE using OSPF. All routes end up in CE global routing table.
  Problems with this design ->
  - for each VRF you have to create separate OSPF process on PE and CE, also OSPF process ID has to be unique on PE for each VRF. Also OSPF process ID has to match to establish OSPF neighborship between PE-CE, so on CE you will have to redistribute OSPF routes from each process to your main OSPF process.
  other workarounds ->
  1) instead OSPF you will use as peering protocol BGP between PE-CE, but you still have to redistribute BGP routes to OSPF on CE
  2) you will use different PE to redistribute each VRF -> BGP routes will be redistributed from VRF into OSPF (same process ID as your main OSPF ID). Routes will be advertised via OSPF into CE global routing table.
  You will use on PE per VRF to redistribute routes into OSPF with same process ID as your main process ID. Thanks to different PEs, you can have same OSPF process ID, all these PEs will peer with same CE via OSPF.
  I hope I made my thoughts understandable, cause its quite hard to explain
  When I did that I got stuck with how to do the BGP peering as the loopback I was using for the peering is inside the new vrf.
  This should not be a problem. You can have same IP on all VRF and also global table, so peering can still be done. After BGP routes are exchanged you can leak prefixes from one vrf to another or into global table as you need.
  Best Regards
  Please rate all helpful posts and close solved questions

• Using vrf for separating management and user traffic

  hello
  We use vrf in our network for separating user / production traffic vs management traffic. but the way we have used it has turned out to be messy and we are in a situation where we no longer have the distinction between the two. I personally feel that vrf is a great way to separate management vs user traffic.
  Here is why I am in a dilema
  If  VLANS for users computers and server VLANS are in USERS vrf
  and management servers ( including domain controllers, AD) are in management vrf  , there is no way this will work . and this was the reason we thought it was going to work. now I am wondering if using vrf is even necessary in an enterprise environment when management traffic can be separated on server end and not so much at the clients end.
  anyone has any ideas how to go about this..

  Hello, very interesting scenario! I was in a similar position to you. I agree VRF's are great for management purposes, as it provides you with total segregation of routing instances. In fact the newer cisco devices come with vrf's configured for management out the box, with a separate interface for management only (for the network device itself).
  However, when it comes to enterprise networks and you have domain controllers, file servers, messaging, maybe ACS or ISE, proxies etc... and other services that should be available for your users, is there any point in using vrf's to separate users from management servers. Lets take for example:
  A PC on the domain, and I want to log in using my AD credentials. You need to be able to contact the domain controller(s) in order to login right? Since vrf's are contained they will have no routes to get to different networks in other vrf's. Except when configured to do so.
  Unless you do something called vrf route leaking or advertising. It's explained well here:
  http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/
  http://blog.ipexpert.com/2010/12/01/vrf-route-leaking/
  Anyway, nevertheless - you are still going to be providing reachability via routing, so this defeats the purpose kindof... It could add unnecessary complexity too.
  Me personally, I just made sure that they were separated by VLAN's and had a dedicated vrf for management, i.e. ssh, snmp etc... to the network devices. I weighed up and thought its not worth doing something that will not really be of any benefit.
  I can understand the need for ISPs and large service providers to use this but not business/enterprise.
  I hope this helps.