Re: Is it possible ot send VRF traffic over a GRE Tunnel?

keeleym · ‎11-24-2009

Hi All

Could you please look at the attached diagram and see if what I am attempting to do is possible and if so could you provide some pointers please.

In the diagram I have two routers connected over the corporate WAN/Internet, each router in a different geographical location.

On each router I have 2 VRF's configured SI and EDU. The IP addresses assigned to the interfaces to which these VRF's are bound are in the same subnet.

What I would like to be able to do next is to configure a GRE tunnel for each VRF so that if I connect the PC on the left to the SI VRF and the PC on the right to the SI VRF traffic between these two nodes will go over the GRE tunnel.

The reason that both VRF's have IP addresses in the same subnet is because the IP addresses on the test nodes (represented by the PC's in the diagram) are not easily changed and may be booked for use by different units in my organization and these units can not share networks.

What I have done so far is as follows (using Dynamips),

Configured 3 routers, JAKARTA, HALIMANTAN and Internet
Configured WAN IP connectivity as per the diagram, where by from JAKARTA I can ping the F0/0 interface on KALIMANTAN and visa versa.
Configured the VRF's on each router as follows
- JAKARTA
- (config)ip vrf SI
- (config-vrf)rd 100:1
- (config-vrf)exit
- (config)int f2/0
- (config-if)ip vrf forwarding SI
- (config-if)ip add 159.xxx.10.1 255.255.255.0
- (config-if)no shut
- (config-if)exit
- (config)

I have entered a similar configuration for the EDU VRF, changing the VRF name, RD value (200:1) interface & IP assigned to the interface

KALIMANTAN
(config)ip vrf SI
(config-vrf)rd 100:1
(config-vrf)exit
(config)int f2/0
(config-if)ip vrf forwarding SI
(config-if) ip add 159.xxx.100.1 255.255.255.0
(config-if)no shut
(config-if)exit
(config)

Again I have entered a similar configuration for the EDU VRF, changing the VRF name, RD value (200:1), interface & IP assigned to the interface.

I then attempted to set up the GRE Tunnel for the SI VRF as follows
- JAKARTA
- (config)int tun0
- (config-if)ip add 10.0.0.1 255.255.255.0
- (config-if)tunnel source 159.xxx.10.1
- (config-if)tunnel dest 159.xxx.100.1
- (config-if)exit
- (config)

KALIMANTAN
(config)int tun0
(config-if)ip add 10.0.0.2 255.255.255.0
(config-if)tunnel source 159.xxx.100.1
(config-if)tunnel dest 159.xxx.10.1
(config-if)exit
(config)

I then tried to ping 10.0.0.2 from JAKARTA but the pings failed. Likewise pings to 10.0.0.1 from KALIMANTAN also failed.

The routing tables on the routers are shown below (there is no mention of the 159.xxx subnet's in the routing table of either router)

JAKARTA's routing table

Gateway of last resort is 192.168.50.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel0
C    192.168.50.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.50.2

KALIMANTAN's routing table

Gateway of last resort is 192.168.80.2 to network 0.0.0.0

C    192.168.80.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 192.168.80.2

There are no vrf routes configured on either router.

If anybody could either tell me this is not possible or give me some pointers to what I am doing wrong I would much appreciate it. I should also mention I have never worked with VRFs' before and have oly a little knowledge of GRE tunnels.

Best Regards,

Michael

Giuseppe Larosa · ‎11-24-2009

Hello Michael,

to build VRF communication you need to put the GRE tunnel in the VRF

interface tunnel0

ip vrf forwarding XX

on both devices, this creates a point-to-point link in VRF between the two sites

also you need a GRE tunnel for each VRF that needs to be interconnected as you noted

Notice that this works for sure on software based routers but be aware that some multilayer switches like some C4507 allows you to configure this but are not able to send and receive traffic over the GRE tunnel.

Hope to help

Giuseppe

keeleym · ‎11-24-2009

Hi Giuseppe

Thanks for the reply. I have tried this and it's sill not working.

What I have done is

Removed the "ip vrf forwarding SI/EDU" commands from F2/0 7 F2/1 from both routers
This removed the IP addresses on these interfaces automatically
I then shut down both F2/0 7 F2/1 on both routers

Next I configured the Tun0 interfaces as follows

I added the "ip vrf forwarding SI/EDU" command to the tun0 interface on each router
This removed the 10.0.0.x IP addresses I had previously assigned
I then configued the IP address 159.xxx.10.1 on the tun0 interface on the JAKARTA router
I then configured the IP address 159.xxx.100.1 on the tun0 interface on the KALIMANTAN router

Next I removed and reconfigured the tunnel source & tunnel dest statemetns on the tun0 interface on each router

Tunnel config from "show run" command on JAKARTA

interface Tunnel0
ip vrf forwarding SI
ip address 159.107.178.1 255.255.255.0
tunnel source 192.168.50.1 --> IP address on interface F0/0 (WAN Interface)
tunnel destination 192.168.80.1 --> IP address on F0/0 (WAN Interface) on KALIMANTAN

Tunnel config from "show run" command on KALIMANTAN

interface Tunnel0
ip vrf forwarding SI
ip address 159.107.212.1 255.255.255.0
tunnel source 192.168.80.1 --> IP Address on Interface F0/0 (WAN Interface)
tunnel destination 192.168.50.1 --> IP Address on interface F0/0 (WAN Interface) on JAKARTA

From JAKARTA I then tried to ping 159.xxx.100.1, but this was not successful and likewise pinging 159.xxx.10.1 from KALIMANTAN was unsuccessful.

I expected to see entries in the routing table for the tunnel0 interface but this is not the case (See below)

JAKARTA

Gateway of last resort is 192.168.50.2 to network 0.0.0.0

C 192.168.50.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.50.2

KALIMANTAN

Gateway of last resort is 192.168.80.2 to network 0.0.0.0

C 192.168.80.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.80.2

I have attached the full configuration from each router to this post.

FYI

I am using Dynamips, simulating 3 7206VXR routers, each running 7200 Software (C7200-P-M), Version 12.3(2)T1, RELEASE SOFTWARE (fc2)

Full output from "show ver" command below

KALIMANTAN#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-P-M), Version 12.3(2)T1, RELEASE SOFTWARE (fc2)
Synched to technology version 12.3(1.9)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 22-Aug-03 20:34 by dchih
Image text-base: 0x60008954, data-base: 0x61AEE000

ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-P-M), Version 12.3(2)T1, RELEASE SOFTWARE (fc2)

KALIMANTAN uptime is 3 hours, 20 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"

cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
Processor board ID 4294967295
R7000 CPU at 150Mhz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache
6 slot VXR midplane, Version 2.1

Last reset from power-on
X.25 software, Version 3.0.0.
Bridging software.

PCI bus mb0_mb1 has 400 bandwidth points
PCI bus mb2 has 400 bandwidth points

4 FastEthernet/IEEE 802.3 interface(s)
8 Serial network interface(s)
125K bytes of non-volatile configuration memory.

65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2142

KALIMANTAN#

Again if you could give me an idea of where I have gone wrong it would be much appreciated.

Best Regards,

Michael

Giuseppe Larosa · ‎11-24-2009

Hello Michael,

each VRF has its own routing table so:

to see VRF SI routing table you need to use

sh ip route vrf SI

to ping an host in VRF you need to use

ping VRF SI x.x.x.x

and so on each command requires to add VRF vrf-name

you cannot see routing entries for a VRF in the global routing table that you see with conventional sh ip route

Hope to help

Giuseppe

keeleym · ‎11-24-2009

Hi Guiseppe

Again many thanks for your reply. Working with VRF's for the first time is kind of confusing

So I have reconfigured the routers just for VRF SI initially and now I that I know the correct commands to use, I can see that there is an entry for the SI vrf (see below)

JAKARTA# sh ip route vrf SI

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0

KALIMANTAN#sh ip route vrf SI

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0

and both Tunnel interfaces are "UP UP"

Should I be able to ping the tunnel end points with the command ping vrf SI 10.0.0.x from each router? as when I try this the ping fails.

Sorry for all the questions and again thanks a million for you help and advice.

Best Regards,

Michael

Reza Sharifi · ‎11-24-2009

Hi Michael,

In your attached configs, I do not see any routing protocols configured. You will need to deploy OSPF or EIGRP or BGP.

Here is a sample config for EIGRP and OSPF

router eigrp 100

passive-interface default

no passive-interface Tunnel0

no auto-summary

!

address-family ipv4 vrf example

network xx.xx.xx.0 0.0.0.255

no auto-summary

autonomous-system 100

exit-address-family

router ospf 1 vrf example

log-adjacency-changes

passive-interface default

no passive-interface Tunnel0

network xx.xx.xx.0 0.0.0.255 area 0

HTH

Reza

keeleym · ‎11-24-2009

Hi Reza

Thank you for your response and the example configuration.

Is it not possible to send VRF traffic over a GRE tunnel without using a routing protocol. Just using static routes?

Best Regards,

Michael

Reza Sharifi · ‎11-24-2009

Michael,

You can use static routes, but routing protocols can load balance the traffic and resiliency are automatically achieved.

Also configuring too many static routes became an administrative burden.

Reza

keeleym · ‎11-25-2009

Hi All

I think I am making slow but steady progress.

I have configured two tunnel interfaces Tun0 & Tun1 and these are bound to two different VRF's. Tun0 is bound ot vrf SI and Tun1 is bound ot vrf EDU.

However I can only ping the tunnel end point of tun0.

I have tried first with both tunnels using the same source port and Dest IP address. Then I tried adding a secondary IP address to my WAN interface of both routers and having Tun1 use tha local secondary IP as its source and the remote secondary IP as teh dest, but still I only have connectivity over Tun0.

Not too sure if this is something that I have done incorrectly or if this is a bug/problem with GRE on Dynamips.

Tunnel Configurations

JAKARTA

interface Tunnel0
ip vrf forwarding SI
ip address 10.0.0.1 255.255.255.0
tunnel source 192.168.50.1
tunnel destination 192.168.80.1
!
interface Tunnel1
ip vrf forwarding EDU
ip address 20.0.0.1 255.255.255.0
tunnel source 192.168.51.1
tunnel destination 192.168.81.1
!
interface FastEthernet0/0
ip address 192.168.51.1 255.255.255.0 secondary
ip address 192.168.50.1 255.255.255.0
duplex auto
speed auto

KALIMANTAN

interface Tunnel0
ip vrf forwarding SI
ip address 10.0.0.2 255.255.255.0
tunnel source 192.168.80.1
tunnel destination 192.168.50.1
!
interface Tunnel1
ip vrf forwarding EDU
ip address 20.0.0.2 255.255.255.0
tunnel source 192.168.81.1
tunnel destination 192.168.51.1
!
interface FastEthernet0/0
ip address 192.168.81.1 255.255.255.0 secondary
ip address 192.168.80.1 255.255.255.0
duplex auto
speed auto

If anybody has any ideas it would be much appreciated.

Best Regards,

Michael

Giuseppe Larosa · ‎11-25-2009

Hello Michael,

the following two tests should work

ping vrf SI 10.0.0.2

ping vrf EDU 20.0.0.2

to see actual VRF routing in action you can add one loopback on each router and the related static routes

int loop55

ip vrf forwarding SI

ip address 10.110.225.1 255.255.255.255

int loop66

ip vrf forwarding EDU

ip address 20.220.250.1 255.255.255.255

on the other router

ip route vrf SI 10.110.225.1 255.255.255.255 tunnel0

ip route vrf EDU 20.220.250.1 255.255.255.255 tunnel1

of course tunnel 1 has to be up: = the tunnel source and tunnel destination have to be reachable and up/up in global routing table

I think you can use the same tunnel source and tunnel destination on both tunnels, this may help.

Hope to help

Giuseppe

keeleym · ‎11-25-2009

Hi Guiseppe

I have not managed to get both GRE tunnels up and working at the same time.

What is happening is that I start of with the two routers (Jakarta & Kalimantan) configured with a WAN link. These two routers are connected to a third router acting as the Internet. I can ping the WAN interface on each router from the other.

I then configured the 2 VRF's on each router

SI , RD 100:1

EDU RD 200:

Next I create the tun0 interface one each router. Assign it to the SI VRF with the command "ip vrf forwarding SI". I then assign an IP address to the tun0 interfaces on each router. These IP addresses are in the same /24 subnet.

I then configure the tunnel source, which is the F0/0 (WAN) interface on the local router and the destination IP address, which is the IP address assigned to the WAN interface of the other router. I set the tunnel mode to "gre ip".

At this stage I can ping the opposite routers tunnel end point IP address from each router. All is good.

The problem arises then when I configure the tun1 interfaces.

Same procedure as above, only this interface is assigned to the VRF EDU and the IP addresses assigned to the tun1 interfaces on each router are in a different subnet to that used on tun0. And like tun0, the IP addresses used on both tun1 interfaces belong to the same /24 subnet. The source and destination information is identical to that used on tun0 and again the mode is set to "gre ip".

So now I try my pings again, and I can ping the tun1 end point IP addresses from the opposite router. However I can no longer ping the tun0 end point IP addresses.

I have done some googling and found a post were someone mentioned using tunnel keys on the end points, and I tried this also. I gave both tun0 interfaces the key 1 and both tun1 interfaces the key of 2, but I could still only ping the end point IP addresses of tun1 from the opposite router.It was still not possible to ping the tun0 end point IP addresses. All I got was 5 periods (.....) indication a filed attempt.

I have also tried using loopback interfaces as the tunnel source and destination addresses, but with this configuration I could not get even 1 tunnel up and working.

Google is giving me lots of documents on setting up GRE or setting up VRF's, but so far not much at all on what I am trying to do

Can I ask are there any special considerations to take into account when settign up 2 GRE tunnels with a single VRF assigned to each tunnel?

Again thanks a million for yoru replies and help with this.

Best Regards,

Michael

Giuseppe Larosa · ‎11-26-2009

Hello Michael,

>> Can I ask are there any special considerations to take into account when settign up 2 GRE tunnels with a single VRF assigned to each tunnel?

the tunnel key as you have discovered is needed to mutiplex / demultiplex different GRE tunnels using the same tunnel source and the same destination.

Sorry for having missed this point.

to remove this doubt you could do the following:

on each router:

configure a loopback interface in global routing table.

advertise them with any mean static routes or dynamic routes

use these two new loopbacks as tunnel source and tunnel destination for second tunnel

Key point:

the GRE tunnel should work when an extended ping (in global routing table with no vrf option) using tunnel destination as destination and tunnel source as source works

this can be your next execise

I would suggest you some reading like the following

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html#wp82093

Hope to help

Giuseppe