VRF Route leaking to internet

I'm just starting to learn about route leaking today, so I'm still trying to figure this out.
In short, I've created three vlans and put them in a vrf and would like them to access the internet. At this point, I have the vrf created, vlans assigned and a global route leaked from the vrf to the gateway of last resort. A machine in the vrf is able to ping all three vlan gateways, but still cannot get to the internet.
I have everything on a 6509 core switch, and my firewall is an ASA 5505. I've also tried putting routing configs in using eigrp, but the vrf networks never made it to the ASA. Attached are my configs on both. If anyone could help me with what I'm missing that would be great. Thanks!
****  6509 Config  ****
lab-core6509#sh run
Building configuration...
Current configuration : 22128 bytes
! Last configuration change at 17:31:43 pst Tue Jan 7 2014 by rmf
! NVRAM config last updated at 12:30:19 pst Tue Jan 7 2014 by rmf
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
service counters max age 5
hostname lab-core6509
boot-start-marker
boot system flash disk0:s72033-ipservicesk9_wan-mz.122-33.SXI.bin
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone pst -8
clock summer-time PDT recurring
clock calendar-valid
ip subnet-zero
ip dhcp excluded-address 192.168.80.1 192.168.80.9
ip dhcp pool 192.168.80.0/24
   network 192.168.80.0 255.255.255.0
   default-router 192.168.80.1
   domain-name procopio-guest.com
   dns-server 8.8.8.8
ip vrf bingfish
rd 123:1
ip domain-name company.local
mls ip slb purge global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action reset
spanning-tree mode pvst
diagnostic bootup level minimal
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric timer 15
redundancy
main-cpu
  auto-sync running-config
mode sso
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface Port-channel10
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet1/1
switchport
switchport access vlan 500
switchport mode access
spanning-tree portfast edge
~SNIP~  (I don't think anyone cares about all the interface configs!)
interface Vlan510
description voice server net
ip address 10.90.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan666
ip address 10.90.253.1 255.255.255.0
interface Vlan851
description bingfish client net
ip vrf forwarding bingfish
ip address 10.249.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan852
description bingfish server net
ip vrf forwarding bingfish
ip address 10.249.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan853
description bingfish management net
ip vrf forwarding bingfish
ip address 10.249.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan901
description guest network
ip address 192.168.80.1 255.255.255.0
ip access-group guest-net in
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan912
description internet perimeter
ip address 10.91.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan999
description management net
ip address 10.90.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
router eigrp 200
network 10.0.0.0
address-family ipv4 vrf bingfish
  autonomous-system 99
  network 10.249.1.0 0.0.0.255
  network 10.249.2.0 0.0.0.255
  network 10.249.3.0 0.0.0.255
  redistribute static metric 10000 100 255 1 1500
exit-address-family
ip classless
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
no ip http server
no ip http secure-server
ip access-list extended guest-net
deny   ip any 10.0.0.0 0.255.255.255
permit ip any any
control-plane
dial-peer cor custom
line con 0
exec-timeout 30 0
line vty 0 4
exec-timeout 30 0
line vty 5 15
exec-timeout 30 0
ntp logging
ntp authenticate
ntp trusted-key 10
ntp clock-period 17179851
ntp source Vlan500
ntp master
ntp server 10.90.1.50 prefer
end
****  ASA 5505 Config  ****
lab-5505asa# sh run
: Saved
ASA Version 8.2(5)
hostname lab-5505asa
domain-name company.local
names
dns-guard
interface Ethernet0/0
description inside
interface Ethernet0/1
description outside
switchport access vlan 2
interface Ethernet0/2
description dmz
switchport access vlan 4
speed 100
duplex full
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.91.1.2 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.128
ospf cost 10
interface Vlan4
nameif DMZ
security-level 50
ip address 172.16.35.1 255.255.255.0
ospf cost 10
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name company.local
object-group service DM_INLINE_SERVICE_1
service-object tcp eq domain
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host 10.90.1.10
network-object host 10.90.1.11
object-group network DM_INLINE_NETWORK_2
network-object host <outside ip>
network-object host <outside ip>
object-group service DM_INLINE_SERVICE_2
service-object tcp eq domain
service-object udp eq domain
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq 3008
port-object eq 3010
port-object eq ssh
object-group network DM_INLINE_NETWORK_3
network-object 216.9.240.0 255.255.240.0
network-object 68.171.224.0 255.255.224.0
object-group service DM_INLINE_TCP_4 tcp
port-object eq 3268
port-object eq 3269
port-object eq ldap
port-object eq ldaps
object-group network DM_INLINE_NETWORK_6
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_7
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_8
network-object host 172.16.36.45
network-object host 172.16.36.46
object-group service DM_INLINE_TCP_6 tcp
port-object eq 2598
port-object eq citrix-ica
port-object eq www
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_4
network-object host <outside ip>
network-object host <outside ip>
network-object host <outside ip>
object-group network DM_INLINE_NETWORK_5
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_10
network-object host 172.16.36.15
network-object host 172.16.36.42
object-group network xenapp_servers
network-object host 10.90.1.45
network-object host 10.90.1.46
network-object host 10.90.5.54
object-group network xendesktop_servers
network-object host 10.90.1.38
network-object host 10.90.1.54
object-group network DM_INLINE_NETWORK_11
network-object host 172.16.36.10
network-object host 172.16.36.42
network-object 10.80.1.0 255.255.255.0
group-object xenapp_servers
group-object xendesktop_servers
object-group network DM_INLINE_NETWORK_9
network-object host 172.16.36.27
network-object host 172.16.36.31
object-group network DM_INLINE_NETWORK_12
network-object host 74.117.58.150
network-object host 97.95.240.159
object-group network DM_INLINE_NETWORK_13
network-object 10.90.10.0 255.255.255.0
network-object 192.168.80.0 255.255.255.0
network-object 10.249.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_14
network-object 10.90.1.0 255.255.255.0
network-object 10.90.5.0 255.255.255.0
access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_12 any log disable
access-list outside_access_in extended permit tcp any host <outside ip> eq 3389 log disable
access-list outside_access_in extended permit tcp any host <outside ip> eq smtp log disable
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable
access-list dmz_access_in extended permit ip any any log disable
access-list inside_access_in extended deny ip host 10.90.100.25 any log disable
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable
access-list inside_access_in extended permit tcp host 10.90.1.27 host 172.16.35.11 eq smtp log disable
access-list inside_access_in extended permit ip 10.80.1.0 255.255.255.0 any log disable
access-list inside_access_in extended permit tcp host 10.90.1.33 object-group DM_INLINE_NETWORK_3 eq 3101 log disable
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_14 any object-group DM_INLINE_TCP_2 log disable
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 log disable
access-list inside_access_in extended permit udp host 10.90.1.50 any eq ntp log disable
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_11 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.27 eq smtp log disable
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.35.10 host 172.16.36.10 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.11 any eq smtp log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 any object-group DM_INLINE_TCP_1 log disable
access-list DMZ_access_in remark rule for cag to owa
access-list DMZ_access_in extended permit tcp host 172.16.35.13 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_3 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.10 object-group DM_INLINE_TCP_4 log disable
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_5 log disable
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_6 log disable inactive
access-list slow-down extended permit ip 10.90.0.0 255.255.0.0 any
access-list slow-down extended permit ip any 10.90.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm warnings
logging host inside 10.90.1.65 6/1470
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 10.80.1.0 255.255.255.0
nat (inside) 1 10.90.1.0 255.255.255.0
nat (inside) 1 10.90.5.0 255.255.255.0
nat (inside) 1 192.168.80.0 255.255.255.0
nat (inside) 1 10.249.0.0 255.255.0.0
nat (DMZ) 1 172.16.35.0 255.255.255.0
static (DMZ,outside) <outside ip> 172.16.35.10 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip> 172.16.35.55 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip> 172.16.35.50 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip> 172.16.35.60 netmask 255.255.255.255 dns
static (inside,outside) <outside ip> 10.90.1.21 netmask 255.255.255.255 dns
static (inside,DMZ) 172.16.36.31 10.90.1.31 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.10 10.90.1.10 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.27 10.90.1.27 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.15 10.90.1.15 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.42 10.90.1.42 netmask 255.255.255.255
static (inside,DMZ) 10.90.1.0 10.90.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.80.1.0 10.80.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.90.5.0 10.90.5.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
router eigrp 200
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 209.242.145.129 1
route inside 10.0.0.0 255.0.0.0 10.91.1.1 1
route inside 10.249.0.0 255.255.0.0 10.91.1.1 1
route inside 192.168.80.0 255.255.255.0 10.91.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.90.1.50 source inside prefer
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9ba1f1f89fa1a88af05e2fc5fdba3090
: end

So it would appear I've solved it by adding a static route in the global routing table back to the subnets in the vrf:
ip classless
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route 10.249.1.0 255.255.255.0 Vlan851   <-----------------------
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
Thanks
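The resolution above, as an added example that is not from the thread: a small Python model of the 6509's two routing tables (VRF bingfish and global) with longest-prefix match and recursive next-hop resolution, showing why the VRF default route alone hairpins replies back to the ASA, why the single "ip route 10.249.1.0 255.255.255.0 Vlan851" fixes only that one subnet, and that this global static also makes 10.249.1.0/24 reachable from every global interface on the core without passing the firewall. It assumes the ASA-facing link is a VLAN interface named Vlan911 with 10.91.1.1/24 (that interface sits in the snipped part of the config) and uses a constructed client address 10.249.1.50.

```python
"""Route-lookup model for the 6509 in the thread: VRF bingfish plus the global table.

Added example, not configuration from the thread. Vlan911 (10.91.1.1/24) as the
ASA-facing interface is an assumption; that interface is in the snipped config.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str] = None    # next-hop IP, or None for an interface route
    interface: Optional[str] = None   # egress interface for interface routes
    resolve_in: Optional[str] = None  # table the next hop is resolved in (the "global" keyword)


class Router:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {"global": [], "bingfish": []}

    def connect(self, iface: str, cidr: str, table: str = "global") -> None:
        """An interface address installs a connected route in the interface's table."""
        net = ipaddress.IPv4Interface(cidr).network
        self.tables[table].append(Route(net, interface=iface))

    def add_static(self, table: str, prefix: str, next_hop: Optional[str] = None,
                   interface: Optional[str] = None, resolve_in: Optional[str] = None) -> None:
        self.tables[table].append(Route(ipaddress.IPv4Network(prefix), next_hop, interface, resolve_in))

    def lpm(self, table: str, dst: str) -> Optional[Route]:
        """Longest-prefix match of dst in one table."""
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.tables[table] if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, table: str, dst: str, depth: int = 0) -> str:
        """Egress interface for dst when looked up in `table`, or a DROP reason."""
        route = self.lpm(table, dst)
        if route is None:
            return "DROP: no route in table " + table
        if route.interface is not None:
            return route.interface
        if depth > 3:
            return "DROP: next hop not resolvable"
        # Recursive lookup: the "global" keyword resolves the next hop in the global table,
        # otherwise the next hop is resolved in the same table as the route.
        return self.forward(route.resolve_in or table, route.next_hop, depth + 1)


def build_core(with_return_route: bool) -> Router:
    """The 6509 as configured in the thread, with or without the static route that fixed it."""
    r = Router()
    r.connect("Vlan911", "10.91.1.1/24")                # link to ASA inside (10.91.1.2); assumed name
    r.connect("Vlan999", "10.90.100.1/24")              # management net, global table
    r.connect("Vlan851", "10.249.1.1/24", "bingfish")   # bingfish client net
    r.connect("Vlan852", "10.249.2.1/24", "bingfish")   # bingfish server net
    r.connect("Vlan853", "10.249.3.1/24", "bingfish")   # bingfish management net
    r.add_static("global", "0.0.0.0/0", next_hop="10.91.1.2")
    # ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
    r.add_static("bingfish", "0.0.0.0/0", next_hop="10.91.1.2", resolve_in="global")
    if with_return_route:
        # ip route 10.249.1.0 255.255.255.0 Vlan851  (the fix from the thread)
        r.add_static("global", "10.249.1.0/24", interface="Vlan851")
    return r


def round_trip(r: Router, client: str, server: str) -> Dict[str, object]:
    """Outbound hop for a VRF client, and the hop the reply takes once the ASA hands it back.

    The ASA routes 10.249.0.0/16 to 10.91.1.1, so the reply re-enters on the ASA link and is
    looked up in the global table. A reply whose egress is that same link is a hairpin: the
    core bounces it back to the firewall instead of delivering it into the VRF.
    """
    out = r.forward("bingfish", server)
    back = r.forward("global", client)
    delivered = out == "Vlan911" and back != "Vlan911" and not back.startswith("DROP")
    return {"out": out, "back": back, "ok": delivered}


def reachable_from_global(r: Router, dst: str) -> bool:
    """Can a host on any global interface (e.g. Vlan999) reach dst without crossing the ASA?"""
    egress = r.forward("global", dst)
    return egress != "Vlan911" and not egress.startswith("DROP")


if __name__ == "__main__":
    before, after = build_core(False), build_core(True)
    print("before fix:", round_trip(before, "10.249.1.50", "8.8.8.8"))        # back == Vlan911: hairpin
    print("after fix: ", round_trip(after, "10.249.1.50", "8.8.8.8"))         # back == Vlan851: delivered
    print("vlan852 after fix:", round_trip(after, "10.249.2.50", "8.8.8.8"))  # still hairpins
    print("10.249.1.0/24 reachable from global without ASA:", reachable_from_global(after, "10.249.1.50"))
```

The same check applied to the other two VRF subnets shows they still hairpin until they get their own global static (or a summary), and that each such static is also a hole in the VRF's isolation from the global table.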

Similar Messages

  • CSR1000V VRF Route Leaking vs GNS

    Hi folks,
    working on 2 lab environments. I have successfully configured VRF route leaking on GNS3, however can't get it working on CSR1000v with same config (only IPs and names of VRFs etc. are different). Is there something on the CSR1000v that I have to do that's different from GNS? Is there a reason why the route in GNS is in both the OSPF database and the routing table yet in ESXi it's only in the database?
    OSPF between neighbors
    BGP to do route leaking
    GNS - leaking route 220.0.0.0
    GNS - Neighbor running OSPF has 220.0.0.0 in the database and the routing table for VRF 100
    ESXi - leaking route 45.0.0.0
    ESXi - Neighbor running OSPF has 45.0.0.0 in the database and is NOT in the routing table for VRF cavia
    GNS - 3640's with c3640-js-mz.124-17
    ESXi - CSR1000V with Cisco IOS XE Software, Version 03.12.00.S
    On both labs using BGP to leak routes between VRF's.
    GNS LAB
    VRF's --------------------------------------------------
    ip vrf 100
     rd 100:100
     route-target export 1:100
     route-target import 1:300
    ip vrf 200
     rd 200:200
     route-target export 1:200
     route-target import 1:300
    ip vrf 300
     rd 300:300
     route-target export 1:300
     route-target import 1:100
     route-target import 1:200
    OSPF --------------------------------------------------------------
    router ospf 100 vrf 100
     router-id 4.4.4.4
     log-adjacency-changes
     redistribute bgp 10 subnets
     network 100.0.0.0 0.0.0.3 area 0
     network 0.0.0.0 255.255.255.255 area 0
    router ospf 200 vrf 200
     router-id 44.44.44.44
     log-adjacency-changes
     redistribute bgp 10 subnets
     network 200.0.0.0 0.0.0.3 area 0
     network 0.0.0.0 255.255.255.255 area 0
    BGP -------------------------------------------------------------
    router bgp 10
     no synchronization
     bgp log-neighbor-changes
     no auto-summary
     address-family ipv4 vrf 300
      no synchronization
      network 220.0.0.0 mask 255.255.255.252
     exit-address-family
     address-family ipv4 vrf 200
      redistribute ospf 200 vrf 200
      no synchronization
     exit-address-family
     address-family ipv4 vrf 100
      redistribute ospf 100 vrf 100
      no synchronization
     exit-address-family
    R4#sh ip bgp vpnv4 all
    BGP table version is 17, local router ID is 44.44.44.44
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 100:100 (default for vrf 100)
    *> 10.0.0.0/24      100.0.0.1                2         32768 ?
    *> 100.0.0.0/30     0.0.0.0                  0         32768 ?
    *> 220.0.0.0/30     0.0.0.0                  0         32768 i
    Route Distinguisher: 200:200 (default for vrf 200)
    *> 20.0.0.0/24      200.0.0.1                2         32768 ?
    *> 200.0.0.0/30     0.0.0.0                  0         32768 ?
    *> 220.0.0.0/30     0.0.0.0                  0         32768 i
    Route Distinguisher: 300:300 (default for vrf 300)
    *> 10.0.0.0/24      100.0.0.1                2         32768 ?
    *> 20.0.0.0/24      200.0.0.1                2         32768 ?
    *> 100.0.0.0/30     0.0.0.0                  0         32768 ?
    *> 200.0.0.0/30     0.0.0.0                  0         32768 ?
    *> 220.0.0.0/30     0.0.0.0                  0         32768 i
    -----------------------on neighbor R3 220.0.0.0 (in vrf 300) is in the routing table for vrf 100 as designed----------------------
    R3#sh ip route vrf 100
         220.0.0.0/30 is subnetted, 1 subnets
    O E2    220.0.0.0 [110/1] via 100.0.0.2, 00:29:48, FastEthernet1/0.10
         100.0.0.0/30 is subnetted, 1 subnets
    C       100.0.0.0 is directly connected, FastEthernet1/0.10
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.0.0.0 is directly connected, FastEthernet0/0
    ----------------------OSPF Database on neighbor R3-------------------------------------------
    R3#sh ip ospf data
                OSPF Router with ID (33.33.33.33) (Process ID 200)
                    Router Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum Link count
    33.33.33.33     33.33.33.33     521         0x80000006 0x005A0E 2
    44.44.44.44     44.44.44.44     541         0x80000006 0x001C18 1
                    Net Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum
    200.0.0.2       44.44.44.44     540         0x80000005 0x006820
                    Type-5 AS External Link States
    Link ID         ADV Router      Age         Seq#       Checksum Tag
    220.0.0.0       44.44.44.44     540         0x80000005 0x009BAE 3489660938
                OSPF Router with ID (3.3.3.3) (Process ID 100)
                    Router Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum Link count
    3.3.3.3         3.3.3.3         722         0x80000006 0x008C9F 2
    4.4.4.4         4.4.4.4         581         0x80000006 0x00F845 1
                    Net Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum
    100.0.0.2       4.4.4.4         581         0x80000005 0x00FEA7
                    Type-5 AS External Link States
    Link ID         ADV Router      Age         Seq#       Checksum Tag
    220.0.0.0       4.4.4.4         581         0x80000005 0x00509A 3489660938
    ESXi LAB
    VRF's----------------------------------------------------------
    vrf definition cavia
     rd 1:100
     address-family ipv4
      route-target export 1000:100
      route-target import 1000:300
     exit-address-family
    vrf definition microsoft
     rd 1:200
     address-family ipv4
      route-target export 1000:200
      route-target import 1000:300
     exit-address-family
    vrf definition shared
     rd 1:300
     address-family ipv4
      route-target export 1000:300
      route-target import 1000:100
      route-target import 1000:200
     exit-address-family
    OSPF ----------------------------------------------------------------
    router ospf 100 vrf cavia
     redistribute bgp 50 subnets
     network 172.100.200.0 0.0.0.3 area 0
     network 0.0.0.0 255.255.255.255 area 0
    router ospf 200 vrf microsoft
     redistribute bgp 50 subnets
     network 172.200.200.0 0.0.0.3 area 0
     network 0.0.0.0 255.255.255.255 area 0
    BGP -----------------------------------------------------------------
    router bgp 50
     bgp log-neighbor-changes
     address-family ipv4 vrf cavia
      redistribute ospf 100
     exit-address-family
     address-family ipv4 vrf microsoft
      redistribute ospf 200
     exit-address-family
     address-family ipv4 vrf shared
      network 45.0.0.0 mask 255.255.255.252
     exit-address-family
    ---------------45.0.0.0 is in the correct BGP VRF's----------------
    R8#sh ip bgp vpnv4 all
    BGP table version is 20, local router ID is 8.8.8.8
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
                  x best-external, a additional-path, c RIB-compressed, 
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
         Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 1:100 (default for vrf cavia)
     *>  45.0.0.0/30      0.0.0.0                  0         32768 i
     *>  80.100.0.0/30    172.100.200.1            2         32768 ?
     *>  172.100.100.0/30 172.100.200.1            2         32768 ?
     *>  172.100.100.4/30 172.100.200.1            2         32768 ?
     *>  172.100.200.0/30 0.0.0.0                  0         32768 ?
    Route Distinguisher: 1:200 (default for vrf microsoft)
     *>  45.0.0.0/30      0.0.0.0                  0         32768 i
     *>  80.200.0.0/30    172.200.200.1            2         32768 ?
     *>  172.200.100.0/30 172.200.200.1            2         32768 ?
     *>  172.200.100.4/30 172.200.200.1            2         32768 ?
     *>  172.200.200.0/30 0.0.0.0                  0         32768 ?
    Route Distinguisher: 1:300 (default for vrf shared)
     *>  45.0.0.0/30      0.0.0.0                  0         32768 i
     *>  80.100.0.0/30    172.100.200.1            2         32768 ?
     *>  80.200.0.0/30    172.200.200.1            2         32768 ?
     *>  172.100.100.0/30 172.100.200.1            2         32768 ?
     *>  172.100.100.4/30 172.100.200.1            2         32768 ?
     *>  172.100.200.0/30 0.0.0.0                  0         32768 ?
     *>  172.200.100.0/30 172.200.200.1            2         32768 ?
         Network          Next Hop            Metric LocPrf Weight Path
     *>  172.200.100.4/30 172.200.200.1            2         32768 ?
     *>  172.200.200.0/30 0.0.0.0                  0         32768 ?
    -----------------------on neighbor R1 45.0.0.0 (in vrf shared) is not in the routing table for vrf cavia----------------------
    R1#sh ip route vrf cavia
    Gateway of last resort is 172.100.200.2 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 172.100.200.2
          80.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    C        80.100.0.0/30 is directly connected, GigabitEthernet1.1
    L        80.100.0.1/32 is directly connected, GigabitEthernet1.1
    B        80.100.0.4/30 [20/0] via 80.100.0.2, 03:52:22
          172.100.0.0/16 is variably subnetted, 7 subnets, 2 masks
    C        172.100.100.0/30 is directly connected, GigabitEthernet3.1
    L        172.100.100.2/32 is directly connected, GigabitEthernet3.1
    C        172.100.100.4/30 is directly connected, GigabitEthernet2.1
    L        172.100.100.6/32 is directly connected, GigabitEthernet2.1
    B        172.100.101.0/30 [20/0] via 80.100.0.2, 03:52:22
    C        172.100.200.0/30 is directly connected, GigabitEthernet4.1
    L        172.100.200.1/32 is directly connected, GigabitEthernet4.1
    ----------------------OSPF Database on neighbor R1 -------------------------------------------
    R1#
    R1#sh ip ospf data
                OSPF Router with ID (172.100.200.1) (Process ID 100)
                    Router Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum Link count
    172.100.200.1   172.100.200.1   668         0x8000000A 0x009F4E 4
    172.100.200.2   172.100.200.2   681         0x80000007 0x005F5C 1
                    Net Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum
    172.100.200.1   172.100.200.1   668         0x80000002 0x0012BD
                    Type-5 AS External Link States
    Link ID         ADV Router      Age         Seq#       Checksum Tag
    45.0.0.0        172.100.200.2   441         0x80000002 0x0047E1 3489660978
    80.100.0.4      172.100.200.1   1679        0x80000008 0x00A883 3489725929
    172.100.101.0   172.100.200.1   1679        0x80000008 0x00C4A9 3489725929

  • MPLS VRF Routes Leaking

    I am designing a network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
    A Cisco 7600 series router is used as PE along with an FWSM that points towards the Global Routing Table (Internet Gateway).
    The customer requires internet access along with VPN services at all of the 2000+ locations.
    What is the best solution that meets the requirements and also avoids security loopholes?

    You could implement Internet access for an L3 MPLS VPN in one of the following ways:
    1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface in the PE/PEs will need to be in the global routing table to have Internet access, and then you can inject that route into the VRF/VRFs.
    2. Internet access using route leaking between VRFs and the global routing table: with this method you will need to configure a static default route with a next hop of an Internet gateway (in your case the FWSM) reachable through the global routing table; this VRF default route needs to be injected/redistributed into the PE-CE routing (MP-BGP) to provide outbound Internet connectivity to your VRFs.
    Inbound traffic from the Internet will require either a NATed VRF or static routes in the global routing table pointing to the VRF interface.
    3. The other method is the use of a shared service: with this method you put the Internet service FWSM in its own VRF, then you can control the import and export between the Internet VRF and the other VRFs through the import/export route-target values of the VRFs.
    good luck
    if helpful Rate

  • Nexus 7000 route leak from GRT (default VRF) to other VRF's

    Hello
    We have a Nexus 7000 infrastructure in which multiple VDCs and VRFs are deployed. A requirement has now come about whereby one of these VRFs needs to be able to see our GRT (default VRF), so we need to leak the GRT routes into the VRF and vice versa.
    I have been doing a lot of reading and I am happy with how this works with inter-VRF route leaking, but I seem to be missing a few things in respect of how this works with the GRT.
    I have also read on another forum that this is not supported. See the link below.
    https://supportforums.cisco.com/document/133711/vrf-configuration-and-verification-nexus-7000
    Does anyone have experience of this? I can also see how this works in IOS and I have GNS3 and got this working.
    We use BGP currently so we are able to use MP-BGP if required.
    Any help would be very useful.

    Hi,
    In Table 14 of the Cisco Nexus 7000 Series NX-OS Verified Scalability Guide the verified limit is specified as 1000 per system i.e., across all VDCs for NX-OS release 5.2, 6.0 and 6.1.
    There is a footnote associated with this number which states:
    With each new VDC configured, the number of configurable VRFs per system is reduced by two as each VDC has a default VRF and management VRFs that are not removable. For example, with 8 configured VDCs on Cisco NX-OS Release 5.2, you can configure up to 984 VRFs per system (either all in one VDC or across VDCs).
    Regards

  • Route leaking from VRF to Global on same router with VLAN interface

    Hi all,
    I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
    interface FastEthernet4
    description ***Connection to WAN***
    ip vrf forwarding FVRF
    ip address 10.0.0.6 255.255.255.0
    interface Vlan100
    description ***LAN***
    ip address 192.168.227.1 255.255.255.0
    So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
    I thought I could do that config but it is not possible:
    (config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
    % For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
    OR
    DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
    %Invalid next hop address (it's this router)
    Any ideas are really welcome.
    Best regards,
    Laurent

    Hi,
    I have tried the following solution:
    Add 10.0.0.0 /24 from VRF to Global:
    ip route 10.0.0.0 255.255.255.0 FastEthernet4
    Add 192.168.227.0 /24 from Global to VRF:
    router bgp 64512
    bgp log-neighbor-changes
    address-family ipv4
      no synchronization
      redistribute connected
      no auto-summary
    exit-address-family
    ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
    route-map Global permit 10
    match ip address prefix-list Global-VRF
    ip vrf FVRF
      rd 1:1
      import ipv4 unicast map Global
    So now the VRF table looks like that:
    #      sh ip route vrf FVRF
    C        10.0.0.0/24 is directly connected, FastEthernet4
    S        10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
    L        10.0.0.6/32 is directly connected, FastEthernet4
    B     192.168.227.0/24 is directly connected, 00:15:12, Vlan100
    The Global table looks like this:
    #sh ip route
    Gateway of last resort is 10.1.0.107 to network 0.0.0.0
    D*    0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
           10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
    S        10.0.0.0/24 is directly connected, FastEthernet4
    C        10.1.0.0/24 is directly connected, Tunnel1
    L        10.1.0.227/32 is directly connected, Tunnel1
    C        10.2.0.0/24 is directly connected, Tunnel2
    L        10.2.0.227/32 is directly connected, Tunnel2
    C        10.10.10.227/32 is directly connected, Loopback100
           192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.227.0/24 is directly connected, Vlan100
    L        192.168.227.1/32 is directly connected, Vlan100
    But when I try to ping it still doesn't work:
    #ping vrf FVRF 192.168.227.1 source fastEthernet 4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
    Packet sent with a source address of 10.0.0.6
    Success rate is 0 percent (0/5)
    #ping 10.0.0.1 source vlan 100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.227.1
    Success rate is 0 percent (0/5)
    Any ideas?
    Regards,
    Laurent

  • Howto control/filter traffic between VRF-(lite) using route leaking?

    Hi,
    does anybody know how I can control/filter the traffic between two VRFs when I use route leaking or also normal route-target export/import connections, maybe with an ACL, in the following scenarios?
    Scenario 1:
    I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers and I want one of the PE routers to allow/route traffic between these VPNs, but only traffic on tcp port 80 and no other ports. I'm only aware of binding ACLs to logical or physical interfaces but I don't know how to do this here.
    Scenario 2:
    Same as scenario 1, but it is not the PE router that connects the VPNs; instead a separate router-on-a-stick (e.g. 4900M) which is connected to one of the PE routers should do this job with vrf-lite and route leaking (address-family ipv4 vrf ...). Here too I only want to allow tcp port 80 between the VPNs.
    Kind Regards,
    Thorsten

    Thanks.
    That's what I was assuming. In my experience this solution does not scale with increasing number of vpn and inter vpn traffic via route target.
    Is it correct that there is only one common ACL per VPN where all rules for the communication to all other VPNs are configured? Doesn't this ACL become too complex and too error-prone to administrate in a real network environment? Furthermore, in my understanding this ACL has to be configured per VPN on all PE routers which have interfaces to CE routers for that VPN.
    Does cisco offer software for managing this?
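    One way to combine the leak with the tcp/80 restriction on the router-on-a-stick from scenario 2, shown as an added example that is not from this thread. VRF names, AS number, prefixes, OSPF process numbers and interface numbers are assumptions; the routes are leaked locally through the BGP VRF address-families (no BGP neighbor is needed for that), and the ACLs are stateless, so the reply direction has to be permitted explicitly on the other VRF's interface:

```ios
! Added example, not a config from the thread. Assumed addressing:
!   VPN_A hosts live in 10.1.0.0/16, VPN_B hosts in 10.2.0.0/16.
! Each VRF exports its own RT and imports the other VRF's RT, which on a
! single router with "address-family ipv4 vrf" under BGP leaks the routes
! without any MPLS neighbor.
ip vrf VPN_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 route-target import 65000:2
!
ip vrf VPN_B
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
 route-target import 65000:1
!
! Stateless filters: inside VPN_A only HTTP may be sent towards VPN_B,
! everything else that is not destined to VPN_B keeps flowing normally.
ip access-list extended VPN_A_TO_VPN_B
 remark only HTTP from VPN_A hosts may cross the leak into VPN_B
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 80
 deny   ip any 10.2.0.0 0.0.255.255
 permit ip any any
!
! Return direction: only replies from VPN_B web servers (source port 80,
! ACK/RST set) may cross back into VPN_A.
ip access-list extended VPN_B_TO_VPN_A
 remark only HTTP replies from VPN_B servers back to VPN_A
 permit tcp 10.2.0.0 0.0.255.255 eq 80 10.1.0.0 0.0.255.255 established
 deny   ip any 10.1.0.0 0.0.255.255
 permit ip any any
!
! Router-on-a-stick: one dot1Q subinterface per VPN towards the PE, the
! ACL is applied inbound on the VRF interface so it sees the traffic
! before the cross-VRF lookup happens.
interface GigabitEthernet1/1.10
 description VPN_A towards PE
 encapsulation dot1Q 10
 ip vrf forwarding VPN_A
 ip address 10.10.10.2 255.255.255.252
 ip access-group VPN_A_TO_VPN_B in
!
interface GigabitEthernet1/1.20
 description VPN_B towards PE
 encapsulation dot1Q 20
 ip vrf forwarding VPN_B
 ip address 10.20.20.2 255.255.255.252
 ip access-group VPN_B_TO_VPN_A in
!
! PE-CE routing per VRF (OSPF, as in scenario 1); leaked BGP routes are
! advertised back towards the PE so the far side learns the extranet.
router ospf 1 vrf VPN_A
 redistribute bgp 65000 subnets
 network 10.10.10.0 0.0.0.3 area 0
!
router ospf 2 vrf VPN_B
 redistribute bgp 65000 subnets
 network 10.20.20.0 0.0.0.3 area 0
!
router bgp 65000
 bgp router-id 10.255.255.1
 bgp log-neighbor-changes
 address-family ipv4 vrf VPN_A
  redistribute connected
  redistribute ospf 1
 exit-address-family
 address-family ipv4 vrf VPN_B
  redistribute connected
  redistribute ospf 2
 exit-address-family
```

    After applying it, "show ip route vrf VPN_B" should list the VPN_A prefixes as B routes, and "show ip access-lists" shows hit counters on the deny lines, which is the quickest way to confirm that non-HTTP traffic is really being dropped rather than silently leaked.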

  • Assistance Needed: Inter-VRF Routing with MP-BGP

    hello everyone,
    I've been trying to solve a problem for over a day regarding inter-vrf routing using MP-BGP and I can't seem to figure a few things out.
    I have a Cisco 1921 which has VRF-JLAN and VRF-JGLOBE with 3 interfaces configured as (g0/0 = vrf JLAN, g0/1 = no vrf, g0/2 = dot1q trunk to 2960S). vrf JLAN is a restricted network for user access, dns server, etc. vrf JGLOBE is for the Video server and the global routing table belongs to Wifi Access. I've been able to separate all the networks and I can route traffic out to the Internet from vrf JLAN and the global route table, but where I'm having issues is getting vrf JGLOBE to route traffic using the Global route table.
    For example: vrf JLAN should not be accessed by either Global or vrf JGLOBE. JGLOBE should be able to access vrf JLAN dns server but it should route its internet traffic via Global route table (g0/1). Last JLAN should be able to access 2 networks from the Global route table.
    I've attached my config and diagram so you can better understand what I'm trying to achieve. More light to solving this problem would be much appreciated.
    ip vrf JGLOBE
     rd 65001:2
     export map WIFI
     route-target export 65001:2
    ip vrf JLAN
     rd 65001:1
     import ipv4 unicast map C-GLOBAL
     route-target export 65001:1
     route-target import 65001:1
     route-target import 65001:2
    interface GigabitEthernet0/0
     description LAN-ACCESS-INTERNET [TO Nexthop FIREWALL]
     ip vrf forwarding JLAN
     ip address 192.168.4.3 255.255.255.248
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip flow egress
     ip inspect INTERNET-FW out
     ip virtual-reassembly in
     load-interval 30
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     description GLOBAL-Wifi-INTERNET [TO Nexthop - FIREWALL]
     ip address 192.168.5.3 255.255.255.248
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip flow egress
     ip inspect GLOBAL-FW in
     ip inspect GLOBAL-FW out
     ip virtual-reassembly in
     load-interval 30
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     no ip address
     duplex auto
     speed auto
    interface GigabitEthernet0/2.3
     description Users LAN
     encapsulation dot1Q 3
     ip vrf forwarding JLAN
     ip address 192.168.30.1 255.255.255.240
    interface GigabitEthernet0/2.4
     description Video Server
     encapsulation dot1Q 4
     ip vrf forwarding JGLOBE
     ip address 10.6.40.1 255.255.255.0
    router ospf 1 vrf JLAN
     router-id 10.6.6.10
     redistribute bgp 65001 subnets
     network 0.0.0.0 255.255.255.255 area 0
    router ospf 2 vrf JGLOBE
     router-id 10.5.7.10
     redistribute bgp 65001 subnets
     network 0.0.0.0 255.255.255.255 area 0
    router bgp 65001
     bgp router-id 10.4.6.4
     bgp log-neighbor-changes
     bgp graceful-restart restart-time 120
     bgp graceful-restart stalepath-time 360
     bgp graceful-restart
     address-family ipv4
      redistribute connected
     exit-address-family
     address-family ipv4 vrf JGLOBE
      redistribute connected
      redistribute ospf 2
     exit-address-family
     address-family ipv4 vrf JLAN
      redistribute connected
      redistribute ospf 1
     exit-address-family
    ip dns view vrf JGLOBE default
    ip dns view vrf JLAN default
    ip route 0.0.0.0 0.0.0.0 192.168.5.1
    ip route vrf JGLOBE 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.5.1
    ip route vrf JLAN 0.0.0.0 0.0.0.0 192.168.4.1 name LAN_INET
    ip prefix-list GLOBAL-INET seq 5 permit 0.0.0.0/0
    ip prefix-list SERVER-NET seq 5 permit 10.6.40.2/32
    ip prefix-list WIFI-NET seq 5 permit 10.254.0.0/22 le 32

    Hi Matt
    Yes, the X/32 routes need to be present in the VRF routing table, and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
    Regards
    Varma

  • Route Leaking in MPLS/VPN Networks (IOX support)

    Hi all,
    I would like to know if IOX on the CRS-1 can support route leaking between VRF<>Global routing table?
    http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
    Regards

    Hi,
    You can use the vrf keyword after the prefix you want to join and before specifying the NH. It will tell the router in which VRF the lookup should be done:
    http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.0/routing/command/reference/rr40crs1book_chapter9.html#wp172562637
    The vrf name "default" is reserved to reference the GRT.
    HTH
    Laurent.

  • Route Leaking Issue

    Hi All,
    Still cutting my teeth with MPLS, and I am labbing up some stuff, and I've come across an issue (or not).
    This may be by design, I'm not sure.
    I've got a basic P core running OSPF and MPLS. Easy so far.
    I've got 2 PEs, one on each side (still with me?)
    Attached to each PE I have a CE, and a Loopback.
    On each side the CE is in one VRF and the Loopback is in another.
    All straightforward so far. Routing is working: I am using RIP for the CEs and redistribute connected for the loopbacks.
    MP-BGP is working fine and the routes are being carried across the core.
    I now want to step it up a bit and try out some route leaking. I have imported routes from the CE VRF to the loopback VRF easily on one PE, and vice versa.
    However, the next step is where I get confused. When I import routes into a VRF I would expect to see them propagated across the MPLS core to the same VRF on the other side of the VPN.
    Not sure if it should work like this.
    Any opinions??
    Thanks all
    Stephen

    Hi Stephen,
    As per your scenario you want to import the route from one VRF to the other VRF, so to achieve that you can configure route-targets for the same.
    Below is the scenario:
    CE1_A ----                        ---- CE1_B
              PE1 ---- P ---- PE2
    CE2_A ----                        ---- CE2_B
    In the above scenario:
    1] CE1_A & CE1_B are in the CUST_A vrf.
    2] CE2_A & CE2_B are in the CUST_B vrf.
    Now, if you want CE1_A, which is in vrf CUST_A, to communicate only with CE2_A, which is in vrf CUST_B, you can have different RTs. Below is the example for the above scenario.
    PE1 -
    ip vrf CUST_A
    rd 65000:100
    route-target export 65:100
    route-target import 65:100
    route-target import 65:20
    route-target export 65:10
    ip vrf CUST_B
    rd 65000:200
    route-target export 65:100
    route-target import 65:100
    route-target import 65:10
    route-target export 65:20
    Here in the above config you can see that in the CUST_A vrf we have exported the RT 65:10, and that RT is imported by the CUST_B vrf; in the CUST_B vrf we have exported RT 65:20, and that RT is imported by the CUST_A vrf.
    So now you can see that CE1_A & CE2_A will see each other's routes in their routing tables. This is known as an extranet in MPLS.
    Regards
    Chetan Kumar
    http://chetanress.blogspot.com
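    A variant of the extranet above, added here and not part of Chetan's reply, that keeps each customer's own RT private to that customer and leaks only one chosen prefix per VRF by tagging it with the extranet RT in an export map, so the rest of CUST_A stays invisible to CUST_B and vice versa. RD/RT values, prefix-list contents and route-map names are assumptions:

```ios
! Added example (not Chetan's config). Assumed addressing:
!   CUST_A shares only 10.1.100.0/24, CUST_B shares only 10.2.200.0/24.
! The export map adds the extranet RT to matching prefixes; all other
! prefixes are still exported with the VRF's own route-target only.
ip prefix-list CUST_A_SHARED seq 5 permit 10.1.100.0/24
ip prefix-list CUST_B_SHARED seq 5 permit 10.2.200.0/24
!
route-map CUST_A_EXPORT permit 10
 match ip address prefix-list CUST_A_SHARED
 set extcommunity rt 65000:10 additive
!
route-map CUST_B_EXPORT permit 10
 match ip address prefix-list CUST_B_SHARED
 set extcommunity rt 65000:20 additive
!
! Each VRF imports its own RT plus the extranet RT the other side tags.
! Unlike the reply above, the two VRFs do not share a common RT, so only
! the prefixes matched by the export maps cross between them.
ip vrf CUST_A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 route-target import 65000:20
 export map CUST_A_EXPORT
!
ip vrf CUST_B
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
 route-target import 65000:10
 export map CUST_B_EXPORT
```

    With this in place "show ip route vrf CUST_B" should show 10.1.100.0/24 as the only B route originating from CUST_A, and "show ip bgp vpnv4 vrf CUST_A 10.1.100.0/24" lists both RT:65000:100 and RT:65000:10 as extended communities on that prefix. Because the additional RT is applied per prefix, an accidental "permit ip any" style mistake is confined to the prefix-list rather than exposing the whole VPN.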

  • Full internet routing in an internet MPLS VPN

    Is it possible and advisable to run the full internet routing table in a separate MPLS VRF? A default route is not an option.
    With kind regards,
    Mike

    Hi,
    It is not advisable to have the full Internet routing table in a vrf. It is possible that you may run out of memory since different routers have different vrf route-holding capacity. e.g. if you are using the 12000 series and you have only one vrf configured then you can hold the entire Internet routing table in one vrf.
    Which router do you have? Is it a 12000? How many vrfs do you have? How many routes do you have per vrf?
    You need to consider the above questions before making the decision.
    -Waris

  • Can I use an airport express as a range extender to a NON apple router using an internet cable (so not wireless)

    can I use an airport express as a range extender to a NON apple router using an internet cable (so not wireless)

    Yes, if the AirPort Express is set up to create a wireless network that uses the exact same wireless network name as the other router and the same wireless network password as the other router.

  • Hi there can anyone help me out.  I have Apple TV and I am trying to connect wirelessly through a zyxel wireless hotspot gateway, I know a tad extreme but a friend had one free,  anyway I can find the router but no Internet connection?

    Hi there can anyone help me out.  I have Apple TV and I am trying to connect wirelessly through a zyxel wireless hotspot gateway, I know a tad extreme but a friend had one free,  anyway I can find the router but no Internet connection?

    The only people who can possibly assist you with this is Apple Customer Relations, call your local Apple contact number and ask for Customer Relations then explain your situation clearly and politely (be firm but don't rant).
    You might want to investigate what the local laws are regarding defective goods and 'fit for use' definitions on warranties etc. Consumer Protection can be a useful tool to use or bargain with if needed ...

  • Running RIP between CPE and PE but rip database on CPE has no vrf routes

    I am running RIP between CPE and PE and it is working - I can see the RIP routes in the VRF routing table. However I cannot see the RIP routes on the CPE, which I need to be able to do.
    PE RIP Config
    router rip
    address-family ipv4 vrf ABC
    redistribute static metric 1
    redistribute bgp 12345
    network XX.0.0.0
    no auto-summary
    exit-address-family
    CPE RIP Config
    router rip
    version 2
    redistribute connected metric 1 route-map Connected
    network XX.0.0.0
    no auto-summary
    route-map Connected permit 10
    description *** Interfaces to be advertised to MPLS Network ***
    match interface Vlan1
    route-map Connected deny 100
    description *** Deny Statement ***
    Thanks in advance for your help
    Regards
    DK

    Hi DK,
    You need to put the "metric #" command in your redistribute bgp configuration under the vrf SAFI in the RIP config on the PE router. This is done to prevent BGP MED (metric) from being used as the RIP metric, which as you would know, has a hop limit of 16.
    router rip
    address-family ipv4 vrf ABC
    redistribute static metric 1
    redistribute bgp 12345 metric 1
    network XX.0.0.0
    no auto-summary
    exit-address-family
    Try that and you should then see your VPN routes showing on the CE when the RIP process refreshes.
    HTH
    Joe.

  • WRT54G router with cable internet problems

    I have a WRT54G wireless router and Comcast internet.  The internet works as long as the modem is plugged directly into the computer, but whenever I connect everything through the router I lose the internet.  I'm pretty sure that the router isn't broken or anything because up until a few days ago it was working fine with Verizon DSL.  I didn't encounter any problems until the cable modem.  I've tried as many solutions as I could find within the support area and nothing seems to work.  Please help!  Thanks in advance.
    - Bill

    Try this connection first:
    Connect Modem to the back of router using Ethernet cable at the internet port of router.
    Connect another cable from either 1-4 ports from back of router to back of your computer.
    Open the router's setup page using http://192.168.1.1 ... you will see username & password ... leave username blank & in password use admin.
    Under Setup look for the "MAC address clone" sub tab ... enable it & click "Clone my PC's MAC" ... click Save Settings.
    Do a power cycle & check whether it's working or not.

  • I'm using iPhone 4. I connected to my home WiFi router for browsing internet.. Sometimes it's automatically disconnected and must I off

    I'm using iPhone 4. I connected to my home WiFi router for browsing the internet. Sometimes it's automatically disconnected and I must turn it off and on again to use it. Why is this happening?

    Look on the support pages for your WiFi router for a firmware update for the router.
    It's hard to say much more without knowing the make, model, and version of your WiFi router and how you have it configured.
    See also http://www.apple.com/support/iphone/wifi/
