[c-nsp] Leaking VRF routes

Ge Moua moua0100 at umn.edu
Tue May 18 12:01:54 EDT 2010


There were a few requests for this, so I'm just going to post this to 
the distro-list.  This was done about a year and a half ago, but I recall 
that this was a working config snippet:
* the idea at the time was to terminate a L2L IPSec tunnel in a given 
VRF "A"
* using VRF-aware IPSec, drop the decrypted traffic to VRF "B"
* one had to export the RD
* also had to run BGP (this was already mentioned in a previous thread)

In the end we decided not to go with this config and just terminate the 
IPSec tunnel in the global table, as the global table already had the 
hooks into the other custom VRF by default.

- Ge



!
ip vrf FVRF-L2L_NTS-TEST
  description VRF Lite * (VRF-Aware IPSec) Front-Door VRF to (MPLS VRF) "tc" * Encrypted Data Transport for L-2-L IPSec (Single Customer) "NTS Test"
  rd 217:599
  route-target export 217:1001
  route-target export 217:599
!



!
ip vrf IVRF-L2L_tc
  description VRF Lite * (VRF-Aware IPSec) Inside VRF to (MPLS VRF) "tc" * Decrypted Data Transport for L-2-L IPSec (VRF Wide) "UofMn - Twin Cities General Campus"
  rd 217:1001
  route-target import 217:599
!



!
router bgp 65535
  no synchronization
  bgp log-neighbor-changes
  no auto-summary
  !
  address-family ipv4 vrf FVRF-L2L_NTS-TEST
   redistribute static
   no synchronization
  exit-address-family
!


ip route vrf FVRF-L2L_NTS-TEST 134.84.4.232 255.255.255.248 134.84.4.222 name ROUTE-LEAK-TO-IVRF-VIA-BGP-REDIST


!
no ip access-list extended CRYPTO-ACL_NTS-TEST
!
ip access-list extended CRYPTO-ACL_NTS-TEST
  remark ## [START] Extended ACL "CRYPTO-ACL_NTS-TEST" ##
  remark ## Crypto ACL * IPSec Interesting Traffic Between L-2-L IPSec End-Points "NTS Test" ##
  permit ip any 134.84.4.232 0.0.0.7
  remark ## [END] Extended ACL "CRYPTO-ACL_NTS-TEST" ##


crypto map CRYPTO-MAP_NTS-TEST 1 ipsec-isakmp
  no reverse-route static




--

Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--
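As an added illustration (not part of the original post or Ge's config), a small Python lint that reads the `ip vrf` blocks and the BGP `address-family ipv4 vrf` sections from a config like the one above and lists every route-leak path implied by matching route-target import/export pairs, also reporting whether the exporting VRF redistributes anything into BGP (without that, nothing is actually leaked). The embedded sample config is constructed from the snippet above; the function names are my own.

```python
# Added example (not from the original post): a lint that reads IOS-style
# "ip vrf" blocks and "router bgp" address-families and lists every route-leak
# path implied by route-target import/export, plus whether the source redistributes.
import re

# Constructed sample, condensed from the config in the post above.
SAMPLE_CONFIG = """ip vrf FVRF-L2L_NTS-TEST
  rd 217:599
  route-target export 217:1001
  route-target export 217:599
!
ip vrf IVRF-L2L_tc
  rd 217:1001
  route-target import 217:599
!
router bgp 65535
  address-family ipv4 vrf FVRF-L2L_NTS-TEST
   redistribute static
  exit-address-family
!
"""

def parse_vrfs(config):
    vrfs, cur = {}, None  # {vrf: {"export": set of RTs, "import": set of RTs}}
    for line in config.splitlines():
        if m := re.match(r"^ip vrf (\S+)", line):
            vrfs[(cur := m.group(1))] = {"export": set(), "import": set()}
        elif cur and (m := re.match(r"^\s+route-target (export|import) (\S+)", line)):
            vrfs[cur][m.group(1)].add(m.group(2))
        elif line.startswith("!"):
            cur = None  # "!" closes the block
    return vrfs

def parse_bgp_redist(config):
    redist, cur = {}, None  # {vrf: set of "redistribute" sources}
    for line in config.splitlines():
        if m := re.match(r"^\s+address-family ipv4 vrf (\S+)", line):
            cur = m.group(1)
        elif cur and (m := re.match(r"^\s+redistribute (\S+)", line)):
            redist.setdefault(cur, set()).add(m.group(1))
        elif line.strip() == "exit-address-family":
            cur = None
    return redist

def leak_paths(config):
    """One (src, dst, rt, src_redistributes) tuple per RT that dst imports and src exports."""
    vrfs, redist = parse_vrfs(config), parse_bgp_redist(config)
    return [(src, dst, rt, bool(redist.get(src)))
            for dst, d in vrfs.items() for src, s in vrfs.items() if src != dst
            for rt in sorted(d["import"] & s["export"])]
```

Running it over the sample yields a single one-way path from the front-door VRF into the inside VRF, which is the check to repeat whenever a route-target line is added so an unintended leak does not appear in the other direction.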


On 5/18/10 8:15 AM, Ge Moua wrote:
> I've got IOS code snippet for doing this on a 7206vxr with npe-g1; 
> contact me off list if you are interested in seeing this.
>
> -- 
> Regards,
> Ge Moua
> Network Design Engineer
>
> University of Minnesota | OIT - NTS
> -- 
>
>
> On 5/18/10 1:40 AM, Peter Rathlev wrote:
>> On Mon, 2010-05-17 at 22:46 -0500, Dave Weis wrote:
>>> I am doing VRF lite on a 7200 to place PPPoA/PPPoE users into a VRF.
>> You can leak fine just with VRF-Lite, if that's what you're after. You
>> need to enable BGP though.
>>

