NetFlow from VRF on 4451-X
I have a 4451-X router running XE 3.13.
I want to get NetFlow data from interface G0/0/0 and send it to my collector via the management VRF interface G0. Is this possible? If so, what is the configuration to make it work?
This is what I have so far:
flow record NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
flow exporter NetFlow-to-Orion
 destination 10.y.y.90 vrf Mgmt-intf
 source GigabitEthernet0
 transport udp 2055
 export-protocol netflow-v5
flow monitor NetFlow-Monitor
 description Original Netflow captures
 exporter NetFlow-to-Orion
 cache timeout inactive 10
 cache timeout active 5
 record NetFlow
interface GigabitEthernet0/0/0
 ip address xxx.xxx.xxx.xxx/30
 ip flow monitor NetFlow-Monitor input
 ip flow monitor NetFlow-Monitor output
 media-type sfp
 no negotiation auto
 no lldp transmit
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.x.x.37 255.255.255.0
 negotiation auto
What am I missing?
Thanks,
Patrick
What NetFlow tool do you have? Is the NetFlow tool seeing packets but not reporting anything?
If so, it can be because the flow records exported do not have the necessary information needed by the tool to process the NetFlow datagrams. Most NetFlow tools expect the below configuration:
flow record netfow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect flow direction
And in the flow exporter, reduce the active cache timeout to 1.
If the server where the NetFlow tool is installed is not seeing packets, make sure that:
1. You have a route to the destination from the GigabitEthernet0
2. No firewalls on the server or ACLs are blocking packets from the switch to the NetFlow server
Thanks,
Don
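Added example, not part of the thread: a collector-side check in Python for the two cases Don describes, packets that never arrive from the expected exporter and packets that arrive but lack the fields a NetFlow tool needs. It decodes NetFlow v5 datagrams (the page's export-protocol netflow-v5) and reports findings; the exporter address 10.0.0.37, the sample flows, and the assumption that interface fields missing from the flow record arrive as 0 in the fixed v5 layout are constructed for illustration.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record
# Constructed stand-in for the router's management (GigabitEthernet0) address.
ALLOWED_EXPORTERS = {"10.0.0.37"}


def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into (header, records); ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 24-byte v5 header")
    fields = HEADER.unpack_from(datagram)
    version, count, sequence = fields[0], fields[1], fields[5]
    if version != 5:
        raise ValueError(f"export version is {version}, not 5")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError(f"length {len(datagram)} does not match {count} records")
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "input_if": f[3], "output_if": f[4],   # SNMP ifIndex values
            "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10],
            "protocol": f[13], "tos": f[14],
        })
    return {"count": count, "sequence": sequence}, records


def review(datagram, sender_ip):
    """Return a list of findings for one datagram received from sender_ip."""
    findings = []
    if sender_ip not in ALLOWED_EXPORTERS:
        findings.append(f"datagram from unexpected exporter {sender_ip}")
    try:
        _header, records = parse_v5(datagram)
    except ValueError as exc:
        return findings + [f"malformed datagram: {exc}"]
    # Assumption: a flow record without interface fields exports them as 0.
    if records and all(r["input_if"] == 0 and r["output_if"] == 0 for r in records):
        findings.append("no record carries an input or output interface index")
    if any(r["packets"] == 0 or r["bytes"] == 0 for r in records):
        findings.append("record with zero packet or byte counter")
    return findings


def build_v5(flows, sequence=1):
    """Pack constructed flows into a v5 datagram (sample builder, not router output)."""
    out = HEADER.pack(5, len(flows), 60000, 1700000000, 0, sequence, 0, 0, 0)
    for fl in flows:
        out += RECORD.pack(
            ipaddress.IPv4Address(fl["src"]).packed,
            ipaddress.IPv4Address(fl["dst"]).packed,
            bytes(4), fl.get("input_if", 0), fl.get("output_if", 0),
            fl["packets"], fl["bytes"], 1000, 2000,
            fl["src_port"], fl["dst_port"], 0, 0x18, fl["protocol"], 0,
            0, 0, 0, 0, 0)
    return out


# Constructed sample flows (documentation address ranges).
FLOW = {"src": "192.0.2.10", "dst": "198.51.100.20", "packets": 12, "bytes": 9000,
        "src_port": 51514, "dst_port": 443, "protocol": 6}
WITHOUT_INTERFACES = build_v5([FLOW])
WITH_INTERFACES = build_v5([dict(FLOW, input_if=7, output_if=8)], sequence=2)

if __name__ == "__main__":
    for name, dgram in (("without", WITHOUT_INTERFACES), ("with", WITH_INTERFACES)):
        print(name, review(dgram, "10.0.0.37"))
```

On a live collector the datagram and sender address would come from recvfrom() on the UDP port set in the exporter (2055 in the configuration above).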
Similar Messages
-
Route leaking from VRF to Global on same router with VLAN interface
Hi all,
I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
interface FastEthernet4
 description ***Connection to WAN***
 ip vrf forwarding FVRF
 ip address 10.0.0.6 255.255.255.0
interface Vlan100
 description ***LAN***
 ip address 192.168.227.1 255.255.255.0
So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
I thought I could do that config but it is not possible:
(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
OR
DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
%Invalid next hop address (it's this router)
Any ideas are really welcome.
Best regards,
Laurent
Hi,
I have tried the following solution:
Add 10.0.0.0 /24 from VRF to Global:
ip route 10.0.0.0 255.255.255.0 FastEthernet4
Add 192.168.227.0 /24 from Global to VRF:
router bgp 64512
 bgp log-neighbor-changes
 address-family ipv4
  no synchronization
  redistribute connected
  no auto-summary
 exit-address-family
ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
route-map Global permit 10
 match ip address prefix-list Global-VRF
ip vrf FVRF
 rd 1:1
 import ipv4 unicast map Global
So now the VRF table looks like that:
# sh ip route vrf FVRF
C 10.0.0.0/24 is directly connected, FastEthernet4
S 10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L 10.0.0.6/32 is directly connected, FastEthernet4
B 192.168.227.0/24 is directly connected, 00:15:12, Vlan100
The Global table looks like this:
#sh ip route
Gateway of last resort is 10.1.0.107 to network 0.0.0.0
D* 0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S 10.0.0.0/24 is directly connected, FastEthernet4
C 10.1.0.0/24 is directly connected, Tunnel1
L 10.1.0.227/32 is directly connected, Tunnel1
C 10.2.0.0/24 is directly connected, Tunnel2
L 10.2.0.227/32 is directly connected, Tunnel2
C 10.10.10.227/32 is directly connected, Loopback100
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
But when I try to ping, it still doesn't work:
#ping vrf FVRF 192.168.227.1 source fastEthernet 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.6
Success rate is 0 percent (0/5)
#ping 10.0.0.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.227.1
Success rate is 0 percent (0/5)
Any ideas?
Regards,
Laurent
-
Monitoring DHCP leases from vrf tunnels
Hello,
I am looking to monitor DHCP leases from VRF tunnels on a 4510R switch and be notified when a lease is handed out. Does anyone have any suggestions on the best way to accomplish this?
Thanks!
See http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_iimib.html . Assuming you're running the correct version of code, you can get VRF-aware CISCO-IPSEC-FLOW-MONITOR-MIB and CISCO-IPSEC-MIB support. You will need to make sure you have configured your device to allow for VRF-based SNMP polling. The VRF instances will not show sum totals for the system. To get that, you will need to poll using a non-VRF community string.
-
Leaking MPLS VPN learned routes from VRF to Global
I'm trying to leak routes from a VRF to global. I can get the routes leaked from the directly connected CE to the global, however I can't get the routes from remote CEs to leak into the global routing table. Below are my configurations:
RP/0/0/CPU0:B25BR1#sh run vrf TR
Wed Dec 17 22:40:33.772 UTC
vrf TR
address-family ipv4 unicast
import route-target
65000:7020
export to default-vrf route-policy TR-2-GLOBAL
export route-target
65000:7020
RP/0/0/CPU0:B25BR1#sh rpl route-policy TR-2-GLOBAL
Wed Dec 17 22:40:50.851 UTC
route-policy TR-2-GLOBAL
if destination in TR-2-GLOBAL then
pass
endif
end-policy
RP/0/0/CPU0:B25BR1#sh rpl prefix-set TR-2-GLOBAL
Wed Dec 17 22:40:57.861 UTC
prefix-set TR-2-GLOBAL
192.168.0.17/32,
192.168.0.18/32,
192.168.0.19/32,
192.168.0.20/32
end-set
!Routes that I want to see also are 192.168.0.19/32 and 192.168.0.20/32 which are there in the VRF routing table
RP/0/0/CPU0:B25BR1#sh route vrf TR
Wed Dec 17 22:41:45.767 UTC
Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
U - per-user static route, o - ODR, L - local, G - DAGR
A - access/subscriber, a - Application route, (!) - FRR Backup path
Gateway of last resort is not set
B 10.1.0.0/30 [20/0] via 10.1.0.5, 00:14:32
C 10.1.0.4/30 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
L 10.1.0.6/32 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
B 10.1.128.0/30 [20/0] via 10.1.0.5, 00:14:32
B 192.168.0.17/32 [20/0] via 10.1.0.5, 00:13:56
B 192.168.0.18/32 [20/0] via 10.1.0.5, 00:13:56
B 192.168.0.19/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
B 192.168.0.20/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
RP/0/0/CPU0:B25BR1#sh ip rou
Wed Dec 17 22:41:50.097 UTC
Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
U - per-user static route, o - ODR, L - local, G - DAGR
A - access/subscriber, a - Application route, (!) - FRR Backup path
Gateway of last resort is not set
S 10.0.0.0/27 is directly connected, 08:04:01, Null0
O 10.0.0.4/30 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
C 10.0.0.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
L 10.0.0.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
O 10.0.0.12/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
O 10.0.0.16/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
O 10.0.0.24/30 [110/3] via 10.0.128.9, 06:29:14, GigabitEthernet0/0/0/1
O 10.0.0.28/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
S 10.0.128.0/29 is directly connected, 08:04:01, Null0
O 10.0.128.0/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
O 10.0.128.4/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
C 10.0.128.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
L 10.0.128.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
S 10.1.0.4/30 is directly connected, 06:57:23, Null0
S 10.1.128.4/30 is directly connected, 08:04:01, Null0
C 10.18.0.0/16 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
L 10.18.0.9/32 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
L 127.0.0.0/8 [0/0] via 0.0.0.0, 08:04:04
O 192.168.0.1/32 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
O 192.168.0.2/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
O 192.168.0.3/32 [110/3] via 10.0.128.9, 08:03:40, GigabitEthernet0/0/0/1
O 192.168.0.4/32 [110/3] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
O 192.168.0.5/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
O 192.168.0.6/32 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
O 192.168.0.7/32 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
L 192.168.0.8/32 is directly connected, 08:04:00, Loopback0
B 192.168.0.17/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
B 192.168.0.18/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
I'm only seeing the routes from the directly connected CE, but not the routes received from RR. What am I missing here?
Thanks!
-Sajith
-
Problem leaking route from VRF to global table on CSR 1000V
Hi Guys,
So I have a problem with VRFs on a CSR 1000V, specifically exporting a connected subnet from a VRF into the global routing table.
My config, very abbreviated, is as follows:
Router:
GE1: 10.0.0.1/31 VRF TEST
GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))
Now sh ip route displays:
0.0.0.0/0 (BGP)
172.30.20.1/24 (Connected)
sh ip route vrf TEST displays:
0.0.0.0/0 (BGP)
10.0.0.1/31 connected
My VRF config is as follows:
ip vrf TEST
 rd 1:1
 import ipv4 unicast map GLOBAL
 export ipv4 unicast map CONNECTED-SUBNET
ip prefix-list CONNECTED seq 1 permit 10.0.0.1/31
ip prefix-list DEFAULT seq 1 permit 0.0.0.0/0
route-map CONNECTED-SUBNET permit 10
 match ip address prefix-list CONNECTED
route-map GLOBAL permit 10
 match ip address prefix-list DEFAULT
Now my import command works perfectly (0.0.0.0/0 is imported from BGP into the VRF's routing table), however my export command does not function - seemingly at all.
Even though my prefix list is an exact match, I do not see 10.0.0.1/31 appearing in the global routing table, or the BGP table at all (show ip bgp 10.0.0.1 shows only the 0.0.0.0/0 default route).
Any thoughts on what is going on here? Am I misunderstanding the export command for VRFs? I was under the impression this will export directly to the BGP table, and then be imported to the global routing table if applicable?
Any thoughts/input would be appreciated!
Hello
"GE1: 10.0.0.1/31 VRF TEST
GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))"
I must have misunderstood somewhere. I was assuming you had no VRF BGP between GE1-2, and just a VRF on subnet 10.0.0.0/x which needed to be advertised in the global routing table, hence my last post suggested you redistribute into BGP.
So assuming you are accepting a default route from GE2, it went like this:
GE1
int fa0/1
 ip vrf forwarding TEST
 ip address 10.0.0.1 255.255.255.255
int xx
 ip address 172.30.20.1 255.255.255.0
router bgp xy
 neighbor 172.30.20.2 remote-as yx
 ! to advertise the VRF subnet to GE2
 redistribute static
! this tells the global RIB where to go for the VRF route
ip route 10.0.0.1 255.255.255.255 fa0/1
ip prefix-list VRF permit 0.0.0.0/0
route-map VRF_rm
 ! match on the default route advertised from GE2, which is in the global RIB
 match ip address prefix-list VRF
ip vrf TEST
 ! import the default from the global RIB into the VRF RIB
 import ipv4 unicast map VRF_rm
res
Paul
-
Are L2TPv3 endpoints not supported to source from VRFs?
Hi,
I have a customer that needs to tunnel serial data from remote sites to a central site. This serial data is HDLC encapsulated and the remote site has a Cisco 1921 router with HWIC4A/S.
The central router is a Cisco 2951, also with HWIC4A/S.
This customer has several VPNs carried by a service provider through MPLS. One VPN is for operational traffic, one is for test traffic and so on.
They want to send the tunneled traffic through the operational VPN on the router doing tunneling through VRF lite. This does however not seem to be supported but I can't find any restrictions in the Cisco documentation.
Here is a working configuration:
pseudowire-class PW
 encapsulation l2tpv3
 sequencing transmit
 protocol none
 ip local interface loopback0
 ip tos value 128
 ip ttl 10
interface Loopback0
 ip address x.x.x.x 255.255.255.255
interface Serial0/0/0
 description ### redacted ###
 no ip address
 no keepalive
 ignore dtr
 clock rate 19200
 no cdp enable
 xconnect y.y.y.y 1001 encapsulation l2tpv3 manual pw-class PW
  l2tp id 61001 101
redacted#show l2tun session all
Session id 61001 is up, logical session id 65668, tunnel id n/a
Remote session id is 101, remote tunnel id n/a
Locally initiated session
Unique ID is 24
Session Layer 2 circuit, type is HDLC, name is Serial0/0/0
Session vcid is 1001
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
Call serial number is 0
Remote tunnel name is
Internet address is y.y.y.y
Local tunnel name is
Internet address is x.x.x.x
IP protocol 115
Session is manually signaled
Session state is established, time since change 19:04:36
1087277 Packets sent, 0 received
21281118 Bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
1087277 Packets sent, 0 received
21281118 Bytes sent, 0 received
Receive packets dropped:
out-of-order: 0
other: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
other: 0
total: 0
DF bit off, ToS reflect disabled, ToS value 128, TTL value 10
Sending UDP checksums are disabled
Received UDP checksums are verified
No session cookie information available
FS cached header information:
encap size = 28 bytes
45800014 00000000 0a738706 0a741822
0a74fbe7 00000065 00000000
Sequencing is on
Ns 1087268, Nr 0, 0 out of order packets received
Packets switched/dropped by secondary path: Tx 0, Rx 0
Conditional debugging is disabled
SSM switch id is 4226, SSM segment id is 12422
The traffic is unidirectional so it's expected to only have packets sent and not received. This works fine. However, if I put the loopback in a VRF, the tunnel still comes up but no traffic is forwarded.
int loopback 0
 ip vrf forwarding OPER
This would stop the traffic from passing through the tunnel. I suspect that the Cisco implementation of L2TPv3 is not VRF aware but have been unable to get any confirmation so far.
Has anyone else tried to deploy this when sourcing from a VRF?
Hi All,
I could solve it myself. Thanks for the time.
The problem was I tried to navigate directly from the component 'BT125H_TASK' to the component 'CRMCMP_CMG', as I could not find any parent for BT125H_TASK earlier.
Now I could find its parent component which is 'BT110M_ACT'.
The outbound plug created in the task component has to be added to the component usage of 'BT110M_ACT' and the delegation should be done. The other things are the same. It works fine.
Regards
Vidhya
-
Trouble with advertise a route BGP from VRF on Cisco IOS 7600
Hi
The diagram specifies the actual operating network.
We are trying to advertise the network 172.16.161.6 to the Nortel devices and Cisco devices in AS 2005 and 64912. If we look at the routing table on the Cisco 7600, the network 172.16.161.6 is known:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/28 ms
cisco 7600#trace
cisco 7600#traceroute vrf data 172.16.161.6
Type escape sequence to abort.
Tracing the route to 172.16.161.6
1 189.1.11.5 [MPLS: Labels 581/730 Exp 0] 24 msec 24 msec 24 msec
2 172.16.12.73 [MPLS: Label 730 Exp 0] 36 msec 28 msec 36 msec
3 172.16.12.74 20 msec 20 msec 24 msec
4 172.16.14.10 64 msec 20 msec 20 msec
5 172.16.19.9 20 msec 24 msec 20 msec
6 172.16.161.6 24 msec 20 msec 24 msec
PE_CAR_1#ping vrf data 172.16.161.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.161.6, timeout is 2 seconds:
But the Nortel devices in AS 64912 don't know the network 172.16.161.6 in their routing tables.
The difference on the Cisco 7600, which knows both AS 64912 and 2005, is this one:
Configuration on Cisco Router 7600:
router bgp 2006
 bgp router-id 172.16.110.97
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 172.16.10.41 remote-as 64912
 neighbor 172.16.10.41 description PP-A6
 neighbor 172.16.11.233 remote-as 64912
 neighbor 172.16.11.233 description PP-2TE2
 neighbor 172.16.12.73 remote-as 2005
 neighbor 172.16.12.73 description PE_MEX_1
 neighbor 172.16.12.73 fall-over bfd
 neighbor 172.16.13.9 remote-as 2005
 neighbor 172.16.13.9 description PE_MEX_3
 neighbor 172.16.13.9 fall-over bfd
 neighbor 172.16.13.77 remote-as 2005
 neighbor 172.16.14.6 remote-as 64512
 neighbor 172.16.14.10 remote-as 64512
 neighbor 172.16.16.26 remote-as 64982
 neighbor 172.16.16.26 description INTERNET-2
 neighbor 172.16.16.30 remote-as 64982
 neighbor 172.16.16.30 description INTERNET-1
 address-family ipv4
  neighbor 172.16.10.41 activate (connection to Nortel devices)
  neighbor 172.16.10.41 route-map AS-PATH-MAN in
  neighbor 172.16.10.41 route-map REDES-WAN->MAN out
  neighbor 172.16.11.233 activate (connection to Nortel devices)
  neighbor 172.16.11.233 route-map AS-PATH-MAN in
  neighbor 172.16.11.233 route-map REDES-WAN->MAN out
  neighbor 172.16.12.73 activate
  neighbor 172.16.12.73 route-map REDES-WAN-PE_MEX_1 in
  neighbor 172.16.12.73 route-map DEFAULT-ROUTE out
  neighbor 172.16.13.9 activate (connection to Cisco 7600 devices)
  neighbor 172.16.13.9 route-map REDES-WAN-PE_MEX_3 in
  neighbor 172.16.13.9 route-map DEFAULT-ROUTE out
  neighbor 172.16.13.77 activate
  neighbor 172.16.13.77 route-map DEFAULT-ROUTE out
  neighbor 172.16.14.6 activate (connection to ASR 9000)
  neighbor 172.16.14.6 route-map default out
  neighbor 172.16.14.10 activate (connection to ASR 9000)
  neighbor 172.16.14.10 route-map default out
The difference we see between the routes known to the Nortel devices and the Cisco devices is the following on the Cisco 7600:
Cisco 7600#sho ip bgp 150.151.1.250
BGP routing table entry for 150.151.0.0/16, version 5612717
Paths: (2 available, best #1, table default)
Multipath: eBGP
Advertised to update-groups:
2 4
2005
172.16.13.9 from 172.16.13.9 (150.220.250.5)
Origin IGP, localpref 300, valid, external, best
Community: 100:22
Extended Community: RT:100:22
2005
172.16.12.73 from 172.16.12.73 (150.220.250.1)
Origin IGP, localpref 260, valid, external
Community: 100:22
Extended Community: RT:100:22
Cisco 7600#sho ip bgp 172.16.161.6
BGP routing table entry for 172.16.161.6/32, version 6133620
Paths: (2 available, best #2, table default)
Multipath: eBGP
Not advertised to any peer
64512 64513
172.16.14.6 from 172.16.14.6 (172.16.14.1)
Origin incomplete, localpref 100, valid, external, multipath
Extended Community: RT:64512:64513
64512 64513
172.16.14.10 from 172.16.14.10 (172.16.14.2)
Origin incomplete, localpref 100, valid, external, multipath, best
Extended Community: RT:64512:64513
NOT advertised to any peer
If we look on the ASR, the network is advertised in vrf GAT but not in vrf CAMPUS:
RP/0/RSP0/CPU0:ED_MEX_1#sho bgp vrf CAMPUS 172.16.161.6
Mon May 20 12:58:03.516 UTC
BGP routing table entry for 172.16.161.6/32, Route Distinguisher: 64512:64513
Versions:
Process bRIB/RIB SendTblVer
Speaker 20 20
Local Label: 16004
Last Modified: May 17 17:24:29.877 for 2d19h
Paths: (1 available, best #1)
Not advertised to any peer
Path #1: Received by speaker 0
Not advertised to any peer
64513
172.16.19.5 from 172.16.19.5 (172.16.162.4)
Origin incomplete, metric 110, localpref 100, valid, external, best, group-best, import-candidate
Received Path ID 0, Local Path ID 1, version 20
Extended community: RT:64512:64513
but the vrf GAT:
RP/0/RSP0/CPU0:ED_MEX_1#sho bgp vrf GAT 172.16.161.6
Mon May 20 12:58:52.909 UTC
BGP routing table entry for 172.16.161.6/32, Route Distinguisher: 64512:2006
Versions:
Process bRIB/RIB SendTblVer
Speaker 30 30
Last Modified: May 17 17:24:29.877 for 2d19h
Paths: (1 available, best #1)
Advertised to CE peers (in unique update groups):
172.16.14.5
Path #1: Received by speaker 0
Advertised to CE peers (in unique update groups):
172.16.14.5
64513
172.16.19.5 from 172.16.19.5 (172.16.162.4)
Origin incomplete, metric 110, localpref 100, valid, external, best, group-best, import-candidate, imported
Received Path ID 0, Local Path ID 1, version 30
Extended community: RT:64512:64513
Any ideas on this problem? We tried to advertise the extended community, but nothing.
The configuration on the ASR is as follows:
router bgp 64512
 bgp router-id 172.16.14.1
 address-family ipv4 unicast
 address-family vpnv4 unicast
 vrf GAT
  rd 64512:2006
  address-family ipv4 unicast
   redistribute connected
   redistribute static
  neighbor 172.16.14.5
   remote-as 2006
   address-family ipv4 unicast
    send-community-ebgp
    route-policy pass-all in
    route-policy pass-all out
    send-extended-community-ebgp
 vrf CAMPUS
  rd 64512:64513
  address-family ipv4 unicast
   redistribute connected
   redistribute static
  neighbor 172.16.19.5
   remote-as 64513
   address-family ipv4 unicast
    route-policy pass-all in
    route-policy pass-all out
We put send-extended-community-ebgp only on vrf GAT.
Best Regards
Hi Harold, thanks for your comment.
We followed your recommendation and put a route-map on the AS 64912 routes to identify the traffic IN on the interface. The final configuration on the Cisco 7600 is:
router bgp 2006
 bgp router-id 172.16.110.97
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 172.16.14.6 remote-as 64512
 neighbor 172.16.14.6 description EDGE_MEX_1
 neighbor 172.16.14.10 remote-as 64512
 neighbor 172.16.14.10 description EDGE_MEX_2
 address-family ipv4
  no synchronization
  neighbor 172.16.14.6 route-map REDES_CAMPUS in
  neighbor 172.16.14.6 route-map default out
  neighbor 172.16.14.10 activate
  neighbor 172.16.14.10 route-map REDES_CAMPUS in
  neighbor 172.16.14.10 route-map default out
  neighbor 172.16.16.26 activate
with the following route maps:
ip extcommunity-list standard GAT permit rt 64512:64513
ip bgp-community new-format
ip community-list standard REDES-GAT permit 64512:2006
route-map REDES_CAMPUS permit 430
 match extcommunity GAT
 set local-preference 250
 set community 64512:2006 additive
 set extcommunity rt 64512:64513 additive
route-map REDES-WAN->MAN permit 1600
 match community REDES-GAT
With this information, the routes advertised to the neighbor include the loopback 172.16.161.6:
GW_MEX_2#sho ip bgp neighbors 172.16.11.233 advertised-routes
BGP table version is 6160029, local router ID is 172.16.110.97
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.1/32 172.16.12.73 300 0 2005 ?
*> 1.0.0.2/32 172.16.12.73 300 0 2005 ?
Network Next Hop Metric LocPrf Weight Path
*> 172.16.140.72/32 172.16.13.9 300 0 2005 ?
*> 172.16.141.22/32 172.16.12.73 250 0 2005 ?
*> 172.16.141.61/32 172.16.12.73 250 0 2005 i
*> 172.16.141.71/32 172.16.12.73 250 0 2005 i
*> 172.16.142.0/27 172.16.13.9 300 0 2005 ?
*> 172.16.142.32/27 172.16.13.9 250 0 2005 ?
*> 172.16.144.0/27 172.16.13.9 300 0 2005 ?
*> 172.16.146.1/32 172.16.13.9 300 0 2005 65451 i
*> 172.16.150.0/27 172.16.12.73 250 0 2005 ?
*> 172.16.152.0/27 172.16.13.9 300 0 2005 ?
*> 172.16.152.32/28 172.16.13.9 300 0 2005 ?
*> 172.16.155.1/32 172.16.13.9 300 0 2005 ?
*> 172.16.161.1/32 172.16.14.6 0 250 0 64512 ?
*> 172.16.161.6/32 172.16.14.10 0 250 0 64512 ?
Thanks for your cooperation
Best Regards
-
Denying telnet traffic from VRF interfaces on the router
Hi,
We are currently trying to have incoming telnet traffic from a VRF interface denied by the router (7613--IOS:12.2(18)SXF4). On the line vty, we have associated an access-class specifying the block that should be allowed for inbound telnet connections to the router. This is working well, but it also allows incoming telnet from a VRF interface that has the same block as the global table block which is configured to allow the incoming telnet connection. We don't want to allow any telnet connection from the VRF interface, even though it matches the permit block in the access-list.
Kindly note that we have not specified the vrf-also command on the access-class.
Please let us know a way to accomplish the above requirement.
Thanking You
Regards
Anantha Subramanian Natarajan
Hi,
Thanks for the suggestion.
I think I haven't made my requirement clear. We would not like to apply an access-list to the VRF interfaces to achieve this requirement because we would then have to bind it to all the VRF interfaces (I mean customer interfaces), as we are acting as a service provider. We are looking for a way to do it by applying an access-class bound to the line vty, which is common to all the telnet traffic.
Kindly let us know if you have some suggestions on the same.
Regards
Anantha Subramanian Natarajan
-
I am trying to configure Netflow support on a new 4451 and cannot get the following commands to accept. Can someone advise me please.
Cisco IOS XE Software, Version 03.10.00.S - Extended Support Release
Cisco IOS Software, ISR4400 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(3)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 25-Jul-13 17:45 by mcpre
Technology Package License Information:
Technology Technology-package Technology-package
Current Type Next reboot
appx None None None
uc None None None
security None None None
ipbase ipbasek9 Permanent ipbasek9
(config-if)#ip route
(config-if)#ip route-c
(config-if)#ip route-cache ?
cef Enable Cisco Express Forwarding
policy Enable fast-switching policy cache for outgoing packets
same-interface Enable fast-switching on the same interface
<cr>
Only command available
(config-if)#ip flo
(config-if)#ip flow ?
monitor Apply a Flow Monitor
Follow the Flexible NetFlow Configuration Guide to configure Flexible NetFlow:
http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/xe-3s/fnf-xe-3s-book.html -
Excluding addresses/segments from Netflow export
Hi there. We've requested that our network provider export Netflow from the WAN facing interface on their CE router in every regional office we have, to our collector at head office. They are concerned about the fact that we would be seeing their management traffic on our collector, since the management of the router is not OOB, so it will be exported along with the rest of the traffic.
They are proposing setting up a new VRF for management traffic, and it looks like this is going to be a complicated change considering we've got 60-70 locations.
Is it not possible to simply configure Netflow to not export data to/from the provider's management IPs? This seems like something flexible netflow should be able to do...or maybe not?
I am not sure if I fully understood your network setup.
But once netflow is enabled on an interface, all the traffic flowing through that interface will be reported to the netflow harvester server. We can't make an exception for a particular IP/flow.
CF -
Communication between multiple vrf context on fwsm
I have 2 VRF contexts on the FWSM of a 6509 switch. I want to reach from vrf context1 inside to vrf context inside. How can I do it?
vrf_context1_inside----6509_fwsm----vrf_context2_inside
vrf_context1_inside must reach to vrf_context2_inside
Thanks for the response.
FileLock. We still have to target JDK 1.3 so we can't use FileLocks (at this point)
JNI: That's an interesting idea. I suspect many people are using our software on Windows. Therefore, we could probably fix it in Windows the same as in the C++ code. If they're not on Windows, we could use the Sockets approach.
I also had another idea: how about hashing the username string into some integer (or long) value. Then use the hashed value to lock some other resource: like the port number passed to ServerSocket. I know ServerSocket only accepts 0 - 0xFFFF so this obviously won't work. But is there some other system-wide thing we could lock given an integral value? -
Hi Guyz,
I have 3 VRF's on VSS core.
1) VRF A
2) VRF B
3) Global VRF.
I have Firewall in L3 mode between these VRFs. Traffic between A & B have to cross firewall.
I can use BGP or EVN to leak routes between VRFs, but they leak only routes that are present in the routing table.
Now i need to leak specific route for eg 10.10.10.10/32 from VRF A to VRF B.
10.10.10.0/24 is directly connected interface on VRF A.
I need to find a way where I can leak a /32 route between VRFs.
Thanks
Changing the autonomous system number may be necessary when 2 separate BGP networks are combined under a single autonomous system. This typically occurs when one ISP purchases another ISP. The neighbor local-as command is used initially to configure BGP peers to support 2 local autonomous system numbers to maintain peering between 2 separate BGP networks. This configuration allows the ISP to immediately make the transition without any impact on existing customer configurations.
enable
configure terminal
router bgp as-number
address-family {ipv4 | ipv6 | vpnv4| [multicast | unicast | vrf {vrf-name}]} -
BGP routing updates via VRF's fails on PE
HQ connects to 2 different remote sites via MPLS.
HQ connects to PE1 via MPLS vrf SITE1
HQ also connects to PE1 via MPLS vrf SITE2
WAN1 connects to PE2 via F0/0 vrf SITE1
WAN2 connects to PE2 via F0/1 vrf SITE2
HQ sees all prefixes from both remote sites!!
HQ and WAN1 can successfully ping/trace each other.
HQ and WAN2 can successfully ping/trace each other.
WAN1 only sees HQ prefixes
WAN2 only sees HQ prefixes
PE1 vrf SITE1 routing table sees HQ and WAN1 prefixes only
PE1 vrf SITE2 routing table sees HQ and WAN2 prefixes only
I can see from HQ that HQ is sending the same prefixes to both eBGP PE1 peers.
(I.E. sh bgp ipv4 uni nei x.x.x.x adv)
TOPOLOGY:
/---MPLS--PE2------WAN1
HQ----PE1--
\---MPLS--PE2------WAN2
HQ AS 10
WAN1 AS 20
WAN2 AS 30
MPLS AS 65535
On PE1 and PE2
Under vrf SITE1, I added route-target import from vrf SITE2 and
Under vrf SITE2, I added route-target import from vrf SITE1 and this did not work at all.
HQ must remain in 2 different vrf's while the remotes are in different vrf's as well.
PROBLEM:
I need to be able to communicate between WAN1 to WAN2 via HQ.
Anyone know what might fix my problem????, Or can explain what is happening that causes this failure?
THANKS and BEST REGARDS
Frank
Hi Frank
Looking at the design you mentioned above, it all seems fine and should work. Just one question: did you import the cross-VRF RTs after the normal setup was up and working? Because in that case I think we would need to soft clear the BGP process on PE1 to cross-import the VRF routes from PE2. But on PE2 it should have worked fine.
May be as asked by Olivier you can share the configs once to look at it.
Coming to your second question of
PROBLEM:
I need to be able to communicate between WAN1 to WAN2 via HQ.
This is a case of MPLS Hub and Spoke VPN Services using eBGP as PE-CE.
Here we need to use 3 VRFs with a separate export RT for the Hub (HQ-VRF) and Spoke 1 (Site 1-VRF) / Spoke 2 (Site 2-VRF).
The Hub will import the RTs of Spoke 1 and Spoke 2. Spoke 1 / Spoke 2 will import only the HQ RT.
On PE1 create a default null route under VRF Hub and under BGP address-family ipv4 vrf HQ-VRF send a default route using the network statement below:
network 0.0.0.0
This will help to achieve the desired traffic flow of WAN1 communicating to WAN2 via HQ.
Hope this provides some insight to your query.
Regards
Varma -
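The hub-and-spoke route-target layout described in the reply above, as an added example that is not part of the original thread: a simplified Python model of RT import/export that shows which prefixes each VRF ends up with and why spoke-to-spoke traffic follows the hub's default route. The RT values, prefixes and VRF name spellings are constructed for illustration.

```python
import ipaddress

# Constructed RT values; only the hub/spoke roles come from the reply.
VRFS = {
    "HQ-VRF":    {"export": {"65535:100"}, "import": {"65535:101", "65535:102"}},
    "Site1-VRF": {"export": {"65535:101"}, "import": {"65535:100"}},
    "Site2-VRF": {"export": {"65535:102"}, "import": {"65535:100"}},
}
# Constructed prefixes each VRF originates; the hub also sends 0.0.0.0/0.
ORIGINATED = {
    "HQ-VRF":    ["10.0.0.0/24", "0.0.0.0/0"],
    "Site1-VRF": ["10.1.0.0/24"],
    "Site2-VRF": ["10.2.0.0/24"],
}

def build_tables(vrfs, originated):
    """Return {vrf: {network: origin_vrf}} after route-target import."""
    tables = {name: {} for name in vrfs}
    for origin, prefixes in originated.items():
        for name, cfg in vrfs.items():
            # A VRF keeps its own routes and imports any route whose
            # export RTs intersect its import RTs.
            if name == origin or vrfs[origin]["export"] & cfg["import"]:
                for p in prefixes:
                    tables[name][ipaddress.ip_network(p)] = origin
    return tables

def next_vrf(tables, vrf, dst):
    """Longest-prefix match for dst in vrf's table; origin VRF or None."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in tables[vrf] if addr in n]
    if not matches:
        return None
    return tables[vrf][max(matches, key=lambda n: n.prefixlen)]

def path(tables, src_vrf, dst, max_hops=4):
    """Follow lookups VRF by VRF until the VRF that owns dst is reached."""
    hops, cur = [src_vrf], src_vrf
    for _ in range(max_hops):
        nxt = next_vrf(tables, cur, dst)
        if nxt is None:
            return hops + ["drop"]
        if nxt == cur:
            return hops
        hops.append(nxt)
        cur = nxt
    return hops + ["loop"]

if __name__ == "__main__":
    t = build_tables(VRFS, ORIGINATED)
    for name, routes in t.items():
        print(name, sorted(str(n) for n in routes))
    print(" -> ".join(path(t, "Site1-VRF", "10.2.0.5")))
```

Removing `0.0.0.0/0` from the hub's originated routes makes the same lookup from `Site1-VRF` end in `drop`, which is the isolation the spoke import policy provides on its own.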
How to provide Redundancy for VRF MGMT with help of BGP over MPLS (MPBGP)
Hi,
Please find the Network Topology.
This is one remote site, managed by the Mgmt office.
All devices on the remote site are accessed by the MGMT Office. My organisation seeks redundancy for managing devices.
My administration is from MGW to R1. I am new to MPLS.
As you can see in the diagram, R1 has 3 VRFs (Voice, Signal and MGMT). Currently I have a primary link over which we are running MPBGP.
Traffic from these VRFs goes over this primary link. Currently the secondary link is not connected.
Now my organisation has proposed a secondary link, and they want only traffic from VRF MGMT to go through MPLS RTR R2 (the secondary link) when the mgmt routes are not learned from MPLS RTR R1 (connected to SP1).
Current R1 config
There is iBGP between R1 and both MPLS RTRs.
BGP Config
router bgp 64513
synchronization disable
neighbor 10.36.150.1 remote-as 64513
neighbor 10.36.150.1 activate
neighbor 10.36.150.1 update-source loopback1
address-family ipv4 vrf signalling
redistribute connected
redistribute static
$
address-family ipv4 vrf voice
redistribute connected
redistribute static
$
address-family ipv4 vrf OAM-T
redistribute connected
redistribute static
$
address-family vpnv4
neighbor 10.36.150.1 activate
neighbor 10.36.150.1 send-community
$
!<ospfv2>
router ospf 100
interface gei-3/3
network point-to-point
$
network 10.36.150.49 0.0.0.0 area 0.0.0.0 --- loopback ip (Configured)
network 10.36.149.60 0.0.0.3 area 0.0.0.0 ---- p2p ip bet R1 and MPLS R1.(Configured)
network 10.36.149.64 0.0.0.3 area 0.0.0.0 ---- p2p ip bet R1 and MPLS R2. ---------- (till now not configured as secondary link is not connected)
router-id 10.36.150.49
So what configuration needs to be done at R1 to achieve the redundancy for the MGMT VRF?
If possible please reply with a sample configuration.
or
In the MPBGP protocol, where do I apply a routing policy for AS-path prepend so that the route would be secondary to the neighbor?
IGP-OSPF and BGP over MPLS is running.
On which address-family neighbor should I apply it: VPNV4, IPV4 or IPV4 VRF?
If I want the 10.36.128.0/26 prefix to go to neighbor MPLS R2, what should I use, an access-list or a prefix-list?
Please provide the reply with its config.
thanks in advance,
Regards,
Ajay
Message was edited by: Ajaykumar yadav -
Assistance Needed: Inter-VRF Routing with MP-BGP
hello everyone,
I've been trying to solve a problem for over a day regarding inter-vrf routing using MP-BGP and I can't seem to figure a few things out.
I have a Cisco 1921 which has VRF-JLAN and VRF-JGLOBE with 3 interfaces configured as (g0/0 = vrf JLAN, g0/1 = no vrf, g0/2 = dot1q trunk to 2960S). vrf JLAN is a restricted network for user access, DNS server, etc. vrf JGLOBE is for the Video server, and the global routing table belongs to Wifi Access. I've been able to separate all the networks and I can route traffic out to the Internet from vrf JLAN and the global route table, but where I'm having issues is getting vrf JGLOBE to route traffic using the Global route table.
For example: vrf JLAN should not be accessed by either Global or vrf JGLOBE. JGLOBE should be able to access the vrf JLAN DNS server but it should route its internet traffic via the Global route table (g0/1). Lastly, JLAN should be able to access 2 networks from the Global route table.
I've attached my config and diagram so you can better understand what I'm trying to achieve. More light to solving this problem would be much appreciated.
ip vrf JGLOBE
rd 65001:2
export map WIFI
route-target export 65001:2
ip vrf JLAN
rd 65001:1
import ipv4 unicast map C-GLOBAL
route-target export 65001:1
route-target import 65001:1
route-target import 65001:2
interface GigabitEthernet0/0
description LAN-ACCESS-INTERNET [TO Nexthop FIREWALL]
ip vrf forwarding JLAN
ip address 192.168.4.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect INTERNET-FW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface GigabitEthernet0/1
description GLOBAL-Wifi-INTERNET [TO Nexthop - FIREWALL]
ip address 192.168.5.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect GLOBAL-FW in
ip inspect GLOBAL-FW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
interface GigabitEthernet0/2.3
description Users LAN
encapsulation dot1Q 3
ip vrf forwarding JLAN
ip address 192.168.30.1 255.255.255.240
interface GigabitEthernet0/2.4
description Video Server
encapsulation dot1Q 4
ip vrf forwarding JGLOBE
ip address 10.6.40.1 255.255.255.0
router ospf 1 vrf JLAN
router-id 10.6.6.10
redistribute bgp 65001 subnets
network 0.0.0.0 255.255.255.255 area 0
router ospf 2 vrf JGLOBE
router-id 10.5.7.10
redistribute bgp 65001 subnets
network 0.0.0.0 255.255.255.255 area 0
router bgp 65001
bgp router-id 10.4.6.4
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
address-family ipv4
redistribute connected
exit-address-family
address-family ipv4 vrf JGLOBE
redistribute connected
redistribute ospf 2
exit-address-family
address-family ipv4 vrf JLAN
redistribute connected
redistribute ospf 1
exit-address-family
ip dns view vrf JGLOBE default
ip dns view vrf JLAN default
ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip route vrf JGLOBE 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.5.1
ip route vrf JLAN 0.0.0.0 0.0.0.0 192.168.4.1 name LAN_INET
ip prefix-list GLOBAL-INET seq 5 permit 0.0.0.0/0
ip prefix-list SERVER-NET seq 5 permit 10.6.40.2/32
ip prefix-list WIFI-NET seq 5 permit 10.254.0.0/22 le 32
Hi Matt
Yes, the X/32 routes need to be present in the VRF routing table, and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
Regards
Varma