06-03-2024 11:23 AM
I have a scenario where I have anyconnect vpns terminating to a Cisco FTD (configured with FMC). There are multiple connection profiles, that have separate ip pools, which then enter a catalyst 9500 L3 switch (main router) with multiple vrfs. I would like one connection profile to route to the global vrf and another connection profile to connect to another vrf.
A simplified architecture would look like:
VPN client->FTD->catalyst switch -> vrf1/vrf global
Currently the global/default vrf has no issue and works as expected.
I have created a route map pointing to an acl that has the source IP of the ip pool that I wish to route to a specific vrf
route-map SDEV-PBR permit 10
match ip address SDEV-PBR !something like permit ip 172.24.67.0 0.0.0.255 any
set vrf sdev-w2-vrf-test
and then apply it to the interface of the incoming interface vlan
interface Vlan481
ip policy route-map SDEV-PBR
with the route-map applied the vrf vpn cannot pass traffic; if I take away that route map, it works the same as the global vpn.
I receive no hits on my ACL and no packets on my route-map, though. The fact that it changes behavior with the route-map applied makes me think I'm properly identifying the traffic, but may have something mis-configured.
show route-map
route-map SDEV-PBR, permit, sequence 10
Match clauses:
ip address (access-lists): SDEV-PBR
Set clauses:
vrf sdev-w2-vrf-test
Policy routing matches: 0 packets, 0 bytes
I don't know if I need to configure something else to select the vrf, or if my hardware is not capable.
06-05-2024 06:25 AM
Hello
If I understand your request correctly then you will need the following:
GRT:
extended acl with anyconnect users subnet as source/port destination subnet
route-map calling the extended acl and set ip next-hop towards vrf
static route of the vrf subnet on the switch pointing towards the vrf physical interface
VRF rib
static route of the GRT anyconnect subnet next hop ip of the anyconnect interface specifying the global route table
Example:
anyconnect subnet = 1.1.1.1/24, interface gig0/0
VRF subnet - 2.2.2.1/24, interface gig0/1
ip access-list extended VRF_ACL
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
route-map VRF_rm
match ip address VRF_ACL
set ip next-hop 2.2.2.2
int gig0/0
ip policy route-map VRF_rm
ip route 2.2.2.0 255.255.255.0 gig0/1
ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2 global
06-03-2024 11:31 AM
So the link between SW and FTD is in global and you need only anyconnect subnet to be in specific vrf and other not ?
MHM
06-03-2024 11:33 AM
Yes, this is correct
06-04-2024 10:13 AM
Don't worry, I will update you max tomorrow
Thanks for waiting
MHM
06-05-2024 03:00 AM
Now
We need to build VRF piece by piece
First you need route-map which you already did
Second you need ip vrf receive <vrf name>
Until this point ping from any IP in vrf to ftd interface IP if success then
Third you need (this step I don't so sure) static route with vrf aware in SW toward ftd interface IP
These three steps
MHM
06-05-2024 06:09 AM
Thank you,
This makes sense. I tried adding the ip vrf receive to the interface, but it does not appear to be an available command on this vlan interface for some reason.
SW-1(config-if)#ip vrf ?
autoclassify Enable IP VRF Autoclassify feature
forwarding Configure forwarding table
select Enable VRF selection
sitemap Configure route-map for routes received from this site
I'm not sure if this is a limitation on the 9500-48y4ca hardware or if it is a license issue, or potentially an SDM template (it is set for core).
06-05-2024 06:12 AM
Let me check the keyword that appears to you
MHM
06-05-2024 08:08 AM
Thank you Paul,
The key to finding my solution was the "global" command at the end of the ip route vrf statement.
Using your example, I had
ip route 2.2.2.0 255.255.255.0 gig0/1
ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2
and
ip route 1.1.1.0 255.255.255.0 1.1.1.2
I removed
ip route 1.1.1.0 255.255.255.0 1.1.1.2
ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2
and made it just
ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2 global
and traffic started passing
06-06-2024 01:21 AM
Hello Brian
Glad to hear you have got it working
The global command in the vrf static is basically telling the vrf rib to route via the Global route table (GRT) for that subnet
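As an added illustration (not part of the thread and not Cisco code), a small Python model of the two lookups the accepted answer relies on: the PBR forward path resolved in the GRT, and the VRF static route for the return path whose next hop 1.1.1.2 only resolves when the `global` keyword sends the recursion to the GRT. The topology (1.1.1.0/24 on gig0/0, 2.2.2.0/24 on gig0/1) is taken from the example above; everything else is a constructed toy.

```python
import ipaddress

# Constructed toy tables. Values are (egress interface or next-hop IP, resolve scope).
GRT = {
    "1.1.1.0/24": ("gig0/0", None),   # connected anyconnect subnet
    "2.2.2.0/24": ("gig0/1", None),   # ip route 2.2.2.0 255.255.255.0 gig0/1
}
VRF_CONNECTED = {"2.2.2.0/24": ("gig0/1", None)}  # connected inside the VRF


def lpm(table, dst):
    """Longest-prefix match of dst against one table; returns the entry or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), v) for p, v in table.items()
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def resolve(table, next_hop):
    """Recursively resolve an IP next hop to an egress interface within ONE table."""
    seen = set()
    while not next_hop.startswith("gig"):
        if next_hop in seen:          # recursion loops back onto itself: unresolvable
            return None
        seen.add(next_hop)
        entry = lpm(table, next_hop)
        if entry is None:
            return None
        next_hop = entry[0]
    return next_hop


def vrf_table(with_global_keyword):
    """VRF RIB holding 'ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2 [global]'."""
    table = dict(VRF_CONNECTED)
    table["1.1.1.0/24"] = ("1.1.1.2", "global" if with_global_keyword else "vrf")
    return table


def forward_path(src, dst):
    """GRT ingress on gig0/0: route-map VRF_rm matches ACL VRF_ACL and sets next hop 2.2.2.2."""
    acl_hit = (ipaddress.ip_address(src) in ipaddress.ip_network("1.1.1.0/24")
               and ipaddress.ip_address(dst) in ipaddress.ip_network("2.2.2.0/24"))
    return resolve(GRT, "2.2.2.2" if acl_hit else dst)


def return_path(with_global_keyword, dst="1.1.1.50"):
    """Egress for VRF -> anyconnect return traffic, or None when the route cannot resolve."""
    vrf = vrf_table(with_global_keyword)
    entry = lpm(vrf, dst)
    if entry is None:
        return None
    nh, scope = entry
    return nh if nh.startswith("gig") else resolve(GRT if scope == "global" else vrf, nh)
```

Without `global` the VRF RIB tries to resolve 1.1.1.2 through its own 1.1.1.0/24 route, which points back at 1.1.1.2, so the static route never becomes usable; with `global` it resolves to gig0/0 via the GRT.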