On Feb 23, 2009, at 1:59 PM, schilling wrote:
I am not clear about your "route-map match subs, set vrf". If your
two specific subnets are in one campus core, you need to put them
into VRF ESNET by "ip forwarding vrf ESNET". If these two specific
subnets are distributed in your campus core, you need to use
end-to-end vrf-lite or MPLS, and put them in VRF ESNET. Once in the VRF
ESNET, you can then advertise them to your ESNET eBGP peering. If
you have more specific subnets within the two subnets, "ip route vrf
ESNET yourTwoSubnet2ESNET null 0" will populate a static route in
your VRF ESNET, so you can advertise them to your ESNET eBGP.
Existing more specific traffic will be routed in your VRF ESNET, and
non-specific traffic is dropped.
Maybe I am missing something about how to implement VRF.
The VRF is configured on our ISP edge router "A", which is also the
RIP default source for our other 3 core routers. So router "A" has a
vlan and physical port for each of the three core routers "B, C, D".
On the vlan interface to router "B", which receives traffic from the two
subnets of interest (along with other subnet traffic, but not allowed
to ESNET), I thought that I could have a route-map that MATCHES an
ACL for the two subnets, and SET VRF VRF-ESNET so that if the match is
true it would send traffic to the VRF-ESNET to first check its route
table. Once there, if the DEST was not to ESNET, it would use a
default to the global and be forwarded as usual.
I didn't even get to the point of trying the route-map because I
couldn't get statics in the VRF so the vrf bgp would announce the two
subnets to esnet. (It's the next hop issue. If the static next hop
is not reachable then it does not get installed).
Well I thought it sounded good.
Jeff
On Mon, Feb 23, 2009 at 10:55 AM, Jeff Fitzwater
<jf...@princeton.edu> wrote:
This question was posted earlier, before I opened ticket with CISCO.
Router is 6500 with 720-CXL running SXI code.
1. I have router "A" which is used to connect to our three ISPs
(two I1s and one I2 connection with full BGP), and also receives
all our internal campus traffic via RIP default path. Router "A"
announces default to campus.
2. I now need to add a new special ESNET.GOV ISP which cannot be
used by the majority of our campus except for two subnets. These
two subnets will still have access to the other three ISPs for
normal path selection but have the option of choosing an ESNET route
if needed.
3. So the original thinking was to create the VRF for ESNET which
would have its own ESNET route table and tell the two special
subnets (using route-map match subs, set vrf ) to check the ESNET
table first and if route is not in table then fall thru to global.
4. I can't just have one route table that includes the ESNET routes,
because ESNET announces some more specific routes and there may be
hosts that normally use the I1 path to these DSTs, but now see a
more specific path and try to use it and fail because it is not
allowed by ESNET outbound ACL.
I have BGP peering working in VRF ( can see prefixes from ESNET in
VRF table), but cannot announce our two subnet prefixes because they
do not show up in VRF route table. So getting static back to global
would fix this and other issue with DEFAULT to global. When I try
to add static routes they never show up because the next hop is not
present in VRF table or the command fails stating that... "Invalid
next-hop address (it's this router)".
I was hoping that just adding a static DEFAULT in VRF pointing to
global would do everything I needed, but cannot get it to work even
after trying all permutations of the command.
"ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 0.0.0.0 global"
Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3
10.10.10.10 global". Loopback3 was created with RFC-1918 IP and had
"vrf forwarding" added on this loopback. This also failed.
Creating an internal path between the VRF router and the global
router is stopping all this from working.
I have a ticket open with CISCO but they are saying I have to add an
external link with two physical ports on vrf. This will not work
for us.
Does anybody know how to get statics working between VRF and global
table, if it's even possible?
Really stuck!
Jeff Fitzwater
OIT Network Systems
Princeton University
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
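
The forwarding behaviour described in items 3 and 4 of the original question, as a small Python model added here. It is not part of the thread and is not router configuration; the prefixes, egress names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes, not values from the thread).
GLOBAL_TABLE = {"0.0.0.0/0": "I1"}                     # commodity ISP default
ESNET_TABLE = {"198.51.100.0/24": "ESNET"}             # more-specific learned from ESNET
ALLOWED_SOURCES = ["192.0.2.0/25", "192.0.2.128/25"]   # the two permitted subnets


def lpm(table, dst):
    """Longest-prefix match; returns the egress name or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, egress)
    return best[1] if best else None


def source_allowed(src):
    """True when the source sits in one of the two permitted subnets."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in ALLOWED_SOURCES)


def esnet_acl(src, egress):
    """Outbound ACL on the ESNET link: only the two subnets may use it."""
    if egress == "ESNET" and not source_allowed(src):
        return "DROPPED"
    return egress


def merged_table(src, dst):
    """Item 4: ESNET prefixes installed in the single global table."""
    return esnet_acl(src, lpm({**GLOBAL_TABLE, **ESNET_TABLE}, dst))


def vrf_select(src, dst):
    """Item 3: matched sources check the VRF first, then fall through to global."""
    if source_allowed(src):
        egress = lpm(ESNET_TABLE, dst)
        if egress is not None:
            return egress
    return esnet_acl(src, lpm(GLOBAL_TABLE, dst))
```

With one merged table, a host outside the two subnets follows the more-specific ESNET prefix and is dropped by the ACL; with source-based VRF selection the same host keeps its I1 path.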