Jeff Fitzwater jfitz at Princeton.EDU
Mon Feb 23 14:41:53 EST 2009

On Feb 23, 2009, at 1:59 PM, schilling wrote:

> I am not clear about your "route-map match subs, set vrf". If your  
> two specific subnets are in one campus core, you need to put them in  
> to VRF ESNET by "ip forwarding vrf ESNET". If these two specific  
> subnets are distributed in your campus core, you need to use
> end-to-end vrf-lite or MPLS, and put them in VRF ESNET.  Once in the VRF
> ESNET, you can then advertise them to your ESNET eBGP peering. If
> you have more specific subnets within the two subnets, "ip route vrf
> ESNET yourTwoSubnet2ESNET null 0" will populate a static route in  
> your VRF ESNET, so you can advertise them to your ESNET eBGP.  
> Existing more specific traffic will be routed in your VRF ESNET, and  
> non specific are dropped.
   Maybe I am missing something about how to implement VRF.
The VRF is configured on our ISP edge router "A", which is also the
RIP default source for our other 3 core routers.  So router "A" has a
vlan and physical port for each of the three core routers "B, C, D".
On the vlan interface to router "B", which receives traffic from the two
subnets of interest (along with other subnet traffic, but not allowed
to ESNET), I thought that I could have a route-map that MATCHES an
ACL for the two subnets, and SET VRF VRF-ESNET so that if the match is
true it would send traffic to the VRF-ESNET to first check its route
table.  Once there, if the DEST was not to ESNET, it would use a
default to the global and be forwarded as usual.
	I didn't even get to the point of trying the route-map because I
couldn't get statics in the VRF so the vrf bgp would announce the two
subnets to esnet.  (It's the next hop issue.  If the static next hop
is not reachable then it does not get installed.)

Well I thought it sounded good.


> On Mon, Feb 23, 2009 at 10:55 AM, Jeff Fitzwater  
> <jfitz at princeton.edu> wrote:
> This question was posted earlier, before I opened ticket with CISCO.
> Router is 6500 with 720-CXL running SXI code.
> 1.  I have router "A" which is used to connect to our three ISPs
> (two I1s and one I2 connection with full BGP), and also receives
> all our internal campus traffic via RIP default path.    Router "A"  
> announces default to campus.
> 2. I now need to add a new special ESNET.GOV ISP which cannot be  
> used by the majority of our campus except for two subnets.   These  
> two subnets will still have access to the other three ISPs for  
> normal path selection but have the option of choosing an ESNET route  
> if needed.
> 3. So the original thinking was to create the VRF for ESNET which  
> would have its own ESNET route table and tell the two special  
> subnets (using route-map match subs, set vrf ) to check the ESNET  
> table first and if route is not in table then fall thru to global.
> 4. I can't just have one route table that includes the ESNET routes,  
> because ESNET announces some more specific routes and there may be  
> hosts that normally use the I1 path to these DSTs, but now see a  
> more specific path and try to use it and fail because it is not  
> allowed by ESNET outbound ACL.
> I have BGP peering working in VRF ( can see prefixes from ESNET in  
> VRF table), but cannot announce our two subnet prefixes because they  
> do not show up in VRF route table.  So getting static back to global  
> would fix this and other issue with DEFAULT to global.   When I try  
> to add static routes they never show up because the next hop is not  
> present in VRF table or the command fails stating that...  "Invalid  
> next-hop address (it's this router)".
> I was hoping that just adding a static DEFAULT in VRF pointing to  
> global would do everything I needed, but cannot get it to work even  
> after trying all permutations of the command.  "ip route vrf
> vrf-esnet global"
> Also tried "ip route vrf vrf-esnet loopback3  
> global"   Loopback3 was created with RFC-1918 IP and had  
> "vrf forwarding" added on this loopback.  This also failed.
> Creating an internal path between the VRF router and the global  
> router is stopping all this from working.
> I have a ticket open with CISCO but they are saying I have to add an  
> external link with two physical ports on vrf.   This will not work  
> for us.
> Does anybody know how to get statics working between VRF and global
> table, if it's even possible?
> Really stuck!
> Jeff Fitzwater
> OIT Network Systems
> Princeton University