11-24-2009 04:29 AM - edited 03-04-2019 06:47 AM
Hi All
Could you please look at the attached diagram and see if what I am attempting to do is possible and if so could you provide some pointers please.
In the diagram I have two routers connected over the corporate WAN/Internet, each router in a different geographical location.
On each router I have 2 VRF's configured SI and EDU. The IP addresses assigned to the interfaces to which these VRF's are bound are in the same subnet.
What I would like to be able to do next is to configure a GRE tunnel for each VRF so that if I connect the PC on the left to the SI VRF and the PC on the right to the SI VRF traffic between these two nodes will go over the GRE tunnel.
The reason that both VRF's have IP addresses in the same subnet is because the IP addresses on the test nodes (represented by the PC's in the diagram) are not easily changed and may be booked for use by different units in my organization and these units can not share networks.
What I have done so far is as follows (using Dynamips),
The routing tables on the routers are shown below (there is no mention of the 159.xxx subnet's in the routing table of either router)
JAKARTA's routing table
Gateway of last resort is 192.168.50.2 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
C 192.168.50.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.50.2
KALIMANTAN's routing table
Gateway of last resort is 192.168.80.2 to network 0.0.0.0
C 192.168.80.0/24 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
S* 0.0.0.0/0 [1/0] via 192.168.80.2
There are no vrf routes configured on either router.
If anybody could either tell me this is not possible or give me some pointers to what I am doing wrong I would much appreciate it. I should also mention I have never worked with VRFs before and have only a little knowledge of GRE tunnels.
Best Regards,
Michael
11-24-2009 04:43 AM
Hello Michael,
to build VRF communication you need to put the GRE tunnel in the VRF
interface tunnel0
ip vrf forwarding XX
on both devices, this creates a point-to-point link in VRF between the two sites
also you need a GRE tunnel for each VRF that needs to be interconnected as you noted
Notice that this works for sure on software based routers but be aware that some multilayer switches like some C4507 allows you to configure this but are not able to send and receive traffic over the GRE tunnel.
Hope to help
Giuseppe
11-24-2009 06:18 AM
Hi Giuseppe
Thanks for the reply. I have tried this and it's still not working.
What I have done is
Next I configured the Tun0 interfaces as follows
Next I removed and reconfigured the tunnel source & tunnel dest statements on the tun0 interface on each router
Tunnel config from "show run" command on JAKARTA
interface Tunnel0
 ip vrf forwarding SI
 ip address 159.107.178.1 255.255.255.0
 tunnel source 192.168.50.1 --> IP address on interface F0/0 (WAN Interface)
 tunnel destination 192.168.80.1 --> IP address on F0/0 (WAN Interface) on KALIMANTAN
Tunnel config from "show run" command on KALIMANTAN
interface Tunnel0
 ip vrf forwarding SI
 ip address 159.107.212.1 255.255.255.0
 tunnel source 192.168.80.1 --> IP Address on Interface F0/0 (WAN Interface)
 tunnel destination 192.168.50.1 --> IP Address on interface F0/0 (WAN Interface) on JAKARTA
From JAKARTA I then tried to ping 159.xxx.100.1, but this was not successful and likewise pinging 159.xxx.10.1 from KALIMANTAN was unsuccessful.
I expected to see entries in the routing table for the tunnel0 interface but this is not the case (See below)
JAKARTA
Gateway of last resort is 192.168.50.2 to network 0.0.0.0
C 192.168.50.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.50.2
KALIMANTAN
Gateway of last resort is 192.168.80.2 to network 0.0.0.0
C 192.168.80.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.80.2
I have attached the full configuration from each router to this post.
FYI
I am using Dynamips, simulating 3 7206VXR routers, each running 7200 Software (C7200-P-M), Version 12.3(2)T1, RELEASE SOFTWARE (fc2)
Full output from "show ver" command below
KALIMANTAN#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-P-M), Version 12.3(2)T1, RELEASE SOFTWARE (fc2)
Synched to technology version 12.3(1.9)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 22-Aug-03 20:34 by dchih
Image text-base: 0x60008954, data-base: 0x61AEE000
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-P-M), Version 12.3(2)T1, RELEASE SOFTWARE (fc2)
KALIMANTAN uptime is 3 hours, 20 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
Processor board ID 4294967295
R7000 CPU at 150Mhz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
X.25 software, Version 3.0.0.
Bridging software.
PCI bus mb0_mb1 has 400 bandwidth points
PCI bus mb2 has 400 bandwidth points
4 FastEthernet/IEEE 802.3 interface(s)
8 Serial network interface(s)
125K bytes of non-volatile configuration memory.
65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2142
KALIMANTAN#
Again if you could give me an idea of where I have gone wrong it would be much appreciated.
Best Regards,
Michael
11-24-2009 07:21 AM
Hello Michael,
each VRF has its own routing table so:
to see VRF SI routing table you need to use
sh ip route vrf SI
to ping an host in VRF you need to use
ping VRF SI x.x.x.x
and so on each command requires to add VRF vrf-name
you cannot see routing entries for a VRF in the global routing table that you see with conventional sh ip route
Hope to help
Giuseppe
11-24-2009 08:24 AM
Hi Giuseppe
Again many thanks for your reply. Working with VRF's for the first time is kind of confusing.
So I have reconfigured the routers just for VRF SI initially and now that I know the correct commands to use, I can see that there is an entry for the SI vrf (see below)
JAKARTA# sh ip route vrf SI
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
KALIMANTAN#sh ip route vrf SI
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
and both Tunnel interfaces are "UP UP"
Should I be able to ping the tunnel end points with the command ping vrf SI 10.0.0.x from each router? as when I try this the ping fails.
Sorry for all the questions and again thanks a million for your help and advice.
Best Regards,
Michael
11-24-2009 09:34 AM
Hi Michael,
In your attached configs, I do not see any routing protocols configured. You will need to deploy OSPF or EIGRP or BGP.
Here is a sample config for EIGRP and OSPF
11-24-2009 02:31 PM
Hi Reza
Thank you for your response and the example configuration.
Is it not possible to send VRF traffic over a GRE tunnel without using a routing protocol. Just using static routes?
Best Regards,
Michael
11-24-2009 03:12 PM
Michael,
You can use static routes, but routing protocols can load-balance the traffic, and resiliency is automatically achieved.
Also, configuring too many static routes becomes an administrative burden.
Reza
11-25-2009 01:48 AM
Hi All
I think I am making slow but steady progress.
I have configured two tunnel interfaces Tun0 & Tun1 and these are bound to two different VRF's. Tun0 is bound to vrf SI and Tun1 is bound to vrf EDU.
However I can only ping the tunnel end point of tun0.
I have tried first with both tunnels using the same source port and Dest IP address. Then I tried adding a secondary IP address to my WAN interface of both routers and having Tun1 use the local secondary IP as its source and the remote secondary IP as the dest, but still I only have connectivity over Tun0.
Not too sure if this is something that I have done incorrectly or if this is a bug/problem with GRE on Dynamips.
Tunnel Configurations
JAKARTA
interface Tunnel0
 ip vrf forwarding SI
 ip address 10.0.0.1 255.255.255.0
 tunnel source 192.168.50.1
 tunnel destination 192.168.80.1
!
interface Tunnel1
 ip vrf forwarding EDU
 ip address 20.0.0.1 255.255.255.0
 tunnel source 192.168.51.1
 tunnel destination 192.168.81.1
!
interface FastEthernet0/0
 ip address 192.168.51.1 255.255.255.0 secondary
 ip address 192.168.50.1 255.255.255.0
 duplex auto
 speed auto
KALIMANTAN
interface Tunnel0
 ip vrf forwarding SI
 ip address 10.0.0.2 255.255.255.0
 tunnel source 192.168.80.1
 tunnel destination 192.168.50.1
!
interface Tunnel1
 ip vrf forwarding EDU
 ip address 20.0.0.2 255.255.255.0
 tunnel source 192.168.81.1
 tunnel destination 192.168.51.1
!
interface FastEthernet0/0
 ip address 192.168.81.1 255.255.255.0 secondary
 ip address 192.168.80.1 255.255.255.0
 duplex auto
 speed auto
If anybody has any ideas it would be much appreciated.
Best Regards,
Michael
11-25-2009 04:36 AM
Hello Michael,
the following two tests should work
ping vrf SI 10.0.0.2
ping vrf EDU 20.0.0.2
to see actual VRF routing in action you can add one loopback on each router and the related static routes
int loop55
 ip vrf forwarding SI
 ip address 10.110.225.1 255.255.255.255
int loop66
 ip vrf forwarding EDU
 ip address 20.220.250.1 255.255.255.255
on the other router
ip route vrf SI 10.110.225.1 255.255.255.255 tunnel0
ip route vrf EDU 20.220.250.1 255.255.255.255 tunnel1
of course tunnel 1 has to be up: = the tunnel source and tunnel destination have to be reachable and up/up in global routing table
I think you can use the same tunnel source and tunnel destination on both tunnels, this may help.
Hope to help
Giuseppe
11-25-2009 05:52 AM
Hi Giuseppe
I have not managed to get both GRE tunnels up and working at the same time.
What is happening is that I start off with the two routers (Jakarta & Kalimantan) configured with a WAN link. These two routers are connected to a third router acting as the Internet. I can ping the WAN interface on each router from the other.
I then configured the 2 VRF's on each router
SI , RD 100:1
EDU RD 200:
Next I create the tun0 interface on each router. Assign it to the SI VRF with the command "ip vrf forwarding SI". I then assign an IP address to the tun0 interfaces on each router. These IP addresses are in the same /24 subnet.
I then configure the tunnel source, which is the F0/0 (WAN) interface on the local router and the destination IP address, which is the IP address assigned to the WAN interface of the other router. I set the tunnel mode to "gre ip".
At this stage I can ping the opposite routers tunnel end point IP address from each router. All is good.
The problem arises then when I configure the tun1 interfaces.
Same procedure as above, only this interface is assigned to the VRF EDU and the IP addresses assigned to the tun1 interfaces on each router are in a different subnet to that used on tun0. And like tun0, the IP addresses used on both tun1 interfaces belong to the same /24 subnet. The source and destination information is identical to that used on tun0 and again the mode is set to "gre ip".
So now I try my pings again, and I can ping the tun1 end point IP addresses from the opposite router. However I can no longer ping the tun0 end point IP addresses.
I have done some googling and found a post where someone mentioned using tunnel keys on the end points, and I tried this also. I gave both tun0 interfaces the key 1 and both tun1 interfaces the key of 2, but I could still only ping the end point IP addresses of tun1 from the opposite router. It was still not possible to ping the tun0 end point IP addresses. All I got was 5 periods (.....) indicating a failed attempt.
I have also tried using loopback interfaces as the tunnel source and destination addresses, but with this configuration I could not get even 1 tunnel up and working.
Google is giving me lots of documents on setting up GRE or setting up VRF's, but so far not much at all on what I am trying to do
Can I ask are there any special considerations to take into account when setting up 2 GRE tunnels with a single VRF assigned to each tunnel?
Again thanks a million for your replies and help with this.
Best Regards,
Michael
11-26-2009 09:04 AM
Hello Michael,
>> Can I ask are there any special considerations to take into account when setting up 2 GRE tunnels with a single VRF assigned to each tunnel?
the tunnel key as you have discovered is needed to multiplex / demultiplex different GRE tunnels using the same tunnel source and the same destination.
Sorry for having missed this point.
to remove this doubt you could do the following:
on each router:
configure a loopback interface in global routing table.
advertise them with any mean static routes or dynamic routes
use these two new loopbacks as tunnel source and tunnel destination for second tunnel
Key point:
the GRE tunnel should work when an extended ping (in global routing table with no vrf option) using tunnel destination as destination and tunnel source as source works
this can be your next exercise
I would suggest you some reading like the following
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html#wp82093
Hope to help
Giuseppe
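The tunnel-key multiplexing discussed in the last reply, as an added example that is not part of the original thread: a simplified Python model (not how IOS implements it) of a receiver mapping an incoming GRE packet to a tunnel and VRF by outer addresses plus the key field from the GRE header. The WAN addresses and the key values 1 and 2 are taken from the posts above; `TunnelTable` and the function names are hypothetical.

```python
import struct

GRE_C, GRE_K = 0x8000, 0x2000  # checksum-present and key-present flag bits (RFC 2784/2890)

def build_gre(proto, key=None):
    """Build a minimal GRE header; the 4-byte key field is present only if the K bit is set."""
    hdr = struct.pack("!HH", GRE_K if key is not None else 0, proto)
    return hdr + (struct.pack("!I", key) if key is not None else b"")

def parse_gre_key(hdr):
    """Return the 32-bit key carried in a GRE header, or None when the K bit is clear."""
    flags, _proto = struct.unpack_from("!HH", hdr, 0)
    if not flags & GRE_K:
        return None
    offset = 8 if flags & GRE_C else 4  # optional checksum+reserved word precedes the key
    if len(hdr) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack_from("!I", hdr, offset)[0]

class TunnelTable:
    """Hypothetical receiver-side table: (local, remote, key) -> (tunnel, VRF)."""
    def __init__(self):
        self._tunnels = {}

    def add(self, name, vrf, local, remote, key=None):
        ident = (local, remote, key)
        if ident in self._tunnels:
            raise ValueError(f"{name} is indistinguishable from {self._tunnels[ident][0]}")
        self._tunnels[ident] = (name, vrf)

    def demux(self, outer_src, outer_dst, gre_hdr):
        # On receive, the outer destination is our tunnel source and vice versa.
        return self._tunnels.get((outer_dst, outer_src, parse_gre_key(gre_hdr)))

def kalimantan_table():
    """KALIMANTAN's two tunnels from the thread, sharing one source/destination pair."""
    t = TunnelTable()
    t.add("Tunnel0", "SI", "192.168.80.1", "192.168.50.1", key=1)
    t.add("Tunnel1", "EDU", "192.168.80.1", "192.168.50.1", key=2)
    return t

def ambiguous_without_keys():
    """True if the same two tunnels cannot be told apart once the keys are dropped."""
    t = TunnelTable()
    t.add("Tunnel0", "SI", "192.168.80.1", "192.168.50.1")
    try:
        t.add("Tunnel1", "EDU", "192.168.80.1", "192.168.50.1")
    except ValueError:
        return True
    return False
```

In this model a packet that arrives with no key, or with a key matching neither tunnel, maps to no VRF at all.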