Solved: Re: accept in OSPF routes announced from the router itself - Page 2

Ab26 · ‎08-19-2024

Hi, I have a the following scenario:
LAN 11 <=> R1 (VRF-1 and OSPF 1) <=> R3 LAN 12 and internal FW
Internet FW <=> R1 (VRF-2 and OSPF 2) <=> R3 LAN 12 and internal FW

I want the VRF-1 subnets to go the internal FW and then come back to R1 but on VRF-2. Is there anyway to implement this?
When I run "show ip route VRF-2" command VRF-1 subnets don't apprear. When I run "show ip ospf 2 database" I see the ADV Router for VRF-1 sunbets is the router itself but with the ip address of VRF-1

Any suggestion on how can I force R1 to accept in VRF-1 subnets in VRF-2 routing table?
BTW R3 is not a VRF aware router and it peers with both VRFs on the same OSPF area 0

Ab26 · ‎08-20-2024

@Giuseppe Larosa now I have tested the following PBR but unfortunately the ACL didn't get any match. Can you see if I did any mistake here

ip access-list extended To_Internet
permit ip any host 8.8.8.8
permit tcp any host 8.8.8.8 eq 53
!
route-map RM-PBR-EXIT permit 10
match ip address To_Internet
set ip vrf VRF-2 next-hop 192.168.20.3
## 192.168.20.3 is the IP address of VLAN 20 on R3 ##
!
interface vlan 10
vrf forwarding VRF-1
ip policy route-map RM-PBR-exit-01
!
interface vlan 20
vrf forwarding VRF-2
ip address 192.168.20.2 255.255.255.0

MHM Cisco World · ‎08-20-2024

!!!

MHM

Ab26 · ‎08-20-2024

Thanks for your helping MHM !

I tried half of the PBR just to see if there's any hit on the ACL. But none is received, that's what confuses me

Giuseppe Larosa · ‎08-20-2024

Hello @Ab26 ,

how have you done the tests ?

the user traffic needs to be generated by an external device not by using ping on the router itssef ( locally generated traffic is not processed by standard PBR it would require local PBR that is applied in global config)

You should also apply the PBR in the SVI VLAN 20 for return traffic to make a complete test.

Hope to help

Giuseppe

Ab26 · ‎08-20-2024

Thanks for your reply @Giuseppe Larosa ! I tested the ping from a device on the LAN side. I’ve also applied 2 ways PBR as you suggested, but unfortunately no hit has come on the either ACLs

Giuseppe Larosa · ‎08-20-2024

Hello @Ab26 ,

can you post a show version of the device ?

Also for some multilayer switches to use PBR you may need to change the SDM template to save the configuration and to reload the device.

Also try to use a set command without the vrf keyword just to understand if there is an issue with VRF aware PBR.

Hope to help

Giuseppe

MHM Cisco World · ‎08-20-2024

!!!
MHM

Ab26 · ‎08-20-2024

I didn't get what you mean

Do you mean that I have to use "capability vrf-lite" command under the OSPF config?

MHM Cisco World · ‎08-20-2024

Do you mean that I have to use "capability vrf-lite" command under the OSPF config?

are you even use OSPF as I suggest ?

MHM

Ab26 · ‎08-20-2024

I don’t understand what do you mean? Can you elaborate? I’ve stated on original post that this is an OSPF setup and can’t see anything different on your lab from i have in my network

MHM Cisco World · ‎08-20-2024

!!!

MHM

Ab26 · ‎08-20-2024

wrong post

MHM Cisco World · ‎08-20-2024

!!!

MHM

Ab26 · ‎08-20-2024

Thanks @MHM Cisco World !

1- I will have to read a bit about "capability vrf-lite" command. This we don't usually implement.
2- The FW router (R3 in my case) runs as you said one OSPF process. This router is not Cisco and I don't have access to. It should only have simple OSPF config

MHM Cisco World · ‎08-20-2024

!!!

MHM