Leaking subscribers between VRFs
Hi,
I have two VRFs, let's call them internet and customers_1.
PPPoE and IPoE subscribers terminate in the customers_1 VRF, and I want to leak these addresses into the internet VRF.
I have configured the relevant import and export statements and see the routes; however, the routes are advertised into the internet VRF with a next hop of 0.0.0.0, so they do not appear in CEF (seen via sh cef vrf internet) and traffic is not forwarded.
Can anyone let me know how I would achieve this?
Here is the customers_1 VRF routing table (partial):
B 3.3.3.0/24 [200/0] via 202.74.33.249 (nexthop in vrf internet), 00:00:08
B 4.4.4.0/24 [200/0] via 202.74.33.249 (nexthop in vrf internet), 00:00:08
S 100.64.0.0/12 is directly connected, 01:11:20, Null0
C 100.64.0.0/17 is directly connected, 1w3d, Loopback2
L 100.64.0.1/32 is directly connected, 1w3d, Loopback2
A 100.64.0.99/32 is directly connected, 1w1d, Bundle-Ether100.1.ip8
B 103.241.56.0/22 [200/0] via 202.74.33.249 (nexthop in vrf internet), 00:00:08
A 116.251.122.4/32 is directly connected, 1w1d, Bundle-Ether100.1.pppoe5
A 116.251.193.254/32 is directly connected, 1w1d, Bundle-Ether100.1.ip7
Here is the internet VRF routing table (partial):
B 3.3.3.0/24 [200/0] via 202.74.33.249, 00:00:02
B 4.4.4.0/24 [200/0] via 202.74.33.249, 00:00:02
B 100.64.0.99/32 [200/0] via 0.0.0.0 (nexthop in vrf customers_1), 00:47:47, Bundle-Ether100.1.ip8
B 116.251.122.4/32 [200/0] via 0.0.0.0 (nexthop in vrf customers_1), 00:47:47, Bundle-Ether100.1.pppoe5
B 116.251.128.0/18 [200/0] via 202.74.33.249, 00:00:02
B 116.251.192.0/21 [200/0] via 202.74.33.249, 00:00:02
B 116.251.193.254/32 [200/0] via 0.0.0.0 (nexthop in vrf customers_1), 00:47:47, Bundle-Ether100.1.ip7
B 202.74.33.58/32 is directly connected, 00:44:45, Loopback1 (nexthop in vrf customers_1)
The following are the VRF export/import statements. I have no route-maps yet, as I am just trying to get basic connectivity going first.
vrf internet
address-family ipv4 unicast
import route-target
65536:200
65536:100
export route-target
65536:200
vrf customers_1
address-family ipv4 unicast
import route-target
65536:200
65536:100
export route-target
65536:100
In BGP I have for the customers VRF:
vrf customers_1
rd 65536:100
address-family ipv4 unicast
redistribute ospf customers_1 match internal external
redistribute subscriber
many thanks,
mike
Mike,
I do not have other alternative solutions; the only one I can suggest is using Access-list Based Forwarding (ABF) on the incoming interface from the internet. The good thing about this is that you can have one ACE for the pool of your customers' IP addresses. Put the summarized destination address and point to the VRF as the destination. It is called ABF VRF select. This causes ingress packets from the internet whose destination is a vrf customers_1 IP address to be forwarded using VRF customers_1.
regards,
rivalino
Similar Messages
-
Is it possible to do address translation between VRFs? I see NAT is possible from VRF to global, but I haven't found any info about the possibility to NAT between VRFs. Is it possible?
Please refer to the following link for more information on NAT Integration with MPLS VPNs.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatvpn.pdf -
Hi to all, I'm trying to configure NAT between VRFs. I have a network with multiple VRFs and a common VRF where there are some services shared among them.
I have an IP overlapping issue, so I'm trying to use NAT-aware VRF.
The shared service is on a VRF also.
I use route-target import and export to import routes between VRFs. I've seen NAT working between VRF and global routing, but not between different VRFs that are already able to communicate.
This is my configuration:
ip vrf proxy
rd 500:500
route-target export 500:500
route-target export 501:501
route-target import 500:500
route-target import 401:401
ip vrf upa
rd 300:300
route-target export 300:300
route-target export 401:401
route-target import 300:300
route-target import 501:501
ip vrf upa-tv
rd 1000:1000
route-target export 1000:1000
route-target export 401:401
route-target import 1000:1000
route-target import 501:501
mpls label protocol ldp
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0.1
description interfacccia outside per ip pubblico ipsec
encapsulation dot1Q 500
ip address 195.195.195.195 255.255.255.0
interface GigabitEthernet0/0.10
encapsulation dot1Q 300
ip vrf forwarding upa
ip address 172.31.47.254 255.255.255.0
ip nat enable
interface GigabitEthernet0/0.20
encapsulation dot1Q 310
ip vrf forwarding proxy
ip address 172.31.50.1 255.255.255.0
interface GigabitEthernet0/0.10
encapsulation dot1Q 320
ip vrf forwarding upa-tv
ip address 10.4.1.254 255.255.255.0
interface GigabitEthernet0/1
description connessa a 6500
ip address 80.x.x.1 255.255.255.0
duplex auto
speed auto
mpls ip
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 80.80.80.2 remote-as 65000
no auto-summary
address-family vpnv4
neighbor 80.80.80.2 activate
neighbor 80.80.80.2 send-community both
exit-address-family
address-family ipv4 vrf upa-tv
no synchronization
exit-address-family
address-family ipv4 vrf upa
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf proxy
redistribute connected
no synchronization
exit-address-family
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
As you can see, I export routes from VRF upa and upa-tv as RT 401:401 and import them into the proxy VRF, and in the same way I export routes from the proxy VRF as RT 501:501 and import them into upa and upa-tv.
Network 10.4.1.0/24 exists in both VRF upa and upa-tv, so I'd like to NAT one of them to another IP address (I tried to use a static translation to be able to reach the same IP address in both VRFs). I made some tests, and it seems to work when I NAT from VRF to global, but it does not work when NAT is between VRFs (is this supported?). I tried with NVI and with the classic NAT commands:
interface GigabitEthernet0/0.10
encapsulation dot1Q 300
ip vrf forwarding upa
ip address 172.31.47.254 255.255.255.0
ip nat inside
interface GigabitEthernet0/0.20
encapsulation dot1Q 310
ip vrf forwarding proxy
ip address 172.31.50.1 255.255.255.0
ip nat outside
ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy
I also tried with
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
but it didn't work...
Any suggestions?
Any help will be appreciated.
Max
Hi Mohammed, now all works well.
I understand my error: basically, when I tried to ping, I pinged a router in my own VRF, because I imported the network, so the packet didn't go across interfaces and NAT was not in place. Now I have tried static host and network NATting and dynamic NATting, and all works well.
Here is a complete working configuration:
ip vrf proxy
rd 500:500
route-target export 500:500
route-target export 501:501
route-target import 500:500
route-target import 401:401
ip vrf upa
rd 300:300
route-target export 300:300
route-target export 401:401
route-target import 300:300
route-target import 501:501
ip vrf upa-tv
rd 1000:1000
route-target export 1000:1000
route-target export 401:401
route-target import 1000:1000
route-target import 501:501
mpls label protocol ldp
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0.1
description interfacccia outside per ip pubblico ipsec
encapsulation dot1Q 500
ip address 195.195.195.195 255.255.255.0
interface GigabitEthernet0/0.10
encapsulation dot1Q 300
ip vrf forwarding upa
ip address 172.31.47.254 255.255.255.0
ip nat inside
interface GigabitEthernet0/0.20
encapsulation dot1Q 310
ip vrf forwarding proxy
ip nat outside
ip address 172.31.50.1 255.255.255.0
interface GigabitEthernet0/0.10
encapsulation dot1Q 320
ip vrf forwarding upa-tv
ip address 10.4.1.254 255.255.255.0
interface GigabitEthernet0/1
description connessa a 6500
ip address 80.x.x.1 255.255.255.0
duplex auto
speed auto
mpls ip
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 80.80.80.2 remote-as 65000
no auto-summary
address-family vpnv4
neighbor 80.80.80.2 activate
neighbor 80.80.80.2 send-community both
exit-address-family
address-family ipv4 vrf upa-tv
no synchronization
exit-address-family
address-family ipv4 vrf upa
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf proxy
redistribute connected
no synchronization
exit-address-family
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
Many thanks for the help, now all works well and I understand the way to configure it.
-
Howto control/filter traffic between VRF-(lite) using route leaking?
Hi,
Does anybody know how I can control/filter the traffic between two VRFs when I use route leaking, or also normal route-target export/import connections, maybe with an ACL, in the following scenarios?
Scenario 1:
I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers, and I want one of the PE routers to allow/route traffic between these VPNs, specifically traffic on TCP port 80 and no other ports. I'm only aware of binding ACLs to logical or physical interfaces, but I don't know how to do this here.
Scenario 2:
Same as scenario 1, but it is not the PE router that will connect the VPNs; instead a separate router-on-a-stick (e.g. 4900M) connected to one of the PE routers should do this job with VRF-lite and route leaking (address-family ipv4 vrf ...). Here too I want to allow only TCP port 80 between the VPNs.
Kind Regards,
Thorsten
Thanks.
That's what I was assuming. In my experience this solution does not scale with an increasing number of VPNs and inter-VPN traffic via route target.
Is it correct that there is only one common ACL per VPN where all rules for the communication to all other VPNs are configured? Doesn't this ACL become too complex and too error-prone to administer in a real network environment? Furthermore, in my understanding this ACL has to be configured per VPN on all PE routers which have interfaces to CE routers for that VPN.
Does Cisco offer software for managing this? -
Route Leaking between VRF:s (Shared services)
Hi,
I'm a bit confused by this setup that I'm trying to achieve.
The setup is classic though: I have one VRF for education (EDU), one for administrators (ADM) and then a shared VRF (GEM), like this:
ip vrf ADM
description *** ADMIN NET ***
rd 2:2
export map ADM-to-EDU
route-target export 2:2
route-target import 1:1
route-target import 2:2
ip vrf EDU
description *** ELEV NET ***
rd 3:3
route-target export 3:3
route-target import 1:1
route-target import 33:33
route-target import 3:3
ip vrf GEM
description *** GEMENSAM NET ***
rd 1:1
route-target export 1:1
route-target import 2:2
route-target import 3:3
route-target import 1:1
As you can see, I have also configured an export map for VRF ADM, from which I'm then importing routes.
The map looks as follows:
access-list 1 permit 172.18.254.37
route-map ADM-to-EDU permit 10
match ip address 1
set extcommunity rt 33:33 additive
A relevant part of the ip setup is as follows:
interface Loopback3
ip vrf forwarding EDU
ip address 3.3.3.3 255.255.255.255
interface Loopback37
ip vrf forwarding ADM
ip address 172.18.254.37 255.255.255.255
I'm running BGP:
router bgp 65235
no synchronization
bgp log-neighbor-changes
no auto-summary
address-family ipv4 vrf GEM
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
address-family ipv4 vrf EDU
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
address-family ipv4 vrf ADM
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
Now, the thing is, the leaking is working; I can see the leaked route in the EDU routing table below,
Router#sh ip route vrf EDU
Routing Table: EDU
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.19.16.5 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 is directly connected, 04:53:31, Loopback1
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback3
172.19.0.0/32 is subnetted, 1 subnets
B 172.19.16.5 is directly connected, 02:27:51, Loopback0
172.18.0.0/32 is subnetted, 1 subnets
B 172.18.254.37 is directly connected, 00:32:14, Loopback37
B* 0.0.0.0/0 [20/0] via 172.19.16.5 (GEM), 02:08:42
but I cannot reach it:
Router#ping vrf EDU 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
Success rate is 0 percent (0/5)
But if I run "debug ip packet" and then perform another ping, I get this result, which I think is a bit weird? To me it seems as if it works.
Router#ping vrf EDU 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
*Mar 1 05:42:40.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:40.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:40.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:40.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:40.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:40.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:42.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:42.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:42.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:42.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:42.582: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:42.586: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:42.590: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:42.590: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:44.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:44.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:44.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:44.574: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:44.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:44.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:46.566: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:46.570: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:46.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:46.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:46.570: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:46.574: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:48.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:48.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:48.566: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:48.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:48.574: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:48.574: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:48.582: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:48.582: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
Success rate is 0 percent (0/5)
Router#
However, if I add leaking for 3.3.3.3 in the ADM VRF like this:
access-list 2 permit 3.3.3.3
route-map EDU-to-ADM permit 10
match ip address 2
set extcommunity rt 22:22 additive
ip vrf ADM
description *** ADMIN NET ***
rd 2:2
export map ADM-to-EDU
route-target export 2:2
route-target import 1:1
route-target import 22:22 <- added line
route-target import 2:2
ip vrf EDU
description *** ELEV NET ***
rd 3:3
export map EDU-to-ADM <- added line
route-target export 3:3
route-target import 1:1
route-target import 33:33
route-target import 3:3
Then it will work:
Router#ping vrf EDU 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms
So actually, my big question is, am I doing this the right or wrong way? I'm a bit confused.
Sorry about the rant; maybe it will clarify some things for others who are confused, or maybe just make it worse!
Some additional thoughts:
Why can't I perform this ping? Shouldn't this work?
Router#ping vrf GEM 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Router#
BGP info:
Router#sh ip bgp vpnv4 all
BGP table version is 79, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf GEM)
*> 0.0.0.0 172.19.16.5 0 32768 ?
*> 1.1.1.1/32 0.0.0.0 0 32768 ?
*> 2.2.2.2/32 0.0.0.0 0 32768 ?
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 172.18.254.37/32 0.0.0.0 0 32768 ?
*> 172.19.16.5/32 0.0.0.0 0 32768 ?
Route Distinguisher: 2:2 (default for vrf ADM)
*> 0.0.0.0 172.19.16.5 0 32768 ?
*> 1.1.1.1/32 0.0.0.0 0 32768 ?
*> 2.2.2.2/32 0.0.0.0 0 32768 ?
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 172.18.254.37/32 0.0.0.0 0 32768 ?
*> 172.19.16.5/32 0.0.0.0 0 32768 ?
Route Distinguisher: 3:3 (default for vrf EDU)
*> 0.0.0.0 172.19.16.5 0 32768 ?
*> 1.1.1.1/32 0.0.0.0 0 32768 ?
Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 172.18.254.37/32 0.0.0.0 0 32768 ?
*> 172.19.16.5/32 0.0.0.0 0 32768 ?
Router#
Thank you for your answer Aravala.
Ok, so I think I'm beginning to understand this now after several hours..
Below is my setup now, and it works, but the thing is that it ONLY works from nets that are actually configured on interfaces.
What I mean by this is,
I want to reach ONLY the IP 172.18.254.37 (ADM net) from ANY address on 172.19.0.0/16 (EDU net),
so naturally I try to change the prefix list to:
ip prefix-list 1 seq 5 permit 172.18.254.37/32
ip prefix-list 2 seq 5 permit 172.19.0.0/16
But this doesn't work. I would be very grateful if someone could explain why and how to get around it! I don't want to define every subnet on 172.19.0.0/16 and at the same time leave all of the 172.18.254.0/24 network open.
Working setup:
ip vrf ADM
description *** ADMIN NET ***
rd 2:2
export map ADM-to-EDU
route-target export 2:2
route-target import 1:1
route-target import 22:22
route-target import 2:2
ip vrf EDU
description *** ELEV NET ***
rd 3:3
export map EDU-to-ADM
route-target export 3:3
route-target import 1:1
route-target import 33:33
route-target import 3:3
ip vrf GEM
description *** GEMENSAM NET ***
rd 1:1
route-target export 1:1
route-target import 2:2
route-target import 3:3
route-target import 1:1
ip prefix-list 1 seq 5 permit 172.18.254.0/24
ip prefix-list 2 seq 5 permit 172.19.64.0/21
route-map ADM-to-EDU permit 10
match ip address prefix-list 1
set extcommunity rt 33:33 additive
route-map EDU-to-ADM permit 10
match ip address prefix-list 2
set extcommunity rt 22:22 additive
-
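As an added model (not code from the posts or from Cisco), the Python script below replays the route-target import/export logic of the GEM/ADM/EDU setup above: it shows why the ping from EDU fails until the EDU-to-ADM return leak exists, and how the IOS prefix-list rule of matching the exact prefix length (unless ge/le is given) explains why a `172.19.0.0/16` entry does not match a connected `172.19.64.0/21` route. VRF names, RTs and prefixes come from the post; placing the 2.2.2.2/32 loopback in ADM is an assumption.

```python
"""Model of route-target (RT) leaking and IOS prefix-list matching (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip prefix-list ... permit A.B.C.D/n [ge x] [le y]' permit line."""
    prefix: IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: IPv4Network) -> bool:
        # IOS semantics: with neither ge nor le the entry matches only that
        # exact prefix *and* length; ge/le widen the accepted length range
        # for routes that fall inside the entry's prefix.
        if self.ge is None and self.le is None:
            return route == self.prefix
        if not route.subnet_of(self.prefix):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else 32
        return lo <= route.prefixlen <= hi

def prefix_list_permits(entries, route: IPv4Network) -> bool:
    """Permit-only list: a route matching no entry is implicitly denied."""
    return any(e.matches(route) for e in entries)

@dataclass
class Vrf:
    name: str
    export_rts: frozenset
    import_rts: frozenset
    routes: list                                    # prefixes this VRF originates
    export_map: list = field(default_factory=list)  # [(prefix entries, extra RT)]

    def exported(self):
        """Yield (prefix, RTs) as they land in the VPNv4 table. An export map
        with 'set extcommunity rt X additive' only adds X to matching routes;
        routes it does not match still carry the plain route-target export set."""
        for r in self.routes:
            rts = set(self.export_rts)
            for entries, extra_rt in self.export_map:
                if prefix_list_permits(entries, r):
                    rts.add(extra_rt)
            yield r, frozenset(rts)

def build_tables(vrfs):
    """Import step: a VRF installs every VPNv4 route that carries at least
    one of its import RTs, plus the routes it originates itself."""
    vpnv4 = [(v.name, r, rts) for v in vrfs for r, rts in v.exported()]
    tables = {}
    for v in vrfs:
        table = set(v.routes)
        for origin, r, rts in vpnv4:
            if origin != v.name and rts & v.import_rts:
                table.add(r)
        tables[v.name] = table
    return tables

def has_route(table, ip: str) -> bool:
    return any(IPv4Address(ip) in r for r in table)

def ping_would_succeed(tables, src_vrf, src_ip, dst_vrf, dst_ip) -> bool:
    """A ping needs the forward route in the source VRF *and* a return
    route for the source address in the destination VRF."""
    return has_route(tables[src_vrf], dst_ip) and has_route(tables[dst_vrf], src_ip)

def net(s: str) -> IPv4Network:
    return IPv4Network(s)

# Constructed from the post: GEM (rd 1:1), ADM (rd 2:2), EDU (rd 3:3).
# Placing 2.2.2.2/32 in ADM is an assumption; the rest follows the post.
ADM_TO_EDU = ([PrefixEntry(net("172.18.254.37/32"))], "33:33")
EDU_TO_ADM = ([PrefixEntry(net("3.3.3.3/32"))], "22:22")

def lab(with_return_leak: bool):
    gem = Vrf("GEM", frozenset({"1:1"}), frozenset({"1:1", "2:2", "3:3"}),
              [net("1.1.1.1/32"), net("172.19.16.5/32")])
    adm_imports = {"1:1", "2:2"} | ({"22:22"} if with_return_leak else set())
    adm = Vrf("ADM", frozenset({"2:2"}), frozenset(adm_imports),
              [net("2.2.2.2/32"), net("172.18.254.37/32")], [ADM_TO_EDU])
    edu = Vrf("EDU", frozenset({"3:3"}), frozenset({"1:1", "3:3", "33:33"}),
              [net("3.3.3.3/32")], [EDU_TO_ADM] if with_return_leak else [])
    return build_tables([gem, adm, edu])

def edu_can_ping_adm_host(with_return_leak: bool) -> bool:
    return ping_would_succeed(lab(with_return_leak),
                              "EDU", "3.3.3.3", "ADM", "172.18.254.37")

if __name__ == "__main__":
    print("ADM-to-EDU only:", edu_can_ping_adm_host(False))  # False: no 3.3.3.3 in ADM
    print("plus EDU-to-ADM:", edu_can_ping_adm_host(True))   # True
    # The second post's change: 172.19.0.0/16 without 'le' never matches the
    # connected 172.19.64.0/21 route; 'le 32' would.
    print(PrefixEntry(net("172.19.0.0/16")).matches(net("172.19.64.0/21")))         # False
    print(PrefixEntry(net("172.19.0.0/16"), le=32).matches(net("172.19.64.0/21")))  # True
```

Leaking a prefix grants reachability to every address it covers in both directions once the return route exists, so port-level control of the kind asked about in the earlier thread has to come from an interface ACL or ABF, not from route targets.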
Problem leaking route from VRF to global table on CSR 1000V
Hi Guys,
So I have a problem with VRFs on a CSR 1000V, specifically exporting a connected subnet from a VRF into the global routing table.
My config, very abbreviated, is as follows:
Router:
GE1: 10.0.0.1/31 VRF TEST
GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))
Now sh ip route displays:
0.0.0.0/0 (BGP)
172.30.20.1/24 (Connected)
sh ip route vrf TEST displays:
0.0.0.0/0 (BGP)
10.0.0.1/31 connected
My VRF config is as follows:
ip vrf TEST
rd 1:1
import ipv4 unicast map GLOBAL
export ipv4 unicast map CONNECTED-SUBNET
ip prefix-list CONNECTED seq 1 permit 10.0.0.1/31
ip prefix-list DEFAULT seq 1 permit 0.0.0.0/0
route-map CONNECTED-SUBNET permit 10
match ip address prefix-list CONNECTED
route-map GLOBAL permit 10
match ip address prefix-list DEFAULT
Now my import command works perfectly (0.0.0.0/0 is imported from BGP into the VRF's routing table); however, my export command does not seem to function at all.
Even though my prefix list is an exact match, I do not see 10.0.0.1/31 appearing in the global routing table or in the BGP table at all (show ip bgp 10.0.0.1 shows only the 0.0.0.0/0 default route).
Any thoughts on what is going on here? Am I misunderstanding the export command for VRFs? I was under the impression this will export directly to the BGP table, and then be imported into the global routing table if applicable?
Any thoughts/input would be appreciated!
Hello
"GE1: 10.0.0.1/31 VRF TEST
GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))"
I must have misunderstood somewhere. I was assuming you had no VRF BGP between GE1-2, and just a VRF on subnet 10.0.0.0/x which needed to be advertised in the global routing table, hence my last post suggested you redistribute into BGP.
So, assuming you are accepting a default route from GE2, it went like this:
GE1
int fa0/1
ip vrf forwarding TEST
ip address 10.0.0.1 255.255.255.255
int xx
ip address 172.30.20.1 255.255.255.0
router bgp xy
neighbor 172.30.20.2 remote-as yx
redistribute static (to advertise the vrf subnet to GE2)
ip route 10.0.0.1 255.255.255.255 fa0/1 (this tells the global rib where to go for the vrf route)
ip prefix-list VRF permit 0.0.0.0/0
route-map VRF-rm permit 10
match ip address prefix-list VRF (match on the default route advertised from GE2 which is in the global rib)
ip vrf TEST
import ipv4 unicast map VRF-rm (import the default from global rib into the vrf rib)
res
Paul -
CSR1000V VRF Route Leaking vs GNS
Hi folks,
Working on 2 lab environments. I have successfully configured VRF route leaking on GNS3, however I can't get it working on the CSR1000v with the same config (only the IPs and names of the VRFs etc. are different). Is there something on the CSR1000v that I have to do that's different from GNS? Is there a reason why the route in GNS is in both the OSPF database and the routing table, yet in ESXi it's only in the database?
OSPF between neighbors
BGP to do route leaking
GNS - leaking route 220.0.0.0
GNS - Neighbor running OSPF has 220.0.0.0 in the database and the routing table for VRF 100
ESXi - leaking route 45.0.0.0
ESXi - Neighbor running OSPF has 45.0.0.0 in the database and is NOT in the routing table for VRF cavia
GNS - 3640's with c3640-js-mz.124-17
ESXi - CSR1000V with Cisco IOS XE Software, Version 03.12.00.S
On both labs I am using BGP to leak routes between VRFs.
GNS LAB
VRFs --------------------------------------------------
ip vrf 100
rd 100:100
route-target export 1:100
route-target import 1:300
ip vrf 200
rd 200:200
route-target export 1:200
route-target import 1:300
ip vrf 300
rd 300:300
route-target export 1:300
route-target import 1:100
route-target import 1:200
OSPF --------------------------------------------------------------
router ospf 100 vrf 100
router-id 4.4.4.4
log-adjacency-changes
redistribute bgp 10 subnets
network 100.0.0.0 0.0.0.3 area 0
network 0.0.0.0 255.255.255.255 area 0
router ospf 200 vrf 200
router-id 44.44.44.44
log-adjacency-changes
redistribute bgp 10 subnets
network 200.0.0.0 0.0.0.3 area 0
network 0.0.0.0 255.255.255.255 area 0
BGP -------------------------------------------------------------
router bgp 10
no synchronization
bgp log-neighbor-changes
no auto-summary
address-family ipv4 vrf 300
no synchronization
network 220.0.0.0 mask 255.255.255.252
exit-address-family
address-family ipv4 vrf 200
redistribute ospf 200 vrf 200
no synchronization
exit-address-family
address-family ipv4 vrf 100
redistribute ospf 100 vrf 100
no synchronization
exit-address-family
R4#sh ip bgp vpnv4 all
BGP table version is 17, local router ID is 44.44.44.44
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:100 (default for vrf 100)
*> 10.0.0.0/24 100.0.0.1 2 32768 ?
*> 100.0.0.0/30 0.0.0.0 0 32768 ?
*> 220.0.0.0/30 0.0.0.0 0 32768 i
Route Distinguisher: 200:200 (default for vrf 200)
*> 20.0.0.0/24 200.0.0.1 2 32768 ?
*> 200.0.0.0/30 0.0.0.0 0 32768 ?
*> 220.0.0.0/30 0.0.0.0 0 32768 i
Route Distinguisher: 300:300 (default for vrf 300)
*> 10.0.0.0/24 100.0.0.1 2 32768 ?
*> 20.0.0.0/24 200.0.0.1 2 32768 ?
*> 100.0.0.0/30 0.0.0.0 0 32768 ?
*> 200.0.0.0/30 0.0.0.0 0 32768 ?
*> 220.0.0.0/30 0.0.0.0 0 32768 i
-----------------------on neighbor R3 220.0.0.0 (in vrf 300) is in the routing table for vrf 100 as designed----------------------
R3#sh ip route vrf 100
220.0.0.0/30 is subnetted, 1 subnets
O E2 220.0.0.0 [110/1] via 100.0.0.2, 00:29:48, FastEthernet1/0.10
100.0.0.0/30 is subnetted, 1 subnets
C 100.0.0.0 is directly connected, FastEthernet1/0.10
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet0/0
----------------------OSPF Database on neighbor R3-------------------------------------------
R3#sh ip ospf data
OSPF Router with ID (33.33.33.33) (Process ID 200)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
33.33.33.33 33.33.33.33 521 0x80000006 0x005A0E 2
44.44.44.44 44.44.44.44 541 0x80000006 0x001C18 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
200.0.0.2 44.44.44.44 540 0x80000005 0x006820
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
220.0.0.0 44.44.44.44 540 0x80000005 0x009BAE 3489660938
OSPF Router with ID (3.3.3.3) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
3.3.3.3 3.3.3.3 722 0x80000006 0x008C9F 2
4.4.4.4 4.4.4.4 581 0x80000006 0x00F845 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
100.0.0.2 4.4.4.4 581 0x80000005 0x00FEA7
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
220.0.0.0 4.4.4.4 581 0x80000005 0x00509A 3489660938
ESXi LAB
VRFs----------------------------------------------------------
vrf definition cavia
rd 1:100
address-family ipv4
route-target export 1000:100
route-target import 1000:300
exit-address-family
vrf definition microsoft
rd 1:200
address-family ipv4
route-target export 1000:200
route-target import 1000:300
exit-address-family
vrf definition shared
rd 1:300
address-family ipv4
route-target export 1000:300
route-target import 1000:100
route-target import 1000:200
exit-address-family
OSPF ----------------------------------------------------------------
router ospf 100 vrf cavia
redistribute bgp 50 subnets
network 172.100.200.0 0.0.0.3 area 0
network 0.0.0.0 255.255.255.255 area 0
router ospf 200 vrf microsoft
redistribute bgp 50 subnets
network 172.200.200.0 0.0.0.3 area 0
network 0.0.0.0 255.255.255.255 area 0
BGP -----------------------------------------------------------------
router bgp 50
bgp log-neighbor-changes
address-family ipv4 vrf cavia
redistribute ospf 100
exit-address-family
address-family ipv4 vrf microsoft
redistribute ospf 200
exit-address-family
address-family ipv4 vrf shared
network 45.0.0.0 mask 255.255.255.252
exit-address-family
---------------45.0.0.0 is in the correct BGP VRFs----------------
R8#sh ip bgp vpnv4 all
BGP table version is 20, local router ID is 8.8.8.8
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf cavia)
*> 45.0.0.0/30 0.0.0.0 0 32768 i
*> 80.100.0.0/30 172.100.200.1 2 32768 ?
*> 172.100.100.0/30 172.100.200.1 2 32768 ?
*> 172.100.100.4/30 172.100.200.1 2 32768 ?
*> 172.100.200.0/30 0.0.0.0 0 32768 ?
Route Distinguisher: 1:200 (default for vrf microsoft)
*> 45.0.0.0/30 0.0.0.0 0 32768 i
*> 80.200.0.0/30 172.200.200.1 2 32768 ?
*> 172.200.100.0/30 172.200.200.1 2 32768 ?
*> 172.200.100.4/30 172.200.200.1 2 32768 ?
*> 172.200.200.0/30 0.0.0.0 0 32768 ?
Route Distinguisher: 1:300 (default for vrf shared)
*> 45.0.0.0/30 0.0.0.0 0 32768 i
*> 80.100.0.0/30 172.100.200.1 2 32768 ?
*> 80.200.0.0/30 172.200.200.1 2 32768 ?
*> 172.100.100.0/30 172.100.200.1 2 32768 ?
*> 172.100.100.4/30 172.100.200.1 2 32768 ?
*> 172.100.200.0/30 0.0.0.0 0 32768 ?
*> 172.200.100.0/30 172.200.200.1 2 32768 ?
Network Next Hop Metric LocPrf Weight Path
*> 172.200.100.4/30 172.200.200.1 2 32768 ?
*> 172.200.200.0/30 0.0.0.0 0 32768 ?
-----------------------on neighbor R1 45.0.0.0 (in vrf shared) is not in the routing table for vrf cavia----------------------
R1#sh ip route vrf cavia
Gateway of last resort is 172.100.200.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.100.200.2
80.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 80.100.0.0/30 is directly connected, GigabitEthernet1.1
L 80.100.0.1/32 is directly connected, GigabitEthernet1.1
B 80.100.0.4/30 [20/0] via 80.100.0.2, 03:52:22
172.100.0.0/16 is variably subnetted, 7 subnets, 2 masks
C 172.100.100.0/30 is directly connected, GigabitEthernet3.1
L 172.100.100.2/32 is directly connected, GigabitEthernet3.1
C 172.100.100.4/30 is directly connected, GigabitEthernet2.1
L 172.100.100.6/32 is directly connected, GigabitEthernet2.1
B 172.100.101.0/30 [20/0] via 80.100.0.2, 03:52:22
C 172.100.200.0/30 is directly connected, GigabitEthernet4.1
L 172.100.200.1/32 is directly connected, GigabitEthernet4.1
----------------------OSPF Database on neighbor R1 -------------------------------------------
R1#
R1#sh ip ospf data
OSPF Router with ID (172.100.200.1) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
172.100.200.1 172.100.200.1 668 0x8000000A 0x009F4E 4
172.100.200.2 172.100.200.2 681 0x80000007 0x005F5C 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.100.200.1 172.100.200.1 668 0x80000002 0x0012BD
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
45.0.0.0 172.100.200.2 441 0x80000002 0x0047E1 3489660978
80.100.0.4 172.100.200.1 1679 0x80000008 0x00A883 3489725929
172.100.101.0 172.100.200.1 1679 0x80000008 0x00C4A9 3489725929
BUMP
-
Hi Guyz,
I have 3 VRF's on VSS core.
1) VRF A
2) VRF B
3) Global VRF.
I have Firewall in L3 mode between these VRFs. Traffic between A & B have to cross firewall.
I can use BGP or EVN to leak routes between VRFs, but they leak only routes that are present in the routing table.
Now I need to leak a specific route, e.g. 10.10.10.10/32, from VRF A to VRF B.
10.10.10.0/24 is a directly connected interface on VRF A.
I need to find a way where I can leak a /32 route between VRFs.
Thanks
Changing the autonomous system number may be necessary when 2 separate BGP networks are combined under a single autonomous system. This typically occurs when one ISP purchases another ISP. The neighbor local-as command is used initially to configure BGP peers to support 2 local autonomous system numbers to maintain peering between 2 separate BGP networks. This configuration allows the ISP to immediately make the transition without any impact on existing customer configurations.
enable
configure terminal
router bgp as-number
address-family {ipv4 | ipv6 | vpnv4 | [multicast | unicast | vrf {vrf-name}]} -
I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
What is the best solution to prefer that meets the requirements & also avoids the security loopholes?
You could do one of the following ways to implement Internet access for L3 MPLS VPN:
1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface in the PE/PEs will require to be in the global routing table to have the Internet access and then you can inject that route to the VRF/VRFs.
2. Internet access using route leaking between VRFs and the global route table: by using this method you will need to configure a static default route with a next hop as an Internet gateway (in your case the FWSM), reachable through the global routing table. This VRF default route needs to be injected/redistributed in the PE-CE routing (MP-BGP) to provide the outbound Internet connectivity to your VRFs.
Inbound traffic from the Internet will require either a NATed VRF or static routes from the global routing table pointing to the VRF interface.
3. The other method is the use of a shared service: with this method you need to put the Internet service FWSM in its own VRF, then you can control the import and export between the Internet VRF and other VRFs through import/export of the VRFs' route-target values.
good luck
if helpful Rate -
Traffic leaking between PVLAN Isolated ports
Hi,
Is it possible to leak traffic between ports configured as 'PVLAN isolated' ?
Task is pretty simple - there is an IP segment, terminated on a cat3750 SVI, and two test servers connected to this switch in ports configured for isolated PVLAN. I'd like to be sure there is no uncontrolled communication between those servers, except permitted traffic.
Both servers can reach the SVI IP address, but can't reach each other. So far, so good, PVLAN works. What about allowing some traffic between those hosts? Any ideas if that's possible at all, and how to configure the devices?
Hi,
you could place the two servers in two different VLANs, let the Cat 3750 route between them and apply access-lists to control the desired traffic.
Have a look at
"Configuring Network Security with ACLs"
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a0080403fec.html#
for all possibilities.
Hope this helps
Martin -
I'm just starting to learn about route leaking today, so I'm still trying to figure this out.
In short, I've created three vlans and put them in a vrf and would like them to access the internet. At this point, I have vrf created, vlans assigned and a global route leaked from the vrf to the gateway of last resort. A machine in the vrf is able to ping all three vlan gateways, but cannot still get to the internet.
I have everything on a 6509 core switch, and my firewall is an ASA 5505. I've also tried putting routing configs in using eigrp, but the vrf networks never made it to the ASA. Attached are my configs on both. If anyone could help me with what I'm missing that would be great. Thanks!
**** 6509 Config ****
lab-core6509#sh run
Building configuration...
Current configuration : 22128 bytes
! Last configuration change at 17:31:43 pst Tue Jan 7 2014 by rmf
! NVRAM config last updated at 12:30:19 pst Tue Jan 7 2014 by rmf
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
service counters max age 5
hostname lab-core6509
boot-start-marker
boot system flash disk0:s72033-ipservicesk9_wan-mz.122-33.SXI.bin
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone pst -8
clock summer-time PDT recurring
clock calendar-valid
ip subnet-zero
ip dhcp excluded-address 192.168.80.1 192.168.80.9
ip dhcp pool 192.168.80.0/24
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
domain-name procopio-guest.com
dns-server 8.8.8.8
ip vrf bingfish
rd 123:1
ip domain-name company.local
mls ip slb purge global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action reset
spanning-tree mode pvst
diagnostic bootup level minimal
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric timer 15
redundancy
main-cpu
auto-sync running-config
mode sso
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface Port-channel10
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet1/1
switchport
switchport access vlan 500
switchport mode access
spanning-tree portfast edge
~SNIP~ (I don't think anyone cares about all the interface configs!)
interface Vlan510
description voice server net
ip address 10.90.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan666
ip address 10.90.253.1 255.255.255.0
interface Vlan851
description bingfish client net
ip vrf forwarding bingfish
ip address 10.249.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan852
description bingfish server net
ip vrf forwarding bingfish
ip address 10.249.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan853
description bingfish management net
ip vrf forwarding bingfish
ip address 10.249.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan901
description guest network
ip address 192.168.80.1 255.255.255.0
ip access-group guest-net in
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan912
description internet perimeter
ip address 10.91.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan999
description management net
ip address 10.90.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
router eigrp 200
network 10.0.0.0
address-family ipv4 vrf bingfish
autonomous-system 99
network 10.249.1.0 0.0.0.255
network 10.249.2.0 0.0.0.255
network 10.249.3.0 0.0.0.255
redistribute static metric 10000 100 255 1 1500
exit-address-family
ip classless
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
no ip http server
no ip http secure-server
ip access-list extended guest-net
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
control-plane
dial-peer cor custom
line con 0
exec-timeout 30 0
line vty 0 4
exec-timeout 30 0
line vty 5 15
exec-timeout 30 0
ntp logging
ntp authenticate
ntp trusted-key 10
ntp clock-period 17179851
ntp source Vlan500
ntp master
ntp server 10.90.1.50 prefer
end
**** ASA 5505 Config ****
lab-5505asa# sh run
: Saved
ASA Version 8.2(5)
hostname lab-5505asa
domain-name company.local
names
dns-guard
interface Ethernet0/0
description inside
interface Ethernet0/1
description outside
switchport access vlan 2
interface Ethernet0/2
description dmz
switchport access vlan 4
speed 100
duplex full
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.91.1.2 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.128
ospf cost 10
interface Vlan4
nameif DMZ
security-level 50
ip address 172.16.35.1 255.255.255.0
ospf cost 10
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name company.local
object-group service DM_INLINE_SERVICE_1
service-object tcp eq domain
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host 10.90.1.10
network-object host 10.90.1.11
object-group network DM_INLINE_NETWORK_2
network-object host <outside ip>
network-object host <outside ip>
object-group service DM_INLINE_SERVICE_2
service-object tcp eq domain
service-object udp eq domain
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq 3008
port-object eq 3010
port-object eq ssh
object-group network DM_INLINE_NETWORK_3
network-object 216.9.240.0 255.255.240.0
network-object 68.171.224.0 255.255.224.0
object-group service DM_INLINE_TCP_4 tcp
port-object eq 3268
port-object eq 3269
port-object eq ldap
port-object eq ldaps
object-group network DM_INLINE_NETWORK_6
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_7
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_8
network-object host 172.16.36.45
network-object host 172.16.36.46
object-group service DM_INLINE_TCP_6 tcp
port-object eq 2598
port-object eq citrix-ica
port-object eq www
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_4
network-object host <outside ip>
network-object host <outside ip>
network-object host <outside ip>
object-group network DM_INLINE_NETWORK_5
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_10
network-object host 172.16.36.15
network-object host 172.16.36.42
object-group network xenapp_servers
network-object host 10.90.1.45
network-object host 10.90.1.46
network-object host 10.90.5.54
object-group network xendesktop_servers
network-object host 10.90.1.38
network-object host 10.90.1.54
object-group network DM_INLINE_NETWORK_11
network-object host 172.16.36.10
network-object host 172.16.36.42
network-object 10.80.1.0 255.255.255.0
group-object xenapp_servers
group-object xendesktop_servers
object-group network DM_INLINE_NETWORK_9
network-object host 172.16.36.27
network-object host 172.16.36.31
object-group network DM_INLINE_NETWORK_12
network-object host 74.117.58.150
network-object host 97.95.240.159
object-group network DM_INLINE_NETWORK_13
network-object 10.90.10.0 255.255.255.0
network-object 192.168.80.0 255.255.255.0
network-object 10.249.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_14
network-object 10.90.1.0 255.255.255.0
network-object 10.90.5.0 255.255.255.0
access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_12 any log disable
access-list outside_access_in extended permit tcp any host <outside ip> eq 3389 log disable
access-list outside_access_in extended permit tcp any host <outside ip> eq smtp log disable
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable
access-list dmz_access_in extended permit ip any any log disable
access-list inside_access_in extended deny ip host 10.90.100.25 any log disable
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable
access-list inside_access_in extended permit tcp host 10.90.1.27 host 172.16.35.11 eq smtp log disable
access-list inside_access_in extended permit ip 10.80.1.0 255.255.255.0 any log disable
access-list inside_access_in extended permit tcp host 10.90.1.33 object-group DM_INLINE_NETWORK_3 eq 3101 log disable
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_14 any object-group DM_INLINE_TCP_2 log disable
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 log disable
access-list inside_access_in extended permit udp host 10.90.1.50 any eq ntp log disable
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_11 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.27 eq smtp log disable
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.35.10 host 172.16.36.10 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.11 any eq smtp log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 any object-group DM_INLINE_TCP_1 log disable
access-list DMZ_access_in remark rule for cag to owa
access-list DMZ_access_in extended permit tcp host 172.16.35.13 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_3 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.10 object-group DM_INLINE_TCP_4 log disable
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_5 log disable
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_6 log disable inactive
access-list slow-down extended permit ip 10.90.0.0 255.255.0.0 any
access-list slow-down extended permit ip any 10.90.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm warnings
logging host inside 10.90.1.65 6/1470
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 10.80.1.0 255.255.255.0
nat (inside) 1 10.90.1.0 255.255.255.0
nat (inside) 1 10.90.5.0 255.255.255.0
nat (inside) 1 192.168.80.0 255.255.255.0
nat (inside) 1 10.249.0.0 255.255.0.0
nat (DMZ) 1 172.16.35.0 255.255.255.0
static (DMZ,outside) <outside ip> 172.16.35.10 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip> 172.16.35.55 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip> 172.16.35.50 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip> 172.16.35.60 netmask 255.255.255.255 dns
static (inside,outside) <outside ip> 10.90.1.21 netmask 255.255.255.255 dns
static (inside,DMZ) 172.16.36.31 10.90.1.31 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.10 10.90.1.10 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.27 10.90.1.27 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.15 10.90.1.15 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.42 10.90.1.42 netmask 255.255.255.255
static (inside,DMZ) 10.90.1.0 10.90.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.80.1.0 10.80.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.90.5.0 10.90.5.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
router eigrp 200
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 209.242.145.129 1
route inside 10.0.0.0 255.0.0.0 10.91.1.1 1
route inside 10.249.0.0 255.255.0.0 10.91.1.1 1
route inside 192.168.80.0 255.255.255.0 10.91.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.90.1.50 source inside prefer
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect icmp
inspect pptp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9ba1f1f89fa1a88af05e2fc5fdba3090
: end
So it would appear I've solved it by adding a static route in the global routing table back to the subnets in the vrf:
ip classless
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route 10.249.1.0 255.255.255.0 Vlan851 <-----------------------
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
Thanks -
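A checker for the asymmetry the 6509 thread above ran into, as an added example that is not the poster's configuration or any Cisco tool: it parses an IOS-style config excerpt (constructed here from the posted config, with the same VRF, interface and route names) and reports, for each VRF whose default route is leaked to the global table, the VRF's connected subnets that no global static route sends back into the VRF. The parser only understands the handful of commands shown and assumes the usual one-space indentation of interface sub-commands.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt modelled on the 6509 config posted in the thread (not the
# poster's full config): the bingfish VRF, its three SVIs, one global SVI and
# the static default leaked from the VRF into the global table.
CONFIG_BEFORE = """\
ip vrf bingfish
 rd 123:1
interface Vlan851
 ip vrf forwarding bingfish
 ip address 10.249.1.1 255.255.255.0
interface Vlan852
 ip vrf forwarding bingfish
 ip address 10.249.2.1 255.255.255.0
interface Vlan853
 ip vrf forwarding bingfish
 ip address 10.249.3.1 255.255.255.0
interface Vlan912
 ip address 10.91.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
"""

# The single return route the poster added to restore connectivity.
CONFIG_AFTER = CONFIG_BEFORE + "ip route 10.249.1.0 255.255.255.0 Vlan851\n"


def parse_config(text):
    """Extract interface->VRF membership, interface subnets, VRFs whose default
    route is leaked to the global table, and the global static routes."""
    iface = None
    iface_vrf = {}        # interface name -> VRF name ("" means global table)
    iface_subnet = {}     # interface name -> IPv4Network
    leaked_vrfs = set()   # VRFs with 'ip route vrf X 0.0.0.0 0.0.0.0 <nh> global'
    global_statics = []   # (IPv4Network, exit token: next-hop IP or interface)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            iface = None  # an unindented line ends any interface block
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            iface = m.group(1)
            iface_vrf[iface] = ""
            continue
        if iface:
            if line.startswith("ip vrf forwarding "):
                iface_vrf[iface] = line.split()[3]
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                iface_subnet[iface] = ipaddress.IPv4Network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        if line.startswith("ip route "):
            tok = line.split()
            if tok[2] == "vrf":
                if tok[4:6] == ["0.0.0.0", "0.0.0.0"] and tok[-1] == "global":
                    leaked_vrfs.add(tok[3])
                continue  # other VRF statics do not affect the return path
            net = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
            global_statics.append((net, tok[4]))
    return iface_vrf, iface_subnet, leaked_vrfs, global_statics


def _exits_into_vrf(exit_token, vrf, vrf_subnets, iface_vrf):
    """True if a global static's exit (interface or next hop) lands inside the VRF.
    A global default via the firewall matches everything but points the wrong way."""
    if iface_vrf.get(exit_token) == vrf:
        return True
    try:
        nh = ipaddress.IPv4Address(exit_token)
    except ValueError:
        return False
    return any(nh in subnet for subnet in vrf_subnets)


def missing_return_routes(text):
    """For every VRF whose default is leaked to global, list the VRF's connected
    subnets that no global static route sends back into that VRF: outbound
    traffic leaves, but the replies are dropped in the global table."""
    iface_vrf, iface_subnet, leaked_vrfs, statics = parse_config(text)
    subnets_by_vrf = defaultdict(list)
    for name, vrf in iface_vrf.items():
        if vrf and name in iface_subnet:
            subnets_by_vrf[vrf].append(iface_subnet[name])
    report = {}
    for vrf in sorted(leaked_vrfs):
        def covered(subnet):
            return any(subnet.subnet_of(net) and
                       _exits_into_vrf(tok, vrf, subnets_by_vrf[vrf], iface_vrf)
                       for net, tok in statics)
        report[vrf] = [str(s) for s in subnets_by_vrf[vrf] if not covered(s)]
    return report


if __name__ == "__main__":
    print("before fix:", missing_return_routes(CONFIG_BEFORE))
    print("after fix: ", missing_return_routes(CONFIG_AFTER))
```

Run against the posted config it flags all three bingfish subnets before the fix; after the fix only 10.249.1.0/24 is covered, since the added static names Vlan851 alone.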
Hi, I have a certain design that I am thinking of implementing, however I need some help to understand the feasibility as well as confirm if it is indeed possible to do it. It is sort of like configuring multi-VRF on the same device and leaking routes from them into a global routing table. It seems impractical to do it, however if I want to limit connectivity between various VLANs on a L3 level without ACLs this seems the better option. Please do correct me if that is not so.
Design
A device which has a number of vlan interfaces on the north side let's say a 6500 configured with a number of vlan's. Each vlan has its own vrf. The SVI interfaces are where I apply the ip vrf forwarding XXX command. This device will be like the PE I assume?
Now I might be running various routing protocols (EIGRP, RIP, Static, BGP) within these vrf's with the devices on the other end that have no idea about vrf's. Since I have a number of routes I have learnt within their own vrf's I want to either export all these routes into the global table or create a global vrf where I can export all these routes.
The reason being that I want to propagate all these routes to the south side. The south side interface of this PE 6500 is physically connected to a firewall via a L3 point-to-point interface. That firewall's south interface in turn connects to another switch.
I am going to form a BGP session between the Top PE 6500 Switch and the bottom switch and I would like to propagate all the routes that I have in their own individual VRFs on the Top 6500 PE switch to the bottom switch via BGP.
I don't think I can run MP-BGP due to the firewalls being in the physical path. Besides I would like to run a normal BGP IPv4 session between the top and bottom switch to keep it simple and familiar.
The reason I would like to have every vlan in its own vrf is to limit connectivity between the vlan's without configuring ACL's. It provides a bit more security between the VLAN's.
What I am not sure about is how the packet forwarding would work or if it would work at all.
Thx for your help.
Hi Vikram,
Firstly, you mentioned that the reason for going down this path is for security between the different VLANs. Have you looked at Private VLANs as another option?
Certainly leaking routes between different VRFs can be achieved and I would recommend having a 'Shared VRF' that you leak in and out of. Having the Firewall between the PE nodes does present an issue both for BGP as well as LDP peering if you wanted to establish a MP-BGP session. From what you have mentioned above, this solution might over-complicate what you are trying to do.
Are the network ranges in each VLAN also unique?
Can the Firewall run IGP? If so, maybe you could run Private VLANs and then use an IGP to propagate the networks through the FW across to your other switch? If you were to establish a BGP session between the switches each side of the FW, the FW would also need to either become a BGP peer or have IGP enabled. Each BGP node would then need to inject the BGP routes into IGP. If this isn't done, the FW will drop traffic as there would not be a suitable route.
Are the resources through the FW shared or are they also client connected networks?
Trent Husking -
Route Leaking in MPLS/VPN Networks (IOX support)
Hi all,
I would like to know if IOX on the CRS-1 can support route leaking between a VRF and the global routing table?
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
Regards
Hi,
You can use the vrf keyword after the prefix you want to join and before specifying the NH. It will tell the router in which VRF the lookup should be done:
http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.0/routing/command/reference/rr40crs1book_chapter9.html#wp172562637
The vrf name "default" is reserved to reference the GRT.
HTH
Laurent. -
VRF Import/Export - how to filter routes
Hi,
Is there another way of filtering the routes you want to import into a vrf because the 'route-target export' and 'route-target import' imports ALL the routes tagged with the given 'asn:xx'. I wanted to have only selected routes imported from one vrf to another. Vrf 'import map' command does not work for me?
Does filtering make sense or is it practical at the vrf-to-vrf level? Where do you use the 'import map' command?
thanks
resti
Hi Harold,
Actually my needs are a little different. Instead of leaking between 2 VRFs, I need to leak to global. Have a default in my VRF that gets imported to global table.
Goals:
1. At hub and spoke both sites, let ISP connection run in a separate VRF. Gets a little extra security from internet.
2. When ISP connection is active, let each site route its traffic out to internet directly. However when the local ISP connection fails, remove the default route that points to ISP so that OSPF learned default from the hub site routes all traffic to hub and puts on internet.
What's working:
DMVPN tunnels work fine across INET VRF.
What's not working:
1. The IP SLA tracked route leak to global VRF is not working. Traffic doesn't go out to internet directly using local connection.
I followed following example for this configuration.
http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/multiprotocol-label-switching-vpns-mpls-vpns/47807-routeleaking.html
Any suggestions? Is it possible or supported configuration?
Below is a diagram of my setup.
Below is my relevant config snapshot. 2.2.2.1 is actually my another FW in front in the lab that does all NAT and provides internet connection to this lab.
ip sla auto discovery
ip sla 1
icmp-echo 8.8.8.8 source-ip 2.2.2.2
vrf INET
ip sla schedule 1 life forever start-time now
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 2.2.2.1 track 1
ip route vrf INET 0.0.0.0 0.0.0.0 2.2.2.1
Lab-RTR#sh ip sla sumary
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending
ID Type Destination Stats Return Last
(ms) Code Run
*1 icmp-echo 8.8.8.8 RTT=32 OK 4 seconds ago
Lab-RTR#sh ip route | in 0.0.0.0
Gateway of last resort is 10.254.2.99 to network 0.0.0.0
O*E1 0.0.0.0/0 [110/221] via 10.254.2.99, 00:00:59, Tunnel2
As you can see, it's learning the default from the Tunnel instead of taking the static default. -
VRF Lite running in the enterprise network
Hello everybody
Although VRF-lite (or Multi-VRF) seems to be a Service Provider technology, does it make sense to use it in an Enterprise Network to isolate networks from others?
I can't find any design paper which describes if this would make sense.
What do you think? Is someone using it? Does Cisco recommend it?
Yes, VRF-lite SHOULD be used in an Enterprise environment to isolate the different security classes of devices.
In the past you would isolate different groups of users using Layer1, i.e. separate hubs either totally isolated or connected together by a router with ACLs. Since the PCs were only connected at shared 10 Mbit and the routers were such low performance and worms weren't really prevalent, this was not a big security issue at the time.
Then we migrated to VLANs, which essentially allowed Layer2 isolation within the same switch to provide the same functionality of separating different classes of users and to break up broadcast domains. Unfortunately, everyone connected the VLANs together at Layer3 with a router (or SVI) which essentially connected everything together again! And almost no one gets the ACLs right (if at all) to isolate the VLANs from each other. In fact, in most cases every VLAN can automatically reach every other VLAN from a Layer3 or IP perspective. This is a huge security problem.
Enter VRF-lite, essentially created by Cisco as their tag switching migrated to standards based MPLS and had a need to isolate Layer3 security domains from each other within the same switch (or router). Think of VLANs for routing tables. VRF stands for 'Virtual Route Forwarding', which basically means separate routing tables. Since VRF-lite is a per-switch feature (running locally to the switch) you will need to use other technologies to connect multiple VRF-lite switches together and keep the traffic isolated, see below.
What makes this so secure is that there is no command within the switch to connect different VRFs together within the same switch. You would need to connect a cable between two ports on the same switch configured in different VRFs to be able to communicate between them (recent IOS 12.2SR allows tunnels with different source VRFs but that is a corner case). The reason for this is simple, remember the basis for VRF (and VRF-lite) is for a service provider to isolate multiple customers from each other within the same switch. Just like an ATM, Frame-Relay, SONET, or Optical switch, the command line makes it very difficult (or impossible) to accidentally connect 2 different customers together.
Think about that. Even if someone was able to get ssh enable access to your switch (you aren't running telnet anymore, right?!), they CAN'T connect 2 VRFs together with any command.
And, yes, this is highly recommended by Cisco Engineers and is actually deployed far more than you think. I have VRF-lite running on at least 10 clients' networks and those are LARGE networks. VRF-lite was integrated into the environment purely to solve a Layer3 security class isolation issue. I have used Layer3 dot1q trunks on c6500 switches and tunnels to keep isolated connectivity between VRFs between switches.
In Cisco speak, VRF-lite falls under the topic of 'Path Isolation' which is combined with other features that isolate traffic within the same network such as dot1q trunking, tunneling, VPN, policy-routing, and MPLS. Do a search on Cisco's web site for 'path isolation' and you will find a bunch of info.
See the following URLs for a good start:
http://www.cisco.com/en/US/netsol/ns658/networking_solutions_design_guidances_list.html
http://www.cisco.com/en/US/netsol/ns658/netbr0900aecd804a17db.html
http://www.cisco.com/en/US/netsol/ns658/networking_solutions_white_paper0900aecd804a17c9.shtml
As always, rate all posts appropriately, particularly those that provide value and don't be shy about following up with additional questions or comments.
Good luck!