[c-nsp] Re: Interfacing between VRF and global across interface in one router

Joe Maimon jmaimon at ttec.com
Tue Jan 18 07:45:46 EST 2005



Joe Maimon wrote:

> Does anybody know of a way to create an interface between two VRF's or 
> a VRF and the global table inside one router?
>
I seem to have gotten the tunnels and loopback method to work (heavily 
edited config below). I don't actually like this because of loopback 
process switching and because of MTU overhead, since tunnels sourced 
from loopback seem to be constrained to a max of 1490.



rt11#
rt11#sh conf
Using 10246 out of 126968 bytes
!
version 12.3
!
hostname rt11
!
boot-start-marker
boot system disk0:rsp-jk9o3sv-mz.123-8.T6.bin
boot-end-marker
!
!
ip vrf PRIVATE
description PRIVATE networks
rd 100:5
route-target export 100:5
route-target import 100:5
!
!
!
interface Tunnel0
ip address 66.66.66.253 255.255.255.252
tunnel source Loopback0
tunnel destination 66.66.66.2
!
interface Tunnel1
ip vrf forwarding PRIVATE
ip address 66.66.66.254 255.255.255.252
ip nat outside
ip virtual-reassembly
tunnel source Loopback1
tunnel destination 66.66.66.1
!
!
interface Loopback0
ip address 66.66.66.1 255.255.255.255
!
interface Loopback1
ip vrf forwarding PRIVATE
ip address 66.66.66.2 255.255.255.255
!  
interface Port-channel1
no ip address
ip route-cache policy
ip route-cache flow
full-duplex
no cdp enable
!
interface Port-channel1.1
encapsulation dot1Q 1 native
!
interface Port-channel1.3
encapsulation dot1Q 3
ip vrf forwarding PRIVATE
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0/0
no ip address
ip route-cache policy
ip route-cache flow
full-duplex
channel-group 1
!
interface FastEthernet0/1/0
no ip address
ip route-cache policy
ip route-cache flow
full-duplex
channel-group 1
!
router rip
version 2
redistribute connected
redistribute static
passive-interface default
no passive-interface Port-channel1.3
no passive-interface Tunnel0
no passive-interface Tunnel1
network 66.66.66.0
no auto-summary
!
address-family ipv4 vrf PRIVATE
!yes the router will rip to itself
redistribute connected
network 66.66.66.0
network 10.0.0.0
no auto-summary
exit-address-family
!
ip classless
ip route 66.66.66.2 255.255.255.255 Loopback1
ip route vrf PRIVATE 66.66.66.1 255.255.255.255 Loopback0 66.66.66.1
!
ip nat inside source list inside-nat-rules interface Tunnel1 vrf PRIVATE overload
!
!
ip access-list extended inside-nat-rules
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any
!
end

Strangely enough, pinging the VRF loopback address from global fails, and 
vice versa.


