Extranet/ prefixlist

Unanswered Question
Sep 22nd, 2008


I have to configure extranets.

This has to be done for different routers (or subnets) belonging to 2 different VRFs.

Traffic from A to B has to be allowed and denied from B to A.

Could somebody advise me?

Thank you


singhsaju Mon, 09/22/2008 - 06:50

Hi Fred,

You can consider doing PAT or dynamic NAT from A to B. PAT will hide your network A, so no traffic can be sent to network A from B.



Pls rate helpful posts

Giuseppe Larosa Mon, 09/22/2008 - 08:45

Hello Fred,

You can implement an MPLS VPN extranet solution to make communication possible between the two VRFs.

On each router belonging to VRF A you can accept TCP sessions only if already established:

    access-list 123 permit tcp x.x.x.x y.y.y.y any established
    access-list 123 deny tcp x.x.x.x y.y.y.y any
    access-list 123 permit ip any any

    int gx/y
     ip vrf forwarding VRF_A
     ip access-group 123 out


where x.x.x.x represents the networks of VRF B.

The extranet solution is simply the addition of the route-target import command within VRF interfaces:

    ip vrf VRF_A
     route-target import

to be added

    ip vrf VRF_B
     route-target import

Hope to help
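
Added example, not part of the original posts and not Cisco code: a small Python model of first-match evaluation for access-list 123 as posted above, run over constructed packets leaving the VRF_A interface. The 192.0.2.0/24 network standing in for `x.x.x.x y.y.y.y` and the sample packets are assumptions; `established` is modelled as matching the ACK or RST bit.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network (documentation range) standing in for "x.x.x.x y.y.y.y",
# the networks of VRF B. This value is an assumption, not from the thread.
VRF_B = ipaddress.ip_network("192.0.2.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                      # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()  # TCP flags set on the segment

# access-list 123 as posted: (action, protocol, source network, established)
ACL_123 = [
    ("permit", "tcp", VRF_B, True),
    ("deny",   "tcp", VRF_B, False),
    ("permit", "ip",  None,  False),   # "any any"
]

def evaluate(pkt, acl=ACL_123):
    """First-match evaluation; returns (action, entry number), 0 = implicit deny."""
    src = ipaddress.ip_address(pkt.src)
    for n, (action, proto, net, established) in enumerate(acl, 1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if net is not None and src not in net:
            continue
        # "established" is a per-packet test on the ACK or RST bit, not session state
        if established and not pkt.flags & {"ACK", "RST"}:
            continue
        return action, n
    return "deny", 0

# Constructed packets leaving the VRF_A interface toward hosts in A
SAMPLES = {
    "B opens TCP session (SYN)":    Packet("192.0.2.10", "tcp", frozenset({"SYN"})),
    "B answers A's SYN (SYN+ACK)":  Packet("192.0.2.10", "tcp", frozenset({"SYN", "ACK"})),
    "B sends UDP":                  Packet("192.0.2.10", "udp"),
    "B sends ICMP":                 Packet("192.0.2.10", "icmp"),
    "other source opens TCP (SYN)": Packet("203.0.113.5", "tcp", frozenset({"SYN"})),
}

def run_samples():
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, entry) in run_samples().items():
        print(f"{name:30} -> {action} (entry {entry})")
```

In this model UDP and ICMP sourced from VRF B fall through to entry 3 and are permitted, so the list as posted blocks only new TCP sessions from B to A.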


