[c-nsp] vrf-lite question
Wayne Lee
linkconnect at googlemail.com
Mon Nov 10 18:40:37 EST 2008
Hello
I've been playing with vrf-lite in dynamips and I've hit a problem.
I have 4 routers and 3 VRFs (cust1, cust2 and GW) configured on R0.
R1-------R0-------R2
         |
         |
         |
         R4
cust1 and cust2 import from GW and GW imports from cust1 and cust2.
The problem I'm having is that cust1 can reach cust2 via GW and
vice-versa. I'm using OSPF and BGP to redistribute but I do not know
how to stop the customer VRFs from seeing each other; they do need
internet access via GW, which will be performing NAT and allowing inbound
IPsec connections to the different VRFs (R4 will be a Netscreen
firewall in the data-centre).
ip vrf cust1
rd 172.16.1.1:100
route-target export 172.16.1.1:100
route-target import 172.16.1.1:100
route-target import 10.254.254.254:300
!
ip vrf cust2
rd 172.16.2.1:200
route-target export 172.16.2.1:200
route-target import 172.16.2.1:200
route-target import 10.254.254.254:300
!
ip vrf juniperGW
rd 10.254.254.254:300
route-target export 10.254.254.254:300
route-target import 10.254.254.254:300
route-target import 172.16.1.1:100
route-target import 172.16.2.1:200
interface FastEthernet1/0
description link to R1
ip vrf forwarding cust1
ip address 172.16.1.254 255.255.255.0
duplex half
!
interface FastEthernet2/0
description link to R2
ip vrf forwarding cust2
ip address 172.16.2.254 255.255.255.0
duplex half
!
interface FastEthernet3/0
description link to R3
ip address 172.16.254.1 255.255.255.252
duplex half
!
interface FastEthernet4/0
description juniper gateway to internet
ip vrf forwarding juniperGW
ip address 10.254.254.254 255.255.255.0
duplex half
!
router ospf 11 vrf cust1
log-adjacency-changes
capability vrf-lite
network 172.16.1.0 0.0.0.255 area 11
!
router ospf 12 vrf cust2
log-adjacency-changes
capability vrf-lite
network 172.16.2.0 0.0.0.255 area 12
!
router ospf 1
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
passive-interface default
no passive-interface FastEthernet3/0
network 172.16.254.0 0.0.0.255 area 0
!
router ospf 10 vrf juniperGW
log-adjacency-changes
capability vrf-lite
network 10.254.254.0 0.0.0.255 area 10
!
router bgp 65400
no synchronization
bgp router-id 10.10.254.254
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf juniperGW
redistribute ospf 10
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf cust2
redistribute ospf 12
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf cust1
redistribute ospf 11
no auto-summary
no synchronization
exit-address-family
!
ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253
ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253
The end result I'm working towards will have ADSL PPPoA interfaces in
each VRF and the Netscreen will provide internet access and VPN to
other sites where we do not terminate the ADSL.
Thanks for your time.
Wayne
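An added worked model of the route-target import/export in the configuration above (written for this page, not code from the post or from Cisco). It assumes, as the post implies, that the Netscreen at 10.254.254.253 sends customer traffic straight back to R0, and it shows that cust1's table never holds cust2's prefix directly, yet a packet still reaches cust2 through the static default and the juniperGW table.

```python
from ipaddress import ip_address, ip_network
# Route-target policy copied from the three "ip vrf" stanzas in the post.
VRFS = {
    "cust1": {"export": {"172.16.1.1:100"},
              "import": {"172.16.1.1:100", "10.254.254.254:300"}},
    "cust2": {"export": {"172.16.2.1:200"},
              "import": {"172.16.2.1:200", "10.254.254.254:300"}},
    "juniperGW": {"export": {"10.254.254.254:300"},
                  "import": {"10.254.254.254:300", "172.16.1.1:100", "172.16.2.1:200"}},
}
# Prefixes each VRF puts into BGP through "redistribute ospf" (the interface
# subnets matched by the OSPF network statements in the post).
LOCAL = {"cust1": ["172.16.1.0/24"], "cust2": ["172.16.2.0/24"],
         "juniperGW": ["10.254.254.0/24"]}
# The "ip route vrf ... 0.0.0.0 0.0.0.0 10.254.254.253" statics; nothing
# redistributes them into BGP, so they exist only in their own VRF table.
STATIC_DEFAULT = {"cust1": "10.254.254.253", "cust2": "10.254.254.253"}

def build_tables():
    """Export each VRF's prefixes with its RTs, import wherever an RT matches."""
    bgp = [(p, vrf, VRFS[vrf]["export"]) for vrf in LOCAL for p in LOCAL[vrf]]
    return {vrf: {p: origin for p, origin, rts in bgp if rts & pol["import"]}
            for vrf, pol in VRFS.items()}

def lookup(vrf, dst, tables):
    """Longest match in one VRF table; returns the VRF that originated the route."""
    addr, best = ip_address(dst), None
    for prefix, origin in tables[vrf].items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    if best is None and vrf in STATIC_DEFAULT and dst != STATIC_DEFAULT[vrf]:
        # No match: use the static default and resolve its next hop in the same VRF.
        return lookup(vrf, STATIC_DEFAULT[vrf], tables)
    return best[1] if best else None

def trace(src_vrf, dst, tables, max_hops=4):
    """Walk a packet across R0's VRF tables. Assumed here: the Netscreen hands
    customer traffic straight back to R0, so the next lookup is in juniperGW."""
    path, vrf = [src_vrf], src_vrf
    for _ in range(max_hops):
        owner = lookup(vrf, dst, tables)
        if owner is None:
            return path + ["unreachable"]
        if owner == vrf:
            return path  # delivered out of an interface in this VRF
        path.append(owner)
        vrf = owner
    return path + ["loop"]
```

Running trace("cust1", "172.16.2.10", build_tables()) returns ["cust1", "juniperGW", "cust2"]: the customer tables are isolated by RT, and the reachability comes from the default route hairpinning through the GW VRF, which is where a filter or firewall policy would have to sit.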