09-05-2019 11:21 AM
We are getting a new link from our ISP to our core router, which uses VRF - the current VRF config is:
Connectivity goes from the LAN, to the 6500, to the firewall, back to the 6500, and then out the VRF "Internet" table to the ISP next hop.
6500
ip route vrf Internet 0.0.0.0 0.0.0.0 1.1.1.1
interface GigabitEthernet5/9
description ***Uplink to Internet***
ip vrf forwarding Internet
ip address 1.1.1.2 255.255.255.252
end
interface Vlan990
description OUTSIDE VLAN
ip vrf forwarding Internet
! this is a block of /24 external addresses we have
ip address 1.1.2.0 255.255.255.0
end
Port 5/6 is in VLAN 990.
I have changed it to:
ip route vrf Internet 0.0.0.0 0.0.0.0 2.2.2.1
interface GigabitEthernet5/8
description ***New Uplink to Internet***
ip vrf forwarding Internet
ip address 2.2.2.2 255.255.255.252
end
I have tested the link directly and it works just fine when not routing through VRF. The interesting thing is I can leave the new next hop as the default route in VRF, and the connectivity remains, but as soon as I kill port 5/9 (the old connection) everything drops. I have done an extended ping from port 5/8 through vrf out to the internet and it works fine. This is my first experience with VRF so I figure I am simply missing something. I have also checked on the firewall (which hangs off the 6500) and there are no ACLs or anything blocking traffic.
09-10-2019 09:44 AM
Posting for anyone with a similar issue:
Turns out that the ISP had a static route pointing to our old IP address for our block of IP addresses that we own. Once that route was changed to our new external address, the issue was resolved. This makes sense, as traffic was flowing out the new link just fine, but when it tried to get back, it could only be routed to the old link.
09-05-2019 11:47 AM
Hello Ninjabean,
the presence of the firewall makes your network more complex to troubleshoot.
However, from what you are reporting I would check with your ISP if they have configured the correct static routes on the new Internet uplink to you.
>> The interesting thing is I can leave the new next hop as the default route in VRF, and the connectivity remains, but as soon as I kill port 5/9 (the old connection) everything drops. I have done an extended ping from port 5/8 through vrf out to the internet and it works fine.
The above behaviour can be caused by missing static routes on the ISP's new uplink on their side.
They need static routes for your public IP subnets with next-hop 2.2.2.2 and they need to redistribute those static routes into BGP in their router.
On the old link the static routes are correctly configured on ISP side and redistributed into BGP.
The fact that you can ping, for example, 8.8.8.8 using
ping vrf Internet 8.8.8.8 source 2.2.2.2
means the connected subnet 2.2.2.0/30 is published in the ISP BGP network.
When you shut down the old link there is no return path for your public IP subnets.
The firewall actually sits before the part of your network that changed, which is in vrf Internet only, so it should not create problems.
Hope to help
Giuseppe
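A small model of the return-path problem Giuseppe describes, added here as an example and not part of the thread: the ISP's route for the customer's public /24 decides which link the reply takes, and a ping sourced from the new /30 succeeds even when the /24 has no way back. Addresses are the (obfuscated) ones from the post; the link names, `LINK_NETS` and the `return_path` function are constructed for the illustration.

```python
import ipaddress

# Constructed model of the thread's topology, using the post's obfuscated addresses.
CUSTOMER_PUBLIC = "1.1.2.0/24"          # the customer's own /24 behind the 6500
LINK_NETS = {"old": "1.1.1.0/30",       # g5/9 <-> ISP, customer side 1.1.1.2
             "new": "2.2.2.0/30"}       # g5/8 <-> ISP, customer side 2.2.2.2


def lookup(table, dst):
    """Longest-prefix match over (prefix, link) pairs; None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, link in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, link)
    return best[1] if best else None


def isp_table(static_next_hop, links_up):
    """ISP routing table: connected /30s for links that are up, plus the static route
    for the customer's /24, which is only usable if its next hop sits on an up link."""
    table = [(net, link) for link, net in LINK_NETS.items() if link in links_up]
    via = lookup(table, static_next_hop)
    if via is not None:
        table.append((CUSTOMER_PUBLIC, via))
    return table


def return_path(source, static_next_hop, links_up):
    """Which ISP link carries the reply to a packet sent from `source` out the new
    link, or None when the ISP has no route back. The forward direction is taken as
    working, since the VRF default route points at the new link."""
    if "new" not in links_up:
        return None
    return lookup(isp_table(static_next_hop, links_up), source)


if __name__ == "__main__":
    # Both links up, ISP static still points at the old customer address:
    # traffic leaves via new and comes back via old, so nothing seems broken.
    print(return_path("1.1.2.10", "1.1.1.2", {"old", "new"}))  # old
    # Old link shut: the /30 ping still works (connected route), the /24 does not.
    print(return_path("2.2.2.2", "1.1.1.2", {"new"}))          # new
    print(return_path("1.1.2.10", "1.1.1.2", {"new"}))         # None
    # ISP repoints the static at 2.2.2.2: the /24 is reachable over the new link.
    print(return_path("1.1.2.10", "2.2.2.2", {"new"}))         # new
```

A ping sourced from an address inside the public /24 (rather than from 2.2.2.2) while the old link is up but the VRF default points at the new link would have exposed the asymmetric return path before the cutover.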