
{SOLVED} VRF problem. Ping reply works but no data flow.

rmlestraden
Level 1

Hello there,

I have been breaking my head over the past few days and I can't get this to work. Perhaps I am making a mistake in the config, but I can't see what is wrong with it.

The problem is that I can ping the hosts in the other network. And if I do a port scan from subnet 1 to subnet 2, I get open ports. For example, if I open the web browser and go from 10.0.2.x to 10.0.1.x, then I get only port status open, but no page. If I want to telnet from router to router, I get no telnet session, only status open.

The provider uses an IPVPN between the 2 10.0.x.x networks. So when connected on Dialer2 you will have only those 2 subnets.

The Dialer1 is for internet use and does not have any issues at all.

I posted this question in the wrong section of the forum at https://supportforums.cisco.com/message/3718385#3718385, so ignore that post.

Marcin replied with the following:

What you're describing is most likely a problem with MTU (if ping works and TCP connect port scan returns open ports) or some very odd problem with forwarding.

BTW - this section of forums is for crypto VPNs, not MPLS and such ;-)

M.


I contacted the provider this morning again and they keep saying that there is no problem with the IPVPN.

But what can it be?

Current configuration : 5575 bytes

!

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

!

hostname HD1

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200

logging console critical

!

no aaa new-model

!

memory-size iomem 10

clock timezone GMT 1 0

clock summer-time GMT date

!

!

no ip source-route

ip auth-proxy max-login-attempts 5

ip admission max-login-attempts 5

!

!

!

ip vrf data

rd 65535:1

!

ip vrf voice

rd 65535:2

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 10.0.1.1 10.0.1.49

!

ip dhcp pool DATA

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 213.144.235.254

option 43 hex 3a02.0005.ff

!

ip dhcp pool VOICE

network 10.0.1.0 255.255.255.0

default-router 10.0.1.1

dns-server 213.144.235.1

option 66 ip 10.0.1.2

!

!

no ip bootp server

no ip domain lookup

ip domain name net.lan

ip name-server 213.144.235.1

ip name-server 213.144.235.2

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO887VA-K9 sn

!

!

archive

log config

  hidekeys

username admin privilege 15 secret 5 pass

!

!

!

!

!

controller VDSL 0

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

!

!

!

!

!

!

interface Ethernet0

no ip address

shutdown

!

interface ATM0

no ip address

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description Internet_DATA_PVC1

pvc 0/33

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface ATM0.2 point-to-point

description VOICE_PVC2

pvc 0/34

  vbr-rt 200 200

  encapsulation aal5mux ppp dialer

  dialer pool-member 2

!

!

interface FastEthernet0

ip vrf forwarding voice

no ip address

!

interface FastEthernet1

ip vrf forwarding voice

no ip address

!

interface FastEthernet2

description Ethernet poort 3

switchport access vlan 2

no ip address

!

interface FastEthernet3

description Ethernet poort 4

switchport access vlan 2

no ip address

!

interface Vlan2

description Internet_DATA_VLAN

ip vrf forwarding data

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Vlan1

description VOICE_VLAN

ip vrf forwarding voice

ip address 10.0.1.1 255.255.255.0

ip tcp adjust-mss 1452

!

interface Dialer1

ip vrf forwarding data

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username user password 7 pass

no cdp enable

!

interface Dialer2

ip vrf forwarding voice

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer-group 2

ppp authentication pap callin

ppp pap sent-username user password 7 pass

no cdp enable

!

ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns view vrf data default

no ip nat service sip udp port 5060

ip nat inside source list 101 interface Dialer1 vrf data overload

ip route vrf data 0.0.0.0 0.0.0.0 Dialer1

ip route vrf voice 0.0.0.0 0.0.0.0 Dialer2

!

logging trap debugging

access-list 23 permit 10.0.1.0 0.0.0.255

access-list 23 permit 10.0.2.0 0.0.0.255

access-list 23 permit 192.168.1.0 0.0.0.255

access-list 23 permit 83.232.161.0 0.0.0.255

access-list 23 permit 82.94.79.0 0.0.0.255

access-list 23 permit 84.246.25.0 0.0.0.255

access-list 23 permit 172.31.255.0 0.0.0.255

access-list 23 permit 213.144.0.0 0.0.255.255

access-list 23 permit 92.65.31.32 0.0.0.7

access-list 23 permit 192.168.2.0 0.0.0.255

access-list 100 permit ip any any

access-list 100 permit tcp any any

access-list 100 permit udp any any

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

access-list 103 permit ip 10.0.1.0 0.0.0.255 any

access-list 103 permit ip 10.0.2.0 0.0.0.255 any

access-list 103 permit tcp 10.0.2.0 0.0.0.255 any

access-list 103 permit tcp 10.0.1.0 0.0.0.255 any

access-list 103 permit udp 10.0.2.0 0.0.0.255 any

access-list 103 permit udp 10.0.1.0 0.0.0.255 any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

no cdp run

!

!

control-plane

^C

!

line con 0

login local

line aux 0

line vty 0 4

privilege level 15

logging synchronous

login local

transport input telnet

!

!

end

Config 2

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Current configuration : 5772 bytes

!

!

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

!

hostname STR

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200

logging console critical

!

no aaa new-model

!

memory-size iomem 10

clock timezone GMT 1 0

clock summer-time GMT date Mar 30 2002 1:00 Oct 26 2035 1:59

!

!

no ip source-route

ip auth-proxy max-login-attempts 5

ip admission max-login-attempts 5

!

!

!

ip vrf data

rd 65535:1

route-target export 65535:1

route-target import 65535:1

!

ip vrf voice

rd 65535:2

route-target export 65535:2

route-target import 65535:2

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.2.1 192.168.2.49

ip dhcp excluded-address 10.0.2.1 10.0.2.49

!

ip dhcp pool DATA

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server 213.144.235.254

option 43 hex 3a02.0005.ff

!

ip dhcp pool VOICE

network 10.0.2.0 255.255.255.0

default-router 10.0.2.1

dns-server 213.144.235.1

option 66 ip 10.0.1.2

!

!

no ip bootp server

no ip domain lookup

ip domain name net.lan

ip name-server 213.144.235.1

ip name-server 213.144.235.2

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO887VA-K9 sn

!

!

archive

log config

  hidekeys

username user privilege 15 secret 5 pass

!

!

!

!

!

controller VDSL 0

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

!

!

!

!

!

!

interface Ethernet0

no ip address

shutdown

!

interface ATM0

no ip address

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description internet_DATA_PVC1

pvc 0/33

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface ATM0.2 point-to-point

description VOICE_PVC2

pvc 0/34

  vbr-rt 200 200

  encapsulation aal5mux ppp dialer

  dialer pool-member 2

!

!

interface FastEthernet0

description Ethernet poort 3

ip vrf forwarding voice

no ip address

!

interface FastEthernet1

ip vrf forwarding voice

no ip address

!

interface FastEthernet2

description Ethernet poort 3

switchport access vlan 2

no ip address

!

interface FastEthernet3

description Ethernet poort 4

switchport access vlan 2

no ip address

!

interface Vlan2

description internet_DATA_VLAN

ip vrf forwarding data

ip address 192.168.2.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Vlan1

description VOICE_VLAN

ip vrf forwarding voice

ip address 10.0.2.1 255.255.255.0

ip tcp adjust-mss 1452

!

interface Dialer1

ip vrf forwarding data

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username user password 7 pass

no cdp enable

!

interface Dialer2

ip vrf forwarding voice

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer-group 2

ppp authentication pap callin

ppp pap sent-username user password 7 pass

no cdp enable

!

ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns view vrf data default

no ip nat service sip udp port 5060

ip nat inside source list 101 interface Dialer1 vrf data overload

ip route vrf data 0.0.0.0 0.0.0.0 Dialer1

ip route vrf voice 0.0.0.0 0.0.0.0 Dialer2

!

logging trap debugging

access-list 23 permit 10.0.2.0 0.0.0.255

access-list 23 permit 10.0.1.0 0.0.0.255

access-list 23 permit 192.168.2.0 0.0.0.255

access-list 23 permit 83.232.161.0 0.0.0.255

access-list 23 permit 82.94.79.0 0.0.0.255

access-list 23 permit 84.246.25.0 0.0.0.255

access-list 23 permit 172.31.255.0 0.0.0.255

access-list 23 permit 213.144.0.0 0.0.255.255

access-list 23 permit 92.65.31.32 0.0.0.7

access-list 23 permit 192.168.1.0 0.0.0.255

access-list 100 permit ip any any

access-list 100 permit tcp any any

access-list 100 permit udp any any

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 103 permit ip 10.0.2.0 0.0.0.255 any

access-list 103 permit ip 10.0.1.0 0.0.0.255 any

access-list 103 permit tcp 10.0.2.0 0.0.0.255 any

access-list 103 permit tcp 10.0.1.0 0.0.0.255 any

access-list 103 permit udp 10.0.2.0 0.0.0.255 any

access-list 103 permit udp 10.0.1.0 0.0.0.255 any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

no cdp run

!

!

control-plane

!

!

!

line con 0

login local

line aux 0

line vty 0 4

privilege level 15

logging synchronous

login local

transport input telnet

!

!

end
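
A check of the MTU hypothesis Marcin raises, as an added example that is not part of the original post: it parses the interface blocks of a config in the flattened form posted above and reports, per VRF, the path MTU that the "ip tcp adjust-mss" clamp assumes and the interfaces where "no ip unreachables" suppresses the ICMP fragmentation-needed messages that path MTU discovery depends on. The function names and the embedded excerpt are constructed for illustration.

```python
import re

# Constructed excerpt: the MTU-relevant lines of the interface blocks in the
# HD1 config posted above, in the flattened (unindented) form the post uses.
CONFIG = """\
interface Vlan2
ip vrf forwarding data
ip tcp adjust-mss 1452
!
interface Vlan1
ip vrf forwarding voice
ip tcp adjust-mss 1452
!
interface Dialer1
ip vrf forwarding data
no ip unreachables
!
interface Dialer2
ip vrf forwarding voice
no ip unreachables
!
"""

def parse_interfaces(text):
    """Map interface name -> settings. A '!' line ends a block, so the parser
    does not depend on indentation or on blank lines between commands."""
    ifaces, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(
                line.split()[1], {"vrf": None, "mss": None, "unreachables": True})
        elif line == "!":
            cur = None
        elif cur is not None:
            if m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
                cur["vrf"] = m[1]
            elif m := re.fullmatch(r"ip tcp adjust-mss (\d+)", line):
                cur["mss"] = int(m[1])
            elif line == "no ip unreachables":
                cur["unreachables"] = False
    return ifaces

def pmtud_summary(ifaces):
    """Per VRF: largest MSS clamp, the path MTU it assumes (MSS + 20-byte IPv4
    header + 20-byte TCP header), and interfaces with ICMP unreachables off."""
    out = {}
    for name, i in ifaces.items():
        v = out.setdefault(i["vrf"] or "global",
                           {"mss": None, "assumed_mtu": None, "silent": []})
        if i["mss"] is not None and (v["mss"] is None or i["mss"] > v["mss"]):
            v["mss"], v["assumed_mtu"] = i["mss"], i["mss"] + 40
        if not i["unreachables"]:
            v["silent"].append(name)
    return out

if __name__ == "__main__":
    print(pmtud_summary(parse_interfaces(CONFIG)))
```

For the voice VRF this reports a clamp of 1452 (a 1492-byte path assumed) with Dialer2 listed as silent. If the usable MTU inside the IPVPN were smaller than that, pings and TCP handshakes would still pass while full-size segments are dropped without an ICMP error from this router.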


rmlestraden
Level 1

The problem has been resolved. It was the line provider that made a mistake by giving the wrong line speed at the second pvc.

After they made the correct changes the connection was made between the 2 routers over the IPVPN.

Router config Check

Router firmware Check

First pvc Check

Second pvc but now check

Ipvpn and data flow check

Connection has been made check
