Summary addressing

if I advertise an address of 192.200.10.0/29 using eigrp, will this include my interfaces 192.200.10.1, 2, 5 and 6 ?

yeah it will include 192.200.10.1,2,5 & 6.
Network 192.200.10.0
starting IP address 192.200.10.1
Ending IP address 192.200.10.6
Broadcast 192.200.10.7
subnet mask 255.255.255.248
hope this gives you clear idea,
rate this post.

Similar Messages

  • IP summary address

    This is a two part question. Let's assume I have a router that we will call router1. On this router I have the networks 10.0.0.0/14 which will cover the range 10.0.0.0-10.3.255.255. Upstream from this router I have an asa that has a remote network of 10.27.0.0. Router2 has the networks 10.4.0.0/14. Router1 and Router2 use ripv2 and have auto summarization disabled. On R1's interface to R2, I will use the IP summary-address 10.0.0.0 255.252.0.0. Will I also need to include 10.27.0.0 255.255.255.0 in an IP summary-address as well? Or since my ripv2 process has network 10.0.0.0, then will this get sent anyway? I didn't know if when using manual summarization, then you would need to summarize all possible routes?
    Next question. On the asa can I NAT the remote network of 10.27.0.0/24 to something that is contiguous on R1 so that it will be included in the manual summarization? Thanks!

    If you use the summary address 10.0.0.0 255.252.0.0, any subnet falling in this range will be send as summary only.
    ie, 101.1.1.0/24 will be a part of the summary and it will not be send separately.
    However, 10.27.0.0 255.255.255.0 is not falling in the range of the summary address. Hence it will be sent separately by the RIP process.
    CF

  • What would be the proper summary address for these?

    Hello support community,
    I'm trying to write a summary network address for the ip address in red below, but they need to be separate from the ones in black, is this a proper summary route for these networks in red? 10.20.0.0/10 ?
    IP Address 
    Binary 1st octet
    Binary 2st octet
    Binary 3rd octet
    Binary 4th octet 
    10.0.0.0
    00001010
    00000000
    00000000
    00000000
    10.2.0.0
    00001010
    00000010
    00000000
    00000000
    10.3.0.0
    00001010
    00000011
    00000000
    00000000
    10.20.0.0
    00001010
    00010100
    00000000
    00000000
    10.30.0.0
    00001010
    00011110
    00000000
    00000000
    10.31.0.0
    00001010
    00011111
    00000000
    00000000
    10.32.0.0
    00001010
    00100000
    00000000
    00000000
    10.40.0.0
    00001010
    00101000
    00000000
    00000000
    10.41.0.0
    00001010
    00101001
    00000000
    00000000
    10.44.0.0
    00001010
    00101100
    00000000
    00000000
    10.45.0.0
    00001010
    00101101
    00000000
    00000000
    10.48.0.0
    00001010
    00110000
    00000000
    00000000
    10.50.0.0
    00001010
    00110010
    00000000
    00000000
    10.51.0.0
    00001010
    00110011
    00000000
    00000000
    10.52.0.0
    00001010
    00110100
    00000000
    00000000
    10.53.0.0
    00001010
    00110101
    00000000
    00000000
    10.55.0.0
    00001010
    00110111
    00000000
    00000000
    10.56.0.0
    00001010
    00111000
    00000000
    00000000
    10.61.0.0
    00001010
    00111101
    00000000
    00000000
    10.63.0.0
    00001010
    00111111
    00000000
    00000000
    10.70.0.0
    00001010
    01000110
    00000000
    00000000
    10.71.0.0
    00001010
    01000111
    00000000
    00000000
    10.72.0.0
    00001010
    01001000
    00000000
    00000000
    10.73.0.0
    00001010
    01001001
    00000000
    00000000
    10.74.0.0
    00001010
    01001010
    00000000
    00000000
    10.75.0.0
    00001010
    01001011
    00000000
    00000000
    10.76.0.0
    00001010
    01001100
    00000000
    00000000
    10.77.0.0
    00001010
    01001101
    00000000
    00000000
    10.78.0.0
    00001010
    01001110
    00000000
    00000000
    10.79.0.0
    00001010
    01001111
    00000000
    00000000

    Hi,
    I think you need to split aggregation in to below three subnets. 
    10.16.0.0/12
    10.32.0.0/11
    10.64.0.0/10
    10.20.0.0/10 is not a valid prefix. 
    Please don't forget to rate this post if it has been helpful
    -akash

  • Workings of auto-summary in EIGRP?

    We are using 172.20.0.0 internally with /25 mask for local user subnets. This network is spread around 40 locations. Normally we have 'no auto-summary' under our router command like:
    router eigrp 1
    network 172.20.0.0
    no auto-summary
    So if I wanted to know if a particular subnet was in use, ie, 'sh ip route 172.20.100.0', I would see that in a routing table, and felt confident that there truly was a 172.20.100.0 subnet.
    Someone inadvertently configured a router with 'auto-summary', and I was trying to troubleshoot a problem on 172.20.100.0. I shut down the interface that is configured for 172.20.100.0, yet it still showed up in the routing table. I track down where that route was advertised, and I found it was coming from a router that has the 'auto-summary' and the 'show ip route 172.20.100.0' on that router showed it coming from interface null-0.
    The reason I don't like to use auto-summary is because of just that - I don't get a true picture of what subnets are actually real - everything gets summarized into the major network.
    Is that the way auto-summary is supposed to work? If one uses the 'auto-summary on all routers, how does one tell if a particular subnet is in actual use of not?

    Jim
    In your description you tell us that your network uses 172.20.0.0 and do not mention any other networks. If this is true (that there are no other networks than 172.20.0.0) then it makes no difference whether no auto-summary is configured or not - you will get the exact same results as long as the network is based on a single major network (a class B network in your case).
    auto-summary only makes a difference when a router has an interface in one network and has another interface(s) in another network. If all interfaces are in the same network then EIGRP advertises all subnets out all interfaces. If the router has interfaces in two networks (say for example that your LAN interfaces were in 172.20.0.0 and you put your serial interfaces on 10.0.0.0) the the router would not advertise subnets of 172.20.0.0 over the serial 10.0.0.0 interfaces but would advertise a summary route.
    In the situation that you describe that you found a router with an entry for 172.20.100.0 to null 0 then the logical explanations would be that either there is a summary address configured on that router for 172.20.100.0 or that someone configured a static route for 172.20.100.0. Or is it possible that the route that you were looking at was really for 172.20.0.0 and not for 172.20.100.0?
    HTH
    Rick

  • 2800 Multilink Problem

    Hello,
    We 've got a dial problem with a 2811 branch router (ISDN2) and a 7206 central router (2*ISDN30)
    Wehn the 2800 dials in no problem.
    When threshold comes up no problem.
    But when the second B-channel closed the 2800 doesn't route trafic any more.
    Routing protocols still work.
    Extended ping from the routers FE interface to de central location form.
    But a device connected to the FE interface cannot ping the remote site.
    When i use IOS
    c2800nm-advsecurityk9-mz.124-10.bin : FAILTY
    c2800nm-advsecurityk9-mz.124-12.bin : FAILTY
    c2800nm-advsecurityk9-mz.124-5.bin : OKE
    c2800nm-advsecurityk9-mz.124-8a.bin : OKE
    Branch router:
    interface BRI0/2/0
    no ip address
    encapsulation ppp
    dialer pool-member 1
    isdn switch-type basic-net3
    isdn tei-negotiation first-call
    isdn point-to-point-setup
    ppp authentication chap
    end
    interface Dialer10
    ip address 1.1.1.1 255.255.255.252
    ip pim sparse-dense-mode
    encapsulation ppp
    dialer pool 1
    dialer string 0123456789
    dialer load-threshold 75 either
    dialer max-call 2
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname somerouter
    ppp chap password <REMOVED>
    ppp multilink
    end
    Central router:
    interface Dialer1
    description ISDN:
    bandwidth 128
    ip address 1.1.1.2 255.255.255.252
    ip pim sparse-dense-mode
    encapsulation ppp
    ip summary-address eigrp 1 0.0.0.0 0.0.0.0 180
    dialer pool 1
    dialer remote-name someroute
    dialer idle-timeout 180
    dialer-group 1
    no fair-queue
    no cdp enable
    ppp authentication chap
    ppp multilink
    end

    Hi
    Have you checked up the routes for the remote destinations when the second channel is down ?
    Can you check whether you are getting any routes available through the live BRI Channel available when the other one goes down ?
    Also can you verify whether the channel is stil active using show isdn active command ?
    regds

  • NAT is not working for VRF partially

    Hello!
    I have a diagram like this:
    VRF_A  and VRF_B have overlapping addressing plans from series 192.168.x.x.
    As routing protocol in both of VRFs adopted RIP (I tried all, but effect much the same).
    The closest to PE1 network is 172.16.0.0/24.
    PE1:
    ip vrf VRF_A rd 65001:1 route-target export 65001:1 route-target import 65001:1ip vrf VRF_B rd 65001:2 route-target export 65001:2 route-target import 65001:2ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_A overloadip nat inside source list 10 interface FastEthernet0/0 vrf VRF_B overloadip route vrf VRF_A 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 globalip route vrf VRF_B 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 globalinterface FastEthernet0/0 ip address 172.16.0.24 255.255.255.0 ip nat outside duplex fullinterface FastEthernet1/0 ip vrf forwarding VRF_A ip address 192.168.0.2 255.255.255.0 ip nat inside duplex full
    interface FastEthernet4/0 ip vrf forwarding VRF_B ip address 192.168.0.2 255.255.255.0 ip nat inside duplex full
    When I try ti ping 172.16.0.1 from CE11, CE21 and from VRF_A and VRF_B on PE1 - all if fine! NAT is performed and ping is OK.
    But when I tried to ping from others (PE2 and CE21 and CE22) NAT is not performed, I see 192.168.x.x at Internet Router and ping is failled.
    I'm in stupor. What could it be??? And how to avoid this situation? Are there "exits"?
    I forgot to mention that there is a full connectivity inside both of VRFs. Routing protocols and redistribution work fine.
    Kind regard,
    Ellad

    It's wrong:
    PE1interface toward P1 ip nat insideinterface toward P2 ip nat inside
    Here is PE1:Current configuration : 2829 bytes
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname PE1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip subnet-zero
    ip vrf VRF_A
    rd 65001:1
    route-target export 65001:1
    route-target import 65001:1
    ip vrf VRF_B
    rd 65001:2
    route-target export 65001:2
    route-target import 65001:2
    ip cef
    ip audit po max-events 100
    mpls label protocol ldp
    interface Loopback0
    ip address 10.0.2.1 255.255.255.255
    interface FastEthernet0/0
    ip address 172.16.0.24 255.255.255.0
    ip nat outside
    duplex full
    interface FastEthernet1/0
    ip vrf forwarding VRF_A
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    interface FastEthernet2/0 ip address 10.0.23.1 255.255.255.0
    duplex full
    tag-switching mtu 1512
    tag-switching ip
    interface FastEthernet3/0
    ip address 10.0.24.1 255.255.255.0
    duplex full
    tag-switching mtu 1512
    tag-switching ip
    interface FastEthernet4/0
    ip vrf forwarding VRF_B
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    router ospf 1
    log-adjacency-changes
    network 10.0.0.0 0.255.255.255 area 0
    router rip
    version 2
    no auto-summary
    address-family ipv4 vrf VRF_B
    redistribute bgp 65001 metric 1
    network 192.168.0.0
    no auto-summary
    exit-address-family
    router bgp 65001
    no bgp default ipv4-unicast
    bgp log-neighbor-changes
    neighbor 10.0.5.1 remote-as 65001
    neighbor 10.0.5.1 update-source Loopback0
    address-family vpnv4
    neighbor 10.0.5.1 activate
    neighbor 10.0.5.1 next-hop-self
    neighbor 10.0.5.1 send-community both
    exit-address-family
    address-family ipv4 vrf VRF_B
    redistribute static
    redistribute rip
    no auto-summary
    no synchronization
    exit-address-family
    address-family ipv4 vrf VRF_A
    no auto-summary
    no synchronization
    exit-address-family
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_A overload
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_B overload
    ip classless
    ip route vrf VRF_A 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    ip route vrf VRF_B 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    no ip http server
    no ip http secure-server
    ip extcommunity-list 1 permit soo 65002:901
    access-list 1 deny   10.1.8.1
    access-list 1 deny   10.0.8.1
                              access-list 1 deny   10.1.2.1
    access-list 1 deny   10.0.2.1
    access-list 1 permit any
    access-list 10 permit 192.168.0.0 0.0.255.255
    access-list 10 permit 192.168.1.0 0.0.0.255
    route-map rm-soo permit 10
    set extcommunity soo 65002:901!
    route-map rm-soo-action deny 10
    match extcommunity 1
    route-map rm-soo-action permit 20
    match ip address 1
    gatekeeper
    shutdown
    line con 0
    exec-timeout 144 0
    logging synchronous
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    login
    end
    1.0.5.1 is Loopback0 of P3. It's a route-reflector for all PEs. I study.
    And all what you see above - Dynamipses. Internet router - real Ubuntu server.

  • Assigning multiple areas to SVI's created on 6500 Switch

    Hey, We are having Cisco 6500 Switch at aggregation layer where all our SVIs are created and we need to advertise them in OSPF for reachability purpose. Now we are using L2 campus model so access layer is not running any routing protocol but we need to segregate our SVIs traffic based on different buildings. We are doing this by assigning unique areas to a group of SVIs while advertising in OSPF. My question is, is this a recommended way ? or we have to advertise all the SVIs in Area 0? because we don't have multiple areas but still we are adding them while advertising at 6500 switch. Thanks.

    Having said that, i am still confused whether is it a good approach or we should advertise all our SVIs directly into OSPF Area0.
    Using an area per building seems unnecessary because all the L3 routing is done on the aggregation layer so it doesn't really make a lot of sense, at least to me.
    I think using one area for all SVIs may be a good idea because then you can simply advertise one summary for the all the SVI subnets into area 0 towards the core.
    This is assuming you can summarise all the aggregation IP subnets with one summary address.
    Even that may not be necessary as it depends on the rest of your topology.
    For example if your core connected multiple buildings as in a campus and each building had a distribution pair of switches connected back to the core then yes it would make sense to use an area per building/site and only advertise a summary to the core.
    Up to you really.
    Jon

  • Resilient connections to EIS

    Hi all,
    I've got a question regarding designing a weblogic-based solution that needs to talk to an EIS.
    Basically we have a new system that also needs to keep an old system up to date for an interim period. In order to do this the new system is placing messages representing transactions onto a queue to be processed asynchronously. We are currently considering 3 options:
    - Message driven beans using JCA
    - WLI process using JCA
    - Writing our own message consumer which manages threads to write to the backend (the reason for this will become clear below)
    Basically the worry we have is that the backend may become unavailble (planned or unplanned) and we're worried that an MDB or WLI solution has no way of automatically stopping processing and then automatically picking it up again once the EIS comes back. We bascially don't want to get into a situation where we have a pool of MDBs (for instance) continually trying and failing to connect to the backend (filling the logs and wasting resources). The roll-your-own solution was therefore to enable us to control the number of threads that were attempting to connect by recognising failures and closing down all but one polling thread until we got a response again.
    This RYO approach feels really wrong, though, and it seems that WLI must have something in it to cope with this kind of failure situation. I have seen some stuff in the docs about automatically suspending and then restarting processing but am unsure if any adapters support this model. For information we are currently looking to connect to an Adabas/Natural backend via either 3270, CICS or direct natural connections.
    Hope someone can help on this !
    Thanks
    Ian

    Andy
    It depends.
    I was assuming they had area 0 at both DCs as you mentioned that.
    You should really use two areas and then they would need to filter your routes because you would be injecting them into one area on one link and then they would be sending them to you on the other link.
    The problem arises if each of their DCs is using different areas.
    So say the main DC is area 0 and the backup DC is area 1.
    All OSPF areas need to be directly connected to area 0 and obviously this wouldn't happen on the link to the area 1 DC if you use your own area.
    You can use virtual links but you should avoid these if possible.
    If you simply use their existing areas at your end then that means you are going to receive type 1 and type 2 LSAs as well.
    I don't think I can give you a definitive answer because there are too many variable in terms of OSPF areas, summarisation etc.
    Are the subnets within your main and backup DC different and the same question for their DCs ?
    Depending on the answers to the above it may make more sense to run EIGRP across those links using summary addresses at your end for the subnets and let them do the redistribution because EIGRP does not have the same issues with areas.
    I cannot see how that would affect their VRFs and even if it did they can always create a non VRF interface for the exchange of routes
    I'm happy to help out further when you get more information but I think you need to talk with the other network guy especially about how the OSPF connections are going to work.
    Jon

  • Do I need "advanced license" to run MPLS on ME3600X?

    Those who have dealt with ME3600X switch, can you tell me if I need to purchase the “Advanced Metro IP Access License” in order to run L2/L3 MPLS VPN? The license is $3995 in addition. It is a big cost for us. More specifically, I want to know if the following commands are supported with the license comes with the switch. No advanced MPLS features like traffic engineering is required at this point.
    ip vrf vpnA
    rd 100:1
    route-target export 100:1
    route-target import 100:1
    interface Ethernet1/0
    ip vrf forwarding vpnA
    interface Ethernet1/1
    mpls ip
    router ospf 1 vrf vpnA
    log-adjacency-changes
    area 1 sham-link 12.12.100.4 12.12.100.5
    redistribute bgp 100 metric-type 1 subnets
    network 12.12.128.130 0.0.0.0 area 1
    router bgp 100
    no synchronization
    bgp router-id 12.12.4.4
    bgp log-neighbor-changes
    neighbor 12.12.5.5 remote-as 100
    neighbor 12.12.5.5 update-source Loopback0
    no auto-summary
    address-family vpnv4
    neighbor 12.12.5.5 activate
    neighbor 12.12.5.5 send-community both
    exit-address-family
    address-family ipv4 vrf vpnA
    redistribute ospf 1 vrf vpnA match internal external 1 external 2
    no synchronization
    network 12.12.100.4 mask 255.255.255.255
    exit-address-family
    mpls ldp router-id Loopback0 force

    Hi dear,
    according to the information available on CCO over here
    http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps10956/data_sheet_c78-601946.html
    you indeed need to get that license in your gear to let it run MPLS.
    The commands highlighted in red should work after that.
    HTH,
    Ivan.

  • BGP in Dual Homing setup not failing over correctly

    Hi all,
    we have dual homed BGP connections to our sister company network but the failover testing is failing.
    If i shutdown the WAN interface on the primary router, after about 5 minutes, everything converges and fails over fine.
    But, if i shut the LAN interface down on the primary router, we never regain connectivity to the sister network.
    Our two ASR's have an iBGP relationship  and I can see that after a certain amount of time, the BGP routes with a next hop of the primary router get flushed from BGP and the prefferred exit path is through the secondary router. This bit works OK, but i believe that the return traffic is still attempting to return over the primary link...
    To add to this, we have two inline firewalls on each link which are only performing IPS, no packet filtering.
    Any pointers would be great.
    thanks
    Mario                

    Hi John,
    right... please look at the output below which is the partial BGP table during a link failure...
    10.128.0.0/9 is the problematic summary that still keeps getting advertised out when we do not want it to during a failure....
    now there are prefixes in the BGP table which fall within that large summary address space. But I am sure that they are all routes that are being advertised to us from the eBGP peer...
    *> 10.128.0.0/9     0.0.0.0                            32768 i
    s> 10.128.56.16/32  172.17.17.241                 150      0 2856 64619 i
    s> 10.128.56.140/32 172.17.17.241                 150      0 2856 64619 i
    s> 10.160.0.0/21    172.17.17.241                 150      0 2856 64611 i
    s> 10.160.14.0/24   172.17.17.241                 150      0 2856 64611 i
    s> 10.160.16.0/24   172.17.17.241                 150      0 2856 64611 i
    s> 10.200.16.8/30   172.17.17.241                 150      0 2856 65008 ?
    s> 10.200.16.12/30  172.17.17.241                 150      0 2856 65006 ?
    s> 10.255.245.0/24  172.17.17.241                 150      0 2856 64548 ?
    s> 10.255.253.4/32  172.17.17.241                 150      0 2856 64548 ?
    s> 10.255.253.10/32 172.17.17.241                 150      0 2856 64548 ?
    s> 10.255.255.8/30  172.17.17.241                 150      0 2856 6670 ?
    s> 10.255.255.10/32 172.17.17.241                 150      0 2856 ?
    s> 10.255.255.12/30 172.17.17.241                 150      0 2856 6670 ?
    s> 10.255.255.14/32 172.17.17.241                 150      0 2856 ?
    i would not expect summary addresses to still be advertised if the specific prefixes are coming from eBGP... am i wrong?
    thanks for everything so far...
    Mario De Rosa

  • DMVPN GRE over IPSEC Packet loss

    I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
    %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
    %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
    The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a
    Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.
    When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
    You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router
    interface Tunnel111
    description **DPN VPN**
    bandwidth 1000
    ip address 172.31.111.107 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1300
    ip pim sparse-dense-mode
    ip nhrp authentication XXXX
    ip nhrp map multicast dynamic
    ip nhrp map multicast X.X.X.X
    ip nhrp map X.X.X.X X.X.X.X
    ip nhrp network-id 100002
    ip nhrp holdtime 360
    ip nhrp nhs 172.31.111.254
    ip route-cache flow
    ip tcp adjust-mss 1260
    ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
    qos pre-classify
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key XXXX
    tunnel protection ipsec profile X.X.X.X
    interface GigabitEthernet0/0
    description **TO DPNVPN**
    ip address 10.X.X.X 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip pim sparse-dense-mode
    ip virtual-reassembly
    duplex full
    speed 100
    no snmp trap link-status
    no mop enabled
    Is there anything that you can think of that may becausing this, do you think this can be a layer one or two issue? Thanks
    Brenden

    Have you try to turn off the hardware encryption (no crypto engine accelerator) just to see if it's better. But be careful, cause your CPU% will run much higher, but you only have 10 spokes sites, so it wont be at 100%.
    It's better to start troubleshooting by layer 1 then layer 2 when it's possible. Have you ask the site's ISP for packet lost on their side ?

  • Best-practice to redistribute NAT entries into OSPF

    I have several different subnets that are all either NAT'd or accessible via a VPN. There's no actual route on the ASA to the addresses, and they're not directly connected, eliminating the usual redistribution commands.
    What is the best-practice for redistributing such entries into an OSPF area? In the past, I've had static entries on the upstream firewall, allowing the rest of the network to see this. I'm trying to get rid of as many static routes as possible (or at least make them a floating route so as to provide backup should something in OSPF fail), but am having difficulty figuring out how to redistribute these into the OSPF area.
    I can't use a summary-address command as there's no external routes that are being redistributed. The area range command is out as I don't have a separate area that routes are being redistributed from.
    One thought I've had is to create a static null route for each subnet (allowing me to redistribute static, and have the static entries only on the originating box), but I imagine rather than NAT'ng or open the site-to-site VPN, it would discard traffic (as the destination is null).
    Any ideas on what to do when you have "imaginary" addresses that don't exist anywhere but in NAT entries or that's defined as interesting traffic for a site-to-site VPN?
    Thanks in advance.

    I have the code working without use of config files. I am just disappointed that it is not working using the configuration files. That was one of the primary intents of my code re-factoring. 
     Katherine
    Xiong , If you are proposing this as an answer then does this imply that Microsoft's stance is not to use configuration files with SSIS?? Please answer.
    SM

  • Route Leaking between VRF:s (Shared services)

    Hi,
    I'm a bit confused by this setup that i'm trying to achieve.
    The setup is classic though, I have one VRF for education (EDU), one for administrators (ADM) and then a shared VRF (GEM) like this:
    ip vrf ADM
    description *** ADMIN NET ***
    rd 2:2
    export map ADM-to-EDU
    route-target export 2:2
    route-target import 1:1
    route-target import 2:2
    ip vrf EDU
    description *** ELEV NET ***
    rd 3:3
    route-target export 3:3
    route-target import 1:1
    route-target import 33:33
    route-target import 3:3
    ip vrf GEM
    description *** GEMENSAM NET ***
    rd 1:1
    route-target export 1:1
    route-target import 2:2
    route-target import 3:3
    route-target import 1:1
    As you can see, i have also configured an export map for vrf ADM, which i'm then importing routes from.
    the Map looks as follows:
    access-list 1 permit 172.18.254.37
    route-map ADM-to-EDU permit 10
    match ip address 1
    set extcommunity rt 33:33 additive
    A relevant part of the ip setup is as follows:
    interface Loopback3
    ip vrf forwarding EDU
    ip address 3.3.3.3 255.255.255.255
    interface Loopback37
    ip vrf forwarding ADM
    ip address 172.18.254.37 255.255.255.255
    I'm running BGP:
    router bgp 65235
    no synchronization
    bgp log-neighbor-changes
    no auto-summary
    address-family ipv4 vrf GEM  redistribute connected
      redistribute static
      default-information originate
      no synchronization
    exit-address-family
    address-family ipv4 vrf EDU
      redistribute connected
      redistribute static
      default-information originate
      no synchronization
    exit-address-family
    address-family ipv4 vrf ADM
      redistribute connected
      redistribute static
      default-information originate
      no synchronization
    exit-address-family
    Now, the thing is, the leaking is working, i can see the leaked route in the EDU routing table below,
    Router#sh ip route vrf EDU
    Routing Table: EDU
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 172.19.16.5 to network 0.0.0.0
         1.0.0.0/32 is subnetted, 1 subnets
    B       1.1.1.1 is directly connected, 04:53:31, Loopback1
         3.0.0.0/32 is subnetted, 1 subnets
    C       3.3.3.3 is directly connected, Loopback3
         172.19.0.0/32 is subnetted, 1 subnets
    B       172.19.16.5 is directly connected, 02:27:51, Loopback0
         172.18.0.0/32 is subnetted, 1 subnets
    B       172.18.254.37 is directly connected, 00:32:14, Loopback37
    B*   0.0.0.0/0 [20/0] via 172.19.16.5 (GEM), 02:08:42
    but i cannot reach it:
    Router#ping vrf EDU 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    But if i run "debug ip packet" and the perform another ping, i get this result which i think is a bit weird? to me it seems as if it works.
    Router#ping vrf EDU 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    *Mar  1 05:42:40.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:40.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:40.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:40.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:40.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:40.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:42.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:42.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:42.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:42.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:42.582: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:42.586: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:42.590: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:42.590: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:44.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:44.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:44.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:44.574: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:44.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:44.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:46.566: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:46.570: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:46.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:46.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:46.570: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:46.574: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:48.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:48.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:48.566: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:48.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:48.574: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:48.574: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:48.582: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:48.582: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    Success rate is 0 percent (0/5)
    Router#
    However, if i add leaking for 3.3.3.3 in ADM vrf like this:
    access-list 2 permit 3.3.3.3
    route-map EDU-to-ADM permit 10
    match ip address 2
    set extcommunity rt  22:22 additive
    ip vrf ADM
    description *** ADMIN NET ***
    rd 2:2
    export map ADM-to-EDU
    route-target export 2:2
    route-target import 1:1
    route-target import 22:22      < - added line
    route-target import 2:2
    ip vrf EDU
    description *** ELEV NET ***
    rd 3:3
    export map EDU-to-ADM         < - added line
    route-target export 3:3
    route-target import 1:1
    route-target import 33:33
    route-target import 3:3
    Then it will work:
    Router#ping vrf EDU 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms
    So actually, my big question is, am i doing this the right or wrong way? i'm a bit confused.
    Sorry about the rant, maybe it will clarify some things for others who are confused, or maybe just make it worse!
    Some additional thoughts:
    Why can't i perform this ping, shouldnt this work?
    Router#ping vrf GEM 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Router#
    bgp info:
    Router#sh ip bgp vpnv4 all
    BGP table version is 79, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 1:1 (default for vrf GEM)
    *> 0.0.0.0          172.19.16.5              0         32768 ?
    *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
    *> 2.2.2.2/32       0.0.0.0                  0         32768 ?
    *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
    *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
    *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
    Route Distinguisher: 2:2 (default for vrf ADM)
    *> 0.0.0.0          172.19.16.5              0         32768 ?
    *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
    *> 2.2.2.2/32       0.0.0.0                  0         32768 ?
    *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
    *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
    *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
    Route Distinguisher: 3:3 (default for vrf EDU)
    *> 0.0.0.0          172.19.16.5              0         32768 ?
    *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
       Network          Next Hop            Metric LocPrf Weight Path
    *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
    *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
    *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
    Router#

    Thank you for your answer Aravala.
    Ok, so i think i'm beginning to understand this now after several hours..
    Below is my setup now, and it works, but the thing is that it ONLY works from nets that are actually configured on interfaces.
    What i mean by this is,
    i want to reach ONLY the ip 172.18.254.37(ADM net) from ANY adress on 172.19.0.0/16 (EDU net)
    so naturally i try and change the prefix list to:
    ip prefix-list 1 seq 5 permit 172.18.254.37/32
    ip prefix-list 2 seq 5 permit 172.19.0.0/16
    But this doesnt work, i would be very grateful if someone could explain why and how to get around it..! i dont want to define every subnet on 172.19.0.0/16 and at the same time leave all of the 172.18.254.0/24 network open.
    working setup:
    ip vrf ADM
    description *** ADMIN NET ***
    rd 2:2
    export map ADM-to-EDU
    route-target export 2:2
    route-target import 1:1
    route-target import 22:22
    route-target import 2:2
    ip vrf EDU
    description *** ELEV NET ***
    rd 3:3
    export map EDU-to-ADM
    route-target export 3:3
    route-target import 1:1
    route-target import 33:33
    route-target import 3:3
    ip vrf GEM
    description *** GEMENSAM NET ***
    rd 1:1
    route-target export 1:1
    route-target import 2:2
    route-target import 3:3
    route-target import 1:1
    ip prefix-list 1 seq 5 permit 172.18.254.0/24
    ip prefix-list 2 seq 5 permit 172.19.64.0/21
    route-map ADM-to-EDU permit 10
    match ip address prefix-list 1
    set extcommunity rt  33:33 additive
    route-map EDU-to-ADM permit 10
    match ip address prefix-list 2
    set extcommunity rt  22:22 additive

  • Serial interfaces, ip vrf forwarding, and PBR with set vrf

    I am doing some work with VRF-lite but I am having some trouble with serial interfaces. I have a PE router with a serial interface where I want to take incoming traffic and using policy-based routing send the traffic to the appropriate VRF. I want to assign the serial interface itself to be in one of those VRFs, not the global routing table. Eventually, I also want to overlap the VPNs/VRFs to send traffic going out the serial interface through the VRF assigned to the serial interface. Initially, it looks something like this:
    ip vrf VRF1
    rd 65000:3
    route-target export 65000:3
    ip vrf VRF2
    rd 65000:18
    route-target import 65000:3
    ip route vrf VRF1 10.90.51.0 255.255.255.0 192.168.11.18
    interface Serial0/0/0
    ip vrf forwarding VRF1
    ip address 192.168.11.17 255.255.255.252
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    no auto-summary
    address-family ipv4 vrf VRF1
    redistribute static
    no auto-summary
    no synchronization
    exit-address-family
    ip access-list extended remote-source
    permit ip 10.90.0.0 0.0.255.255 any
    route-map SERIAL-INCOMING permit 100
    match ip address remote-source
    set vrf VRF2
    But if I try to turn on the policy based routing at the serial interface, I get an error:
    Router(conf)#interface Serial0/0/0
    Router(config-if)#ip policy route-map SERIAL-INCOMING
    % Can not apply route-map SERIAL-INCOMING to this interface
    % Either remove 'set vrf' from route-map or unconfigure 'ip vrf forward'
    I can sort of get around the problem by using an "ip vrf receive" instead of "ip vrf forward", but unfortunately, that leaves my Serial interface in the global table which isn't what I wanted.
    What troubles me is that I can do this without any problems on an Ethernet interface. Are there any known issues with "ip vrf forward" and using PBR and "set vrf" on Serial interfaces, or have I configured something wrong?
    If I stick with the "ip vrf receive", how can I force the physical Serial interface into the appropriate VRF?
    Thanks.
    Clarke Morledge
    College of William and Mary

    Upon further investigation....
    The serial interface issue was a red herring. It just so happens that every other time I've done this it has been on a flavor of 12.2x on a 6500/7600 where this feature is supported. The only systems I have with Serial interfaces are 1841s.
    The problem with the 1841 is that most of the code revisions out there do not support this feature. It was only added to the regular code train with the recent release of 12.2(24)T. I tested with 12.2(24)T1 and you are now able to use "ip vrf forwarding" on all interfaces along with a PBR route-map that uses the "set vrf" option.
    Thanks, Laurent, for pointing me towards the TAC on this.
    Clarke Morledge
    College of William and Mary

  • Multicast vrf

    Good Day! I have got a task to play multicast traffic through mpls (at least between the same vrf). I have 3 switches 3750 ME, sw1, sw2 and sw3. Multicast source host is connected to sw3 int fa1/0/6, receiver host is connected to sw1 int fa 1/0/5, respectively. Both interfaces are in vlan 100 (just the same vlan number). Interface vlan is in vrf green. Switches are connected back to back sw1-sw2-sw3 via gigabit interfaces (dedicated for mpls) like ce1/pe1-p-pe2/ce2. In addition, sw1 and sw3 are rr-clients for sw2. To check multicast traffic I use multicasttest utility (http://www.mikkle.dk/multicasttest/). Multicast group address for test is 224.237.248.237. Multicast traffic walk from host 192.168.1.3 to 192.168.2.2. Also, there are vl 100 interfaces on switches in vrf green created just for check proper connectivity.
    Configs:
    hostname sw1
    system mtu routing 1500
    ip subnet-zero
    ip routing
    no ip dhcp conflict logging
    ip dhcp excluded-address 192.168.2.1
    ip dhcp excluded-address 172.16.1.1
    ip dhcp pool green1
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
      default-router 172.16.1.1
    ip vrf green
    rd 100:100
    route-target export 100:100
    route-target import 100:100
    mdt default 232.1.1.1
    ip multicast-routing distributed
    ip multicast-routing vrf green distributed
    interface Loopback0
    ip address 10.1.1.1 255.255.255.255
    ip pim sparse-dense-mode
    ip ospf 1 area 0
    interface Loopback100
    ip vrf forwarding green
    ip address 10.0.100.1 255.255.255.255
    ip pim sparse-dense-mode
    interface FastEthernet1/0/5
    switchport access vlan 100
    interface GigabitEthernet1/1/2
    no switchport
    ip address 10.0.1.2 255.255.255.0
    ip pim sparse-dense-mode
    ip ospf 1 area 0
    speed auto 1000
    mpls ip
    interface Vlan100
    ip vrf forwarding green
    ip address 192.168.2.1 255.255.255.0
    ip pim sparse-dense-mode
    router ospf 1
    log-adjacency-changes
    router bgp 65001
    no synchronization
    bgp log-neighbor-changes
    neighbor 10.1.1.2 remote-as 65001
    neighbor 10.1.1.2 update-source Loopback0
    no auto-summary
    address-family ipv4 mdt
      neighbor 10.1.1.2 activate
      neighbor 10.1.1.2 send-community extended
    exit-address-family
    address-family vpnv4
      neighbor 10.1.1.2 activate
      neighbor 10.1.1.2 send-community extended
    exit-address-family
    address-family ipv4 vrf green
      no synchronization
      network 10.0.100.1 mask 255.255.255.255
      network 192.168.2.0
    exit-address-family
    ip classless
    hostname sw2
    system mtu routing 1500
    ip subnet-zero
    ip routing
    ip vrf green
    rd 100:100
    route-target export 100:100
    route-target import 100:100
    mdt default 232.1.1.1
    ip multicast-routing distributed
    ip multicast-routing vrf green distributed
    vtp mode transparent
    interface Loopback0
    ip address 10.1.1.2 255.255.255.255
    ip pim sparse-dense-mode
    ip ospf 1 area 0
    interface GigabitEthernet1/1/1
    no switchport
    ip address 10.0.2.1 255.255.255.0
    ip pim sparse-dense-mode
    ip ospf 1 area 0
    speed auto 1000
    mpls ip
    interface GigabitEthernet1/1/2
    no switchport
    ip address 10.0.1.1 255.255.255.0
    ip pim sparse-dense-mode
    ip ospf 1 area 0
    speed auto 1000
    mpls ip
    router ospf 1
    log-adjacency-changes
    router bgp 65001
    no synchronization
    bgp log-neighbor-changes
    neighbor 10.1.1.1 remote-as 65001
    neighbor 10.1.1.1 update-source Loopback0
    neighbor 10.1.1.1 route-reflector-client
    neighbor 10.1.1.3 remote-as 65001
    neighbor 10.1.1.3 update-source Loopback0
    neighbor 10.1.1.3 route-reflector-client
    no auto-summary
    address-family ipv4 mdt
      neighbor 10.1.1.1 activate
      neighbor 10.1.1.1 send-community extended
      neighbor 10.1.1.3 activate
      neighbor 10.1.1.3 send-community extended
    exit-address-family
    address-family vpnv4
      neighbor 10.1.1.1 activate
      neighbor 10.1.1.1 send-community extended
      neighbor 10.1.1.1 route-reflector-client
      neighbor 10.1.1.3 activate
      neighbor 10.1.1.3 send-community extended
      neighbor 10.1.1.3 route-reflector-client
    exit-address-family
    address-family ipv4 vrf green
      no synchronization
    exit-address-family
    ip classless
    hostname sw3
    system mtu routing 1500
    ip subnet-zero
    ip routing
    no ip dhcp conflict logging
    ip dhcp excluded-address 192.168.1.1
    ip dhcp pool green2
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
    ip vrf green
    rd 100:100
    route-target export 100:100
    route-target import 100:100
    mdt default 232.1.1.1
    ip multicast-routing distributed
    ip multicast-routing vrf green distributed
    vtp mode transparent
    interface Loopback0
    ip address 10.1.1.3 255.255.255.255
    ip pim sparse-dense-mode
    ip ospf 1 area 0
    interface Loopback100
    ip vrf forwarding green
    ip address 10.0.100.3 255.255.255.255
    ip pim sparse-dense-mode
    interface FastEthernet1/0/6
    switchport access vlan 100
    interface GigabitEthernet1/1/1
    no switchport
    ip address 10.0.2.2 255.255.255.0
    ip pim sparse-dense-mode
    ip ospf 1 area 0
    speed auto 1000
    mpls ip
    interface Vlan100
    ip vrf forwarding green
    ip address 192.168.1.1 255.255.255.0
    ip pim sparse-dense-mode
    router ospf 1
    log-adjacency-changes
    router bgp 65001
    no synchronization
    bgp log-neighbor-changes
    neighbor 10.1.1.2 remote-as 65001
    neighbor 10.1.1.2 update-source Loopback0
    no auto-summary
    address-family ipv4 mdt
      neighbor 10.1.1.2 activate
      neighbor 10.1.1.2 send-community extended
    exit-address-family
    address-family vpnv4
      neighbor 10.1.1.2 activate
      neighbor 10.1.1.2 send-community extended
    exit-address-family
    address-family ipv4 vrf green
      no synchronization
      network 10.0.100.3 mask 255.255.255.255
      network 192.168.1.0
    exit-address-family
    ip classless
    Пинги везде проходят (как между свитчами, так и между хостами)
    sw1#ping vrf green 192.168.2.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
    sw1#ping vrf green 192.168.1.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
    sw1#ping vrf green 224.237.248.237
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 224.237.248.237, timeout is 2 seconds:
    Reply to request 0 from 192.168.2.1, 1 ms
    Reply to request 0 from 10.0.100.1, 1 ms
    sw3#ping vrf green 192.168.1.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
    sw3#ping vrf green 192.168.2.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
    sw3#ping vrf green 224.237.248.237
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 224.237.248.237, timeout is 2 seconds:
    Reply to request 0 from 192.168.1.1, 1 ms
    Reply to request 0 from 10.0.100.3, 1 ms
    I can see I pim neighbors in global table, but cat’s see them in vrf green. I think the problem is here.
    sw1#sh ip pim neighbor
    PIM Neighbor Table
    Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
          P - Proxy Capable, S - State Refresh Capable
    Neighbor          Interface                Uptime/Expires    Ver   DR
    Address                                                            Prio/Mode
    10.0.1.1          GigabitEthernet1/1/2     20:25:44/00:01:43 v2    1 / S P
    sw2#sh ip pim neighbor
    PIM Neighbor Table
    Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
          P - Proxy Capable, S - State Refresh Capable
    Neighbor          Interface                Uptime/Expires    Ver   DR
    Address                                                            Prio/Mode
    10.0.2.2          GigabitEthernet1/1/1     20:25:57/00:01:22 v2    1 / DR S P
    10.0.1.2          GigabitEthernet1/1/2     20:25:58/00:01:19 v2    1 / DR S P
    sw3#sh ip pim neighbor
    PIM Neighbor Table
    Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
          P - Proxy Capable, S - State Refresh Capable
    Neighbor          Interface                Uptime/Expires    Ver   DR
    Address                                                            Prio/Mode
    10.0.2.1          GigabitEthernet1/1/1     20:26:13/00:01:35 v2    1 / S P
    sw1#sh ip pim vrf green neighbor
    PIM Neighbor Table
    Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
          P - Proxy Capable, S - State Refresh Capable
    Neighbor          Interface                Uptime/Expires    Ver   DR
    Address                                                            Prio/Mode
    sw1#
    sw3#sh ip pim vrf green neighbor
    PIM Neighbor Table
    Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
          P - Proxy Capable, S - State Refresh Capable
    Neighbor          Interface                Uptime/Expires    Ver   DR
    Address                                                            Prio/Mode
    sw3#
    mroute in vrf:
    sw1#sh ip mroute vrf green 224.237.248.237
    IP Multicast Routing Table
    Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
           L - Local, P - Pruned, R - RP-bit set, F - Register flag,
           T - SPT-bit set, J - Join SPT, M - MSDP created entry,
           X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
           U - URD, I - Received Source Specific Host Report,
           Z - Multicast Tunnel, z - MDT-data group sender,
           Y - Joined MDT-data group, y - Sending to MDT-data group
           V - RD & Vector, v - Vector
    Outgoing interface flags: H - Hardware switched, A - Assert winner
    Timers: Uptime/Expires
    Interface state: Interface, Next-Hop or VCD, State/Mode
    (*, 224.237.248.237), 02:50:33/00:02:56, RP 0.0.0.0, flags: DCL
      Incoming interface: Null, RPF nbr 0.0.0.0
      Outgoing interface list:
        Vlan100, Forward/Sparse-Dense, 02:50:33/00:00:00
    sw3#sh ip mroute vrf green 224.237.248.237
    IP Multicast Routing Table
    Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
           L - Local, P - Pruned, R - RP-bit set, F - Register flag,
           T - SPT-bit set, J - Join SPT, M - MSDP created entry,
           X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
           U - URD, I - Received Source Specific Host Report,
           Z - Multicast Tunnel, z - MDT-data group sender,
           Y - Joined MDT-data group, y - Sending to MDT-data group
           V - RD & Vector, v - Vector
    Outgoing interface flags: H - Hardware switched, A - Assert winner
    Timers: Uptime/Expires
    Interface state: Interface, Next-Hop or VCD, State/Mode
    (*, 224.237.248.237), 02:48:36/00:02:25, RP 0.0.0.0, flags: DCL
      Incoming interface: Null, RPF nbr 0.0.0.0
      Outgoing interface list:
        Vlan100, Forward/Sparse-Dense, 02:48:36/00:00:00
    sw1#mstat
    VRF name: green
    Source address or name: 192.168.2.1
    Destination address or name: 192.168.1.3
    Group address or name: 224.237.248.237
    Multicast request TTL [64]:
    Response address for mtrace:
    Type escape sequence to abort.
    Mtrace from 192.168.2.1 to 192.168.1.3 via group 224.237.248.237 in VRF green
    From source (?) to destination (?)
    Waiting to accumulate statistics....* * *
    Timeout on first trace.
    sw3#mstat
    VRF name: green
    Source address or name: 192.168.1.1
    Destination address or name: 192.168.1.3
    Group address or name: 224.237.248.237
    Multicast request TTL [64]:
    Response address for mtrace:
    Type escape sequence to abort.
    Mtrace from 192.168.1.1 to 192.168.1.3 via group 224.237.248.237 in VRF green
    From source (?) to destination (?)
    Waiting to accumulate statistics......
    Results after 10 seconds:
      Source        Response Dest   Packet Statistics For     Only For Traffic
    192.168.1.1     192.168.1.1     All Multicast Traffic     From 192.168.1.1
         |       __/  rtt 0    ms   Lost/Sent = Pct  Rate     To 224.237.248.237
         v      /     hop 0    ms   ---------------------     --------------------
    192.168.1.1     ?
         |      \__   ttl   0
         v         \  hop 0    ms        0         0 pps           0    0 pps
    192.168.1.3     192.168.1.1
      Receiver      Query Source
    I hope I have shown all necessary configs, outputs and schemes to make the picture clear. Other outputs I can show on demand. Thanks in advance.

    Hi Evgeny
    Unfortunately the multicast VPN feature is not supported on the 3750 ME platform even though the commands are present . This is also mentioned in Cisco Feature Navigator. There are no plans to implement this on this platform.
    Thanks
    Mayuresh

Maybe you are looking for

  • Passing Objects: ServletContext versus JNDI

    I am currently developing a Web application that uses a variation of the (often recommended) model-view-controller architecture. Specifically, I have a single Front Controller Servlet that identifies what the request is for, and then delegates proces

  • My spot healing brush stopped working

    My spot healing brush stopped working. After releasing the mouse, it blinks and remains black. If I do another spot, the first spot is fixed and the second one is black. And so on. This began after updating to 12.0.4 x64 (Mac 10.7.3)*

  • What's the best plugin for wide-angle / perspective correction

    Hi guys, I do a lot of location photography with a wide angle lens. When shooting upwards it sends the top of the building into the distance. My workflow has been to export to Photoshop for these and use the 'Transform' tools to add a little correcti

  • Transactional replication with 1 publisher 2 subscribers in SQL 2012 SE

    I have a setup of transaction replication between one publisher and subscriber in the Same server.Now, I need to add a new subscriber to the existing publisher. So publisher database name is DB_A and Subscriber 1 name is DB_B. So the new subscriber w

  • Access INI files

    Hello Can I read an INI file using methods which would automatically search for a topic, an item and retrieve its value? If it is possible, please tell me which class and methods to use. Thanks for ur help.