[c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs

David Prall dcp at dcptech.com
Wed Dec 24 16:30:55 EST 2008


Give each VRF an rd, and do an import/export of that rd. Configure BGP; you don't
even need to use it as your routing protocol. Each VRF should automagically
have the address family configured. Now, under the ip vrf configuration,
import the other VRF's rd. Now you have reachability at one location.
Another solution is to create a static route and point it at the physical
interface of the other VRF. You'll need to do this in both directions.

David

--
http://dcp.dcptech.com
 
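[Editor's note: the hub-router configuration below is an added example that is not part of David's reply or the linked Cisco document; it fills in the two options he describes. Everything in it is assumed for illustration: VRF names VRF-A (the IVRF where the site-A tunnel lands, site-A LAN 10.1.0.0/16) and VRF-B (central service on 10.10.0.0/24 behind Gi0/1), the FVRF being the global table on Gi0/0 (203.0.113.2, next hop 203.0.113.1), AS 65000, peer 198.51.100.10 and all addresses, which are documentation ranges. One detail David's reply glosses over: in IOS the key that is actually imported and exported between VRFs is the route-target, not the rd, and the address families under router bgp are configured explicitly here. The export map is the practitioner's caveat: attach the shared route-target only to the central-service prefix so that VRF-A learns exactly that one prefix and nothing else that lives in VRF-B.]

```cisco
! Hub router (assumed example topology, not from the thread)
!
! --- Tunnel termination in VRF-A: VRF-aware IPsec with IVRF (VRF-A) != FVRF (global) ---
crypto keyring SITE-A-KEYS
 pre-shared-key address 198.51.100.10 key CHANGE-ME
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp profile SITE-A
 vrf VRF-A
 keyring SITE-A-KEYS
 match identity address 198.51.100.10 255.255.255.255
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended SITE-A-TRAFFIC
 permit ip 10.10.0.0 0.0.0.255 10.1.0.0 0.0.255.255
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 set isakmp-profile SITE-A
 match address SITE-A-TRAFFIC
!
! --- Option 1: route-target import/export carried by BGP ---
! VRF-B tags only the central-service prefix with the shared RT 65000:100,
! so VRF-A imports that single /24 and no other VRF-B route.
ip prefix-list CENTRAL-SVC seq 5 permit 10.10.0.0/24
route-map EXPORT-CENTRAL permit 10
 match ip address prefix-list CENTRAL-SVC
 set extcommunity rt 65000:100 additive
!
ip vrf VRF-A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 route-target import 65000:100
ip vrf VRF-B
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
 route-target import 65000:1
 export map EXPORT-CENTRAL
!
! BGP is only the vehicle for the VPNv4 import/export; no neighbors are configured.
router bgp 65000
 address-family ipv4 vrf VRF-A
  redistribute static
  redistribute connected
 exit-address-family
 address-family ipv4 vrf VRF-B
  redistribute connected
 exit-address-family
!
interface GigabitEthernet0/0
 description Internet (FVRF = global)
 ip address 203.0.113.2 255.255.255.0
 crypto map CM
interface GigabitEthernet0/1
 description Central Service (VRF-B), service host assumed at 10.10.0.10
 ip vrf forwarding VRF-B
 ip address 10.10.0.1 255.255.255.0
!
! Site-A LAN is reached from VRF-A through the FVRF (global) next hop.
ip route vrf VRF-A 10.1.0.0 255.255.0.0 203.0.113.1 global
!
! --- Option 2: static routes at the other VRF's physical interface (instead of Option 1) ---
! Both directions are required; the next hop is any host on that interface's subnet.
! ip route vrf VRF-A 10.10.0.0 255.255.255.0 GigabitEthernet0/1 10.10.0.10
! ip route vrf VRF-B 10.1.0.0 255.255.0.0 203.0.113.1 global
!
! Verify:  show ip route vrf VRF-A 10.10.0.0
!          show ip route vrf VRF-B 10.1.0.0
!          show ip bgp vpnv4 vrf VRF-A
!          show crypto ipsec sa
```

The show commands at the end are the check worth running before trusting either option: the first two confirm the leak exists in both directions (the return route in VRF-B is what makes this a reachability fix rather than a one-way hole), and the crypto SA counters confirm that traffic from the central service is actually being encrypted toward site A rather than dropped at the VRF-to-VRF restriction the original question refers to.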

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Ramcharan, Vijay A
> Sent: Wednesday, December 24, 2008 3:41 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs
> 
> I've read the doc at
> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1027175
> and ignoring the restriction about mapping VRF to VRF traffic have
> tried (unsuccessfully) to circumvent this restriction.
> 
> Is it at all possible to terminate an IPSec L2L tunnel in VRF A and then
> have traffic exit that VRF A to reach resources located in VRF B or
> possibly the global routing table?
> 
> I see the security implications naturally of allowing traffic from
> remote sites to leak across VRFs but if it's not possible then is there
> some way of providing a "central service" type of resource to a bunch of
> different sites (assume each site goes into a different VRF) which
> connect to that resource via IPSec tunnels?
> 
> [Site A]---IPSec tunnel over Internet---[Hub Router--VRF A--]
> 						|
> 						[VRF B]
> 						|
> 					(Central Service)
> 
> Vijay Ramcharan
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/