Hello @a.aljiledi ,

you cannot achieve inter VRF routing at host level with standard methods of playing with route targets.

A solution that is a workaround is to have a routed link with one side in vrf VLAN888 and one side in VRF Vlan777.

This link has to use a subnet not used anywhere

interface gi1/0/1

descrption inter VRF link

no switchport

vrf forwarding VLAN888

ip address 10.88.77.1 255.255.255.252

int gi1/0/2

description inter VRF link 777 to 888

no switchport

vrf forwarding VLAN777

ip address 10.88.77.2 255.255.255.2

access-list 120 remark ACL forPBR VRF VLAN888

access-list 120 permit ip host 80.80.80.100 host 70.70.70.100

access-list 121 remark ACL for PBR VRF VLAN777

access-list 121 permit ip host 70.70.70.100 host 80.808.80.100

PBR works in in rx direction

route-map PBR-VLAN888

match address 120

set ip next-hop 10.88.77.2

route-map PBR-VLAN777

match address 121

set ip next-hop 10.88.77.1

interface Vlan888

ip policy route-map PBR-VLAN888

interface Vlan777

ip policy route-map PBR-VLAN777

This configuratiion works if the two SVI intwrfaces are the default gateways for the hosts in their respective subnets.,

the two L3 ports need to be cabled with a wire.

Hope to help

Giuseppe

This is not work for me::

interface Vlan777
ip vrf forwarding VLAN777
ip address 70.70.70.1 255.255.255.0
ip policy route-map PBR-Test1
!
interface Vlan888
ip vrf forwarding VLAN888
ip address 80.80.80.1 255.255.255.0
ip policy route-map PBR-Test2
!
interface Vlan2020
ip address 20.20.20.1 255.255.255.0
!
interface Vlan3030
ip address 30.30.30.1 255.255.255.0
!
!
!
ip access-list extended Test1
10 permit ip host 70.70.70.20 host 80.80.80.20
ip access-list extended Test2
10 permit ip host 80.80.80.20 host 70.70.70.20
!
!
route-map PBR-Test2 permit 11
match ip address Test2
set ip next-hop 30.30.30.1
!
route-map PBR-Test1 permit 10
match ip address Test1
set ip next-hop 20.20.20.1

Also, I have tried to add these routes on global but still not working

ip route 70.70.70.0 255.255.255.0 Vlan777
ip route 80.80.80.0 255.255.255.0 Vlan888

i tried the same scenario on Cisco Nexus by just adding a loopback interface and create a static route on each VRF and loopback interface IP as a next hop ,,, it is works on nexus...

'Hello @a.aljiledi ,

can you provide more details on your Nexus configuration ?

is the loopback in Global routing table or in a VRF ?

Thanks in advance

Best Regards

Giuseppe

Hello @a.aljiledi ,

it cannot work because

SVI VLAN 2020 and SVI Vlan 3030 are not members of the two VRFs you would like to make to communicate so this is wrong in theory and practice.

In addition the two SVI are using different IP subnets. This is another problem you need a common subnet to have valid next-hops you cannot "jump" without a common ground ...

of course even using SVIs you stiil need to cable with a wire an access port in VLAN2020 to an access port in VLAN 3030

>>

Also, I have tried to add these routes on global but still not working

ip route 70.70.70.0 255.255.255.0 Vlan777
ip route 80.80.80.0 255.255.255.0 Vlan888

You are lucky they didn't work otherwise you would have bypassed your firewall for all hosts in the two subnets.

Try to implement following my suggestions on my previuos post in this thread.

I know it is a dumb solution that it is not scalable but it should work.

Hope to help

Giuseppe

Hello

---

@a.aljiledi wrote:

Example::

 

i need a host from vlan888 80.80.80.100 to access 70.70.70.100 without routing it to the firewall....

 

interface Vlan777
ip vrf forwarding VLAN777
ip address 70.70.70.1 255.255.255.0
!
interface Vlan888
ip vrf forwarding VLAN888
ip address 80.80.80.1 255.255.255.0

---

Try the following
ip route 70.70.70.0 255.255.255.0 Vlan777 < for global rib entry
ip route 80.80.80. 255.255.255.0 Vlan888  < for global rib entry
ip route vrf 777 80.80.80.100  255.255.255.255 80.80.80.100  global < for global vrf entry
ip route vrf 888 70.70.70.100  255.255.255.255 70.70.70.100  global < for global vrf entry