[c-nsp] Leaking VRF routes
Ge Moua
moua0100 at umn.edu
Tue May 18 12:01:54 EDT 2010
There were a few requests for this, so I'm just going to post this to
the distro-list. This was done about a year and a half ago, but I recall
that this was a working config snippet:
* the idea at the time was to terminate a L2L IPSec tunnel in a given
VRF "A"
* using VRF-aware IPSec, drop the decrypted traffic to VRF "B"
* one had to export the RD
* also had to run BGP (this was already mentioned in a previous thread)
In the end we decided not to go with this config and just terminate the
IPSec tunnel in the global table, as the global table already had the
hooks into the other custom VRF by default.
- Ge
!
ip vrf FVRF-L2L_NTS-TEST
description VRF Lite * (VRF-Aware IPSec) Front-Door VRF to (MPLS VRF) "tc" * Encrypted Data Transport for L-2-L IPSec (Single Customer) "NTS Test"
rd 217:599
route-target export 217:1001
route-target export 217:599
!
!
ip vrf IVRF-L2L_tc
description VRF Lite * (VRF-Aware IPSec) Inside VRF to (MPLS VRF) "tc" * Decrypted Data Transport for L-2-L IPSec (VRF Wide) "UofMn - Twin Cities General Campus"
rd 217:1001
route-target import 217:599
!
!
router bgp 65535
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf FVRF-L2L_NTS-TEST
redistribute static
no synchronization
exit-address-family
!
ip route vrf FVRF-L2L_NTS-TEST 134.84.4.232 255.255.255.248 134.84.4.222 name ROUTE-LEAK-TO-IVRF-VIA-BGP-REDIST
!
no ip access-list extended CRYPTO-ACL_NTS-TEST
!
ip access-list extended CRYPTO-ACL_NTS-TEST
remark ## [START] Extended ACL "CRYPTO-ACL_NTS-TEST" ##
remark ## Crypto ACL * IPSec Interesting Traffic Between L-2-L IPSec End-Points "NTS Test" ##
permit ip any 134.84.4.232 0.0.0.7
remark ## [END] Extended ACL "CRYPTO-ACL_NTS-TEST" ##
crypto map CRYPTO-MAP_NTS-TEST 1 ipsec-isakmp
no reverse-route static
--
Regards,
Ge Moua
Network Design Engineer
University of Minnesota | OIT - NTS
--
On 5/18/10 8:15 AM, Ge Moua wrote:
> I've got IOS code snippet for doing this on a 7206vxr with npe-g1;
> contact me off list if you are interested in seeing this.
>
> --
> Regards,
> Ge Moua
> Network Design Engineer
>
> University of Minnesota | OIT - NTS
> --
>
>
> On 5/18/10 1:40 AM, Peter Rathlev wrote:
>> On Mon, 2010-05-17 at 22:46 -0500, Dave Weis wrote:
>>> I am doing VRF lite on a 7200 to place PPPoA/PPPoE users into a VRF.
>> You can leak fine just with VRF-Lite, if that's what you're after. You
>> need to enable BGP though.
>>
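The snippet above leaks one static /29 from the front-door VRF into the inside VRF by redistributing it into BGP and letting route-target import/export do the rest. The following Python model is an added example, not part of the thread and not Cisco's code: it simulates the RT matching rules as commonly described (a route enters the VPNv4 table only if its VRF redistributes it, is tagged with that VRF's export RTs, and is installed into any other VRF whose import RTs overlap). The VRF names, RD/RT values and the 134.84.4.232/29 prefix come from the posted config; the 192.0.2.0/24 route and the `unexpected_leaks` allow-list check are constructed here to show how an operator can verify that only the crypto ACL's prefix crosses the VRF boundary.

```python
"""Simulate VRF route leaking via BGP route-target import/export.

Assumed model (constructed for this example, not IOS's implementation):
- a VRF's static routes enter the VPNv4 table only if its BGP
  address-family has `redistribute static` (no BGP, no leaking);
- each route in the VPNv4 table carries the exporting VRF's export RTs;
- a VRF installs a route from another VRF if any of its import RTs
  appears in that route's RT set.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset = frozenset()
    import_rts: frozenset = frozenset()
    redistribute_static: bool = False
    static_routes: list = field(default_factory=list)  # (prefix, next_hop)


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    rts: frozenset
    origin_vrf: str


def build_vpnv4_table(vrfs):
    """Routes that make it into BGP: statics of VRFs that redistribute
    static, each tagged with the exporting VRF's export RTs."""
    table = []
    for v in vrfs:
        if not v.redistribute_static:
            continue
        for prefix, nh in v.static_routes:
            table.append(VpnRoute(v.rd, ipaddress.ip_network(prefix), nh,
                                  v.export_rts, v.name))
    return table


def leaked_routes(vrfs):
    """Per-VRF sorted list of prefixes imported from *other* VRFs."""
    table = build_vpnv4_table(vrfs)
    result = {}
    for v in vrfs:
        imported = [r for r in table
                    if r.origin_vrf != v.name and r.rts & v.import_rts]
        result[v.name] = sorted(str(r.prefix) for r in imported)
    return result


def unexpected_leaks(vrfs, allowed):
    """Operator check: leaked prefixes not covered by a VRF's allow-list
    (here, the crypto ACL's interesting-traffic prefix)."""
    bad = {}
    for name, prefixes in leaked_routes(vrfs).items():
        allow = [ipaddress.ip_network(p) for p in allowed.get(name, [])]
        bad[name] = [p for p in prefixes
                     if not any(ipaddress.ip_network(p).subnet_of(a)
                                for a in allow)]
    return bad


def thread_config():
    """The two VRFs and the static route as posted in the thread."""
    fvrf = Vrf("FVRF-L2L_NTS-TEST", "217:599",
               export_rts=frozenset({"217:1001", "217:599"}),
               redistribute_static=True,
               static_routes=[("134.84.4.232/29", "134.84.4.222")])
    ivrf = Vrf("IVRF-L2L_tc", "217:1001", import_rts=frozenset({"217:599"}))
    return [fvrf, ivrf]


def without_bgp_redistribution():
    """Same VRFs, but `redistribute static` removed: nothing leaks."""
    vrfs = thread_config()
    vrfs[0].redistribute_static = False
    return leaked_routes(vrfs)


def with_extra_static():
    """A constructed extra static in the front-door VRF (192.0.2.0/24,
    documentation range) is leaked too; the allow-list check flags it."""
    vrfs = thread_config()
    vrfs[0].static_routes.append(("192.0.2.0/24", "134.84.4.222"))
    return unexpected_leaks(vrfs, {"IVRF-L2L_tc": ["134.84.4.232/29"]})


if __name__ == "__main__":
    print("as posted:        ", leaked_routes(thread_config()))
    print("no redistribution:", without_bgp_redistribution())
    print("unexpected leaks: ", with_extra_static())
```

The third case is the one worth keeping around: any static added under `ip route vrf FVRF-...` is redistributed and therefore lands in the inside VRF, so the set of leaked prefixes should be compared against what the crypto ACL actually permits whenever the front-door VRF's routing changes.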