[c-nsp] Need help with F-VRF

Luan Nguyen luan.m.nguyen at gmail.com
Thu Jan 24 11:21:07 EST 2008


I am doing 2 DMVPN tunnels.  One using the primary, one using the VRF.  They
both terminate into the same hub router.
NAT config:
ip nat inside source route-map NAT_SEC_WAN interface FastEthernet0/0 overload
route-map NAT_SEC_WAN permit 10
 match ip address PAT_ACL_1
 match interface FastEthernet0/0
ip access-list extended PAT_ACL_1
 permit ip 10.7.1.0 0.0.0.255 any

VRF
ip vrf fvrf
interface FastEthernet0/0
 ip vrf forwarding fvrf
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 100
ip route vrf fvrf 0.0.0.0 0.0.0.0 FastEthernet-nexthop
ip route 0.0.0.0 0.0.0.0 Primary-interface track 500

I was tracking failover, but with F-VRF there is probably no need to anymore.
I need the LAN to be outside, because normally it would go out the primary
non-VRF WAN interface.


A ping from the host on the LAN to 4.2.2.2

Site7R1#show ip cache flow
IP packet size distribution (506 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .146 .363 .162 .298 .000 .013 .000 .000 .000 .000 .000 .009 .000 .005

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  4 active, 4092 inactive, 94 added
  4226 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-other           37      0.0         1    44      0.0       1.8      15.5
UDP-NTP             39      0.0         1    76      0.0       0.0      15.1
UDP-other            1      0.0         4   261      0.0       0.1      15.3
ICMP                13      0.0         5   100      0.0       7.6      15.4
Total:              90      0.0         2    76      0.0       1.8      15.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         10.7.1.2        Fa0/0         4.2.2.2         01 0000 0800     5
Fa0/0         4.2.2.2         Fa0/0         Fa0/0-IP        01 0000 0000     5


Site7R1#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp Fa0/0-IP:13      10.7.1.2:13       4.2.2.2:13         4.2.2.2:13

Seems like the return NAT doesn't work.  Maybe I should use debug ip packet
detail :)

Thanks.

lmn


On Jan 24, 2008 10:49 AM, Tim Franklin <tim at pelican.org> wrote:

> On Thu, January 24, 2008 3:20 pm, Luan Nguyen wrote:
>
> > I have a router with dual WAN and one of them is in a VRF-lite, nothing
> > there but another default route.
> > I would like to be able to utilize that default route once the primary
> > WAN is down.
>
> If there's *nothing* in it but a default route, why is it in a VRF?  What
> are you trying to achieve with two routing tables on the router?
>
> > I have ip route 0.0.0.0 0.0.0.0 SecondaryWAN 250.
> > When the primary interface is down, I can see that in the global routing
> > table.   I have NAT and show ip nat trans seems okay.
> > Turning on netflow and doing a source ping, I also see echo-reply packets
> > back from the ping source.
> > The local LAN is not inside the vrf-lite.  Looking inside the vrf
> > routing table, I don't see the local LAN.  I can't do ip route vrf vrf-lite
> > local-lan-net interface-local-lan, since the router doesn't let you do
> > it to the broadcast ethernet.
>
> This isn't entirely clear, but if you're doing what it sounds like, a
> route to the LAN interface inside the VRF isn't going to make sense,
> because the LAN interface isn't in the VRF.
>
> Can you post config, and output from the commands you've mentioned?
>
> Regards,
> Tim.
>
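The reasoning behind "the return NAT doesn't work" can be mechanised: correlate the NAT translation with the flow cache and flag a reply that reached the inside-global address but was not forwarded back out the LAN interface. The script below is an added example, not code from the thread; the records are constructed to mirror the post's output (one record per line, and 192.0.2.1 standing in for the address shown as Fa0/0-IP), and Fa0/1 is taken from the post as the LAN interface.

```python
from collections import namedtuple

# Constructed sample records modelled on the 'show ip cache flow' and
# 'show ip nat translations' output in the post. The original is line-wrapped;
# here each record is on one line, and 192.0.2.1 (a documentation address)
# stands in for the Fa0/0 address the post shows as 'Fa0/0-IP'.
FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         10.7.1.2        Fa0/0         4.2.2.2         01 0000 0800     5
Fa0/0         4.2.2.2         Fa0/0         192.0.2.1       01 0000 0000     5
"""
NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.0.2.1:13      10.7.1.2:13        4.2.2.2:13         4.2.2.2:13
"""
LAN_IF = "Fa0/1"  # interface the NAT 'inside' hosts sit behind (from the post)

Flow = namedtuple("Flow", "src_if src_ip dst_if dst_ip proto sport dport pkts")
Xlate = namedtuple("Xlate", "proto inside_global inside_local outside_global")

def _ip(addr_port):
    """Strip the ':port' (or ':icmp-id') suffix from a NAT table entry."""
    return addr_port.rsplit(":", 1)[0]

def parse_flows(text):
    """Parse one-record-per-line flow cache output into Flow tuples."""
    flows = []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) == 8:
            flows.append(Flow(*f[:7], int(f[7])))
    return flows

def parse_xlates(text):
    """Parse 'show ip nat translations' rows into Xlate tuples."""
    return [Xlate(f[0], _ip(f[1]), _ip(f[2]), _ip(f[4]))
            for f in (l.split() for l in text.splitlines()[1:]) if len(f) == 5]

def stranded_returns(flows, xlates, lan_if):
    """For each translation, locate the return flow (outside global -> inside
    global). If the cache shows it leaving on anything other than the LAN
    interface, the reverse translation to the inside-local host never took
    effect; report (inside_local, flow) for each such case."""
    stranded = []
    for x in xlates:
        for f in flows:
            if (f.src_ip == x.outside_global and f.dst_ip == x.inside_global
                    and f.dst_if != lan_if):
                stranded.append((x.inside_local, f))
    return stranded
```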

