How to terminate multiple VRF interfaces on a single outside interface of a firewall

hillolnath
Level 1

Here is the configuration I have so far.

PE1 (Cisco 5509 series switch):

ip vrf wholesaler1
 rd 10:10
 route-target export 10:10
 route-target import 10:10
!
ip vrf wholesaler2
 rd 10:11
 route-target export 10:11
 route-target import 10:11
!
ip cef
!
interface Loopback0
 ip address 137.172.0.2 255.255.255.255
 no ip route-cache
 no ip mroute-cache
!
! created between the two PEs
interface Vlan100
 ip address 202.61.12.1 255.255.255.240
 ip directed-broadcast
 tag-switching ip
!
! created between PE1 and the Alteon switch
interface Vlan200
 ip vrf forwarding wholesaler1
 ip address 202.61.12.241 255.255.255.252
!
! created between PE1 and the Alteon switch
interface Vlan201
 ip vrf forwarding wholesaler2
 ip address 202.61.12.245 255.255.255.252
!
router ospf 1
 network 137.172.0.2 0.0.0.0 area 0
 network 202.61.12.1 0.0.0.0 area 0
 passive-interface lo0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 137.172.0.3 remote-as 18192
 neighbor 137.172.0.3 update-source lo0
 no auto-summary
 !
 address-family ipv4 vrf wholesaler1
  ! assumed: the peer is the Alteon side (.242) of the /30; the post listed PE1's own .241
  neighbor 202.61.12.242 remote-as 18192
  no auto-summary
  no synchronization
 exit-address-family
 !
 ! second customer address family corrected to wholesaler2 (Vlan201 is in that VRF)
 address-family ipv4 vrf wholesaler2
  ! assumed: the peer is the far side (.246) of the /30, not PE1's own .245
  neighbor 202.61.12.246 remote-as <as other than 18192>
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 137.172.0.3 activate
  neighbor 137.172.0.3 send-community extended
  no auto-summary
 exit-address-family

PE2 (Cisco 5505 switch):

ip vrf wholesaler1
 rd 10:10
 route-target export 10:10
 route-target import 10:10
!
ip vrf wholesaler2
 rd 10:11
 route-target export 10:11
 route-target import 10:11
!
ip cef
!
interface Loopback0
 ip address 137.172.0.3 255.255.255.255
!
! PE-to-PE
interface Vlan100
 ip address 202.61.12.3 255.255.255.240
 ip directed-broadcast
 ip pim sparse-dense-mode
 tag-switching ip
!
! PE-to-CE: "ip vrf forwarding" must come before "ip address",
! because applying it removes any address already on the interface
interface Vlan200
 ip vrf forwarding wholesaler1
 ip address 202.61.15.65 255.255.255.252
!
! PE-to-CE: corrected to wholesaler2, one VRF per customer
interface Vlan201
 ip vrf forwarding wholesaler2
 ip address 202.61.15.69 255.255.255.252
!
router ospf 1
 network 137.172.0.3 0.0.0.0 area 0
 network 202.61.12.3 0.0.0.0 area 0
 passive-interface lo0
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 137.172.0.2 remote-as 1
 neighbor 137.172.0.2 update-source lo0
 !
 address-family ipv4 vrf wholesaler1
  neighbor 202.61.15.66 remote-as 1414
  no auto-summary
  no synchronization
 exit-address-family
 !
 ! second customer address family corrected to wholesaler2 (Vlan201 is in that VRF)
 address-family ipv4 vrf wholesaler2
  neighbor 202.61.15.70 remote-as 1415
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 137.172.0.2 activate
  neighbor 137.172.0.2 send-community extended
  no auto-summary
 exit-address-family

_____________________________________

The firewall is connected to a Nortel Alteon switch. My questions are below:

Is it necessary to put the ip vrf forwarding command on the interface towards the Nortel Alteon switch? Can I connect the Alteon switch to the 5509 switch over one VLAN interface?


johansens
Level 4

You are using the Alteon switch to load-balance to several firewalls? And you want to have only one inside interface?

If so, and you can guarantee that the Alteon switch doesn't allow packets to return to the MPLS cloud without first getting checked by the firewalls, then you could set up a central VRF to deliver this functionality.

If you want to have separate inside firewall interfaces, then you could configure it as you specified, with each VRF also located on the central side, each one having a VLAN interface into the central firewall.

I have put together a sample config for a central service:

On PE1:

! You don't need wholesaler1/2 here unless you have something directly connected in these VRFs
no ip vrf wholesaler1
no ip vrf wholesaler2
!
ip vrf fw
 rd 10:1
 route-target import 10:99
 route-target export 10:1
!
interface Vlan200
 description To Central Firewall Service
 ip vrf forwarding fw
 ip address 202.61.12.241 255.255.255.252
!
! Use the same BGP AS on your routers.. use RR if needed
!
router bgp 18192
 neighbor 137.172.0.3 remote-as 18192
 neighbor 137.172.0.3 update-source lo0
 !
 ! and the rest of your bgp-config
 !
 address-family ipv4 vrf fw
  redistribute static
  default-information originate
 exit-address-family
 !
 address-family vpnv4
  neighbor 137.172.0.3 activate
  neighbor 137.172.0.3 send-community extended
  no auto-summary
 exit-address-family
!
ip route vrf fw 0.0.0.0 0.0.0.0 202.61.12.242

On PE2:

ip vrf wholesaler1
 rd 10:10
 route-target export 10:10
 route-target export 10:99
 route-target import 10:10
 route-target import 10:1
!
ip vrf wholesaler2
 rd 10:11
 route-target export 10:11
 route-target export 10:99
 route-target import 10:11
 route-target import 10:1
!
! Use the same BGP AS on your routers.. use RR if needed
!
router bgp 18192
 neighbor 137.172.0.2 remote-as 18192
 neighbor 137.172.0.2 update-source lo0
 !
 ! and the rest of your bgp-config
 !
 address-family vpnv4
  neighbor 137.172.0.2 activate
  neighbor 137.172.0.2 send-community extended
  no auto-summary
 exit-address-family
!

Did it help?

Hi Johansens,

Thanks for your reply. I am going to configure according to your suggestion, but did you mean that by doing the above config I will be able to ping all customers' CEs from the Alteon switch or from the firewall?

So on PE1 I only configure the FW VRF and forward it through VLAN200, and on PE2 I configure a different VRF for each customer and forward it to its respective VLAN. Am I right?

I referred to the Alteon switch as if it has a Layer 3 routing function. It's the Layer 3 next hop, and it and its associated upstream next hops will be able to ping all the customers' CEs and networks.

Yes, on PE1 it's the central VRF (fw), and on PE2 the different customer VRFs into their respective VLANs.

Did it help?

Hi Johansens,

Once again, thanks for your reply. Yes, you are right; the Alteon switch has a Layer 3 routing function. After applying the above configuration I am able to ping all customers from the Alteon switch, but I am not able to ping the Alteon switch or upstream devices from a customer's device. From the customer's point of view, when I run show ip route I get only the default BGP route:

B* 0.0.0.0/0 [20/0]

I think this is alright, but I am not able to ping the Alteon switch.

Can you explain why this happens?

Hi again,

First of all, do this:

On PE1:

router bgp 18192
 address-family vpnv4
  neighbor 137.172.0.3 next-hop-self
 exit-address-family

On PE2:

router bgp 18192
 address-family vpnv4
  neighbor 137.172.0.2 next-hop-self
 exit-address-family

And try again.

If you can't ping the 202.61.12.242 address from the CEs, but you can ping the CEs from the 202.61.12.242 address, then there is something strange going on.

From: http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac253/packet_service_provider_solution0900aecd800e015f.html

MPLS VPN Forwarding—Basic troubleshooting steps

So, you have received a report of a VPN traffic outage:

1. First, verify "VRF ping" from PE1 to PE2.

2. If it passed, then either CE->PE or PE->CE might be the problem, so it is not an MPLS core problem. Stop and check whether the packets are getting dropped by the ingress LC on the PE.

3. If it failed, then the MPLS core might be the problem. Proceed.

4. "Ping" from the ingress PE to the egress PE to verify IP reachability.

5. If it failed, STOP and verify the route to the egress PE hop by hop.

6. If it passed, traceroute PE1->PE2 and PE2->PE1 to ensure the PE-to-PE LSP is set up.

7. Check for the labels in each line of the traceroute output (watch out for PHP).

8. If the traceroute fails for some reason, stop and verify the label on every hop.

9. If it is good, the problem might be very specific to the HW on either the PE or P routers. Find out if the HW is dropping the packets.

Did it help?
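The following is an added example, not code from this thread or from Cisco. It is a small Python model of the central-services VRF design johansens proposed (fw VRF importing 10:99 and exporting 10:1, customer VRFs doing the reverse) together with the two-way reachability that the later replies are troubleshooting. It builds each VRF's table from the route-target values in the thread, checks that the customer VRFs stay isolated from each other, and follows a packet in both directions between a CE and the firewall-side address 202.61.12.242. The RDs, RTs and /30 transit subnets are the thread's; the customer LAN prefixes are constructed, and both customers deliberately use the same 192.168.1.0/24 to show a caveat of the design that the thread does not mention: the central VRF can import overlapping customer prefixes, but it can only install one of them, so return traffic to the other customer has no usable route.

```python
"""Added example: model of RT import/export and two-way reachability for the
central-services (hub) VRF design discussed in the thread. Pure Python."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    name: str               # e.g. "pe1:fw"
    rd: str                 # route distinguisher: keeps overlapping prefixes distinct
    import_rts: frozenset   # values from "route-target import ..."
    export_rts: frozenset   # values from "route-target export ..."
    local: tuple            # prefixes this VRF originates (connected or static)


def vpnv4_table(vrfs):
    """PE-wide VPNv4 table: (RD, prefix) -> (origin VRF, export RTs)."""
    return {(v.rd, p): (v.name, v.export_rts) for v in vrfs for p in v.local}


def vrf_routes(vrf, table):
    """Routes installed in one VRF: its own, plus every VPNv4 route carrying at
    least one RT the VRF imports. Returns {prefix: set of origin VRFs}."""
    routes = {p: {vrf.name} for p in vrf.local}
    for (_rd, prefix), (origin, rts) in table.items():
        if origin != vrf.name and rts & vrf.import_rts:
            routes.setdefault(prefix, set()).add(origin)
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns the origin VRFs of the best prefix. More
    than one origin means overlapping imports, and BGP will silently pick one."""
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in routes if ip in ipaddress.ip_network(p)]
    best = max(nets, key=lambda n: n.prefixlen, default=None)
    return set(routes[str(best)]) if best else set()


def customer_leaks(vrfs, customers):
    """Isolation check: pairs of customer VRFs that can see each other's routes.
    An empty list means the hub-and-spoke RTs are doing their job."""
    table = vpnv4_table(vrfs)
    by_name = {v.name: v for v in vrfs}
    return [(a, b) for a in customers for b in customers if a != b
            and any(b in o for o in vrf_routes(by_name[a], table).values())]


def path(vrfs, src_vrf, dst):
    """Follow a packet from src_vrf towards dst. A match on a prefix owned by
    another VRF means the packet is forwarded into that VRF across the MPLS
    core. Returns the VRFs traversed, or None if a lookup fails or is ambiguous."""
    table = vpnv4_table(vrfs)
    by_name = {v.name: v for v in vrfs}
    hops, cur = [src_vrf], src_vrf
    while True:
        origins = lookup(vrf_routes(by_name[cur], table), dst)
        if len(origins) != 1:
            return None              # no route, or overlapping routes
        nxt = origins.pop()
        if nxt == cur:
            return hops              # delivered out of a local interface
        if nxt in hops:
            return None              # routing loop between VRFs
        hops.append(nxt)
        cur = nxt


def both_ways(vrfs, a_vrf, a_ip, b_vrf, b_ip):
    """Reachability needs a forward and a return path; the symptom in the
    thread (firewall side pings CEs, CEs cannot ping back) is one side failing."""
    return path(vrfs, a_vrf, b_ip), path(vrfs, b_vrf, a_ip)


# RDs, RTs and transit /30s from the thread; customer LANs are constructed.
DESIGN = [
    Vrf("pe1:fw", "10:1", frozenset({"10:99"}), frozenset({"10:1"}),
        ("202.61.12.240/30", "0.0.0.0/0")),   # link to the Alteon, static default
    Vrf("pe2:wholesaler1", "10:10", frozenset({"10:10", "10:1"}),
        frozenset({"10:10", "10:99"}), ("202.61.15.64/30", "192.168.1.0/24")),
    Vrf("pe2:wholesaler2", "10:11", frozenset({"10:11", "10:1"}),
        frozenset({"10:11", "10:99"}), ("202.61.15.68/30", "192.168.1.0/24")),
]
CUSTOMERS = ("pe2:wholesaler1", "pe2:wholesaler2")
ALTEON = "202.61.12.242"   # firewall-side next hop used in the thread

if __name__ == "__main__":
    print("customer-to-customer leaks:", customer_leaks(DESIGN, CUSTOMERS))
    # CE address on the /30 towards PE2: resolves in both directions
    print(both_ways(DESIGN, "pe2:wholesaler1", "202.61.15.66", "pe1:fw", ALTEON))
    # host on the overlapping LAN: the return lookup in fw is ambiguous
    print(both_ways(DESIGN, "pe2:wholesaler1", "192.168.1.10", "pe1:fw", ALTEON))
```

With the thread's values the customers cannot see each other and the CE-to-Alteon path resolves both ways, so the asker's symptom is not explained by the RT layout itself. The same check flags the two mistakes that do break the design: a customer VRF that imports the collector RT 10:99 (it then sees every other customer's routes), and overlapping customer address space behind the shared firewall VRF.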