I've been trying to get this to work, but it appears to be a bug of some sort.
I have two VRFs configured on a physical 1811 running (C181X-ADVIPSERVICESK9-M), Version 15.1(4)M6.
One is called "inside", facing the LAN, and one is called "outside", facing the WAN side. The two VRFs are connected via a GRE tunnel. F0 and Tu0 are part of "outside" and T1 and VL1 are part of "inside". Routing is working fine and I can ping 22.214.171.124, and NATting is set up on the outside VRF and it's also working fine; I can access the internet etc.
Traffic flows this way in the outbound direction:
vlan 1 --> Lo1 --> Tu1 --> Tu0 --> Lo0 --> Fa0
and vice versa in the inbound direction.
Internet traffic works fine. I add inspection to Tu0 to create openings in the WAN ACL for traffic coming in the return direction, do show inspect sessions, works fine, then add the WAN ACL to Fa0, and it doesn't seem to work. Basically inspection (CBAC) and ACLs don't seem to work with VRFs.
I attached the config for reference.
Note: I'm doing this for QoS in the inbound direction since the VL interface doesn't take a QoS policy in the outbound direction, but that's irrelevant.
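As an added illustration (this is not the config attached to the post), here is a minimal IOS configuration for the topology described above: two VRFs joined by a hairpin GRE tunnel, CBAC inspection on Tu0 and the WAN ACL on Fa0. Every address, ACL and inspect name, and the placement of Lo0/Lo1 in the global routing table are assumptions.

```cisco
! Constructed example: two VRFs joined by a hairpin GRE tunnel, CBAC on the
! tunnel, WAN ACL on Fa0. Addresses, names and Lo0/Lo1 placement are assumptions.
ip vrf inside
ip vrf outside
!
! Tunnel endpoints stay in the global table so the two tunnels can reach each other
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
interface Loopback1
 ip address 10.0.0.2 255.255.255.255
!
! LAN side: Vlan1 and Tunnel1 live in "inside"; ip vrf forwarding goes before ip address
interface Vlan1
 ip vrf forwarding inside
 ip address 192.168.1.1 255.255.255.0
interface Tunnel1
 ip vrf forwarding inside
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 10.0.0.1
!
! WAN side: Tunnel0 and Fa0 live in "outside"; CBAC inspects LAN traffic as it
! arrives through Tunnel0 and opens return paths through WAN-IN on Fa0
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
interface Tunnel0
 ip vrf forwarding outside
 ip address 172.16.0.2 255.255.255.252
 ip nat inside
 ip inspect CBAC in
 tunnel source Loopback0
 tunnel destination 10.0.0.2
interface FastEthernet0
 ip vrf forwarding outside
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group WAN-IN in
!
ip access-list extended WAN-IN
 deny ip any any log
ip access-list standard NAT-LAN
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-LAN interface FastEthernet0 vrf outside overload
!
ip route vrf inside 0.0.0.0 0.0.0.0 Tunnel1
ip route vrf outside 192.168.1.0 255.255.255.0 Tunnel0
ip route vrf outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Confirm with `show ip inspect sessions` that LAN flows entering Tu0 create sessions before WAN-IN is applied to Fa0, so that a later drop can be attributed to the ACL rather than to routing or NAT.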
Yes, it is a bit complex for what we're trying to achieve. It appears that ISR routers have a bit of a limitation: despite having more than one layer 3 interface, the VLAN interface does not accept a QoS policy in the outbound direction, thus Cisco suggested creating two VRFs with a tunnel in between and applying the policy on the tunnel, thus achieving QoS on traffic in the inbound direction for branch offices.
I'm thinking of trying it on an 891 instead of an 1811 and with a newer image and see if the issue persists.
That's a very good point. The limitation was that in this scenario we won't be able to utilize the integrated VLAN interface ports that are on the router, so we would need another separate physical switch and connect that to port Fa1.
The document also references another solution where this could potentially work: a physical loopback cable between Fa1 and the VLAN interface of the router, move the config (from the VLAN interface to Fa1: IP address, NAT inside, inspection, etc.), default the VLAN interface, turn it on and give it no IP address, so it acts as a dumb flat switch. This seems more stable than the VRF setup.
BTW: I rebooted the router without changing ANY config, and it seems to be working, with CEF enabled.