[c-nsp] VRF weirdness on 12.3(14)T4

Rolf Mendelsohn rolf-web at cyberops.biz
Thu Feb 9 22:20:39 EST 2006


Hi Everyone,

I have the below config working perfectly on 12.4(1a), however when running 
12.3(14)T4 no traffic gets passed from the Fa0/1 to the other subinterfaces in 
the vrf (Fa0/0.20 - Fa0/0.37). I am relatively new to VRFs and was wondering 
if there were any major configuration errors here.

I have to do a route-map for inbound traffic on fa0/0.10 & fa0/1 because this 
is connected to a monitoring network which is pinging remote wireless routers 
which are connected to fa0/1.

A sh ip route vrf looks identical on both images.
A sh ip vrf looks identical on both images.
sh logging doesn't show anything strange on 12.3(14)T4.

Any ideas?


service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
!
hostname gw1.lda1.ao
!
boot-start-marker
boot-end-marker
!
logging buffered 65535 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone GMT+1 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip vrf Client1-vpn
 rd 33763:100
 route-target export 33763:100
 route-target import 33763:100
!
ip vrf mateba-vpn
 description VRF for Mateba VPN
 rd 37763:300
!
ip vrf others
 rd 33763:200
 route-target export 33763:200
 route-target import 33763:200
!
ip domain name maxnet.ao
ip name-server X.Y.48.10
ip name-server X.Y.52.10
!
!
spanning-tree portfast bpduguard
!
!
class-map match-all inet-256k-out
  description Match IP packets from the Internet to this VPN
 match input-interface FastEthernet0/0
 match access-group 150
!
!
policy-map Client1-sede-limit
  description Limit Input from Client1 to reasonable rate
 class class-default
  police cir 2560000
    conform-action transmit
    exceed-action drop
policy-map reg256
  description Policy Map for a Normal 256K Service(only necessary for Ethernet Customers)
 class class-default
  police cir 256000
    conform-action transmit
    exceed-action drop
!
!
!
interface FastEthernet0/0
 description Trunk Backhaul link Back to Predio Policia
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.2
 description Management + Monitoring VLAN
 encapsulation dot1Q 2
 ip vrf receive Client1-vpn
 ip vrf receive others
 ip address 10.253.1.8 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map monitor-in
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.10
 description Temporary and future Transit Ethernet
 encapsulation dot1Q 10
 ip address X.Y.48.42 255.255.255.248
 ip nat outside
 no snmp trap link-status
 no cdp enable
 service-policy input reg256
 service-policy output reg256
!
interface FastEthernet0/0.20
 description Client1 Aeroporto - 128k (Cidadela)
 encapsulation dot1Q 20
 ip vrf forwarding Client1-vpn
 ip address 172.16.99.8 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
!
interface FastEthernet0/0.21
 description Client1 Neves Bendinha - 128k (Cidadela)
 encapsulation dot1Q 21
 ip vrf forwarding Client1-vpn
 ip address 172.16.98.8 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
!
interface FastEthernet0/0.22
 description Client1 Cazenga - 128k (Cidadela)
 encapsulation dot1Q 22
 ip vrf forwarding Client1-vpn
 ip address 172.16.92.136 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
!

Interfaces 0.23-0.36 removed for the sake of brevity.

!
interface FastEthernet0/0.37
 description Client1 Minint - 128k (Predio Policia)
 encapsulation dot1Q 37
 ip vrf forwarding Client1-vpn
 ip address 172.16.24.1 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
!
interface FastEthernet0/0.39
 description Client1 Filda - 128k (Cidadela)
 encapsulation dot1Q 39
 ip vrf forwarding Client1-vpn
 ip address 172.16.253.8 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.520
 description Mateba VPN - Viana(256k)
 encapsulation dot1Q 520
 ip vrf forwarding mateba-vpn
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.521
 description Mateba VPN - Maculusso(256k)
 encapsulation dot1Q 521
 ip vrf forwarding mateba-vpn
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.522
 description Mateba VPN - Intermarket(256k)
 encapsulation dot1Q 522
 ip vrf forwarding mateba-vpn
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/1
 description Link to Client1 Sede + Old Base Station
 ip vrf receive Client1-vpn
 ip vrf receive others
 ip address 10.254.0.1 255.255.255.0
 ip route-cache flow
 ip policy route-map in-Client1-in-others
 load-interval 30
 duplex auto
 speed 10
 service-policy input Client1-sede-limit
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.Y.48.41
ip route 192.168.1.0 255.255.255.192 10.254.0.2
ip route X.Y.48.0 255.255.240.0 10.253.1.10
ip route X.Y.49.162 255.255.255.255 FastEthernet0/0.520 192.168.0.1
ip route vrf Client1-vpn 172.16.8.0 255.255.248.0 10.254.0.4
ip route vrf Client1-vpn 172.16.88.0 255.255.255.128 10.254.0.4
ip route vrf Client1-vpn 192.168.20.0 255.255.255.0 10.254.0.4
ip route vrf mateba-vpn 0.0.0.0 0.0.0.0 X.Y.48.41 global
ip route vrf others 10.2.0.0 255.255.0.0 10.254.0.2
ip route vrf others 10.2.16.0 255.255.252.0 10.253.1.1
ip route vrf others 10.3.24.0 255.255.252.0 10.253.1.1
ip route vrf others 10.3.40.0 255.255.252.0 10.253.1.1
ip route vrf others 10.254.10.0 255.255.255.0 10.253.1.1
ip route vrf others 192.168.100.0 255.255.255.0 10.253.1.10
ip flow-export version 5
ip flow-export destination 10.253.1.9 2055
!
no ip http server
ip nat pool mateba-int X.Y.49.160 X.Y.49.161 prefix-length 31
ip nat inside source list 50 pool mateba-int vrf mateba-vpn overload
ip nat inside source static 192.168.0.1 X.Y.49.162 vrf mateba-vpn
!
access-list 1 permit any
access-list 2 deny   any
access-list 6 permit 1.0.0.0 0.255.255.255
access-list 6 deny   any
access-list 8 permit 0.0.0.0
access-list 8 deny   any
access-list 9 deny   0.0.0.0
access-list 9 permit any
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 20 permit 172.16.0.0 0.7.255.255
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 60 permit 10.252.0.0 0.3.255.255
access-list 60 permit X.Y.48.0 0.0.0.255
access-list 105 permit ip 10.253.1.0 0.0.0.255 host 10.253.1.8
access-list 110 permit ip 10.253.1.0 0.0.0.255 172.16.0.0 0.7.255.255
access-list 120 permit ip 10.253.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 150 deny   ip any 192.168.0.0 0.0.255.255
access-list 150 deny   ip any 10.0.0.0 0.255.255.255
access-list 150 deny   ip any 172.16.0.0 0.15.255.255
access-list 150 permit ip any any
snmp-server community noneexgfdgd RW 2
snmp-server community XYZ
no cdp run
route-map monitor-in deny 5
 description Match Traffic from Management Net to Router
 match ip address 105
!
route-map monitor-in permit 10
 description Match Traffic from Management Net to Client1
 match ip address 110
 set vrf Client1-vpn
!
route-map monitor-in permit 20
 description Match Traffic from Management Net to BCI+Banco Sol
 match ip address 120
 set vrf others
!
route-map monitor-in permit 30
 description Match Traffic from Client2+Client3 SEDE to Client2+Client3
 match ip address 130
 set vrf others
!
route-map in-Client1-in-others permit 10
 description Match IP's from Client1 to Manangement Net
 match ip address 20
 set vrf Client1-vpn
!
route-map in-Client1-in-others permit 20
 description Match IP's from Client2+Client3 to Management Net
 match ip address 10
 set vrf others
!
!
control-plane
!
banner motd ^C
======================================================
MAXNET - gw1.lda1.ao - Cisco 1841
UNAUTHORISED ACCESS PROHIBITED
For support call tel. +244-222-391037 / 228-740156
======================================================
^C
!
line con 0
 exec-timeout 30 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 60 in
 exec-timeout 30 0
 transport input telnet
 transport output telnet
line vty 5 15
 access-class 60 in
 exec-timeout 30 0
 transport input telnet
 transport output telnet
!
end


-- 
Rolf Mendelsohn
Internet Technologies Angola
Cell:  +244-92-3524981
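
Added example (not part of the original post): a Python cross-check for the policy-routed VRF selection used in the config above, flagging any interface whose route-map can `set vrf` to a VRF that is undefined or has no matching `ip vrf receive` line on that interface. The function name `audit_pbr_vrf` and the trimmed sample are assumptions made for illustration; the sample is constructed, with one `ip vrf receive` line deliberately left off Fa0/1.

```python
import re

# Constructed excerpt modelled on the posted config (rd lines and most stanzas trimmed).
# 'ip vrf receive others' is deliberately missing from FastEthernet0/1.
SAMPLE = """\
ip vrf Client1-vpn
ip vrf others
interface FastEthernet0/0.2
 ip vrf receive Client1-vpn
 ip vrf receive others
 ip policy route-map monitor-in
interface FastEthernet0/1
 ip vrf receive Client1-vpn
 ip policy route-map in-Client1-in-others
route-map monitor-in permit 20
 match ip address 120
 set vrf others
route-map in-Client1-in-others permit 10
 match ip address 20
 set vrf Client1-vpn
route-map in-Client1-in-others permit 20
 match ip address 10
 set vrf others
"""

def audit_pbr_vrf(config):
    vrfs, recv, policy, rm_vrf, kind, name = set(), {}, {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new stanza
            m = re.match(r"(ip vrf|interface|route-map) (\S+)", line)
            kind, name = m.groups() if m else (None, None)
            if kind == "ip vrf":
                vrfs.add(name)
        elif kind == "interface" and (m := re.match(r"ip vrf receive (\S+)", line)):
            recv.setdefault(name, set()).add(m.group(1))
        elif kind == "interface" and (m := re.match(r"ip policy route-map (\S+)", line)):
            policy[name] = m.group(1)
        elif kind == "route-map" and (m := re.match(r"set vrf (\S+)", line)):
            rm_vrf.setdefault(name, set()).add(m.group(1))
    findings = []
    for intf, rm in sorted(policy.items()):
        for vrf in sorted(rm_vrf.get(rm, ())):
            if vrf not in vrfs:
                findings.append(f"{rm}: 'set vrf {vrf}' names an undefined VRF")
            elif vrf not in recv.get(intf, ()):
                findings.append(f"{intf}: {rm} sets vrf {vrf} but 'ip vrf receive {vrf}' is missing")
    return findings
```

In the config as posted, both policy-routed interfaces (Fa0/0.2 and Fa0/1) carry `ip vrf receive` for both VRFs their route-maps select, so this check serves to rule that class of error out before comparing image behaviour.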

