
Datacenter to branch GRE Tunnel and VRF

Luke Fuller

Level 1

Hi

We have the requirement to setup a public wifi access point for customers.

To set up the public wifi network and ensure it is completely separated from our corporate network we have chosen to use a VRF at both the data center side and the branch office side. Between the data center and the branch office we are going to run a GRE tunnel within our WAN.

So far we have configured the VRF, the public interface and the tunnel - from the branch office and the data center we can ping both ends of the tunnel, and on the data center side we can ping our upstream; however, once we set up the default route on the branch VRF we cannot ping any network aside from the VRF network 172.12.1.0.

Any help or suggestions greatly appreciated

Extracted configuration below;

Router 2 (Branch)

---------------------------------

interface Tunnel0

ip vrf forwarding PublicNet

ip address 172.16.1.2 255.255.255.252

ip tcp adjust-mss 1436

tunnel source 192.168.53.1

tunnel destination 192.168.50.4

end

!

ip route vrf PublicNet 0.0.0.0 0.0.0.0 Tunnel0 172.16.1.1

!

ip vrf PublicNet

description Public Network

!

Router 1 (Datacenter)

--------------------------------------------

interface FastEthernet0/1.903

encapsulation dot1Q 903

ip vrf forwarding PublicNet

ip address 202.xxx.xxx.xxx 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip virtual-reassembly

no cdp enable

!

interface Tunnel0

ip vrf forwarding PublicNet

ip address 172.16.1.1 255.255.255.252

ip virtual-reassembly

ip tcp adjust-mss 1436

tunnel source 192.168.50.4

tunnel destination 192.168.53.1

!

ip route vrf PublicNet 0.0.0.0 0.0.0.0 202.xxx.xxx.xxx (upstream)

16 Replies

Peter Paluch

Cisco Employee

Luke,

Are you suggesting that after you add the default route on the Branch router, it actually breaks the existing connectivity? Can you please provide the show ip route vrf PublicNet from your Branch router after the default route to the VRF is added? Also, after adding the default route, is it still possible to ping both ends of the tunnel?

On your data center site, the default route pointing to the 202.x.x.x next hop should use the keyword global - I do not see you using that in your configuration example, i.e. it should be like this:

ip route vrf PublicNet 0.0.0.0 0.0.0.0 202.x.x.x global

Best regards,

Peter

Hi Peter

I think the 202.x.x.x is already in the VRF, so there is no need for the global keyword:

Router 1 (Datacenter)

--------------------------------------------

interface FastEthernet0/1.903

encapsulation dot1Q 903

ip vrf forwarding PublicNet

ip address 202.xxx.xxx.xxx 255.255.255.0

I think, as you requested, show ip route could help to see what's going on when the default route is being added.

When the default route is added, do the tunnels stay up? Can you still ping both ends of the tunnel?

I am just thinking whether it's a tunnel recursive routing problem and whether the tunnel vrf command is required.

Can you try to use the tunnel source as the interface, not the IP?

For example, tunnel source interface Vlan x or Fa x/x on both ends, where the interface is the source interface of the GRE and the destination of the other end's GRE tunnel.

Hi Marwanshawi & Peter, and thanks for the response.

Marwanshawi is correct - we have the 202.xxx.xxx.xxx upstream in the VRF already.

Below is the sh ip route vrf PublicNet output from both routers:

Branch Office

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

     172.16.0.0/30 is subnetted, 1 subnets

C       172.16.1.0 is directly connected, Tunnel0

S*   0.0.0.0/0 [1/0] via 172.16.1.1, Tunnel0

Data Center

Gateway of last resort is 202.xxx.xxx.xxx to network 0.0.0.0

     172.16.0.0/30 is subnetted, 1 subnets

C       172.16.1.0 is directly connected, Tunnel0

C    202.xxx.xxx.xxx/24 is directly connected, FastEthernet0/1.903

S*   0.0.0.0/0 [1/0] via 202.xxx.xxx.xxx

Thanks marwanshawi

Just tried changing the tunnel source to the actual interfaces as mentioned, with no luck.

From each router I can ping either end of the tunnel OK.

What is strange is that from the Branch Router I can ping the IP of FastEthernet0/1.903 (part of the VRF & the internet interface) located on the data center's router; however, nothing else apart from that IP, which is assigned to the FastEthernet0/1.903 interface.

Branch Router

ping vrf PublicNet 202.xxx.xxx.199

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 202.xxx.xxx.199, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/32 ms

ping vrf PublicNet 172.16.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/28 ms

Data Center

interface FastEthernet0/1.903

encapsulation dot1Q 903

ip vrf forwarding PublicNet

ip address 202.xxx.xxx.199 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

no cdp enable

end

---EDIT----

Forgot to add a traceroute - tracing from the branch to, say, google.com, I can see the packet hitting the data center tunnel interface, then nothing.

traceroute vrf PublicNet 74.125.237.19

Type escape sequence to abort.

Tracing the route to 74.125.237.19

  1 172.16.1.1 40 msec 36 msec 24 msec

  2  *  *  *

  3  *  *  *

  4  *  *  *

Message was edited by: Luke Fuller

Quick question: is this to go out to the internet? If yes, do you need to NAT in the DC before you send it to the internet over 202.x.x.x?

Ahh. Forgot NAT - however, I should be able to get basic connectivity without NAT?

Also, is setting up NAT in a VRF much different from a standard NAT setup?

Example:

ip nat pool POOL1 202.x.x.1 202.x.x.1 prefix-length 24

ip nat inside source route-map map1 pool POOL1 vrf PublicNet overload

access-list 10 permit <your wifi internal range>

route-map map1 permit 10

 match ip address 10

And do not forget to put ip nat inside on the tunnel interface and ip nat outside on the outside interface of the DC device.

HTH

if helpful Rate

By the way,

I notice in the routing table of the DC:

Data Center

Gateway of last resort is 202.xxx.xxx.xxx to network 0.0.0.0

     172.16.0.0/30 is subnetted, 1 subnets

C       172.16.1.0 is directly connected, Tunnel0

C    202.xxx.xxx.xxx/24 is directly connected, FastEthernet0/1.903

S*   0.0.0.0/0 [1/0] via 202.xxx.xxx.xxx

there are only connected and default routes; there is no route pointing to the tunnel interface for the branch networks.

You need to have a routing protocol or a static route in the DC pointing to the branch tunnel interface as the next hop for the branch subnets that are part of your VRF/wifi! Otherwise the internal subnet won't be able to get the traffic back from the DC.
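The two fixes raised in the last two replies (VRF-aware NAT on the DC router, and a return route in the DC VRF table for the branch wifi subnet) as one complete, added configuration for both routers. This is an added example, not configuration posted in the thread. It assumes a branch wifi client subnet of 10.99.0.0/24 on Vlan99 (the thread never states the client subnet) and reuses the addresses the thread already shows; the elided upstream next hop is left as 202.xxx.xxx.xxx. The NAT rule uses the outside interface address with overload instead of a separate pool, which is the same VRF-aware form of the command with the interface keyword.

```cisco
! Added example, not from the thread. Assumed: branch wifi subnet 10.99.0.0/24
! on Vlan99. Addresses 202.xxx.xxx.199, 172.16.1.x, 192.168.50.4 and
! 192.168.53.1 are taken from the posted configuration.
!
! ===== Router 1 (Datacenter) =====
ip vrf PublicNet
 description Public Network
!
interface FastEthernet0/1.903
 encapsulation dot1Q 903
 ip vrf forwarding PublicNet
 ip address 202.xxx.xxx.199 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no cdp enable
!
interface Tunnel0
 ip vrf forwarding PublicNet
 ip address 172.16.1.1 255.255.255.252
 ip nat inside
 ip tcp adjust-mss 1436
 tunnel source 192.168.50.4
 tunnel destination 192.168.53.1
!
! Only the wifi client subnet is eligible for translation. Anything else that
! arrives over the tunnel with another source address is simply not NATed,
! so it cannot be leaked to the internet under the DC public address.
access-list 10 permit 10.99.0.0 0.0.0.255
!
route-map map1 permit 10
 match ip address 10
!
! VRF-aware PAT: wifi sources are translated to the outside interface address.
ip nat inside source route-map map1 interface FastEthernet0/1.903 vrf PublicNet overload
!
! Default route for the VRF toward the ISP. No "global" keyword: the upstream
! interface itself is in vrf PublicNet, so the next hop is resolved in the VRF.
ip route vrf PublicNet 0.0.0.0 0.0.0.0 202.xxx.xxx.xxx
!
! Return route. Without it the DC VRF table holds only connected routes and
! the default, so replies to 10.99.0.0/24 have no path back into the tunnel.
ip route vrf PublicNet 10.99.0.0 255.255.255.0 Tunnel0 172.16.1.2
!
! ===== Router 2 (Branch) =====
ip vrf PublicNet
 description Public Network
!
! Assumed wifi client interface; it must be in the VRF, not the global table.
interface Vlan99
 description Public wifi clients (assumed)
 ip vrf forwarding PublicNet
 ip address 10.99.0.1 255.255.255.0
!
interface Tunnel0
 ip vrf forwarding PublicNet
 ip address 172.16.1.2 255.255.255.252
 ip tcp adjust-mss 1436
 tunnel source 192.168.53.1
 tunnel destination 192.168.50.4
!
ip route vrf PublicNet 0.0.0.0 0.0.0.0 Tunnel0 172.16.1.1
```

To check the result, confirm the branch subnet appears in show ip route vrf PublicNet on the DC router, run ping vrf PublicNet from a branch wifi address toward an internet host, and look for the resulting entries in show ip nat translations vrf PublicNet. Note that the separation here is routing separation only: the GRE tunnel carries the wifi traffic across the corporate WAN in the global table unencrypted, and nothing in this configuration filters what the public clients can reach before they are translated, so an inbound ACL on the DC Tunnel0 (or on the branch Vlan99) is still needed if the corporate 192.168.x.x transport addresses or other VRF-internal addresses must not be reachable from the guest network.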

Thanks marwanshawi

Just added the NAT as suggested by your post & sample config and this now works.

And thanks for the reminder re the subnet routes on the branch office side.

Much appreciated.

Glad to know that, and thanks for the rating.

Hi Marvan,

Good work!

Best regards,

Peter

Thanks Peter

Will this work on a standard 3560 switch?
