vrf routing to isp/itsp problem

jchadtapp
Level 1

I am currently connecting a CallManager to a local firewall <192.168.1.x> to a Cisco 2801 (Eth0/0 at 69.x.x.x) to a T1 (S0/3/0) with two sub-interfaces, 500.1 (ISP private for SIP) and 500.2 (ISP connection to the public Internet). My problem is that Eth0 is set for VRF forwarding "internet" and all traffic goes to the 500.2 interface. I need traffic that goes to 172.30.16.x to go to 500.1. Is there a way to add a route that will do this? Any help is appreciated.

3 Replies

jchadtapp
Level 1

Here is the current config if that helps anyone diagnose the issue. I've replaced a few of the IP octets with Xs to keep some of it halfway confidential.

ip vrf internet
rd 1:1
route-target export 1:1
route-target import 1:1
!
!
ip subnet-zero
no ip source-route
no ip domain lookup
no cdp run
no ip finger
!
no ip http server
no ip http authentication timeout
no ip http timeout-policy
!
ip cef
!
ip classless
!
class-map match-any voice-traffic
match ip dscp ef
match protocol rtp
class-map match-any voice-signaling
match ip dscp af41
match protocol sip
!
policy-map llq-policy
class voice-traffic
  priority percent 90
  set ip dscp ef
class voice-signaling
  bandwidth percent 9
  set ip dscp af41
class class-default
  set ip dscp 0
  fair-queue
!
!
card type t1 0 1
!
network-clock-participate wic 1
network-clock-select 1 t1 0/0/0
!
controller t1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
!
!
!
interface Serial0/0/0:0
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
no cdp enable
no fair-queue
max-reserved-bandwidth 100
service-policy output llq-policy
no shutdown
!
interface Serial0/3/0:0.501 point-to-point
description => Internet via ISP
ip vrf forwarding internet
ip address 205.x.x.254 255.255.255.252
ip access-group NOSPOOF in
no cdp enable
frame-relay interface-dlci 501 IETF
no shutdown
!
interface Serial0/3/0:0.502 point-to-point
description => MPLS VPN via ISP
ip address 205.x.x.210 255.255.255.252
no cdp enable
frame-relay interface-dlci 502 IETF
no shutdown
!
!
interface FastEthernet0/0
description => To public interface of Internet firewall
ip vrf forwarding internet
ip address 169.130.x.x 255.255.255.240
no ip redirect
no ip directed-broadcast
no ip proxy-arp
speed auto
duplex auto
no shutdown
!
interface FastEthernet0/1
description => UNUSED
no ip redirect
no ip directed-broadcast
no ip proxy-arp
no ip address
speed auto
duplex auto
shutdown
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0.502
!
ip route vrf internet 0.0.0.0 0.0.0.0 Serial0/0/0:0.501
!
!no scheduler allocate
!
voice-card 0
!
voice service voip
fax protocol pass-through g711ulaw
modem passthrough nse codec g711ulaw
sip
  rel1xx disable
  bind control source-interface Serial0/0/0:0.502
  bind media source-interface Serial0/0/0:0.502
!


end
!
write mem
!

This appears to be more of a design issue.

Someone virtualized the router into two separate routing tables; a good thing when landing internet and private circuits on a single device.

Instead of trying to route Call Manager traffic in untrusted space, why not send it out a trusted path? Does the firewall have a trusted interface that can route to the WAN? Is there an L3 switch near the Call Manager that could serve as its L3 gateway? This would allow the L3 switch to route trusted (WAN) traffic appropriately and send Internet traffic to the firewall.


Chris

The config was basically given to me by the ITSP/ISP for use with their system, because they are providing both the SIP trunk and the Internet connection, so I'm not sure how I could control any of the design part short of telling it how to route.

I'm more of a LAN person, so the VRF part of the config somewhat eludes me. I'm at a point where I can ping the SIP trunk internally from the 2801, but not from any device behind the 2801.

Chris, can you please elaborate? I'm trying to get this to work without changing any actual wiring if possible, so config only.

Thanks
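Added example (not from the thread, the ISP, or Cisco documentation for this specific router): the symptom above, where the router itself can reach the SIP trunk but hosts behind Fa0/0 cannot, is what you get when the inbound interface sits in VRF "internet" and the only route for 172.30.16.x lives in the global table. On IOS VRF-lite you can leak a prefix between the two tables with static routes, one in each direction. Assumptions made here: a /24 mask for "172.30.16.x" (the post gives no mask); the sub-interface names from the interface blocks (Serial0/3/0:0.50x, whereas the posted static routes say Serial0/0/0:0.50x, so adjust to whichever name the box really has); that the "x" octets are the same redacted values as in the posted config, with "y" standing for the firewall's outside address on the Fa0/0 /28; and 172.30.16.1 as an arbitrary host to test against.

```ios
! Added example: VRF-to-global and global-to-VRF static route leaking.
! Assumptions (not from the thread): /24 mask for 172.30.16.x, the
! Serial0/3/0:0.50x names, redacted "x" octets as in the posted config,
! "y" = firewall outside address, 172.30.16.1 = any host on the trunk.
!
! 1. Traffic arriving on Fa0/0 (VRF internet) and destined for the SIP
!    trunk network leaves via the MPLS sub-interface, which is in the
!    global table. A point-to-point sub-interface needs no next hop.
ip route vrf internet 172.30.16.0 255.255.255.0 Serial0/3/0:0.502
!
!    Equivalent form with a next-hop address: the "global" keyword tells
!    the router to resolve the next hop in the global routing table.
!    ip route vrf internet 172.30.16.0 255.255.255.0 205.x.x.209 global
!
! 2. Return path: replies from 172.30.16.x come in on Serial0/3/0:0.502
!    in the global table, which otherwise has no route to the firewall's
!    public /28 (that subnet is connected only inside the VRF). Point a
!    global route at the VRF-facing interface; on a multi-access
!    interface give the next hop as well as the interface.
ip route 169.130.x.x 255.255.255.240 FastEthernet0/0 169.130.x.y
!
! 3. Verify on the router: the VRF lookup should now resolve to the
!    .502 sub-interface, the global lookup to Fa0/0, and a ping sourced
!    from the VRF side should succeed.
!    show ip route vrf internet 172.30.16.1
!    show ip cef vrf internet 172.30.16.1
!    show ip route 169.130.x.y
!    ping vrf internet 172.30.16.1 source FastEthernet0/0
```

Two things outside the router still have to line up for hosts behind the firewall to work: the ISP's MPLS side must have a return route for the firewall's public /28 (or whatever address the firewall presents) toward 205.x.x.210, and the firewall itself needs a route for 172.30.16.0/24 via the router's Fa0/0 address plus a policy permitting SIP and RTP to that network. The `ping vrf ... source FastEthernet0/0` test tells those two cases apart: if it succeeds but hosts behind the firewall still fail, the remaining problem is on the firewall, not the VRF leak.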
