setting up vrf in router 2911 and distribution switch 3560G catalyst

I have 50 Mbps from the ISP and I want to split it into 5 clients, each 10 Mbps, from the router to the distribution switch Catalyst 3560G via VLAN.

int gig0/0 - ISP
int gig0/1 - to port 22 on SwitchCore under vlan 5
int gig0/1.10 - Client-2
int gig0/1.11 - Client-1

I can't get out to the internet.

What config did I miss?

=================================

I configured it this way on R1:

!
ip vrf Client-1
 rd 11.11.11.5:11
!
ip vrf Client-2
 rd 11.11.11.1:10
!
______________________________
!
interface GigabitEthernet0/0
 description *** ISP PiPe ***
 ip address 125.212.50.54 255.255.255.252
 duplex full
 speed auto
!
interface GigabitEthernet0/1
 description *** LAN PiPe ***
 ip address 121.97.65.61 255.255.255.240
 duplex full
 speed 1000
!
interface GigabitEthernet0/1.10
 description Client-2
 bandwidth 10000
 encapsulation dot1Q 10
 ip vrf forwarding Client-2
 ip address 11.11.11.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 rate-limit input 10000000 3750000 3750000 conform-action transmit exceed-action drop
 rate-limit output 10000000 3750000 3750000 conform-action transmit exceed-action drop
 no cdp enable
!
interface GigabitEthernet0/1.11
 description Client-1
 bandwidth 10000
 encapsulation dot1Q 11
 ip vrf forwarding Client-1
 ip address 11.11.11.5 255.255.255.252
 no ip redirects
 no ip proxy-arp
 rate-limit input 10000000 3750000 3750000 conform-action transmit exceed-action drop
 rate-limit output 10000000 3750000 3750000 conform-action transmit exceed-action drop
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 125.212.50.53

==================================================

I configured it this way on the Catalyst 3560G (this switch already exists on the network; I just use it to make the most of the equipment):

SwitchCore#show run
Building configuration...

Current configuration : 8467 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SwitchCore
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone CST 8
system mtu routing 1500
vtp mode transparent
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name mydomain.com
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1,99-114,200-210 priority 24576
!
vlan internal allocation policy ascending
!
vlan 5
 name ISP PiPe
!
vlan 10
 name Client-2
!
vlan 11
 name Client-1
!
vlan 99
 name vlan-name
!
vlan 100
 name vlan-name
!
vlan 200
 name vlan-name
!
interface GigabitEthernet0/19
 description *** Client-1 ***
 switchport access vlan 11
 switchport mode access
!
interface GigabitEthernet0/20
 description *** Client-2 ***
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/22
 description *** ISP PiPe ***
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan5
 description Connected-From-R1_ISP_PiPe
 ip address 121.97.65.62 255.255.255.240
!
interface Vlan10
 description Client-2
 ip address 11.11.11.1 255.255.255.252
!
interface Vlan11
 description Client-1
 ip address 11.11.11.5 255.255.255.252
!
interface Vlan99
 description *** vlan-name ***
 ip address 192.168.99.2 255.255.255.0
!
interface Vlan100
 description *** vlan-name ***
 ip address 10.10.2.2 255.255.255.128
!
interface Vlan200
 description *** vlan-name ***
 ip address 10.10.0.3 255.255.254.0
!
ip default-gateway 192.168.1.1
ip classless
ip route 10.10.0.0 255.255.254.0 192.168.1.1
ip route 11.11.0.0 255.255.254.0 121.97.65.161
no ip http server

5 Accepted Solutions

Bilal Nawaz
VIP Alumni

Hello, there are no default routes for your VRFs.
If you do show ip route vrf Client-1 and the same for 2, I do not think you will see the default route. You need to tell the VRF to use the global routing table.
E.g. ip route vrf Client-1 0.0.0.0 0.0.0.0 x.x.x.x global

I also noted duplicate IPs on the router and the switch. Is this correct? Is there a trunk from the switch to the router?

You do not need ip default-gateway on the switch. Because it has more than 1 SVI you need to set the static default route instead, like ip route 0.0.0.0 0.0.0.0 x.x.x.x

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


I think I've come up with a solution for you. We'll have to use VRFs if you want overlapping addresses. I'll try to demonstrate with this example here:

Here I have switch 1 where my clients are connected - I am only showing a PC that is client 1 with an IP of 11.11.11.100.

It has a default gateway of the VRF, which is 11.11.11.1 on R1.

I am doing 'router on a stick' - this involves creating sub-interfaces on the router with the correct encapsulation and a trunk being configured on SW1.

Wherever my clients are connected I just have to put them in the right VLAN.

Let's say the client is connected to SW1 on fa1/11.

The configuration would be:

interface fa1/11
 switchport
 switchport mode access
 switchport access vlan 1

Just a simple access port. Please NOTE: I have not configured any addresses on the switch! It's only doing my Layer 2. I'll leave all the hard work for the router to do - routers are built to route :-)

Here is the configuration of SW1:

hostname SW1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description UPLINK TO R1
 switchport trunk allowed vlan 1-5,1002-1005
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
 description CLIENT-1
 switchport
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet1/12
 description CLIENT-2
 switchport
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet1/13
 description CLIENT-3
 switchport
 switchport mode access
 switchport access vlan 3
!
interface FastEthernet1/14
 description CLIENT-4
 switchport
 switchport mode access
 switchport access vlan 4
!
interface FastEthernet1/15
 description CLIENT-5
 switchport
 switchport mode access
 switchport access vlan 5

SW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/11
2    VLAN0002                         active    Fa1/12
3    VLAN0003                         active    Fa1/13
4    VLAN0004                         active    Fa1/14
5    VLAN0005                         active    Fa1/15

Just a simple config with my layer 2 in place. No routes needed, no SVI interfaces needed.

Let's go over to R1 where the VRF magic happens.

R1#show run
Building configuration...

Current configuration : 2387 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip vrf client-1
 rd 1:11
!
ip vrf client-2
 rd 2:22
!
ip vrf client-3
 rd 3:33
!
ip vrf client-4
 rd 4:44
!
ip vrf client-5
 rd 5:55
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
 ip address 125.212.50.54 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.11
 encapsulation dot1Q 1 native
 ip vrf forwarding client-1
 ip address 11.11.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop
 rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1.22
 encapsulation dot1Q 2
 ip vrf forwarding client-2
 ip address 22.22.22.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop
 rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1.33
 encapsulation dot1Q 3
 ip vrf forwarding client-3
 ip address 33.33.33.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop
 rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1.44
 encapsulation dot1Q 4
 ip vrf forwarding client-4
 ip address 44.44.44.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop
 rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1.55
 encapsulation dot1Q 5
 ip vrf forwarding client-5
 ip address 55.55.55.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop
 rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 125.212.50.53
ip route vrf client-1 0.0.0.0 0.0.0.0 125.212.50.53 global
ip route vrf client-2 0.0.0.0 0.0.0.0 125.212.50.53 global
ip route vrf client-3 0.0.0.0 0.0.0.0 125.212.50.53 global
ip route vrf client-4 0.0.0.0 0.0.0.0 125.212.50.53 global
ip route vrf client-5 0.0.0.0 0.0.0.0 125.212.50.53 global
!
ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-1 overload
ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-2 overload
ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-3 overload
ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-4 overload
ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-5 overload
!
ip access-list extended MY_NAT
 permit ip any any

This configuration will allow you to have a default route to the global routing table and be allowed to route out towards the internet. It's important to remember NAT, and I have included the relevant configuration for NAT for all of your VRFs.

GLOBAL ROUTING TABLE:

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 125.212.50.53 to network 0.0.0.0

     125.0.0.0/30 is subnetted, 1 subnets
C       125.212.50.52 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 125.212.50.53

VRF ROUTING TABLE FOR CLIENT-1

R1#show ip route vrf client-1

Routing Table: client-1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 125.212.50.53 to network 0.0.0.0

     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, FastEthernet0/1.11
S*   0.0.0.0/0 [1/0] via 125.212.50.53

As you can see, the default route has been introduced to the routing table. I want to try and ping outbound from this VRF just to see if I can get to that 100.0.0.1 address out in the internet...

R1#ping vrf client-1 100.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms
R1#
*Mar  1 00:43:18.795: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [15]
*Mar  1 00:43:18.811: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [15]
*Mar  1 00:43:18.815: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [16]
*Mar  1 00:43:18.831: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [16]
*Mar  1 00:43:18.831: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [17]
*Mar  1 00:43:18.851: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [17]
*Mar  1 00:43:18.855: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [18]
*Mar  1 00:43:18.875: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [18]
*Mar  1 00:43:18.879: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [19]
*Mar  1 00:43:18.891: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [19]

As you can see, the ping was successful and NAT took place and correctly translated the VRF's address. Let's look at it from the INTERNET router's perspective. This time I'll try to ping the 10.0.0.1 address from the client.

INTERNET#
*Mar  1 01:32:05.239: IP: tableid=0, s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1 (Loopback1), routed via RIB
*Mar  1 01:32:05.239: IP: s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1, len 100, rcvd 4
*Mar  1 01:32:05.243: IP: tableid=0, s=10.0.0.1 (local), d=125.212.50.54 (FastEthernet0/0), routed via FIB
*Mar  1 01:32:05.243: IP: s=10.0.0.1 (local), d=125.212.50.54 (FastEthernet0/0), len 100, sending
*Mar  1 01:32:05.263: IP: tableid=0, s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1 (Loopback1), routed via RIB
*Mar  1 01:32:05.263: IP: s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1, len 100, rcvd 4
*Mar  1 01:32:05.263: IP: tableid=0, s=10.0.0.1 (local), d=125.212.50.54 (FastEthernet0/0), routed via FIB
*Mar  1 01:32:05.267: IP: s=10.0.0.1 (local), d=125.212.50.54 (FastEthernet0/0), len 100, sending
*Mar  1 01:32:05.307: IP: tableid=0, s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1 (Loopback1), routed via RIB
*Mar  1 01:32:05.307: IP: s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1, len 100, rcvd 4

So the INTERNET router sees the NAT traffic from 125.212.50.54, which is good, because it will reply back to our WAN address - we are able to ping the 10.0.0.1 address successfully.

When I try to ping from client 1 to client 2, I have no route to get to it and it should fail, so I'll test this:

R1#ping vrf client-1 22.22.22.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#
*Mar  1 00:58:17.819: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [25]
*Mar  1 00:58:17.839: NAT: s=125.212.50.53, d=125.212.50.54->11.11.11.1 [17]
*Mar  1 00:58:17.843: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [26]
*Mar  1 00:58:19.839: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [27]
*Mar  1 00:58:19.855: NAT: s=125.212.50.53, d=125.212.50.54->11.11.11.1 [18]
*Mar  1 00:58:19.855: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [28]
*Mar  1 00:58:21.855: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [29]
*Mar  1 00:58:21.887: NAT: s=125.212.50.53, d=125.212.50.54->11.11.11.1 [19]

It tries to use the default route, which is why we see the NAT attempts, but it will not be able to get there, so it fails!

So in summary:

  1. your clients should have the default gateway of the VRF address
  2. you need to have a trunk from your switch to the router instead of a routed interface or access port
  3. make sure that the SVIs for these client VLANs do not exist on the switch (for the client VLANs, the switch should only be layer 2)!
  4. simple access port required for clients - just like your config too
  5. ensure a default route exists within the routing table
  6. create the routes for your VRFs pointing to the global routing table
  7. create the ACL for NAT and the NAT statements to correctly NAT outbound traffic

Quite a bit to take in - if you have any questions about this, I'll be happy to help!

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Message was edited by: Bilal Nawaz

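As an added example (my own Python, not code posted in this thread), here is a small checker that parses IOS config text the way it appears above and reports the gaps Bilal lists in his first reply and in the summary: VRFs with no default route into the global table, VRFs with no NAT overload statement, client-VLAN SVIs left on the switch, and a missing trunk towards the router. The four config snippets are cut down from the thread's own configs; names such as check_design are mine, and the parser only understands the handful of commands this design uses, so it is a sanity check for this layout rather than a general IOS parser.

```python
import re

# Cut-down versions of the two designs in this thread (taken from the configs
# posted above and trimmed to the commands the checker understands).
BROKEN_ROUTER = """
ip vrf Client-1
ip vrf Client-2
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding Client-2
interface GigabitEthernet0/1.11
 encapsulation dot1Q 11
 ip vrf forwarding Client-1
ip route 0.0.0.0 0.0.0.0 125.212.50.53
"""
BROKEN_SWITCH = """
interface GigabitEthernet0/22
 switchport access vlan 5
 switchport mode access
interface Vlan10
 ip address 11.11.11.1 255.255.255.252
interface Vlan11
 ip address 11.11.11.5 255.255.255.252
"""
FIXED_ROUTER = """
ip vrf client-1
ip vrf client-2
interface FastEthernet0/1.11
 encapsulation dot1Q 1 native
 ip vrf forwarding client-1
interface FastEthernet0/1.22
 encapsulation dot1Q 2
 ip vrf forwarding client-2
ip route 0.0.0.0 0.0.0.0 125.212.50.53
ip route vrf client-1 0.0.0.0 0.0.0.0 125.212.50.53 global
ip route vrf client-2 0.0.0.0 0.0.0.0 125.212.50.53 global
ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-1 overload
ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-2 overload
"""
FIXED_SWITCH = """
interface FastEthernet1/0
 switchport mode trunk
interface FastEthernet1/11
 switchport access vlan 1
interface FastEthernet1/12
 switchport access vlan 2
"""

def _lines(config):
    """Yield config lines with indentation, blanks and '!' separators dropped."""
    for raw in config.splitlines():
        line = raw.strip()
        if line and line != "!":
            yield line

def parse_router(config):
    """VRF names, VRF default routes, per-VRF NAT, and sub-interface VLAN -> VRF."""
    f = {"vrfs": set(), "vrf_default": set(), "nat_vrfs": set(),
         "global_default": False, "vlan_to_vrf": {}}
    cur = {}  # vlan / vrf seen on the sub-interface currently being read
    for line in _lines(config):
        if re.fullmatch(r"interface \S+", line):
            cur = {}
        elif m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
            cur["vrf"] = m.group(1)
        elif m := re.fullmatch(r"encapsulation dot1[qQ] (\d+)(?: native)?", line):
            cur["vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"ip vrf (\S+)", line):
            f["vrfs"].add(m.group(1))
        elif m := re.fullmatch(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ global", line):
            f["vrf_default"].add(m.group(1))
        elif re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            f["global_default"] = True
        elif m := re.fullmatch(r"ip nat inside source list \S+ interface \S+ vrf (\S+) overload", line):
            f["nat_vrfs"].add(m.group(1))
        if "vrf" in cur and "vlan" in cur:
            f["vlan_to_vrf"][cur["vlan"]] = cur["vrf"]
    return f

def parse_switch(config):
    """SVIs that carry an address, trunk ports, and access VLANs in use."""
    f = {"svi_vlans": set(), "trunks": set(), "access_vlans": set()}
    cur = None
    for line in _lines(config):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = m.group(1)
        elif re.fullmatch(r"ip address \S+ \S+", line) and cur and cur.lower().startswith("vlan"):
            f["svi_vlans"].add(int(cur[4:]))
        elif line == "switchport mode trunk" and cur:
            f["trunks"].add(cur)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            f["access_vlans"].add(int(m.group(1)))
    return f

def check_design(router_cfg, switch_cfg):
    """Report the gaps Bilal's reply and summary call out, in a stable order."""
    r, s = parse_router(router_cfg), parse_switch(switch_cfg)
    out = []
    if not r["global_default"]:
        out.append("router: no global default route")
    for vrf in sorted(r["vrfs"]):
        if vrf not in r["vrf_default"]:
            out.append(f"router: VRF {vrf} has no default route pointing to global")
        if vrf not in r["nat_vrfs"]:
            out.append(f"router: VRF {vrf} has no NAT overload statement")
    client_vlans = set(r["vlan_to_vrf"])
    for vlan in sorted(client_vlans & s["svi_vlans"]):
        out.append(f"switch: SVI Vlan{vlan} still exists for client VLAN {vlan}")
    if not s["trunks"]:
        out.append("switch: no trunk port towards the router")
    return out

if __name__ == "__main__":
    print(check_design(BROKEN_ROUTER, BROKEN_SWITCH))  # seven findings
    print(check_design(FIXED_ROUTER, FIXED_SWITCH))    # []
```

Run against the original design it lists the two VRFs twice each (no `global` default route, no NAT), the two client SVIs on the switch and the missing trunk; the proposed design comes back clean. The same parse can be pointed at a saved `show run` before a change window to catch a VRF that was added without its route and NAT lines.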

Hello - I'm glad that the solution worked for you! I was unsure if I explained well enough, but it seems as though you got the hang of the method!

You can try to police the traffic instead of rate-limiting on the sub-interfaces.

E.g. at the moment we have this:

interface FastEthernet0/1.11
 encapsulation dot1Q 1 native
 ip vrf forwarding client-1
 ip address 11.11.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop
 rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop

So what we can do instead is this:

conf t
!
ip access-list extended LIMIT_10MB
 permit ip any any
!
class-map match-any LIMIT_10MB
 match access-group name LIMIT_10MB
!
policy-map LIMIT_10MB
 class LIMIT_10MB
  police 10000000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1.11
 no rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop
 no rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop
 service-policy input LIMIT_10MB
 service-policy output LIMIT_10MB

In your case the interfaces are different. Then save the config and test your speed again.

This will police all your traffic to 9.765625 Mbits.

Hope this helps.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

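To see what `police 10000000 conform-action transmit exceed-action drop` does to a flow, here is an added simulation (my own Python, not from the thread) of the single-rate token bucket that both the CAR rate-limit lines and the MQC police command are built on. The CIR is the thread's 10 Mbps and the 5000-byte burst is taken from the rate-limit lines above; the offered traffic pattern is constructed, and CAR's extended burst and the default burst MQC picks when the police command gives none are not modelled (an assumption made to keep the example small).

```python
class Policer:
    """Single-rate token bucket: tokens are bytes, refilled at CIR bits/s,
    capped at the burst size Bc.  A packet conforms if enough tokens exist."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps, self.bc_bytes = cir_bps, bc_bytes
        self.tokens, self.last_us, self.carry = bc_bytes, 0, 0  # bucket starts full

    def offer(self, t_us, size_bytes):
        """Return 'conform' or 'exceed' for a packet of size_bytes arriving at t_us."""
        # Exact integer refill: bits*us accrued since the last packet, divided by
        # 8 bits/byte * 1e6 us/s; the remainder is carried so rounding never
        # leaks or steals bandwidth over a long run.
        num = self.cir_bps * (t_us - self.last_us) + self.carry
        added, self.carry = divmod(num, 8_000_000)
        self.tokens = min(self.bc_bytes, self.tokens + added)
        self.last_us = t_us
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"  # exceed-action drop: nothing is queued


def simulate(cir_bps, bc_bytes, pkt_bytes, interval_us, duration_us):
    """Offer fixed-size packets at a fixed interval and report what got through."""
    p = Policer(cir_bps, bc_bytes)
    conform = exceed = 0
    for t_us in range(0, duration_us, interval_us):
        if p.offer(t_us, pkt_bytes) == "conform":
            conform += 1
        else:
            exceed += 1
    delivered_bps = conform * pkt_bytes * 8 * 1_000_000 // duration_us
    return {"conform": conform, "exceed": exceed, "delivered_bps": delivered_bps}


if __name__ == "__main__":
    # 20 Mbps offered (1250-byte packets every 500 us) against the 10 Mbps policer
    print(simulate(10_000_000, 5000, 1250, 500, 1_000_000))
    # 8 Mbps offered (same packets every 1250 us): everything conforms
    print(simulate(10_000_000, 5000, 1250, 1250, 1_000_000))
```

Over a one-second window the policer lets through the CIR plus one initial bucket's worth, here 10.03 Mbps of a 20 Mbps offered load, and drops the rest outright; because nothing is queued, TCP senders see loss and back off, which is why policing rather than shaping is the cheap choice on a sub-interface. Whatever burst value the thread's `police` command ends up with only changes the size of that initial burst, not the sustained rate.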

Hello,

1) Leave it as it is; the config is additional config!

2) You can limit on each sub-interface as I suggested in my post with these commands below:

conf t
!
interface fa0/1.11
 service-policy input LIMIT_10MB
 service-policy output LIMIT_10MB
!
interface fa0/1.22
 service-policy input LIMIT_10MB
 service-policy output LIMIT_10MB

3) If your interface fa0/1.33 is only 2 Mbps then you can do this:

conf t
!
ip access-list extended LIMIT_2MB
 permit ip any any
!
class-map match-any LIMIT_2MB
 match access-group name LIMIT_2MB
!
policy-map LIMIT_2MB
 class LIMIT_2MB
  police 2000000 conform-action transmit exceed-action drop
!
interface fa0/1.33
 service-policy input LIMIT_2MB
 service-policy output LIMIT_2MB

===============================================================================

Your config will look like this:

################ LEAVE ACLs AS THEY ARE - THEY'RE LIKE THIS FOR FUTURE REQUIREMENTS
ip access-list extended LIMIT_10MB
 permit ip any any
ip access-list extended LIMIT_2MB
 permit ip any any
ip access-list extended MY_NAT
 permit ip any any
############################################################

################ TO LIMIT TO 2 MB
class-map match-any LIMIT_2MB
 match access-group name LIMIT_2MB
!
policy-map LIMIT_2MB
 class LIMIT_2MB
  police 2000000 conform-action transmit exceed-action drop
!
############################################################

################ TO LIMIT TO 10 MB
class-map match-any LIMIT_10MB
 match access-group name LIMIT_10MB
!
policy-map LIMIT_10MB
 class LIMIT_10MB
  police 10000000 conform-action transmit exceed-action drop
############################################################

################ APPLY SERVICE POLICY TO INTERFACES
interface fa0/1.11
 service-policy input LIMIT_10MB
 service-policy output LIMIT_10MB
!
interface fa0/1.22
 service-policy input LIMIT_10MB
 service-policy output LIMIT_10MB
!
interface fa0/1.33
 service-policy input LIMIT_2MB
 service-policy output LIMIT_2MB

And this should be it. I hope this is more clear for you. Just remember to take out the rate-limit commands as they aren't doing much for you.

Hope this helps

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


Hello,

I created MY_NAT for your NAT statements only.

I created LIMIT_10MB specifically for your 10MB limit policy.

I created LIMIT_2MB specifically for your 2MB limit policy.

These are separate ACLs used for different things. The NAT statement should be:

ip nat inside source list MY_NAT interface GigabitEthernet0/0 vrf Client-1 overload

It is only to make it visibly clear and more defined as to what the access lists are used for, hence the names I used:

MY_NAT is for NAT

LIMIT_10MB is for limiting to 10MB in the service policy, etc.

Hope this makes things clear.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


14 Replies


Thanks Bilal,

By the way, here are my answers to your questions:

E.g. Ip route vrf Client-1 0.0.0.0 0.0.0.0 x.x.x.x global

answer: ip route vrf Client-1 0.0.0.0 0.0.0.0 121.97.65.61 global

Is it this way, with the word global at the end?

______

and also noted duplicate IPs on the router and the switch. Is this correct?

answer:

router port:

interface GigabitEthernet0/1
 description *** LAN PiPe ***
 ip address 121.97.65.61 255.255.255.240

switch port:

interface GigabitEthernet0/22
 description *** ISP PiPe ***
 switchport access vlan 5
 switchport mode access

interface Vlan5
 description Connected-From-R1_ISP_PiPe
 ip address 121.97.65.62 255.255.255.240

They have different IPs: .61 on the router and .62 on the switch.

____

Is there a trunk from the switch to the router?

answer:

Switch:

interface GigabitEthernet0/22
 description *** ISP PiPe ***
 switchport access vlan 5
 switchport mode access

Router:

interface GigabitEthernet0/1
 description *** LAN PiPe ***
 ip address 121.97.65.61 255.255.255.240

________

You do not need ip default-gateway on the switch. Because it has more than 1 svi you need to set the static default route instead like ip route 0.0.0.0 0.0.0.0 x.x.x.x

answer:

This is an existing switch, and I'm afraid to change it.

It seems like you may be trying to implement two different solutions. One is router on a stick. The other is just simple routing. Was there a specific reason for using the VRFs? We could make it really easy for ourselves without the use of VRFs :-)

If I get this straight, you have two clients - you want to limit their bandwidth. And you don't want them to be able to talk to each other?

I assume this is the reason for the VRF? If so, then I can try to give you a fairly simple solution.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Yes, that's what I want.

My specific reason for configuring VRFs is overlapping addresses; after I implemented VRFs no overlap happened, and the sub-interfaces are also for bandwidth limiting and saving ports.

On the existing SwitchCore it is working properly and functioning perfectly.

On the other hand, I created another network using another Cisco router 2911, and I use the existing switch core because it has 8 ports available.

On this, I need to work out router 2911 -> SwitchCore -> clients

with bandwidth limiting DL & UL, they cannot see each other, and they can use public IPs for their individual servers.

Can I request your simple solution as you said earlier? Then I'll try to implement it.

I think i've come up with a solution for you. We'll have to use VRF's if you want overlapping addresses. I'll try to demonstrate with this example here:

Here I have switch 1 where my clients are connected - I am only showing a PC who is client 1 with an IP of 11.11.11.100.

It has a default gateway of the VRF which is 11.11.11.1 on R1.

I am doing 'router on a stick' - this involves creating sub-interfaces on the router with the correct encapsulation and a trunk being configured on SW1.

Wherever my clients are connected I just have to put them in the right VLAN.

lets say client is connected to the SW1 on fa1/11.

The configuration would be:

interface fa1/11

switchport

switchport mode access

switchport access vlan 1

just a simple access port. Please NOTE: I have not configured any addresses on the switch! its only doing my Layer 2. I'll leave all the hard work for the router to do - router's are built to route :-)

Here is the configuration of SW1:

hostname SW1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

!

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!        

!

!        

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

description UPLINK TO R1

switchport trunk allowed vlan 1-5,1002-1005

switchport mode trunk

duplex full

speed 100

!

interface FastEthernet1/1

!

interface FastEthernet1/2

!

interface FastEthernet1/3

!

interface FastEthernet1/4

!

interface FastEthernet1/5

!

interface FastEthernet1/6

!

interface FastEthernet1/7

!

interface FastEthernet1/8

!

interface FastEthernet1/9

!

interface FastEthernet1/10

!

interface FastEthernet1/11

description CLIENT-1

switchport

switchport mode access

switchport access vlan 1

!

interface FastEthernet1/12

description CLIENT-2

switchport

switchport mode access

switchport access vlan 2

!

interface FastEthernet1/13

description CLIENT-3

switchport

switchport mode access

switchport access vlan 3

!

interface FastEthernet1/14

description CLIENT-4

switchport

switchport mode access

switchport access vlan 4

!        

interface FastEthernet1/15

description CLIENT-5

switchport

switchport mode access

switchport access vlan 5

SW1#show vlan

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                               active    Fa1/11

2    VLAN0002                         active    Fa1/12

3    VLAN0003                         active    Fa1/13

4    VLAN0004                         active    Fa1/14

5    VLAN0005                         active    Fa1/15

Just a simple config with my layer 2 in place.

No routes needed, no SVI interfaces needed.

Lets go over to R1 where the VRF magic happens.

R1#show run

Building configuration...

Current configuration : 2387 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

!

!

ip vrf client-1

rd 1:11

!        

ip vrf client-2

rd 2:22

!

ip vrf client-3

rd 3:33

!

ip vrf client-4

rd 4:44

!

ip vrf client-5

rd 5:55

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

interface FastEthernet0/0

ip address 125.212.50.54 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

speed 100

full-duplex

!

interface FastEthernet0/1.11

encapsulation dot1Q 1 native

ip vrf forwarding client-1

ip address 11.11.11.1 255.255.255.0

ip nat inside

ip virtual-reassembly

rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop

rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop

!

interface FastEthernet0/1.22

encapsulation dot1Q 2

ip vrf forwarding client-2

ip address 22.22.22.1 255.255.255.0

ip nat inside

ip virtual-reassembly

rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop

rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop

!

interface FastEthernet0/1.33

encapsulation dot1Q 3

ip vrf forwarding client-3

ip address 33.33.33.1 255.255.255.0

ip nat inside

ip virtual-reassembly

rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop

rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop

!        

interface FastEthernet0/1.44

encapsulation dot1Q 4

ip vrf forwarding client-4

ip address 44.44.44.1 255.255.255.0

ip nat inside

ip virtual-reassembly

rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop

rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop

!

interface FastEthernet0/1.55

encapsulation dot1Q 5

ip vrf forwarding client-5

ip address 55.55.55.1 255.255.255.0

ip nat inside

ip virtual-reassembly

rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop

rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop

!

interface FastEthernet1/0

no ip address

shutdown

duplex auto

speed auto

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 125.212.50.53

ip route vrf client-1 0.0.0.0 0.0.0.0 125.212.50.53 global

ip route vrf client-2 0.0.0.0 0.0.0.0 125.212.50.53 global

ip route vrf client-3 0.0.0.0 0.0.0.0 125.212.50.53 global

ip route vrf client-4 0.0.0.0 0.0.0.0 125.212.50.53 global

ip route vrf client-5 0.0.0.0 0.0.0.0 125.212.50.53 global

!

ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-1 overload

ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-2 overload

ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-3 overload

ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-4 overload

ip nat inside source list MY_NAT interface FastEthernet0/0 vrf client-5 overload

!

ip access-list extended MY_NAT

permit ip any any

This configuration will allow you to have a default route to the global routing table and be allowed to route out towards the internet. It's important to remember NAT. And I have included the relevant configuration for NAT for all of your VRF's

GLOBAL ROUTING TABLE:

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 125.212.50.53 to network 0.0.0.0

     125.0.0.0/30 is subnetted, 1 subnets

C       125.212.50.52 is directly connected, FastEthernet0/0

S*   0.0.0.0/0 [1/0] via 125.212.50.53

VRF ROUTING TABLE FOR CLIENT-1

R1#show ip route vrf client-1

Routing Table: client-1

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 125.212.50.53 to network 0.0.0.0

     11.0.0.0/24 is subnetted, 1 subnets

C       11.11.11.0 is directly connected, FastEthernet0/1.11

S*   0.0.0.0/0 [1/0] via 125.212.50.53

As you can see, the default route has been introduced to the routing table. I want to try and ping outbound from this VRF just to see if I can get to that 100.0.0.1 address out on the internet.

R1#ping vrf client-1 100.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

R1#

*Mar  1 00:43:18.795: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [15]

*Mar  1 00:43:18.811: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [15]

*Mar  1 00:43:18.815: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [16]

*Mar  1 00:43:18.831: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [16]

*Mar  1 00:43:18.831: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [17]

*Mar  1 00:43:18.851: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [17]

*Mar  1 00:43:18.855: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [18]

*Mar  1 00:43:18.875: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [18]

*Mar  1 00:43:18.879: NAT: s=11.11.11.1->125.212.50.54, d=100.0.0.1 [19]

*Mar  1 00:43:18.891: NAT*: s=100.0.0.1, d=125.212.50.54->11.11.11.1 [19]

As you can see, the ping was successful; NAT took place and correctly translated the VRF's address. Let's look at it from the INTERNET router's perspective. This time I'll try to ping the 10.0.0.1 address from the client.

INTERNET#

*Mar  1 01:32:05.239: IP: tableid=0, s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1 (Loopback1), routed via RIB

*Mar  1 01:32:05.239: IP: s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1, len 100, rcvd 4

*Mar  1 01:32:05.243: IP: tableid=0, s=10.0.0.1 (local), d=125.212.50.54 (FastEthernet0/0), routed via FIB

*Mar  1 01:32:05.243: IP: s=10.0.0.1 (local), d=125.212.50.54 (FastEthernet0/0), len 100, sending

*Mar  1 01:32:05.263: IP: tableid=0, s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1 (Loopback1), routed via RIB

*Mar  1 01:32:05.263: IP: s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1, len 100, rcvd 4

*Mar  1 01:32:05.263: IP: tableid=0, s=10.0.0.1 (local), d=125.212.50.54 (FastEthernet0/0), routed via FIB

*Mar  1 01:32:05.267: IP: s=10.0.0.1 (local), d=125.212.50.54 (FastEthernet0/0), len 100, sending

*Mar  1 01:32:05.307: IP: tableid=0, s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1 (Loopback1), routed via RIB

*Mar  1 01:32:05.307: IP: s=125.212.50.54 (FastEthernet0/0), d=10.0.0.1, len 100, rcvd 4

So the INTERNET router sees the NAT traffic from 125.212.50.54, which is good, because it will reply back to our WAN address; we are able to ping the 10.0.0.1 address successfully.

When I try to ping from client 1 to client 2, I have no route to get there and it should fail, so I'll test this:

R1#ping vrf client-1 22.22.22.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

R1#

*Mar  1 00:58:17.819: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [25]

*Mar  1 00:58:17.839: NAT: s=125.212.50.53, d=125.212.50.54->11.11.11.1 [17]

*Mar  1 00:58:17.843: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [26]

*Mar  1 00:58:19.839: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [27]

*Mar  1 00:58:19.855: NAT: s=125.212.50.53, d=125.212.50.54->11.11.11.1 [18]

*Mar  1 00:58:19.855: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [28]

*Mar  1 00:58:21.855: NAT: s=11.11.11.1->125.212.50.54, d=22.22.22.1 [29]

*Mar  1 00:58:21.887: NAT: s=125.212.50.53, d=125.212.50.54->11.11.11.1 [19]

It tries to use the default route, hence we see the NAT attempts, but it will not be able to get there, so it fails!

So, in summary:

  1. your clients should have the default gateway of the VRF address
  2. you need to have a trunk from your switch to the router instead of a routed interface or access port
  3. make sure that the SVI's for these client vlans do not exist on the switch (for the client vlans, the switch should only be layer 2)!
  4. simple access port required for clients - just like your config too
  5. ensure default route exist within the routing table
  6. create the routes for your vrf's pointing to the global routing table
  7. create the acl for NAT and the NAT statements to correctly NAT outbound traffic

Quite a bit to take in - if you have any questions about this, i'll be happy to help!

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Message was edited by: Bilal Nawaz

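The summary above boils down to three per-VRF checks (a sub-interface in the VRF marked `ip nat inside`, a default route pointing at the global table, and a per-VRF overload NAT statement). The following auditor is an added example, not code from the thread or from Cisco: it parses an IOS running-config and reports, per VRF, which of those three pieces is missing. SAMPLE_CONFIG is a constructed config modelled on the thread; the VLAN numbers, addresses and VRF names in it are assumptions, and client-2 and client-3 are deliberately incomplete so the checks have something to find. It also flags a hardening point the thread leaves implicit: with `permit ip any any` as the NAT ACL, anything arriving on a client sub-interface, including packets with forged source addresses, is translated to the WAN address and leaves looking like 125.212.50.54.

```python
"""Audit a VRF-lite + NAT-to-global IOS running-config (added example, not the
thread's own code).  Per VRF it checks the three things the summary requires:
  1. a sub-interface bound to the VRF and marked `ip nat inside`
  2. `ip route vrf <vrf> 0.0.0.0 0.0.0.0 <next-hop> global`
  3. `ip nat inside source list <acl> interface <wan> vrf <vrf> overload`
and warns when the NAT ACL is `permit ip any any`.  SAMPLE_CONFIG is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

SAMPLE_CONFIG = """\
ip vrf client-1
ip vrf client-2
ip vrf client-3
interface GigabitEthernet0/1.11
 encapsulation dot1Q 11
 ip vrf forwarding client-1
 ip address 11.11.11.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.22
 encapsulation dot1Q 22
 ip vrf forwarding client-2
 ip address 22.22.22.1 255.255.255.0
interface GigabitEthernet0/1.33
 encapsulation dot1Q 33
 ip vrf forwarding client-3
 ip address 33.33.33.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 125.212.50.53
ip route vrf client-1 0.0.0.0 0.0.0.0 125.212.50.53 global
ip route vrf client-2 0.0.0.0 0.0.0.0 125.212.50.53
ip nat inside source list MY_NAT interface GigabitEthernet0/0 vrf client-1 overload
ip nat inside source list MY_NAT interface GigabitEthernet0/0 vrf client-3 overload
ip access-list extended MY_NAT
 permit ip any any
"""

ROUTE_RE = re.compile(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+( global)?$")
NAT_RE = re.compile(r"ip nat inside source list (\S+) interface \S+ vrf (\S+) overload$")


@dataclass
class VrfAudit:
    vrf: str
    interfaces: List[str] = field(default_factory=list)
    nat_inside: bool = False            # a bound sub-interface carries `ip nat inside`
    default_route_global: bool = False  # the VRF default route resolves in the global table
    nat_statement: bool = False         # a per-VRF overload NAT statement exists
    nat_acl: Optional[str] = None
    nat_acl_is_any: bool = False        # the ACL translates any source, not just this client

    @property
    def internet_ok(self) -> bool:
        return bool(self.interfaces) and self.nat_inside and self.default_route_global and self.nat_statement


def parse_blocks(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (top-level command, [indented sub-commands]) for an IOS-style config."""
    header: Optional[str] = None
    body: List[str] = []
    for raw in config.splitlines():
        if raw[:1] in (" ", "\t"):
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit(config: str) -> Dict[str, VrfAudit]:
    vrfs: Dict[str, VrfAudit] = {}
    acls: Dict[str, List[str]] = {}
    for header, body in parse_blocks(config):
        route, nat = ROUTE_RE.match(header), NAT_RE.match(header)
        if header.startswith("ip vrf "):
            vrfs.setdefault(header.split()[2], VrfAudit(header.split()[2]))
        elif header.startswith("interface "):
            bound = [l.split()[3] for l in body if l.startswith("ip vrf forwarding ")]
            if bound:  # this (sub-)interface belongs to a VRF
                a = vrfs.setdefault(bound[0], VrfAudit(bound[0]))
                a.interfaces.append(header.split()[1])
                a.nat_inside = a.nat_inside or "ip nat inside" in body
        elif route:  # without the `global` keyword the next hop is looked up inside the VRF
            a = vrfs.setdefault(route.group(1), VrfAudit(route.group(1)))
            a.default_route_global = a.default_route_global or route.group(2) is not None
        elif nat:
            a = vrfs.setdefault(nat.group(2), VrfAudit(nat.group(2)))
            a.nat_statement, a.nat_acl = True, nat.group(1)
        elif header.startswith("ip access-list "):
            acls[header.split()[-1]] = body
    for a in vrfs.values():  # `permit ip any any` translates whatever arrives on the inside interface
        a.nat_acl_is_any = a.nat_acl is not None and "permit ip any any" in acls.get(a.nat_acl, [])
    return vrfs


def report(config: str) -> List[str]:
    """One line per VRF, plus a hardening warning where the NAT ACL is wide open."""
    out = []
    for name, a in sorted(audit(config).items()):
        out.append(f"{name}: {'OK' if a.internet_ok else 'BROKEN'} ifaces={a.interfaces} "
                   f"nat_inside={a.nat_inside} default_global={a.default_route_global} nat_stmt={a.nat_statement}")
        if a.nat_acl_is_any:
            out.append(f"  warn: NAT ACL {a.nat_acl} is 'permit ip any any'; restrict it to the client subnet")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run it against `show running-config` output saved to a file and it reports client-1 as OK, client-2 as missing all three pieces (no `ip nat inside`, a VRF default route without `global`, no NAT statement) and client-3 as having NAT but no default route. The warning is the security-relevant part: scope each NAT ACL to that client's own subnet, and consider `ip verify unicast source reachable-via rx` (strict uRPF) on the client sub-interfaces, so a customer cannot push spoofed sources out through your WAN address.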

Hi Bilal,

I'm on leave; as soon as possible I'll do it on my network.

Hoping your positive response is on my side until the network is running perfectly, and I wish you to be part of it.

I'll rate the correct answer after applying the commands.

thanks

Hi Bilal,

It works great, smooth and perfect; now I can surf the internet on the existing switch I have.

However, I have another problem, with bandwidth.

here's my config:

rate-limit input 10000000 3750000 3750000 conform-action transmit exceed-action drop

rate-limit output 10000000 3750000 3750000 conform-action transmit exceed-action drop

Cisco standard burst is in bytes; however,

if I test my speed, it booms right away to more than 10Mbps.

I want it to be 10Mbps for UL and DL.

Did I miss something? Or should I put:

bandwidth 10000

Hello, I'm glad that the solution worked for you! I was unsure if I explained well enough, but it seems as though you got the hang of the method!

You can try to police the traffic instead of rate-limiting on the sub-ifs.

E.g. at the moment we have this:

interface FastEthernet0/1.11

encapsulation dot1Q 1 native

ip vrf forwarding client-1

ip address 11.11.11.1 255.255.255.0

ip nat inside

ip virtual-reassembly

rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop

rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop

So what we can do instead is this:

conf t

!

ip access-list extended LIMIT_10MB

permit ip any any

!

class-map match-any LIMIT_10MB

match access-group name LIMIT_10MB

!

Policy-map LIMIT_10MB

class LIMIT_10MB

  police 10000000 conform-action transmit  exceed-action drop

!

interface FastEthernet0/1.11

no rate-limit input 10000000 5000 5000 conform-action transmit exceed-action drop

no rate-limit output 10000000 5000 5000 conform-action transmit exceed-action drop

!

service-policy input LIMIT_10MB

service-policy output LIMIT_10MB

In your case the interfaces are different. Then save the config and test your speed again.

This will police all your traffic to 9.765625 Mbits.

Hope this helps.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


Hi Bilal,

I followed your config, and what I did is this:

!

class-map match-any LIMIT_10Mbps

match access-group name LIMIT_10Mbps

!

!

policy-map LIMIT_10Mbps

class LIMIT_10Mbps

    police 10000000 conform-action transmit  exceed-action drop

!

!

ip access-list extended LIMIT_10Mbps

permit ip any any

ip access-list extended MY_NAT

permit ip any any

!

ip nat inside source list LIMIT_10Mbps interface GigabitEthernet0/0 vrf Client-1 overload

interface GigabitEthernet0/2.10

no rate-limit input 10000000 3750000 3750000 conform-action transmit exceed-action drop

no rate-limit output 10000000 3750000 3750000 conform-action transmit exceed-action drop

___________

There's no command like this on my router 2911.

It only has service-family:

service-policy input LIMIT_10MB

service-policy output LIMIT_10MB

______________________

Should I delete this:

1.

ip access-list extended MY_NAT

permit ip any any

and

replace this:

ip access-list extended LIMIT_10MB

permit ip any any

or

can I leave it and add this new access-list limit_10mb?

______________

2.

How do I deploy LIMIT_10MB on each of the sub-interfaces?


interface FastEthernet0/1.11

encapsulation dot1Q 1

ip vrf forwarding client-1

ip address 11.11.11.1 255.255.255.0

ip nat inside

ip virtual-reassembly

interface FastEthernet0/1.22

encapsulation dot1Q 1

ip vrf forwarding client-1

ip address 22.22.22.1 255.255.255.0

ip nat inside

ip virtual-reassembly

___________

3.


And what if my:

interface FastEthernet0/1.33 is only 2Mbps? Then how do I solve this?

___________

Can you give me the config for:

interface FastEthernet0/1.22 - 10Mbps

interface FastEthernet0/1.11 - 10Mbps

interface FastEthernet0/1.33 - 2Mbps

In the access-lists:

ip access-list extended LIMIT_10MB

ip access-list extended MY_NAT

Should I leave these two, or must only one of them remain because of a conflict?

Hello,

1) Leave it as it is. The config is additional config!

2) You can limit on each sub-interface, as I suggested in my post, with these commands below:

conf t

!

interface fa0/1.11

service-policy input LIMIT_10MB

service-policy output LIMIT_10MB

!

interface fa0/1.22

service-policy input LIMIT_10MB

service-policy output LIMIT_10MB

3) If your interface fa0/1.33 is only 2 Mbps, then you can do this:

conf t

!

ip access-list extended LIMIT_2MB

permit ip any any

!

class-map match-any LIMIT_2MB

match access-group name LIMIT_2MB

!

Policy-map LIMIT_2MB

class LIMIT_2MB

  police 2000000 conform-action transmit  exceed-action drop

!

interface fa0/1.33

service-policy input LIMIT_2MB

service-policy output LIMIT_2MB

===============================================================================

Your config will look like this:

################ LEAVE ACLS AS THEY ARE - THEY'RE LIKE THIS FOR FUTURE REQUIREMENTS

ip access-list extended LIMIT_10MB

permit ip any any

ip access-list extended LIMIT_2MB

permit ip any any

ip access-list extended MY_NAT

permit ip any any

############################################################

################ TO LIMIT FOR 2 MB

class-map match-any LIMIT_2MB

match access-group name LIMIT_2MB

!

Policy-map LIMIT_2MB

class LIMIT_2MB

  police 2000000 conform-action transmit  exceed-action drop

!

############################################################

################ TO LIMIT FOR 10 MB

class-map match-any LIMIT_10MB

match access-group name LIMIT_10MB

!

Policy-map LIMIT_10MB

class LIMIT_10MB

  police 10000000 conform-action transmit  exceed-action drop

############################################################

################ APPLY SERVICE POLICY TO INTERFACES

interface fa0/1.11

service-policy input LIMIT_10MB

service-policy output LIMIT_10MB

!

interface fa0/1.22

service-policy input LIMIT_10MB

service-policy output LIMIT_10MB

!

interface fa0/1.33

service-policy input LIMIT_2MB

service-policy output LIMIT_2MB

And this should be it. I hope this is clearer for you. Just remember to take out the rate-limit commands, as they aren't doing much for you.

Hope this helps

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


How about this? I'm just confused:

Which should I use? MY_NAT, which you created earlier, or the new one, LIMIT_10Mbps, for overloading?

ip nat inside source list LIMIT_10Mbps interface GigabitEthernet0/0 vrf Client-1 overload

ip nat inside source list MY_NAT interface GigabitEthernet0/0 vrf Client-1 overload

Hello,

I created MY_NAT for your NAT statements only.

I created LIMIT_10MB specifically for your 10MB limit policy

I created LIMIT_2MB specifically for your 2MB limit policy

These are separate ACLs used for different things. The NAT statement should be:

ip nat inside source list MY_NAT interface GigabitEthernet0/0 vrf Client-1 overload

It is only to make it visibly clear and more defined as to what the access lists are used for, hence the names I used:

MY_NAT is for NAT

LIMIT_10MB is for limiting to 10MB in the service policy etc.....

Hope this makes things clear.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


Hi Bilal,

I would like to say thank you very much for solving this problem.

Once again, many thanks.

All configs are running smoothly and perfectly.

You're welcome :-)   - Thank you for your kind comments and helpful ratings! Happy to help.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
