[c-nsp] Import VRF routes then change next-hop

Ramcharan, Vijay A vijay.ramcharan at verizonbusiness.com
Fri Dec 4 10:08:07 EST 2009


It broke in a bad way. I.e., trying to set the next hop via an import map
is not reliable and does strange things like singling out a particular
subnet and removing it from the BGP table, even though that subnet is
directly connected in that VRF. 

Vijay Ramcharan 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ramcharan, Vijay
A
Sent: Tuesday, December 01, 2009 3:16 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Import VRF routes then change next-hop

Hi all, 

I have a couple of switches (6509E, Sup 720 3CXL, 12.2.33 SXI1) that are
running VRF lite for a couple of VRFs. 
One of the VRFs connects to a pair of external routers and receives a
number of routes via iBGP. 
Sandwiched between that external VRF and the other VRF is a firewall. 

I needed to import the routes from the external VRF into the other VRF
that sits behind that firewall. 
I set the proper import targets in my firewalled VRF and the routes are
imported. 
I now need to change the next hop of those imported routes so that the
firewalled VRF uses the firewall as its next-hop for those imported
routes. 

The only solution I've found that actually works is the following
route-map used as an "import map" in the firewalled VRF.  

route-map import_mpls_to_firewall_vrf permit 10
  Match clauses:
    extcommunity (extcommunity-list filter):77
  Set clauses:
    ip vrf firewall_vrf next-hop 10.10.10.1
    ip next-hop 10.10.10.1

I tried reading some documentation but I'm not making much headway into
understanding why I need both of those "set" commands. 

If I just use the "set ip vrf <blah>" clause the routes are imported but
the next hop is not changed at which point I need to statically point
the next hop at the firewall for the routes to become valid. 

If I just use the "set ip next-hop" command, the next hop is changed but
traffic isn't forwarded out of the firewall VRF. 

Once I use both commands, the next-hop is changed and traffic is
properly forwarded. 
Is my setup above correct or am I doing something wrong? 

Thanks much. 

Vijay Ramcharan
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
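For reference, here is the setup the original message describes rendered as IOS configuration. This is an added example, not the author's configuration: the route-map is reconstructed from the `show route-map` output above, and the VRF names other than firewall_vrf, the route-target values (65000:100, 65000:200), the AS number, the neighbor addresses and the contents of extcommunity-list 77 are all assumed, since the thread gives only the map name, the list number 77 and the next-hop 10.10.10.1. The follow-up at the top of the thread reports this import-map approach as unreliable, so read it as what was tried plus the checks a practitioner would run afterwards, not as a recommended design.

```cisco
! Added example (not the author's config): VRF-lite on a 6509E, 12.2.33 SXI1.
! Assumed: VRF external_vrf, RT 65000:100/65000:200, AS 65000, neighbors 192.0.2.x.

! External VRF: learns routes via iBGP from the external router pair and
! exports them with an RT the firewalled VRF can match on.
ip vrf external_vrf
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100

! Firewalled VRF: imports the external RT and applies the import map while
! doing so. 10.10.10.1 is assumed to be the firewall's inside interface on a
! directly connected subnet in firewall_vrf.
ip vrf firewall_vrf
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
 route-target import 65000:100
 import map import_mpls_to_firewall_vrf

! Extended-community list 77: only routes carrying the external RT are
! candidates for import, so nothing else leaks into the firewalled VRF.
ip extcommunity-list 77 permit rt 65000:100

! The import map as shown in the thread; both set clauses were needed in the
! author's testing for the routes to be both valid and forwarded via the firewall.
route-map import_mpls_to_firewall_vrf permit 10
 match extcommunity 77
 set ip vrf firewall_vrf next-hop 10.10.10.1
 set ip next-hop 10.10.10.1

! RT-based import between VRFs only happens for VRFs that have a BGP
! address-family; the firewalled VRF's connected subnets are assumed to be
! redistributed so they appear in its BGP table.
router bgp 65000
 address-family ipv4 vrf external_vrf
  neighbor 192.0.2.1 remote-as 65000
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.2 remote-as 65000
  neighbor 192.0.2.2 activate
 exit-address-family
 address-family ipv4 vrf firewall_vrf
  redistribute connected
 exit-address-family

! Verification after applying the map:
!   show ip bgp vpnv4 vrf firewall_vrf      - imported prefixes present, next hop 10.10.10.1
!   show ip route vrf firewall_vrf          - imported prefixes installed via 10.10.10.1
!   show ip route vrf firewall_vrf 10.10.10.0
!   show ip bgp vpnv4 vrf firewall_vrf 10.10.10.0
! The last two confirm the firewall's own directly connected subnet is still
! present in both tables; the follow-up in this thread reports exactly that
! subnet vanishing from the BGP table, which would break the next hop.
```

Because the import map is the only thing steering the imported routes through the firewall, any route that is imported but keeps its original next hop bypasses the firewall silently; the two `show ip bgp vpnv4 vrf` checks are what catch that, and they are worth re-running after each change to the map rather than trusting the route-map counters.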

______________________________________________________________________
This e-mail has been scanned by Verizon Managed Email Content Service,
using Skeptic(tm) technology powered by MessageLabs. For more
information on Verizon Managed Email Content Service, visit
http://www.verizonbusiness.com.
______________________________________________________________________
