Hello,
We have multiple sites connected to a central office; the topology is exactly as described here: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfodr.html
Every site has its own GRE tunnel to the central Cisco 1841 running c1841-advipservicesk9-mz.124-25d.bin,
where the tunnel is placed in a non-default VRF.
The equipment at the remote sites is an entry-level Cisco 861 with no routing protocols available, except maybe RIP.
To simplify configuration in a future large-scale deployment, I chose to go with router odr, so that the stub remote routers can advertise routes for their directly connected LANs. I only need the route to the specific LAN, so the directly connected WAN network should have been filtered by the distribute-list statement.
The problem is: when the tunnel interface on the C1841 is attached to a VRF, the distribute-list statement no longer works. All directly connected networks from the remote site are installed in the VRF routing table.
As soon as the VRF is removed, routing updates are filtered as expected.
Complete config:

C1841:
interface Tunnel16820
 ip vrf forwarding untrusted
 ip addre 169.254.0.89 255.255.255.252
 cdp enable
 tunnel source 10.111.2.21
 tunnel dest 10.109.106.254
router odr
 distribute-list prefix untrusted-in in
ip prefix-list untrusted-in seq 5 permit 10.109.64.0/19 le 32
ip prefix-list untrusted-in seq 10 deny 0.0.0.0/0 le 32

C861:
interface Tunnel1
 ip addre 169.254.0.90 255.255.255.252
 cdp ena
 tunnel dest 10.111.2.21
 tunnel source 10.109.106.254
cdp run
The relevant "debug cdp ip" output on the Cisco 1841 looks exactly the same for both the VRF and non-VRF cases, but the final result is different:
May 31 05:47:32.302: CDP-IP: Reading prefix 10.109.76.128/25 source 169.254.0.90 via Tunnel16820
May 31 05:47:32.302: CDP-IP: Updating prefix 10.109.76.128/25 in routing table
May 31 05:47:32.302: CDP-IP: Reading prefix 10.109.106.128/25 source 169.254.0.90 via Tunnel16820
May 31 05:47:32.302: CDP-IP: Updating prefix 10.109.106.128/25 in routing table
May 31 05:47:32.302: CDP-IP: Reading prefix 195.190.98.196/30 source 169.254.0.90 via Tunnel16820
May 31 05:47:32.302: CDP-IP: Updating prefix 195.190.98.196/30 in routing table
Result with VRF enabled:
rumosro03(config)#do sh ip ro vrf untrusted | i 16820
C 169.254.0.88 is directly connected, Tunnel16820
o 10.109.106.128/25 [160/1] via 169.254.0.90, 00:00:05, Tunnel16820
o 10.109.76.128/25 [160/1] via 169.254.0.90, 00:00:05, Tunnel16820
o 195.190.98.196 [160/1] via 169.254.0.90, 00:00:05, Tunnel16820
Result with disabled vrf:
rumosro03(config-if)#do sh ip ro | i 16820
C 169.254.0.88 is directly connected, Tunnel16820
o 10.109.76.128/25 [160/1] via 169.254.0.90, 00:00:11, Tunnel16820
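
Added example, not part of the original post: a Python check that applies the untrusted-in prefix-list from the config above to the prefixes seen in the debug cdp ip output and reports which installed ODR routes the filter should have dropped. The prefix-list and debug lines are copied from the post; the function names and the first-match, ge/le evaluation are this example's own and assume standard IOS prefix-list semantics.

```python
import ipaddress
import re
# Prefix-list and debug lines copied from the post above.
PREFIX_LIST = """\
ip prefix-list untrusted-in seq 5 permit 10.109.64.0/19 le 32
ip prefix-list untrusted-in seq 10 deny 0.0.0.0/0 le 32
"""
DEBUG_CDP_IP = """\
May 31 05:47:32.302: CDP-IP: Reading prefix 10.109.76.128/25 source 169.254.0.90 via Tunnel16820
May 31 05:47:32.302: CDP-IP: Reading prefix 10.109.106.128/25 source 169.254.0.90 via Tunnel16820
May 31 05:47:32.302: CDP-IP: Reading prefix 195.190.98.196/30 source 169.254.0.90 via Tunnel16820
"""
ENTRY_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?")

def parse_prefix_list(text, name):
    """Return the entries of one named prefix-list, ordered by sequence number."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        if m.group(1) != name:
            continue
        net = ipaddress.ip_network(m.group(4))
        ge, le = m.group(5), m.group(6)
        # No ge/le: exact length only. ge alone implies le 32.
        # le alone: lengths from the entry's own length up to le.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (32 if ge else net.prefixlen)
        entries.append((int(m.group(2)), m.group(3), net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def permitted(prefix, entries):
    """First matching entry decides; no match falls through to the implicit deny."""
    cand = ipaddress.ip_network(prefix)
    for _seq, action, net, lo, hi in entries:
        if cand.network_address in net and lo <= cand.prefixlen <= hi:
            return action == "permit"
    return False

def expected_odr_routes(debug_text, entries):
    """Advertised prefixes (from 'debug cdp ip') that the filter should let in."""
    seen = re.findall(r"CDP-IP: Reading prefix (\S+) source", debug_text)
    return [p for p in seen if permitted(p, entries)]

def leaked(installed, debug_text, entries):
    """Installed ODR routes that the prefix-list should have dropped."""
    return sorted(set(installed) - set(expected_odr_routes(debug_text, entries)))
```

Passing the three ODR prefixes installed in the VRF case to `leaked()` returns the two routes that bypassed the filter; passing the single route from the non-VRF case returns an empty list.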