VRF-Lite on one 6509; How to route traffic from global to VRF.

To anyone that can lead me in the right direction:
I have a 6509 switch with IOS "s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...

Hello,
You need to use (static routes) in both directions: one static in the VRF table that points to the global interface, and another one in the global table that points to the VRF interface for the received traffic. After that, you can redistribute the global static route into EIGRP for end-to-end connectivity!
Example:
Consider you have 2 interfaces in your core SW-6509: one is G0/1 and the other is G0/2.
G0/1 is placed into the global table, and G0/2 is part of VRF (X):
interface G0/1
 ip address 1.1.1.1 255.255.255.0
interface G0/2
 ip vrf forwarding X
 ip address 2.2.2.2 255.255.255.0
Consider subnet Y.Y.Y.Y in the global table that you want to have accessible from the VRF!
Configure this: (ip route vrf X y.y.y.y y.y.y.y G0/1 global)
Also configure this for the return traffic from the global table: (ip route 2.2.2.2 z.z.z.z G0/2)
You can then redistribute the global static into EIGRP as below:
router eigrp 1
 no auto-summary
 redistribute static metric 1 1 1 1 1
HTH
Mohamed
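
An added example, not part of the original thread and not Cisco tooling: each static route of the kind described above is a deliberate crossing between the global table and the VRF, so this Python audit lists them from a saved configuration and notes whether the global one is being advertised through "redistribute static". The sample configuration is constructed from the answer's example (10.10.0.0/16 and the next hop 1.1.1.254 are assumed values), and the interface-abbreviation matching is a simplification.

```python
import re
from collections import namedtuple

Leak = namedtuple("Leak", "direction vrf prefix mask redistributed")

# Constructed sample, modelled on the answer's example; 10.10.0.0/16 and the
# next hop 1.1.1.254 are assumed values standing in for its placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 ip vrf forwarding X
 ip address 2.2.2.2 255.255.255.0
router eigrp 1
 no auto-summary
 redistribute static metric 1 1 1 1 1
ip route vrf X 10.10.0.0 255.255.0.0 1.1.1.254 global
ip route 2.2.2.0 255.255.255.0 G0/2
ip route 0.0.0.0 0.0.0.0 1.1.1.254
"""

def _split_ifname(name):
    """'G0/2' -> ('g', '0/2'); returns None for IP addresses and keywords."""
    m = re.fullmatch(r"([A-Za-z-]+)([\d/.:]+)", name)
    return (m.group(1).lower(), m.group(2)) if m else None

def _same_interface(a, b):
    # Treat an abbreviation (G0/2) and the full name as the same port.
    a, b = _split_ifname(a), _split_ifname(b)
    if not a or not b or a[1] != b[1]:
        return False
    return a[0].startswith(b[0]) or b[0].startswith(a[0])

def find_leaks(config_text):
    vrf_of_iface, routes, section, redist = {}, [], None, False
    for raw in config_text.splitlines():
        words = raw.split()
        kw = [w.lower() for w in words]
        if not words or kw[0].startswith("!"):
            continue
        if kw[0] == "interface" and len(words) > 1:
            section = ("interface", "".join(words[1:]))
        elif kw[:2] == ["router", "eigrp"]:
            section = ("eigrp", None)
        elif kw[0] == "address-family" and "vrf" in kw:
            section = None          # per-VRF address family, not the global table
        elif kw[:2] == ["ip", "route"]:
            routes.append(words[2:])
        elif section and section[0] == "interface" and "forwarding" in kw:
            vrf_of_iface[section[1]] = words[-1]   # "ip vrf forwarding X"
        elif section and section[0] == "eigrp" and kw[:2] == ["redistribute", "static"]:
            redist = True           # global statics are advertised into EIGRP

    leaks = []
    for r in routes:
        low = [w.lower() for w in r]
        if low[:1] == ["vrf"] and len(r) >= 4:
            # VRF static route whose next hop is resolved in the global table
            if "global" in low[4:]:
                leaks.append(Leak("vrf->global", r[1], r[2], r[3], False))
            continue
        for tok in r[2:]:
            # Global static route whose exit interface belongs to a VRF
            vrf = next((v for i, v in vrf_of_iface.items() if _same_interface(i, tok)), None)
            if vrf:
                leaks.append(Leak("global->vrf", vrf, r[0], r[1], redist))
                break
    return leaks
```

Calling find_leaks(SAMPLE_CONFIG) returns one entry per direction; the ordinary default route is not reported.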

Similar Messages

  • 2 Gateways Sharing One Subnet - How to route traffic in and see each other?

    Hello,
    First, thanks for your feedback in advance.
    I am rolling over from CheckPoint Security Gateways to Fortinet Gateways so I have set up one of each within my datacenter subnet as I wanted to keep the same subnet 192.168.10.0/24 and just roll over from CheckPoint to Fortinet. 
    My current production datacenter gateway (checkpoint) resides on 192.168.10.1/24 with its own External IP. 100+ ip-sec vpn tunnels communicate through this gateway and happily talk to several servers on the datacenter side (ex. 192.168.10.20, 192.168.10.22, etc)
    Since I am preparing to roll over from CheckPoint to Fortinet, I've placed the new gateway in the same datacenter at 192.168.10.2/24, with its own external IP. I've also dropped in a test server at 192.168.10.121 with the gateway pointing to the new Checkpoint.
    It happily gets out to the internet via the new gateway, 192.168.10.2.
    I can get out to the world via each gateway when I am behind my datacenter and I configure the gateways on each server.  And, they can all see each other and communicate within the 192.168.10.X network.
    However, I cannot go from a Checkpoint tunnel network (ex: 192.168.50.X), go through the CheckPoint datacenter gateway, 192.168.10.1 (via its tunnel) and hit my Fortinet Test server at 192.168.10.121 (fortinet test server gateway set to 192.168.10.2).
     I have the IP statically set in the CheckPoint's DNS server at 192.168.10.20 to 192.168.10.121, but from the 192.168.50.X or any CheckPoint subnet, I can't ping or connect to it.
    Vice-versa, I can go from a fortinet subnet (192.168.195.X) and hit my test server 192.168.10.121.  However, I cannot go from a Fortinet tunnel network 192.168.195.X, go through my new Fortinet datacenter gateway, 192.168.10.2 (via its tunnel), and hit any of my CheckPoint-side servers, 192.168.10.20, 192.168.10.22, etc.
    Specifically, all of my scanners at the 100+ sites scan and send via an smtp server within my datacenter (192.168.10.56).  When I deploy the new gateway, the scanner at the office cannot access this IP address to send the email.
    Is there a way to sync two AD/DNS servers within my Datacenter but with different gateways?   In theory, I'd like the request to come in from the outside (whether a checkpoint network or the new fortinet) it will look into its respective AD/DNS and point it to the 192.168.10.56 smtp server.
    It does not have to be AD/DNS, but that was the first idea that popped in my head.  I am definitely open to the most efficient and stable method as I have to roll over 100 sites.
    Thank you again!

    Hi Strike First,
     One issue is that we have over 100 remote sites that we are converting from CheckPoint to Fortinet.  And, we do not have the man power to do a single night cutover as these are offices in remote locations.
    I am a little confused on the layout you are proposing:
    Set up fortinet as the backend firewall, point all internal gateways to this backend firewall, then have this firewall NAT through the current CheckPoint firewall?
    Thank you very much for your guidance.

  • How to route traffic across subnets when one NIC is a hyper-V virtual switch?

    Having a bit of a problem with a hyper-V environment which does not seem to route network traffic on two different subnets between each other.
    If it were a purely physical server with two NICs and a gateway set traffic would automatically be forwarded between the two different subnets.
    However when one of those NICs is a hyper-V virtual switch this simple routing no longer seems to work and no traffic gets forwarded between subnets?
    Situation is:
    Hyper-V server with two NICs
    NIC 1 = 192.168.0/24 - main Internal company network.
    NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router
    Virtualized Domain Controller.
    One or two virtualized NICs as necessary
    How then does traffic get routed between these two subnets?  If RRAS has to be configured to do this where is the best place to do it, on the hyper-V host or on the virtualized domain controller?
    Thanks,

    Hi,
    You can create an internal virtual switch and configure an IP for it (I assume it is 192.168.1.2/24).
    After you enable RRAS in the hyper-v host there will be two gateways for different subnets.
    "NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router"
    The problem is here, if these VMs need to access the internet.
    So, these VMs cannot configure their gateway the same as the IP of the internal virtual switch; you may set the VM's gateway as the ADSL internet router's IP and meanwhile add a static route entry for every VM.
    Please refer to the Syntax :
    route add -p 192.168.0.0 mask 255.255.255.0 192.168.1.2
    Hope this helps
    Best Regards
    Elton Ji

  • GRC CUP how to pull manager from Global directory or Active directory

    Hi,
    How can I pull the manager from the global directory or Active Directory as approver? We are designing a dual control approval process. First the manager from the global directory can approve, then the role owner. In the workflow stages I can only see that approver information has to be entered manually in CAD. Also, I am looking for this: when a requestor is requesting a request, it should automatically fetch manager information on the request page once the user ID is selected.
    Thanks
    Mushu

    Dear Mushu,
    Two things you need to do
    1.) Maintain the Manager's Field in Active Directory and do mapping in CUP>Configuration>Field Mapping-->LDAP Mapping
    2.) Keep LDAP as authentication system so that whenever a User has to log into the CUP he will do using his network id and his manager is automatically pulled from Active Directory.
    Then in the workflow you can keep the approver determinator as Manager by which the request will routed to the appropriate manager. Hope that helps.
    Edited by: celestemay17 on Dec 8, 2010 12:05 PM

  • Migrating Interface from Global to VRF

    Hi All,
    We are trying to move interfaces from the global routing table to a VRF interface, and during that process we are trying to move the EIGRP configuration belonging to that interface from the global configuration to the address-family ipv4 instance of EIGRP under the VRF.
    We are trying to figure out how to populate the passive-interface command under the address-family ipv4 vrf, but couldn't find the command supported in 12.2(18)SXF15 for the Cisco 7600 router. Do we have to configure the passive-interface command alone in the global EIGRP instead of the address-family? Any help would be really appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Anantha,
    "passive-interface" under the "address-family" is only available starting with 12.2(33)SRB.
    In the version you are currently running, configuring "passive-interface" globally will take effect even for specific VRF interfaces though.
    Regards

  • Nexus 7000 route leak from GRT (default VRF) to other VRF's

    Hello
    We have a Nexus 7000 infrastructure whereby we have had multiple VDC's and VRF's deployed. A requirement has now come about whereby one of these VRF's needs to be able to see our GRT (default VRF) so we need to leak the GRT routes into the VRF and vice versa.
    I have been doing a lot of reading and I am happy with how this works with inter-VRF route leaking, but I seem to be missing a few things in respect of how this works with the GRT.
    I have also read on another forum that this is not supported. See link below.
    https://supportforums.cisco.com/document/133711/vrf-configuration-and-verification-nexus-7000
    Does anyone have experience of this? I can also see how this works in IOS and I have GNS3 and got this working.
    We use BGP currently so we are able to use MP-BGP if required.
    Any help would be very useful.

    Hi,
    In Table 14 of the Cisco Nexus 7000 Series NX-OS Verified Scalability Guide the verified limit is specified as 1000 per system i.e., across all VDCs for NX-OS release 5.2, 6.0 and 6.1.
    There is a footnote associated with this number which states:
    With each new VDC configured, the number of configurable VRFs per system is reduced by two as each VDC has a default VRF and management VRFs that are not removable. For example, with 8 configured VDCs on Cisco NX-OS Release 5.2, you can configure up to 984 VRFs per system (either all in one VDC or across VDCs).
    Regards

  • 1 server, 2 networks how to route traffic to both

    Hi i have NW65SP7
    what i'm trying to do is
    1. to have users come in thru the data network (192.168.0.0) and the traffic
    go back out thru the default gateway (192.168.0.1) and
    2. i want LDAP traffic to go in thru the other network (10.1.0.0) and
    backout thru the same networks gateway (10.1.0.1).
    1. works fine and all seems to go up and down the right network, however 2.
    comes down 10.1.0.0 and backout thru the default gateway on 192.168.0.1. I
    don't\can't have this as the firewall rejects the packet as the source and
    destination networks are different ie. the fw sees the packet come in thru
    10.1.0.0 but when the server sends it back out thru 192.168.0.0 the firewall
    rightly drops it
    How do i get 2. to work as i want, can this even be done on NW.
    What i've done so far is
    a. enabled Static Routing
    b. created a default route (192.168.0.1) with a metric of 2
    c. created a network route for 10.1.0.0 (10.1.0.1) with a metric of 1

    "Thorsten Kampe" <[email protected]> wrote in message
    news:[email protected]...
    >* Steven Lim (Mon, 08 Dec 2008 01:57:27 GMT)>
    >> ok i'll try again but i thought that i did explain it so i'm not sure how
    >> my
    >> second attempt will go ;)
    >
    > Is the NetWare server the router? Which addresses do the server's
    > interfaces have? Which default gateway do the hosts in the network have?
    > Any static routes?
    No the netware server is not the router
    The server has 1 interface but two vlans trunked to the one interface, each
    vlan has a separate IP. I can ping each IP on each of the trunked vlans
    fine. I'm using Broadcom Q57 NICS and the QASP\BASP advanced driver to
    support the trunked vlans. Don't let that confuse the issue though..it's
    basically the same as having two nic interfaces connected to two separate
    networks in this case lets say 192.168.0.10 and 10.0.0.10
    Just so we're on the same page, we have a very large routed network with
    over 250 subnetworks with 4 10G interconnected core routers each with a 10G
    distribution routers, buildings\user\server networks hang off the
    distribution routers. Client machines are distributed across the network
    and are not on the same vlan\subnet as the servers.
    A server on 192.168.0.0 will have a default gateway of 192.168.0.1 and
    servers on 10.0.0.0 will have a default gateway of 10.0.0.1 there are no
    clients machines on these subnets....btw we don't really have a 192.168.0.0
    network..i'm just using this as an example.
    The NW server has 1 static route configured as the default gateway on
    192.168.0.1...and i've been trying to work out how to configure another
    static route to make sure that all incoming and outgoing traffic for
    10.0.0.0 stays on 10.0.0.0 or whatever else i need to do to get it working
    >> i have two networks 192.168.0.0 and 10.0.0.0
    >>
    >> 1. I want all traffic that originates from 192.168.0.0 to go back thru
    >> the
    >> 192.168.0.0 gateway on 192.168.0.1 (currently the default gateway
    >> configured
    >> in inetcfg static routing table).
    >
    > In case the NetWare server is the router you only have to enable routing
    > - the server's default gateway is completely irrelevant for that. Of
    > course the hosts in the networks have to have the router as the default
    > gateway (or a static route).
    Clients are fine, lets say that they are on 192.168.1.0 to 192.168.255.0 and
    they have default gateways on their subnets the go thru x.x.x.1 (eg.a
    192.168.1.0 machine will have a default gateway of 192.168.1.1 and a
    192.168.2.0 machine will have a default gateway of 192.168.2.1 etc)
    >> 2. I want all ldap traffic, in my case this will be ldap port 389 and
    >> 636,
    >> that originates from network 10.0.0.0 to go back thru the gateway
    >> 10.0.0.1.
    >
    > Routing is not (application) protocol specific. You can either route all
    > IP packets or none a certain route. Please have a look at the routing
    > table of your computer to see what I mean.
    Yes i understand that routing is not application\protocol specific
    When you say "have a look at the routing table" i assume you mean the
    netware server....i've done that using TCPCON..i can see the issue..just not
    sure how to get it to do what i want
    > Also what you might want is called source routing[1] and this is mostly
    > blocked because it opens a huuuuge security hole.
    >
    >> This is required because the firewall requires that if a response is
    > to go
    >> out to a client then then it must go out over the same network that it
    >> originated from. This is the part that's not currently working. At the
    >> moment the query comes in from 10.0.0.0 and the response tries to go
    >> out
    >> via the default gateway on 192.168.0.1 the firewall blocks the outgoing
    >> traffic....basic stuff!!!
    >
    > I wonder where and how you put that firewall if you have only two
    > subnets and one router. Is this Bordermanager on the NetWare server?
    See above re. the network...the firewall\s are blades within the core
    routers and support virtual firewalls that can be applied to any part of the
    distribution\access layer of the network.
    Does that make any more sense???
    > Thorsten
    > [1] http://en.wikipedia.org/wiki/Source_routing

  • HT1751 do any one know how to take music from my iphone to my new computer

    Family, I had a laptop with my iTunes library. It crashed, but my music is on my iPhone and now I have a new desktop. How do I transfer my music here for backup if anything happens to my phone?

    Have you failed to maintain a backup copy of your computer?
    The iPhone is not a storage/backup device.  The sync is one way - computer to iPhone.  The exception is iTunes purchases:  File>Devices>Transfer Purchases

  • How to route traffic to a static public IP address on my private network

    Here is my topology:
    ISP Modem ---------------- (gig0/0) Cisco Router (gig0/1) -----------------Cisco Switch--------------------Server
                                           60.70.80.90             172.16.0.1                     172.16.0.2                         60.70.80.91
    Gateway: 60.70.80.89
    Netmask: 255.255.255.240
    Scenario:
    My ISP has given me 5 static IP addresses in which I want to assign one of them to one of my servers that lies within my private network.  I am wondering what kind of configurations I would need to be able to access my server from outside my private network using one of the static IP addresses that was given from my ISP. Does this need some sort of static NAT on top of the inside/outside NAT I have done on my router? Thanks
    Best Regards,
    Sean

    Duplicate post. 
    Go HERE.

  • How to route traffic between two different interfaces

    Hi,
    I need to setup a routing between two different interfaces on a host.
    Interface ce1 : 192.168.120.12
    Interface ce2 : 192.168.110.50
    Is it possible to add a route which enables the ce2 interface to catch packets from the ce1 interface ?
    Regards,
    Armin

    The problem is an application which is only able to listen on one interface.
    To fix this, I have to make all packages visible on one interface.

  • Multiple devices, one email - how can I see from iPad if I've replied from iPhone.

    Hi, I use both my iPhone and iPad to access my email. When I reply to a message on a device, I get an icon on the email on that device showing that I've replied. However, when I access the same email account from the other device, I don't see a replied icon. Any way I can get the replies syncing so that I can see if I've replied across multiple devices?
    (Particularly useful since my wife and I share one of the emails we access so useful to see if the other one of us has replied)
    Thanks
    Ed

    DumpyCorp wrote:
    Any and all help will be appreciated.
    Then go back to your first post and the response in there. There really is a viable solution for your issues in that discussion.
    https://discussions.apple.com/message/22927224#22927224

  • HT1766 I did 2 back ups on one date. how can I restore from first back up from same date? I don't see in my list of back ups as 2nd back up overtook first back up.

    I was syncing my iPhone with iTunes and there was an update which the system started downloading, then something happened and I had to restart my computer. When I restarted my computer, iTunes started backing up my iPhone even though there was nothing left on it. Now this second backup overtook my first backup
    and in that process I cannot go back to my first backup (as it's from the same date, I guess). I have lost all my contacts. I did not have any iCloud backup, and my contacts are not being backed up locally on my computer either. If anyone knows how to find a backup other than those listed in the backup list, please help. Thanks

    Can I add my existing, licensed apps to my list of 'Purchases' on the Mac App Store so I don't have to buy them twice?
    No. Only apps purchased from the App Store can be re downloaded for free including updates.

  • How to transfer data from my old mac to a new one?, how to transfer data from my old mac to a new one?

    I have a new macbook pro, but didn't transfer  data of my old mac to this one. I cannot find a transfer assistent or other tool to get this done. What is the best way to do this?

    You may find this link very useful:
    http://pondini.org/OSX/Setup.html
    Ciao.

  • What is business one ? how is it different from sap R/3,?

    Does B1 need special expertise in SAP? Can an R/3 consultant run the transactions and customisations in B1 with ease? Please answer my queries.
    REGARDS
    Sunkari

    hi vinod,
    Some of the differences between SAP B1 and SAP R/3:
    1. SAP Business One is SAP's offering for small and mid size companies, while R/3 is SAP's offering for large companies.
    2. SAP Business One is software that was bought over by SAP and it has been greatly enhanced over time.
    SAP R/3 is indigenous to SAP and it has also undergone various re-engineering over time. Example: SAP ECC.
    3. SAP Business One and SAP R/3 are built on the concept of client/server architecture. SAP Business One is a (2-tier) client/server architecture; SAP R/3 is based on a three tier/n-tier client/server architecture.
    Jeyakanthan

  • Does any one know how to unlock phone from landscape mode

    my iphone 4 for some reason locked its rotation from landscape to normal how can i fix this

    iPhone User Guide (For iOS 4.2 and 4.3 Software)
