Hi Folks, (Sorry, this is long, and rather convoluted) I'm not sure if I'm trying to do something that I shouldn't be, but here's what I'm doing. I have a CCR1009 at SY3, acting as our core router. Dual-gig bond to our upstreams (delivered as VLAN's from three different providers), and dual-gig bond to our main switch. All customer and internal vlans live on that internal bond interface, with interfaces up on each for routing. A few of those vlans live in VRF's (backup network, management network, SAN network(s), etc), and the CCR has IP's on the vlans for those VRF's, so I can do NAT out so the devices on them have internet access. That's all good, though I do have the question - should I be able to ping the CCR IP for one of the VRF VLAN's from another subnet on our network? Can't ping the IP's inside the VRF, just the one on the CCR itself. Now I've finally replaced the flock of cisco 877W's at my home office with a CRS109 and an RB951 (Ethernet-over-Power link to the garage doesn't pass vlan tags, so I've been running GRE tunnels on the 877's, and now I'll just run an EoIP tunnel with bridged vlans). So today I've fired up an EoIP tunnel, which works nicely. I then tried extending one of the VRF's across the tunnel, and it seems to be working nicely. i.e. moved the IP address on the CCR vlan1202 to bridge_vlan1202 (which is a bridge with vlan1202 and eoip_wyong_vlan1202 in it). And then on the CRS, I created a vlan1202 on ether2-master, and on eoip_sy3, and then created bridge_vlan1202 on both interfaces, and then added bridge_vlan1202 into a new VRF, and added an IP address in. Now, I can ping from a host on the VRF at SY3, to the router at home, so Im assuming the bridging etc is working. So now, I want workstations at home to be able to route into that VRF. But not hosts in the DMZ (publicly addressable), and not hosts on our 'visitors' vlan. can I do that? If so, any suggestions on how? :) And while I'm asking.. I need to bring up two more of those VRF+VLAN combo's bridged from SY3 - and then take them from the CRS to the RB951 in the garage for easy provisioning and testing of new servers before taking them to sydney.. Is there an easier way to simply bridge from the CRS to the RB951 across an ethernet link which doesn't support vlan tags? Or do i use EoIP and config and bridge the vlans? Thanks, Damien -- Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust rendrag@rendrag.net - http://www.rendrag.net/ -- We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder