[c-nsp] vrf-lite question

Wayne Lee linkconnect at googlemail.com
Mon Nov 10 18:40:37 EST 2008


Hello

I've been playing with vrf-lite in dynamips and I've hit a problem.

I have 4 routers and 3 VRFs (cust1, cust2 and GW) configured on R0.


R1-------R0-------R2
          |
          |
          |
         R4

cust1 and cust2 import from GW, and GW imports from cust1 and cust2.

The problem I'm having is that cust1 can reach cust2 via GW and
vice versa. I'm using OSPF and BGP to redistribute, but I do not know
how to stop the customer VRFs from seeing each other. They do need
internet access via GW, which will be performing NAT and allowing inbound
IPsec connections to the different VRFs (R4 will be a Netscreen
firewall in the data centre).

ip vrf cust1
 rd 172.16.1.1:100
 route-target export 172.16.1.1:100
 route-target import 172.16.1.1:100
 route-target import 10.254.254.254:300
!
ip vrf cust2
 rd 172.16.2.1:200
 route-target export 172.16.2.1:200
 route-target import 172.16.2.1:200
 route-target import 10.254.254.254:300
!
ip vrf juniperGW
 ! shared gateway VRF: imports both customers' routes, exports only its own
 rd 10.254.254.254:300
 route-target export 10.254.254.254:300
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200
!
interface FastEthernet1/0
 description link to R1
 ip vrf forwarding cust1
 ip address 172.16.1.254 255.255.255.0
 duplex half
!
interface FastEthernet2/0
 description link to R2
 ip vrf forwarding cust2
 ip address 172.16.2.254 255.255.255.0
 duplex half
!
interface FastEthernet3/0
 description link to R3
 ip address 172.16.254.1 255.255.255.252
 duplex half
!
interface FastEthernet4/0
 description juniper gateway to internet
 ip vrf forwarding juniperGW
 ip address 10.254.254.254 255.255.255.0
 duplex half
!
router ospf 11 vrf cust1
 log-adjacency-changes
 capability vrf-lite
 network 172.16.1.0 0.0.0.255 area 11
!
router ospf 12 vrf cust2
 log-adjacency-changes
 capability vrf-lite
 network 172.16.2.0 0.0.0.255 area 12
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface FastEthernet3/0
 network 172.16.254.0 0.0.0.255 area 0
!
router ospf 10 vrf juniperGW
 log-adjacency-changes
 capability vrf-lite
 network 10.254.254.0 0.0.0.255 area 10
!
router bgp 65400
 no synchronization
 bgp router-id 10.10.254.254
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf juniperGW
 redistribute ospf 10
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust2
 redistribute ospf 12
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust1
 redistribute ospf 11
 no auto-summary
 no synchronization
 exit-address-family
!
! both customer VRFs default to the Netscreen address on the juniperGW subnet
ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253
ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253

The end result I'm working towards will have ADSL PPPoA interfaces in
each VRF, and the Netscreen will provide internet access and VPN to
other sites where we do not terminate the ADSL.

Thanks for your time


Wayne
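Added example, not part of the post above or anything from the cisco-nsp list: a small Python audit script that reads the VRF definitions, interface addresses and VRF static routes from the configuration posted above (embedded here as constructed input) and reports two things. First, which VRFs import routes exported by which others; in this configuration neither customer VRF imports the other's route-target, so the route-target policy itself is not leaking cust2 prefixes into cust1. Second, customer VRFs that can still reach each other through a shared VRF they both default into: each customer's 0.0.0.0/0 points at 10.254.254.253, which lives on the juniperGW subnet, and juniperGW holds both customers' routes, so a packet from cust1 to a cust2 prefix is sent towards the gateway, and whatever the gateway sends back to 10.254.254.254 is forwarded into cust2. The script assumes the next hop is resolvable in the customer VRF via the 10.254.254.0/24 route imported from juniperGW and that the Netscreen does route the customer prefixes back to R0; the post does not show the Netscreen side, so whether the hairpin actually happens is not verifiable from the configuration alone. What the script does show is that with this route-target design, cust1/cust2 isolation rests on the Netscreen's policy (or an ACL on FastEthernet4/0), not on the VRFs.

```python
import ipaddress
import re

# Constructed input: the VRF, interface and static-route lines from the posted
# configuration (assumed intent: cust1 and cust2 must not reach each other).
SAMPLE_CONFIG = """
ip vrf cust1
 rd 172.16.1.1:100
 route-target export 172.16.1.1:100
 route-target import 172.16.1.1:100
 route-target import 10.254.254.254:300
!
ip vrf cust2
 rd 172.16.2.1:200
 route-target export 172.16.2.1:200
 route-target import 172.16.2.1:200
 route-target import 10.254.254.254:300
!
ip vrf juniperGW
 rd 10.254.254.254:300
 route-target export 10.254.254.254:300
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200
!
interface FastEthernet1/0
 ip vrf forwarding cust1
 ip address 172.16.1.254 255.255.255.0
!
interface FastEthernet2/0
 ip vrf forwarding cust2
 ip address 172.16.2.254 255.255.255.0
!
interface FastEthernet3/0
 ip address 172.16.254.1 255.255.255.252
!
interface FastEthernet4/0
 ip vrf forwarding juniperGW
 ip address 10.254.254.254 255.255.255.0
!
ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253
ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253
"""


def parse_config(text):
    """Collect route-target policy, connected subnets per VRF and VRF default routes."""
    vrfs, subnets, defaults = {}, {}, {}
    vrf = ifvrf = None  # current 'ip vrf' block / VRF of the current interface
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"ip vrf (\S+)$", line):
            vrf, ifvrf = m.group(1), None
            vrfs[vrf] = {"import": set(), "export": set()}
        elif (m := re.match(r"route-target (import|export) (\S+)$", line)) and vrf:
            vrfs[vrf][m.group(1)].add(m.group(2))
        elif line.startswith("interface "):
            vrf, ifvrf = None, "global"  # no 'ip vrf forwarding' means global table
        elif (m := re.match(r"ip vrf forwarding (\S+)$", line)) and ifvrf:
            ifvrf = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and ifvrf:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            subnets.setdefault(ifvrf, []).append(net)
        elif m := re.match(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            defaults[m.group(1)] = ipaddress.ip_address(m.group(2))
    return vrfs, subnets, defaults


def route_visibility(vrfs):
    """VRF -> set of other VRFs whose exported routes it imports (direct route leaking)."""
    return {a: {b for b in vrfs if b != a and vrfs[a]["import"] & vrfs[b]["export"]}
            for a in vrfs}


def owning_vrf(address, subnets):
    """Name of the VRF (or 'global') whose connected subnet contains address, else None."""
    for name, nets in subnets.items():
        if any(address in n for n in nets):
            return name
    return None


def find_transit_paths(vrfs, subnets, defaults):
    """Return sorted (src, hub, dst) triples where src holds no route to dst but
    defaults into hub, and hub holds dst's routes: src's traffic for dst leaves
    towards the gateway, and anything the gateway hands back to hub is forwarded
    straight into dst. Isolation then depends on the gateway, not on route-targets."""
    sees = route_visibility(vrfs)
    out = []
    for src, next_hop in defaults.items():
        hub = owning_vrf(next_hop, subnets)
        if hub in (None, src):
            continue
        out.extend((src, hub, dst) for dst in sorted(sees.get(hub, ()))
                   if dst != src and dst not in sees[src])
    return sorted(out)


if __name__ == "__main__":
    v, s, d = parse_config(SAMPLE_CONFIG)
    for name, others in sorted(route_visibility(v).items()):
        print(f"{name} imports routes from: {', '.join(sorted(others)) or '-'}")
    for src, hub, dst in find_transit_paths(v, s, d):
        print(f"WARNING: {src} -> {dst} reachable via default route into {hub}")
```

Run against the posted configuration it reports that juniperGW imports from both customers while each customer imports only from juniperGW, and warns for cust1 -> cust2 and cust2 -> cust1 via juniperGW. Removing the customer defaults is not an option here since they need internet access, so the practical check is the gateway side: the Netscreen must not forward traffic between the two customer prefixes, or R0 must drop it inbound on FastEthernet4/0.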

