Hi Peter,

In first case, where it happens to work is i had a switch in which its one interface is configured as VRF RED and other interface of the switch is connected to firewall (which is in global routing domain). What i have done is configured static route for each VRF subnet in VRF domain and it results in routing entry of VRF routes in Global routing table. Also i had Global routing prefixes are configured via Static routes in VRF routing table. e.g.

Switch Interfaces

10.0.56.5 255.255.255.252 ( VRF RED) Int gi1/0/1 ( Connected to VRF Interface on Core switch)

10.0.56.129 255.255.255.128 Fa1/0/1 connected to Firewall)

Routes configured on switch are:

ip route 10.0.56.5 255.255.255.252 gi1/0/1

ip route vrf RED 10.0.56.128 255.255.255.128 fa1/0/1 10.0.56.130

This config works as it seems that the Switch is sitting in between VRF and Global routing table and allowing to enter the next hop ip address.

My problematic situation is say for example switch in above case is also having some connected vlan interfaces in global routing domain. and i enter the commamds as follow

ip route vrf RED 10.0.110.0 255.255.255.0 vlan 110 10.0.110.1

it doesn't ping, although it is present in VRF RED's routing table across the VRF domain via OSPF and reverse route entry in global routing table entry is also present configured via static routes.

Please let me know if you want further inputs.

I roamed around the forums and found that we can import the routes from global routing table to vrf via "BGP Support for ipv4 Prefix Import".

I can see the prefixes in switches vrf routing table as "B" via BGP and redistributed across the vrf ospf domain.

but still i doesnt pings from switch's global interface to interface in vrf.

Link for reference

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2273a/1

Regards

Hitesh Vinzoda

Hi Hitesh,

if 10.0.110.1 is the ip address of the switch itself, it's expected not to work.

You have two solutions:

- BGP import v4 route as describe in your link reference. You first need to redistribute your VLAN into BGP

- VRF select: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Service%20Providers&topic=MPLS&topicID=.ee8558c&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd353fc

You are talking about switched so not sure if those features are supported.

HTH

Laurent.

Hi Laurent,

Thanks for reply.

- BGP import v4 route as describe in your link reference. You first need to redistribute your VLAN into BGP

I have done it as illustrated in the post for redistribution vlan into BGP and than into OSPF instance of VRF. the Vlan subnets are propagated down the VRF. But could you help me out in leaking VRF routes in global routing table, Shall i proceed with the static routes as illustrated above...?

Im testing this setup on 3750 12.2 IP services, if successfull will be deployed on 4507R 12.2(50)SG1.

TIA

Hitesh Vinzoda

Laurent,

Wow. I did not know about this until you pointed it out. Thank you very much indeed!

Best regards,

Peter

Hitesh,

I gave it a few tries. The fact is that in a VRF, I can't define a static route pointing just to a global LAN interface because the IOS complains that it is not a point-to-point interface and therefore it needs a next-hop address. However, obviously, the BGP using the Prefix Import functionality is able to do it.

The solution with the BGP Prefix Import is probably the most clean here. However, you are saying that despite the routes being present in the VRF, you can not ping them.

I have configured three routers in a row called PC, R1 and R2. The network between PC and R1 is 192.168.12.0/24, the network between R1 and R2 is 10.0.23.0/24. This is a configuration that works for me:

On PC:

hostname PC

!

interface FastEthernet0/0

ip address 192.168.12.1 255.255.255.0

no shutdown

!

ip route 0.0.0.0 0.0.0.0 192.168.12.2

R1:

hostname R1

!

ip vrf V1

rd 1:1

import ipv4 unicast map RM_Conn

!

interface Loopback0

ip address 10.255.255.1 255.255.255.255

ip ospf 1 area 0

!

interface FastEthernet0/0

ip vrf forwarding V1

ip address 192.168.12.2 255.255.255.0

no shutdown

!

interface FastEthernet0/1

ip address 10.0.23.2 255.255.255.0

ip ospf 1 area 0

no shutdown

!

router ospf 1

redistribute static subnets

!

router bgp 64512

redistribute connected

!

ip route 192.168.12.0 255.255.255.0 FastEthernet0/0

!

route-map RM_Conn permit 10

On R2:

hostname R2

!

interface Loopback0

ip address 10.255.255.2 255.255.255.255

ip ospf 1 area 0

!

interface FastEthernet0/1

ip address 10.0.23.3 255.255.255.0

ip ospf 1 area 0

no shutdown

Note that on R1, I have a static route in global table pointing to the VRF network between PC and R1 and I redistribute it into OSPF so that R2 knows about it.

Now, from PC, observe these pings:

PC#ping 10.255.255.1 ! Pinging the lo0 on R1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.255.255.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

PC#ping 10.0.23.2 ! Pinging the Fa0/1 on R1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.23.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

PC#ping 10.0.23.3 ! Pinging the Fa0/1 on R2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.23.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

Here, I am pinging two directly connected interfaces on R1 - the lo0 and the Fa0/1. I am also pinging the Fa0/1 on R2 to test the reachability beyond R1. As you can see, the pings are successful.

PC#ping 10.255.255.2 ! Pinging the lo0 on R2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.255.255.2, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

The last ping does not work because on R1, the VRF V1 does not contain route to lo0 on R2 - I have not imported nor defined it, so it is normal that it does not work.

Can you compare your configuration with this one?

Best regards,

Peter

Hi Peter,

I will give a try with the config you just posted. can you please tell me what we are matching under route-map in R1's config?

route-map RM_Conn permit 10

is it prefixes or interfaces..?

Regards

Hitesh Vinzoda

Hello,

That route-map is empty and works simply as "permit any" for the sake of simplicity here.

If you were to implement a selective route-map, you should use a prefix list or an ACL in the route-map. I am not sure if the route-map can refer to interfaces because it basically filters networks that are present in the BGP database. Give it a try :)

Best regards,

Peter

Hi Peter,

As i m at home i dont have access to Lab equipments. but the config looks this below and attached is the topology for your reference

ip vrf vendor

import ipv4 unicast map GLOBAL

router bgp 1

redistribute connected route-map CONNECTED_BGP

address-family ipv4 vrf vendor

interface vlan 110

ip address 10.0.110.1 255.255.255.0

ip prefix-list GLOBAL permit 10.0.110.1/24

route-map CONNECTED_BGP

match interface vlan 110

route-map GLOBAL

match ip address prefix GLOBAL

int vlan 70

ip vrf forwading vendor

ip address 10.0.70.4 255.255.255.0

router ospf 10 vrf vendor

network 10.0.70.4 255.255.255.0 area 0

ip route 10.0.70.0 255.255.255.0 vlan 70

ip route 10.0.255.1 255.255.255.0 vlan 70 (interface down the vrf)

TIA

Hitesh Vinzoda

Hitesh,

Can you please also describe where are the PCs located when you are trying to do that ping, and what exact IP address are you trying to ping? I am trying to visualize the entire path from the PC to the destination IP and back to the PC.

Best regards,

Peter

Im trying with extended ping from source as vlan 110 on vrf switch (ref Diag) and destination address as 10.0.255.2 ( in vrf)

Regards

Hitesh Vinzoda

Hi Peter and Laurent,

After comments from both of you. I was able to successfully ping the vrf interface from GRT. The functional config is posted below,

Many thanks to both of you for helping me on this issue. One more question before we end this discussion. My vlan 110 is in GRT and is functional and i m going to change it as suggested by Laurent (ip vrf receive vrf-name). I think that it is not going to impact any connectivity issues for vlan 110 in GRT. please advice

Regards

Hitesh Vinzoda

Functional config

==================

ip routing

!

!

ip vrf SAS

rd 100:1

!

vlan 70,109-110,200,251

!

interface GigabitEthernet1/0/2

!

interface Vlan1

no ip address

shutdown

!

interface Vlan70

ip vrf forwarding SAS

ip address 10.4.70.4 255.255.255.0

!

interface Vlan110

ip vrf select source

ip vrf receive SAS

ip address 10.4.110.1 255.255.255.0

!

router ospf 10 vrf SAS

log-adjacency-changes

redistribute connected subnets

network 10.4.70.0 0.0.0.255 area 0

IDC-TEST#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets

C 10.4.110.0 is directly connected, Vlan110

IDC-TEST#sh ip route vr

IDC-TEST#sh ip route vrf SAS

Routing Table: SAS

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C 10.4.70.0/24 is directly connected, Vlan70

C 10.4.110.0/24 is directly connected, Vlan110

O 10.4.255.0/30 [110/2] via 10.4.70.2, 00:03:27, Vlan70

IDC-TEST#sh ip route sta

IDC-TEST#sh ip route static

IDC-TEST#

IDC-TEST#ping vrf SAS

Protocol [ip]:

Target IP address: 10.4.255.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 10.4.110.1

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.4.255.2, timeout is 2 seconds:

Packet sent with a source address of 10.4.110.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

IDC-TEST#

Hi Hitesh,

I am glad you got it working. If it works for you I would personally say that you can go with it but as I do not have enough experiences with the VRF Source Select feature I would like ask Laurent to give his final opinion here.

Best regards,

Peter