01-23-2014 09:18 AM - edited 03-04-2019 10:09 PM
Hi all,
I've been trying to get this to work, but it appears to be a bug of some sort.
I have two VRFs configured on a physical 1811 running (C181X-ADVIPSERVICESK9-M), Version 15.1(4)M6.
One is called "inside", facing the LAN, and one is called "outside", facing the WAN side. The two VRFs are connected via a GRE tunnel. F0 and Tu0 are part of "outside", and T1 and VL1 are part of "inside". Routing is working fine and I can ping 4.2.2.2; NATting is set up on the outside VRF and it's also working fine, I can access the internet etc.
Traffic flows this way in the outbound direction:
vlan 1--> Lo1 --> Tu 1 --> Tu0 --> Lo0 --> Fa0
and vice versa in the inbound direction.
Internet traffic works fine. I add inspection to Tu0 to create openings in the WAN ACL for traffic coming in the return direction, do "show ip inspect sessions", and it works fine; then I add the WAN ACL to Fa0, and it doesn't seem to work. Basically inspection (CBAC) and ACLs don't seem to work with VRFs.
I attached the config for reference.
Note: I'm doing this for QoS in the inbound direction, since VLAN interfaces don't take a QoS policy in the outbound direction, but that's irrelevant.
Any help would be appreciated!
Thanks,
Murad
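To make the mechanism in this post concrete, here is an added Python model of how stateful inspection on one interface creates dynamic openings in an inbound ACL on another interface in the same VRF. It is an illustration written for this thread, not IOS code and not the poster's configuration: the interface and VRF names follow the layout above, while the addresses, the inspection protocol list and the static ACL entry are constructed, and NAT is left out of the model. It shows the intended behaviour (outbound session on Tu0 opens the Fa0 ACL for the reply; an unsolicited packet is dropped; inspection in a different VRF opens nothing), not the failure reported here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple plus the VRF it is forwarded in."""
    vrf: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """What the reply packet of this flow looks like (same VRF, endpoints swapped)."""
        return Flow(self.vrf, self.proto, self.dst, self.dport, self.src, self.sport)


class InspectingRouter:
    """Minimal model: inspection on one interface, an inbound ACL on another."""

    def __init__(self, vrf_of, inspect_on, inspect_protocols, acl_on, static_permits):
        self.vrf_of = vrf_of                    # interface -> VRF it is bound to
        self.inspect_on = inspect_on            # interfaces with inspection applied inbound
        self.inspect_protocols = inspect_protocols
        self.acl_on = acl_on                    # interface carrying the inbound ACL (Fa0 above)
        self.static_permits = static_permits    # (proto, dport) pairs permitted statically
        self.sessions = set()                   # dynamic openings created by inspection

    def _acl_permits(self, flow: Flow) -> bool:
        # Static entries first, then a dynamic opening for the return
        # direction of a session that inspection has recorded.
        if (flow.proto, flow.dport) in self.static_permits:
            return True
        return flow.reverse() in self.sessions

    def forward(self, ingress: str, flow: Flow) -> str:
        """Process one packet arriving on `ingress`; returns 'permit' or 'deny'."""
        # A packet is always forwarded in the VRF of the interface it arrives on.
        if self.vrf_of[ingress] != flow.vrf:
            return "deny"
        if ingress == self.acl_on and not self._acl_permits(flow):
            return "deny"
        if ingress in self.inspect_on and flow.proto in self.inspect_protocols:
            # Inspection records the session so its reply can pass the ACL
            # on another interface of the same VRF.
            self.sessions.add(flow)
        return "permit"


def run_demo() -> dict:
    """Constructed scenario mirroring the thread's layout: inspection on Tu0, ACL on Fa0."""
    layout = {"Fa0": "outside", "Tu0": "outside", "Tu1": "inside", "Vlan1": "inside"}
    r = InspectingRouter(
        vrf_of=layout,
        inspect_on={"Tu0"},
        inspect_protocols={"tcp", "udp"},       # constructed inspection rule
        acl_on="Fa0",
        static_permits={("udp", 500)},          # constructed static entry (e.g. IKE)
    )
    # Constructed sample flows (documentation address ranges); NAT ignored.
    lan_to_web = Flow("outside", "tcp", "192.168.1.10", 40000, "198.51.100.5", 443)
    results = {
        "outbound": r.forward("Tu0", lan_to_web),              # permitted, session created
        "return": r.forward("Fa0", lan_to_web.reverse()),      # permitted via dynamic opening
        "unsolicited": r.forward(
            "Fa0", Flow("outside", "tcp", "203.0.113.9", 5555, "192.168.1.10", 445)),
        "static": r.forward(
            "Fa0", Flow("outside", "udp", "203.0.113.9", 500, "192.168.1.10", 500)),
    }
    # Same router, but inspection applied in the other VRF (Tu1, VRF inside):
    # the recorded session carries vrf=inside, so it never matches a reply
    # arriving on Fa0 in VRF outside.
    wrong = InspectingRouter(layout, {"Tu1"}, {"tcp", "udp"}, "Fa0", set())
    inside_flow = Flow("inside", "tcp", "192.168.1.10", 40001, "198.51.100.5", 443)
    wrong.forward("Tu1", inside_flow)
    results["wrong_vrf_inspection"] = wrong.forward("Fa0", Flow(
        "outside", "tcp", "198.51.100.5", 443, "192.168.1.10", 40001))
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22s} {verdict}")
```

The model keeps the session table keyed by VRF on purpose: an inspection entry is only useful to an ACL on an interface in the same VRF, which is the constraint behind applying both the inspection (Tu0) and the WAN ACL (Fa0) inside VRF "outside" in the design above.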
01-24-2014 01:14 AM
Hello, Murad.
Could you please provide a configuration that is not working (I mean configure and apply ACL, add inspection)?
01-24-2014 08:27 AM
Hello MikhailovskyVV,
Sorry, forgot:
interface Tunnel0
ip vrf forwarding outside
ip address 10.3.3.3 255.255.255.0
ip inspect INSPECTION in
ip nat inside
ip virtual-reassembly in
tunnel source Loopback0
tunnel destination 10.1.3.4
interface FastEthernet0
ip vrf forwarding outside
ip access-group Outside_IN in
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
I noticed that if I disable CEF things start working again, so could it be a software bug?
Cheers,
01-24-2014 12:05 PM
Hello, Murad.
Sorry, but I've never had such design.
You could try another IOS.
Btw, why do you run such a complicated configuration?
The router has two L3 interfaces, so it ought to be enough for any QoS design.
01-24-2014 12:49 PM
Hi Mikhailovsky,
Yes, it is a bit complex for what we're trying to achieve. It appears that ISR routers have a bit of a limitation: despite having more than one layer 3 interface, the VLAN interface does not accept a QoS policy in the outbound direction. Thus Cisco suggested creating two VRFs with a tunnel in between and applying the policy on the tunnel, thereby achieving QoS on traffic in the inbound direction for branch offices.
I'm thinking of trying it on an 891 instead of an 1811 and with a newer image and see if the issue persists.
Cheers,
Murad
01-25-2014 04:42 AM
Hello, Murad.
What is the issue if you put outbound QoS on F1 interface?
Could you provide a link where Cisco suggests building such a design to have simple outbound QoS?