
Need help in vrf Routing Configuration. Cannot Ping my host

SajeshB
Level 1

Hi, I need help with a configuration. The basic topology diagram is attached below.

My topology is like this: we have a core switch and a distribution switch running VPLS between them, and an L2 access switch connected to the distribution switch. Next, my firewall is connected to an L2 WAN switch, and this WAN switch is connected to the core switch.

So I have configured a VRF, an L3 VLAN and an L2 VFI on my core switch; on the distribution switch it's an L2 VLAN and L2 VFI, and on my access layer switch only an L2 VLAN.

I can ping my firewall interface in the same subnet from the L3 VLAN (VRF) on my core switch, but I fail to ping my internal host, which is connected to the access layer switch. Then my internal host is able to ping the L3 VLAN on the core switch and my firewall interface IP.

My internal host is assigned a static IP, gateway and DNS.

I was suspecting an issue with the L2 VFI, so I isolated my host and connected it to my WAN switch. I'm still failing to ping the host from my core, but the firewall inside interface is also connected to the same WAN switch and I can ping that from my core.

In case the static IP was an issue, I have built a DHCP server on my firewall; the internal host is also getting an IP from that DHCP server on the firewall.

I checked the VPLS also; they are up.

Please find the config for core, distribution and access:

Core:
MIHAN_CC_SW1#sh run int vlan 636
Building configuration...

Current configuration : 178 bytes
!
interface Vlan636
ip vrf forwarding V636:Intel
ip address 10.58.205.190 255.255.255.192
no ip redirects
xconnect vfi vpls-636
end

MIHAN_CC_SW1#
MIHAN_CC_SW1#sh run vrf V636:Intel
Building configuration...

Current configuration : 456 bytes
ip vrf V636:Intel
rd 64530:636
route-target export 64530:636
route-target import 64530:636
!
!
interface Vlan636
ip vrf forwarding V636:Intel
ip address 10.58.205.190 255.255.255.192
no ip redirects
xconnect vfi vpls-636
!
router bgp 64530
!
address-family ipv4 vrf V636:Intel
redistribute connected
redistribute static
exit-address-family
!
ip route vrf V636:Intel 0.0.0.0 0.0.0.0 10.58.205.189
end

Distribution:
Dist_EB3_EB4#sh run int vlan 636
Building configuration...

Current configuration : 95 bytes
!
interface Vlan636
no ip address
xconnect vfi vpls-636
end

Access:
Vlan 636

int gig1/0/2
switchport mode access
switchport access vlan 636

 

 


Hello,

The drawing does not match what you describe in your post. What VLAN is the host in, 626 or 636? Also, what is the default gateway IP address for the host, and where is that IP address configured?

Hi Georg,

Sorry for the incorrect diagram; I have now made the changes in the diagram. The host is also in the same VLAN 636 and the gateway is configured on the core switch, but a manual IP and gateway are added on the host system.

Hello @SajeshB ,

I don't think the following configuration is supported

 

>> interface Vlan636
ip vrf forwarding V636:Intel
ip address 10.58.205.190 255.255.255.192
no ip redirects
xconnect vfi vpls-636
!

 

You would like SVI Vlan 636 to be at the same time an L3 interface member of VRF V636:Intel and an access link for VPLS vpls-636, which is an L2-only feature.

 

You can try to use a trick like using a different SVI like VLAN 637 for the L3 features (VRF and IP address) and have a LAN cable connecting an access port in Vlan 637 with an access port in Vlan 636.

Using this trick you may be able to ping the host in VRF from a different SVI.

 

Hope to help

Giuseppe

 

Hi Giuseppe,

Thanks for this, but I have multiple projects running on this core switch, and I have been using the same config (SVI VLAN for L3 VRF and L2 VFI); there is no issue with bidirectional ping (from core to host and host to core).

This is the first time I have faced this, where my core L3 VLAN fails to ping the host but hosts are able to ping my core L3 VLAN and firewall interface.

Hello @SajeshB ,

Good to know.

At this point I suspect a SW firewall is running on the host, and this can explain the asymmetric behaviour.

 

Hope to help

Giuseppe

 

I didn't get you; are you talking about a firewall running on the host machine? If that were the case, I have tried with multiple hosts and the issue is the same. I have tried putting one of the hosts in a different VLAN (e.g. VLAN 500) with a different VRF (V500:Paypal) and VFI (vpls-500), and I'm able to ping the host from the L3 VLAN 500 of the core.

Hi Giuseppe,

One more thing I need to highlight: I have isolated the host and connected it to the WAN switch, where no VPLS is required, and I'm still not able to ping. If you look at the diagram you will get a clearer idea of what I'm saying.

I need your help: can I do a Wireshark capture on the system and really check that my packets are reaching the host?

The actual issue started when my hosts were able to access the internet but after a few seconds they were losing the connection. When I started pinging the hosts from the core they were not reachable, while the host was able to ping everything. So I suspected that packets are getting dropped between the core and the host, maybe something like a return route issue from the core to the host system.
