MPLS Internet Access from VRF: problem and best practice

pablitomassa82 (Level 1)

Hi Everybody,

I'm doing some exercises on MPLS VPN, in particular accessing the Internet from a VRF.

As I understand it, there are 3 standard methods to accomplish that:

1) Using the global routing table with another physical interface or subinterface;

2) Using the global routing table with static and default routes;

3) Internet provided in a VRF, with or without VRF-aware NAT.

I have a problem with point 3. This is my topology:

I followed the tutorial on YouTube called LabMinute SP0014, but I think there is a mistake in it. I think the proposed configuration has a problem with overlapping IP addresses. In fact, in my scenario CE3 can ping 8.8.8.8 but CE1 can't ping 8.8.8.8, yet if I shut down PE1 f1/0, CE1 can ping 8.8.8.8.

I've found another explanation that tries to cover the same scenario with a different configuration. Instead of configuring VRF INTERNET and importing VRF A and VRF B into it, it says that we must also configure VRF A and VRF B on PE2, and so on.

So my question is: which is the best practice to provide Internet access in a VRF with overlapping IP addresses?

Thanks 

Paolo

PS: if necessary, I can upload the configuration.


pablitomassa82 (Level 1)

PE2 CONFIG

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
! VRF INTERNET imports the routes of both customer VRFs on PE1 (RT 1.1.1.1:1 = A,
! RT 1.1.1.1:2 = B) into a single table; prefixes that overlap between A and B
! collide here, and only one of them can be installed
ip vrf INTERNET
 rd 2.2.2.2:1
 route-target export 2.2.2.2:1
 route-target import 1.1.1.1:1
 route-target import 1.1.1.1:2
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 1 area 0
!
! core-facing interface (global table, MPLS); labelled customer traffic arrives
! here and the VPN label selects VRF INTERNET
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip ospf 1 area 0
 duplex auto
 speed auto
 mpls ip
!
! Internet-facing interface placed in VRF INTERNET; its address 10.0.1.1 is the
! NAT outside address used for all translated traffic
interface FastEthernet0/1
 ip vrf forwarding INTERNET
 ip address 10.0.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 ! the static default route below is advertised as a VPNv4 route with
 ! RT 2.2.2.2:1, which VRF A and VRF B on PE1 import, so both reach the
 ! Internet through PE2
 address-family ipv4 vrf INTERNET
  no synchronization
  network 0.0.0.0
 exit-address-family
!
ip forward-protocol nd
ip route vrf INTERNET 0.0.0.0 0.0.0.0 10.0.1.2
!
!
no ip http server
no ip http secure-server
! PAT for VRF INTERNET behind the Fa0/1 address; the ACL matches any source,
! so the overlapping 172.16.1.1 of both customers is translated to the same
! 10.0.1.1, and replies are routed back in the single VRF INTERNET table
ip nat inside source list NAT-INTERNET interface FastEthernet0/1 vrf INTERNET overload
!
ip access-list extended NAT-INTERNET
 permit ip any any
!
no cdp log mismatch duplex
!
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

PE1 CONFIG

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
! each customer VRF has its own RD, so the two 172.16.1.1/32 routes are
! distinct VPNv4 routes; both VRFs import PE2's default route via RT 2.2.2.2:1
ip vrf A
 rd 1.1.1.1:1
 route-target export 1.1.1.1:1
 route-target import 1.1.1.1:1
 route-target import 2.2.2.2:1
!
ip vrf B
 rd 1.1.1.1:2
 route-target export 1.1.1.1:2
 route-target import 1.1.1.1:2
 route-target import 2.2.2.2:1
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip vrf forwarding A
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip vrf forwarding A
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip vrf forwarding B
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet3/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 2 vrf A
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 192.168.1.2 0.0.0.0 area 0
 network 192.168.2.1 0.0.0.0 area 0
!
router ospf 3 vrf B
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 192.168.3.1 0.0.0.0 area 0
!
router ospf 1
 log-adjacency-changes
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf B
  redistribute connected
  redistribute ospf 3 vrf B
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute connected
  redistribute ospf 2 vrf A
  no synchronization
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

Hello,

Configuring a VRF INTERNET is a common way.

Please share the output of these commands on PE2:

show ip route vrf A

show ip route vrf B

show ip route vrf INTERNET

Set "debug ICMP" on GW and ping from CE1, CE2 and CE3. What do you see?

Masoud

PE2#show ip vrf A
% No VRF named A

PE2#show ip vrf B
% No VRF named B

I have only VRF INTERNET, and I have imported VRF A and VRF B into it.

PE2#show ip route vrf INTERNET

Gateway of last resort is 10.0.1.2 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 2 subnets
B       172.16.1.1 [200/2] via 1.1.1.1, 00:00:22
B       172.16.2.1 [200/11] via 1.1.1.1, 00:00:22
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.1.0 is directly connected, FastEthernet0/1
B    192.168.1.0/24 [200/0] via 1.1.1.1, 00:00:22
B    192.168.2.0/24 [200/0] via 1.1.1.1, 00:00:22
B    192.168.3.0/24 [200/0] via 1.1.1.1, 00:00:22
S*   0.0.0.0/0 [1/0] via 10.0.1.2

As you can see from the VRF INTERNET table, there is only one 172.16.1.1 (the overlapping IP address).

Maybe I should also configure VRF A and VRF B on PE2 and then import the default route from VRF INTERNET. That way there are no overlapping IPs in VRF INTERNET... (I think)

CE3#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/89/120 ms

CE3#ping 8.8.8.8 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/79/96 ms

GW#
*Mar 1 00:05:08.127: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1
*Mar 1 00:05:08.219: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1
*Mar 1 00:05:08.311: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1
*Mar 1 00:05:08.435: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1
*Mar 1 00:05:08.531: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1

CE1#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/95/128 ms

CE1#ping 8.8.8.8 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.....
Success rate is 0 percent (0/5)

*Mar 1 00:08:23.307: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1
GW#
*Mar 1 00:08:26.047: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1
GW#
*Mar 1 00:08:29.183: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1
GW#
*Mar 1 00:08:32.027: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1
GW#
*Mar 1 00:08:34.931: ICMP: echo reply sent, src 8.8.8.8, dst 10.0.1.1

Hello Pablo,

>> Maybe I should also configure VRF A and VRF B on PE2 and then import the default route from VRF INTERNET. That way there are no overlapping IPs in VRF INTERNET... (I think)

Yes, this should be the way to go. You were asking too much of PE2: how could it discriminate between overlapping addresses coming from two different VRFs defined on PE1?

Hope this helps

Giuseppe

Thanks,

I'd like to ask one last thing:

Is it necessary to configure VRF INTERNET?

I mean, I could configure on PE2 only VRF A and VRF B and then create one default route for VRF A and one for VRF B, without configuring VRF INTERNET... right?

The benefit of configuring VRF INTERNET is that it allows configuring only one default route and then redistributing it to the other VRFs (the process is more automated), right?

Thanks :)

As for your question about VRF INTERNET, it is easy to implement if you do not have IP overlap, or if you can handle the overlap on the customer side. You just need to play with export and import in the VRFs.

If you use the global routing table instead, you need to create all VRFs on the PE router connected to the Internet and then use PBR to direct the return traffic to each VRF.

Hope it helps,

Masoud

Actually, it is complicated when you have overlapping IPs.

If you do not have overlapping IPs, you do not need to create VRF A and VRF B when VRF INTERNET is configured.

If you have overlapping IPs, you need to use other ways. I do not think it is possible using a common Internet VRF. It is possible for a common service such as a server (in your case only 8.8.8.8), but for the entire Internet address space it is not possible.

Even for a common server, it is complicated. Let me know if you need help with only your scenario (pinging only some specific addresses such as 8.8.8.8, not the entire Internet).

Masoud

Check my previous comment. Check your NAT also.

Do this test as well.

Consider two IPs for NAT:

NAT all VRF A IPs to 10.0.1.10

NAT all VRF B IPs to 10.0.1.20

Masoud
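The following is an added example, not code from the thread, from Cisco IOS or from the LabMinute tutorial: a small Python model of what PE2 does with the VPNv4 routes and the NAT state, to show why Giuseppe's accepted answer (VRF A and VRF B also on PE2) and Masoud's test (a distinct NAT address per VRF) both disambiguate the overlapping 172.16.1.1, while a single VRF INTERNET cannot. RDs, RTs, addresses and VRF names follow the thread. Assumptions are labelled in the code: which of the two colliding routes BGP best-path selection installs in VRF INTERNET (the model keeps the first received; in the thread VRF B happened to win, since CE3 worked and CE1 did not), the mapping from a PE1 VRF to the PE2 VRF its packets land in, and that Masoud's per-VRF NAT addresses sit on top of per-VRF tables. The point for an operator is that with one shared table the reply for one customer's address is routed to the other customer's identical address, i.e. traffic crosses the VRF boundary; keeping the translation state per VRF keeps it separated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str          # route distinguisher assigned by the originating PE1 VRF
    prefix: str      # IPv4 prefix
    rts: frozenset   # route targets attached on export
    origin_vrf: str  # PE1 VRF that originated the route (model bookkeeping only)


# Constructed sample routes, following the thread: VRF A and VRF B on PE1
# both advertise 172.16.1.1/32 (the CE loopbacks), under different RDs.
PE1_ADVERTISED = (
    Vpnv4Route("1.1.1.1:1", "172.16.1.1/32", frozenset({"1.1.1.1:1"}), "A"),
    Vpnv4Route("1.1.1.1:1", "192.168.1.0/24", frozenset({"1.1.1.1:1"}), "A"),
    Vpnv4Route("1.1.1.1:2", "172.16.1.1/32", frozenset({"1.1.1.1:2"}), "B"),
    Vpnv4Route("1.1.1.1:2", "192.168.3.0/24", frozenset({"1.1.1.1:2"}), "B"),
)


def build_vrf_table(routes, import_rts):
    """Import into one VRF every VPNv4 route carrying one of import_rts.
    Inside the VRF the RD no longer separates routes, so two routes for the
    same prefix collide and only one is installed. Real BGP best-path
    selection decides which; this model keeps the first received (assumption).
    Returns {prefix: origin_vrf}."""
    table = {}
    for r in routes:
        if r.rts & import_rts and r.prefix not in table:
            table[r.prefix] = r.origin_vrf
    return table


class Pe2:
    """PE2 with its VRF tables and a VRF-aware NAT (overload).
    landing_vrf maps a PE1 VRF to the PE2 VRF its packets arrive in, i.e. the
    VRF that exported the default route PE1 uses (assumption of the model);
    outside_ip is the NAT address used for each PE2 VRF."""

    def __init__(self, vrf_imports, landing_vrf, outside_ip):
        self.tables = {v: build_vrf_table(PE1_ADVERTISED, rts)
                       for v, rts in vrf_imports.items()}
        self.landing_vrf = landing_vrf
        self.outside_ip = outside_ip
        self.translations = {}  # (outside_ip, port) -> (pe2_vrf, inside_ip)
        self._next_port = 1024

    def outbound(self, src_vrf, src_ip):
        """Echo request from a CE in src_vrf leaves towards the Internet.
        NAT records the VRF the translation was created in and a unique port."""
        vrf = self.landing_vrf[src_vrf]
        port, self._next_port = self._next_port, self._next_port + 1
        key = (self.outside_ip[vrf], port)
        self.translations[key] = (vrf, src_ip)
        return key

    def inbound(self, key):
        """Echo reply comes back: undo the translation, then route the inside
        address in the VRF recorded with it. Returns the PE1 VRF the reply
        is delivered to, or None if there is no route."""
        vrf, inside_ip = self.translations[key]
        return self.tables[vrf].get(inside_ip + "/32")


def round_trip(pe2, src_vrf, src_ip="172.16.1.1"):
    """True when the reply reaches the VRF that sent the request."""
    return pe2.inbound(pe2.outbound(src_vrf, src_ip)) == src_vrf


def shared_internet_vrf():
    """Design from the thread: one VRF INTERNET on PE2 importing both RTs."""
    return Pe2(vrf_imports={"INTERNET": {"1.1.1.1:1", "1.1.1.1:2"}},
               landing_vrf={"A": "INTERNET", "B": "INTERNET"},
               outside_ip={"INTERNET": "10.0.1.1"})


def per_vrf_on_pe2():
    """Accepted answer: VRF A and VRF B also exist on PE2, each with NAT."""
    return Pe2(vrf_imports={"A": {"1.1.1.1:1"}, "B": {"1.1.1.1:2"}},
               landing_vrf={"A": "A", "B": "B"},
               outside_ip={"A": "10.0.1.1", "B": "10.0.1.1"})


def per_vrf_nat_addresses():
    """Masoud's test on top of per-VRF tables: a distinct NAT address per VRF."""
    return Pe2(vrf_imports={"A": {"1.1.1.1:1"}, "B": {"1.1.1.1:2"}},
               landing_vrf={"A": "A", "B": "B"},
               outside_ip={"A": "10.0.1.10", "B": "10.0.1.20"})


if __name__ == "__main__":
    for name, factory in (("shared VRF INTERNET", shared_internet_vrf),
                          ("VRF A/B on PE2", per_vrf_on_pe2),
                          ("per-VRF NAT addresses", per_vrf_nat_addresses)):
        pe2 = factory()
        verdict = {v: "ok" if round_trip(pe2, v) else "FAILS" for v in ("A", "B")}
        print(f"{name}: tables={pe2.tables} ping from A {verdict['A']}, from B {verdict['B']}")
```

Running it prints one line per design: with the shared VRF INTERNET only three prefixes survive the import (one 172.16.1.1/32, owned by whichever VRF won) and exactly one of the two customers gets its replies back, which is the CE1/CE3 asymmetry seen in the thread; with per-VRF tables on PE2 each translation carries its own VRF and both customers work, whether the NAT address is shared or distinct per VRF.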

Hi

I want to ask you: can C1 ping C3? Because both have a default route in their routing table.
