Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
367
Views
0
Helpful
2
Replies

VRF not work

aliver
Level 1
Level 1

‎07-25-2006 05:33 AM - edited ‎03-03-2019 01:26 PM

Hello!

We have cat3550 12.1(19)EA1a and we want to setup VRF in next scheme:

cat3550------(inside)PIX(dmz)----r2600

------------tunnel1-------

r2600 is a exit point of all tunnels and is a point of connection VRF and global routing.

There are two subnets,which we want to connect each other and connect these subnets to the rest net.

we are using two tunnels to 2600 router and VRF

that are a VRF and EIGRP parts from our config:

ip vrf MMM

rd 1016:247

interface Tunnel1

ip vrf forwarding MMM

ip unnumbered Vlan247

tunnel source Loopback0

tunnel destination 192.168.240.254

....

interface Vlan247

ip vrf forwarding MMM

ip address 192.168.247.46 255.255.255.240

no ip redirects

router eigrp 1016

network 192.168.0.37 0.0.0.0

network 192.168.37.0 0.0.0.255

network 192.168.40.128 0.0.0.15

network 192.168.252.32 0.0.0.3

network 192.168.252.36 0.0.0.3

no auto-summary

eigrp router-id 192.168.0.37

no eigrp log-neighbor-changes

ip route 0.0.0.0 0.0.0.0 192.168.252.33

ip route 0.0.0.0 0.0.0.0 192.168.252.37 2

ip route vrf MMM 0.0.0.0 0.0.0.0 Tunnel1

ip route vrf MMM 192.168.247.48 255.255.255.248 Tunnel1

where 192.168.247.48 255.255.255.248 - another subnet in VRF

All nodes from cat3550 in vlan247 must go to inside nodes using VRF and tunnel, all others using usual routing (EIGRP).

So,we want to access mail server 192.168.7.33, which is located in inside net (not VRF), but not successfull.

As I see all packets from node in VLAN247 are go straight on to server (not via tunnel),and back packets go via PIX (because there are no subnets 192.168.247.48 255.255.255.248 and 192.168.247.32 255.255.255.240 in EIGRP routing, and PIX is a default routing point)

and I see PIX log message like this:

Deny tcp src inside:192.168.7.33/110 dst dmz:192.168.247.35/49384 by access-group "acl_inside"

(permit clause is from DMZ to INSIDE zone, not vice versa)

However when i do

telnet 192.168.7.33 110 /vrf MMM

from cat3550

it works fine!

and I see that packets go correctly via tunnel and then via PIX to server.

Accessing between subnets 192.168.247.48 255.255.255.248 and 192.168.247.32 255.255.255.240 is fine too! (why???)

I tried set

ip route vrf MMM 192.168.7.33 255.255.255.255 Tunnel1

but no effect.

What I do wrong? Why does it not work?

I hope I explain clearly.

Thanks!

Labels:
0 Helpful
2 Replies 2

sbilgi
Level 5
Level 5

‎07-31-2006 11:07 AM

Router(config)# snmp-server host host-address [traps | informs][version {1 | 2c | 3 [auth | noauth |priv]}] community-string [udp-port port][notification-type][vrf vrf-name].For more info refer the following URL

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804557c4.html#wp1015359

0 Helpful

aliver
Level 1
Level 1

‎07-31-2006 10:24 PM

I changed IOS to c3550-ipservicesk9-tar.122-25.SEE1 and everything is OK.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card