PBR on ASA - can't reach device on other side of interface

Working in GNS3. Trying to reach a device that is on global routing from a VRF (more VRFs to come).

I got the PBR set up so I can reach the IP of the interface, but I can't ping/reach the device connected to it.

I've attached a diagram. Basically the 2 routers on the bottom will be 2 different VRFs on the ASA. I want to be able to reach the equipment connected to that gi1 or connected to the switch via BDI200/vlan200.

I can ping the gi1 interface IP - but not the other side of the /30

 

ASR#ping 40.130.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.130.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
ASR#ping vrf A 40.130.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.130.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASR#ping vrf A 40.130.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.130.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

 

 

Here is my relevant config:

!
no aaa new-model
!
ip vrf A
 rd 400:40
!
ip vrf B
 rd 500:50
!
ip vrf Voice
 rd 200:20
 route-target export 200:20
!

!
interface GigabitEthernet1
 description direcly connected Equip
 ip vrf receive A
 ip address 40.130.1.1 255.255.255.252
 ip policy route-map AccessPBR
 negotiation auto
!
interface GigabitEthernet2
 description TO SWITCH
 no ip address
 negotiation auto
 service instance 200 ethernet
  description VOICE
  encapsulation dot1q 200
  rewrite ingress tag pop 1 symmetric
  bridge-domain 200
 !
!
interface GigabitEthernet3
 description TO PROVIDER_A
 no ip address
 speed 1000
 no negotiation auto
 service instance 400 ethernet
  description TO CUSTOMER A
  encapsulation dot1q 400
  rewrite ingress tag pop 1 symmetric
  bridge-domain 400
 !
 service instance 500 ethernet
  description to CUSTOMER B
  encapsulation dot1q 500
  rewrite ingress tag pop 1 symmetric
  bridge-domain 500
 !
!
interface GigabitEthernet4
 description to PROVIDER_B
 no ip address
 speed 1000
 no negotiation auto
 service instance 400 ethernet
  description TO CUSTOMER A
  encapsulation dot1q 400
  rewrite ingress tag pop 1 symmetric
  bridge-domain 400
 !
 service instance 500 ethernet
  description to CUSTOMER B
  encapsulation dot1q 500
  rewrite ingress tag pop 1 symmetric
  bridge-domain 500
 !
!
interface BDI200
 ip address 40.130.0.1 255.255.255.252
!
interface BDI400
 description CUSTOMER A
 ip vrf forwarding A
 ip address 10.10.40.2 255.255.255.0
 ip policy route-map AccessPBR
!
interface BDI500
 description CUSTOMER B
 ip vrf forwarding B
 ip address 10.10.50.2 255.255.255.0
!
router bgp 100
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 40.130.0.0 mask 255.255.255.0
  network 40.130.1.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute connected
  redistribute static
  neighbor 10.10.40.1 remote-as 100
  neighbor 10.10.40.1 activate
  neighbor 10.10.40.3 remote-as 100
  neighbor 10.10.40.3 activate
 exit-address-family
 !
 address-family ipv4 vrf B
  redistribute connected
  redistribute static
  neighbor 10.10.50.1 remote-as 100
  neighbor 10.10.50.1 activate
  neighbor 10.10.50.3 remote-as 100
  neighbor 10.10.50.3 activate
 exit-address-family
!
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf Voice 40.130.1.0 255.255.255.252 GigabitEthernet1 40.130.1.2
!
ip access-list standard VOICE2VRF_A
 permit 40.130.0.0 0.0.255.255
ip access-list standard VRF2VOICE
 permit 192.168.0.0 0.0.255.255
 permit 10.10.0.0 0.0.255.255
!
!
!
route-map AccessPBR permit 10
 match ip address VRF2VOIC
 set global
 set ip global next-hop 40.130.1.1
!
route-map AccessPBR permit 20
 match ip address VOICE2VRF_A
 set vrf A
!
!
!

Accepted Solutions
Beginner

Re: PBR on ASA - can't reach device on other side of interface

Disregard. I was on the right track. Just had some typos... killers.
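In the config as posted, route-map AccessPBR sequence 10 matches on an ACL named VRF2VOIC, while the only ACLs defined are VOICE2VRF_A and VRF2VOICE. The following is an added example, not part of the original thread: a small check that flags references to VRFs, named ACLs and route-maps that are never defined. The function name and regex tables are assumptions of this example, and it covers only the command forms that appear in this config.

```python
import re

# Constructed excerpt: object definitions and references from the posted config.
SAMPLE_CONFIG = """\
ip vrf A
ip vrf Voice
interface GigabitEthernet1
 ip vrf receive A
 ip policy route-map AccessPBR
interface BDI400
 ip vrf forwarding A
 ip policy route-map AccessPBR
ip route vrf Voice 40.130.1.0 255.255.255.252 GigabitEthernet1 40.130.1.2
ip access-list standard VOICE2VRF_A
ip access-list standard VRF2VOICE
route-map AccessPBR permit 10
 match ip address VRF2VOIC
route-map AccessPBR permit 20
 match ip address VOICE2VRF_A
 set vrf A
"""

# (kind, regex) pairs; group 1 captures the object name(s).
DEFINITIONS = [
    ("vrf", r"^ip vrf (\S+)$"),
    ("acl", r"^ip access-list (?:standard|extended) (\S+)"),
    ("route-map", r"^route-map (\S+) (?:permit|deny)"),
]
REFERENCES = [
    ("vrf", r"^\s+ip vrf (?:forwarding|receive) (\S+)"),
    ("vrf", r"^\s+set vrf (\S+)"),
    ("vrf", r"^ip route vrf (\S+)"),
    ("acl", r"^\s+match ip address (.+)$"),  # one clause may list several ACLs
    ("route-map", r"^\s+ip policy route-map (\S+)"),
]

def find_dangling(config):
    """Return (line_no, kind, name) for every reference with no definition."""
    lines = config.splitlines()
    defined = {(kind, m.group(1)) for line in lines
               for kind, rx in DEFINITIONS if (m := re.match(rx, line))}
    dangling = []
    for no, line in enumerate(lines, 1):
        for kind, rx in REFERENCES:
            if (m := re.match(rx, line)):
                for name in m.group(1).split():
                    if (kind, name) not in defined:
                        dangling.append((no, kind, name))
    return dangling
```

Calling `find_dangling(SAMPLE_CONFIG)` reports the ACL reference on line 13 of the excerpt; numbered ACLs and `match ip address prefix-list` are not handled.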
