Re: VRF with Vlan HSRP under Wan Side (BGP) on Cisco 9300

Xx20GaryL21xX · ‎08-22-2022

Hi Everyone,

BGP (Wan Site) is the production internet which are working properly now.

We would like to

setup Vlan HSRP with Primary and Secondary IP subnet on Vlan 172 route to Wan Site (BGP) on VRF
setup the static route interVlan 172 Primary and secondary IP subnet which able to ping with each other.

Please give any suggestion on it, if I'm incorrect on my configuration of static route and HSRP route to Wan site.

Thanks a lot.

Site A

BGP (WAN site)

interface GigabitEthernet1/1/1
description ISP-Core-SiteA_G1/1
no switchport
ip address 10.100.248.5 255.255.255.252
speed nonegotiate

interface GigabitEthernet2/1/1
description ISP-Core-SiteB_G2/4
no switchport
ip address 10.100.248.20 255.255.255.252
speed nonegotiate

interface Vlan221
ip address 221.126.192.100 255.255.255.240

router bgp 64990
bgp router-id 10.100.248.5
bgp log-neighbor-changes
bgp dampening 5 1900 2000 10

network 172.24.44.0 mask 255.255.255.192
network 221.126.192.100 mask 255.255.255.240
network 221.126.192.112 mask 255.255.255.240
neighbor 10.100.248.1 remote-as 65303
neighbor 10.100.248.1 route-map PRIORITY_REDIST out
neighbor 10.100.248.9 remote-as 65303
neighbor 10.100.248.9 route-map PRIORITY_REDIST out

ip access-list standard VL172
10 permit 172.24.33.0 0.0.0.63
20 permit 172.24.44.0 0.0.0.63
ip access-list standard VL221
10 permit 221.126.192.96 0.0.0.15
ip access-list standard VL222
10 permit 221.126.192.112 0.0.0.15

ip access-list standard 1
10 permit 221.126.192.96 0.0.0.15
20 permit 172.24.33.0 0.0.0.63
30 permit 172.24.44.0 0.0.0.63
40 deny any log
ip access-list standard 2
10 permit 221.126.192.96 0.0.0.15
20 deny any log
30 permit 221.126.192.112 0.0.0.15

route-map PRIORITY_REDIST permit 10
match ip address VL172

route-map PRIORITY_REDIST permit 20
match ip address VL221

route-map PRIORITY_REDIST permit 30
match ip address VL222
set as-path prepend 64990 64990

Static route intervlan 172 (Primary and Secondary IP subnet)

ip route 172.24.44.0 255.255.255.192 172.24.33.2

HSRP with VRF

ip route 172.24.33.0 255.255.255.192 221.126.192.100
ip route 172.24.44.0 255.255.255.192 221.126.192.100
ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.5
ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.20

int Vlan172
vrf forwarding PBL
ip address 172.24.44.2 255.255.255.192 secondary
ip address 172.24.33.2 255.255.255.192
standby 0 ip 172.24.33.3
standby 0 ip 172.24.44.3 secondary
standby 0 priority 120
standby 0 preempt
standby 0 track 1 decrement 20

interface GigabitEthernet1/1/1
description ISP-Core-SiteA_G1/1
vrf forwarding PBL
no switchport
ip address 10.100.248.5 255.255.255.252
speed nonegotiate

interface GigabitEthernet2/1/1
description ISP-Core-SiteB_G2/4
vrf forwarding PBL
no switchport
ip address 10.100.248.20 255.255.255.252
speed nonegotiate

Site B

BGP (WAN site)

interface GigabitEthernet1/1/1
description ISP-Core-SiteB_Gi2/6
no switchport
ip address 10.100.248.15 255.255.255.252
speed nonegotiate

interface GigabitEthernet2/1/1
description ISP-Core-SiteA_Gi1/2
no switchport
ip address 10.100.248.30 255.255.255.252
speed nonegotiate

interface Vlan222
ip address 221.126.192.112 255.255.255.240

router bgp 64990
bgp router-id 10.100.248.15
bgp log-neighbor-changes
bgp dampening 5 1900 2000 10
network 172.24.33.0 mask 255.255.255.192
network 172.24.44.0 mask 255.255.255.192
network 221.126.192.100 mask 255.255.255.240
network 221.126.192.112 mask 255.255.255.240
neighbor 10.100.248.5 remote-as 65303
neighbor 10.100.248.5 route-map PRIORITY_REDIST out
neighbor 10.100.248.13 remote-as 65303
neighbor 10.100.248.13 route-map PRIORITY_REDIST out

ip access-list standard VL172
10 permit 172.24.33.0 0.0.0.63
20 permit 172.24.44.0 0.0.0.63
ip access-list standard VL221
10 permit 221.126.192.96 0.0.0.15
ip access-list standard VL222
10 permit 221.126.192.112 0.0.0.15

ip access-list standard 1
10 permit 221.126.192.112 0.0.0.15
20 permit 172.24.33.0 0.0.0.63
30 permit 172.24.44.0 0.0.0.63
40 deny any log
ip access-list standard 2
10 permit 221.126.192.112 0.0.0.15
20 deny any log
30 permit 221.126.192.96 0.0.0.15

route-map PRIORITY_REDIST permit 10
match ip address VL172

route-map PRIORITY_REDIST permit 20
match ip address VL221

route-map PRIORITY_REDIST permit 30
match ip address VL222
set as-path prepend 64990 64990

Static route intervlan 172 (Primary and Secondary IP subnet)

ip route 172.24.44.0 255.255.255.192 172.24.33.62

HSRP with VRF

ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.15
ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.30
ip route 172.24.33.0 255.255.255.192 221.126.192.112
ip route 172.24.44.0 255.255.255.192 221.126.192.112

int Vlan 172
vrf forwarding PBL
ip address 172.24.44.62 255.255.255.192 secondary
ip address 172.24.33.62 255.255.255.192
standby 0 ip 172.24.33.3
standby 0 ip 172.24.44.3 secondary
standby 0 priority 120
standby 0 preempt
standby 0 track 1 decrement 20

interface GigabitEthernet1/1/1
description ISP-Core-SiteB_Gi2/6
vrf forwarding PBL
no switchport
ip address 10.100.248.15 255.255.255.252
speed nonegotiate

interface GigabitEthernet2/1/1
description ISP-Core-SiteA_Gi1/2
vrf forwarding PBL
no switchport
ip address 10.100.248.30 255.255.255.252
speed nonegotiate

MHM Cisco World · ‎08-24-2022

are the WAN and HSRP Peer in same VRF ? if not router can not forward traffic

Xx20GaryL21xX · ‎08-24-2022

Hi MHW,

We do not have VRF as Wan Site (BGP) setting upper sample when we setup the BGP setting.

The VRF would like to additional add on the New HSRP configuration and route to Wan site.

how to do the forward traffic as same VRF between Wan and HSRP peer?

We would like to keep it sample.

The Static route as route to Wan and intervlan 172, correct?

Do we set for these route for primary and secondary route as below:

ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.15
ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.30 20

Site A

Static route intervlan 172 (Primary and Secondary IP subnet)

ip route 172.24.44.0 255.255.255.192 172.24.33.2

HSRP with VRF

ip route 172.24.33.0 255.255.255.192 221.126.192.100
ip route 172.24.44.0 255.255.255.192 221.126.192.100
ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.5
ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.20

Site B

Static route intervlan 172 (Primary and Secondary IP subnet)

ip route 172.24.44.0 255.255.255.192 172.24.33.62

HSRP with VRF

ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.15
ip route vrf PBL 0.0.0.0 0.0.0.0 10.100.248.30
ip route 172.24.33.0 255.255.255.192 221.126.192.112
ip route 172.24.44.0 255.255.255.192 221.126.192.112

We would like to add it on BGP on same VRF name as following:

Site A

BGP (WAN site)

interface GigabitEthernet1/1/1
description ISP-Core-SiteA_G1/1

vrf fowarding PBL
no switchport
ip address 10.100.248.5 255.255.255.252
speed nonegotiate

interface GigabitEthernet2/1/1
description ISP-Core-SiteB_G2/4

vrf fowarding PBL
no switchport
ip address 10.100.248.20 255.255.255.252
speed nonegotiate

interface Vlan221
ip address 221.126.192.100 255.255.255.240

router bgp 64990
bgp router-id 10.100.248.5
bgp log-neighbor-changes
bgp dampening 5 1900 2000 10

address-family ipv4 vrf PBL

network 172.24.44.0 mask 255.255.255.192

network 221.126.192.100 mask 255.255.255.240
network 221.126.192.112 mask 255.255.255.240
neighbor 10.100.248.1 remote-as 65303
neighbor 10.100.248.1 route-map PRIORITY_REDIST out
neighbor 10.100.248.9 remote-as 65303
neighbor 10.100.248.9 route-map PRIORITY_REDIST out

ip access-list standard VL172
10 permit 172.24.33.0 0.0.0.63
20 permit 172.24.44.0 0.0.0.63
ip access-list standard VL221
10 permit 221.126.192.96 0.0.0.15
ip access-list standard VL222
10 permit 221.126.192.112 0.0.0.15

ip access-list standard 1
10 permit 221.126.192.96 0.0.0.15
20 permit 172.24.33.0 0.0.0.63
30 permit 172.24.44.0 0.0.0.63
40 deny any log
ip access-list standard 2
10 permit 221.126.192.96 0.0.0.15
20 deny any log
30 permit 221.126.192.112 0.0.0.15

route-map PRIORITY_REDIST permit 10
match ip address VL172

route-map PRIORITY_REDIST permit 20
match ip address VL221

route-map PRIORITY_REDIST permit 30
match ip address VL222
set as-path prepend 64990 64990

Site B

BGP (WAN site)

interface GigabitEthernet1/1/1
description ISP-Core-SiteB_Gi2/6
no switchport

vrf fowarding PBL
ip address 10.100.248.15 255.255.255.252
speed nonegotiate

interface GigabitEthernet2/1/1
description ISP-Core-SiteA_Gi1/2

vrf fowarding PBL
no switchport
ip address 10.100.248.30 255.255.255.252
speed nonegotiate

interface Vlan222
ip address 221.126.192.112 255.255.255.240

router bgp 64990
bgp router-id 10.100.248.15
bgp log-neighbor-changes
bgp dampening 5 1900 2000 10

address-family ipv4 vrf PBL
network 172.24.33.0 mask 255.255.255.192
network 172.24.44.0 mask 255.255.255.192
network 221.126.192.100 mask 255.255.255.240
network 221.126.192.112 mask 255.255.255.240
neighbor 10.100.248.5 remote-as 65303
neighbor 10.100.248.5 route-map PRIORITY_REDIST out
neighbor 10.100.248.13 remote-as 65303
neighbor 10.100.248.13 route-map PRIORITY_REDIST out

ip access-list standard VL172
10 permit 172.24.33.0 0.0.0.63
20 permit 172.24.44.0 0.0.0.63
ip access-list standard VL221
10 permit 221.126.192.96 0.0.0.15
ip access-list standard VL222
10 permit 221.126.192.112 0.0.0.15

ip access-list standard 1
10 permit 221.126.192.112 0.0.0.15
20 permit 172.24.33.0 0.0.0.63
30 permit 172.24.44.0 0.0.0.63
40 deny any log
ip access-list standard 2
10 permit 221.126.192.112 0.0.0.15
20 deny any log
30 permit 221.126.192.96 0.0.0.15

route-map PRIORITY_REDIST permit 10
match ip address VL172

route-map PRIORITY_REDIST permit 20
match ip address VL221

route-map PRIORITY_REDIST permit 30
match ip address VL222
set as-path prepend 64990 64990

Am I right?