Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
471
Views
0
Helpful
5
Replies

Routing between VRFs does not work in CISCO IR9300 L3 switch

dim_ing
Level 1
Level 1

‎09-25-2024 01:39 AM

Hello,

I am using cisco IR9300 L3 switch and I use the same VRF, VLAN, Routing Config that I had on a router IR1800.

The issue is although I have the "Network Advantage" license I fail to have routing between 2 VRFs whereas in Router it works with the exact same config. For more info I have enable "ip routing" in my L3 switch. Please find below my VRF, SVI, VLAN config

interface Vlan9
ip vrf forwarding wan
ip address dhcp
ip nat outside

!

interface Vlan19
ip vrf forwarding mgmt
ip address 10.252.92.254 255.255.255.0
ip nat inside
no autostate

!

ip route vrf mgmt 0.0.0.0 0.0.0.0 Vlan9 dhcp

!

ip nat inside source list mgmt-nat-acl-wan interface Vlan9 vrf mgmt overload

!
ip access-list extended mgmt-nat-acl-wan
10 deny ip any host 10.252.254.254
20 deny ip 10.252.92.0 0.0.0.255 10.66.32.0 0.0.0.255
21 deny ip 10.252.92.0 0.0.0.255 10.20.50.0 0.0.0.255
22 deny ip 10.252.92.0 0.0.0.255 10.20.80.0 0.0.0.255
23 deny ip 10.252.92.0 0.0.0.255 10.20.60.0 0.0.0.255
24 deny ip 10.253.92.0 0.0.0.255 10.66.32.0 0.0.0.255
30 deny ip 10.248.92.0 0.0.0.255 10.66.32.0 0.0.0.255
33 deny ip 10.248.92.0 0.0.0.255 10.20.60.0 0.0.0.255
34 deny ip 10.248.92.0 0.0.0.255 10.20.80.0 0.0.0.255
35 deny ip 10.248.92.0 0.0.0.255 10.20.50.0 0.0.0.255
36 permit ip host 10.252.92.1 any
40 permit ip host 10.252.92.254 any
50 permit ip host 10.252.92.247 any
60 permit ip host 10.252.92.253 any
61 permit ip host 10.248.92.1 any
62 permit ip host 10.248.92.254 any
72 permit ip 10.252.92.0 0.0.0.255 any
82 permit ip host 10.252.92.2 any

!

interface GigabitEthernet1/0/2
description ETH-2 WAN port 
switchport access vlan 9
!

!
interface GigabitEthernet1/0/5
description ETH-5 PC port
switchport mode trunk

The issue the host 10.252.92.1 is connected to Interface GigabitEthernet1/0/5 and although I can ping the interface on switch 10.252.92.254 I do not have any internet access. The denys in the access list mgmt-nat-acl-wan exist so as to NOT nat IPsec routes already applied. In the end as I said to the router the exact same config works. Does anybody have any idea?

Labels:
0 Helpful
5 Replies 5

Flavio Miranda
VIP
VIP

‎09-25-2024 02:14 AM

@dim_ing 

 Routing between VRF will not take place unless you tell the switch how. You can refer to the following documentation.

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/216541-vrf-configuration-examples-on-ios-xe.html

One more observation, if you have a PC connected to the interface GigabitEthernet1/0/5, it should not be a trunk.

 

 

0 Helpful

dim_ing
Level 1
Level 1
In response to Flavio Miranda

‎09-25-2024 02:36 AM

thanks for the link but the issue is the exact same config I have in a Router works and in the L3 switch nope and I do not get why it presents different behaviour

0 Helpful

MHM Cisco World
VIP
VIP
In response to dim_ing

‎09-25-2024 02:40 AM

It platform different even if both use same ios xe.

MHM

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎09-25-2024 09:17 AM

Hello @dim_ing ,

SVI vlan 9 is under vrf wan

then you have

ip route vrf mgmt 0.0.0.0 0.0.0.0 Vlan9 dhcp

in any case a Catalyst switch may require the usage of a different SDM template to support NAT and VRF together

There is no SDM template on a software based router.

Hope to help

Giuseppe

 

0 Helpful

dim_ing
Level 1
Level 1
In response to Giuseppe Larosa

‎09-26-2024 01:18 AM

Thank you for your answer. But, could you guide me on what to change regarding SDM that you refer?

0 Helpful
Customers Also Viewed These Support Documents