Select a VRF on a Catalyst 9500 based on IP of VPN pool

Brian Green
Level 1

I have a scenario where I have AnyConnect VPNs terminating on a Cisco FTD (configured with FMC). There are multiple connection profiles, with separate IP pools, which then enter a Catalyst 9500 L3 switch (main router) with multiple VRFs. I would like one connection profile to route to the global VRF and another connection profile to connect to another VRF.

A simplified architecture would look like:

VPN client->FTD->catalyst switch -> vrf1/vrf global

Currently the global/default vrf has no issue and works as expected.  

I have created a route-map pointing to an ACL that has the source IP of the IP pool that I wish to route to a specific VRF:

route-map SDEV-PBR permit 10
 match ip address SDEV-PBR   ! something like: permit ip 172.24.67.0 0.0.0.255 any
 set vrf sdev-w2-vrf-test

and then apply it to the incoming VLAN interface:

interface Vlan481
ip policy route-map SDEV-PBR

With the route-map applied, the VRF VPN cannot pass traffic; if I take away that route-map, it works the same as the global VPN.

I receive no hits on my ACL and no packets on my route-map, though. The fact that it changes behavior with the route-map applied makes me think I'm properly identifying the traffic, but may have something misconfigured.

show route-map
route-map SDEV-PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): SDEV-PBR
  Set clauses:
    vrf sdev-w2-vrf-test
  Policy routing matches: 0 packets, 0 bytes

I don't know if I need to configure something else to select the VRF, or if my hardware is not capable.


9 Replies

So the link between the SW and the FTD is in global, and you need only the AnyConnect subnet to be in a specific VRF and the other not?

MHM

Yes, this is correct

 

Don't worry, I will update you by tomorrow at the latest.

Thanks for waiting 

MHM

Now 

We need to build VRF piece by piece 

First, you need the route-map, which you already did.

Second, you need ip vrf receive <vrf name>.

At this point, ping from any IP in the VRF to the FTD interface IP; if successful, then:

Third, you need (I'm not so sure about this step) a VRF-aware static route in the SW toward the FTD interface IP.

These three steps 

MHM

Brian Green
Level 1

Thank you,

This makes sense. I tried adding the ip vrf receive to the interface, but it does not appear to be an available command on this VLAN interface for some reason.

SW-1(config-if)#ip vrf ?
     autoclassify Enable IP VRF Autoclassify feature
     forwarding Configure forwarding table
     select Enable VRF selection
     sitemap Configure route-map for routes received from this site

I'm not sure if this is a limitation on the 9500-48y4ca hardware, or if it is a license issue, or potentially an SDM template (it is set for core).

Let me check the keyword that appears for you.

MHM

Hello
If I understand your request correctly then you will need the following:

GRT:
extended ACL with the AnyConnect users' subnet as source/port, destination subnet
route-map calling the extended ACL and set ip next-hop towards the VRF
static route of the VRF subnet on the switch pointing towards the VRF physical interface

VRF RIB:
static route of the GRT AnyConnect subnet, next hop IP of the AnyConnect interface, specifying the global route table

Example:
anyconnect subnet = 1.1.1.1/24, interface gig0/0
VRF subnet - 2.2.2.1/24, interface gig0/1

ip access-list extended VRF_ACL
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

route-map VRF_rm
 match ip address VRF_ACL
 set ip next-hop 2.2.2.2

int gig0/0
 ip policy route-map VRF_rm


ip route 2.2.2.0 255.255.255.0 gig0/1
ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2 global


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you Paul,

The key to finding my solution was the "global" keyword at the end of the ip route vrf statement.

Using your example, I had:

ip route 2.2.2.0 255.255.255.0 gig0/1

ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2

and 

ip route 1.1.1.0 255.255.255.0 1.1.1.2

I removed

ip route 1.1.1.0 255.255.255.0 1.1.1.2
ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2

and made it just

ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2 global

and traffic started passing.

 

Hello Brian
Glad to hear you have got it working

The global keyword in the VRF static route is basically telling the VRF RIB to route via the global route table (GRT) for that subnet.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
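Added example, not from the thread or from Cisco: a small Python lint for the misconfiguration Brian hit and Paul explains above, a VRF static route whose next hop lives in the global table but lacks the global keyword, so the VRF RIB cannot resolve it. The two configs are constructed from Paul's example addressing (Brian's "before" and "after"); the interface and ip route syntax is standard IOS/IOS-XE.

```python
import ipaddress
import re

# Constructed "before" config, mirroring Brian's first attempt (not copied
# from the thread verbatim): the VRF static has no 'global' keyword.
CONFIG_BEFORE = """
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/1
 vrf forwarding VRF
 ip address 2.2.2.1 255.255.255.0
ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/1
ip route 1.1.1.0 255.255.255.0 1.1.1.2
ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2
"""

# Constructed "after" config: the fix Brian applied.
CONFIG_AFTER = """
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/1
 vrf forwarding VRF
 ip address 2.2.2.1 255.255.255.0
ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/1
ip route vrf VRF 1.1.1.0 255.255.255.0 1.1.1.2 global
"""

# ip route [vrf NAME] PREFIX MASK NEXTHOP [global]
ROUTE_RE = re.compile(r"^ip route(?: vrf (\S+))? (\S+) (\S+) (\S+)(\s+global)?\s*$")


def connected_networks(config):
    """Map VRF name ('' for the global table) -> connected IPv4 networks."""
    nets, vrf = {}, ""
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            vrf = ""  # each interface starts in the global table
        elif line.startswith(("vrf forwarding ", "ip vrf forwarding ")):
            vrf = line.split()[-1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()
            nets.setdefault(vrf, []).append(ipaddress.IPv4Interface(f"{ip}/{mask}").network)
    return nets


def unresolvable_vrf_routes(config):
    """VRF statics whose next-hop IP has no connected route in that VRF and no 'global'."""
    nets, findings = connected_networks(config), []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m or m.group(1) is None or m.group(5):
            continue  # not a static, a global-table static, or already 'global'
        vrf, nexthop = m.group(1), m.group(4)
        try:
            nh = ipaddress.IPv4Address(nexthop)
        except ipaddress.AddressValueError:
            continue  # interface next-hop: resolved by the interface, not the RIB
        if not any(nh in net for net in nets.get(vrf, [])):
            findings.append(line.strip())
    return findings
```

Running it over the "before" config flags the one VRF static route; the "after" config is clean.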