Hi Harold,

The setup is very simple. There are two devices configured, one is Cisco ASR 1002 router, running 16.12.04 version and another device is HP Thin Client PC. PC is running Windows 11. 

IP Configuration on the PC:

IP: 172.16.100.1, Subnet Mask: 255.255.255.0, Gateway: 172.16.100.254

Configuration on the router:

vrf definition A
rd 123:123
route-target export 123:123
route-target import 123:123
!
address-family ipv4
exit-address-family
!

interface Loopback0
description Loopback
vrf forwarding A
ip address 192.168.100.1 255.255.255.255
!

interface GigabitEthernet0/1/0
description To PC
ip vrf receive A
ip address 172.16.100.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
ip policy route-map GRT_TO_VRF
no shutdown
!

interface GigabitEthernet0/1/1
description To Firewall 
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
no shutdown
!
interface GigabitEthernet0/1/1.123
description "Firewall Management"
encapsulation dot1Q 123
vrf forwarding A
ip address 4.0.100.2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no shutdown
no cdp enable
!

ip access-list standard Leak_Route
10 permit 172.16.100.1 log

route-map GRT_TO_VRF permit 10
match ip address Leak_Route
set ip vrf A next-hop 4.0.100.3

Hi @jhonnywblue ,

Your route-map for the policy routing sets the next-hop to 4.0.100.3, which does exist.

Can you try the following instead:

interface GigabitEthernet0/1/0

no ip vrf receive A
no ip policy route-map GRT_TO_VRF

!

ip route 4.0.100.0 255.255.255.248 GigabitEthernet0/1/1.123

ip route vrf A 172.16.100.1 255.255.255.255 GigabitEthernet0/1/0 172.16.100.1

After changing the configuration, I can ping 4.0.100.2 from the PC

PC1#ping 4.0.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.0.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
PC1#
*Sep 20 01:58:47.465: ICMP: echo reply rcvd, src 4.0.100.2, dst 172.16.100.1, topology BASE, dscp 0 topoid 0
*Sep 20 01:58:47.468: ICMP: echo reply rcvd, src 4.0.100.2, dst 172.16.100.1, topology BASE, dscp 0 topoid 0
*Sep 20 01:58:47.471: ICMP: echo reply rcvd, src 4.0.100.2, dst 172.16.100.1, topology BASE, dscp 0 topoid 0
*Sep 20 01:58:47.474: ICMP: echo reply rcvd, src 4.0.100.2, dst 172.16.100.1, topology BASE, dscp 0 topoid 0
*Sep 20 01:58:47.478: ICMP: echo reply rcvd, src 4.0.100.2, dst 172.16.100.1, topology BASE, dscp 0 topoid 0

Regards,

I thought I tried this already. It did not work for me. I will give a shot. If it doesn't work then I think I have to change the PC to give a try. The next-hop in the route-map exist. It's on the firewall. I just did not provide the firewall configuration here. 

Hi Harold,

I tried removing those vrf and route-map commands from the interface and configured the router with two static routes but still couldn't ping the PC (172.16.100.1) using the vrf interface. I tried both the interfaces (Loopback and 0/1/1.123) to ping the PC and both failed.

Hi @jhonnywblue ,

The routes I included in my previous message did not permit pinging from the loopback interface, but should be fine if you ping from 0/1/1.123. Can you please show us the ping command that you are using?

You would need to add the following route to the global routing table to ping from the lo0 interface:

ip route 192.168.100.1 255.255.255.255 Loopback0

Regards,

I understood that the route for pinging from loopback interface was not there. I added that route to test out but that did not work for me. 

Here is the ping command I am using

ping vrf A 172.16.100.1 source Gi 0/1/1.123

ping vrf A 172.16.100.1 source Loopback0

None of the pings were successful. 

Hi @jhonnywblue ,

This works for me with a CSR1000v running 16.12.5. The issue might be with the way the ASR1000 ESP handles the communication between the GRT and the VRF.

Regards,

That could be the reason. Need to look more into the route leak on ASR 1002. 

Thank you for all your help and support. Appreciate it. If I find the solution I will post it here. 

Hi @jhonnywblue ,

What is it that you are trying to achieve? Is the goal for the PC to be able to reach the router interfaces in the VRF or for the PC to reach something beyond the router VRF (i.e. 4.0.100.3)?

The latter should work.

Regards,