[c-nsp] VRF/SVI Question

Andrew Alston aa at tenet.ac.za
Fri Aug 10 08:25:50 EDT 2007


Hi All,

I'm hoping someone here can give me a cleaner solution to what I'm doing as
detailed below, since at the moment I have a feeling the solution I have in
place only works because of "features that may end up being fixed" in the
future.

This is a 7606 RSP720 running SRB1 btw.

Ok, I have a tunnel interface (GRE) on a router; the interface is in the
global zone, as outbound traffic going out of the tunnel shouldn't pass
through the VRF for a variety of reasons.

Inbound, there is a policy based route that matches on interface tunnel 2
and drops it into the vrf like so:

! PBR policy applied on the inbound side (assumed to sit on the tunnel itself)
interface Tunnel2
 ip policy route-map pbr-in
!
! Anything matching the tunnel is handed to the VRF's routing table
route-map pbr-in permit 10
 match interface Tunnel2
 set vrf INBOUND-TRAFFIC
!

That vrf then has a static route to another router, so that inbound traffic
gets sent to a point where we do bandwidth shaping etc.

The router announces xxx.xxx.0.0/16 as a less specific, that is statically
routed to null0 purely for announcement purposes.

So far... so good... all of this works... Now comes the problem... on the
same router there are a series of SVIs with attached /24s in the same
network.

Now, in the VRF all traffic inbound follows the VRF default route to another
router, including when it attempts to flow to the SVIs.  If I import the
/16 into the VRF (which is easy to do, it's announced in BGP), because that's
statically routed in the global to null0, the VRF sends all traffic to
null0, ignoring the more specifics in the global (kind of expected).

You cannot statically route to a loopback on the router in the global
(%Invalid next hop address (it's this router))

You have to have the networks announced in bgp to import them into the
vrf...

So the hack that I came up with was to add network statements for each /24
in the bgp configs, then do an aggregate-address xxx.xxx.0.0 255.255.0.0
summary-only.  Strangely, this allows the import into the vrf of the /24s to
work, though it strikes me as broken behavior.

Anyone got a cleaner solution to get directly connected routes into a VRF? :)

Andrew Alston
TENET - Chief Technology Officer
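As an added illustration (not the original poster's configuration), here is the workaround the message describes written out in IOS syntax: the /24s go into BGP as network statements, the /16 is summarised with summary-only, and a VRF import map pulls only the /24s out of the global BGP table so that traffic arriving via the tunnel reaches the local SVIs instead of following the VRF default route or the Null0 aggregate. The addresses, AS number, RD and route-map names are placeholders, and `import ipv4 unicast map` is assumed to be present on the SRB image.

```cisco
! --- VRF that PBR drops tunnel traffic into ---
ip vrf INBOUND-TRAFFIC
 rd 65000:100
 ! Pull prefixes from the global BGP table into this VRF, filtered by route-map
 import ipv4 unicast map GLOBAL-TO-VRF
!
! Only the directly connected /24s inside the placeholder /16 are allowed in.
! The /16 itself is deliberately excluded: in the global table it points at
! Null0, so importing it would black-hole everything in the VRF.
ip prefix-list CONNECTED-24S seq 5 permit 198.18.0.0/16 ge 24 le 24
!
route-map GLOBAL-TO-VRF permit 10
 match ip address prefix-list CONNECTED-24S
!
! Less-specific announcement anchor, as in the original post
ip route 198.18.0.0 255.255.0.0 Null0
!
! VRF default: everything not matched above goes to the shaping router
ip route vrf INBOUND-TRAFFIC 0.0.0.0 0.0.0.0 203.0.113.1
!
router bgp 65000
 ! Each connected /24 must exist in the BGP table for the import to see it
 network 198.18.1.0 mask 255.255.255.0
 network 198.18.2.0 mask 255.255.255.0
 ! summary-only suppresses the /24s towards peers but keeps them in the
 ! local BGP table (shown with the 's' flag), which is what the import map
 ! matches against; this is the "feature" the post relies on.
 aggregate-address 198.18.0.0 255.255.0.0 summary-only
 !
 address-family ipv4 vrf INBOUND-TRAFFIC
 exit-address-family
!
! --- Verification: the /24s should appear in the VRF, the /16 should not ---
! show ip vrf detail INBOUND-TRAFFIC
! show ip bgp vpnv4 vrf INBOUND-TRAFFIC
! show ip route vrf INBOUND-TRAFFIC
```

Before relying on this, confirm with the `show` commands that only the /24s were imported; if the /16 ever slips in (for example after a change to the prefix-list), the whole VRF silently routes to Null0.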
