Route Leaking between VRF:s (Shared services)

Similar Messages

• Route leaking from VRF to Global on same router with VLAN interface

  Hi all,
  I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
  interface FastEthernet4
  description ***Connection to WAN***
  ip vrf forwarding FVRF
  ip address 10.0.0.6 255.255.255.0
  interface Vlan100
  description ***LAN***
  ip address 192.168.227.1 255.255.255.0
  So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
  I though I could do that config but it is not possible:
  (config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
  % For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
  OR
  DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
  %Invalid next hop address (it's this router)
  Any ideas are really welcome.
  Best regards,
  Laurent

  Hi,
  I have tried the following solution:
  Add 10.0.0.0 /24 From VRFto Global:
  ip route 10.0.0.0 255.255.255.0 FastEthernet4
  Add 192.168.227.0 /24 from Global to VRF:
  router bgp 64512
  bgp log-neighbor-changes
  address-family ipv4
    no synchronization
    redistribute connected
    no auto-summary
  exit-address-family
  ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
  route-map Global permit 10
  match ip address prefix-list Global-VRF
  ip vrf FVRF
    rd 1:1
    import ipv4 unicast map Global
  So now the VRF table looks like that:
  #      sh ip route vrf FVRF
  C        10.0.0.0/24 is directly connected, FastEthernet4
  S        10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
  L        10.0.0.6/32 is directly connected, FastEthernet4
  B     192.168.227.0/24 is directly connected, 00:15:12, Vlan100
  The Global table looks like this:
  #sh ip route
  Gateway of last resort is 10.1.0.107 to network 0.0.0.0
  D*    0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
         10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
  S        10.0.0.0/24 is directly connected, FastEthernet4
  C        10.1.0.0/24 is directly connected, Tunnel1
  L        10.1.0.227/32 is directly connected, Tunnel1
  C        10.2.0.0/24 is directly connected, Tunnel2
  L        10.2.0.227/32 is directly connected, Tunnel2
  C        10.10.10.227/32 is directly connected, Loopback100
         192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.227.0/24 is directly connected, Vlan100
  L        192.168.227.1/32 is directly connected, Vlan100
  But When I try to ping it still doesn´t work:
  #ping vrf FVRF 192.168.227.1 source fastEthernet 4
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
  Packet sent with a source address of 10.0.0.6
  Success rate is 0 percent (0/5)
  #ping 10.0.0.1 source vlan 100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
  Packet sent with a source address of 192.168.227.1
  Success rate is 0 percent (0/5)
  Any ideas?
  Regards,
  Laurent

• How is communication between essbase and shared services done?

  how is communication between essbase and shared services done?

  I am not sure exactly what you need to know and it depends on the version
  Prior to 11.1.2 it communicates using LDAP to port 28089, HTTP to 28080, JDBC to the hss relational database
  11.1.2 - JDBC to the HSS relational database
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Copying server images between hardware - Will Shared Services break?

  Upgrading to 11.1.2 and the servers are moving from test to production environment. We want to configure MSAD with Shared Services and attach the repositories to our production SQL shared server.
  Our final goal is to copy the image from the 11.1.2 servers (not the sql shared server) and snap it onto newer hardware.
  My concern is any properties/java files that may hard code any static information that may exist on the original servers.
  has anyone with 11.1.2 done a server image to other hardware and experienced any connectivity issues with Shared Services or the repositories?
  JTS

  If everything has been registered against the machine name then in theory you should be fine if everything else is staying the same, it should allow for IP address changes.
  I know in the early days of system 9 there were some issues with the IP address being stored but it shouldn't happen now.
  Though I can't give you a 100% guarantee because there are no guarentees with 11.1.2
  Cheers
  John
  http://john-goodwin.blogspot.com/

• MPLS VRF Routes Leaking

  I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
  Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
  Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
  What is the best solution to prefer that meets the requirements & also avoids the security loopholes ?

  you could do one of the following ways to implement Internet access for L3 MPLS VPN
  1. using a separate PE interface in global routing table: in this case the FWSM and an interface in the PE/PEs will require to be in the the global routing table to have the Internet access and then you can inject that route to the VRF/VRFs
  2. Internet access using route leaking between VRFs and the global route table: by using this method you will need to configure a static default route with a next hop as an Internet gateway in your case the FWSM, reachable through the global routing table, this VRF default route need to be injected/redistributed in  the PE-CE routing (MP-BGP) to provide the outbound Internet connectivity to your  VRFs.
  inbound traffic from Internet will require either NATed VRF or a static routes from the global routing table points to the VRF interface
  3. the other method is the used of shared service: with this method you need to put the Internet service FWSM in its own VRF then you can control the import and export between the Internet VRF and other VRFs through import/export of the VRFs route-target values
  good luck
  if helpful Rate

• Route Leaking in MPLS/VPN Networks (IOX support)

  Hi all,
  I would like to if IOX of CRS-1 can support route leaking between VRF<>Global routing table?
  hhttp://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtmlttp://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
  Regards

  Hi,
  You can use the vrf keyword after the prefix you want to join and before specifying the NH. It will tell the router in which VRF the lookup should be done:
  http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.0/routing/command/reference/rr40crs1book_chapter9.html#wp172562637
  The vrf name "default" is reserved to reference the GRT.
  HTH
  Laurent.

• Shared Services and Essbase

  Hello All,
  Pretty much an undesired Bug, Basically there is an ID listed as an Essbase admin which yes it was few months back. At present that ID has been removed from Shared Services , also I checked in the list of Essbase Users within EAS and did not find the ID.
  Interesting thing ***** When I exported the Essbase security file I could see that ID listed as an Admin , not sure how it comes up only in Security file but not any where else.
  Is there any issue between Essbase and Shared services communication, because the Essbase should refresh Manually for any changes in the Shared Services.
  Any comments Friends ?
  Thanks !!

  Its probably worth having a read of the following docs in Oracle Support as they should give an idea
  Deleting a User/Group from Shared Services Does Not Delete it from the Essbase Security File [ID 1388447.1]
  How to Delete a User from the 11.1.2.x Essbase.sec File [ID 1396890.1]
  Cheers
  John
  http://john-goodwin.blogspot.com/

• How to Regester one Shared Service with Another ??

  Hi All,
  I am working on Hyperion System 9.3.1. I am getting problem when I want to access Essbase through Planning.
  Here is the scenario:
  I have Hyperion Essbase installed in Computer 1 with separate Shared Services; I have Planning installed in Computer 2 with another Shares Services.
  All things were working fine as I have created same users in both the shared services and was using native user of Essbase.
  Now I have changed the native user to Externalize user in Essbase. Since then I am not able to access Essbase through my Planning application. The user privilege differs in both the Shared Services as Computer 1 has only Essbase and Computer 2 has Planning.
  The error message I am getting in planning while connection is “Unable to obtain a connection to Hyperion Essbase”. In the essbase.log file I am getting “Login fails due to invalid login credentials” message.
  I think the problem here is between Shared Services only. As both are in different system and the user privileges are also different.
  Kindly suggest how to sink my Essbase between these two shared services.
  Regards,
  Navneet

  Just to clarify,
  You have Planning and Essbase on one machine and you have shared services installed twice on different machines?
  I'm not sure if this architecture will work, you might have to separate Planning and Essbase to there own servers and create a new Essbase server specifically for Planning applications. Planning utilizes Essbase for its OLAP data store and Essbase registers with Shared Services directly.
  Brian Chow

• Howto control/filter traffic between VRF-(lite) using route leaking?

  Hi,
  does anybody know how I can control/filter the traffic between two vrf when I use route leaking or also normal route target export/import connections, maybe with an acl, in the following scenarios?
  Scenario 1:
  I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers and I want one of PE routers to allow/route traffic between these VPNs but especially traffic on tcp port 80 and no other ports. I'm only aware of bindung acls to logical or physical interfaces but I don't know how to do this here.
  Scenario 2:
  Same as scenario 1 but not the PE router will connect the VPN but a separate router-on-a -tick (e.g. 4900M) which is connected to one of the PE routers should do this job with vrf-lite and route leaking (address-family ipv4 vrf ...). Also here I want only to allow tcp port 80 between the vpns
  Kind Regards,
  Thorsten

  Thanks.
  That's what I was assuming. In my experience this solution does not scale with increasing number of vpn and inter vpn traffic via route target.
  Is it correct that there is only one common acl per vpn where all rules for the communication to all other vpns are configured? Doesn't this acl become too complex and too error-prone to administrate in a real network environment? Further on in my understanding this acl has to be configured per vpn on all pe routers which have interfaces to ce routers for that vpn.
  Does cisco offer software for managing this?

• CSR1000V VRF Route Leaking vs GNS

  Hi folks,
  working on 2 lab envronments. I have successfully configured VRF route leaking on GNS3, however can't get it working on CSR1000v with same config (only IP's and name's of VRF etc is different). Is there something on the CSR1000v that I have to do that's different from GNS? Is there a reason why the route in GNS is in both the OSPF database and the routing table yet in ESXi it's only in the database?
  OSPF between neighbors
  BGP to do route leaking
  GNS - leaking route 220.0.0.0
  GNS - Neighbor running OSPF has 220.0.0.0 in the database and the routing table for VRF 100
  ESXi - leaking route 45.0.0.0
  ESXi - Neighbor running OSPF has 45.0.0.0 in the database and is NOT in the routing table for VRF cavia
  GNS - 3640's with c3640-js-mz.124-17
  ESXi - CSR1000V with Cisco IOS XE Software, Version 03.12.00.S
  On both labs using BGP to leak routes between VRF's.
  GNS LAB
  VRF's --------------------------------------------------
  ip vrf 100
   rd 100:100
   route-target export 1:100
   route-target import 1:300
  ip vrf 200
   rd 200:200
   route-target export 1:200
   route-target import 1:300
  ip vrf 300
   rd 300:300
   route-target export 1:300
   route-target import 1:100
   route-target import 1:200
  OSPF --------------------------------------------------------------
  router ospf 100 vrf 100
   router-id 4.4.4.4
   log-adjacency-changes
   redistribute bgp 10 subnets
   network 100.0.0.0 0.0.0.3 area 0
   network 0.0.0.0 255.255.255.255 area 0
  router ospf 200 vrf 200
   router-id 44.44.44.44
   log-adjacency-changes
   redistribute bgp 10 subnets
   network 200.0.0.0 0.0.0.3 area 0
   network 0.0.0.0 255.255.255.255 area 0
  BGP -------------------------------------------------------------
  router bgp 10
   no synchronization
   bgp log-neighbor-changes
   no auto-summary
   address-family ipv4 vrf 300
    no synchronization
    network 220.0.0.0 mask 255.255.255.252
   exit-address-family
   address-family ipv4 vrf 200
    redistribute ospf 200 vrf 200
    no synchronization
   exit-address-family
   address-family ipv4 vrf 100
    redistribute ospf 100 vrf 100
    no synchronization
   exit-address-family
  R4#sh ip bgp vpnv4 all
  BGP table version is 17, local router ID is 44.44.44.44
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 100:100 (default for vrf 100)
  *> 10.0.0.0/24      100.0.0.1                2         32768 ?
  *> 100.0.0.0/30     0.0.0.0                  0         32768 ?
  *> 220.0.0.0/30     0.0.0.0                  0         32768 i
  Route Distinguisher: 200:200 (default for vrf 200)
  *> 20.0.0.0/24      200.0.0.1                2         32768 ?
  *> 200.0.0.0/30     0.0.0.0                  0         32768 ?
  *> 220.0.0.0/30     0.0.0.0                  0         32768 i
  Route Distinguisher: 300:300 (default for vrf 300)
  *> 10.0.0.0/24      100.0.0.1                2         32768 ?
  *> 20.0.0.0/24      200.0.0.1                2         32768 ?
  *> 100.0.0.0/30     0.0.0.0                  0         32768 ?
  *> 200.0.0.0/30     0.0.0.0                  0         32768 ?
  *> 220.0.0.0/30     0.0.0.0                  0         32768 i
  -----------------------on neighbor R3 220.0.0.0 (in vrf 300) is in the routing table for vrf 100 as designed----------------------
  R3#sh ip route vrf 100
       220.0.0.0/30 is subnetted, 1 subnets
  O E2    220.0.0.0 [110/1] via 100.0.0.2, 00:29:48, FastEthernet1/0.10
       100.0.0.0/30 is subnetted, 1 subnets
  C       100.0.0.0 is directly connected, FastEthernet1/0.10
       10.0.0.0/24 is subnetted, 1 subnets
  C       10.0.0.0 is directly connected, FastEthernet0/0
  ----------------------OSPF Database on neighbor R3-------------------------------------------
  R3#sh ip ospf data
              OSPF Router with ID (33.33.33.33) (Process ID 200)
                  Router Link States (Area 0)
  Link ID         ADV Router      Age         Seq#       Checksum Link count
  33.33.33.33     33.33.33.33     521         0x80000006 0x005A0E 2
  44.44.44.44     44.44.44.44     541         0x80000006 0x001C18 1
                  Net Link States (Area 0)
  Link ID         ADV Router      Age         Seq#       Checksum
  200.0.0.2       44.44.44.44     540         0x80000005 0x006820
                  Type-5 AS External Link States
  Link ID         ADV Router      Age         Seq#       Checksum Tag
  220.0.0.0       44.44.44.44     540         0x80000005 0x009BAE 3489660938
              OSPF Router with ID (3.3.3.3) (Process ID 100)
                  Router Link States (Area 0)
  Link ID         ADV Router      Age         Seq#       Checksum Link count
  3.3.3.3         3.3.3.3         722         0x80000006 0x008C9F 2
  4.4.4.4         4.4.4.4         581         0x80000006 0x00F845 1
                  Net Link States (Area 0)
  Link ID         ADV Router      Age         Seq#       Checksum
  100.0.0.2       4.4.4.4         581         0x80000005 0x00FEA7
                  Type-5 AS External Link States
  Link ID         ADV Router      Age         Seq#       Checksum Tag
  220.0.0.0       4.4.4.4         581         0x80000005 0x00509A 3489660938
  ESXi LAB
  VRF's----------------------------------------------------------
  vrf definition cavia
   rd 1:100
   address-family ipv4
    route-target export 1000:100
    route-target import 1000:300
   exit-address-family
  vrf definition microsoft
   rd 1:200
   address-family ipv4
    route-target export 1000:200
    route-target import 1000:300
   exit-address-family
  vrf definition shared
   rd 1:300
   address-family ipv4
    route-target export 1000:300
    route-target import 1000:100
    route-target import 1000:200
   exit-address-family
  OSPF ----------------------------------------------------------------
  router ospf 100 vrf cavia
   redistribute bgp 50 subnets
   network 172.100.200.0 0.0.0.3 area 0
   network 0.0.0.0 255.255.255.255 area 0
  router ospf 200 vrf microsoft
   redistribute bgp 50 subnets
   network 172.200.200.0 0.0.0.3 area 0
   network 0.0.0.0 255.255.255.255 area 0
  BGP -----------------------------------------------------------------
  router bgp 50
   bgp log-neighbor-changes
   address-family ipv4 vrf cavia
    redistribute ospf 100
   exit-address-family
   address-family ipv4 vrf microsoft
    redistribute ospf 200
   exit-address-family
   address-family ipv4 vrf shared
    network 45.0.0.0 mask 255.255.255.252
   exit-address-family
  ---------------45.0.0.0 is in the correct BGP VRF's----------------
  R8#sh ip bgp vpnv4 all
  BGP table version is 20, local router ID is 8.8.8.8
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
                r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
                x best-external, a additional-path, c RIB-compressed, 
  Origin codes: i - IGP, e - EGP, ? - incomplete
  RPKI validation codes: V valid, I invalid, N Not found
       Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 1:100 (default for vrf cavia)
   *>  45.0.0.0/30      0.0.0.0                  0         32768 i
   *>  80.100.0.0/30    172.100.200.1            2         32768 ?
   *>  172.100.100.0/30 172.100.200.1            2         32768 ?
   *>  172.100.100.4/30 172.100.200.1            2         32768 ?
   *>  172.100.200.0/30 0.0.0.0                  0         32768 ?
  Route Distinguisher: 1:200 (default for vrf microsoft)
   *>  45.0.0.0/30      0.0.0.0                  0         32768 i
   *>  80.200.0.0/30    172.200.200.1            2         32768 ?
   *>  172.200.100.0/30 172.200.200.1            2         32768 ?
   *>  172.200.100.4/30 172.200.200.1            2         32768 ?
   *>  172.200.200.0/30 0.0.0.0                  0         32768 ?
  Route Distinguisher: 1:300 (default for vrf shared)
   *>  45.0.0.0/30      0.0.0.0                  0         32768 i
   *>  80.100.0.0/30    172.100.200.1            2         32768 ?
   *>  80.200.0.0/30    172.200.200.1            2         32768 ?
   *>  172.100.100.0/30 172.100.200.1            2         32768 ?
   *>  172.100.100.4/30 172.100.200.1            2         32768 ?
   *>  172.100.200.0/30 0.0.0.0                  0         32768 ?
   *>  172.200.100.0/30 172.200.200.1            2         32768 ?
       Network          Next Hop            Metric LocPrf Weight Path
   *>  172.200.100.4/30 172.200.200.1            2         32768 ?
   *>  172.200.200.0/30 0.0.0.0                  0         32768 ?
  -----------------------on neighbor R1 45.0.0.0 (in vrf shared) is not in the routing table for vrf cavia----------------------
  R1#sh ip route vrf cavia
  Gateway of last resort is 172.100.200.2 to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 172.100.200.2
        80.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
  C        80.100.0.0/30 is directly connected, GigabitEthernet1.1
  L        80.100.0.1/32 is directly connected, GigabitEthernet1.1
  B        80.100.0.4/30 [20/0] via 80.100.0.2, 03:52:22
        172.100.0.0/16 is variably subnetted, 7 subnets, 2 masks
  C        172.100.100.0/30 is directly connected, GigabitEthernet3.1
  L        172.100.100.2/32 is directly connected, GigabitEthernet3.1
  C        172.100.100.4/30 is directly connected, GigabitEthernet2.1
  L        172.100.100.6/32 is directly connected, GigabitEthernet2.1
  B        172.100.101.0/30 [20/0] via 80.100.0.2, 03:52:22
  C        172.100.200.0/30 is directly connected, GigabitEthernet4.1
  L        172.100.200.1/32 is directly connected, GigabitEthernet4.1
  ----------------------OSPF Database on neighbor R1 -------------------------------------------
  R1#
  R1#sh ip ospf data
              OSPF Router with ID (172.100.200.1) (Process ID 100)
                  Router Link States (Area 0)
  Link ID         ADV Router      Age         Seq#       Checksum Link count
  172.100.200.1   172.100.200.1   668         0x8000000A 0x009F4E 4
  172.100.200.2   172.100.200.2   681         0x80000007 0x005F5C 1
                  Net Link States (Area 0)
  Link ID         ADV Router      Age         Seq#       Checksum
  172.100.200.1   172.100.200.1   668         0x80000002 0x0012BD
                  Type-5 AS External Link States
  Link ID         ADV Router      Age         Seq#       Checksum Tag
  45.0.0.0        172.100.200.2   441         0x80000002 0x0047E1 3489660978
  80.100.0.4      172.100.200.1   1679        0x80000008 0x00A883 3489725929
  172.100.101.0   172.100.200.1   1679        0x80000008 0x00C4A9 3489725929

  BUMP

• VRF Route leaking to internet

  I'm just starting to learn about route leaking today, so I'm still trying to figure this out.
  In short, I've created three vlans and put them in a vrf and would like them to access the internet.  At this point, I have vrf created, vlans assigned and a global route leaked from the vrf to the gateway of last resort.  A machine in the vrf is able to ping all three vlan gateways, but cannot still get to the internet.
  I have everything on a 6509 core switch, and my firewall is an ASA 5505.  I've also tried putting routing configs in using eigrp, but the vrf networks never made it to the ASA.  Attached are my configs on both.  If anyone could help me with what I'm missing that would be great.  Thanks!
  ****  6509 Config  ****
  lab-core6509#sh run
  Building configuration...
  Current configuration : 22128 bytes
  ! Last configuration change at 17:31:43 pst Tue Jan 7 2014 by rmf
  ! NVRAM config last updated at 12:30:19 pst Tue Jan 7 2014 by rmf
  upgrade fpd auto
  version 12.2
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  no service password-encryption
  service sequence-numbers
  service counters max age 5
  hostname lab-core6509
  boot-start-marker
  boot system flash disk0:s72033-ipservicesk9_wan-mz.122-33.SXI.bin
  boot-end-marker
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  clock timezone pst -8
  clock summer-time PDT recurring
  clock calendar-valid
  ip subnet-zero
  ip dhcp excluded-address 192.168.80.1 192.168.80.9
  ip dhcp pool 192.168.80.0/24
     network 192.168.80.0 255.255.255.0
     default-router 192.168.80.1
     domain-name procopio-guest.com
     dns-server 8.8.8.8
  ip vrf bingfish
  rd 123:1
  ip domain-name company.local
  mls ip slb purge global
  mls netflow interface
  no mls flow ip
  no mls flow ipv6
  mls cef error action reset
  spanning-tree mode pvst
  diagnostic bootup level minimal
  diagnostic cns publish cisco.cns.device.diag_results
  diagnostic cns subscribe cisco.cns.device.diag_commands
  fabric timer 15
  redundancy
  main-cpu
    auto-sync running-config
  mode sso
  vlan internal allocation policy ascending
  vlan access-log ratelimit 2000
  interface Port-channel10
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet1/1
  switchport
  switchport access vlan 500
  switchport mode access
  spanning-tree portfast edge
  ~SNIP~  (I don't think anyone cares about all the interface configs!)
  interface Vlan510
  description voice server net
  ip address 10.90.10.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan666
  ip address 10.90.253.1 255.255.255.0
  interface Vlan851
  description bingfish client net
  ip vrf forwarding bingfish
  ip address 10.249.1.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan852
  description bingfish server net
  ip vrf forwarding bingfish
  ip address 10.249.2.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan853
  description bingfish management net
  ip vrf forwarding bingfish
  ip address 10.249.3.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan901
  description guest network
  ip address 192.168.80.1 255.255.255.0
  ip access-group guest-net in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan912
  description internet perimeter
  ip address 10.91.2.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  interface Vlan999
  description management net
  ip address 10.90.100.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip mroute-cache
  router eigrp 200
  network 10.0.0.0
  address-family ipv4 vrf bingfish
    autonomous-system 99
    network 10.249.1.0 0.0.0.255
    network 10.249.2.0 0.0.0.255
    network 10.249.3.0 0.0.0.255
    redistribute static metric 10000 100 255 1 1500
  exit-address-family
  ip classless
  ip route 0.0.0.0 0.0.0.0 10.91.1.2
  ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
  no ip http server
  no ip http secure-server
  ip access-list extended guest-net
  deny   ip any 10.0.0.0 0.255.255.255
  permit ip any any
  control-plane
  dial-peer cor custom
  line con 0
  exec-timeout 30 0
  line vty 0 4
  exec-timeout 30 0
  line vty 5 15
  exec-timeout 30 0
  ntp logging
  ntp authenticate
  ntp trusted-key 10
  ntp clock-period 17179851
  ntp source Vlan500
  ntp master
  ntp server 10.90.1.50 prefer
  end
  ****  ASA 5505 Config  ****
  lab-5505asa# sh run
  : Saved
  ASA Version 8.2(5)
  hostname lab-5505asa
  domain-name company.local
  names
  dns-guard
  interface Ethernet0/0
  description inside
  interface Ethernet0/1
  description outside
  switchport access vlan 2
  interface Ethernet0/2
  description dmz
  switchport access vlan 4
  speed 100
  duplex full
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.91.1.2 255.255.255.0
  ospf cost 10
  interface Vlan2
  nameif outside
  security-level 0
  ip address <outside ip> 255.255.255.128
  ospf cost 10
  interface Vlan4
  nameif DMZ
  security-level 50
  ip address 172.16.35.1 255.255.255.0
  ospf cost 10
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name company.local
  object-group service DM_INLINE_SERVICE_1
  service-object tcp eq domain
  service-object udp eq domain
  service-object udp eq ntp
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_1
  network-object host 10.90.1.10
  network-object host 10.90.1.11
  object-group network DM_INLINE_NETWORK_2
  network-object host <outside ip>
  network-object host<outside ip>
  object-group service DM_INLINE_SERVICE_2
  service-object tcp eq domain
  service-object udp eq domain
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  port-object eq 3008
  port-object eq 3010
  port-object eq ssh
  object-group network DM_INLINE_NETWORK_3
  network-object 216.9.240.0 255.255.240.0
  network-object 68.171.224.0 255.255.224.0
  object-group service DM_INLINE_TCP_4 tcp
  port-object eq 3268
  port-object eq 3269
  port-object eq ldap
  port-object eq ldaps
  object-group network DM_INLINE_NETWORK_6
  network-object host 172.16.35.12
  network-object host 172.16.35.13
  object-group service DM_INLINE_TCP_5 tcp
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_7
  network-object host 172.16.35.12
  network-object host 172.16.35.13
  object-group network DM_INLINE_NETWORK_8
  network-object host 172.16.36.45
  network-object host 172.16.36.46
  object-group service DM_INLINE_TCP_6 tcp
  port-object eq 2598
  port-object eq citrix-ica
  port-object eq www
  object-group service DM_INLINE_TCP_7 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_3 tcp
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_4
  network-object host<outside ip>
  network-object host <outside ip>
  network-object host <outside ip>
  object-group network DM_INLINE_NETWORK_5
  network-object host 172.16.35.12
  network-object host 172.16.35.13
  object-group network DM_INLINE_NETWORK_10
  network-object host 172.16.36.15
  network-object host 172.16.36.42
  object-group network xenapp_servers
  network-object host 10.90.1.45
  network-object host 10.90.1.46
  network-object host 10.90.5.54
  object-group network xendesktop_servers
  network-object host 10.90.1.38
  network-object host 10.90.1.54
  object-group network DM_INLINE_NETWORK_11
  network-object host 172.16.36.10
  network-object host 172.16.36.42
  network-object 10.80.1.0 255.255.255.0
  group-object xenapp_servers
  group-object xendesktop_servers
  object-group network DM_INLINE_NETWORK_9
  network-object host 172.16.36.27
  network-object host 172.16.36.31
  object-group network DM_INLINE_NETWORK_12
  network-object host 74.117.58.150
  network-object host 97.95.240.159
  object-group network DM_INLINE_NETWORK_13
  network-object 10.90.10.0 255.255.255.0
  network-object 192.168.80.0 255.255.255.0
  network-object 10.249.0.0 255.255.0.0
  object-group network DM_INLINE_NETWORK_14
  network-object 10.90.1.0 255.255.255.0
  network-object 10.90.5.0 255.255.255.0
  access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_12 any log disable
  access-list outside_access_in extended permit tcp any host <outside ip>eq 3389 log disable
  access-list outside_access_in extended permit tcp any host<outside ip>eq smtp log disable
  access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable
  access-list dmz_access_in extended permit ip any any log disable
  access-list inside_access_in extended deny ip host 10.90.100.25 any log disable
  access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable
  access-list inside_access_in extended permit tcp host 10.90.1.27 host 172.16.35.11 eq smtp log disable
  access-list inside_access_in extended permit ip 10.80.1.0 255.255.255.0 any log disable
  access-list inside_access_in extended permit tcp host 10.90.1.33 object-group DM_INLINE_NETWORK_3 eq 3101 log disable
  access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_14 any object-group DM_INLINE_TCP_2 log disable
  access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 log disable
  access-list inside_access_in extended permit udp host 10.90.1.50 any eq ntp log disable
  access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_11 log disable
  access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.27 eq smtp log disable
  access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.35.10 host 172.16.36.10 log disable
  access-list DMZ_access_in extended permit tcp host 172.16.35.11 any eq smtp log disable
  access-list DMZ_access_in extended permit tcp host 172.16.35.10 any object-group DM_INLINE_TCP_1 log disable
  access-list DMZ_access_in remark rule for cag to owa
  access-list DMZ_access_in extended permit tcp host 172.16.35.13 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_3 log disable
  access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.10 object-group DM_INLINE_TCP_4 log disable
  access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_5 log disable
  access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_6 log disable inactive
  access-list slow-down extended permit ip 10.90.0.0 255.255.0.0 any
  access-list slow-down extended permit ip any 10.90.0.0 255.255.0.0
  pager lines 24
  logging enable
  logging trap debugging
  logging asdm warnings
  logging host inside 10.90.1.65 6/1470
  logging permit-hostdown
  mtu inside 1500
  mtu outside 1500
  mtu DMZ 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-713.bin
  asdm history enable
  arp timeout 14400
  global (inside) 2 interface
  global (outside) 1 interface
  global (DMZ) 1 interface
  nat (inside) 1 10.80.1.0 255.255.255.0
  nat (inside) 1 10.90.1.0 255.255.255.0
  nat (inside) 1 10.90.5.0 255.255.255.0
  nat (inside) 1 192.168.80.0 255.255.255.0
  nat (inside) 1 10.249.0.0 255.255.0.0
  nat (DMZ) 1 172.16.35.0 255.255.255.0
  static (DMZ,outside)<outside ip>172.16.35.10 netmask 255.255.255.255 dns
  static (DMZ,outside) <outside ip>172.16.35.55 netmask 255.255.255.255 dns
  static (DMZ,outside) <outside ip>172.16.35.50 netmask 255.255.255.255 dns
  static (DMZ,outside) <outside ip>172.16.35.60 netmask 255.255.255.255 dns
  static (inside,outside) <outside ip>10.90.1.21 netmask 255.255.255.255 dns
  static (inside,DMZ) 172.16.36.31 10.90.1.31 netmask 255.255.255.255
  static (inside,DMZ) 172.16.36.10 10.90.1.10 netmask 255.255.255.255
  static (inside,DMZ) 172.16.36.27 10.90.1.27 netmask 255.255.255.255
  static (inside,DMZ) 172.16.36.15 10.90.1.15 netmask 255.255.255.255
  static (inside,DMZ) 172.16.36.42 10.90.1.42 netmask 255.255.255.255
  static (inside,DMZ) 10.90.1.0 10.90.1.0 netmask 255.255.255.0
  static (inside,DMZ) 10.80.1.0 10.80.1.0 netmask 255.255.255.0
  static (inside,DMZ) 10.90.5.0 10.90.5.0 netmask 255.255.255.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  access-group DMZ_access_in in interface DMZ
  router eigrp 200
  network 10.0.0.0 255.0.0.0
  passive-interface default
  no passive-interface inside
  route outside 0.0.0.0 0.0.0.0 209.242.145.129 1
  route inside 10.0.0.0 255.0.0.0 10.91.1.1 1
  route inside 10.249.0.0 255.255.0.0 10.91.1.1 1
  route inside 192.168.80.0 255.255.255.0 10.91.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh timeout 60
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics host number-of-rate 3
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 10.90.1.50 source inside prefer
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    inspect tftp
    inspect icmp
    inspect pptp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:9ba1f1f89fa1a88af05e2fc5fdba3090
  : end

  So it would appear I've solved it by adding a static route in the global routing table back to the subnets in the vrf:
  ip classless
  ip route 0.0.0.0 0.0.0.0 10.91.1.2
  ip route 10.249.1.0 255.255.255.0 Vlan851   <-----------------------
  ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
  Thanks

• Nexus 7000 route leak from GRT (default VRF) to other VRF's

  Hello
  We have a Nexus 7000 infrastructure whereby we have had multiple VDC's and VRF's deployed. A requirement has now come about whereby one of these VRF's needs to be able to see our GRT (default VRF) so we need to leak the GRT routes into the VRF and vice versa.
  I have been doing a lot of reading and I am happy with the how this works with inter-VRF route leaking but I seem to missing a few things in respect of how this works with the GRT.
  I have also read on another forum that this is not supported. See link below.
  https://supportforums.cisco.com/document/133711/vrf-configuration-and-verification-nexus-7000
  Does anyone have experience of this? I can also see how this works in IOS and I have GNS3 and got this working.
  We use BGP currently so we are able to use MP-BGP if required.
  Any help would be very useful.

  Hi,
  In Table 14 of the Cisco Nexus 7000 Series NX-OS Verified Scalability Guide the verified limit is specified as 1000 per system i.e., across all VDCs for NX-OS release 5.2, 6.0 and 6.1.
  There is a footnote associated with this number which states:
  With each new VDC configured, the number of configurable VRFs per system is reduced by two as each VDC has a default VRF and management VRFs that are not removable. For example, with 8 configured VDCs on Cisco NX-OS Release 5.2, you can configure up to 984 VRFs per system (either all in one VDC or across VDCs).
  Regards

• Difference between user directory and native directory in Shared Services

  Hi,
  Please any one can help me......
  I am new to Hyperion, what is difference between Hyperion Shared services Native directory and User/Active directory.
  thanks in advance..............

  Hi,
  Shared Services native directory, as the name suggests, is a user directory (i.e. ldap) that is native to Hyperion. It allows you to create users, groups and define access rights to Hyperion Products. User/Active directory is the directory where users in your company reside. Shared Services can connect to it and retrieve the list of users and groups. You can define the access rights for these users if you configure the system in a way that it works with Active Directory.
  You can use both combined also. Meaning, you can create user groups in native directory and assign native directory users into them and define access rights onto user groups and/or users.
  Cheers,
  Alp

• Shared Services - Sharing MetaData between Essbase and Planning?

  <p><font size="2" face="Verdana">I have been out of the Hyperionworld for about a 1 and 1/2 years now and am trying to playcatch-up. I am looking at Planning admin doc for 9.2.0.3 and it isdiscussing sharing models in Shared Services (old HUB stuff that Ididn't get to do much with back in the day either).<br><br>At the risk of appearing dense, I wanted to verify if metadatamodels from Essbase cube can be shared with Planning applications?It may be somewhere in some doc explicitly that I am not readingbut only seems to talk about HFM and Planning sharingmodels.<br><br>If this is the case has anyone used it in this manner before? Areall properties for Planning dim/members translated across fromEssbase or are there dim/member properties that I would have to goback and complete still? Any drawbacks/issues with using the sharedmodel approach that I should watch out for?  Other doc you canpoint me at that discusses using this in more detail?<br></font></p><p><font size="2" face="Verdana">Kathy<br></font></p>

  To be honest it looks you after some of the functionality within EPMA, though if you have an essbase database then surely you will have a source for the dimensions so this could be used to populate the planning application as well.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Nat between vrf

  Hi to all, i'm trying to configure nat between vrf.I have a network with multiple vrf and a common vrf where there are some service shared among them.
  I've ip overlapping issue, so i'm trying to use nat aware vrf.
  The shared service is on a vrf also.
  I use route-target import and export to import route between vrf.I've seen nat is working between VRF and global routing, but not between different VRF that already are able to comunicate.
  This is my configuration :
  ip vrf proxy
  rd 500:500
  route-target export 500:500
  route-target export 501:501
  route-target import 500:500
  route-target import 401:401
  ip vrf upa
  rd 300:300
  route-target export 300:300
  route-target export 401:401
  route-target import 300:300
  route-target import 501:501
  ip vrf upa-tv
  rd 1000:1000
  route-target export 1000:1000
  route-target export 401:401
  route-target import 1000:1000
  route-target import 501:501
  mpls label protocol ldp
  interface GigabitEthernet0/0
  no ip address
  duplex auto
  speed auto
  interface GigabitEthernet0/0.1
  description interfacccia outside per ip pubblico ipsec
  encapsulation dot1Q 500
  ip address 195.195.195.195 255.255.255.0
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 300
  ip vrf forwarding upa
  ip address 172.31.47.254 255.255.255.0
  ip nat enable
  interface GigabitEthernet0/0.20
  encapsulation dot1Q 310
  ip vrf forwarding proxy
  ip address 172.31.50.1 255.255.255.0
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 320
  ip vrf forwarding upa-tv
  ip address 10.4.1.254 255.255.255.0
  interface GigabitEthernet0/1
  description connessa a 6500
  ip address 80.x.x.1 255.255.255.0
  duplex auto
  speed auto
  mpls ip
  router bgp 65000
  no synchronization
  bgp log-neighbor-changes
  neighbor 80.80.80.2 remote-as 65000
  no auto-summary
  address-family vpnv4
  neighbor 80.80.80.2 activate
  neighbor 80.80.80.2 send-community both
  exit-address-family
  address-family ipv4 vrf upa-tv
  no synchronization
  exit-address-family
  address-family ipv4 vrf upa
  redistribute connected
  no synchronization
  exit-address-family
  address-family ipv4 vrf proxy
  redistribute connected
  no synchronization
  exit-address-family
  ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
  ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
  ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
  as you can see i export route from vrf upa and upa-tv as RT 401:401 ,and import it in proxy vrf, and in the same way i export route from proxy vrf as RT 501:501 and import it into upa and upa-tv.
  network 10.4.1.0/24 exist in both vrf upa and upa-tv.So i 'd like to nat one of them with another ip address (i tried to use a static translation to be able to reach the same ip address in both vrf). I make some test, and it seems to work when i make a nat from vrf to global, but not work when nat is between vrf (is this supported ?).I tried with NVI and with classic nat command:
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 300
  ip vrf forwarding upa
  ip address 172.31.47.254 255.255.255.0
  ip nat inside
  interface GigabitEthernet0/0.20
  encapsulation dot1Q 310
  ip vrf forwarding proxy
  ip address 172.31.50.1 255.255.255.0
  ip nat outside
  ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy
  tried also with
  ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
  but it didn't work...
  any suggestion ?
  any help will be appreciated
  Max

  Hi Mohammed, now all works well.
  I understand my error, basically when i tried to ping, i pinged a router on my
  own vrf, because i imported the network, so the packet didn't came across
  interfaces and nat was not in place.Now i tried static host and network
  natting and dymanic natting and all works well.
  here there is a complete working configuration
  ip vrf proxy
  rd 500:500
  route-target export 500:500
  route-target export 501:501
  route-target import 500:500
  route-target import 401:401
  ip vrf upa
  rd 300:300
  route-target export 300:300
  route-target export 401:401
  route-target import 300:300
  route-target import 501:501
  ip vrf upa-tv
  rd 1000:1000
  route-target export 1000:1000
  route-target export 401:401
  route-target import 1000:1000
  route-target import 501:501
  mpls label protocol ldp
  interface GigabitEthernet0/0
  no ip address
  duplex auto
  speed auto
  interface GigabitEthernet0/0.1
  description interfacccia outside per ip pubblico ipsec
  encapsulation dot1Q 500
  ip address 195.195.195.195 255.255.255.0
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 300
  ip vrf forwarding upa
  ip address 172.31.47.254 255.255.255.0
  ip nat inside
  interface GigabitEthernet0/0.20
  encapsulation dot1Q 310
  ip vrf forwarding proxy
  ip nat outside
  ip address 172.31.50.1 255.255.255.0
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 320
  ip vrf forwarding upa-tv
  ip address 10.4.1.254 255.255.255.0
  interface GigabitEthernet0/1
  description connessa a 6500
  ip address 80.x.x.1 255.255.255.0
  duplex auto
  speed auto
  mpls ip
  router bgp 65000
  no synchronization
  bgp log-neighbor-changes
  neighbor 80.80.80.2 remote-as 65000
  no auto-summary
  address-family vpnv4
  neighbor 80.80.80.2 activate
  neighbor 80.80.80.2 send-community both
  exit-address-family
  address-family ipv4 vrf upa-tv
  no synchronization
  exit-address-family
  address-family ipv4 vrf upa
  redistribute connected
  no synchronization
  exit-address-family
  address-family ipv4 vrf proxy
  redistribute connected
  no synchronization
  exit-address-family
  ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
  ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
  ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
  Many thanks for the help, now all works well and i understand the way to
  configure it.