I am currently connecting a CallManager to a local firewall (192.168.1.x) to a Cisco 2801 (eth0/0 at 69.x.x.x) to a T1 (s0/3/0) with two sub-interfaces: 500.1 (ISP private for SIP) and 500.2 (ISP connection to the public internet). My problem is that eth0 is set for VRF forwarding "internet" and all traffic goes to the 500.2 interface. I need traffic that goes to 172.30.16.x to go to 500.1. Is there a way to add a route that will do this? Any help is appreciated.
Here is the current config if that helps anyone diagnose the issue. I've replaced a few of the IP octets with Xs to keep some of it halfway confidential.
ip vrf internet
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
!
ip subnet-zero
no ip source-route
no ip domain lookup
no cdp run
no ip finger
!
no ip http server
no ip http authentication timeout
no ip http timeout-policy
!
ip cef
!
ip classless
!
class-map match-any voice-traffic
 match ip dscp ef
 match protocol rtp
class-map match-any voice-signaling
 match ip dscp af41
 match protocol sip
!
policy-map llq-policy
 class voice-traffic
  priority percent 90
  set ip dscp ef
 class voice-signaling
  bandwidth percent 9
  set ip dscp af41
 class class-default
  set ip dscp 0
  fair-queue
!
!
card type t1 0 1
!
network-clock-participate wic 1
network-clock-select 1 t1 0/0/0
!
controller t1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
!
!
!
interface Serial0/0/0:0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 no cdp enable
 no fair-queue
 max-reserved-bandwidth 100
 service-policy output llq-policy
 no shutdown
!
interface Serial0/3/0:0.501 point-to-point
 description => Internet via ISP
 ip vrf forwarding internet
 ip address 205.x.x.254 255.255.255.252
 ip access-group NOSPOOF in
 no cdp enable
 frame-relay interface-dlci 501 IETF
 no shutdown
!
interface Serial0/3/0:0.502 point-to-point
 description => MPLS VPN via ISP
 ip address 205.x.x.210 255.255.255.252
 no cdp enable
 frame-relay interface-dlci 502 IETF
 no shutdown
!
!
interface FastEthernet0/0
 description => To public interface of Internet firewall
 ip vrf forwarding internet
 ip address 169.130.x.x 255.255.255.240
 no ip redirect
 no ip directed-broadcast
 no ip proxy-arp
 speed auto
 duplex auto
 no shutdown
!
interface FastEthernet0/1
 description => UNUSED
 no ip redirect
 no ip directed-broadcast
 no ip proxy-arp
 no ip address
 speed auto
 duplex auto
 shutdown
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0.502
!
ip route vrf internet 0.0.0.0 0.0.0.0 Serial0/0/0:0.501
!
!no scheduler allocate
!
voice-card 0
!
voice service voip
 fax protocol pass-through g711ulaw
 modem passthrough nse codec g711ulaw
 sip
  rel1xx disable
  bind control source-interface Serial0/0/0:0.502
  bind media source-interface Serial0/0/0:0.502
!
Someone virtualized the router into two separate routing tables; a good thing when landing internet and private circuits on a single device.
Instead of trying to route Call Manager traffic in untrusted space, why not send it out a trusted path? Does the firewall have a trusted interface that can route to the WAN? Is there an L3 switch near the Call Manager that could serve as its L3 gateway? This would allow the L3 switch to route trusted (WAN) traffic appropriately and send internet traffic to the firewall.
The config was basically given to me by the ITSP/ISP for use with their system, because they are providing both the SIP trunk as well as the internet connection, so I'm not sure how I could control any of the design part short of telling it how to route.
I'm more of a LAN person, so the VRF part of the config somewhat eludes me. I'm at a point where I can ping the SIP trunk internally from the 2801, but not from any device behind the 2801.
Chris, can you please elaborate? I'm trying to get this to work without changing any actual wiring if possible, so config only.
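An added example, not from the thread or the ISP-supplied config, of the route the original question asks for: on the posted 2801 the firewall-facing FastEthernet0/0 sits in VRF "internet" while the MPLS sub-interface sits in the global table, so a single prefix has to be leaked in both directions with static routes. Assumed: a /24 for 172.30.16.x, placeholders for the firewall's public address and the Fa0/0 subnet, and the sub-interface names as the posted "interface" lines define them (Serial0/3/0:0.50x), which the posted static routes reference inconsistently as Serial0/0/0:0.50x.

```cisco
! Added example (not from the thread or the ISP): leak one prefix between the
! "internet" VRF and the global table on the posted 2801.
! Assumptions: 172.30.16.0/24; <firewall-public-ip> and <fa0/0-subnet> are
! placeholders for the firewall's address and the /28 on FastEthernet0/0;
! interface names follow the posted "interface" definitions (Serial0/3/0:0.50x).
!
! VRF -> global: traffic entering FastEthernet0/0 (vrf internet) for
! 172.30.16.0/24 is resolved in the global table and sent out the MPLS DLCI.
ip route vrf internet 172.30.16.0 255.255.255.0 Serial0/3/0:0.502 global
!
! Global -> VRF: replies from the MPLS side must reach the firewall's public
! subnet, which only the VRF knows. A global static route that names the VRF
! interface together with a next hop on it installs that route.
ip route <fa0/0-subnet> 255.255.255.240 FastEthernet0/0 <firewall-public-ip>
!
! Checks (enable mode); 172.30.16.1 is a constructed target address:
! show ip route vrf internet 172.30.16.0
! show ip route <fa0/0-subnet>
! ping vrf internet 172.30.16.1 source FastEthernet0/0
```

Leaking only this one prefix keeps the separation between the internet and MPLS tables that the reply above praises, so do not leak the default route. The firewall behind Fa0/0 still needs its own route for 172.30.16.0/24 toward the 2801, and the ISP's side must know the source addresses that will appear on the MPLS circuit (the firewall's public address if it NATs, the 192.168.1.x LAN if it does not), which fits the symptom of pings working from the router but not from hosts behind it.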