[c-nsp] VPN Reverse Route Injection gateway in VRF

Ronan Mullally ronan at iol.ie
Mon Sep 14 12:54:52 EDT 2009


(First post on the list, so please be gentle!)

I'm working on a VPN solution which creates multiple VRFs and assigns VPN
traffic into a particular VRF based on its ISAKMP profile and a dynamic
crypto-map.  The application in hand is a CPE management network - each
CPE device builds a VPN tunnel back to a Cisco router which constructs a
CPE VRF.

It all works fine, up to a point.  I use Reverse Route Injection to
add routes into each VRF.  I have static routes configured in the VRF
directing outbound traffic via the correct front-door VRF:

 router> show crypto route
 Routes created in table CPE
 172.31.0.65/255.255.255.255 [1/0] via 1.2.3.4 tag 100
                                 on Port-channel1.99 RRI

 router> sh ip route vrf CPE

 S       172.31.0.65/32 [1/0] via 1.2.3.4
      1.0.0.0/23 is subnetted, 1 subnets
 S       1.2.2.0 [1/0] via 1.2.2.1, Port-channel1.99

1.2.3.4 represents public IP addresses.  I foresee a problem when I try
to terminate VPN tunnels from CPE devices that are not on public IP
addresses, but instead are part of another VRF using private IP ranges:

 router> show crypto route
 Routes created in table CPE
 172.31.1.0/255.255.255.255 [1/0] via 10.0.0.102 tag 100
                                 on Port-channel1.1100 RRI

 router> sh ip route vrf CPE
 S       172.31.1.0/32 [1/0] via 10.0.0.102

If I use "reverse-route remote-peer A.B.C.D gateway" I get the route to
the remote host sent via the correct interface:

 router> sh ip route vrf CPE
 S       172.31.1.0/32 [1/0] via 10.0.0.102
       10.0.0.0/32 is subnetted, 1 subnets
 S       10.0.0.102 [1/0] via 10.0.0.4, Port-channel1.1100

My problem arises when we end up with overlapping address ranges in two
different (front door) VRFs, so I would expect to see something like:

 router> sh ip route vrf CPE
 S       172.31.1.0/32 [1/0] via 10.0.0.102
 S       172.31.1.1/32 [1/0] via 10.0.0.102
       10.0.0.0/32 is subnetted, 1 subnets
 S       10.0.0.102 [1/0] via 10.0.0.4, Port-channel1.1100
 S       10.0.0.102 [1/0] via 10.0.0.5, Port-channel1.1101

The first being in VRF A, the second in VRF B.

My questions are:

 - I expect this will be a problem, am I right? (ie there's no magic
   that will ensure packets go via the right VRF and not get load
   balanced across two different VRFs, is there?)

 - Is there a way around the problem?  Careful address assignment to
   avoid collisions is all I can think of.

What I really need is to be able to specify an interface/VRF in the first
route, for example:

 router> sh ip route vrf CPE
 S       172.31.1.0/32 [1/0] via 10.0.0.102, Port-channel1.1100 (or vrf A)
 S       172.31.1.1/32 [1/0] via 10.0.0.102, Port-channel1.1101 (or vrf B)

Any advice would be very welcome.


-Ronan
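The ambiguity described in the post (one RRI gateway host route reachable via two different front-door VRF interfaces, so every CPE prefix behind that next hop becomes a load-balancing candidate) is easy to audit for before it bites. The following is an added example, not code from the original post or from Cisco: it parses "sh ip route vrf" output in the format shown above, flags any gateway next hop that has more than one static route with differing interfaces, and lists the RRI prefixes that depend on it. A second helper checks a planned list of (front-door VRF, peer address) assignments for the address collisions the poster wants to avoid. The route-table text and the peer list are constructed samples; the function names and the assumption that only static (S) routes matter are mine.

```python
import re
from collections import defaultdict

# Constructed sample of "sh ip route vrf CPE" output, in the format the post shows:
# two RRI host routes behind 10.0.0.102, and 10.0.0.102 itself reachable via
# two different front-door VRF sub-interfaces (the ambiguous case).
SAMPLE_AMBIGUOUS = """\
S       172.31.1.0/32 [1/0] via 10.0.0.102
S       172.31.1.1/32 [1/0] via 10.0.0.102
      10.0.0.0/32 is subnetted, 1 subnets
S       10.0.0.102 [1/0] via 10.0.0.4, Port-channel1.1100
S       10.0.0.102 [1/0] via 10.0.0.5, Port-channel1.1101
"""

# Constructed sample of the healthy case: a single gateway route per next hop.
SAMPLE_CLEAN = """\
S       172.31.1.0/32 [1/0] via 10.0.0.102
      10.0.0.0/32 is subnetted, 1 subnets
S       10.0.0.102 [1/0] via 10.0.0.4, Port-channel1.1100
"""

# Matches IOS static-route lines such as
#   S       172.31.1.0/32 [1/0] via 10.0.0.102
#   S       10.0.0.102 [1/0] via 10.0.0.4, Port-channel1.1100
# Summary lines ("10.0.0.0/32 is subnetted, ...") start with whitespace and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<dest>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s+(?P<intf>\S+))?"
)


def parse_routes(text):
    """Return a list of route dicts parsed from 'sh ip route vrf' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({
                "code": m.group("code"),
                "dest": m.group("dest"),
                "nexthop": m.group("nh"),
                "intf": m.group("intf"),  # None for RRI prefix routes
            })
    return routes


def find_ambiguous_gateways(routes):
    """Map each next hop that has gateway routes via more than one interface
    to the interfaces involved and the RRI prefixes that depend on it."""
    # Gateway routes are the ones with an explicit egress interface.
    gw_intfs = defaultdict(set)
    for r in routes:
        if r["code"] == "S" and r["intf"]:
            gw_intfs[r["dest"].split("/")[0]].add(r["intf"])

    result = {}
    for gw, intfs in gw_intfs.items():
        if len(intfs) < 2:
            continue
        affected = sorted(r["dest"] for r in routes
                          if r["code"] == "S" and not r["intf"] and r["nexthop"] == gw)
        result[gw] = {"interfaces": sorted(intfs), "affected_prefixes": affected}
    return result


def find_peer_collisions(assignments):
    """Given (front-door VRF, peer address) pairs, return peer addresses that
    appear in more than one front-door VRF, with the VRFs they collide across."""
    seen = defaultdict(set)
    for fvrf, peer in assignments:
        seen[peer].add(fvrf)
    return {peer: sorted(vrfs) for peer, vrfs in seen.items() if len(vrfs) > 1}


if __name__ == "__main__":
    print("ambiguous:", find_ambiguous_gateways(parse_routes(SAMPLE_AMBIGUOUS)))
    print("clean:", find_ambiguous_gateways(parse_routes(SAMPLE_CLEAN)))
    # Constructed planning data: peer 10.0.0.102 assigned in both FVRF A and B.
    plan = [("A", "10.0.0.102"), ("B", "10.0.0.102"), ("B", "10.0.0.103")]
    print("collisions:", find_peer_collisions(plan))
```

Running the audit over the real "sh ip route vrf <name>" output for each CPE VRF (or over the planned peer list before tunnels are built) turns the poster's expectation into a concrete check: any next hop reported by find_ambiguous_gateways is one whose traffic IOS will treat as equal-cost across two front-door VRFs, and find_peer_collisions shows which addresses need re-planning to stop that happening.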


