WCCP inside VRF

Hi Team,
I have one issue with WCCP redirection inside VRF. Here is my scenario:
PE router config (MPLS edge):
ip vrf aaa
 rd 10:1
 route-target both 10:1
int facing CE router
 ip vrf forwarding aaa
 ip address x.x.x.x x.x.x.x
 mpls bgp forwarding
router bgp 10
 <classic MP-BGP config>
 address-family vpnv4 vrf aaa
  neighbor <CE router> remote-as 100
  neighbor <CE router> activate
  neighbor <CE router> send-label

CE router (using VRF lite):
ip vrf aaa
 rd 100:1
 route-target both 100:1
ip wccp vrf aaa 61
ip wccp vrf aaa 62
int facing PE router
 ip vrf forwarding aaa
 ip address c.c.c.c c.c.c.c
 ip wccp vrf aaa 62 redirect in
 ip bgp mpls forwarding
int facing WAAS
 ip vrf forwarding aaa
 ip address w.w.w.w w.w.w.w
int LAN
 ip vrf forwarding aaa
 ip address l.l.l.l l.l.l.l
 ip wccp vrf aaa 61 redirect in
router bgp 100
 address-family vpnv4 vrf aaa
  neighbor <PE router> remote-as 10
  neighbor <PE router> activate
  neighbor <PE router> send-label
  <classic network advertising>
WAE config is classic WCCP with hash assignment and negotiated GRE return method. CE router does not have any issues detecting WAE appliance.
Now the mentioned issue:
Traffic from LAN to PE is being redirected OK. No issues here. But return traffic from PE router is not redirected to WAE appliance despite the fact that WCCP "redirect in" command is configured under CE WAN interface. When I remove "neighbor <CE router> send-label" command under "address-family vpnv4 vrf aaa" on PE router, CE router starts to redirect traffic from PE to WAE appliance (but I lose label information on CE). When I configure this command back, redirection stops.
So my question is why this command is causing CE router not to redirect traffic from PE to LAN on its WAN interface? I was not able to find any restrictions regarding VRF lite and WCCP. I am using 15.2(3)T1 IOS version.
Many thanks for any inputs.
Regards,
Stan

hi Stan,
I'm not really into VRF troubleshooting, but you should check this info:
If a Cisco WAAS NME-WAE network module or Cisco WAE appliance is used at a branch location and the service provider cannot strip off the labels, WCCP can be used with a route-leaking option as long as there are no overlapping IP addresses. (That sounds like your design.)
Look for WCCP Deployment:
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_C11-560131.pdf
good luck!

Similar Messages

  • When will wccp be vrf aware on 6500

    wccp is vrf aware for many platforms, when will wccp be vrf aware on the 6500 platform? Does someone know the roadmap for this feature?

    Zach Seils wrote: VRF-aware WCCP will not be supported on the 6500 platform until the next-generation Supervisor (SUP-2T).
    Hi Zach, is this a limitation of the Sup 720 (as in, the hardware can't support it), or will a future IOS release be able to support VRF aware WCCP on the Sup 720?

  • Is wccp v2 VRF aware?

    Is there a version of IOS code available that has VRF support for WCCP.
    Thanks

    Eddie,
    yes, it is on our todo list.
    I would suggest you contact your sales team to inform them you need this feature.
    They have the power to make things move faster sometimes :-)
    Gilles.

  • EoMPLS inside VRF possible?

    I'm trying to only mpls what I need to mpls and nothing else.
    Here's the idea:
    interface te1/1
    ip address x.x
    mtu 9000
    ...etc..
    interface te1/1.50
    encap dot1q 50
    ip address x.x.x.x
    mpls ip
    vrf forwarding VRF2
    ..etc..
    Mpls only running on te1/1.50 and not te1/1
    Te1/1.50 is in a VRF instance, running ldp inside of it which reduces the labels that the router assigns (because apparently there's no way to make mpls and ldp ONLY assign labels to what you want to run mpls with, unless there's some command to get rid of it from assigning labels to everything in the IGP)
    Anyways, I DO NOT want to run mpls on te1/1, or on the main routing instance on the router at all. I want it and the labels to stay inside a VRF so that only mpls traffic goes over te1/1.50 and absolutely no mpls traffic on te1/1 main interface.
    I want to use l2circuits (xconnect) inside of this.
    Using a Sup720, Is this possible?
    The reason for this is that when I enable MPLS on te1/1 , it encapsulates (routes that are sourced from routers behind the directly connected) and doesn't encapsulate routes sourced from the neighbor, even if I have no xconnects or anything set it seems to push labels onto things going to certain destinations in the IGP (with the label it assigned for that IP next hop).
    If there was a way to change that default behaviour where it doesn't encapsulate IP packets at all, unless I specifically run a xconnect, that would work.
    Very basic configuration, but it's driving me crazy, it's a mixture of juniper and cisco equipment.  I was thinking of running another ospf area on the ciscos and using another loopback and setting ldp to peer with that , but you can't have multiple loopbacks on junipers in the same routing instance.

    Let me rephrase what I want to do.
    I want to have the main interface pass IP traffic ONLY. (te1/1)
    and I want the subinterface to pass MPLS traffic ONLY. LDP will run on
    the subinterface.
    I've already tested this, and it works with l2 circuits, the problem is
    that without a VRF, the IGP will either
    route the loopback over te1/1 or te1/1.50 which means ALL traffic to
    that router can only go over one of these
    links at a time. I want to simulate having two independent links to
    another router, one for mpls, one for non mpls.
    My testing indicated that routing all traffic through te1/1 works with
    l2circuit to the junipers.
    Routing ALL traffic through te1/1.50 (IGP cost being lower) works.
    What I can't do is get it to send MPLS traffic only over .50 even if
    mpls/ldp is only enabled on .50 it doesn't seem
    to have any sense that it needs to use that path for the MPLS because
    the loopback of the adjacent router in the IGP
    has the best path out te1/1 and not te1/1.50. LDP obviously doesn't
    know that an interface is or isn't mpls able.
    If I had a cisco environment only, what I'd do is create another ospf
    area, only put the .50 interfaces in that ospf area
    create a loopback1 , use that as the router id for the other area..
    Basically have another set of loopbacks and another
    instance of OSPF just for the MPLS. But I cannot do this due to Juniper
    not supporting this type of configuration.
    So I want to create a VRF , and run an instance of ospf/ldp inside of
    it, and create l2 circuits but it doesn't seem to be
    working because mpls seems to be based on 'global' and not per vrf
    configuration for l2 circuit xconnect.
    I could be wrong but in my testing I couldn't get it to work. Could be
    the juniper end also. Getting Juniper to operate with Cisco is
    a pain in certain circumstances like this.
    I know about the conditional label advertisement to neighbors. I simply
    do not want the device to even assign labels unless I tell
    it to. I don't want to have to build an access list for everything I
    want to advertise to a neighbor, instead I want to build a list
    of what labels it will create and send and use. Right now it creates a
    label for every single adjacency in CEF and also looks like
    every /32 in the IGP if I am not mistaken.
    Paul

  • Filtering OSPF routes from MPBGP to BGP speaker in the same VRF

    I'm wondering if anyone has some ideas they can share on this.
    Assume the following:
    - CE1 is speaking *iBGP and OSPF to PE1 inside vrf foo
    - PE1 is mutually redistributing CE1's OSPF table with MPBGP
    - PE1 exchanges MPBGP routes with PE2.
    - PE2 is mutually redistributing CE2's OSPF table with MPBGP
    - CE2 is speaking *iBGP and OSPF to PE2 inside vrf foo
    So the problem is that the OSPF routes redistributed into MPBGP via one CE are being announced to the other CE via the PE-CE BGP process.  Because those routes are already being received by the CE via the PE-CE OSPF process, they are showing up in the CE's BGP table as RIB failures.
    Is there any way to filter those out?  I've tried setting and matching tags and communities from within various redistribution points on the PE, but I can't seem to keep them out of the CE's BGP table.

    are you sure you are using iBGP on both sides and not eBGP?
    I'm asking because routes learnt by PE1 from CE via iBGP (meaning same BGP AS number on CE1 and PE1 vrf foo) will not be propagated to CE2, because an iBGP route learned by a BGP speaker is not pushed to another iBGP speaker.
    So it means that a show ip bgp neighbor vrf foo advertised routes on PE2 shall show that no routes from CE1 are being advertised to CE2.
    As mentioned earlier, changing BGP admin distance is an option. Let BGP have a better distance on your CEs and this should do the trick:
    router bgp xxx
     distance bgp 20 20 20
    Then after clearing the BGP session, the RIB failures are gone as OSPF is AD 110 and BGP is now AD 20 (also remember that BGP does not announce RIB failure routes to other BGP peers).
    cheers

  • Reflexive ACLs in VRFs

    Are there caveats with outbound reflexive ACL inside VRFs?
    I'm working in a lab environment and notice the reflective ACLs work fine for inbound traffic, but fail for outbound.  For example, they will work when I ping the switch, but not when I do a ping from the switch.
    This is a 6503-E, SUP32, 12.2(33)SXH8b

    Hello everyone,
    just in case someone will face the same problem in the future:
    the solution is simple:
    - delete the superadmin-User
    - restart DTR
    - create superadmin and log on to the Developer Studio with the new user
    Then the ACLs can be maintained again.
    Best regards,
    Cornelia

  • WLC and WCCP

    Hi there
    we would like to redirect some WLANs on a WLC to a proxy server, but for this we would need WCCP. Because we have a Nexus 7000 in the core layer and I am not sure if Nexus supports WCCP in VRF, I wanted to ask if there is an easy way to redirect the traffic directly on the WLC (maybe with WCCP or something else)?
    Thanks a lot in advance and best regards
    Dominic

    The reality of the interfaces, is that they are not L3 interfaces.  They are still a L2 interface.  Dynamic interfaces require an IP address, so that the WLC knows when you do a L3 roam.
    For example, Building A has Data on vlan 15 10.15.1.x, Building B Data is vlan 15 10.115.1.x.  If you roam between the buildings, we need to know that you need to be L3 and anchor the traffic back to Building A's WLC, and not locally switch the traffic out of Building B's WLC.  If we don't know this, you would have issues, until the device tried to re-IP itself for the new subnet.
    HTH,
    Steve
    Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

  • WAVE-694-K9 support vrf?

    Dear all,
    Here's my issue: my WAVE-694-K9 encounters an error / is not optimizing the traffic. This is because I used VRF on the WCCP router to redirect traffic to the same destination with 2 subinterfaces, so I need VRF to distinguish traffic from source 'a' destined to subinterface 'a' and from source 'b' destined to subinterface 'b'. Before I implemented the VRF on the WCCP router, the traffic was optimized. So my thought is that VRF isn't supported on the WAVE-694-K9. Is that true?
    Or can I use the command "ip wccp vrf [vrf-name]" on the WCCP router, so the WAVE-694-K9 knows about the WCCP redirect VRF?
    thanks for any advice.

    Hi,
    You need to dedicate one WAAS appliance per VRF, or WCCP can be used with a route-leaking option as long as there are no overlapping IP addresses.
    Refer #
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_C11-560131.pdf
    Regards,
    Bala

  • Ipv6 dhcp inside AToM

    Hello everyone.
    I was experimenting with ipv6 dhcp using the following topology:
     7609s ----------mpls core--------  7609s -------SWITCH---------client PC
            \________vpws_________/
    Idea of this experiment is that on a first router I have configured ipv6 dhcp server for vrf CLIENT. dhcp server was enabled on a SVI inside vrf, which also serves as AC for vpws. So I was trying to emulate L2 connectivity between a client and a server. VPWS works, L2 connectivity exists, static dual stack was successfully tested. But a strange behavior is observed with ipv6 dhcp design both for managed and other  flags. Specifically RA messages are lost. In a router debug RA are sent to FF02::1 address but never reach a client (wireshark). Although other dhcp parameters like domain name, dns servers or ipv6 address (managed flag) are received without a problem. Client doesn't see a router.
    So are the messages sent to FF02::1 address transparently passed through vpws? 

    Hi Yusuf,
    You need to configure a few things on the router interface for DHCPv6 to be used instead of SLAAC.
    interface vlan10
    ipv6 address 2001:DB8:12FF:1::1/64
    ipv6 nd prefix 2001:DB8:12FF:1::/64 no-advertise <++++++ will prevent SLAAC from taking place
    ipv6 nd managed-config-flag <+++++ tells the workstation it should get its IPv6 address from DHCP
    ipv6 nd other-config-flag <++++++ tells the workstation to get other config (dns server, domain name, etc) from DHCP
    Regards
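
The three `ipv6 nd` settings in the reply above change what the Router Advertisement carries: the M and O flags, and whether a prefix with the autonomous (A) flag is advertised at all. As an added example (not part of the original post), this Python code decodes an RA payload, such as one exported from the Wireshark capture, and reports how a client would configure itself; `build_ra`, `parse_ra` and `client_behaviour` are hypothetical names and the sample packets are constructed.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option
# type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
RA_HDR = struct.Struct("!BBHBBHII")
# type, length, prefix length, flags, valid, preferred, reserved, prefix
PIO = struct.Struct("!BBBBIII16s")


def build_ra(managed, other, prefixes=()):
    """Build a constructed sample RA (checksum left at 0, for parsing only)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    msg = RA_HDR.pack(RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    for prefix, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = 0x80 | (0x40 if autonomous else 0)  # L set, A per caller
        msg += PIO.pack(OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                        2592000, 604800, 0, net.network_address.packed)
    return msg


def parse_ra(data):
    """Decode M/O flags, router lifetime and Prefix Information options."""
    if len(data) < RA_HDR.size:
        raise ValueError("truncated Router Advertisement")
    icmp_type, code, _ck, _hop, flags, lifetime, _r, _t = RA_HDR.unpack_from(data)
    if icmp_type != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "managed": bool(flags & 0x80),   # ipv6 nd managed-config-flag
        "other": bool(flags & 0x40),     # ipv6 nd other-config-flag
        "default_router": lifetime > 0,  # lifetime 0 = not a default router
        "prefixes": [],
    }
    off = RA_HDR.size
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard packet
        end = off + opt_len * 8
        if end > len(data):
            raise ValueError("option runs past end of packet")
        if opt_type == OPT_PREFIX_INFO:
            if opt_len != 4:
                raise ValueError("bad Prefix Information length")
            _t, _l, plen, pflags, _v, _p, _rsv, raw = PIO.unpack_from(data, off)
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(raw)}/{plen}",
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),  # A flag drives SLAAC
            })
        off = end
    return ra


def client_behaviour(ra):
    """Summarise how a host would obtain its address from this RA."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "dhcpv6+slaac" if slaac else "dhcpv6-only"
    if slaac:
        return "slaac+stateless-dhcpv6" if ra["other"] else "slaac-only"
    return "no-address-config"


if __name__ == "__main__":
    # Constructed RA matching the reply: prefix not advertised, M and O set.
    reply_cfg = parse_ra(build_ra(True, True))
    print(client_behaviour(reply_cfg), reply_cfg)
    # Constructed RA for an interface left at defaults: prefix with A flag.
    default_cfg = parse_ra(build_ra(False, False, [("2001:DB8:12FF:1::/64", True)]))
    print(client_behaviour(default_cfg), default_cfg)
```

If no RA reaches the client at all, as in the original question, there is nothing to decode and the host has no default router regardless of these flags.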

  • Nexus 6004 EIGRP Relationship between the two switches

    Hi All,
    I will try to explain this as best as I can. In our current TEST LAB we have a Pair of Cisco ASA5585x running in Active/Passive mode. We use a VRF transit to connect the 10 GB interface to a Pair of Cisco Nexus 6004 (L3) switches running vPC between them. Downstream we also have a pair of Cisco 9372 switches (L2) also running vPC between the two.
    As of right now we have EIGRP neighbor relationship formed between the two N6K's and the ASA.
    ASA
    ciscoasa# sh eigrp neighbors
    EIGRP-IPv4 neighbors for process 100
    H Address Interface Hold Uptime SRTT RTO Q Seq
    (sec) (ms) Cnt Num
    1 172.16.230.9 Te0/8.451 12 01:30:25 1 200 0 52
    0 172.16.230.10 Te0/8.451 12 01:30:25 1 200 0 48
    The ASA formed relationship with both N6K's
    SWITCH1
    Nexus6-1# sh ip eigrp neighbors vrf inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H Address Interface Hold Uptime SRTT RTO Q Seq
    (sec) (ms) Cnt Num
    0 172.16.8.3 Vlan680 11 01:28:28 1 50 0 45
    1 172.16.230.10 Vlan451 13 01:28:28 1 50 0 46
    2 172.16.230.11 Vlan451 10 01:28:00 4 50 0 13
    Nexus6-1#
    SWITCH2
    Nexus6-2# sh ip eigrp neighbors vrf Inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H Address Interface Hold Uptime SRTT RTO Q Seq
    (sec) (ms) Cnt Num
    2 172.16.8.2 Vlan680 14 01:30:11 23 138 0 48
    0 172.16.230.9 Vlan451 13 01:30:11 480 2880 0 50
    1 172.16.230.11 Vlan451 13 01:29:48 1598 5000 0 13
    Nexus6-2#
    Both Nexus Switches formed EIGRP neighbors using the vPC Peer-Link. There is enough documentation out there that strongly suggest not to use vPC Peer-Links for EIGRP anything.
    We do have additional interfaces available on the 6K's that we can use as a cross connect for EIGRP. What we are having trouble understanding how we can force EIGRP traffic over those ports?
    Here is a complete Switch config:
    Switch1
    Nexus6-1# sh run
    feature telnet
    cfs eth distribute
    feature eigrp
    feature interface-vlan
    feature lacp
    feature vpc
    feature lldp
    vlan 1
    vlan 451
    name P2P_VRF_SVI
    vlan 652
    name Management
    vlan 680
    name Inside
    vrf context Inside
    vrf context management
    ip route 0.0.0.0/0 172.16.52.1
    vrf context peer-keepalive
    vpc domain 99
    role priority 1
    peer-keepalive destination 10.200.50.2 source 10.200.50.1 vrf peer-keepalive
    delay restore 120
    interface Vlan1
    interface Vlan451
    description Inside p2p to ASA
    no shutdown
    vrf member Inside
    ip address 172.16.230.9/29
    ip router eigrp 100
    no ip passive-interface eigrp 100
    interface Vlan651
    interface Vlan680
    description Inside Network
    no shutdown
    vrf member Inside
    ip address 172.16.8.2/22
    ip router eigrp 100
    interface port-channel99
    switchport mode trunk
    spanning-tree port type network
    vpc peer-link
    interface port-channel102
    switchport mode trunk
    vpc 102
    interface Ethernet1/1
    description vPC Peer Link 1.1
    switchport mode trunk
    speed auto
    channel-group 99
    interface Ethernet1/6
    interface Ethernet1/7
    description vPC Peer Link 1.7 to Nexus 9372 PRI
    switchport mode trunk
    speed auto
    channel-group 102 mode active
    interface Ethernet1/8
    interface Ethernet1/9
    interface Ethernet2/1
    description vPC Peer Link 2.1
    switchport mode trunk
    speed auto
    channel-group 99
    interface Ethernet2/2
    interface Ethernet2/7
    description vPC Peer Link 2.1 to Nexus SEC
    switchport mode trunk
    speed auto
    channel-group 102 mode active
    interface Ethernet2/8
    interface Ethernet8/1
    description keep-alive peer-link to ALNSWI02
    no switchport
    vrf member peer-keepalive
    ip address 10.200.50.1/30
    interface Ethernet8/2
    description Uplink to ASA
    switchport mode trunk
    interface Ethernet8/3
    interface mgmt0
    vrf member management
    ip address 172.16.52.3/23
    line console
    line vty
    boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
    boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
    router eigrp 100
    passive-interface default
    default-information originate
    vrf Inside
    autonomous-system 100
    default-information originate
    poap transit
    Nexus6-1#
    Nexus6-1# sh ip eigrp neighbors vrf inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H Address Interface Hold Uptime SRTT RTO Q Seq
    (sec) (ms) Cnt Num
    0 172.16.8.3 Vlan680 11 01:28:28 1 50 0 45
    1 172.16.230.10 Vlan451 13 01:28:28 1 50 0 46
    2 172.16.230.11 Vlan451 10 01:28:00 4 50 0 13
    Nexus6-1#
    Nexus6-1# sh ip eigrp topology vrf Inside
    IP-EIGRP Topology Table for AS(100)/ID(172.16.8.2) VRF Inside
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
    r - reply Status, s - sia Status
    P 172.16.8.0/22, 1 successors, FD is 2816
    via Connected, Vlan680
    P 172.16.230.8/29, 1 successors, FD is 2816
    via Connected, Vlan451
    Nexus6-1# sh vpc
    Legend:
    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id : 99
    Peer status : peer adjacency formed ok
    vPC keep-alive status : peer is alive
    Configuration consistency status : success
    Per-vlan consistency status : success
    Type-2 consistency status : success
    vPC role : primary
    Number of vPCs configured : 1
    Peer Gateway : Disabled
    Dual-active excluded VLANs : -
    Graceful Consistency Check : Enabled
    Auto-recovery status : Disabled
    vPC Peer-link status
    id Port Status Active vlans
    1 Po99 up 1,451,652,680
    vPC status
    id Port Status Consistency Reason Active vlans
    102 Po102 up success success 1,451,652,680
    Nexus6-1# sh spanning-tree
    VLAN0001
    Spanning tree enabled protocol rstp
    Root ID Priority 32769
    Address 1005.caf5.88ff
    Cost 2
    Port 4197 (port-channel102)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    Eth8/3 Desg FWD 2 128.1027 P2p
    VLAN0451
    Spanning tree enabled protocol rstp
    Root ID Priority 33219
    Address 8c60.4f2d.2ffc
    This bridge is the root
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 33219 (priority 32768 sys-id-ext 451)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Desg FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    VLAN0652
    Spanning tree enabled protocol rstp
    Root ID Priority 33420
    Address 1005.caf5.88ff
    Cost 2
    Port 4197 (port-channel102)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 33420 (priority 32768 sys-id-ext 652)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    VLAN0680
    Spanning tree enabled protocol rstp
    Root ID Priority 33448
    Address 1005.caf5.88ff
    Cost 2
    Port 4197 (port-channel102)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 33448 (priority 32768 sys-id-ext 680)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    Nexus6-1#
    Switch2
    Nexus6-2# sh run
    !Command: show running-config
    !Time: Sat Feb 12 19:02:44 2011
    version 7.0(1)N1(1)
    hostname Nexus6-2
    feature telnet
    cfs eth distribute
    feature eigrp
    feature interface-vlan
    feature lacp
    feature vpc
    feature lldp
    vlan 1
    vlan 451
    name P2P_VRF_SVI
    vlan 652
    name Management
    vlan 680
    name Inside
    vrf context Inside
    vrf context P2P_Inside_VRF
    vrf context management
    ip route 0.0.0.0/0 172.16.52.1
    vrf context peer-keepalive
    vpc domain 99
    role priority 2
    peer-keepalive destination 10.200.50.1 source 10.200.50.2 vrf peer-keepalive
    delay restore 120
    interface Vlan1
    interface Vlan451
    description Inside p2p to ASA
    no shutdown
    vrf member Inside
    ip address 172.16.230.10/29
    ip router eigrp 100
    no ip passive-interface eigrp 100
    interface Vlan680
    description Inside Network
    no shutdown
    vrf member Inside
    ip address 172.16.8.3/22
    ip router eigrp 100
    interface port-channel99
    switchport mode trunk
    spanning-tree port type network
    vpc peer-link
    interface port-channel102
    switchport mode trunk
    vpc 102
    interface Ethernet1/1
    description vPC Peer Link 1.1
    switchport mode trunk
    speed auto
    channel-group 99
    interface Ethernet1/2
    interface Ethernet1/6
    interface Ethernet1/7
    description vPC Link 1.7 to Nexus 9372 SEC
    switchport mode trunk
    speed auto
    channel-group 102 mode active
    interface Ethernet1/8
    interface Ethernet1/12
    interface Ethernet2/1
    description vPC Peer Link 2.1
    switchport mode trunk
    speed auto
    channel-group 99
    interface Ethernet2/2
    interface Ethernet2/6
    interface Ethernet2/7
    description vPC Link 2.1 to Nexus PRI
    switchport mode trunk
    speed auto
    channel-group 102 mode active
    interface Ethernet2/8
    interface Ethernet2/12
    interface Ethernet8/1
    description keep-alive peer-link to ALNSWI01
    no switchport
    vrf member peer-keepalive
    ip address 10.200.50.2/30
    interface Ethernet8/2
    description Uplink to ASA
    switchport mode trunk
    switchport trunk allowed vlan 1,451,652,680
    interface Ethernet8/3
    interface Ethernet8/20
    interface mgmt0
    vrf member management
    ip address 172.16.52.4/23
    line console
    line vty
    boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
    boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
    router eigrp 100
    vrf Inside
    autonomous-system 100
    default-information originate
    poap transit
    logging logfile messages 6
    Nexus6-2#
    Nexus6-2#
    Nexus6-2# sh ip eigrp neighbors vrf Inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H Address Interface Hold Uptime SRTT RTO Q Seq
    (sec) (ms) Cnt Num
    2 172.16.8.2 Vlan680 14 01:30:11 23 138 0 48
    0 172.16.230.9 Vlan451 13 01:30:11 480 2880 0 50
    1 172.16.230.11 Vlan451 13 01:29:48 1598 5000 0 13
    Nexus6-2#
    Nexus6-2# sh ip eigrp topology vrf Inside
    IP-EIGRP Topology Table for AS(100)/ID(172.16.8.3) VRF Inside
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
    r - reply Status, s - sia Status
    P 172.16.8.0/22, 1 successors, FD is 2816
    via Connected, Vlan680
    P 172.16.230.8/29, 1 successors, FD is 2816
    via Connected, Vlan451
    Nexus6-2#
    Nexus6-2#
    Nexus6-2# sh vpc
    Legend:
    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id : 99
    Peer status : peer adjacency formed ok
    vPC keep-alive status : peer is alive
    Configuration consistency status : success
    Per-vlan consistency status : success
    Type-2 consistency status : success
    vPC role : secondary
    Number of vPCs configured : 1
    Peer Gateway : Disabled
    Dual-active excluded VLANs : -
    Graceful Consistency Check : Enabled
    Auto-recovery status : Disabled
    vPC Peer-link status
    id Port Status Active vlans
    1 Po99 up 1,451,652,680
    vPC status
    id Port Status Consistency Reason Active vlans
    102 Po102 up success success 1,451,652,680
    Nexus6-2#
    Nexus6-2#
    Nexus6-2# sh spanning-tree
    VLAN0001
    Spanning tree enabled protocol rstp
    Root ID Priority 32769
    Address 1005.caf5.88ff
    Cost 3
    Port 4194 (port-channel99)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
    Address 8c60.4f2d.777c
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    Eth8/3 Desg FWD 2 128.1027 P2p
    VLAN0451
    Spanning tree enabled protocol rstp
    Root ID Priority 33219
    Address 8c

    Jon,
    Are you ready for the mass confusion?
    When looking at the ASA EIGRP neighbors output, here is what I see.
    ASA# sh eigrp neighbors
    EIGRP-IPv4 neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    3   172.16.230.1            Te0/8.450        13  16:45:14 1    200   0   64
    2   172.16.230.2            Te0/8.450        11  16:45:14 1    200   0   84
    1   172.16.230.10           Te0/8.451        11  16:45:20 1    200   0   178
    0   172.16.230.9            Te0/8.451        13  16:45:20 1    200   0   148
    For simplicity's sake let's just concentrate on Interface TenGigabit0/8.451, which is the SVI on the Nexus switch that is VLAN451.
    From the Nexus Switch 6004 that is directly connected to the ASA here is what I see
    SWI01# sh ip eigrp neighbors vrf Inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   172.16.8.3              Vlan680         10   17:04:30  54   324   0   177
    1   172.16.230.10           Vlan451         11   16:59:10  819  4914  0   178
    2   172.16.230.11           Vlan451         14   16:53:48  24   144   0   20
    The Inside VRF that is tied to both SVI's on the Switch vlans 451 and 680 is in EIGRP 100 on the switch
    SWI01# sh run int vlan 451
    interface Vlan451
      description Inside p2p to ASA
      no shutdown
      vrf member Inside
      ip address 172.16.230.9/29
      ip router eigrp 100
      no ip passive-interface eigrp 100
    SWI01# sh run int vlan 680
    interface Vlan680
      description Inside Network
      no shutdown
      vrf member Inside
      ip address 172.16.8.2/22
      ip router eigrp 100
      hsrp 1
        authentication text test
        preempt
        priority 250
        ip 172.16.8.1
    So, are you with me so far?
    If you are, you have noticed that on the ASA neighbors the ASA sees 172.16.230.11 as a neighbor which is the Secondary Nexus SW. That is because they all share the same subnet.
    172.16.230.8/29
    Breakdown:
    PRI Nexus 6004 - 172.16.230.9
    SEC NEXUS 6004 - 172.16.230.10
    PRI ASA 5585x  - 172.16.230.11
    SEC ASA 5585x  - 172.16.230.12
    Because the ASA EIGRP network is a /29 it learns the Secondary Nexus via the Primary Nexus.
    I am not sure that the link we created between the two Nexus Switches is doing anything but consuming ports right now.
    SWI01# sh run int ethernet 8/9
    interface Ethernet8/9
      description EIGRP PORT to Secondary Nexus
      switchport mode trunk
      switchport trunk allowed vlan 450-451
    SWI02# sh run int ethernet 8/9
    interface Ethernet8/9
      description EIGRP PORT to Primary Nexus
      switchport mode trunk
      switchport trunk allowed vlan 450-451
    So the SVI's that go up to the ASA for inspection are 450 and 451. The network SVI's are 600 and 680 all of them live on the switch, and 680, and 600 are extended over the peer links down to the 9372's.
    I think that we are breaking the golden rule of vPC BUT.. I am not 100% sure. Some of the documents read that we should not be allowing network vlans over peer links, but then how do you extend the vlans down to the leaf switch?
    This is giving me nightmares at the moment…
    does this make sense? 

  • Redundant access from MPLS VPN to global routing table

    Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
    As I'm not aware of any methods how to dynamically import/export routes between VRF/Global routing tables, at the moment there are static routes configured - one inside VRF pointing to global next hop, another one in global routing table, pointing to interface inside VRF.
    Task is to configure redundant access to Internet. By redundancy I mean using several exit points (primary and backup), what physically represents separate boxes.
    Here comes tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if specific prefix is reachable in VRF or not. What I'd like to achieve is that specific static route becomes valid only if specific prefix is reachable inside VRF. Yea, sounds like dynamic routing :), I know
    OK, hope U got the idea. Any solutions/recommendations ? Running all Internet routing inside VRF isn't an option, at least for now :(

    Hi Andris,
    I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
    dot1q will be ok as well.
    This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
    Example:
    PE config:
    interface Serial0/0
     encapsulation frame-relay
    interface Serial0/0.1 point-to-point
     description customer VPN access
     ip vrf forwarding customer
     ip address 10.1.1.1 255.255.255.252
    interface Serial0/0.2 point-to-point
     description customer Internet access
     ip address 192.168.1.1 255.255.255.252
    router rip
     address-family ipv4 vrf customer
      version 2
      network 10.0.0.0
      no auto-summary
      redistribute bgp 65000 metric 5
    router bgp 65000
     neighbor 192.168.1.2 remote-as 65001
     address-family ipv4 vrf customer
      redistribute rip
    CE config:
    interface Serial0/0
     encapsulation frame-relay
    interface Serial0/0.1 point-to-point
     description VPN access
     ip address 10.1.1.2 255.255.255.252
    interface Serial0/0.2 point-to-point
     description Internet access
     ip address 192.168.1.2 255.255.255.252
    router bgp 65001
     neighbor 192.168.1.1 remote-as 65000
    router rip
     version 2
     network 10.0.0.0
     no auto-summary
    Of course you can replace RIP with whatever is suitable for you. And don't sue me when you do not apply required BGP filters for internet access... ;-)
    The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
    Regards
    Martin

  • Disconnect VPN Client

    Hi,
    I have installed a VPN Server using Easy VPN Server.
    What is the command to show VPN Clients connecting to the VPN server?
    How do I disconnect a VPN Client connection?
    Cheers,
    peiwai

    Thanks!
    That's what you need to do:
    1. Session monitoring
    show crypto session summary
    R100#sh crypto session summary
    Group ezvpngrp has 1 connections
       User (Logins)
       cisco (1)
    Group ezvpngrp2 has 1 connections
       User (Logins)
       cisco2 (1)
    show crypto session and show crypto session detail will provide more details
    2. User administrative disconnect:
    R100#clear crypto session ?
      active    Clears HA-enabled crypto sessions in the active state
      fvrf      Front-door VRF
      ikev2     Clear ikev2 sessions
      isakmp    Clear crypto sessions belonging to the group
      ivrf      Inside VRF
      local     Clear crypto sessions for a local crypto endpoint
      remote    Clear crypto sessions for a remote IKE peer
      standby   Clears HA-enabled crypto sessions in the standby state
      username  Clear crypto sessions of a user
    clear crypto session username vpnuser would disconnect the user with the name vpnuser
    Let me know if this answers your question.
    Cheers,
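
    An added example, not part of the original answer: a Python script that parses `show crypto session summary` output in the format quoted above, checks the logged-in users against a per-group allowlist, and builds the matching `clear crypto session username` commands for an operator to review. The allowlist, the `contractor7` user and all function names are assumptions; the sample output is constructed.

```python
import re

GROUP_RE = re.compile(r"Group\s+(\S+)\s+has\s+(\d+)\s+connections?")
USER_RE = re.compile(r"(\S+)\s+\((\d+)\)")      # "cisco (1)"; skips "User (Logins)"
SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]+")     # characters we accept in a CLI argument

# Constructed sample: the format quoted above, with an invented second user.
SAMPLE = """\
R100#sh crypto session summary
Group ezvpngrp has 1 connections
   User (Logins)
   cisco (1)
Group ezvpngrp2 has 3 connections
   User (Logins)
   cisco2 (1)
   contractor7 (2)
"""

# Assumption: the operator maintains the expected users per Easy VPN group.
ALLOWED = {"ezvpngrp": {"cisco"}, "ezvpngrp2": {"cisco2"}}


def parse_summary(text):
    """Return {group: {user: logins}}. Works on output pasted onto one line too."""
    headers = list(GROUP_RE.finditer(text))
    sessions = {}
    for i, hdr in enumerate(headers):
        # A group's user rows run from its header to the next header (or the end).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        rows = USER_RE.findall(text[hdr.end():end])
        sessions[hdr.group(1)] = {user: int(n) for user, n in rows}
    return sessions


def audit(sessions, allowed, max_logins=1):
    """List (group, user, reason) for unexpected users or too many logins."""
    findings = []
    for group in sorted(sessions):
        for user, logins in sorted(sessions[group].items()):
            if user not in allowed.get(group, set()):
                findings.append((group, user, "not on allowlist"))
            elif logins > max_logins:
                findings.append((group, user, f"{logins} concurrent logins"))
    return findings


def disconnect_commands(findings):
    """Build the clear commands for review; never paste odd names into a CLI."""
    commands = []
    for _group, user, _reason in findings:
        if not SAFE_NAME.fullmatch(user):
            raise ValueError(f"refusing to build a command for {user!r}")
        commands.append(f"clear crypto session username {user}")
    return commands


if __name__ == "__main__":
    found = audit(parse_summary(SAMPLE), ALLOWED)
    for group, user, reason in found:
        print(f"{group}: {user}: {reason}")
    print("\n".join(disconnect_commands(found)))
```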

  • Import/Exporting iVRF routes in IPsec iVRF/FVRF environment

    Hi,
    I am currently terminating a number of IPsec VPNs into customers' 'inside' VRFs (iVRFs) with the 'classic' crypto-map applied in a separate Front-Door VRF (FVRF) on an ASR1k. I now want to export a VPN route from one iVRF into another VRF using MP-BGP. This works as expected in as far as the VPN prefix makes it into the BGP table, but not into the RIB - it would appear that this may be by design and a route with a next-hop in the FVRF (i.e. the VPN RRI route) cannot be exported from the VRF and imported into another VRF. Is there any workaround for this; the only one solution which looks like it might work is to import/export these routes using another VRF and back-to-back VASI interfaces, using ordinary BGP to leak routes. Another possible solution is also to use sVTIs instead of classic crypto (thus avoiding the RRI route), but this doesn't address the need to support classic crypto.
    Cheers,
    Matt

  • Cisco ASR 9922 CGNAT VSM Module

    Hello,
    I want to deploy cg nat 44 on a newly purchased ASR 9922 with VSM module on it.
    Test Scenario is like this - 2 different inside one vrf (PRIVATE) and one global will be mapped to one global outside. I have configured but Interface Service App is not coming up. Please see the configuration and recommend what to do. Is there any feature for VSM module with 5.1.2?
    1.  sh install committed
    Node 0/3/CPU0 [LC] [SDR: Owner]
        Boot Device: mem:
        Boot Image: /disk0/asr9k-os-mbi-5.1.2/lc/0x3C0266/mbiasr9k-lc-x86e.vm
        Committed Packages: 
          disk0:asr9k-mini-px-5.1.2
          disk0:asr9k-services-infra-5.1.2
          disk0:asr9k-mcast-px-5.1.2
          disk0:asr9k-mpls-px-5.1.2
          disk0:asr9k-services-px-5.1.2
      Node 0/4/CPU0 [LC] [SDR: Owner]
        Boot Device: mem:
        Boot Image: /disk0/asr9k-os-mbi-5.1.2/lc/0x3C0266/mbiasr9k-lc-x86e.vm
        Committed Packages: 
          disk0:asr9k-mini-px-5.1.2
          disk0:asr9k-services-infra-5.1.2
          disk0:asr9k-mcast-px-5.1.2
          disk0:asr9k-mpls-px-5.1.2
          disk0:asr9k-services-px-5.1.2
    ==========================================
    RP/0/RP0/CPU0:PO561_CORE_1#sh run
    Wed Sep 24 08:24:33.373 UTC
    Building configuration...
    !! IOS XR Configuration 5.1.2
    !! Last configuration change at Wed Sep 24 08:24:10 2014 by admin
    vrf PRIVATE
     address-family ipv4 unicast
    virtual-service enable
    virtual-service btribcgn
     vnic interface TenGigE0/3/1/0
     vnic interface TenGigE0/3/1/1
     vnic interface TenGigE0/3/1/2
     vnic interface TenGigE0/3/1/3
     vnic interface TenGigE0/3/1/4
     vnic interface TenGigE0/3/1/5
     vnic interface TenGigE0/3/1/6
     vnic interface TenGigE0/3/1/7
     vnic interface TenGigE0/3/1/8
     vnic interface TenGigE0/3/1/9
     vnic interface TenGigE0/3/1/10
     vnic interface TenGigE0/3/1/11
     activate
    virtual-service btribcgnat
     vnic interface TenGigE0/4/1/0
     vnic interface TenGigE0/4/1/1
     vnic interface TenGigE0/4/1/2
     vnic interface TenGigE0/4/1/3
     vnic interface TenGigE0/4/1/4
     vnic interface TenGigE0/4/1/5
     vnic interface TenGigE0/4/1/6
     vnic interface TenGigE0/4/1/7
     vnic interface TenGigE0/4/1/8
     vnic interface TenGigE0/4/1/9
     vnic interface TenGigE0/4/1/10
     vnic interface TenGigE0/4/1/11
     activate
    redundancy
     iccp
      group 1
       mlacp node 1
       mlacp system mac 0000.0000.0001
       mlacp system priority 1
       mlacp connect timeout 0
       member
        neighbor 172.16.100.2
       backbone
        interface HundredGigE0/5/0/0
       isolation recovery-delay 100
      group 2
       mlacp node 2
       mlacp system mac 0000.0000.0002
       mlacp system priority 2
       mlacp connect timeout 0
       member
        neighbor 172.16.100.2
       backbone
        interface HundredGigE0/5/0/0
       isolation recovery-delay 100
    control-plane
     management-plane
      inband
       interface all
        allow Telnet
    ipv4 virtual address 172.16.3.1 255.255.255.0
    interface Bundle-Ether1
     lacp switchover suppress-flaps 100
     mlacp iccp-group 1
     mlacp switchover type revertive
     mlacp switchover recovery-delay 40
     bundle wait-while 0
    interface Bundle-Ether1.4
     ipv4 address 172.16.4.254 255.255.255.0
     encapsulation dot1q 4
    interface Bundle-Ether1.5
     ipv4 address 172.16.5.254 255.255.255.0
     encapsulation dot1q 5
    interface Bundle-Ether2
     lacp switchover suppress-flaps 100
     mlacp iccp-group 2
     mlacp switchover type revertive
     mlacp switchover recovery-delay 40
     bundle wait-while 0
    interface Bundle-Ether3
     description ****** LINK_TO_3750_1 *****
    interface Bundle-Ether3.50 l2transport
     encapsulation dot1q any
    interface Bundle-Ether11
     description ****** LINK_TO_PO65_AGG_1 *****
    interface Bundle-Ether11.1
     ipv4 address 172.16.1.5 255.255.255.252
     encapsulation dot1q 11
    interface Bundle-Ether11.50 l2transport
     encapsulation dot1q any
    interface Bundle-Ether12
     description ****** LINK_TO_PO65_AGG_2 *****
    interface Bundle-Ether12.1
     ipv4 address 172.16.1.9 255.255.255.252
     encapsulation dot1q 12
    interface Bundle-Ether12.50 l2transport
     encapsulation dot1q any
    interface Bundle-Ether13
     description ****** LINK_TO_PO65_AGG_3 *****
    interface Bundle-Ether13.1
     ipv4 address 172.16.1.13 255.255.255.252
     encapsulation dot1q 13
    interface Bundle-Ether13.2
     ipv4 address 11.1.1.1 255.255.255.0
     encapsulation dot1q 132
    interface Bundle-Ether13.3
     vrf PRIVATE
     ipv4 address 22.22.22.1 255.255.255.252
     encapsulation dot1q 133
    interface Loopback0
     ipv4 address 172.16.100.1 255.255.255.255
    interface MgmtEth0/RP0/CPU0/0
     ipv4 address 172.16.3.2 255.255.255.0
    interface MgmtEth0/RP0/CPU0/1
     shutdown
    interface MgmtEth0/RP1/CPU0/0
     ipv4 address 172.16.3.3 255.255.255.0
    interface MgmtEth0/RP1/CPU0/1
     shutdown
    interface TenGigE0/3/1/0
    interface TenGigE0/3/1/1
    interface TenGigE0/3/1/2
    interface TenGigE0/3/1/3
    interface TenGigE0/3/1/4
    interface TenGigE0/3/1/5
    interface TenGigE0/3/1/6
    interface TenGigE0/3/1/7
    interface TenGigE0/3/1/8
    interface TenGigE0/3/1/9
    interface TenGigE0/3/1/10
    interface TenGigE0/3/1/11
    interface TenGigE0/4/1/0
    interface TenGigE0/4/1/1
    interface TenGigE0/4/1/2
    interface TenGigE0/4/1/3
    interface TenGigE0/4/1/4
    interface TenGigE0/4/1/5
    interface TenGigE0/4/1/6
    interface TenGigE0/4/1/7
    interface TenGigE0/4/1/8
    interface TenGigE0/4/1/9
    interface TenGigE0/4/1/10
    interface TenGigE0/4/1/11
    interface ServiceApp1
     vrf PRIVATE
     ipv4 address 12.12.12.1 255.255.255.252
     service cgn btribcgn service-type nat44
    interface ServiceApp2
    interface ServiceApp3
     ipv4 address 23.23.23.1 255.255.255.252
     service cgn btribcgn service-type nat44
    interface ServiceInfra1
     ipv4 address 1.1.1.1 255.255.255.252
     service-location 0/3/CPU0
    interface ServiceInfra2
     ipv4 address 2.2.2.1 255.255.255.252
     service-location 0/4/CPU0
    interface HundredGigE0/2/0/0
     shutdown
    interface HundredGigE0/2/0/1
     shutdown
    interface HundredGigE0/5/0/0
     description ***** LINK TO PO561_CORE_2 *****
     ipv4 address 172.16.1.1 255.255.255.252
    interface HundredGigE0/5/0/1
     shutdown
    router static
     address-family ipv4 unicast
      11.0.0.0/24 172.16.3.254
      214.16.64.0/24 ServiceApp3
     vrf PRIVATE
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp1
    service cgn btribcgn
     service-location preferred-active 0/3/CPU0
     service-type nat44 nat1
      inside-vrf PRIVATE
       map address-pool 214.16.64.0/24
    end
    RP/0/RP0/CPU0:PO561_CORE_1#     
    ======================
    Wed Sep 24 08:24:59.780 UTC
    ServiceApp1 is down, line protocol is down 
      Interface state transitions: 0
      Hardware is SEAPP SVI Interface
      Internet address is 12.12.12.1/30
      MTU 1514 bytes, BW 20480000 Kbit (Max: 20480000 Kbit)
         reliability Unknown, txload Unknown, rxload Unknown
      Encapsulation service_base,  loopback not set,
      Last input Unknown, output Unknown
      Last clearing of "show interface" counters Unknown
      Input/output data rate is disabled.
    =================
    ServiceInfra1 is up, line protocol is up 
      Interface state transitions: 5
      Hardware is SEINFRA SVI Interface
      Internet address is 1.1.1.1/30
      MTU 1514 bytes, BW 1024 Kbit (Max: 1024 Kbit)
         reliability 255/255, txload 0/255, rxload 0/255
      Encapsulation service_base,  loopback not set,
      Last input never, output 00:00:00
      Last clearing of "show interface" counters never
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 3000 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 total input drops
         0 drops for unrecognized upper-level protocol
         Received 0 broadcast packets, 0 multicast packets
         788 packets output, 985000 bytes, 0 total output drops
         Output 0 broadcast packets, 0 multicast packets

    Hi Tural,
    yes, it's a VSM running a 5.2.0 (I've seen it running 5.1.1 too in the past).
    Config:
    vrf Inside
     address-family ipv4 unicast
    virtual-service enable
    virtual-service CGN
     vnic interface TenGigE0/3/1/0
     vnic interface TenGigE0/3/1/1
     vnic interface TenGigE0/3/1/2
     vnic interface TenGigE0/3/1/3
     vnic interface TenGigE0/3/1/4
     vnic interface TenGigE0/3/1/5
     vnic interface TenGigE0/3/1/6
     vnic interface TenGigE0/3/1/7
     vnic interface TenGigE0/3/1/8
     vnic interface TenGigE0/3/1/9
     vnic interface TenGigE0/3/1/10
     vnic interface TenGigE0/3/1/11
     activate
    hw-module service cgn location 0/3/CPU0
    interface TenGigE0/3/1/0
    interface TenGigE0/3/1/1
    interface TenGigE0/3/1/2
    interface TenGigE0/3/1/3
    interface TenGigE0/3/1/4
    interface TenGigE0/3/1/5
    interface TenGigE0/3/1/6
    interface TenGigE0/3/1/7
    interface TenGigE0/3/1/8
    interface TenGigE0/3/1/9
    interface TenGigE0/3/1/10
    interface TenGigE0/3/1/11
    interface ServiceApp11
     vrf Inside
     ipv4 address 1.1.1.1 255.255.255.252
     service cgn VSM service-type nat44
    interface ServiceApp12
     ipv4 address 1.1.2.1 255.255.255.252
     service cgn VSM service-type nat44
    interface ServiceInfra3
     ipv4 address 1.4.3.1 255.255.255.248
     service-location 0/3/CPU0
    service cgn VSM
     service-location preferred-active 0/3/CPU0
     service-type nat44 nat44-vsm
      inside-vrf Inside
       map address-pool 11.22.33.0/24
    end
    We can verify the state of the VM and the version of packages loaded (cgn 5.2.0 ova)
    RP/0/RSP0/CPU0:Inter#show virtual-service detail name CGN
    Wed Sep 24 22:35:32.456 UTC
    Virtual Service CGN Detail
    CGN:
      State                   : Activated
      Node name               : 0/3/CPU0
      Node status             : Install Mgr Ready, SDR Mgr Ready
      UUID                    : be9eec4e-3fca-56bf-ab08-dc31216825fc
      Package information
        Name                  : asr9k-vsm-cgv6-5.2.0.00.ova
        Path                  : /harddisk:/520/asr9k-vsm-cgv6-5.2.0.00.ova
        Application
          Name                : CGv6
          Installed version   : 1.0
          Description         : Carrier Grade NAT
        Signing
          Key type            : Unknown Package
          Method              : SHA1
        Licensing
          Name                : Not Available
          Version             : Not Available
      Activated profile name  : None
      Resource reservation
       Disk   : 10000MB
       Memory : 32768MB
       CPU    : 71 (system CPU %)
       VCPU   : 57
      Attached devices
      #             Type Name      Alias
      1              NIC net1      net1
      2              NIC net1      net1
      3              NIC net1      net1
      4              NIC net1      net1
      5              NIC net1      net1
      6              NIC net1      net1
      7              NIC net1      net1
      8              NIC net1      net1
      9              NIC net1      net1
      10             NIC net1      net1
      11             NIC net1      net1
      12             NIC net1      net1
      13    Serial/shell None      serial0
      14      Serial/aux None      serial1
      15             HDD hda       DD_10GB_UM_local
      16           CDROM hdc       ide0-1-0
      17        Watchdog None      None
     Network interfaces:
        Name
        TenGigE0/3/1/0
        TenGigE0/3/1/1
        TenGigE0/3/1/2
        TenGigE0/3/1/3
        TenGigE0/3/1/4
        TenGigE0/3/1/5
        TenGigE0/3/1/6
        TenGigE0/3/1/7
        TenGigE0/3/1/8
        TenGigE0/3/1/9
        TenGigE0/3/1/10
        TenGigE0/3/1/11
      Resource admission (without profile)
        Disk space            : 10000MB
        Memory                : 32768MB
        CPU                   : 100% system CPU
        VCPUs                 : 57 (sockets:3 cores:19 threads:1)
    RP/0/RSP0/CPU0:Inter#
    ServiceApp and ServiceInfra status:
    RP/0/RSP0/CPU0:Inter#sh int serviceapp11 brief
    Wed Sep 24 22:35:47.038 UTC
                   Intf       Intf        LineP              Encap  MTU        BW
                   Name       State       State               Type (byte)    (Kbps)
                   SA11          up          up       service_base  1514   20480000
    RP/0/RSP0/CPU0:Inter#sh int serviceapp12 brief
    Wed Sep 24 22:35:54.034 UTC
                   Intf       Intf        LineP              Encap  MTU        BW
                   Name       State       State               Type (byte)    (Kbps)
                   SA12          up          up       service_base  1514   20480000
    RP/0/RSP0/CPU0:Inter#sh int serviceinfra3 brief
    Wed Sep 24 22:36:02.501 UTC
                   Intf       Intf        LineP              Encap  MTU        BW
                   Name       State       State               Type (byte)    (Kbps)
                    SI3          up          up       service_base  1514       1024
    RP/0/RSP0/CPU0:Inter#
    Best regards,
    Nicolas.

  • STATIC-FORWARD IOS-XR

    Hi guys, 
    I want to know how I can configure static NAT on the ASR9000. The ASR has IOS-XR 4.3.4 and the configuration is as follows:
    hw-module service cgn location 0/4/CPU0
    interface ServiceInfra 1
    ipv4 address 100.10.200.253 255.255.255.252
    service-location 0/4/CPU0
    interface Gigabitethernet 0/0/0/19
    description INSIDE
    vrf ivrf1
    ipv4 address 192.168.0.254 255.255.255.0
    interface ServiceApp1
    description INBOUND INSIDE TO ISM
    vrf ivrf1
    ipv4 address 100.10.200.1 255.255.255.252
    service cgn prueba service-type nat44
    interface ServiceApp2
    description OUTBOUND OUTSIDE
    ipv4 address 100.10.200.5 255.255.255.252
    service cgn prueba service-type nat44
    router static
    address-family ipv4 unicast
    191.20.20.0/24 ServiceApp2
    vrf ivrf1
    address-family ipv4 unicast
    0.0.0.0/0 ServiceApp1
    service cgn prueba
     service-location preferred-active 0/4/CPU0
     service-type nat44 nat1
      portlimit 65535
      alg ActiveFTP
      alg rtsp
      alg pptpAlg
      inside-vrf ivrf1
       map address-pool 191.20.20.0/24
      protocol udp
       session initial timeout 30
       session active timeout 120
      protocol tcp
       session initial timeout 120
       session active timeout 1800
      protocol icmp
       timeout 60
      refresh-direction Outbound
    The configuration above is working perfectly and I can reach the Internet. Now I need to migrate the following static NAT configuration to the ASR9000:
    ip nat inside source static tcp 192.168.0.205 3299 191.20.20.205 3299 extendable
    Can you help, please?
    Would greatly appreciate if you could help me
    Thanks.
    Fredy Caceres

    Hi Fredy,
    Please see link below,
    https://supportforums.cisco.com/document/11939006/cgv6-ism-cgnnat44-deployment-guide#static-port-forwarding
    http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-3/cg_nat/command/reference/b_cgnat_cr43xasr9k/b_cgnat_cr42crs_chapter_01.html#wp2900083483
    Best Regards,
    Bheem
