Configure Route Leaking Between Global and VRF Routing with PBR

Diagram

Interface to Internet

interface Ethernet0/0
description Outside
ip vrf forwarding INTERNET
ip address 192.0.0.1 255.255.255.252

Interface Inside in the GRT (Global Routing Table)

interface Ethernet0/1
description Inside
ip address 192.168.1.254 255.255.255.0

Leaking the default route from the global table towards the Internet (the static route points at an interface that sits in VRF INTERNET)

ip route 0.0.0.0 0.0.0.0 Ethernet0/0 192.0.0.2

NAT configuration

ip nat inside source list NAT interface Ethernet0/0 overload
access-list NAT permit 192.168.1.0 0.0.0.255

PBR configuration

ip prefix-list PREF seq 5 permit 192.168.1.0/24
!
route-map PBR permit 10
  match ip address 101
  set global
!
access-list 101 permit ip any 192.168.1.0 0.0.0.255

interface Ethernet0/0
 ip policy route-map PBR

Verification

Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.0.0.1:7 192.168.1.1:7 8.8.8.8:7 8.8.8.8:7

Router#sh ip policy
Interface      Route map
Ethernet0/0    PBR

Router#sh route-map
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    global
  Policy routing matches: 25 packets, 2850 bytes
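Added example, not part of the original notes: a small Python model of the forwarding path the configuration above relies on (NAT untranslation on the outside interface, then PBR with ACL 101 and 'set global', then a lookup in the chosen table). The route tables and the NAT entry are constructed from the configuration and the 'sh ip nat translations' output shown above.

```python
import ipaddress

# Constructed model of the global/VRF leak above; not the page's code.

def ace_matches(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_101_permits(src, dst):
    """access-list 101 permit ip any 192.168.1.0 0.0.0.255 (source is 'any')."""
    return ace_matches(dst, "192.168.1.0", "0.0.0.255")

# Global table: inside subnet plus the leaked default that points at
# Ethernet0/0 (which lives in VRF INTERNET). VRF INTERNET only knows its
# own connected subnet.
TABLES = {
    "global": {"192.168.1.0/24": "Ethernet0/1", "0.0.0.0/0": "Ethernet0/0"},
    "INTERNET": {"192.0.0.0/30": "Ethernet0/0"},
}

def lookup(table, dst):
    """Longest-prefix match in one table; None when there is no route."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in TABLES[table].items():
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

# Constructed NAT entry (inside global -> inside local) from the output above.
NAT_OUTSIDE_TO_INSIDE = {"192.0.0.1": "192.168.1.1"}

def forward_inbound(src, dst):
    """Packet arriving on Ethernet0/0 (VRF INTERNET). NAT untranslation runs
    before PBR, so ACL 101 sees the inside-local destination; only matching
    packets are switched to the global table, the rest stay in the VRF."""
    dst = NAT_OUTSIDE_TO_INSIDE.get(dst, dst)
    table = "global" if acl_101_permits(src, dst) else "INTERNET"
    return table, lookup(table, dst)

def forward_from_inside(dst):
    """Packet from the LAN on Ethernet0/1: global lookup, where the default
    route leaks it into the VRF interface."""
    return "global", lookup("global", dst)
```

Unsolicited inbound packets with no NAT entry never match ACL 101 and are left in VRF INTERNET, which has no route for them.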

BGP multipath with RR

The idea is to receive more than one path for a prefix, i.e. not only the single best path calculated by the RR.

All routers are connected to the RR.

Extract of the configuration on the RR

router bgp 65000
bgp router-id 10.1.1.1
bgp log-neighbor-changes
bgp additional-paths select best 2
bgp additional-paths send
neighbor IBGP peer-group
neighbor IBGP remote-as 65000
neighbor IBGP update-source Loopback0
neighbor IBGP route-reflector-client
neighbor IBGP advertise additional-paths best 2
maximum-paths ibgp 2

The RR keeps the best two paths and advertises the additional path on the same session.

Extract on one bgp client

router bgp 65000
bgp router-id 10.1.1.2
bgp log-neighbor-changes
neighbor 10.1.1.1 remote-as 65000
neighbor 10.1.1.1 update-source Loopback0
neighbor 10.1.1.1 next-hop-self
neighbor 10.1.1.1 additional-paths receive
maximum-paths ibgp 2

The client installs up to two paths and can receive more than one path for the same prefix from the same neighbor.
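Added example, not Cisco code and not part of the original notes: a simplified Python model of what 'bgp additional-paths select best 2' does on the RR (rank every path for a prefix in BGP decision order and keep the top N instead of only the best one) and of which of the received paths a client with 'maximum-paths ibgp 2' installs together. The decision order is simplified (locally originated paths and next-hop reachability are left out), and the Path fields and router-ids are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, simplified best-path model; not Cisco's implementation.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass
class Path:
    next_hop: str
    router_id: str          # of the advertising router, final tie-break
    as_path: tuple = ()
    weight: int = 0
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0     # IGP cost to reach next_hop

def bestpath_key(p):
    """Sort key in decision order; a smaller tuple is a better path:
    weight, local-pref, AS-path length, origin, MED, eBGP over iBGP,
    IGP metric, lowest router-id."""
    return (-p.weight, -p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin],
            p.med, 0 if p.ebgp else 1, p.igp_metric,
            int(ipaddress.IPv4Address(p.router_id)))

def select_best(paths, n=1):
    """RR side, 'bgp additional-paths select best N': without additional
    paths only select_best(paths) is sent; with it, the top N are."""
    return sorted(paths, key=bestpath_key)[:n]

def ibgp_multipath(paths, maximum_paths=2):
    """Client side, 'maximum-paths ibgp N': paths that tie with the best on
    every attribute ahead of the router-id tie-break are installed together,
    up to N of them."""
    ranked = select_best(paths, len(paths))
    best_attrs = bestpath_key(ranked[0])[:-1]
    ties = [p for p in ranked if bestpath_key(p)[:-1] == best_attrs]
    return ties[:maximum_paths]
```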

More information:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-16/irg-xe-16-book/bgp-additional-paths.html

OSPF Router-ID lookup

By default, OSPF displays the Router-ID as an IP address.

It is possible to change this behavior and display a name instead.

Before:

R1#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.0.31.31 0 FULL/ - 00:00:39 10.0.99.2 Ethernet0/1
10.0.130.130 0 FULL/ - 00:00:36 10.0.10.2 Ethernet0/2

After:

ip host R3 10.0.130.130
ip host R2 10.0.31.31

ip ospf name-lookup

R1#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
R2 0 FULL/ - 00:00:38 10.0.99.2 Ethernet0/1
R3 0 FULL/ - 00:00:36 10.0.10.2 Ethernet0/2

Of course, the router-id must be fixed (configured statically), otherwise the host entries no longer match the neighbor IDs.

PPPoE configuration example with CHAP

Client:

interface Ethernet0/0
 no ip address
 ip virtual-reassembly in
 pppoe enable
 pppoe-client dial-pool-number 1
end

!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname User1
 ppp chap password 0 Password1
 ppp ipcp route default     << To install default route
end


Server:

username User1 password 0 Password1
!
!
bba-group pppoe Group10
 virtual-template 10


interface Virtual-Template10
 ip unnumbered Loopback0
 ip mtu 1492
 peer default ip address pool Pool10
 ppp authentication chap

interface Ethernet0/2
 ip address 10.0.0.1 255.255.255.252
 pppoe enable group Group10


ip local pool Pool10 10.0.0.2


Verification:

client#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES manual up up
<..>
Ethernet1/3 unassigned YES TFTP administratively down down
Dialer1 10.0.0.2 YES IPCP up up
NVI0 unassigned NO unset up up
Virtual-Access1 unassigned YES unset up up

server# sh ppp all
Interface/ID OPEN+ Nego* Fail- Stage Peer Address Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2.1 LCP+ CHAP+ IPCP+ LocalT 10.0.0.2 User1

server# sh subscriber session brief
Current Subscriber Information: Total sessions 1

Uniq ID Interface State Up-time Identifier
6 Vi2.1 authen 00:12:49 User1
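Added example, not Cisco code and not part of the original notes: the CHAP exchange (RFC 1994, MD5 algorithm) that runs behind 'ppp authentication chap' on the server and 'ppp chap hostname / ppp chap password' on the client, with the User1 / Password1 credentials from the configuration above. It shows why the server keeps the secret in reversible form ('username User1 password 0 Password1'): CHAP needs the plain secret on both sides to recompute the response.

```python
import hashlib
import hmac
import os

# Constructed CHAP model (RFC 1994); the user table mirrors the
# 'username User1 password 0 Password1' line on the server.
SERVER_USERS = {"User1": b"Password1"}

def chap_response(ident, secret, challenge):
    """Client side: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def server_challenge(ident, value_len=16):
    """Server side: a fresh, unpredictable Challenge Value for each attempt,
    so a captured Response cannot be replayed against a later challenge."""
    return ident, os.urandom(value_len)

def server_verify(ident, challenge, name, response):
    """Server side: look up the secret for the Name carried in the Response,
    recompute the value and compare in constant time."""
    secret = SERVER_USERS.get(name)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)

def run_exchange(client_name, client_secret):
    """Challenge -> Response -> Success/Failure for one dial-in attempt."""
    ident, challenge = server_challenge(ident=0x01)
    response = chap_response(ident, client_secret, challenge)   # client
    return server_verify(ident, challenge, client_name, response)  # server
```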

DMVPN with IPSEC

Case 1 without VRF

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key MyKey address 0.0.0.0
!
!
crypto ipsec transform-set TRANS esp-aes
 mode transport
!
crypto ipsec profile PROF_DMVPN
 set transform-set TRANS

interface Tunnel0
 <...>
 tunnel source e0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROF_DMVPN

Case 2 with VRF

crypto keyring CCIE vrf VRF1
 pre-shared-key address 0.0.0.0 0.0.0.0 key MyKey
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set TRANS esp-aes
 mode transport
!
crypto ipsec profile PROF_DMVPN
 set transform-set TRANS

interface Tunnel0
 <..>
 tunnel source e0/0
 tunnel mode gre multipoint
 tunnel vrf VRF1
 tunnel protection ipsec profile PROF_DMVPN