07-24-2018 06:02 AM - edited 03-05-2019 10:48 AM
Hello,
on top of our DMVPN config we have created an additional VRF on a Cisco 881 [15.4(3)M8] which is a second internet connection meant for voice services. Between the LAN VRF and the new additional voice VRF we've created a direct physical connection (ethernet cable) to route some IPs from existing VRF to voice VRF.
Problem we are having is that we cannot even ping the IPs of the VLAN interfaces.
interface FastEthernet0
description Transfer VRF -> connected with cable to FA2
switchport access vlan 300
no ip address
duplex full
speed 100
!
interface FastEthernet1
description LAN
switchport access vlan 101
no ip address
duplex full
speed 100
!
interface FastEthernet2
description Transfer VRF -> connected with cable to FA0
switchport access vlan 302
no ip address
duplex full
speed 100
!
interface FastEthernet3
description LAN
switchport access vlan 303
no ip address
duplex full
speed 100
!
interface FastEthernet4
description ISP
mtu 1492
ip vrf forwarding internet
ip address dhcp
ip access-group 100 in
duplex auto
speed auto
!
!
interface Vlan101
description LAN
ip vrf forwarding BBNIG
ip address 10.230.1.1 255.255.255.0
ip virtual-reassembly in
!
interface Vlan300
ip vrf forwarding BBNIG
ip address 10.127.251.33 255.255.255.248
!
interface Vlan302
ip vrf forwarding SIP
ip address 10.127.251.34 255.255.255.248
!
interface Vlan303
description internet for voice
ip vrf forwarding SIP
ip address 192.168.8.254 255.255.255.0
ip route vrf SIP 0.0.0.0 0.0.0.0 192.168.8.1
ip route vrf SIP 10.0.0.0 255.0.0.0 10.127.251.33
ip route vrf BBNIG <SIP GTW> 255.255.255.255 10.127.251.34
Any idea why we cannot even ping the 10.127.251.33 / 10.127.251.34 from the opposite VRF even if directly connected?
sh ip route vrf SIP
Gateway of last resort is 192.168.8.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.8.1
10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S 10.0.0.0/8 [1/0] via 10.127.251.33
C 10.127.251.32/29 is directly connected, Vlan302
L 10.127.251.34/32 is directly connected, Vlan302
192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.8.0/24 is directly connected, Vlan303
L 192.168.8.254/32 is directly connected, Vlan303
Thanks,
Webwalker
07-24-2018 10:31 AM - edited 07-24-2018 10:32 AM
Fa0 connected to Fa2 on the same router like a physical loopback? Is it supposed to work? I am very interested to know.
Why use VRFs if routing between them is required?
07-24-2018 12:54 PM
You must create two static ARP entries to make this work...
07-25-2018 12:14 AM
How exactly should these ARP entries be configured?
Thanks
07-24-2018 03:14 PM - edited 07-25-2018 01:38 AM
Edited:
Hello
VRF enables you to segregate the router to have multiple routing tables; as such, each VRF is independent of the others. That is why it lets you apply the same subnet/IP address on two different interfaces on the same device.
Now you can route leak between the vrf routing tables and the global routing table of the router if you wish but I would suggest you change one of the vrf's address to a different subnet to avoid any conflict.
You will also need to add statics in your router to make the global rib aware of the vrf ribs.
example:
ip route vrf BBING 10.230.1.1 255.255.255 vlan 300
ip route vrf BBING 10.127.251.33 255.255.255.248 vlan 300
ip route vrf SIP 192.168.8.254 255.255.255.0 vlan 303
Also, to reach another network in a different VRF you need to import that prefix into the VRF table you want to use to reach the opposite VRF prefix. One way to do this is again to use static routing; another way would be to import the routes via a route map.
example:
R1
vrf BBNG 1.1.1.1/32 loopback 0
vrf BBNG 10.1.12.1/24 fa0/0 <---connected to R2
ip route vrf BBING 2.2.2.2 255.255.255.255 10.1.12.2 global
or
ip prefix-list vrf-to-R2 permit 2.2.2.2/32
route-map stan-r1
match ip address prefix vrf-to-R2
ip vrf BBNG
import map vrf-to-R2
R2
vrf SIP 2.2.2.2/32
vrf SIP 10.1.12.2/24 fa0/0 <---connected to R1
ip route vrf SIP 1.1.1.1 255.255.255.255 10.1.12.1 global
or
ip prefix-list vrf-to-R1 permit 1.1.1.1/32
route-map stan-r1
match ip address prefix vrf-to-R1
ip vrf SIP
import map vrf-to-R1
res
Paul
07-24-2018 03:28 PM
07-24-2018 04:11 PM - edited 07-24-2018 04:15 PM
Hello a.alekseev
From what I can see in this post, it does seem the global keyword IS required to tell the VRF RIB to check the router's global routing table for its next hop. However, would you be able to explain why this isn't required? It may be that I have misinterpreted the OP.
Also I see no mention of any routing process in the OP or from the route table output , so where does bgp come into this post?
Lastly, the loopbacks were just an example of a logical connected interface in a VRF so the adjacent routers could access each other between different VRF tables.
07-24-2018 04:35 PM - edited 07-24-2018 04:36 PM
vrf SIP 10.1.12.2/24 fa0/0 <---connected to R1
ip route vrf 1.1.1.1 255.255.255.255 10.1.12.1 global
first you missed vrf's name
ip route vrf SIP 1.1.1.1 255.255.255.255 10.1.12.1 global
global - where the router should look for next hop.
In your example the router should look for 10.1.12.1 in GRT.
But in your example 10.1.12.1 in vrf SIP (vrf SIP 10.1.12.2/24 fa0/0 <---connected to R1)
07-24-2018 04:44 PM
Hello
You are correct, I did miss out the VRF name; that was a typo (now amended). However, please note this was an example of route leaking ONLY so the OP could use it to his/her own advantage.
07-24-2018 03:38 PM
07-25-2018 01:48 AM - edited 07-25-2018 01:50 AM
Could you show the output
Sh int vlan300
Sh int vlan302
Look for the MAC addresses. Do they differ?
If not, try to make l3 loop between f0 - f2
P.S. as I said before there is another way to do route leaking...
07-25-2018 01:58 AM
Hi,
yes, we will work on route leaking as well but will first focus on the physical connection.
Attached is the output: MACs are the same
sh int vlan 300
Vlan300 is up, line protocol is up
Hardware is EtherSVI, address is e8b7.4809.6df0 (bia e8b7.4809.6df0)
Internet address is 10.127.251.33/29
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 01:46:20, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
3 packets input, 180 bytes, 0 no buffer
Received 3 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
35 packets output, 3450 bytes, 0 underruns
0 output errors, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
sh int vlan 302
Vlan302 is up, line protocol is up
Hardware is EtherSVI, address is e8b7.4809.6df0 (bia e8b7.4809.6df0)
Internet address is 10.127.251.34/29
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:32:19, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
9 packets input, 540 bytes, 0 no buffer
Received 9 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
9 packets output, 540 bytes, 0 underruns
0 output errors, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
sh arp vrf SIP
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.127.251.33 35 e8b7.4809.6df0 ARPA Vlan302
Internet 10.127.251.34 - e8b7.4809.6df0 ARPA Vlan302
Internet 192.168.8.1 172 44c3.4653.07c0 ARPA Vlan303
Internet 192.168.8.254 - e8b7.4809.6df0 ARPA Vlan303
sh arp vrf BBNIG
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.127.251.33 - e8b7.4809.6df0 ARPA Vlan300
Internet 10.230.1.1 - e8b7.4809.6df0 ARPA Vlan101
Internet 10.230.1.11 1 2047.47b3.de18 ARPA Vlan101
Internet 10.230.1.12 79 ecf4.bb66.a739 ARPA Vlan101
Internet 10.230.1.136 14 a44c.c80c.ff13 ARPA Vlan101
Internet 10.230.1.138 87 847b.eb0b.9878 ARPA Vlan101
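The comparison asked for above (do the two SVIs on the transfer subnet report different MAC addresses?) can be scripted against saved `show interfaces` output. This is an added example, not part of any post in the thread; the function names are hypothetical and the sample text is constructed from the Vlan300/Vlan302 output quoted above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the "sh int vlan" output in this thread.
SHOW_INT = """\
Vlan300 is up, line protocol is up
  Hardware is EtherSVI, address is e8b7.4809.6df0 (bia e8b7.4809.6df0)
  Internet address is 10.127.251.33/29
Vlan302 is up, line protocol is up
  Hardware is EtherSVI, address is e8b7.4809.6df0 (bia e8b7.4809.6df0)
  Internet address is 10.127.251.34/29
"""

MAC_RE = r"address is ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"


def parse_interfaces(text):
    """Return {interface: {"mac": str, "ip": IPv4Interface}} from show-interface text."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^(\S+) is .*line protocol is", line):
            current = ifaces.setdefault(m.group(1), {})
        elif current is None:
            continue  # ignore anything before the first interface header
        elif m := re.search(MAC_RE, line):
            current["mac"] = m.group(1)
        elif m := re.search(r"Internet address is (\S+)", line):
            current["ip"] = ipaddress.ip_interface(m.group(1))
    return ifaces


def shared_mac_segments(ifaces):
    """Group interfaces by (subnet, MAC) and keep groups with two or more members.

    Two L3 interfaces in one subnet that answer with the same MAC is the
    condition this thread points to when the Fa0-Fa2 cable loop fails.
    """
    groups = defaultdict(list)
    for name, info in ifaces.items():
        if "mac" in info and "ip" in info:
            groups[(info["ip"].network, info["mac"])].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for (net, mac), names in shared_mac_segments(parse_interfaces(SHOW_INT)).items():
        print(f"{net}: {', '.join(names)} share MAC {mac}")
```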
07-25-2018 03:32 AM
as you can see .33 and .34 have the same mac address...
so your loop will not work.
Just as an example
Router#sh ip route vrf SIP
Routing Table: SIP
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.8.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.8.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 10.230.1.0/24 is directly connected (BBNIG), 00:07:36, Ethernet0/0.10
L 10.230.1.1/32 is directly connected, Ethernet0/0.10
11.0.0.0/32 is subnetted, 1 subnets
B 11.11.11.11 [20/0] via 10.230.1.254 (BBNIG), 00:01:04
22.0.0.0/32 is subnetted, 1 subnets
S 22.22.22.22 [1/0] via 192.168.8.1
192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.8.0/24 is directly connected, Ethernet0/0.20
L 192.168.8.254/32 is directly connected, Ethernet0/0.20
Router#sh ip route vrf BBNIG
Routing Table: BBNIG
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.230.1.0/24 is directly connected, Ethernet0/0.10
L 10.230.1.1/32 is directly connected, Ethernet0/0.10
11.0.0.0/32 is subnetted, 1 subnets
S 11.11.11.11 [1/0] via 10.230.1.254
22.0.0.0/32 is subnetted, 1 subnets
B 22.22.22.22 [20/0] via 192.168.8.1 (SIP), 00:00:39
192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
B 192.168.8.0/24 is directly connected (SIP), 00:07:59, Ethernet0/0.20
L 192.168.8.254/32 is directly connected, Ethernet0/0.20
Router#sh ip bgp vpnv4 all
BGP table version is 15, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf SIP)
*> 10.230.1.0/24 0.0.0.0 0 32768 ?
*> 11.11.11.11/32 10.230.1.254 0 32768 ?
*> 22.22.22.22/32 192.168.8.1 0 32768 ?
*> 192.168.8.0 0.0.0.0 0 32768 ?
Route Distinguisher: 1:2 (default for vrf BBNIG)
*> 10.230.1.0/24 0.0.0.0 0 32768 ?
*> 11.11.11.11/32 10.230.1.254 0 32768 ?
*> 22.22.22.22/32 192.168.8.1 0 32768 ?
*> 192.168.8.0 0.0.0.0 0 32768 ?
Router#
Router#sh run
Building configuration...
Current configuration : 1992 bytes
!
! Last configuration change at 13:29:55 MSK Wed Jul 25 2018
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
clock timezone MSK 3 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip vrf BBNIG
rd 1:2
route-target export 1:2
route-target export 1:1
route-target import 1:2
route-target import 1:1
!
ip vrf SIP
rd 1:1
route-target export 1:1
route-target export 1:2
route-target import 1:1
route-target import 1:2
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Loopback1000
description ### for BGP router-id ###
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
no ip address
!
interface Ethernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding BBNIG
ip address 10.230.1.1 255.255.255.0
!
interface Ethernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding SIP
ip address 192.168.8.254 255.255.255.0
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router bgp 65000
bgp log-neighbor-changes
!
address-family ipv4 vrf BBNIG
redistribute connected
redistribute static route-map STATIC2BGP
exit-address-family
!
address-family ipv4 vrf SIP
redistribute connected
redistribute static route-map STATIC2BGP
exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf SIP 0.0.0.0 0.0.0.0 192.168.8.1
ip route vrf SIP 22.22.22.22 255.255.255.255 192.168.8.1 tag 999
ip route vrf BBNIG 11.11.11.11 255.255.255.255 10.230.1.254 tag 999
!
route-map STATIC2BGP permit 10
match tag 999
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
end