We have a cat3550 running 12.1(19)EA1a and we want to set up VRF in the following scheme:
r2600 is the exit point of all tunnels and is the point of connection between VRF and global routing.
There are two subnets, which we want to connect to each other and to the rest of the net.
We are using two tunnels to the 2600 router and VRF.
These are the VRF and EIGRP parts of our config:
ip vrf MMM
!
! (tunnel interface block; the "interface Tunnel..." line is not shown in the post)
 ip vrf forwarding MMM
 ip unnumbered Vlan247
 tunnel source Loopback0
 tunnel destination 192.168.240.254
!
! (presumably the interface Vlan247 block; the "interface" line is not shown in the post)
 ip vrf forwarding MMM
 ip address 192.168.247.46 255.255.255.240
 no ip redirects
!
router eigrp 1016
 network 192.168.0.37 0.0.0.0
 network 192.168.37.0 0.0.0.255
 network 192.168.40.128 0.0.0.15
 network 192.168.252.32 0.0.0.3
 network 192.168.252.36 0.0.0.3
 eigrp router-id 192.168.0.37
 no eigrp log-neighbor-changes
!
ip route 0.0.0.0 0.0.0.0 192.168.252.33
ip route 0.0.0.0 0.0.0.0 192.168.252.37 2
ip route vrf MMM 0.0.0.0 0.0.0.0 Tunnel1
ip route vrf MMM 192.168.247.48 255.255.255.248 Tunnel1
where 192.168.247.48 255.255.255.248 is another subnet in the VRF.
All nodes from the cat3550 in vlan247 must reach inside nodes using the VRF and tunnel; all others use the usual routing (EIGRP).
So, we want to access the mail server 192.168.7.33, which is located in the inside net (not VRF), but not successfully.
As I see it, all packets from a node in VLAN247 go straight to the server (not via the tunnel), and the return packets go via the PIX (because there are no subnets 192.168.247.48 255.255.255.248 and 192.168.247.32 255.255.255.240 in the EIGRP routing, and the PIX is the default routing point),
and I see a PIX log message like this:
Deny tcp src inside:192.168.7.33/110 dst dmz:192.168.247.35/49384 by access-group "acl_inside"
(the permit clause is from the DMZ to the INSIDE zone, not vice versa)
However, when I do
telnet 192.168.7.33 110 /vrf MMM
it works fine!
and I see that packets go correctly via the tunnel and then via the PIX to the server.
Access between subnets 192.168.247.48 255.255.255.248 and 192.168.247.32 255.255.255.240 is fine too! (why???)
I tried to set
ip route vrf MMM 192.168.7.33 255.255.255.255 Tunnel1
I found that VRF works correctly if and only if the destination host is not in global routing (EIGRP in my case). But this happens with the IPs of nodes within the VLAN; the IP address of the VLAN on the Cisco is accessed correctly at any time.
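The PIX deny shown above is the one visible symptom of the asymmetric path (forward traffic bypasses the tunnel, replies come back through the firewall). As an added example, not part of the original post, this small parser picks such "reply-to-VRF-subnet" denies out of PIX log lines; the VRF subnets are the two from the post, the port heuristic (source port below 1024, destination port ephemeral) and the sample log lines are my own construction.

```python
import ipaddress
import re

# Subnets that should only be reachable via the VRF tunnel (from the post).
VRF_SUBNETS = [ipaddress.ip_network("192.168.247.32/28"),
               ipaddress.ip_network("192.168.247.48/29")]

# Matches: Deny tcp src inside:A.B.C.D/p dst dmz:E.F.G.H/q by access-group "name"
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<szone>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dzone>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

# Constructed sample log: line 1 is the post's deny, 2 and 3 are unrelated denies.
SAMPLE_LOG = [
    'Deny tcp src inside:192.168.7.33/110 dst dmz:192.168.247.35/49384 by access-group "acl_inside"',
    'Deny tcp src dmz:192.168.247.35/51000 dst inside:192.168.7.50/445 by access-group "acl_dmz"',
    'Deny udp src inside:192.168.7.33/53 dst dmz:192.168.250.10/40000 by access-group "acl_inside"',
]


def parse_deny(line):
    """Return the fields of a PIX deny line as a dict, or None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def in_vrf_subnet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VRF_SUBNETS)


def looks_like_stray_reply(d):
    """Heuristic: a server (port < 1024) in the inside zone answering an ephemeral
    port on a VRF-only subnet, i.e. a reply whose forward flow never crossed the PIX."""
    return (d["szone"] == "inside" and d["sport"] < 1024
            and d["dport"] >= 1024 and in_vrf_subnet(d["dip"]))


def find_asymmetric_denies(lines):
    """(vrf_host, server, server_port) for every deny that matches the heuristic."""
    hits = []
    for line in lines:
        d = parse_deny(line)
        if d and looks_like_stray_reply(d):
            hits.append((d["dip"], d["sip"], d["sport"]))
    return hits


if __name__ == "__main__":
    for vrf_host, server, port in find_asymmetric_denies(SAMPLE_LOG):
        print(f"{vrf_host} reached {server}:{port} outside the tunnel; reply blocked by PIX")
```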