VRF LITE + IPSEC

Hi, this config is VRF Lite + IPsec. During the test we see that the packets do not come back (from a different VRF) to the interface with the tunnel. We ping from a PC behind the IPsec tunnel (inside VRF A) to a router inside VRF B (on the same PE). The packets seem to re-enter the tunnel (according to debug ip packet), but they really do not re-enter the tunnel.
ip vrf B
rd 100:100
route-target export 100:100
route-target import 100:100
route-target import 100:17
ip vrf A
rd 100:17
route-target export 100:17
route-target import 100:17
route-target import 100:100
crypto keyring itea-peer vrf A
pre-shared-key address 172.16.254.110 key pat55200itea
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
no crypto isakmp ccm
crypto isakmp profile itea-peer
vrf A
keyring itea-peer
match identity address 172.16.254.110 255.255.255.255 A
local-address Serial3/0
crypto ipsec transform-set InfoTn esp-des esp-md5-hmac
crypto map Itea 10 ipsec-isakmp
description ITEA
set peer 172.16.254.110
set transform-set InfoTn
set isakmp-profile itea-peer
match address Serv_Itea
ip access-list extended Serv_Itea
permit ip any 193.43.34.0 0.0.0.255 log
interface Serial3/0
ip vrf forwarding A
ip address 172.19.7.17 255.255.255.252
serial restart-delay 0
crypto map Itea
end
interface GigabitEthernet0/3
ip vrf forwarding B
ip address 2.2.2.1 255.255.255.252
duplex auto
speed auto
media-type rj45
no negotiation auto
end

So you can see the ACL match:
Flusso1-New#sh access-lists Serv_Itea
Extended IP access list Serv_Itea
20 permit ip any 193.43.34.0 0.0.0.255 log (4138 matches)
Flusso1-New#
Aug 1 10:51:48: IP: tableid=6, s=193.43.34.10 (Serial3/0), d=2.2.2.1 (GigabitEthernet0/3), routed via RIB
Aug 1 10:51:48: IP: s=193.43.34.10 (Serial3/0), d=2.2.2.1, len 100, rcvd 4
Aug 1 10:51:48: IP: tableid=6, s=2.2.2.1 (local), d=193.43.34.10 (Serial3/0), routed via FIB
Aug 1 10:51:48: IP: s=2.2.2.1 (local), d=193.43.34.10 (Serial3/0), len 100, sending
Flusso1-New#sh access-lists Serv_Itea
Extended IP access list Serv_Itea
20 permit ip any 193.43.34.0 0.0.0.255 log (4139 matches)
Flusso1-New#
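As an added example (not code from the original post), the first check a practitioner makes on the debug output above: evaluate each packet against the crypto ACL, in the forward direction for packets leaving Serial3/0 and mirrored (source and destination swapped) for packets that arrived on it. The ACL, the interface name and the four debug lines come from the post; the fifth debug line is constructed to show a non-match.

```python
import ipaddress
import re

# Crypto ACL from the post, attached to the crypto map on Serial3/0.
CRYPTO_ACL = "permit ip any 193.43.34.0 0.0.0.255"
CRYPTO_IF = "Serial3/0"


def _parse_addr(tokens):
    """Consume one ACL address term: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Return (src, src_wildcard, dst, dst_wildcard) for a 'permit ip ...' entry."""
    tokens = line.split()
    assert tokens[:2] == ["permit", "ip"], "only 'permit ip' entries are modelled"
    src, rest = _parse_addr(tokens[2:])
    dst, _ = _parse_addr(rest)
    return src + dst


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def ace_matches(ace, src, dst):
    s, sw, d, dw = ace
    return wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)


# Pulls s=ADDR (IF), d=ADDR (IF) out of a 'debug ip packet' line; interfaces are optional.
DEBUG_RE = re.compile(
    r"s=(?P<src>[\d.]+)(?: \((?P<sif>[^)]+)\))?, d=(?P<dst>[\d.]+)(?: \((?P<dif>[^)]+)\))?")


def classify(debug_line, acl=CRYPTO_ACL, crypto_if=CRYPTO_IF):
    """Decide for one debug line whether the packet is 'interesting' for the crypto map.

    Returns (src, dst, direction, interesting), or None if the line has no s=/d= pair.
    Inbound packets are checked against the mirror image of the ACL, as IOS does
    for decrypted traffic; outbound packets against the ACL as written.
    """
    m = DEBUG_RE.search(debug_line)
    if not m:
        return None
    src, dst = m["src"], m["dst"]
    ace = parse_ace(acl)
    if m["sif"] == crypto_if:        # arrived on the crypto-mapped interface
        return (src, dst, "inbound", ace_matches(ace, dst, src))
    if m["dif"] == crypto_if:        # leaving via the crypto-mapped interface
        return (src, dst, "outbound", ace_matches(ace, src, dst))
    return (src, dst, "transit", False)


# Four lines quoted from the post, plus one constructed reply to a host outside 193.43.34.0/24.
SAMPLE_DEBUG = [
    "Aug 1 10:51:48: IP: tableid=6, s=193.43.34.10 (Serial3/0), d=2.2.2.1 (GigabitEthernet0/3), routed via RIB",
    "Aug 1 10:51:48: IP: s=193.43.34.10 (Serial3/0), d=2.2.2.1, len 100, rcvd 4",
    "Aug 1 10:51:48: IP: tableid=6, s=2.2.2.1 (local), d=193.43.34.10 (Serial3/0), routed via FIB",
    "Aug 1 10:51:48: IP: s=2.2.2.1 (local), d=193.43.34.10 (Serial3/0), len 100, sending",
    "Aug 1 10:52:00: IP: s=2.2.2.1 (local), d=10.99.0.7 (Serial3/0), len 100, sending",  # constructed
]


def audit(lines=SAMPLE_DEBUG):
    """Classify every debug line that carries a packet; skips lines without one."""
    return [r for r in (classify(line) for line in lines) if r]


if __name__ == "__main__":
    for src, dst, direction, hit in audit():
        print(f"{src:>14} -> {dst:<14} {direction:<8} {'MATCH' if hit else 'no match'}")
```

Both directions of the ping in the post match the crypto ACL, so the ACL itself is not what keeps the reply out of the tunnel; the check narrows the search to routing and crypto-map placement.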

Similar Messages

  • CSM VRF Lite OSPF and IPSEC/GRE

    We have a pretty complex VPN configuration. It's a site-to-site VRF-Lite GRE/IPsec VPN that would be considered point-to-point; each router is connected to two peers in a ring.
    CSM complains about discovering this VPN configuration due to the VRF and the fact that OSPF with multiple OSPF processes is not supported.
    My question is, can we still monitor the tunnels? We'd like to monitor the tunnels, but that seems impossible unless we can get CSM to see the tunnels, which it currently does not.

    VRF Lite and MPLS-VPN act independently, so they can work independently, and there is no specific need for mapping. If the link is for VRF A on the PE, you can make it part of VRF A on the CE as well. Both VRFs are independent of each other.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddd9.html#1045190
    This document is for the 4500, but the logic holds the same.

  • Sourced Based VRFs and IPSEC

    Hi All,
    I have 2 questions.
    1) Does the Cisco 7600 router with SUP720 3BXL support VRF selection based on source IP address [Layer 3 VPNs]?
    2) We have various clients reaching a router and we want to forward them to their company's VRFs based on their source address (given by RADIUS or statically). Now, ideally, we want to give the customer's H.Q. the option to connect to this router using leased lines (or Frame Relay) or by using IPsec (over the Internet). Is this possible? Can traffic from an access server arrive on an interface and, based on the source, the user be either forwarded to a VRF or to IPsec?
    Regards.

    Hello,
    a solution to your problem could be to have a VRF-aware access server and place the customers into their respective VRF right away (the feature is called Multi-VRF aka VRF-lite). IPSec and Dialer interfaces are possible. Based on authentication you could define the VRF, and by having a dot1Q trunk to the 7600 which operates as the MPLS PE.
    A second option is to have the trunk to the 7600, VLANs in different VRFs and to do PBR into different VLANs on the CE router/access server.
    Hope this helps! please rate all posts.
    Regards, Martin

  • VRF Lite Issues

    Hey people. I'm trying to solve a small VRF Lite project I've been working on. Router has one public interface. I have GRE tunnels going to a VTI. I also created a second tunnel VTI and put it in a VRF so that I could have one plain GRE tunnel and also a second GRE tunnel that supports IPSEC. I can't seem to figure out how to route packets in and out of the VRF and global table. From a tunnel established on the VRF, I would like to ping one of the global table peers networks (or even a loopback interface on the router itself). Below is my config. Any help is appreciated.
    ip vrf IPSEC-Customers
     rd 65000:1
     route-target export 65000:1
     route-target import 65000:1
    interface Tunnel0
     bandwidth 100000
     bandwidth inherit
     ip address 10.1.1.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nat inside
     ip nhrp map multicast dynamic
     ip nhrp network-id 1011
     ip nhrp holdtime 30
     ip nhrp registration timeout 30
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     load-interval 30
     qos pre-classify
     tunnel source 204.12.X.X
     tunnel mode gre multipoint
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
    interface Tunnel1
     bandwidth 10000
     bandwidth inherit
     ip vrf forwarding IPSEC-Customers
     ip address 10.1.2.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp map multicast dynamic
     ip nhrp network-id 1012
     ip nhrp holdtime 30
     ip nhrp registration timeout 30
     ip tcp adjust-mss 1400
     load-interval 30
     qos pre-classify
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 50
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
     tunnel protection ipsec profile DMVPN1
    interface FastEthernet0/0
     bandwidth 10000
     ip address 204.12.X.X 255.255.2X.X
     ip access-group Outside_In in
     ip nbar protocol-discovery
     ip flow ingress
     ip flow egress
     ip nat outside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    router bgp 65000
     no synchronization
     bgp log-neighbor-changes
     no auto-summary
     address-family ipv4 vrf IPSEC-Customers
      redistribute connected
      redistribute static
      no synchronization
     exit-address-family
    ip route vrf IPSEC-Customers 10.2.7.0 255.255.255.0 10.1.2.3 name Test

    Hello,
    The tunnel source and destination must be in the same VRF for this to work. In another case you can use a tunnel to ride over a VRF if required.
    So your global table would then become a VRF; I am not sure if we can do this with the global table... :-/ Using your example below:
    ip vrf IPSEC-Customers
     rd 65000:1
     route-target export 65000:1
     route-target import 65000:1
    ip vrf GLOBAL
    rd 1:1
    interface Tunnel0
    ip vrf forwarding GLOBAL
     bandwidth 100000
     bandwidth inherit
     ip address 10.1.1.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nat inside
     ip nhrp map multicast dynamic
     ip nhrp network-id 1011
     ip nhrp holdtime 30
     ip nhrp registration timeout 30
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     load-interval 30
     qos pre-classify
     tunnel source 204.12.X.X
     tunnel mode gre multipoint
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
    interface Tunnel1
     bandwidth 10000
     bandwidth inherit
     ip vrf forwarding IPSEC-Customers
     ip address 10.1.2.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp map multicast dynamic
     ip nhrp network-id 1012
     ip nhrp holdtime 30
     ip nhrp registration timeout 30
     ip tcp adjust-mss 1400
     load-interval 30
     qos pre-classify
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 50
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
     tunnel protection ipsec profile DMVPN1
    tunnel vrf GLOBAL
    interface FastEthernet0/0
    ip vrf forwarding GLOBAL
     bandwidth 10000
     ip address 204.12.X.X 255.255.2X.X
     ip access-group Outside_In in
     ip nbar protocol-discovery
     ip flow ingress
     ip flow egress
     ip nat outside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    I haven't tested this myself, but I have come across this in my studies. In theory this should work.
    Hope this helps
    Bilal (CCIE #45032)

  • VRF Lite running in the enterprise network

    Hello everybody
    Although VRF Lite (or Multi-VRF) seems to be a Service Provider technology, does it make sense to use it in an Enterprise network to isolate networks from others?
    I can't find any design paper which describes whether this would make sense.
    What do you think? Is someone using it? Does Cisco recommend it?

    Yes, VRF-lite SHOULD be used in an Enterprise environment to isolate the different security classes of devices.
    In the past you would isolate different groups of users using Layer1, i.e. separate hubs either totally isolated or connected together by a router with ACLs. Since the PCs were only connected at shared 10 Mbit and the routers were such low performance and worms weren't really prevalent, this was not a big security issue at the time.
    Then we migrated to VLANs, which essentially allowed Layer2 isolation within the same switch to provide the same functionality of separating different classes of users and to break up broadcast domains. Unfortunately, everyone connected the VLANs together at Layer3 with a router (or SVI) which essentially connected everything together again! And almost no one gets the ACLs right (if at all) to isolate the VLANs from each other. In fact, in most cases every VLAN can automatically reach every other VLAN from a Layer3 or IP perspective. This is a huge security problem.
    Enter VRF-lite, essentially created by Cisco as their tag switching migrated to standards based MPLS and had a need to isolate Layer3 security domains from each other within the same switch (or router). Think of VLANs for routing tables. VRF stands for 'Virtual Route Forwarding', which basically means separate routing tables. Since VRF-lite is a per-switch feature (running locally to the switch) you will need to use other technologies to connect multiple VRF-lite switches together and keep the traffic isolated, see below.
    What makes this so secure is that there is no command within the switch to connect different VRFs together within the same switch. You would need to connect a cable between two ports on the same switch configured in different VRFs to be able to communicate between them (recent IOS 12.2SR allows tunnels with different source VRFs but that is a corner case). The reason for this is simple, remember the basis for VRF (and VRF-lite) is for a service provider to isolate multiple customers from each other within the same switch. Just like an ATM, Frame-Relay, SONET, or Optical switch, the command line makes it very difficult (or impossible) to accidentally connect 2 different customers together.
    Think about that. Even if someone was able to get ssh enable access to your switch (you aren't running telnet anymore, right?!), they CAN'T connect 2 VRFs together with any command.
    And, yes, this is highly recommended by Cisco Engineers and is actually deployed far more than you think. I have VRF-lite running on at least 10 clients' networks and those are LARGE networks. VRF-lite was integrated into the environment purely to solve a Layer3 security class isolation issue. I have used Layer3 dot1q trunks on c6500 switches and tunnels to keep isolated connectivity between VRFs between switches.
    In Cisco speak, VRF-lite falls under the topic of 'Path Isolation' which is combined with other features that isolate traffic within the same network such as dot1q trunking, tunneling, VPN, policy-routing, and MPLS. Do a search on Cisco's web site for 'path isolation' and you will find a bunch of info.
    See the following URLs for a good start:
    http://www.cisco.com/en/US/netsol/ns658/networking_solutions_design_guidances_list.html
    http://www.cisco.com/en/US/netsol/ns658/netbr0900aecd804a17db.html
    http://www.cisco.com/en/US/netsol/ns658/networking_solutions_white_paper0900aecd804a17c9.shtml
    As always, rate all posts appropriately, particularly those that provide value and don't be shy about following up with additional questions or comments.
    Good luck!

  • Dial-In access to VRF Lite (MPLS VPN)

    Hi,
    I'm trying to implement a solution that gives the opportunity to dial in to a specific customer's VPN (VRF Lite).
    Configuration of the NAS is done using the cisco.com guide and seems OK. The NAS is using RADIUS to authenticate users, and if authenticated, RADIUS sends the specific user's virtual-profile configuration to the NAS. So far everything seems OK. I can dial in, successfully authenticate against RADIUS and download the virtual-profile configuration (DEBUG is pasted below).
    BUT, even though there is a command "virtual-profile aaa", and RADIUS sends all info, the Virtual-Access interface isn't created, or it is created without any configuration.
    Maybe this is happening because I'm using dialer-profile? Some Cisco documentation says that if there are dialer-profiles configured, the virtual-profile configuration can't be downloaded from AAA???
    Here is debug, You can see RADIUS to NAS communication:
    Aug 24 07:59:59: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to up
    Aug 24 08:00:00: RADIUS(000000A1): Storing nasport 20026 in rad_db
    Aug 24 08:00:00: RADIUS(000000A1): Config NAS IP: 0.0.0.0
    Aug 24 08:00:00: RADIUS/ENCODE(000000A1): acct_session_id: 247
    Aug 24 08:00:00: RADIUS(000000A1): sending
    Aug 24 08:00:00: RADIUS/ENCODE: Best Local IP-Address xxx.xxx.xxx.xxx for Radius-Server xxx.xxx.xxx.xxx
    Aug 24 08:00:00: RADIUS(000000A1): Send Access-Request to xxx.xxx.xxx.xxx:1645 id 21646/40, len 113
    Aug 24 08:00:00: RADIUS: authenticator C9 98 61 51 0F FF 0F C8 - FA A2 3E C1 5E 80 13 0E
    Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
    Aug 24 08:00:00: RADIUS: User-Name [1] 6 "vrft"
    Aug 24 08:00:00: RADIUS: CHAP-Password [3] 19 *
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 20
    Aug 24 08:00:00: RADIUS: cisco-nas-port [2] 14 "Serial2/0:26"
    Aug 24 08:00:00: RADIUS: NAS-Port [5] 6 20026
    Aug 24 08:00:00: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
    Aug 24 08:00:00: RADIUS: Calling-Station-Id [31] 9 "xxxxxxx"
    Aug 24 08:00:00: RADIUS: Called-Station-Id [30] 9 "xxxxxxx"
    Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
    Aug 24 08:00:00: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
    Aug 24 08:00:00: RADIUS: Received from id 21646/40 xxx.xxx.xxx.xxx:1645, Access-Accept, len 277
    Aug 24 08:00:00: RADIUS: authenticator 8D E7 52 2A 4B 72 88 9E - B8 85 38 CF 70 4A B7 79
    Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
    Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
    Aug 24 08:00:00: RADIUS: Framed-IP-Address [8] 6 10.10.8.5
    Aug 24 08:00:00: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.240
    Aug 24 08:00:00: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 54
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 48 "lcp:interface-config#1= ip vrf forwarding test"
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 68
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 62 "lcp:interface-config#2= ip address 10.10.8.1 255.255.255.240"
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 50
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 44 "lcp:interface-config#3= description horray"
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 49
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 43 "lcp:interface-config#4= encapsulation ppp"
    Aug 24 08:00:00: RADIUS: Framed-Routing [10] 6 0
    Aug 24 08:00:00: RADIUS(000000A1): Received from id 21646/40
    Aug 24 08:00:00: %ISDN-6-CONNECT: Interface Serial2/0:26 is now connected to xxxxxxx vrft
    Aug 24 08:00:00: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to down
    Please let me know if any other information is required.

    Besides, as I see, virtual-access interface's description is as configured on RADIUS, but all other configuration is from virtual-template. Why? Even if there are no overlapping configuration strings in Vtemplate and on AAA (like ip address etc), configuration string received from RADIUS isn't getting added to virtual-access interface configuration.

  • AAA Authentication and VRF-Lite

    Hi!
    I've run into a strange problem when using AAA RADIUS authentication and VRF-Lite.
    The setting is as follows. A /31 linknet is set up between PE and CE (7206/g1 and C1812), where the PE sub-if is part of an MPLS VPN, and the CE uses VRF-Lite to keep the local services separated (where more than one VPN is used..).
    Access to the CE, via telnet, console etc., will be authenticated by our RADIUS servers, based on the following setup:
    ---> Config Begins <---
    aaa new-model
    aaa group server radius radius-auth
    server x.x.4.23 auth-port 1645 acct-port 1646
    server x.x.7.139 auth-port 1645 acct-port 1646
    aaa authentication login default group radius-auth local
    aaa authentication enable default group radius-auth enable
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
    ip radius source-interface <outside-if> vrf 10
    ---> Config Ends <---
    The VRF-Lite instance is configured like this:
    ---> Config Begins <---
    ip vrf 10
    rd 65001:10
    ---> Config Ends <---
    Now - if I remove the VRF-Lite setup and use global routing on the CE (which is okay for a single-VPN setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
    I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

    Just wanted to help future people as some of the answers I found here were confusing.
    This is all you need from the AAA perspective:
    aaa new-model
    aaa group server radius RADIUS-VRF-X
    server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
    ip vrf forwarding X
    aaa authentication login default group RADIUS-VRF-X local
    aaa authorization exec default group X local if-authenticated
    Per VRF AAA reference:
    http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

  • Native Multi-VRF-Lite Design with EIGRP Question

    Hello,
    we are thinking about implementing a VRF-Lite design (no MPLS and MBGP) in our campus network (10,000 ports, 20x 6500 Sup720, 400x L2 switches). MPLS is from our point of view oversized for our requirements. We only need a segmentation between different departments. Our IGP is EIGRP.
    In the latest IOS release for the cat6500 (12.2.18SXD) there is finally VRF-Lite support for EIGRP.
    We could successfully test a design with different VRFs in our lab; the division works fine. But we didn't find a way to implement shared services. These are in our case DHCP, DNS, Internet access and some others. We thought about a redistribution between our global EIGRP routing table and the EIGRP VRF tables, but we didn't find a way to do this.
    How can we do this?
    Thanks

    Use a crossover cable to connect a port belonging to the global routing table to a port belonging to a VRF. This way you can leak EIGRP routes from the global routing table into the VRF (through that physical connection). The drawback is that you use 2 ports (that could instead be used for other things...).
    Another way to do this would be to use static routing; use ip route vrf VRF x.x.x.x m.m.m.m n.n.n.n global to allow traffic to go from the VRF into the global routing table.
    Hope that helps...

  • Using VRF-Lite in 6509 as Really Expensive IPS ByPass

    I have an IPS (Intrusion Prevention) unit that is causing me some problems with some of my servers in my ServerFarm. I would like to route most of my to/from ServerFarm traffic through the IPS, but use some policy-based routing with an ACL (preferably, a policy-based ACL) to allow some servers to bypass the IPS.
    So, I thought of taking my Cisco 6509 and making it into a Really Expensive Optical ByPass switch for this small group of servers. The challenge is that the IPS runs strictly at Layer 2. So if I connect the IPS in a loop to the 6509, I must change the MAC addresses on these interfaces on the 6509 so that each address is unique -- as well as assign unique IPs to each of the two interfaces, but the addresses must share the same L3 subnet. Of course, this leads to overlapping addresses on the 6509, which it does not like. So, I want to see if I can try a little VRF-lite to remove the overlapping address problem.
    To accomplish the bypass segment, I take a piece of fiber and just connect two ports together on the 6509, changing the MAC addresses and assigning the "overlapping" IPs (which is "solved" by placing the different ports in different VRFs, one port in the Global table and the other port in a standalone VRF). If I can do this without running this piece of fiber, I'd be welcome to the idea.
    I can fire up OSPF on all of my interfaces, raising the cost of the IPS Bypass link, and use the route-maps to try to route the Bypass traffic correctly. Unfortunately, the route-maps are not behaving. The traffic moves across the two links (one with IPS, one without) asymmetrically, which isn't what I want.
    I am uploading a diagram that will show a simplified example of what I am doing. Here is my config below. Does anyone have any ideas on what I am doing wrong, or a better way to do this? (I tried a VACL approach, but I could not redirect the traffic properly):
    ip vrf Srv
    description ServerNets
    rd 65000:10
    object-group ip address IPS-Ignore
    host 192.168.20.2
    interface GigabitEthernet1/3
    ip address 192.168.200.1 255.255.255.0
    ip policy route-map ServerNetIngress
    interface GigabitEthernet1/9
    description ServerNets
    no ip address
    ip flow ingress
    interface GigabitEthernet1/9.20
    description PublicServerNet
    encapsulation dot1Q 20
    ip vrf forwarding Srv
    ip address 192.168.20.1 255.255.255.128
    ip flow ingress
    ip policy route-map ServerNetEgress
    interface GigabitEthernet1/15
    description IPS-ByPass-Global
    mac-address 0015.c7c9.c10f
    ip address 192.168.15.73 255.255.255.252
    ip flow ingress
    ip ospf cost 100
    interface GigabitEthernet1/17
    description IPS-ByPass-Srv-VRF
    mac-address 0015.c7c9.c111
    ip vrf forwarding Srv
    ip address 192.168.15.74 255.255.255.252
    ip flow ingress
    ip ospf cost 100
    interface GigabitEthernet1/19
    description IPS-Scrub-Global
    mac-address 0015.c7c9.c113
    ip address 10.0.0.2 255.255.255.252
    ip flow ingress
    interface GigabitEthernet1/21
    description IPS-Scrub-Srv-VRF
    mac-address 0015.c7c9.c115
    ip vrf forwarding Srv
    ip address 10.0.0.1 255.255.255.252
    ip flow ingress
    router ospf 10 vrf Srv
    router-id 192.168.10.1
    log-adjacency-changes
    capability vrf-lite
    network 192.168.0.0 0.0.255.255 area 0
    router ospf 1
    router-id 192.168.0.1
    log-adjacency-changes
    network 192.168.0.0 0.0.255.255 area 0
    ip access-list extended IPS-Bypass
    permit ip addrgroup IPS-Ignore any
    permit ip any addrgroup IPS-Ignore
    route-map ServerNetIngress permit 100
    description ByPassIPS
    match ip address IPS-Bypass
    set global
    set ip next-hop 192.168.15.74 10.0.0.1
    route-map ServerNetEgress permit 100
    description ByPassIPS
    match ip address IPS-Bypass
    set ip vrf Srv next-hop 192.168.15.73 10.0.0.2
    I obfuscated my addresses, so don't let that throw you off too much.
    Clarke Morledge
    College of William and Mary

    Thank you for the suggestion. Just using the "set ip next-hop" in the respective route-map is sufficient and gets the job done. Unfortunately, my problem is more with how the policy-based ACLs (PBACLs) work; i.e. the lines with the object-group syntax in the config. My contact with the TAC tells me that PBACLs are not really supported to do policy-based routing. So because the PBACL is not working correctly all of the time, things don't get matched properly in the route-map for the policy-based route to get correctly applied.
    This is really too bad since the PBACL looks to be a quite handy feature. In my example -- at least in theory -- I should be able to make but one change to the "object-group" in order to properly handle the policy-based routing involving the two different route-maps. Alas, this is not as easy as I hoped for since making changes to the PBACL apparently produces unpredictable results -- and the TAC just tells me that the feature is not supported for what I want to do.

  • Extending VRF-lite to 6500??

    Hello,
    I have a simple scenario where there is a 6500 connected to a router (ISP end), on which we have planned to implement vrf-lite. There are basically 2 VLANs on the LAN, one production and one guest. We need to isolate the routing table instances between production and guest. We have planned to configure a trunk between the 6500 and the PE router at the ISP end. The 6500 acts as a CE here.
    Now, I want to extend the VRF information from the PE to the 6500 CE, since the layer 3 VLANs terminate on the 6500. I will define the same VRF information on the 6500 and isolate the VRF routing tables for the guest/production VLANs on the LAN also. I know we will require to configure VRF, RD, BGP etc. on the PE router and do an "ip vrf forwarding" on the subinterface of the router. What is the configuration required on the 6500 to extend the VRF-lite information to the end VLANs? Does anyone have any sample configs or links to which I can refer?
    Raj

    Well,
    first a sample config (not from a 6500, but you should be able to get the idea):
    ip vrf Cust1
    rd 65000:1
    ip vrf Cust2
    rd 65000:2
    interface FastEthernet0/0.100
    encapsulation dot1Q 100
    ip vrf forwarding Cust1
    ip address 10.1.1.1 255.255.255.252
    interface FastEthernet0/0.200
    encapsulation dot1Q 200
    ip vrf forwarding Cust1
    ip address 10.1.2.1 255.255.255.252
    interface FastEthernet0/0.300
    encapsulation dot1Q 300
    ip vrf forwarding Cust2
    ip address 10.20.1.1 255.255.255.252
    interface FastEthernet0/0.333
    encapsulation dot1Q 333
    ip vrf forwarding Cust2
    ip address 10.1.1.1 255.255.255.252
    !On a 6500 you could also have:
    interface vlan 400
    ip vrf forwarding Cust2
    ip address 10.1.123.1 255.255.255.252
    router rip
    address-family ipv4 vrf Cust1
    version 2
    network 10.0.0.0
    no auto-summary
    exit-address-family
    address-family ipv4 vrf Cust2
    version 2
    network 10.0.0.0
    no auto-summary
    exit-address-family
    The separation in the control plane (routing etc.) is achieved through the normal VRF configuration. Overlapping IPs and such are supported by having separate IP routing tables per VRF and VRF aware routing protocols like RIP, OSPF, etc.
    In the data plane, traffic is sorted by layer 2 encapsulation. In the example above, the dot1Q VLAN tag will deliver the same functionality as the MPLS VPN labels. If, for example, an IP packet with destination 10.1.1.1 arrives, the VLAN tag 100 or 333 will allow the VRF-lite CE to determine whether it belongs to Cust1 or Cust2. The same differentiation will take place for traffic from the CE to the PE. So the PE config is practically the same, BUT in addition MP-BGP and route-targets and MPLS towards the core are used.
    So no MPLS is needed on the VRF-lite CE router, no labels will be used, hence VRF-lite.
    The PE will not be the PHP LSR in the MPLS sense, because it is the LAST router in the MPLS network.
    Instead of the FastEthernet also VLAN interfaces can be used. The number of interfaces per VRF or the number of VRFs are limited by memory.
    Hope this helps! Please use the rating system.
    Regards, Martin

  • Vrf-lite (extranet solution)

    Hi,
    I have a requirement for an extranet solution (ASP model) where many customers will be connected to a central site. The spoke sites do not talk to each other, not even through the central site. One option is to use 1 VRF at the central site and import routes from all other spoke sites (different RD and RT at the spoke sites). This has been ruled out. So now my other alternative is to use multiple VRFs on a single access link (Ethernet in this case) between the CE and PE. I was thinking of using vrf-lite at the central site, but there are a few concepts I am not clear about.
    1) Can I get away without using vrf-lite on the central site? The PE configures an individual VRF for each 1.q interface, but the CE just uses 1.q without any VRF. For a start I am going to have only two/three sites, so I can either map the subinterface to a separate LAN port or I could do .1q on a single LAN int and map it to the WAN subinterface. Maybe this is not the best solution, but I do not want to go for an unnecessary solution.
    2) What are the advantages and disadvantages of using vrf-lite vs no VRF (if it is possible) in this scenario?
    Attached is a diagram.
    thanks,
    Arana

    Jon,
    I am back with some reading on vrf lite. I am pasting a sample configuration that I picked up from another post. I noticed that there is no 'network' statement or 'redistribute static'. My questions:
    1) If I am running BGP with the PE, what is the normal practice to advertise my routes per VRF?
    2) In the LAN do I run separate OSPF or EIGRP instances per VRF (per subinterface)? What is the best way?
    3) If I have static routes to other LAN routers, then I will be using 'redistribute static', right? Do I have to be specific about which static route I should redistribute to that VRF? If not, how does the router know which static route to redistribute to which VRF?
    I have attached a diagram. The below sample does not map to my diagram.
    frame-relay switching
    interface serial0/0/0
    encapsulation frame-relay
    interface serial0/0/0.1 point-to-point
    ip vrf forwarding A
    ip address x.x.x.x x.x.x.x
    frame-relay interface-dlci 100
    interface serial0/0/0
    encapsulation frame-relay
    interface serial0/0/0.2 point-to-point
    ip vrf forwarding B
    ip address y.y.y.y y.y.y.y
    frame-relay interface-dlci 101
    And So on for further interfaces.
    router bgp 1
    no synchronization
    bgp log-neighbor-changes
    no auto-summary
    address-family ipv4 vrf A
    neighbor x.x.x.x remote-as x
    no synchronization
    exit-address-family
    address-family ipv4 vrf B
    neighbor y.y.y.y remote-as y
    no synchronization
    exit-address-family
    Vikram,
    As long as we all can share/learn/solve problems, it is perfectly fine. I don't think I qualify to give you any advice, but here is what I have found in another post that might be of interest to you.
    In your post you mentioned that you do not think you can run MP-BGP between the two switches through the FW. In another post I had got an indication that you can run LDP between two PEs using a GRE tunnel. In your scenario you are going through a FW, and in that particular post the PEs are separated by a third service provider. So if you are open to exploring, this might be a solution for you.
    Hope this piece of information helps.
    thanks,
    Arana

  • VRF-Lite on one 6509; How to route traffic from global to VRF.

    To anyone that can lead me in the right direction:
    I have a 6509 switch with IOS "s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...

    Hello,
    You need to use static routes in both directions: one static in the VRF table points to the global interface, and another one in the global table points to the VRF interface for the received traffic. After that, you can redistribute the global static route into EIGRP for end-to-end connectivity!
    Example:
    Consider you have 2 interfaces in your Core SW-6509: One is G0/1 and the other is G0/2
    G0/1 is placed into the Global table , and G0/2 is part of VRF (X)
    interface G0/1
    IP address 1.1.1.1 255.255.255.0
    interface G0/2
    ip vrf forwarding X
    ip address 2.2.2.2 255.255.255.0
    Consider Subnet Y.Y.Y.Y in the Global and you want to have it accessible from the VRF!
    Configure this: (ip route vrf X y.y.y.y y.y.y.y G0/1 global)
    Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
    You can then redistribute the global static into EIGRP as below:
    router eigrp 1
    no auto-summary
    redistribute static metric 1 1 1 1 1
    HTH
    Mohamed
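    As an added, worked version of the same technique (not Mohamed's configuration; the addresses, VRF name and next hops are constructed), here is a global-to-VRF leak on a single Catalyst 6500 running VRF-lite, with the statics in both directions written out with real masks and the EIGRP metric given as its five components. Only the prefixes that are explicitly listed cross the boundary; everything else in the VRF stays isolated from the global table, which is the property the VRF was created for.

```cisco
! Added example (constructed addresses, not the poster's configuration).
! Leak one global prefix into VRF X, and VRF X's LAN back into the global
! table, using only static routes on one switch.
ip vrf X
 rd 65000:10
!
interface GigabitEthernet0/1
 description Global side, EIGRP runs here
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description VRF X side
 ip vrf forwarding X
 ip address 2.2.2.2 255.255.255.0
!
! Global -> VRF direction.  VRF X gets a route for the global prefix
! 10.50.0.0/24; the "global" keyword makes the next-hop lookup happen in
! the global table instead of in VRF X (where 1.1.1.254 does not exist).
ip route vrf X 10.50.0.0 255.255.255.0 1.1.1.254 global
!
! VRF -> global direction.  The global table learns the VRF-side LAN and
! one further subnet that sits behind a router at 2.2.2.10 inside VRF X.
! Pointing at the VRF interface (plus the VRF next hop) is what lets a
! global-table route exit into the VRF.  Nothing else in VRF X is
! reachable from global.
ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
ip route 172.20.0.0 255.255.0.0 GigabitEthernet0/2 2.2.2.10
!
! Tell the rest of the global EIGRP network about the leaked VRF prefixes.
! The five metric values are bandwidth (kbit/s), delay (tens of usec),
! reliability, load and MTU; a route is not redistributed without them.
router eigrp 1
 no auto-summary
 network 1.1.1.0 0.0.0.255
 redistribute static metric 100000 100 255 1 1500
```

    After applying it, show ip route vrf X should show 10.50.0.0/24 as a static with next hop 1.1.1.254, and show ip route (global) should show 2.2.2.0/24 and 172.20.0.0/16 as statics out of GigabitEthernet0/2; a neighbour on the global side should then see the two VRF prefixes as EIGRP external (D EX) routes. Leaking a default route or a very broad summary in either direction would silently collapse the separation between the two tables, so keep both statics as specific as the requirement allows.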

  • How many VRF-Lite Routing Instances can a 6509-E with a 720-Sup module run?

    I know that in a 4500 style switch it supports a maximum of 64 VRF-lite routing instances. However what is the maximum amount of VRF-Lite routing instances can a 6509-E switch support with a Sup-720 sup module?

    Sup 720  supports 1024 VRF Lites
    see table-1 in this link:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_data_sheet09186a0080159856.html
    HTH

  • What is VRF-Lite

    Can anyone explain what is the difference between VRF and VRF Lite. What is the main purpose/application of VRF Lite?
    Thanks in advance
    AK

    VRF-lite is a leaner, cut-down version of MPLS-VRF.
    Where in MPLS-VRF you need labels for VPN traffic switching, you don't need labels in VRF-lite.
    VRF-lite mainly relies on routing, using multiple virtual routing instances created for each VRF, for switching traffic. There is no label switching for VRF-lite.
    Since there is no label switching, you need to populate the VRFs on every hop in your network. For example |Lan--PE1---PE2---PE3--Lan|
    PE1 has 2 VRFs connected to a local LAN; to route these VRFs to the other end (PE3), you will need to have dedicated interfaces (or subinterfaces) on each hop and enable routing instances for each VRF on each hop.
    But with MPLS-VRF you need to just enable the VRFs on PE1 and PE3 with MP-BGP and label switching enabled.
    So the advantage of VRF-Lite is to have virtualization of your sub-networks at a smaller scale. If you have a big network, you may very well consider implementing MPLS (even though you may be an enterprise).
    HTH-Cheers,
    Swaroop

  • Need help on VRF lite

    I have implemented the VRF lite feature for one of the customers... it's working fine. But I'm not so clear on the following command... Can anyone explain the same?
    router ospf 511 vrf abc
    capability vrf-lite <-------- What is the use of this command? Is this related to BGP to OSPF redistribution?

    Hi,
    VRF lite converts the router into multiple virtual routers each one with its separated routing table, interfaces and routing protocols.
    The OSPF Support for Multi-VRF on CE Routers feature provides the capability of suppressing provider edge (PE) checks that are needed to prevent loops when the PE is performing a mutual redistribution of packets between the OSPF and BGP protocols. When VPN routing and forwarding (VRF) is used on a router that is not a PE (that is, one that is not running BGP), the checks can be turned off to allow for correct population of the VRF routing table with routes to IP prefixes.
    When the OSPF process is associated with the VRF, several checks are performed when link-state advertisements (LSAs) are received. PE checks are needed to prevent loops when the PE is performing a mutual redistribution between OSPF and BGP interfaces. In some situations, performing PE checks might not be desirable. The concept of VRFs can be used on a router that is not a PE router (that is, a router that is not running BGP). With the capability vrf-lite command, the checks can be turned off to allow correct population of the VRF routing table with routes to IP prefixes.
    This command suppresses the Provider Edge (PE) specific checks on a router when the OSPF process is associated with the VRF.
    HTH, please do rate all helpful posts,
    Mohammed Mahmoud.
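    To make the effect of the command concrete, here is an added two-router example (constructed names, router IDs and addresses; not the poster's configuration) of the situation the checks exist for. The PE redistributes the VPN's BGP routes into the customer's OSPF instance and marks the LSAs it originates (DN bit on Type-3 LSAs, the VPN domain tag on Type-5 LSAs). A router whose OSPF process is bound to a VRF discards LSAs marked that way, because on a real PE that is how a route it injected itself is kept from being learned back and re-redistributed into BGP. On a CE running VRF-lite there is no BGP, so the check only throws away legitimate routes, and capability vrf-lite turns it off.

```cisco
! Added example (constructed names and addresses, not the poster's config).
!
! ---- PE (provider side, runs MP-BGP for VRF abc) ----
router ospf 1 vrf abc
 router-id 10.255.0.1
 network 10.10.1.0 0.0.0.255 area 0
 ! Routes from the VPN enter OSPF here.  The PE marks the resulting
 ! LSAs (DN bit on Type-3, domain tag on Type-5) so that another PE
 ! will not learn them back and redistribute them into BGP again.
 redistribute bgp 65100 subnets
!
! ---- CE running VRF-lite: no BGP, OSPF process bound to VRF abc ----
ip vrf abc
 rd 65100:511
!
interface GigabitEthernet0/0
 ip vrf forwarding abc
 ip address 10.10.1.2 255.255.255.0
!
router ospf 511 vrf abc
 router-id 10.255.0.2
 network 10.10.1.0 0.0.0.255 area 0
 ! Without the next line the CE applies the PE checks and ignores the
 ! marked LSAs from the PE: the adjacency is FULL, but
 ! "show ip route vrf abc" shows none of the inter-area or external
 ! routes the PE injected from the VPN.
 capability vrf-lite
!
! The command has no relation to BGP->OSPF redistribution on the CE
! (there is no BGP process here); it only disables the PE-specific
! checks on received LSAs for this VRF-bound OSPF process.
```

    The quick way to confirm which side of the command you are on: if show ip ospf on the CE reports that the process is connected to a VRF and the VPN-originated prefixes are missing from show ip route vrf abc while show ip ospf database for that process does list them, the LSAs are arriving but being rejected by the PE checks, and capability vrf-lite is the missing piece. On a true PE that is mutually redistributing OSPF and BGP, leave the command off, since it is the loop protection.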
