Use an export map on the GW to only export the routes for GW and not the other custs.
Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wayne Lee
Sent: Tuesday, 11 November 2008 10:11 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] vrf-lite question

Hello

I've been playing with vrf-lite in dynamips and I've hit a problem.

I have 4 routers and 3 VRFs (cust1, cust2 and GW) configured on R0

R1-------R0-------R2
          |
          |
          |
          R4

cust1 and cust2 import from GW and GW imports from cust1 and cust2.

The problem I'm having is that cust1 can reach cust2 via GW and vice-versa. I'm using OSPF and BGP to redistribute but I do not know how to stop the customer VRFs from seeing each other; they do need internet access via GW, which will be performing NAT and allow inbound ipsec connections to the different VRFs (R4 will be a Netscreen firewall in the data-centre).

ip vrf cust1
 rd 172.16.1.1:100
 route-target export 172.16.1.1:100
 route-target import 172.16.1.1:100
 route-target import 10.254.254.254:300
!
ip vrf cust2
 rd 172.16.2.1:200
 route-target export 172.16.2.1:200
 route-target import 172.16.2.1:200
 route-target import 10.254.254.254:300
!
ip vrf juniperGW
 rd 10.254.254.254:300
 route-target export 10.254.254.254:300
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200
!
interface FastEthernet1/0
 description link to R1
 ip vrf forwarding cust1
 ip address 172.16.1.254 255.255.255.0
 duplex half
!
interface FastEthernet2/0
 description link to R2
 ip vrf forwarding cust2
 ip address 172.16.2.254 255.255.255.0
 duplex half
!
interface FastEthernet3/0
 description link to R3
 ip address 172.16.254.1 255.255.255.252
 duplex half
!
interface FastEthernet4/0
 description juniper gateway to internet
 ip vrf forwarding juniperGW
 ip address 10.254.254.254 255.255.255.0
 duplex half
!
router ospf 11 vrf cust1
 log-adjacency-changes
 capability vrf-lite
 network 172.16.1.0 0.0.0.255 area 11
!
router ospf 12 vrf cust2
 log-adjacency-changes
 capability vrf-lite
 network 172.16.2.0 0.0.0.255 area 12
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface FastEthernet3/0
 network 172.16.254.0 0.0.0.255 area 0
!
router ospf 10 vrf juniperGW
 log-adjacency-changes
 capability vrf-lite
 network 10.254.254.0 0.0.0.255 area 10
!
router bgp 65400
 no synchronization
 bgp router-id 10.10.254.254
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf juniperGW
  redistribute ospf 10
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust2
  redistribute ospf 12
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust1
  redistribute ospf 11
  no auto-summary
  no synchronization
 exit-address-family
!
ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253
ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253

The end result I'm working towards will have ADSL PPPoA interfaces in each VRF and the Netscreen will provide internet access and VPN to other sites where we do not terminate the ADSL.

Thanks for your time

Wayne

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
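The export map Ben suggests, written out against Wayne's addressing as an added illustration (not config from either message). It assumes 10.254.254.0/24 is the only GW prefix the customer VRFs need, that the existing `route-target export` on juniperGW is removed so the map alone decides what carries RT 300, and that the names GW-ONLY and GW-EXPORT are free.

```cisco
! Prefix list: only the GW transit subnet is handed to the customer VRFs
ip prefix-list GW-ONLY seq 5 permit 10.254.254.0/24
!
! Export map: prefixes matching GW-ONLY are tagged RT 300. Anything else
! in juniperGW (including what it imported from cust1 and cust2) does not
! match a permit clause and is therefore not exported at all.
route-map GW-EXPORT permit 10
 match ip address prefix-list GW-ONLY
 set extcommunity rt 10.254.254.254:300
!
ip vrf juniperGW
 rd 10.254.254.254:300
 ! the unconditional "route-target export 10.254.254.254:300" is removed;
 ! the export map now sets the RT only on the prefixes it permits
 no route-target export 10.254.254.254:300
 export map GW-EXPORT
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200
!
! Check from a customer VRF: only 10.254.254.0/24 should be learned via BGP
! show ip route vrf cust1 bgp
```

The map only limits what juniperGW hands to the other VRFs; juniperGW itself still holds both customers' prefixes, so a packet that leaves cust1 on its default route toward 10.254.254.253 and is sent back into juniperGW by the Juniper can still be forwarded to cust2, and that hairpin has to be policed on the gateway or firewall side.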