[c-nsp] VRF and STATIC ROUTE to GLOBAL

Luan Nguyen luan at netcraftsmen.net
Mon Feb 23 14:24:06 EST 2009


Instead of an external link with 2 physical ports, you could try to create a
GRE tunnel with 2 loopback interfaces.

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback10
 ip address 10.10.100.1 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding NSP
 ip address 172.16.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.10.100.1
!
interface Tunnel2
 ip address 172.16.1.2 255.255.255.0
 tunnel source Loopback10
 tunnel destination 10.10.10.1


Then run OSPF, etc.  I haven't tried a static route, but I'm pretty sure it would
work.

router ospf 100 vrf NSP
 router-id 10.10.10.1
 log-adjacency-changes
 redistribute bgp 65535 subnets
 network 10.10.10.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
router ospf 1
 router-id 10.10.100.1
 log-adjacency-changes
 network 10.10.100.1 0.0.0.0 area 0
 network 172.16.1.2 0.0.0.0 area 0

Regards,

++++++++++++++++++++++++++++++++++++++++++++++++
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/
[Mobile] 703-953-9116
+++++++++++++++++++++++++++++++++++++++++++++++++
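As an added illustration (not code from the reply above, from Cisco, or from either poster), the checker below parses IOS-style interface stanzas and identifies a loopback-to-loopback GRE pair whose two ends terminate on the same box, reporting which table each end sits in. The sample config is copied from the reply; the parser, the `tunnel vrf` handling and the finding texts are this example's own assumptions. The point worth seeing is that such a hairpin is a deliberate bridge between the VRF and the global table: with an OSPF process on each end, everything redistributed into the VRF side (here the BGP prefixes) will be learned on the global side unless a filter is applied, which is exactly the more-specific-route problem the original question describes in point 4.

```python
"""Spot VRF-to-global GRE hairpins in an IOS-style config (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two loopbacks and two tunnels quoted in the reply.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback10
 ip address 10.10.100.1 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding NSP
 ip address 172.16.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.10.100.1
!
interface Tunnel2
 ip address 172.16.1.2 255.255.255.0
 tunnel source Loopback10
 tunnel destination 10.10.10.1
"""


@dataclass
class Interface:
    name: str
    ip: Optional[str] = None
    vrf: Optional[str] = None          # None means the global table
    tunnel_vrf: Optional[str] = None   # table the tunnel transport is resolved in
    tunnel_source: Optional[str] = None
    tunnel_destination: Optional[str] = None


def parse_interfaces(text: str) -> Dict[str, Interface]:
    """Parse 'interface X' stanzas (sub-commands indented by one space)."""
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if not line.startswith(" "):
            m = re.match(r"interface (\S+)$", line)
            current = Interface(m.group(1)) if m else None
            if current:
                interfaces[current.name] = current
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("ip address "):
            current.ip = cmd.split()[2]
        elif cmd.startswith("ip vrf forwarding ") or cmd.startswith("vrf forwarding "):
            current.vrf = cmd.split()[-1]
        elif cmd.startswith("tunnel vrf "):
            current.tunnel_vrf = cmd.split()[2]
        elif cmd.startswith("tunnel source "):
            current.tunnel_source = cmd.split()[2]
        elif cmd.startswith("tunnel destination "):
            current.tunnel_destination = cmd.split()[2]
    return interfaces


def find_hairpins(ifs: Dict[str, Interface]) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """Return (tunnel_a, tunnel_b, vrf_a, vrf_b) for tunnel pairs that point at each
    other's source loopback, i.e. a GRE tunnel both of whose ends live on this box."""
    tunnels = [i for i in ifs.values() if i.tunnel_source]
    seen, pairs = set(), []
    for a in tunnels:
        for b in tunnels:
            if a is b or (b.name, a.name) in seen:
                continue
            a_src = ifs.get(a.tunnel_source)
            b_src = ifs.get(b.tunnel_source)
            if a_src and b_src and a.tunnel_destination == b_src.ip \
                    and b.tunnel_destination == a_src.ip:
                seen.add((a.name, b.name))
                pairs.append((a.name, b.name, a.vrf, b.vrf))
    return pairs


def audit(text: str) -> List[str]:
    """Human-readable findings: transport/source table mismatches and table crossings."""
    ifs = parse_interfaces(text)
    findings = []
    for t in ifs.values():
        if not t.tunnel_source:
            continue
        src = ifs.get(t.tunnel_source)
        if src is None:
            findings.append(f"{t.name}: tunnel source {t.tunnel_source} is not configured")
        elif src.vrf != t.tunnel_vrf:
            # Without 'tunnel vrf' the endpoints are looked up in the global table.
            findings.append(f"{t.name}: transport resolves in {t.tunnel_vrf or 'global'} "
                            f"but source {src.name} sits in {src.vrf or 'global'}")
    for a, b, vrf_a, vrf_b in find_hairpins(ifs):
        if vrf_a == vrf_b:
            findings.append(f"{a}<->{b}: both ends in {vrf_a or 'global'}; no table crossing")
        else:
            findings.append(f"{a}<->{b}: bridges {vrf_a or 'global'} and {vrf_b or 'global'}; "
                            "a routing protocol run across it leaks routes both ways unless filtered")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show running-config` dump to list every hairpin the box carries; a pair reported as bridging a VRF and global is the place to put a distribute-list or route-map before turning on a routing protocol across it.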

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Monday, February 23, 2009 10:56 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL

This question was posted earlier, before I opened ticket with CISCO.

Router is 6500 with 720-CXL running SXI code.


1.  I have router "A" which is used to connect to our three ISPs (two
I1s and one I2 connection with full BGP), and also receives all our
internal campus traffic via RIP default path.  Router "A" announces
default to campus.

2. I now need to add a new special ESNET.GOV ISP which cannot be used  
by the majority of our campus except for two subnets.   These two  
subnets will still have access to the other three ISPs for normal path  
selection but have the option of choosing an ESNET route if needed.

3. So the original thinking was to create the VRF for ESNET which  
would have its own ESNET route table and tell the two special subnets  
(using route-map match subs, set vrf ) to check the ESNET table first  
and if route is not in table then fall thru to global.

4. I can't just have one route table that includes the ESNET routes,  
because ESNET announces some more specific routes and there may be  
hosts that normally use the I1 path to these DSTs, but now see a more  
specific path and try to use it and fail because it is not allowed by  
ESNET outbound ACL.



I have BGP peering working in VRF ( can see prefixes from ESNET in VRF  
table), but cannot announce our two subnet prefixes because they do  
not show up in VRF route table.  So getting static back to global  
would fix this and other issue with DEFAULT to global.   When I try to  
add static routes they never show up because the next hop is not  
present in VRF table or the command fails stating that...  "Invalid  
next-hop address (it's this router)".



I was hoping that just adding a static DEFAULT in VRF pointing to  
global would do everything I needed, but cannot get it to work even  
after trying all permutations of the command.  "ip route vrf vrf-esnet  
0.0.0.0 0.0.0.0 0.0.0.0 global"



Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3  
10.10.10.10 global"   Loopback3 was created with RFC-1918 IP and had  
"vrf forwarding" added on this loopback.  This also failed.


Creating an internal path between the VRF router and the global router  
is stopping all this from working.

I have a ticket open with CISCO but they are saying I have to add an  
external link with two physical ports on vrf.   This will not work for  
us.


Does anybody know how to get statics working between VRF and global
table, if it's even possible?


Really stuck!



Jeff Fitzwater
OIT Network Systems
Princeton University

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
