Route leaking between Service VPN and Transport VPN (0)

lishengtao
Level 1

Scenario:

  - Service VPN connects to a LAN with a prefix which is routable on the underlay network (say MPLS VPN)
  - NAT on the VPN 0 uplink interface (facing MPLS) is not enabled
  - eBGP peering is established over the uplink and is exchanging routes properly

I tested a centralized control-policy as shown below and applied it, and did not see routes imported from vpn1 to vpn0.

vsmart1# show running-config policy
policy
 lists
  site-list site122
   site-id 122
  !
  vpn-list vpn0
   vpn 0
  !
  vpn-list vpn1
   vpn 1
  !
 !
 control-policy import-vpn1-to-vpn0
  sequence 10
   match route
    vpn-list vpn1
   !
   action accept
    export-to vpn-list vpn0
   !
  !
  default-action accept
 !
!

 

The above config is based on the example at https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.3/04Segmentation/03Segmentation_(VPN)_Configuration_Examples.

 

Question: Am I missing anything? Or is route leaking between VPN 0 and a service VPN supported without NAT enabled on the uplink?

 

Thanks!

Shen

 

7 Replies

ekhabaro
Cisco Employee
You can't leak routes between the service side and the transport side (VPN 0). export-to is intended for route leaking between service VPNs.

Thanks for the quick clarification.
In the above scenario, since 1:1 NAT is not supported on the transport VPN, port forwarding seems to be the only option to allow the external network to access the server on the LAN, correct? Is there any other option?
Thanks!

Accepted solution:

Looks like it; for vEdge this is the only option. But maybe we can take a look at this issue from another angle? What is the actual requirement?

Thanks again for the clarification! 

Hi,

So is there a way to leak routes between a service VPN and VPN 0 (MPLS) on a vEdge?

Thanks

Old response, but you can NAT on the transport interface, then use a centralised policy which matches the source -> destination prefixes you want to route out to global and set the action to route to the NAT VPN. Ensure you have a route at your site, like a default, to get to the vEdge; the rest of the routing should take care of itself with the PAT NAT.
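As an added example (not from the original thread, and not Cisco's documentation), here is the shape of the two workarounds the replies describe for a vEdge: NAT enabled on the VPN 0 interface facing MPLS with a port-forward for inbound access to the LAN server (the option raised in the accepted answer), and a vSmart centralized data policy that sends selected VPN 1 traffic out through that NAT instead of leaking routes (the last reply). Site ID, interface, addresses, prefixes and list names are all constructed; the command syntax is vEdge/vSmart CLI as I know it and should be checked against the release in use.

```cisco
! ---- vEdge at site 122: enable NAT on the MPLS-facing transport interface ----
! Added example, not from the thread. All names and addresses are constructed.
vpn 0
 interface ge0/0
  description MPLS-uplink
  ip address 192.0.2.2/30
  nat
   ! Inbound path: TCP/443 arriving on 192.0.2.2 is forwarded to the LAN
   ! server 10.1.1.10 in service VPN 1. Every host that can reach 192.0.2.2
   ! across the MPLS VPN can now reach that port, so pair this with an
   ! inbound access-list on ge0/0 that only admits the expected sources.
   port-forward port-start 443 port-end 443 proto tcp private-ip-address 10.1.1.10 private-vpn 1
  !
  no shutdown
 !
!

! ---- vSmart: centralized data policy steering VPN 1 -> MPLS traffic into the VPN 0 NAT ----
policy
 lists
  site-list site122
   site-id 122
  !
  vpn-list vpn1
   vpn 1
  !
  data-prefix-list lan-server
   ip-prefix 10.1.1.0/24
  !
  data-prefix-list mpls-destinations
   ip-prefix 172.16.0.0/12
  !
 !
 data-policy vpn1-to-mpls-via-nat
  vpn-list vpn1
   sequence 10
    match
     source-data-prefix-list lan-server
     destination-data-prefix-list mpls-destinations
    !
    action accept
     ! Source-NAT to the ge0/0 address and forward directly into the underlay.
     ! Return traffic is matched by the NAT state, so no VPN 1 <-> VPN 0
     ! route leak is needed; only the matched prefixes get this treatment.
     nat use-vpn 0
    !
   !
   default-action accept
  !
 !
 apply-policy
  site-list site122
   data-policy vpn1-to-mpls-via-nat from-service
  !
 !
!
```

Two things to keep in mind when using this. The data policy only gives the LAN outbound reachability (the MPLS side sees the transport address, so nothing on the far side needs a route to 10.1.1.0/24), while the port-forward is what provides inbound reachability, and it is limited to the ports you explicitly forward. As the last reply notes, the LAN still needs a route, typically a default, towards the vEdge in VPN 1, and the eBGP peering in VPN 0 already takes care of the MPLS side knowing how to reach 192.0.2.2.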