Issue with VRF Change

Ninjabean
Level 1

We are getting a new link from our ISP to our core router, which uses VRF. The current VRF config is:

 

Connectivity goes from the LAN, to the 6500, to the firewall, back to the 6500, and then out the VRF "Internet" table to the ISP next hop.

 

6500 (current config)

ip route vrf Internet 0.0.0.0 0.0.0.0 1.1.1.1

interface GigabitEthernet5/9
 description ***Uplink to Internet***
 ip vrf forwarding Internet
 ip address 1.1.1.2 255.255.255.252
end

interface Vlan990
 description OUTSIDE VLAN
 ip vrf forwarding Internet
 ! the SVI carries a host address out of the /24 below; the network address is shown as shorthand for the block
 ip address 1.1.2.0 255.255.255.0   <-- this is a block of /24 external addresses we have
end

Port 5/6 is in VLAN 990.

 

I have changed it to:

 

ip route vrf Internet 0.0.0.0 0.0.0.0 2.2.2.1

interface GigabitEthernet5/8
 description ***New Uplink to Internet***
 ip vrf forwarding Internet
 ip address 2.2.2.2 255.255.255.252
end

 

 

I have tested the link directly and it works just fine when not routing through VRF.  The interesting thing is I can leave the new next hop as the default route in VRF, and the connectivity remains, but as soon as I kill port 5/9 (the old connection) everything drops. I have done an extended ping from port 5/8 through vrf out to the internet and it works fine. This is my first experience with VRF so I figure I am simply missing something. I have also checked on the firewall (which hangs off the 6500) and there are no ACLs or anything blocking traffic.

Accepted Solution

Posting for anyone with a similar issue:

 

Turns out that the ISP had a static route pointing to our old IP address for our block of IP addresses that we own. Once that route was changed to our new external address, the issue was resolved. This makes sense, as traffic was flowing out the new link just fine, but when it tried to get back, it could only be routed to the old link.


4 Replies

Giuseppe Larosa
Hall of Fame

Hello Ninjabean,

the presence of the firewall makes your network more complex to troubleshoot.

 

However, from what you are reporting I would check with your ISP if they have configured the correct static routes on the new Internet uplink to you.

 

>> The interesting thing is I can leave the new next hop as the default route in VRF, and the connectivity remains, but as soon as I kill port 5/9 (the old connection) everything drops. I have done an extended ping from port 5/8 through vrf out to the internet and it works fine.

 

The above behaviour can be caused by missing static routes on ISP new uplink on their side.

They need static routes for your public IP subnets with next-hop 2.2.2.2 and they need to redistribute those static routes into BGP in their router.

On the old link the static routes are correctly configured on ISP side and redistributed into BGP.

The fact that you can ping for example 8.8.8.8 using

ping vrf Internet 8.8.8.8 source 2.2.2.2

 

It means the connected subnet 2.2.2.0/30 is published in the ISP BGP network.

When you shut down the old link there is no return path for your public IP subnets.

 

The firewall actually sits before your network change, which is in vrf Internet only, and it should not create problems.

 

Hope to help

Giuseppe

 

 
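The failure mode Giuseppe describes above, and that the accepted solution confirms, is a return-path problem: the customer's VRF sends everything out the new uplink, but the ISP edge still has its static route for the customer's /24 pointing at the old next hop, so once the old link is shut there is no usable route back. The following is an added example, not code from the original post or from any vendor: a small Python model of both routing tables with longest-prefix match and next-hop resolution, run through the four situations in the thread (both links up, old link shut, the extended ping sourced from the new /30, and the ISP-side fix). The addresses are the sanitised values used in the thread; the ISP-side table is an assumption built from the explanation above, not a real ISP configuration.

```python
"""Model of the asymmetric-routing failure described in this thread.

Added example, not from the original post. The addresses are the sanitised
values used in the thread (1.1.1.0/30 old uplink, 2.2.2.0/30 new uplink,
1.1.2.0/24 the customer's own block, 8.8.8.8 a remote host); the ISP-side
table is an assumption built from Giuseppe's explanation and the accepted
solution, not a real ISP configuration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None means directly connected
    link: Optional[str]       # egress link, set for connected routes only


@dataclass
class Router:
    name: str
    routes: list = field(default_factory=list)

    def add(self, prefix, next_hop=None, link=None):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, link))

    def _matches(self, addr):
        """Routes covering addr, most specific first."""
        addr = ipaddress.ip_address(addr)
        return sorted((r for r in self.routes if addr in r.prefix),
                      key=lambda r: r.prefix.prefixlen, reverse=True)

    def egress(self, dst, links_up):
        """Longest-prefix match; returns the egress link name or None.

        A connected route is usable only while its link is up.  A static
        route is usable only if its next hop lies in a usable connected
        subnet (simplification: next hops are not resolved recursively
        through other static routes).  When the matched route is unusable
        the lookup falls through to the next less specific match, as a
        RIB does once the unresolvable static has been withdrawn.
        """
        for route in self._matches(dst):
            if route.next_hop is None:
                if links_up.get(route.link, False):
                    return route.link
                continue
            for via in self._matches(route.next_hop):
                if via.next_hop is None and links_up.get(via.link, False):
                    return via.link
        return None


def build(isp_block_next_hop):
    """Customer VRF table and the ISP edge's table for the customer block.

    isp_block_next_hop is where the ISP's static route for 1.1.2.0/24
    points: 1.1.1.2 (old uplink, the situation in the thread) or 2.2.2.2
    (new uplink, the fix).  The ISP's routes towards the rest of the
    Internet are left out: only the return lookup for the customer's own
    addresses matters here, and without a usable route for the block the
    ISP has nothing to redistribute into BGP.
    """
    cust = Router("6500 vrf Internet")
    cust.add("1.1.1.0/30", link="old")         # g5/9, old uplink
    cust.add("2.2.2.0/30", link="new")         # g5/8, new uplink
    cust.add("1.1.2.0/24", link="vlan990")     # outside VLAN, the owned block
    cust.add("0.0.0.0/0", next_hop="2.2.2.1")  # ip route vrf Internet 0.0.0.0 0.0.0.0 2.2.2.1

    isp = Router("ISP edge (assumed)")
    isp.add("1.1.1.0/30", link="old")
    isp.add("2.2.2.0/30", link="new")
    isp.add("1.1.2.0/24", next_hop=isp_block_next_hop)  # the ISP's static for the block
    return cust, isp


UP_BOTH = {"old": True, "new": True, "vlan990": True}
OLD_DOWN = {"old": False, "new": True, "vlan990": True}   # g5/9 shut


def scenario(isp_block_next_hop, links_up, src="1.1.2.10", dst="8.8.8.8"):
    """Return (outbound_link, return_link); None means no usable route."""
    cust, isp = build(isp_block_next_hop)
    out = cust.egress(dst, links_up)
    back = isp.egress(src, links_up) if out else None
    return out, back


if __name__ == "__main__":
    cases = [
        ("ISP static -> old, both links up",          "1.1.1.2", UP_BOTH,  "1.1.2.10"),
        ("ISP static -> old, g5/9 shut",              "1.1.1.2", OLD_DOWN, "1.1.2.10"),
        ("same, but sourced from the new /30 (ping)", "1.1.1.2", OLD_DOWN, "2.2.2.2"),
        ("ISP static -> new, g5/9 shut (the fix)",    "2.2.2.2", OLD_DOWN, "1.1.2.10"),
    ]
    for label, nh, links, src in cases:
        out, back = scenario(nh, links, src=src)
        print(f"{label:45} out={out!s:5} back={back}")
```

The third case is why the extended ping sourced from 2.2.2.2 succeeds while hosts in the /24 lose connectivity: the ISP reaches 2.2.2.2 through its own connected /30 on the new link, but reaches 1.1.2.0/24 only through the static route, and that static still resolves through the old link. On the real devices the equivalent checks are show ip route vrf Internet on the 6500 and a ping vrf Internet sourced from an address inside the /24 rather than from the /30.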

>> This is my first experience with VRF so I figure I am simply missing something. I have also checked on the firewall (which hangs off the 6500) and there are no ACLs or anything blocking traffic.

That is very helpful. I will get with our assigned engineer - I appreciate the response.

Our ISP has said that it is not them (go figure) so I also have a TAC case open now. We determined that they see traffic flowing to me, and I see traffic flowing to them, but neither are getting traffic back oddly enough. Will report back with the solution.

