I have a GRE tunnel from a router (DMZ) in the network that arrives at a CX-OS router (Site0) and the tunnel interface is attached to a non-default VRF (called BYOD) which has a user vlan in it (vlan 100). I have managed to leak the routes necessary for the tunnel to work and I have proved that I can ping the two internal tunnel addresses (near and far ends) from a PC on vlan 100 (both BYOD PCs) and have wiresharked it to prove that the pings from the PC are being encapsulated, going down the trunk to the router at the other end and replies are coming back encapsulated.
So to explain the diagram, the tunnel runs from the DMZ router up to the BYOD vrf on the Site0 router.
(Don't get hung up on the BYOD and DMZ names - there's no firewalling/weird IoT stuff, it's just names.)
From the DMZ PC I can ping up the tunnel to the loopback of the BYOD VRF and to the gateway (vlan interface address) of vlan 100
So it all looks great except I can't get from the BYOD PC on vlan 100 down the tunnel to any other address. I have created a default route in the BYOD VRF pointing at the tunnel interface and I have tried a more specific route in case there was something weird about the default, but no traffic goes down the tunnel. Also if I ping from the DMZ PC I can see the request coming out to the BYOD PC and the reply going back into Site0 but not being encapsulated and sent back down the tunnel.
The route that works (the tunnel endpoints) looks exactly the same as the one that doesn't, apart from the fact that one is connected and the other is static, and there's an extra hop:
0.0.0.0/0, vrf BYOD <----- no traffic down the tunnel
via tunnel1, [1/0], static
192.168.22.0/30, vrf BYOD <---works fine
via tunnel1, [0/0], connected
I tried this first without the VRF and it all worked fine, so it's something to do with the static route being in a VRF, but surely there's no reason I can't do that?
Any ideas?