[c-nsp] VRF and STATIC ROUTE to GLOBAL

schilling schilling2006 at gmail.com
Mon Feb 23 17:00:09 EST 2009


#core B
ip vrf ESNET
.
.
int vlan100
 desc no1 prefix for ESNET
 ip address 192.168.100.1 255.255.255.0
 ip vrf forwarding ESNET
int vlan101
 desc no2 prefix for ESNET
 ip address 192.168.101.1 255.255.255.0
 ip vrf forwarding ESNET
int vlan200
 desc VRF ESNET to edge A global
 ip address 192.168.200.1 255.255.255.252
 ip vrf forwarding ESNET
int vlan300
 desc VRF ESNET to edge A VRF ESNET
 ip address 192.168.300.1 255.255.255.252
 ip vrf forwarding ESNET

ip route vrf ESNET 0.0.0.0 0.0.0.0 192.168.200.2


#edge A
ip vrf ESNET
.
.
int vlan200
 desc global to core B VRF ESNET
 ip address 192.168.200.2 255.255.255.252
int vlan300
 desc VRF ESNET to core B VRF ESNET
 ip address 192.168.300.2 255.255.255.252
 ip vrf forwarding ESNET


ip route 192.168.100.0 255.255.254.0 192.168.200.1
ip route vrf ESNET 192.168.100.0 255.255.254.0 192.168.300.1


You also want to have an iBGP session between edge A and core B over vlan300 to
propagate ESNET prefixes to core B.

sh ip route vrf ESNET on both core B and edge A should show both of your
specific ESNET networks, the ESNET BGP-learned prefixes, and the directly
connected networks.

The corresponding static routes could also be done with RIP; the concept should be the
same.

Schilling
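As an added illustration (not the poster's configuration), the following Python models the two-table design described above: each router keeps a global and a VRF ESNET table, a static is installed only if its next hop sits in a connected prefix of the same table (the behaviour the original question ran into), and forward() follows a destination across both routers. Constructed values: 192.168.201.0/30 stands in for the vlan300 link (192.168.300.x is not a valid IPv4 network), 192.0.2.0/30 for the ESNET peering, 198.51.100.0/24 for an ESNET-learned prefix and 203.0.113.0/30 for the I1 upstream; BGP-learned routes are entered as plain next hops.

```python
import ipaddress as ipa

def build_table(connected, learned):
    """connected: [(prefix, iface)]; learned: [(prefix, next_hop)] (statics or
    BGP).  A route installs only if its next hop is in a CONNECTED prefix of
    this same table; a next hop known only to another table is rejected."""
    table = {ipa.ip_network(p): ("C", i) for p, i in connected}
    for prefix, nh in learned:
        if any(ipa.ip_address(nh) in n for n, (k, _) in table.items() if k == "C"):
            table[ipa.ip_network(prefix)] = ("S", nh)
    return table

def lpm(table, dst):
    """Longest-prefix match: ("C", iface), ("S", next_hop) or None."""
    hits = [n for n in table if ipa.ip_address(dst) in n]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

# Constructed topology mirroring the thread's two routers and their tables.
TABLES = {
    ("coreB", "ESNET"): build_table(
        [("192.168.100.0/24", "vlan100"), ("192.168.101.0/24", "vlan101"),
         ("192.168.200.0/30", "vlan200"), ("192.168.201.0/30", "vlan300")],
        [("0.0.0.0/0", "192.168.200.2"),          # VRF default into edge A global
         ("198.51.100.0/24", "192.168.201.2")]),  # ESNET prefix via iBGP, vlan300
    ("edgeA", "global"): build_table(
        [("192.168.200.0/30", "vlan200"), ("203.0.113.0/30", "gi1/1")],
        [("192.168.100.0/23", "192.168.200.1"),   # global -> core B's VRF side
         ("0.0.0.0/0", "203.0.113.2")]),          # default to the I1 upstream
    ("edgeA", "ESNET"): build_table(
        [("192.168.201.0/30", "vlan300"), ("192.0.2.0/30", "gi1/2")],
        [("192.168.100.0/23", "192.168.201.1"),   # VRF static back to core B
         ("198.51.100.0/24", "192.0.2.2")]),      # learned from the ESNET eBGP peer
}
# (router, table) that owns each internal next-hop address; others are off campus.
OWNERS = {"192.168.200.1": ("coreB", "ESNET"), "192.168.200.2": ("edgeA", "global"),
          "192.168.201.1": ("coreB", "ESNET"), "192.168.201.2": ("edgeA", "ESNET")}

def forward(start, dst):
    """Walk dst from (router, table); ends in 'connected', 'exit' or 'drop'."""
    hops, here = [], start
    for _ in range(8):
        kind, via = lpm(TABLES[here], dst) or ("D", None)
        if kind == "D":
            return hops + ["drop"]
        if kind == "C":
            return hops + [f"{here[0]}/{here[1]} connected {via}"]
        hops.append(f"{here[0]}/{here[1]} -> {via}")
        if via not in OWNERS:
            return hops + [f"exit {via}"]
        here = OWNERS[via]
    return hops + ["loop"]
```

Running forward(("coreB", "ESNET"), "198.51.100.7") shows the ESNET path via vlan300, while a non-ESNET destination leaves the VRF through vlan200 into edge A's global table and out to the I1 default; the return traffic re-enters the VRF through edge A's global static for 192.168.100.0/23.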




On Mon, Feb 23, 2009 at 2:41 PM, Jeff Fitzwater <jfitz at princeton.edu> wrote:

>
> On Feb 23, 2009, at 1:59 PM, schilling wrote:
>
> I am not clear about your "route-map match subs, set vrf". If your two
> specific subnets are in one campus core, you need to put them into VRF
> ESNET by "ip forwarding vrf ESNET". If these two specific subnets are
> distributed in your campus core, you need to use end-to-end vrf-lite or
> MPLS, and put them in VRF ESNET.  Once in the VRF ESNET, you can then
> advertise them to your ESNET eBGP peering. If you have more specific subnets
> within the two subnets, "ip route vrf ESNET yourTwoSubnet2ESNET null 0" will
> populate a static route in your VRF ESNET, so you can advertise them to your
> ESNET eBGP. Existing more specific traffic will be routed in your VRF ESNET,
> and non-specific traffic is dropped.
>
>   Maybe I am missing something about how to implement VRF.
> The VRF is configured on our ISP edge router "A" , which is also the RIP
> default source for our other 3 core routers.  So router "A" has a vlan and
> physical port for each of the three core routers "B, C, D".   On vlan
> interface to router "B", which receives traffic from the two subnets of
> interest (along with other subnet traffic, but not allowed to ESNET) , I
> thought that I could have a route-map that MATCHES an ACL for the two
> subnets, and SET VRF VRF-ESNET so that if the match is true it would send
> traffic to the VRF-ESNET to first check its route table.  Once there, if the
> DEST was not to ESNET , it would use a default to the global and be
> forwarded as usual.
>  I didn't even get to the point of trying the route-map because I couldn't
> get statics in the VRF so the vrf bgp would announce the two subnets to
> esnet.  ( It's the next hop issue.  If the static next hop is not reachable
> then it does not get installed).
>
> Well I thought it sounded good.
>
>
> Jeff
>
>
> On Mon, Feb 23, 2009 at 10:55 AM, Jeff Fitzwater <jfitz at princeton.edu> wrote:
>
>> This question was posted earlier, before I opened ticket with CISCO.
>>
>> Router is 6500 with 720-CXL running SXI code.
>>
>>
>> 1.  I have router "A" which is used to connect to our three ISPs (two I1s
>> and one I2 connection with full BGP), and also receives all our internal
>> campus traffic via RIP default path.    Router "A" announces default to
>> campus.
>>
>> 2. I now need to add a new special ESNET.GOV ISP which cannot be used by
>> the majority of our campus except for two subnets.   These two subnets will
>> still have access to the other three ISPs for normal path selection but have
>> the option of choosing an ESNET route if needed.
>>
>> 3. So the original thinking was to create the VRF for ESNET which would
>> have its own ESNET route table and tell the two special subnets (using
>> route-map match subs, set vrf ) to check the ESNET table first and if route
>> is not in table then fall thru to global.
>>
>> 4. I can't just have one route table that includes the ESNET routes,
>> because ESNET announces some more specific routes and there may be hosts
>> that normally use the I1 path to these DSTs, but now see a more specific
>> path and try to use it and fail because it is not allowed by ESNET outbound
>> ACL.
>>
>>
>>
>> I have BGP peering working in VRF ( can see prefixes from ESNET in VRF
>> table), but cannot announce our two subnet prefixes because they do not show
>> up in VRF route table.  So getting static back to global would fix this and
>> other issue with DEFAULT to global.   When I try to add static routes they
>> never show up because the next hop is not present in VRF table or the
>> command fails stating that...  "Invalid next-hop address (it's this
>> router)".
>>
>>
>>
>> I was hoping that just adding a static DEFAULT in VRF pointing to global
>> would do everything I needed, but cannot get it to work even after trying
>> all permutations of the command.  "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0
>> 0.0.0.0 global"
>>
>>
>>
>> Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10
>> global"   Loopback3 was created with RFC-1918 IP and had "vrf forwarding"
>> added on this loopback.  This also failed.
>>
>>
>> Creating an internal path between the VRF router and the global router is
>> stopping all this from working.
>>
>> I have a ticket open with CISCO but they are saying I have to add an
>> external link with two physical ports on vrf.   This will not work for us.
>>
>>
>> Does anybody know how to get statics working between VRF and global table,
>> if it's even possible?
>>
>>
>> Really stuck!
>>
>>
>>
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>