[c-nsp] help with one-armed routing
Bruce Pinsky
bep at whack.org
Thu Mar 17 01:43:24 EST 2005
Kevin Graham wrote:
| If the second interface (assuming fas 0/1) is entirely standalone, a
| VRF-lite config like:
|
| ip vrf onefiveone
| rd 0:0
| int fas 0/1
| ip vrf forwarding onefiveone
| ip address 192.168.151.128 255.255.255.0
| ip route vrf onefiveone 192.158.55.0 255.255.255.0 192.168.151.254
| ip route vrf onefiveone 0.0.0.0 0.0.0.0 192.168.151.1
|
| ...would do the trick w/o the need for PBR or ACLs to accomplish what
| you're describing.
|
Well, yes and no. Assuming he has a version that supports VRF Lite, there
are still a couple of issues. Let's look at his req'ts:
- It cannot allow any traffic to pass through, it can only bounce traffic.
  *VRF can accomplish this*
- if the source IP is 192.168.151.0 /24 then route it - if it is not that,
  then drop it.
  *VRF can't enforce that without Strict RPF or access-lists*
- if the destination IP is 192.158.55.0/24 then send it to
  192.168.151.254
  *VRF can accomplish as you suggest*
- otherwise, send the traffic to 192.69.151.1
  *That next-hop is in a different subnet than the VRF. VRF can only
  handle that if there is a way to reach that subnet within the VRF. There
  needs to be a route to the next-hop that points back out the fas0/1 or
  another interface that is part of the VRF.*
So, it may be possible, but there are some additional things that will
likely need to be added.
-- 
=========
bep
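The following IOS configuration is an added example, not from either poster, that puts Kevin's VRF-lite skeleton together with the two pieces Bruce says are missing: an access-list that enforces the 192.168.151.0/24 source requirement, and a route that makes the off-subnet next hop 192.69.151.1 reachable inside the VRF. The ACL name, the choice of FastEthernet0/1, and the assumption that something on the fas0/1 segment will answer ARP for 192.69.151.1 are mine.

```cisco
! Added example (not the thread's own config). Assumed: VRF name onefiveone,
! interface FastEthernet0/1, ACL name ONEFIVEONE-IN.
ip vrf onefiveone
 rd 0:0
!
! Requirement 2: admit only packets sourced from 192.168.151.0/24, drop and
! log everything else. Kevin's VRF-only config does not enforce this.
ip access-list extended ONEFIVEONE-IN
 permit ip 192.168.151.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/1
 ! ip vrf forwarding must precede the address; IOS clears the address when
 ! the interface is moved into a VRF.
 ip vrf forwarding onefiveone
 ip address 192.168.151.128 255.255.255.0
 ip access-group ONEFIVEONE-IN in
 ! Strict uRPF is the alternative Bruce mentions. It is not exact here:
 ! the 192.158.55.0/24 static below also points out this interface, so
 ! strict uRPF would admit sources in 192.158.55.0/24 as well. The ACL
 ! matches the stated requirement precisely, so uRPF is left disabled.
 ! ip verify unicast source reachable-via rx
!
! Requirement 3: 192.158.55.0/24 -> 192.168.151.254 (on-subnet next hop).
ip route vrf onefiveone 192.158.55.0 255.255.255.0 192.168.151.254
!
! Requirement 4: the catch-all next hop 192.69.151.1 is not in
! 192.168.151.0/24, so the VRF needs a route to it before the default
! route can resolve. A host route out fas0/1 makes the router ARP for
! 192.69.151.1 on that segment; the device there must answer (assumed).
ip route vrf onefiveone 192.69.151.1 255.255.255.255 FastEthernet0/1
ip route vrf onefiveone 0.0.0.0 0.0.0.0 192.69.151.1
```

Requirement 1 (bounce only, never pass through) holds because fas0/1 is the only interface in the VRF and both static next hops point back out of it; `show ip route vrf onefiveone` and `show ip access-lists ONEFIVEONE-IN` confirm the routes resolve and that the deny counter rises for off-subnet sources.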