Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VRF not work

Hello!

We have cat3550 12.1(19)EA1a and we want to setup VRF in next scheme:

cat3550------(inside)PIX(dmz)----r2600

------------tunnel1-------

r2600 is a exit point of all tunnels and is a point of connection VRF and global routing.

There are two subnets,which we want to connect each other and connect these subnets to the rest net.

we are using two tunnels to 2600 router and VRF

that are a VRF and EIGRP parts from our config:

ip vrf MMM

rd 1016:247

interface Tunnel1

ip vrf forwarding MMM

ip unnumbered Vlan247

tunnel source Loopback0

tunnel destination 192.168.240.254

....

interface Vlan247

ip vrf forwarding MMM

ip address 192.168.247.46 255.255.255.240

no ip redirects

router eigrp 1016

network 192.168.0.37 0.0.0.0

network 192.168.37.0 0.0.0.255

network 192.168.40.128 0.0.0.15

network 192.168.252.32 0.0.0.3

network 192.168.252.36 0.0.0.3

no auto-summary

eigrp router-id 192.168.0.37

no eigrp log-neighbor-changes

ip route 0.0.0.0 0.0.0.0 192.168.252.33

ip route 0.0.0.0 0.0.0.0 192.168.252.37 2

ip route vrf MMM 0.0.0.0 0.0.0.0 Tunnel1

ip route vrf MMM 192.168.247.48 255.255.255.248 Tunnel1

where 192.168.247.48 255.255.255.248 - another subnet in VRF

All nodes from cat3550 in vlan247 must go to inside nodes using VRF and tunnel, all others using usual routing (EIGRP).

So,we want to access mail server 192.168.7.33, which is located in inside net (not VRF), but not successfull.

As I see all packets from node in VLAN247 are go straight on to server (not via tunnel),and back packets go via PIX (because there are no subnets 192.168.247.48 255.255.255.248 and 192.168.247.32 255.255.255.240 in EIGRP routing, and PIX is a default routing point)

and I see PIX log message like this:

Deny tcp src inside:192.168.7.33/110 dst dmz:192.168.247.35/49384 by access-group "acl_inside"

(permit clause is from DMZ to INSIDE zone, not vice versa)

However when i do

telnet 192.168.7.33 110 /vrf MMM

from cat3550

it works fine!

and I see that packets go correctly via tunnel and then via PIX to server.

Accessing between subnets 192.168.247.48 255.255.255.248 and 192.168.247.32 255.255.255.240 is fine too! (why???)

I tried set

ip route vrf MMM 192.168.7.33 255.255.255.255 Tunnel1

but no effect.

What I do wrong? Why does it not work?

I hope I explain clearly.

Thanks!

2 REPLIES
Silver

Re: VRF not work

Router(config)# snmp-server host host-address [traps | informs][version {1 | 2c | 3 [auth | noauth |priv]}] community-string [udp-port port][notification-type][vrf vrf-name].For more info refer the following URL

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804557c4.html#wp1015359

New Member

Re: VRF not work

I changed IOS to c3550-ipservicesk9-tar.122-25.SEE1 and everything is OK.

174
Views
0
Helpful
2
Replies