08-07-2011 03:28 AM - edited 03-04-2019 01:12 PM
Hi
We have the requirement to set up a public wifi access point for customers.
To set up the public wifi network and ensure it is completely separated from our corporate network, we have chosen to use a VRF at both the data center side and the branch office side. Between the data center and the branch office we are going to run a GRE tunnel within our WAN.
So far we have configured the VRF, public interface and the tunnel. From the branch office and data center we can ping both ends of the tunnel, and on the data center side we can ping our upstream; however, once we set up the default route on the branch VRF we cannot ping any network aside from the VRF network 172.12.1.0.
Any help or suggestions greatly appreciated.
Extracted configuration below:
Router 2 (Branch)
---------------------------------
interface Tunnel0
ip vrf forwarding PublicNet
ip address 172.16.1.2 255.255.255.252
ip tcp adjust-mss 1436
tunnel source 192.168.53.1
tunnel destination 192.168.50.4
end
!
ip route vrf PublicNet 0.0.0.0 0.0.0.0 Tunnel0 172.16.1.1
!
ip vrf PublicNet
description Public Network
!
Router 1 (Datacenter)
--------------------------------------------
interface FastEthernet0/1.903
encapsulation dot1Q 903
ip vrf forwarding PublicNet
ip address 202.xxx.xxx.xxx 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no cdp enable
!
interface Tunnel0
ip vrf forwarding PublicNet
ip address 172.16.1.1 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1436
tunnel source 192.168.50.4
tunnel destination 192.168.53.1
!
ip route vrf PublicNet 0.0.0.0 0.0.0.0 202.xxx.xxx.xxx (upstream)
08-07-2011 03:40 AM
Luke,
Are you suggesting that after you add the default route on the Branch router, it actually breaks the existing connectivity? Can you please provide the show ip route vrf PublicNet from your Branch router after the default route to the VRF is added? Also, after adding the default route, is it still possible to ping both ends of the tunnel?
On your data center site, the default route pointing to the 202.x.x.x next hop should use the keyword global - I do not see you using that in your configuration example, i.e. it should be like this:
ip route vrf PublicNet 0.0.0.0 0.0.0.0 202.x.x.x global
Best regards,
Peter
08-07-2011 03:51 AM
Hi Peter
I think the 202.x.x.x is already in the VRF, so there is no need for the global keyword:
Router 1 (Datacenter)
--------------------------------------------
interface FastEthernet0/1.903
encapsulation dot1Q 903
ip vrf forwarding PublicNet
ip address 202.xxx.xxx.xxx 255.255.255.0
I think, as you requested, show ip route could help to see what's going on when the default route is added.
When the default route is added, do the tunnels stay up? Can you still ping both ends of the tunnels?
I am just thinking whether it's a tunnel recursive routing problem and whether the tunnel vrf command is required.
08-07-2011 03:59 AM
Can you try to use the tunnel source as the interface, not the IP?
For example, tunnel source interface vlan x or fax/x on both ends, where the interface is the source interface of the GRE and the destination of the other end's GRE tunnel.
08-07-2011 04:00 AM
Hi Marwanshawi & Peter, and thanks for the response.
Marwanshawi is correct - we have the 202.xxx.xxx.xxx upstream in the VRF already.
Below is a sh ip route vrf PublicNet from both routers:
Branch Office
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
172.16.0.0/30 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Tunnel0
S* 0.0.0.0/0 [1/0] via 172.16.1.1, Tunnel0
Data Center
Gateway of last resort is 202.xxx.xxx.xxx to network 0.0.0.0
172.16.0.0/30 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Tunnel0
C 202.xxx.xxx.xxx/24 is directly connected, FastEthernet0/1.903
S* 0.0.0.0/0 [1/0] via 202.xxx.xxx.xxx
08-07-2011 04:09 AM
Thanks marwanshawi
Just tried changing the tunnel source to the actual interfaces as mentioned, with no luck.
From each router I can ping either end of the tunnel OK.
What is strange is that from the Branch Router I can ping the IP of FastEthernet0/1.903 (part of the VRF & the internet interface) located on the data center's router; however, nothing else apart from that IP which is assigned to the FastEthernet0/1.903 interface.
Branch Router
ping vrf PublicNet 202.xxx.xxx.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.xxx.xxx.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/32 ms
ping vrf PublicNet 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/28 ms
Data Center
interface FastEthernet0/1.903
encapsulation dot1Q 903
ip vrf forwarding PublicNet
ip address 202.xxx.xxx.199 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
end
---EDIT----
Forgot to add a traceroute - tracing from the branch to, say, google.com I can see the packet hitting the data center tunnel interface, then nothing.
traceroute vrf PublicNet 74.125.237.19
Type escape sequence to abort.
Tracing the route to 74.125.237.19
1 172.16.1.1 40 msec 36 msec 24 msec
2 * * *
3 * * *
4 * * *
Message was edited by: Luke Fuller
08-07-2011 04:24 AM
Quick question: is this to go out to the internet? If yes, do you need to NAT in the DC before you send it to the internet over 202.x.x.x?
08-07-2011 04:27 AM
Ahh. Forgot NAT - however, I should be able to get basic connectivity without NAT?
Also, is setting up NAT in a VRF much different from a standard NAT setup?
08-07-2011 04:36 AM
Example:
ip nat pool POOL1 202.x.x.1 202.x.x.1 prefix-length 24
ip nat inside source route-map map1 pool POOL1 vrf PublicNet overload
access-list 10 permit <your-wifi-internal-network> <wildcard-mask>
route-map map1 permit 10
match ip address 10
And do not forget to put ip nat inside on the tunnel interface and ip nat outside on the outside interface of the DC device.
HTH
If helpful, rate.
08-07-2011 04:45 AM
By the way,
I notice in the routing table of the DC:
Data Center
Gateway of last resort is 202.xxx.xxx.xxx to network 0.0.0.0
172.16.0.0/30 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Tunnel0
C 202.xxx.xxx.xxx/24 is directly connected, FastEthernet0/1.903
S* 0.0.0.0/0 [1/0] via 202.xxx.xxx.xxx
there are only connected and default routes; there is no route pointing to the tunnel interface for the branch networks.
You need to have a routing protocol or a static route in the DC pointing to the branch tunnel interface as next hop for the branch subnets that are part of your VRF/wifi! Otherwise the internal subnet won't be able to get the traffic back from the DC.
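The NAT post and the return-route post above, combined into one DC-side configuration as an added example (not a config from the thread). It assumes the guest wifi subnet is 172.12.1.0/24 as quoted in the question, uses interface overload instead of the pool form, and uses <UPSTREAM-NEXT-HOP> and Vlan10 as placeholders.

```ios
! Data center router (Router 1). Added example, not config from the thread.
! Assumptions: guest wifi subnet 172.12.1.0/24 (as quoted in the question),
! <UPSTREAM-NEXT-HOP> is a placeholder for the 202.xxx.xxx.xxx upstream gateway.
ip vrf PublicNet
 description Public Network
!
! Outside: the public /24 in the VRF. Return traffic from the Internet lands here.
interface FastEthernet0/1.903
 encapsulation dot1Q 903
 ip vrf forwarding PublicNet
 ip address 202.xxx.xxx.199 255.255.255.0
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Inside: the GRE tunnel to the branch. Endpoints live in the global table,
! so no "tunnel vrf" is needed; only the tunnel's IP address is in PublicNet.
interface Tunnel0
 ip vrf forwarding PublicNet
 ip address 172.16.1.1 255.255.255.252
 ip nat inside
 ip tcp adjust-mss 1436
 tunnel source 192.168.50.4
 tunnel destination 192.168.53.1
!
! Translate only the guest subnet; anything else reaching the VRF is left untranslated.
access-list 10 permit 172.12.1.0 0.0.0.255
route-map GUEST-NAT permit 10
 match ip address 10
!
! PAT onto the outside interface address (interface form instead of the pool
! used in the post above; both forms are valid).
ip nat inside source route-map GUEST-NAT interface FastEthernet0/1.903 vrf PublicNet overload
!
! Return route for the branch guest subnet via the tunnel (the route the DC table lacked).
ip route vrf PublicNet 172.12.1.0 255.255.255.0 Tunnel0 172.16.1.2
ip route vrf PublicNet 0.0.0.0 0.0.0.0 <UPSTREAM-NEXT-HOP>
!
! Branch router (Router 2): guest SVI placed in the VRF; Vlan10 is an assumed name.
interface Vlan10
 ip vrf forwarding PublicNet
 ip address 172.12.1.1 255.255.255.0
!
! Verify: translations should appear for guest hosts only.
! show ip nat translations vrf PublicNet
! show ip route vrf PublicNet
```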
08-07-2011 04:51 AM
Thanks marwanshawi
Just added the NAT as suggested by your post & sample config and this now works.
And thanks for the reminder re the subnet routes on the branch office side.
Much appreciated.
08-07-2011 04:56 AM
Glad to know that, and thanks for the rating.
08-07-2011 05:07 AM
Hi Marwan,
Good work!
Best regards,
Peter
08-07-2011 05:39 AM
Thanks Peter
08-07-2011 10:41 PM
Will this work on a standard 3560 switch?