Inter-VLAN routing between VLAN interfaces in different VRFs

tim-armstrong
Level 1
I am trying to allow clients in vrf 'I' and vrf 'V' to access a NTP server in vrf 'NTP'.  With my current configuration this is not working.  For example, and likewise for all other clients, 'VRF-I-Client-1' (10.1.31.100) can ping the SVI for VLAN 50 in vrf NTP (10.3.50.254), but CANNOT ping the 'NTP-Server' within that same subnet (10.3.50.201).  
 
Interestingly enough, I can ping the NTP server from the switch using the vrf I routing table when sourcing the ping from vlan31, but can't ping from a client attached to vlan31.  Is this normal behavior? Ping results are shown below.
 
Question:  How can I modify my configuration (or concept) to allow all clients in vrf I and vrf V to access the NTP-server?  Is this normal behavior of my configuration, or is this a GNS3 issue or an IOS/IOU issue?
 
I have included the ping results, routing tables for each vrf, and the running config.  I have implemented vrf-lite with import/export statements in the vrf definitions to share routes and am using BGP to redistribute connected.    
 
 
VLAN/VRFs
VLAN 50 SVI is associated with vrf NTP (10.3.50.254)
VLAN 31 SVI is associated with vrf I (10.1.31.254)
VLAN 32 SVI is associated with vrf V (10.1.32.254)
 
endpoints:
NTP Server - 10.3.50.201 /24
 
VRF-I-client 1 - 10.1.31.100
VRF-I-client 2 - 10.1.31.101
 
VRF-V-client 1 - 10.1.32.100
VRF-V-client 2 - 10.1.32.101
 
 
GNS3 environment:
GNS3 version:  2.1.21
GNS3 running on Ubuntu Linux
 
This example GNS3 architecture is a simplified mock-up of a larger environment I have, to focus on a single issue with inter-VLAN routing between VLANs in different VRFs.
[Image: architecture.png]
 
ping results:
 
ping NTP-Server from L3-Switch source vlan31 (Success)
L3-Switch#ping vrf I 10.3.50.201 source vlan31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.50.201, timeout is 2 seconds:
Packet sent with a source address of 10.1.31.254
!!!!!
 
ping NTP-Server from L3-Switch source vlan32 (Success)
L3-Switch#ping vrf V 10.3.50.201 source vlan32
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.50.201, timeout is 2 seconds:
Packet sent with a source address of 10.1.32.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
 
ping VLAN 50 SVI from VRF-I-Client-1 (Success)
VPCS> ping 10.3.50.254
84 bytes from 10.3.50.254 icmp_seq=1 ttl=255 time=0.395 ms
84 bytes from 10.3.50.254 icmp_seq=2 ttl=255 time=0.540 ms
 
ping NTP-Server from VRF-I-Client-1 (FAIL)
VPCS> ping 10.3.50.201
10.3.50.201 icmp_seq=1 timeout
10.3.50.201 icmp_seq=2 timeout
 
L3-Switch#show ip route vrf NTP
 
Routing Table: NTP
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
...
Gateway of last resort is not set
 
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B        10.1.31.0/24 is directly connected, 07:08:00, Vlan31
L        10.1.31.254/32 is directly connected, Vlan31
B        10.1.32.0/24 is directly connected, 07:00:53, Vlan32
L        10.1.32.254/32 is directly connected, Vlan32
C        10.3.50.0/24 is directly connected, Vlan50
L        10.3.50.254/32 is directly connected, Vlan50
 
 
L3-Switch#show ip route vrf I  
 
Routing Table: I
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
...
 
Gateway of last resort is not set
 
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.1.31.0/24 is directly connected, Vlan31
L        10.1.31.254/32 is directly connected, Vlan31
B        10.3.50.0/24 is directly connected, 07:08:32, Vlan50
L        10.3.50.254/32 is directly connected, Vlan50
 
 
L3-Switch#show ip route vrf V
 
Routing Table: V
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
...
 
Gateway of last resort is not set
 
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.1.32.0/24 is directly connected, Vlan32
L        10.1.32.254/32 is directly connected, Vlan32
B        10.3.50.0/24 is directly connected, 07:09:28, Vlan50
L        10.3.50.254/32 is directly connected, Vlan50
 
 
Running Config L3-Switch
......
!
vrf definition I
description Virtual Router I
rd 65000:11
!
address-family ipv4
 route-target export 6500:11
 route-target import 6500:50
exit-address-family
!
vrf definition NTP
description Virtual Router NTP to all devices
rd 65000:50
!
address-family ipv4
 route-target export 6500:50
 route-target import 6500:11
 route-target import 6500:12
exit-address-family
!
vrf definition V
description Virtual Router V
rd 65000:12
!
address-family ipv4
 route-target export 6500:12
 route-target import 6500:50
exit-address-family
!
no aaa new-model
clock timezone EST -5 0
!
!
!
!
!
vtp domain sitex
vtp mode transparent
udld aggressive
 
no ip icmp rate-limit unreachable
!
!
!
no ip domain-lookup
ip domain-name sitex.af.mil
ip cef
no ipv6 cef
authentication mac-move permit
!
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 31
name A1-I
!
vlan 32
name A1-V
!
vlan 50
name NTP
!
vlan 99
name PARKING
!
 
vlan 200
name NATIVE
no cdp run
!
ip tcp synwait-time 5
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
!
!
!
interface Ethernet0/0
description Link to SW-A1
switchport trunk allowed vlan 31,32,101
switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/1
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/2
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/3
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet1/0
description NTP-D
switchport access vlan 50
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet1/1
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet1/2
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet1/3
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet2/0
description VRF-I-Client
switchport access vlan 31
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet2/1
description VRF-I-Client-2
switchport access vlan 31
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet2/2
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet2/3
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet3/0
description VRF-V-Client-1
switchport access vlan 32
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet3/1
description VRF-V-Client-2
switchport access vlan 32
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet3/2
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet3/3
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan31
description A1-I
vrf forwarding I
ip address 10.1.31.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
!
interface Vlan32
description A1-V
vrf forwarding V
ip address 10.1.32.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
!
interface Vlan50
vrf forwarding NTP
ip address 10.3.50.254 255.255.255.0
!
interface Vlan99
description PARKING
no ip address
shutdown
!
 
router bgp 100
bgp log-neighbor-changes
!
address-family ipv4 vrf I
 redistribute connected
exit-address-family
!
address-family ipv4 vrf NTP
 redistribute connected
exit-address-family
!
address-family ipv4 vrf V
 redistribute connected
exit-address-family
!
ip forward-protocol nd
!
!
....
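The post's design is a hub-and-spoke leak: VRF NTP imports what I and V export, I and V import only what NTP exports, and 'redistribute connected' under each VRF address-family in 'router bgp' is what turns the SVI subnets into the 'B ... is directly connected' entries in the tables above. The script below is an added example, not code from the thread: it parses a constructed copy of the three 'vrf definition' blocks and the three VRF SVIs from the post, rebuilds each VRF's table under that leak model, prints a VRF-to-VRF reachability matrix (the segmentation check a reviewer wants, confirming I and V cannot reach each other through NTP), and lints the route-target values. The parser understands only that subset of IOS syntax; the 'redistribute connected' assumption is stated in the docstring.

```python
"""Model what the posted VRF-lite configuration leaks where.

Added example, not code from the thread. SAMPLE_CONFIG is a constructed
copy of the 'vrf definition' blocks and VRF SVIs from the post; the parser
handles only that subset of IOS syntax, and leaked_tables() assumes
'redistribute connected' under every VRF address-family in 'router bgp',
as the post shows.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
vrf definition I
 rd 65000:11
 address-family ipv4
  route-target export 6500:11
  route-target import 6500:50
 exit-address-family
vrf definition NTP
 rd 65000:50
 address-family ipv4
  route-target export 6500:50
  route-target import 6500:11
  route-target import 6500:12
 exit-address-family
vrf definition V
 rd 65000:12
 address-family ipv4
  route-target export 6500:12
  route-target import 6500:50
 exit-address-family
interface Vlan31
 vrf forwarding I
 ip address 10.1.31.254 255.255.255.0
interface Vlan32
 vrf forwarding V
 ip address 10.1.32.254 255.255.255.0
interface Vlan50
 vrf forwarding NTP
 ip address 10.3.50.254 255.255.255.0
"""


def parse(config):
    """Return (vrfs, connected): RD/RT sets per VRF, connected nets per VRF."""
    vrfs, connected = {}, defaultdict(list)
    vrf = iface = if_vrf = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"vrf definition (\S+)$", line):
            vrf, iface = m.group(1), None
            vrfs[vrf] = {"rd": None, "export": set(), "import": set()}
        elif m := re.match(r"interface (\S+)$", line):
            iface, vrf, if_vrf = m.group(1), None, "default"
        elif vrf and (m := re.match(r"rd (\S+)$", line)):
            vrfs[vrf]["rd"] = m.group(1)
        elif vrf and (m := re.match(r"route-target (export|import) (\S+)$", line)):
            vrfs[vrf][m.group(1)].add(m.group(2))
        elif iface and (m := re.match(r"vrf forwarding (\S+)$", line)):
            if_vrf = m.group(1)
        elif iface and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            connected[if_vrf].append((iface, net))
    return vrfs, connected


def leaked_tables(vrfs, connected):
    """Per-VRF table after redistribute connected + RT import: a prefix from
    VRF A shows up in VRF B when A exports an RT that B imports."""
    tables = {}
    for vrf, attrs in vrfs.items():
        rib = {net: ("C", vrf, iface) for iface, net in connected[vrf]}
        for origin, o_attrs in vrfs.items():
            if origin != vrf and o_attrs["export"] & attrs["import"]:
                for iface, net in connected[origin]:
                    rib.setdefault(net, ("B", origin, iface))
        tables[vrf] = rib
    return tables


def lookup(tables, vrf, dst):
    """Longest-prefix match of dst in one VRF's table; None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [n for n in tables[vrf] if dst in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def reachability(tables, connected):
    """{(src_vrf, dst_vrf): bool}: does src hold a route to every dst subnet?"""
    return {(src, dst): all(net in tables[src] for _, net in connected[dst])
            for src in tables for dst in tables}


def lint(vrfs):
    """Hygiene findings: an RT whose ASN part differs from the RD's (a typo
    that only stays harmless while every VRF makes the same one) and exports
    that no VRF imports."""
    findings = []
    imported = set().union(*(v["import"] for v in vrfs.values()))
    for name, v in vrfs.items():
        asn = v["rd"].split(":")[0] if v["rd"] else None
        for rt in sorted(v["export"] | v["import"]):
            if asn and rt.split(":")[0] != asn:
                findings.append(f"{name}: route-target {rt} does not use the RD's ASN {asn}")
        if not v["export"] & imported:
            findings.append(f"{name}: exports nothing that any VRF imports")
    return findings


if __name__ == "__main__":
    vrfs, connected = parse(SAMPLE_CONFIG)
    tables = leaked_tables(vrfs, connected)
    for vrf, rib in tables.items():
        print(f"Routing Table: {vrf}")
        for net in sorted(rib):
            code, origin, iface = rib[net]
            print(f"  {code} {net} via {iface} (origin VRF {origin})")
    for (src, dst), ok in sorted(reachability(tables, connected).items()):
        print(f"  {src:>3} -> {dst:<3}: {'reachable' if ok else 'isolated'}")
    for finding in lint(vrfs):
        print("lint:", finding)
```

The reachability matrix is the part worth keeping in a real review: it states in one place that the only cross-VRF paths are to and from NTP, which is exactly what should be true of a shared-service VRF. The lint flags the posted RD/RT prefix difference (65000 in the RDs, 6500 in every route-target); it works today only because the same value is used on both sides of every import/export pair.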
 
3 Replies

Giuseppe Larosa
Hall of Fame

Hello Tim,

Your VRF configurations are correct, as VRF NTP imports the route-target values exported by the other two VRFs and vice versa the other two import the RT of VRF NTP, and you have also configured MP-BGP for all the VRFs.

 

Verify on all emulated hosts including the VPCS the default gateway settings.

 

Edit:

Also, one of the emulated hosts may have a SW firewall running; this could explain the asymmetry in the ping results.

 

Hope to help

Giuseppe

 

Giuseppe,

Thanks very much for your response and feel better that you confirmed my import/exports and MP-BGP configurations.  I went to confirm a few things and did find a systemic issue with my config.  I have attached the entire running configuration as I added two new vlans with SVIs that are in the default VRF.  I added interfaces to clients in those two new VLANs (10, 20), thus removing any potential vrf issues from the picture. 

 

After testing, I am having the exact same issue.  From the client on vlan 10 (10.3.10.100), I can ping the local subnet SVI (10.3.10.254).  I can ping the SVI of vlan 20 (10.3.20.254).  But again I can't ping the client in vlan 20 (10.3.20.100).  Removing the VRF complexity, I still can't ping across VLANs from client to client.  I feel like I am missing something simple, but can't place it.

 

Do you see anything?  

 

Ping results - New tests

L3-Switch#ping 10.3.10.100 source vlan20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.10.100, timeout is 2 seconds:
Packet sent with a source address of 10.3.20.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

from VLAN20 Client (10.3.20.100)

VPCS> ping 10.3.10.254
84 bytes from 10.3.10.254 icmp_seq=1 ttl=255 time=1.747 ms
84 bytes from 10.3.10.254 icmp_seq=2 ttl=255 time=0.697 ms

 

# this is still not working...
VPCS> ping 10.3.10.100
10.3.10.100 icmp_seq=1 timeout
10.3.10.100 icmp_seq=2 timeout

 

RUNNING CONFIG

 


!
! Last configuration change at 09:17:29 EST Fri Aug 2 2019
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname L3-Switch
!
boot-start-marker
boot-end-marker
!
!
vrf definition I
description Virtual Router I
rd 65000:11
!
address-family ipv4
route-target export 6500:11
route-target import 6500:50
exit-address-family
!
vrf definition NTP
description Virtual Router NTP to all devices
rd 65000:50
!
address-family ipv4
route-target export 6500:50
route-target import 6500:11
route-target import 6500:12
exit-address-family
!
vrf definition V
description Virtual Router V
rd 65000:12
!
address-family ipv4
route-target export 6500:12
route-target import 6500:50
exit-address-family
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
clock timezone EST -5 0
!
!
!
!
!
vtp domain sitex
vtp mode transparent
udld aggressive

no ip icmp rate-limit unreachable
!
!
!
no ip domain-lookup
ip domain-name sitex.af.mil
ip cef
no ipv6 cef
authentication mac-move permit
!
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
name test-default
!
vlan 20
name test-default20
!
vlan 21
name A2-I
!
vlan 31
name A1-I
!
vlan 32
name A1-V
!
vlan 50
name NTP
!
vlan 99
name PARKING
!
!
vlan 200
name NATIVE
no cdp run
!
ip tcp synwait-time 5
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
description Link to SW-A1-904
switchport trunk allowed vlan 31,32,101
switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/1
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/2
switchport access vlan 99
switchport mode access
switchport nonegotiate
shutdown
duplex auto
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/3
switchport access vlan 99
switchport mode access
switchport nonegotiate
shutdown
duplex auto
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet1/0
description NTP-D
switchport access vlan 50
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet1/1
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet1/2
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet1/3
switchport access vlan 99
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
shutdown
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet2/0
description VRF-I-Client
switchport access vlan 31
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet2/1
description VRF-I-Client-2
switchport access vlan 31
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet2/2
description VRF-I-Client
switchport access vlan 21
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.7966.6805
switchport port-security
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet2/3
description VRF-I-Client
switchport access vlan 21
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet3/0
description VRF-V-Client-1
switchport access vlan 32
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet3/1
description VRF-V-Client-2
switchport access vlan 32
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet3/2
description default-vrf-vlan10
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.7966.6807
switchport port-security
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet3/3
description default-vrf-vlan20
switchport access vlan 20
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.7966.6806
switchport port-security
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan10
ip address 10.3.10.254 255.255.255.0
!
interface Vlan20
ip address 10.3.20.254 255.255.255.0
!
interface Vlan21
vrf forwarding I
ip address 10.2.21.254 255.255.255.0
!
interface Vlan31
description A1-I
vrf forwarding I
ip address 10.1.31.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
!
interface Vlan32
description A1-V
vrf forwarding V
ip address 10.1.32.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
no ip route-cache
!
interface Vlan50
vrf forwarding NTP
ip address 10.3.50.254 255.255.255.0
!
interface Vlan99
description PARKING
no ip address
shutdown
!


router bgp 100
bgp log-neighbor-changes
!
address-family ipv4 vrf I
redistribute connected
exit-address-family
!
address-family ipv4 vrf NTP
redistribute connected
exit-address-family
!
address-family ipv4 vrf V
redistribute connected
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
ip http authentication local
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

 

Thanks,
Tim 

 

Running config.  
Hello Tim,

Again, your multilayer switch configuration is fine, and even after removing VRFs from the network test you cannot ping client to client in different VLANs.

 

The possible issues here are on the emulated hosts:

a) check that every emulated host has the appropriate default gateway (the SVI IP address on the same VLAN)

b) check whether the emulated hosts have any form of SW firewall enabled that may prevent sending back the ICMP echo reply. If the emulated hosts are Windows based, check the Windows firewall settings; if they are Linux based, check iptables.

 

Hope to help

Giuseppe
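Both replies point at the end hosts (default gateway, host firewall), and the second test in the thread gives three data points to check any such theory against: switch -> client works, client -> SVI in the other VLAN works, client -> client in the other VLAN fails. The script below is an added example, not code from the thread or from either poster: it models an echo request and its reply hop by hop through one multilayer switch and asks which single fault reproduces exactly that pattern. The two hosts, their gateway settings and the firewall flag are constructed; the only switch facts used are the VLAN 10/20 default-VRF SVIs from the second post. The switch's 'transit' flag is my assumption: it models a switch that answers on its own SVIs but does not forward between them, which on Catalyst and IOU L2 images is the state without the global 'ip routing' command. The thread does not establish that this is the cause; it is the one candidate in this model that fits all three observations, and it is cheap to rule in or out with 'show running-config | include ip routing' on the switch and 'show ip' on each VPCS (which prints the GATEWAY it will use).

```python
"""Hop-by-hop model of an ICMP echo and its reply through a multilayer
switch, used to ask which single fault reproduces the thread's second test:
switch -> client ok, client -> remote SVI ok, client -> remote client fails.

Added example, not code from the thread. Hosts, gateway settings and the
firewall flag are constructed; the SVIs are the VLAN 10/20 ones from the
post. Switch.transit is an assumption: False models a switch that answers
on its SVIs but does not forward between them (Catalyst / IOU L2 without
the global 'ip routing' command). The thread does not confirm that cause.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    addr: str                        # "10.3.20.100/24"
    gateway: Optional[str] = None    # None: off-link packets have nowhere to go
    drops_echo_reply: bool = False   # host firewall blocking the ICMP reply

    @property
    def ip(self):
        return ipaddress.ip_interface(self.addr).ip

    @property
    def network(self):
        return ipaddress.ip_interface(self.addr).network


@dataclass(frozen=True)
class Switch:
    svis: Tuple[str, ...]   # SVI addresses, all in one routing table
    transit: bool = True    # forwards packets between SVIs

    def owns(self, ip):
        return any(ipaddress.ip_interface(s).ip == ipaddress.ip_address(ip) for s in self.svis)

    def routes(self, ip):
        return any(ipaddress.ip_address(ip) in ipaddress.ip_interface(s).network for s in self.svis)


def deliver(sender, target, switch, hosts):
    """Can one packet from sender reach IP target? One hop at a time."""
    target = ipaddress.ip_address(target)
    exists = switch.owns(target) or any(h.ip == target for h in hosts)
    if isinstance(sender, Switch):
        return exists and switch.routes(target)      # locally sourced: no transit needed
    if target in sender.network:
        return exists                                # ARP on the local VLAN
    if sender.gateway is None or not switch.owns(sender.gateway):
        return False                                 # no usable default gateway
    if switch.owns(target):
        return True                                  # terminates on an SVI
    return exists and switch.transit and switch.routes(target)


def ping(src, src_ip, dst_ip, switch, hosts):
    """Echo request src -> dst_ip, then the echo reply back to src_ip."""
    if not deliver(src, dst_ip, switch, hosts):
        return False
    if switch.owns(dst_ip):
        return deliver(switch, src_ip, switch, hosts)
    dst = next(h for h in hosts if h.ip == ipaddress.ip_address(dst_ip))
    return not dst.drops_echo_reply and deliver(dst, src_ip, switch, hosts)


SWITCH = Switch(("10.3.10.254/24", "10.3.20.254/24"))
A = Host("VLAN10-client", "10.3.10.100/24", "10.3.10.254")   # constructed; gateway assumed set
B = Host("VLAN20-client", "10.3.20.100/24", "10.3.20.254")
OBSERVED = {"switch->A": True, "B->remote SVI": True, "B->A": False}   # from the post


def run_tests(switch, a, b):
    """The three pings from the second post, in this model."""
    hosts = (a, b)
    return {
        "switch->A": ping(switch, "10.3.20.254", str(a.ip), switch, hosts),
        "B->remote SVI": ping(b, str(b.ip), "10.3.10.254", switch, hosts),
        "B->A": ping(b, str(b.ip), str(a.ip), switch, hosts),
    }


FAULTS = {   # candidate single faults; the first three are the replies' suggestions
    "A has no default gateway": (SWITCH, replace(A, gateway=None), B),
    "B has no default gateway": (SWITCH, A, replace(B, gateway=None)),
    "A firewall drops echo replies": (SWITCH, replace(A, drops_echo_reply=True), B),
    "switch does not forward between SVIs": (replace(SWITCH, transit=False), A, B),
}


def diagnose(observed):
    """Names of the single faults whose predicted results equal the observed ones."""
    return [name for name, (sw, a, b) in FAULTS.items() if run_tests(sw, a, b) == observed]


if __name__ == "__main__":
    for name, (sw, a, b) in FAULTS.items():
        print(f"{name:40s} {run_tests(sw, a, b)}")
    print("matches observed pattern:", diagnose(OBSERVED))
```

The point of modelling the reply leg separately is that a missing gateway or a host firewall on the target breaks the switch-sourced ping as well, because the target still has to send its reply off-link; those faults predict a failure the post did not see. The switch-side fault leaves switch-originated and switch-terminated pings intact and only kills transit, which is the observed shape.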