(First post on the list, so please be gentle!) I'm working on a VPN solution which creates multiple VRFs and assigns VPN traffic into a particular VRF based on its ISAKMP profile and a dynamic crypto-map. The application in hand is a CPE management network: each CPE device builds a VPN tunnel back to a Cisco router, which constructs a CPE VRF.
It all works fine, up to a point. I use Reverse Route Injection to add routes into each VRF. I have static routes configured in the VRF directing outbound traffic via the correct front-door VRF:

    router> show crypto route
    Routes created in table CPE
    172.31.0.65/255.255.255.255 [1/0] via 1.2.3.4 tag 100 on Port-channel1.99 RRI

    router> sh ip route vrf CPE
    S    172.31.0.65/32 [1/0] via 1.2.3.4
         1.0.0.0/23 is subnetted, 1 subnets
    S       1.2.2.0 [1/0] via 1.2.2.1, Port-channel1.99

(1.2.3.4 represents public IP addresses.)

I foresee a problem when I try to terminate VPN tunnels from CPE devices that are not on public IP addresses, but instead are part of another VRF using private IP ranges:

    router> show crypto route
    Routes created in table CPE
    172.31.1.0/255.255.255.255 [1/0] via 10.0.0.102 tag 100 on Port-channel1.1100 RRI

    router> sh ip route vrf CPE
    S    172.31.1.0/32 [1/0] via 10.0.0.102

If I use "reverse-route remote-peer A.B.C.D gateway", I get the route to the remote host sent via the correct interface:

    router> sh ip route vrf CPE
    S    172.31.1.0/32 [1/0] via 10.0.0.102
         10.0.0.0/32 is subnetted, 1 subnets
    S       10.0.0.102 [1/0] via 10.0.0.4, Port-channel1.1100

My problem arises when we end up with overlapping address ranges in two different (front-door) VRFs, so I would expect to see something like:

    router> sh ip route vrf CPE
    S    172.31.1.0/32 [1/0] via 10.0.0.102
    S    172.31.1.1/32 [1/0] via 10.0.0.102
         10.0.0.0/32 is subnetted, 1 subnets
    S       10.0.0.102 [1/0] via 10.0.0.4, Port-channel1.1100
    S       10.0.0.102 [1/0] via 10.0.0.5, Port-channel1.1101

The first being in VRF A, the second in VRF B. My questions are:

- I expect this will be a problem, am I right? (i.e. there's no magic that will ensure packets go via the right VRF and not get load balanced across two different VRFs, is there?)
- Is there a way around the problem? Careful address assignment to avoid collisions is all I can think of.
What I really need is to be able to specify an interface/VRF in the first route, for example:

    router> sh ip route vrf CPE
    S    172.31.1.0/32 [1/0] via 10.0.0.102, Port-channel1.1100 (or vrf A)
    S    172.31.1.1/32 [1/0] via 10.0.0.102, Port-channel1.1101 (or vrf B)

Any advice would be very welcome.

-Ronan

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
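For readers following the thread, the following is an added illustration of the topology the post describes, reconstructed in Cisco IOS configuration syntax; it is not configuration taken from Ronan's message. The inside VRF CPE, the two front-door VRFs A and B with the same 10.0.0.0/29 addressing on Port-channel1.1100 and Port-channel1.1101, the peer 10.0.0.102 behind gateways 10.0.0.4 and 10.0.0.5, and every keyring, profile, map and key name are assumptions chosen to match the routing output quoted above. The keyring binds each ISAKMP profile to a front-door VRF, the profile's "vrf" line selects the inside VRF that RRI writes into, and "reverse-route remote-peer ... gateway" installs the /32 toward the peer's gateway.

```cisco
! Added example, not from the original post. Names and addresses are assumed.
ip vrf A
 rd 65000:1
ip vrf B
 rd 65000:2
ip vrf CPE
 rd 65000:100
!
! One keyring per front-door VRF (fvrf); IKE for these peers is sourced in A or B.
crypto keyring KR-A vrf A
 pre-shared-key address 10.0.0.102 255.255.255.255 key EXAMPLE-KEY-A
crypto keyring KR-B vrf B
 pre-shared-key address 10.0.0.102 255.255.255.255 key EXAMPLE-KEY-B
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! "vrf CPE" is the inside VRF (ivrf): RRI routes for this profile land in table CPE.
! The trailing VRF name on "match identity address" ties the profile to the fvrf.
crypto isakmp profile PROF-A
 vrf CPE
 keyring KR-A
 match identity address 10.0.0.102 255.255.255.255 A
crypto isakmp profile PROF-B
 vrf CPE
 keyring KR-B
 match identity address 10.0.0.102 255.255.255.255 B
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Dynamic maps with RRI. "remote-peer <gw> gateway" also injects a /32 for the
! peer itself pointing at the given next hop (10.0.0.4 in A, 10.0.0.5 in B).
crypto dynamic-map DYN-A 10
 set transform-set TS
 set isakmp-profile PROF-A
 reverse-route remote-peer 10.0.0.4 gateway
crypto dynamic-map DYN-B 10
 set transform-set TS
 set isakmp-profile PROF-B
 reverse-route remote-peer 10.0.0.5 gateway
!
crypto map CM-A 10 ipsec-isakmp dynamic DYN-A
crypto map CM-B 10 ipsec-isakmp dynamic DYN-B
!
! Two front-door interfaces with overlapping addressing, one per fvrf.
interface Port-channel1.1100
 encapsulation dot1Q 1100
 ip vrf forwarding A
 ip address 10.0.0.1 255.255.255.248
 crypto map CM-A
interface Port-channel1.1101
 encapsulation dot1Q 1101
 ip vrf forwarding B
 ip address 10.0.0.1 255.255.255.248
 crypto map CM-B
```

With both tunnels up, both profiles write into the single inside table CPE, so the two "gateway" entries for 10.0.0.102/32 (via 10.0.0.4 and via 10.0.0.5) coexist there exactly as in the expected output quoted in the post; a plain IPv4 static route in CPE carries no front-door VRF qualifier, so nothing in this configuration distinguishes the two. The example reproduces the collision so it can be seen in "show ip route vrf CPE"; it does not claim to resolve it.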