Routing zwischen VRF

[daking]

das sollte mit einem mix aus NAT,static route-leaking und BGP funzen (dann kann man das auch auf weiter Kunden erweitern) - das inter vrf routing ist mit gleichen p2p interface adressen ein wenig strange - das sollte man nochmal überdenken.
Hier die Config des Core Routers (warum sind da keine Routernamen in der Grafik - ok next time). Also der Router in der Mitte.
---snip
ip vrf vrf11
rd 1:1
export map TAG
route-target export 1:1
route-target import 1:1
route-target import 99:99 !e-comm für inter-vrf
!
ip vrf vrf12
rd 2:2
export map TAG
route-target export 2:2
route-target import 2:2
route-target import 99:99 !e-comm für inter-vrf
!
router bgp 64000
no bgp default ipv4-unicast
bgp log-neighbor-changes
!
address-family ipv4 vrf vrf11
no synchronization
redistribute ospf 1000 vrf A metric 100 route-map INTER_VRF !IGP oder was immer in der VRF
exit-address-family
!
address-family ipv4 vrf vrf12
no synchronization
redistribute ospf 2000 vrf B metric 100 route-map INTER_VRF !IGP oder was immer in der VRF
exit-address-family
!
ip nat pool VRF_A 9.9.1.0 9.9.1.254 netmask 255.255.255.0 !was auch immer Richtung Global
ip nat pool VRF_B 9.9.2.0 9.9.2.254 netmask 255.255.255.0 !was auch immer Richtung Global
ip nat inside source route-map NAT pool VRF_A vrf vrf11
ip nat inside source route-map NAT pool VRF_B vrf vrf12
!
ip route vrf A 10.88.0.0 255.255.0.0 <OIF_to_FW> <FW> global
ip route vrf B 10.88.0.0 255.255.0.0 <OIF_to_FE> <FW> global
!
ip access-list standard LEAK
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
!
ip access-list extended NAT-PERMIT
permit ip 192.168.0.0 0.0.255.255 10.88.0.0 0.0.255.255
!
route-map TAG permit 10
match ip address LEAK
set extcommunity rt 99:99 additive !ADD RT for INTRAVRF
!
route-map INTER_VRF permit 10
match ip address LEAK
!
!
route-map NAT permit 10
match ip address NAT-PERMIT

==> Routen auf der FW und CO Richtung Nat Bereich nicht vergessen
C1_A#ping 192.168.2.1 source loopback 0 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 244/369/492 ms
!
C1_A#ping 10.88.2.1 source loopback 0 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.88.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!.
Success rate is 83 percent (5/6), round-trip min/avg/max = 268/318/408 ms
!
C2_A#ping 10.88.2.1 source lo0 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.88.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!.
Success rate is 80 percent (4/5), round-trip min/avg/max = 272/341/416 ms
!
CORE#sh ip route vrf A | beg last
Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 10.5.5.1, 01:12:30, FastEthernet1/1
10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O 10.1.1.0/30 [110/2] via 10.5.5.1, 01:12:30, FastEthernet1/1
C 10.5.5.0/30 is directly connected, FastEthernet1/1
L 10.5.5.2/32 is directly connected, FastEthernet1/1
S 10.88.0.0/16 [1/0] via 192.168.254.1, FastEthernet2/0
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.1 [110/3] via 10.5.5.1, 01:12:30, FastEthernet1/1
192.168.2.0/32 is subnetted, 1 subnets
B 192.168.2.1 [20/100] via 10.5.5.1 (vrf12), 01:12:14, FastEthernet1/0
CORE#
==>5.5.5.1 (interessant)
==> hoffe ich habe nichts vergessen..
na ja mal sehen


hope this helps

ciao

[glady]

WOW
Danke für Deine ausführliche Lösungs-Beschreibung!