accept in OSPF routes announced from the router itself

Ab26, Level 1

Hi, I have the following scenario:
LAN 11 <=> R1 (VRF-1 and OSPF 1) <=> R3 LAN 12 and internal FW
Internet FW <=> R1 (VRF-2 and OSPF 2) <=> R3 LAN 12 and internal FW

I want the VRF-1 subnets to go to the internal FW and then come back to R1, but on VRF-2. Is there any way to implement this?
When I run the "show ip route VRF-2" command, the VRF-1 subnets don't appear. When I run "show ip ospf 2 database" I see that the ADV Router for the VRF-1 subnets is the router itself, but with the IP address of VRF-1.

Any suggestion on how I can force R1 to accept the VRF-1 subnets into the VRF-2 routing table?
BTW, R3 is not a VRF-aware router and it peers with both VRFs in the same OSPF area 0.



You want traffic to pass via the FW? What are you trying here?

MHM

Exactly.
Pass through the internal FW => go out on VRF-2 => out to the internet.

!!

MHM

Thanks, I'll read through the link. However, it's not my team who handles the FWs, nor are they Cisco.

Hello
Can you post a topology diagram, if applicable, to show the traffic path you desire?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Ab26, Level 1

[Attached image: Ab26_0-1724105772737.png (topology diagram)]

show ip ospf 2 database
Link ID       ADV Router   Age   Seq#         Checksum   Tag
10.10.10.0    10.10.1.1    405   0x8001928D   0x00ABF8   3489726128
10.10.11.0    10.10.1.1    670   0x8000001B   0x00EFD9   3489726128

10.10.1.1 is the router ID for OSPF 1. Subnets 10.10.10.0 and 10.10.11.0 are the ones I want to get into the VRF-2 routing table.

!!! 

MHM

Hello
So at present these routes, and the hosts in those routes, exist in OSPF 1 on VRF-1, and both VRFs will be isolated from each other. So do you wish to route-leak between the two VRFs?


Edited: is this a duplicate post of this one? - here


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, the second post is another part of the problem. I didn't want to complicate the post here nor there.

What I'm trying to achieve is to force the traffic to use VRF-2 as the exit VRF towards the internet, as it's designed for. What is actually happening is that the same prefixes are received on the internet router from both VRFs.

Hello @Ab26 ,

According to your network diagram, the non-VRF-aware router R3 has two OSPF adjacencies, one in VRF-1 and one in VRF-2. It is likely receiving a default route in OSPF 2 / VRF-2, and the FW is downstream of R3. Have you configured PBR on router R3 to make the traffic go to the internal FW?

Because without it the traffic would bypass the FW, if the network topology is this. Router R3, the non-VRF-aware router, accepts the LSAs from multi-VRF R1 because it does not check the down bit (DN bit), and it routes traffic from the subnets directly to the VRF-2 logical subinterface.

In addition to this, R1 must keep separate OSPF databases in the two VRFs for the same reason: to avoid bypassing the internal FW.

Hope to help

Giuseppe

Thanks Giuseppe! Your answer is very thoughtful. Unfortunately I can't access R3 as it belongs to a third party; I can ask them for some traffic manipulation, but not PBR.
I have thought of using PBR on my side. The network is bigger than the diagram; for simplicity I drew only 2 routers.
In fact R1 is connected to R2.
Now the PBR I used for the test was:

ip access-list extended To_Internet
permit ip any host 8.8.8.8
permit tcp any host 8.8.8.8 eq 53
!
route-map RM-PBR-exit-01 permit 10
match ip address To_Internet
set interface vlan20
!
interface vlan 10
vrf forwarding VRF-1
ip policy route-map RM-PBR-exit-01
!
interface vlan 20
vrf forwarding VRF-2

Unfortunately this PBR didn't work. Do you think PBR would do the job if it's implemented on R2? If yes, what should I correct?

Hello @Ab26 ,

VRF-aware PBR requires a different configuration in the route-map set command.

See:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-15/configuration_guide/rtng/b_1715_rtng_9500_cg/configuring_vrf_aware_pbr.html?dtid=osscdc000283

set ip vrf vrf-name next-hop ip-address [ip-address]: Indicates where to route IPv4 packets that pass a match criteria of a route map using the next-hop specified for the VRF.

In your case it becomes:

route-map RM-PBR-exit-01 permit 10
match ip address To_Internet
set ip vrf VRF-2 next-hop <next-hop-in-VLAN-20>

Edit:

Corrected the suggested command, adding the ip keyword according to the provided configuration guide link.

Hope to help

Giuseppe

That's absolutely good advice. I was looking at whether I have to change the VRF in the PBR. I'll test that tonight (in 12 hours' time) and see how it works.

Hello @Ab26 ,

I think you need a similar symmetric PBR on SVI vlan 20 for the return traffic.

Traffic from host 8.8.8.8 to the subnet under vlan 10 is to be sent to vrf VRF-1.

I have also corrected the proposed command in the previous post.

Hope to help

Giuseppe
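The two route-maps discussed above (the VRF-aware exit PBR from the accepted answer and the symmetric return PBR on vlan 20 from the last post) put together into one R1 configuration, as an added example; this is not configuration from the thread or from the Cisco guide. The LAN masks (/24 for 10.10.10.0 and 10.10.11.0) and the next-hop placeholders NEXT_HOP_VLAN20 and NEXT_HOP_VLAN10 are assumptions and must be replaced with the real addresses reachable inside the respective VRF.

```cisco
! Added example, not from the thread. Assumed values: /24 masks on the
! 10.10.10.0 and 10.10.11.0 LANs; NEXT_HOP_VLAN20 and NEXT_HOP_VLAN10 are
! placeholders for a real next-hop address reachable in VRF-2 and VRF-1.
!
! Forward direction: traffic from VRF-1 hosts towards 8.8.8.8 is handed to VRF-2.
ip access-list extended To_Internet
 permit ip any host 8.8.8.8
!
route-map RM-PBR-exit-01 permit 10
 match ip address To_Internet
 ! "set interface vlan20" alone stays in the ingress VRF and does not work here;
 ! the VRF-aware form names the target VRF together with a next hop inside it.
 set ip vrf VRF-2 next-hop NEXT_HOP_VLAN20
!
! Return direction: replies from 8.8.8.8 arriving in VRF-2 are handed back to VRF-1,
! so the flow is symmetric instead of being dropped or routed by the VRF-2 table.
ip access-list extended From_Internet
 permit ip host 8.8.8.8 10.10.10.0 0.0.0.255
 permit ip host 8.8.8.8 10.10.11.0 0.0.0.255
!
route-map RM-PBR-return-01 permit 10
 match ip address From_Internet
 set ip vrf VRF-1 next-hop NEXT_HOP_VLAN10
!
! Apply each policy on the ingress SVI of the VRF the traffic enters from.
interface Vlan10
 vrf forwarding VRF-1
 ip policy route-map RM-PBR-exit-01
!
interface Vlan20
 vrf forwarding VRF-2
 ip policy route-map RM-PBR-return-01
```

PBR only acts on transit packets entering the interface the policy is applied to, and the next hop named in `set ip vrf ... next-hop` has to be resolvable in that VRF, so check reachability of each placeholder address from within its VRF first. To confirm packets actually hit the policy, `show ip policy` lists the interfaces and their route-maps, and `show route-map RM-PBR-exit-01` reports the policy-routing match counters; a counter that stays at zero while traffic flows means the ACL is not matching the packets you expect.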
