
CSR in AWS. Advertise out VRF routes

Richard Tapp
Level 1

I have just installed a CSR into Amazon AWS and have a query on routing between VPCs.

There is a Public VPC with the CSR Outside interface in and a private VPC with a test server.

The CSR is fully integrated into our private DMVPN and that side seems to be working OK and the CSR can ping the test server.

The issue is that our remote sites cannot ping the test server. The routes for the private VPC subnet are advertised out in DMVPN.

I understand that we don’t want the private VPC to route directly through the public VPC as that is not how AWS is supposed to work.

I am guessing the CSR is seeing the server through this interface:

interface VirtualPortGroup0
 vrf forwarding GS
 ip address 192.168.55.101 255.255.255.0
 ip nat inside

and the rest of the config that is relevant:

interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto

ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 10.180.100.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 10.180.100.1 global

ip access-list standard GS_NAT_ACL
 permit 192.168.35.0 0.0.0.255

Can anyone help with the routing to this server?

 

4 Replies

Thanks, that has given me some other options to try. I have now assigned another interface to the CSR, which is in the private VPC.

It is still not working, as I suspect the test server config is still not 100% (not under my control).

Have a meeting with AWS later on to discuss the issue.

From personal experience, AWS support is pretty good. 

Should help resolve the issue. 

Hello,

off the top of my head, I think you need to add the route below:

ip route 192.168.55.0 255.255.255.0 VirtualPortGroup0
