OSPF and Static Route

Hi,
I have got two internet links from different ISPs. One ISP has a bandwidth of 1 mbps and the other 10 mbps. I want to run OSPF for the first ISP, as they have provided two different networks, and for the second ISP I want a static route.
I only need to route certain destination networks through the first ISP, so OSPF should contain only a few networks, with 0.0.0.0 through the 2nd ISP. How can I do this?
DESTINATION NETWORK EXAMPLE (from 1st ISP)
200.200.200.200/24
100.100.100.100/24
150.150.150.150/24
Thanks in advance,
Regards
Mero

Hi,
Thanks for your reply.
I have got the configuration as follows:
Interface 0/0
Desc ***** connected to lan ******
ip address 101.2.2.1 255.255.255.240
interface 0/1
Desc ***** Connected to ISP  1 (Primary)
ip address 101.2.3.1 255.255.255.252
interface 0/2
Desc ***** Connected ISP 2 (Secondary)
ip address 101.2.4.1 255.255.255.252
ISP1 Networks:
200.200.200.200/24
100.100.100.100/24
150.150.150.150/24
How to distribute the above networks only through ospf ?
ISP1 is advertising area 30 for my network (101.2.2.1/28, 102.2.3.1/30, 101.2.4.1/30)
Now how do I perform my above mentioned task ?
Regards,
Mero

Similar Messages

  • IP SLA, Tunnels, and static routes

    Here's the scenario:  1 router will have a primary and secondary ISP connection.  I set up an SLA to track connectivity on the primary connection.  Here are the static routes:
    ip route 0.0.0.0 0.0.0.0 Tunnel55 track 10
    ip route 12.54.X.X 255.255.255.240 GigabitEthernet0/0 track 10
    ip route 12.54.X.Y 255.255.255.255 X.15.115.X track 10
    ip route 192.168.32.0 255.255.240.0 Tunnel55 track 10
    ip route 192.168.48.0 255.255.252.0 Tunnel55 track 10
    ip route 192.168.56.0 255.255.255.0 Tunnel55 track 10
    ip route 0.0.0.0 0.0.0.0 Tunnel56 254
    ip route 12.54.X.X 255.255.255.240 GigabitEthernet0/1 254
    ip route 12.54.X.Y 255.255.255.255 X.15.81.X 254
    ip route 192.168.32.0 255.255.240.0 Tunnel56 254
    ip route 192.168.48.0 255.255.252.0 Tunnel56 254
    ip route 192.168.56.0 255.255.255.0 Tunnel56 254
    So I shut down the port (gi0/0) belonging to the primary port.  At this point, it seemed like it worked fine.  The routes shifted over to the backup routes.  However, when I re-enabled the port, only two of the routes switched back. The routes pointing to Tunnels stayed on the secondary tunnel. When I browsed my static routes, I saw this:
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0
    S*    0.0.0.0/0 is directly connected, Tunnel56
          12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    S        12.x.x.16/28 is directly connected, GigabitEthernet0/0
    S        12.x.y.20/32 [1/0] via x.15.115.x
    S     192.168.32.0/20 is directly connected, Tunnel56
    S     192.168.48.0/22 is directly connected, Tunnel56
    S     192.168.56.0/24 is directly connected, Tunnel56
    Is there something special I need to do for Tunnels to allow the Tunnel routes to switch back automatically?

    Hello Ken,
    I can see you are sending the probe packets to the same object ( using the track ID 10 )
    After you bring the interface tunnel up, can you confirm if you can send traffic to that object?
    Regards,
    Julio

  • ISE version 1.3 and static route not working

    This command works without any issues with ISE version 1.1 and 1.2:
    ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
    However, it does NOT work in ISE version 1.3.  See below:
    ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
    % Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.
    % Error: Error adding static route.
    ciscoisedev/admin(config)#
    Any ideas anyone?

    So it appears that there is no option to lock down access to the shell now that the command that you used to use is no longer valid. What is worse is that there isn't an option to create an ACL in the shell that you could attach to the interface. So I would recommend that you create a defect with Cisco TAC and get this re-added or request that ACL functionality is added. 
    For the GUI (in case you were not already aware of this), you can restrict access from Administration > Admin Access > Settings > Access > IP Access

  • 2911/k9 lose static routing table entry

    Hi,
    My Cisco router 2911/k9 with release 15.2(4)m6a loses its default and static routing table entries every day, and after a reload the entries come back to my routing table.
    this is an extract of my config:
    interface Serial0/0/0:0
     no ip address
     encapsulation frame-relay IETF
     frame-relay lmi-type cisco
    interface Serial0/0/0:0.1 point-to-point
     ip address  xxxxx.1
     ip access-group 100 in
     ip load-sharing per-packet
     ip inspect cccc in
     no cdp enable
     frame-relay interface-dlci 100   
    interface Serial0/1/0:0
     no ip address
     encapsulation frame-relay IETF
     frame-relay lmi-type cisco
    interface Serial0/1/0:0.1 point-to-point
     ip address yyyyy.1
     ip access-group 100 in
     ip load-sharing per-packet
     ip inspect cccc in
     no cdp enable
     frame-relay interface-dlci 100
    ip route 0.0.0.0 0.0.0.0 xxxxx.2
    ip route 0.0.0.0 0.0.0.0 yyyyyy.2
    and more ip route static specific
    Please, who can help me? Can it be a bug?

    Hi,
    It could be a bug but at this point, I am not that bold to assume that. We need more information.
    May it be that your Frame Relay connection flaps? Is it possible that your subinterfaces go down? Please check the logs to see if the interfaces or subinterfaces change their status (up/down).
    Can you verify the logs if there are any notes of recursive routing?
    When you say the router loses the static routes, do they both completely disappear from the routing table? Do they at least stay configured in your running-config?
    As a last-resort measure, turn on logging of debugging messages by logging buffered 1000000 debugging and then start the debug ip routing command. This command will cause a debugging message to be recorded every time there is a change to the routing table. At least we will see what event caused the default routes to disappear. You will probably need to run this debug running overnight till the default routes disappear.
    Best regards,
    Peter

  • How do you Redistribution EIGRP into OSPF and maintain a distance of 250 for a static route?

    Ok, I have scoured the forums long enough and have to post. The design is below. I moved a firewall to our new data center, which required adding some static routes for VPN connections and broadband backups. To minimize the amount of static routes I redistribute static into EIGRP with a route-map and prefix-list.
    My problem is the next part of my network. When the data leaves my 56128's it hits an edge device connecting to our dark fiber. On this edge device I am running OSPF onto the dark fiber, then redistribute some EIGRP subnets into OSPF and again all is well.
    Everything works up until the point the redistributed routes hit my RIB at my main data center where I am running IBGP. IBGP is run between our MPLS router and core for all our remote sites. When my backup route from the 56128's hits the cores, it supersedes the BGP route because the AD route O E2 [110/20] is lower than the BGP AD B [200/0]. Given the configuration below what can be done to remedy this? Oh when I redistribute I can only change the AD for the backup routes, all other routes should stay the same.
    56128's where my static routes are:
    ip route 192.168.101.0/24 192.168.30.77 name firewall 250
    router eigrp 65100
       redistribute static route-map Static-To-Eigrp
    route-map Static-To-Eigrp permit 10
       match ip address prefix-list Static2Eigrp
    ip prefix-list Static2Eigrp seq 2 permit 192.168.101.0/24
    Edge device:
    router eigrp 65100
     network 172.18.0.5 0.0.0.0
     network 172.18.0.32 0.0.0.3
     network 172.18.0.36 0.0.0.3
     redistribute ospf 65100 metric 2000000 0 255 1 1500
     redistribute static metric 200000 0 255 1 1500 route-map STATICS_INTO_EIGRP
     passive-interface default
     no passive-interface Port-channel11
     no passive-interface Port-channel12
     eigrp router-id 172.18.0.5
    router ospf 65100
     router-id 172.18.0.5
     log-adjacency-changes
     redistribute eigrp 65100 subnets route-map EIGRP_INTO_OSPF
     passive-interface default
     no passive-interface GigabitEthernet1/0/1
     no passive-interface GigabitEthernet1/0/2
     no passive-interface GigabitEthernet2/0/1
     no passive-interface GigabitEthernet2/0/2
     network 172.18.0.0 0.0.255.255 area 0
    ip prefix-list EIGRP_INTO_OSPF seq 5 permit 172.18.0.0/16 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 10 permit 192.168.94.0/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 15 permit 192.168.26.32/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 20 permit 192.168.30.72/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 25 permit 192.168.20.128/25 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 26 permit 192.168.101.0/24 le 32 <- Backup Route for MPLS Remote Office
    route-map EIGRP_INTO_OSPF permit 10
     match ip address prefix-list EIGRP_INTO_OSPF

    So in the case of a /24. If it were say broken up into /25's? From our remote sites we are using aggregate-address summary-only. Not sure how I would advertise a more specific route via BGP, sorry.
    I didn't have this problem until I moved my firewalls. They plugged into the cores where IBGP was running and the static never kicked in unless the BGP route disappeared. I guess I could use my static redistribution for my VPN sites and use statics across the cores for the handful of backup links I have.

  • Default static route and Null 0

    Hi Everyone,
    Need to clear some doubts  for below setup
    Switch 3550A is connected to Internet Router and has OSPF nei relationship with it.
    3550A#                      sh run int fa0/11
    Building configuration...
    Current configuration : 272 bytes
    interface FastEthernet0/11
     description OSPF LAN Connection to 2691 Router Interface Fas 0/1
     no switchport
     ip address 192.168.5.2 255.255.255.254
    sh ip route shows
    3550A#sh ip route
    Gateway of last resort is 192.168.5.3 to network 0.0.0.0
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 20:39:56, FastEthernet0/11
    3550A#
    All is working fine.
    For testing purposes I configured the below static route on 3550A
    ip default-network 192.168.1.0
    ip route 192.168.1.0 255.255.255.0 Null0
    After above change
    3550A#           sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
    S*   192.168.1.0/24 is directly connected, Null0
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 20:38:38, FastEthernet0/11
    Now I cannot ping the internet, as below
    3550A#ping 4.2.2.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    When we ping from Switch then source IP is always the Outside interface IP right?
    So in this case Switch is using which IP as source?
    Ping to internet is not working as default network is set to 192.168.1.0 and all request goes to this IP and then it goes to Null interface right?
    Extended ping works fine as below
    3550A#ping
    Protocol [ip]:
    Target IP address: 4.2.2.2
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.5.2
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    Packet sent with a source address of 192.168.5.2
    Success rate is 100 percent (5/5), round-trip min/avg/max = 76/79/80 ms
    Second thing to confirm is this ping works because 192.168.5.2 is directly connected to Internet Router interface?
    Regards
    MAhesh

    Hi Mahesh,
    When we ping from Switch then source IP is always the Outside interface IP right?
    That is correct.  By default it is always the outgoing interface on the device unless you specify it differently.
    Ping to internet is not working as default network is set to 192.168.1.0 and all request goes to this IP and then it goes to Null interface right?
    That is correct. Null0 can't be used as next-hop.
    Second thing to confirm is this ping works because 192.168.5.2 is directly connected to Internet Router interface?
    No, that is because 192.168.5.0/30 is NATed. Remember 192.168.x.x address is a private segment and cannot access the Internet unless NAT is used.
    HTH
    Reza

  • How to do nating in isa570 and is routing to be enabled for that . I have static ip configured and pining at my office and i want to acess rdp from my home

    How to do nating in isa570 and is routing to be enabled for that . I have static ip configured and pining at my office and i want to acess rdp from my home

    How did you export? Did you use H.264? Hour and a half is going to be a big file. For your customers' sake you might consider breaking it down into segments.

  • Can anyone check this for me, nat overload, static and default routes, dhcp

    VA has DHCP on fa0/0 and will have last good address for the gateway and will reserve 20 IP's for admin devices.
    VA fa0/1 will be using static IP addressing and will be using the last good address as the default gateway address.
    Serial links will use the 50.75.120.0/30 network on all serials.
    Default route set to main via VAs next hop.
    VA will be using NAT overload to Main via local interface.
    VA
    Fa0/0= 172.16.81.254
    Fa0/1=172.16.82.126
    S0/0/0=50.75.120.130
    Main s0/0/1= 50.75.120.129 with a clock rate of 128kbps
    Building configuration...
    Current configuration : 1376 bytes
    version 12.4
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    hostname VA
    enable secret 5 $1$mERr$3nisV1NYMTmTN5PhTMBC2/
    enable password insurance
    ip dhcp excluded-address 172.16.81.235 172.16.81.254
    ip dhcp pool VA-dhcp
    network 172.16.80.0 255.255.254.0
    default-router 172.16.81.254
    spanning-tree mode pvst
    interface FastEthernet0/0
    ip address 172.16.81.254 255.255.254.0
    ip nat inside
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 172.16.82.126 255.255.255.128
    ip nat inside
    duplex auto
    speed auto
    interface Serial0/0/0
    ip address 50.75.100.130 255.255.255.252
    ip nat outside
    interface Serial0/0/1
    no ip address
    shutdown
    interface Vlan1
    no ip address
    shutdown
    ip nat inside source list 1 interface Serial0/0/0 overload
    ip nat inside source list 2 interface Serial0/0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0/1
    ip route 50.74.100.128 255.255.255.252 50.74.100.130
    access-list 1 permit 172.16.0.0 0.0.255.255
    access-list 2 permit 172.16.0.0 0.0.255.255
    banner motd ^C
    Restricted access to all unauthorized users, proceed at your will. Unauthorized users will be prosecuted to the extend of the law. ^C
    line con 0
    password shots
    login
    line aux 0
    line vty 0 4
    password xrays
    login
    end
    VA(config)#
    A network beginner, thank you in advance :))

    Reyna,
    I can see a couple of issues
    Your static routes:-
    ip route 0.0.0.0 0.0.0.0 Serial0/0/1
    ip route 50.74.100.128 255.255.255.252 50.74.100.130
    Ser 0/0/1 is shut and has no ip addressing.
    The route to 50.74.100.128 has no way to reach the next hop 50.74.100.130
    Your NAT translations are both the same, therefore only one is effective.
    Just tidy up a little:-
    The only static route you need is a default route:-
    ip route 0.0.0.0 0.0.0.0 50.75.100.129
    The NAT only requires one list and trans pointing out the outside interface
    ip nat inside source list 1 interface Serial0/0/1 overload
    access-list 1 permit 172.16.0.0 0.0.255.255
    Regards,
    Alex.
    Please rate useful posts.
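The checks made by hand in the reply above (exit interface shut down, next hop not reachable), as an added example that is not part of the original thread: a Python audit that parses the interface and `ip route` lines of an IOS-style configuration and flags static routes that cannot resolve. The function names are hypothetical, the input is an excerpt of the VA configuration posted above, and the check only considers directly connected networks (no recursive route lookup), which is a simplification.

```python
import ipaddress

# Excerpt of the VA configuration posted above (interfaces and static routes only).
VA_CONFIG = """\
interface FastEthernet0/0
ip address 172.16.81.254 255.255.254.0
interface FastEthernet0/1
ip address 172.16.82.126 255.255.255.128
interface Serial0/0/0
ip address 50.75.100.130 255.255.255.252
interface Serial0/0/1
no ip address
shutdown
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ip route 50.74.100.128 255.255.255.252 50.74.100.130
"""

# Same interfaces, with the single default route suggested in the reply.
FIXED_CONFIG = VA_CONFIG.split("ip route")[0] + "ip route 0.0.0.0 0.0.0.0 50.75.100.129\n"


def parse_config(text):
    """Return ({interface: {'network', 'shutdown'}}, [(prefix, mask, target)])."""
    interfaces, routes, current = {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface" and len(words) >= 2:
            current = words[1]
            interfaces[current] = {"network": None, "shutdown": False}
        elif words[:2] == ["ip", "route"] and len(words) >= 5:
            current = None  # a global command ends the interface block
            routes.append((words[2], words[3], words[4]))
        elif current and words[:2] == ["ip", "address"] and len(words) >= 4:
            iface = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            interfaces[current]["network"] = iface.network
        elif current and words == ["shutdown"]:
            interfaces[current]["shutdown"] = True
    return interfaces, routes


def audit_static_routes(text):
    """Return [(route line, reason)] for static routes that cannot resolve."""
    interfaces, routes = parse_config(text)
    # Networks reachable through interfaces that are up and addressed.
    connected = [i["network"] for i in interfaces.values()
                 if i["network"] is not None and not i["shutdown"]]
    findings = []
    for prefix, mask, target in routes:
        label = f"ip route {prefix} {mask} {target}"
        try:
            hop = ipaddress.ip_address(target)
        except ValueError:
            hop = None  # target is an exit interface name, not an address
        if hop is None:
            iface = interfaces.get(target)
            if iface is None:
                findings.append((label, "exit interface is not defined"))
            elif iface["shutdown"]:
                findings.append((label, "exit interface is shut down"))
            elif iface["network"] is None:
                findings.append((label, "exit interface has no IP address"))
        elif not any(hop in net for net in connected):
            findings.append((label, "next hop is not on any connected network"))
    return findings


if __name__ == "__main__":
    for label, reason in audit_static_routes(VA_CONFIG):
        print(f"{label}: {reason}")
    print("after fix:", audit_static_routes(FIXED_CONFIG))
```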

  • Is it possible in IOS to have two static routes for the same subnet, one a higher priority and "failover" between the 2?

    Hi All
    Is it possible in IOS to have for a particular subnet:
    a) Two static routes?
    b) Make one static route a higher priority than the other?
    c) If one static router "goes down", failover to the lower priority static route?
    We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
    Again, many thanks in advance for all responses!
    Thanks
    John

    Hi John,
    Hope the below explanation will help you...
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
    The above configuration with just two floating static routes partially accomplishes our requirement, as it will work only in the scenario where the router's interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up, we are not able to reach the gateway; this usually happens when the issue is at the ISP side.
    In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
    Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
    IP SLA is configured to ping a target, such as a publicly routable IP address or a target inside the corporate network or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following is a sample configuration of IP SLA to generate ICMP pings targeted at ISP1's next-hop IP.
    R1(config)# ip sla 1
    R1(config-ip-sla)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
    R1(config-ip-sla-echo)# timeout 1000
    R1(config-ip-sla-echo)# threshold 2
    R1(config-ip-sla-echo)# frequency 3
    R1(config-ip-sla-echo)# exit
    R1(config)# ip sla schedule 1 life forever start-time now
    The above configuration defines and starts an IP SLA probe.
    The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
    Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
    Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
    After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
    R1(config)# track 1 ip sla 1 reachability
    The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
    To verify the track status use the “show track” command as shown below:
    R1# show track
    Track 1
    IP SLA 1 reachability
    Reachability is Down
    1 change, last change 00:03:19
    Latest operation return code: Unknown
    The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
    Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
    Tracking      | Return Code              | Track State
    Reachability  | OK or over threshold     | Up
                  | (all other return codes) | Down
    The last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
    Please rate the helpful posts.
    Regards,
    Naidu.
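The selection behaviour described in the post above, as an added example that is not part of the original post: a Python model of how the installed default route is chosen from static routes by administrative distance and track-object state, comparing plain floating statics with the tracked variant. The track-state mapping follows the table in the post; the function names, the "Timeout" return code used as sample input and the single-best-route simplification (no equal-cost handling) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Return codes that keep a reachability track object Up (table in the post above).
UP_RETURN_CODES = {"OK", "OverThreshold"}

# ip route <prefix> <mask> <next-hop> [distance] [track <id>]
ROUTE_RE = re.compile(
    r"^ip route (?P<prefix>\S+) (?P<mask>\S+) (?P<hop>\S+)"
    r"(?: (?P<ad>\d+))?(?: track (?P<track>\d+))?$"
)


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    mask: str
    next_hop: str
    distance: int = 1            # default administrative distance of a static route
    track: Optional[int] = None  # track object the route depends on, if any


def parse_static_route(line: str) -> StaticRoute:
    """Parse one 'ip route' line; a leading CLI prompt such as 'R1(config)#' is ignored."""
    line = line.split("#", 1)[-1].strip()
    m = ROUTE_RE.match(line)
    if not m:
        raise ValueError(f"not a static route: {line!r}")
    return StaticRoute(m["prefix"], m["mask"], m["hop"],
                       int(m["ad"]) if m["ad"] else 1,
                       int(m["track"]) if m["track"] else None)


def track_is_up(return_code: str) -> bool:
    """Reachability tracking: Up for OK or over threshold, Down for anything else."""
    return return_code in UP_RETURN_CODES


def installed_route(routes, prefix, mask, track_codes, down_next_hops=frozenset()):
    """Return the route that would be installed for prefix/mask, or None.

    track_codes maps a track id to the latest IP SLA return code;
    down_next_hops holds next hops whose local interface is down.
    """
    candidates = [
        r for r in routes
        if (r.prefix, r.mask) == (prefix, mask)
        and r.next_hop not in down_next_hops
        and (r.track is None or track_is_up(track_codes.get(r.track, "Unknown")))
    ]
    return min(candidates, key=lambda r: r.distance, default=None)


# The two configurations from the post: floating statics only, then with tracking.
PLAIN = [parse_static_route(l) for l in (
    "R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2",
    "R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10",
)]
TRACKED = [parse_static_route(l) for l in (
    "R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1",
    "R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10",
)]


def default_next_hops(return_code, primary_link_up=True):
    """Next hop of the installed default route as a (PLAIN, TRACKED) pair."""
    down = frozenset() if primary_link_up else frozenset({"2.2.2.2"})
    codes = {1: return_code}

    def pick(routes):
        return installed_route(routes, "0.0.0.0", "0.0.0.0", codes, down).next_hop

    return pick(PLAIN), pick(TRACKED)


if __name__ == "__main__":
    # Constructed scenarios: healthy, slow probe, ISP-side failure, local link down.
    for code, link_up in (("OK", True), ("OverThreshold", True),
                          ("Timeout", True), ("Timeout", False)):
        plain, tracked = default_next_hops(code, link_up)
        print(f"probe={code:<13} link_up={link_up!s:<5} plain={plain} tracked={tracked}")
```

The third scenario is the case the post warns about: the link stays up while the probe fails, so the untracked configuration keeps forwarding to 2.2.2.2 and only the tracked one moves to 3.3.3.3.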

  • I´m doing a design for presale, where I will need a router what support PAT for 500 or a little more of users, it not need any more features only static routing and dhcp pool for 500 users, can you help me for know what router recommend?

    I´m doing a design for presale, where  I will  need a router what support PAT for 500 or a little more of users, it  not need any more features only static routing and dhcp pool for 500 users, can you help me for know what router recommend?

    What is your WAN speed currently and projected WAN speed in the next 3 years?

  • Redistribute static in OSPF and EIGRP

    When use "redistribute static" in OSPF OR eigrp, does it also redistribute connected networks?
    When use "sh ip eigrp topology", the entries with "via RStatic" indicate a redistribution of static routes, correct?

    Hello,
    redistribute static will redistribute all static routes found in the IP routing table. In case you want to announce the connected interfaces you have two options:
    1) router ospf 10
    network 192.168.1.1 0.0.0.0 area 0
    for
    interface Ethernet0
    ip address 192.168.1.1 255.255.255.0
    2) router ospf 10
    redistribute connected
    The same applies for EIGRP.
    Hope this helps! Please rate all posts.
    Martin

  • ACE and host static routes?

    Hi,
    Does an ACE context work with host static routes?
    I've been trying to set up a context to load balance LDAP where the servers have IP addresses across multiple VLANs and I'm not allowed to change the IP addresses. I've tried bridging and routing configurations. The only case that works is where the server is a member of the server-side VLAN. I noticed a comment in the Routing manual, page 2-2, which says that secondary IP addresses are not supported. Is a host static route equivalent to a secondary address?
    Is it possible to achieve my goal?
    Thank you
    Cathy

    The problem is most probably asymmetric routing.
    When the client connects to the VIP, the ACE module will forward the traffic to the server re-using the client IP address so that the server believes it is communicating directly with the client.
    The response from the server is sent to the client.
    Since there are routers in between, they route the traffic using the best path which is most probably not through the ACE module.
    So the client receives a response from the server which it drops because it is expecting a response from the VIP.
    One easy solution is to perform client NAT on the ACE blade.
    interface vlan 395
    nat-pool 1 128.243.253.188 128.243.253.188 netmask 255.255.255.248 pat
    Then configure
    policy-map multi-match L4POLICY
    class L4VIPCLASS
    nat dynamic 1 vlan 395
    If it works after that, you'll know you had an asymmetric routing issue.
    You can then keep the client NAT solution or investigate the asymmetry.
    Gilles.

  • Nexus 5548 and Define static route to forward traffic to Catalyst 4500

    Dear Experts,
    Need your technical assistance for the Static routing in between Nexus 5548 and Catalyst 4500.
    Further I connected both Nexus 5548 with Catalyst 4500 as individual trunk ports because there is HSRP on Catalyst 4500. So I just took 1 port from each nexus 5548, make it trunk with the Core Switch (Also make trunk from each Switch each port). Change the speed on Nexus to 1000 because other side on Catalyst 4500 line card is 1G RJ45.
    *Here is the Config on Nexus 5548 to make port a Trunk:*
    N5548-A/ N5548-B
    Interface Ethernet1/3
    Switchport mode trunk
    Speed 1000
    Added the static route on both nexus for Core HSRP IP: *ip route 0.0.0.0/0 10.10.150.39 (Virtual HSRP IP )*
    But I was not able to ping from the N5548 console to the core switch HSRP IP. Is there any further configuration to enable routing or ping?
    Please suggest

    Hello,
    Please see attached config for both Nexus 5548. I don't have Catalyst 4500 but below is simple config what I applied:
    Both Catalyst 4500
    interface gig 3/48
    switchport mode trunk
    switchport trunk encap dot1q
    On Nexus 5548 Port 1/3 is trunk
    Thanks,
    Jehan

  • Hi all, need advice on OSPF and private vlans

    Hi all.
    I have a project to complete and need some help on the possible solution I can use.
    Basically we have ospf area 0 and the users in question are in ospf area 7 and is a stub.
    I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the vpn that sits on it. The firewall is not included in the ospf domain.
    My thinking was that the firewall has a default route back into the OSPF domain so don't need to worry about traffic coming in, however my job is to segregate these users and take them out of our core network and place them onto an external network via this VPN.
    Not sure how to achieve this apart from static routing redistributed but surely this does not separate their traffic only points the route to OSPF?!
    I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
    Any help and advice would be greatly appreciated.
    Cheers
    Steve

    Steve
    Thanks, that helps.
    GRE is definitely out because apart from the 6500 GRE tunneling is not supported on the Cisco switches.
    It's good that area 7 is only for these users and not mixed up with other users.
    So if I understand correctly the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
    Or is the 3550 connected to both areas and the 4500 totally in area 0 ?
    Can you confirm the above ?
    In terms of keeping them separate there are 2 possible choices. You can either -
    1) use VRF-Lite, although I'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has its own routing and forwarding table so it is quite secure because you would only populate the routing table with the routes needed so there would be no way for users to jump to the rest of your networks.
    The downside is that it can become quite complex to configure. If the 4500 is only used to connect area 7 to area 0 then that would not be a problem but the connection from the 6500 to the HP could and I don't even know whether the HP supports VRF-Lite functionality let alone how to configure it on that switch.
    But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
    2) Use PBR (possibly together with acls). This is easier to configure ie. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite ie. the traffic simply overrides the existing routing tables.
    The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
    Again i don't know whether the HP supports PBR but it may not be an issue depending on what the routing is on the HP.
    You could also use a combination of the above ie VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
    I should say i don't have a huge amount of experience with VRF-Lite but that should not necessarily stop you using it if it is what you need. There are lots of other people on here so i'm sure there will be other people who can help if i can't.
    It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
    I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
    Jon

  • Interworking on Static Routing as IGP

    Was testing interworking between VLAN over Ethernet and FR. As long as my LDP was on static routing, I couldn't reach end-to-end. The moment I configured OSPF as my routing protocol it came up. Can anyone let me know what the reason could be?

    Gautam,
    This is actually normal behavior.
    Before the label learnt via an LDP peer is coupled to a route in the FIB, the next-hop IP address of the route needs to match one of the interface IP addresses bound to the LDP peer (see below). So basically it will not work without a next IP address.
    r2#sh mpls ldp nei
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
    TCP connection: 3.3.3.3.11004 - 2.2.2.2.646
    State: Oper; Msgs sent/rcvd: 27/27; Downstream
    Up time: 00:15:07
    LDP discovery sources:
    Serial3/0, Src IP addr: 192.168.23.3
    Addresses bound to peer LDP Ident:
    3.3.3.3 192.168.34.3 192.168.23.3 <++++++ the route next hop has to match one of these addresses.
    Hope this helps,
