12-14-2023 01:11 AM - last edited on 12-15-2023 01:37 AM by Translator
Hello Guys.
I have a few VRFs in one site. I can't figure out why I can't get VRF traffic to the internet through the VTI tunnel, site A to B.
I already tried with PBR and it doesn't work.
Goal: From Site A, I want the VRF LAN 10.200.30.0/24 to be able to get the internet from Site B instead of the local provider.
Site B (HUB) vti:
interface Tunnel102
description HQ
ip vrf forwarding VRF_CUST_10
ip address 10.1.2.1 255.255.255.252
ip mtu 1472
ip nat inside
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf 10 area 1
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 76.82.178.110
tunnel key 20170815
ip nat inside source list VRF_CUST_30_WAN interface GigabitEthernet0/0/0 vrf VRF_CUST_30 overload
ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 199.180.x.113
ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 199.180.x.113
ip access-list extended VRF_CUST_30_WAN
permit ip 10.1.30.0 0.0.0.255 any
permit ip 10.200.30.0 0.0.0.255 any
Site A (spoke) or client
interface Tunnel102
description CF_HQ
ip vrf forwarding VRF_CUST_10
ip address 10.1.2.2 255.255.255.252
ip mtu 1472
ip nat inside
ip load-sharing per-packet
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf 10 area 1
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 199.180.x.114
tunnel key 20170815
tunnel path-mtu-discovery
tunnel vrf ISP
ip nat inside source list VRF_CUST_30_WAN interface Tunnel102 vrf VRF_CUST_30 overload
ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 10.1.2.1
ip access-list extended VRF_CUST_30_WAN
permit ip 10.200.30.0 0.0.0.255 any
deny ip 10.200.30.0 0.0.0.255 10.10.25.0 0.0.0.255
deny ip 10.200.30.0 0.0.0.255 172.16.250.0 0.0.0.255
What is the trick?
Can anyone help out?
Thanks in advance.
Let me know if you need anything else.
Thanks.
12-14-2023 01:31 AM - last edited on 12-15-2023 01:40 AM by Translator
Site B (HUB) vti:
interface Tunnel102
description HQ
ip address 10.1.2.1 255.255.255.252
ip mtu 1472
ip nat inside
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf 10 area 1
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 76.82.178.110
tunnel key 20170815
Last steps
Configure a static route for the Site A subnet toward the Site A end IP of the tunnel (this in the hub).
Configure overload NATing in the Hub for the Site A LAN.
MHM
12-14-2023 03:51 PM - last edited on 12-15-2023 01:57 AM by Translator
Hello
You show differing VRFs for the tunnel and static routes; is this correct?
I would say you do not require NAT on the Site A tunnel or per-packet load sharing on either site's tunnel. Also, I suggest allowing the advertisement of a default route dynamically to Site A from Site B instead of hardcoding a default static route.
As for Site B, is the WAN interface supposed to be in a different VRF than the tunnel interfaces, or is it a typo?
Lastly, the Site A LAN subnet 10.200.30.0/24 should be reachable via OSPF, and you only require the more specific default static route defined.
Site A
no ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 10.1.2.1
no ip nat inside source list VRF_CUST_30_WAN interface Tunnel102 vrf VRF_CUST_30 overload
no ip access-list extended VRF_CUST_30_WAN
int tunnel 102
no ip nat inside
no ip load-sharing per-packet
ip vrf forwarding VRF_CUST_30
router ospf 10 vrf VRF_CUST_30
capability vrf-lite
Site B
no ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 199.180.x.113
no ip access-list extended VRF_CUST_30_WAN
int tunnel 102
no ip load-sharing per-packet
ip vrf forwarding VRF_CUST_30
ip access-list extended VRF_CUST_30_WAN
permit ip 10.200.30.0 0.0.0.255 any
router ospf 10 vrf VRF_CUST_30
capability vrf-lite
default-information originate metric-type 1
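Pulling the accepted fix together, here is a consolidated hub and spoke configuration for the VRF_CUST_30 internet breakout. It is an added example, not configuration from either poster. It keeps the names already on the page (Tunnel30, 10.4.2.0/30, VRF_CUST_30, the VRF_CUST_30_WAN ACL, OSPF process 30, the masked public addresses) and assumes OSPF area 0, a spoke LAN interface GigabitEthernet0/0/1 addressed 10.200.30.1, and that the hub's GigabitEthernet0/0/0 sits in the global table with 199.180.x.113 as the ISP next-hop. The points that make it work: the tunnel, the LAN, the default route and the NAT statement all live in the same VRF; NAT happens only on the hub, with ip nat outside on the WAN interface; the VRF default is leaked to the global table; and the spoke learns its default from OSPF instead of a static route. The NAT ACL permits only 10.200.30.0/24, so no other VRF's traffic can be translated out of the hub's uplink.

```cisco
! ===== Site B (HUB) =====
! Assumed: Gi0/0/0 is the ISP uplink in the global routing table.
interface GigabitEthernet0/0/0
 description ISP uplink (assumed global table)
 ip nat outside
!
interface Tunnel30
 description CF_HQ
 ip vrf forwarding VRF_CUST_30
 ip address 10.4.2.1 255.255.255.252
 ip mtu 1472
 ip nat inside
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf 30 area 0
 keepalive 10 3
 tunnel source GigabitEthernet0/0/0
 tunnel destination 76.82.X.110
 tunnel key 20170845
!
! Default route inside the VRF, leaked to the global uplink so NATed
! packets can exit. This route is what default-information originate
! advertises to the spoke (no "always" needed while it exists).
ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 199.180.x.113 global
!
router ospf 30 vrf VRF_CUST_30
 capability vrf-lite
 default-information originate metric-type 1
!
! VRF-aware PAT: only the Site A VRF LAN is translated to the uplink address.
ip access-list extended VRF_CUST_30_WAN
 permit ip 10.200.30.0 0.0.0.255 any
ip nat inside source list VRF_CUST_30_WAN interface GigabitEthernet0/0/0 vrf VRF_CUST_30 overload

! ===== Site A (SPOKE) =====
! No "ip nat inside", no per-packet load sharing, no static default in the VRF.
interface Tunnel30
 description CF_HQ
 ip vrf forwarding VRF_CUST_30
 ip address 10.4.2.2 255.255.255.252
 ip mtu 1472
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf 30 area 0
 keepalive 10 3
 tunnel source GigabitEthernet0/0/0
 tunnel destination 199.180.x.114
 tunnel key 20170845
 tunnel vrf ISP
!
! Assumed LAN interface; it must sit in the same VRF as the tunnel.
interface GigabitEthernet0/0/1
 description VRF_CUST_30 LAN (assumed name and address)
 ip vrf forwarding VRF_CUST_30
 ip address 10.200.30.1 255.255.255.0
 ip ospf 30 area 0
!
router ospf 30 vrf VRF_CUST_30
 capability vrf-lite
 passive-interface GigabitEthernet0/0/1
!
! Verification (exec mode):
!  spoke: show ip route vrf VRF_CUST_30 0.0.0.0      -> expect O*E1 via 10.4.2.1
!  spoke: ping vrf VRF_CUST_30 1.1.1.1 source 10.200.30.1
!  hub:   show ip nat translations vrf VRF_CUST_30   -> entries for 10.200.30.x
```

If the spoke's ping fails after this, check the three VRF bindings first (tunnel, LAN, OSPF process) before touching NAT: a default route learned in one VRF while the LAN sits in another is exactly the mismatch this thread started with, and it shows up immediately in the show ip route vrf output as a missing default.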
12-14-2023 01:20 AM - edited 12-14-2023 01:22 AM
No need, I will check what you are sharing.
MHM
12-14-2023 01:26 AM - last edited on 12-15-2023 01:39 AM by Translator
interface Tunnel102
description CF_HQ
ip vrf forwarding VRF_CUST_10
ip address 10.1.2.2 255.255.255.252
ip mtu 1472
ip nat inside
ip load-sharing per-packet
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf 10 area 1
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 199.180.x.114
tunnel key 20170815
tunnel path-mtu-discovery
tunnel vrf ISP
No need for NAT; NAT is needed in the Hub to make the subnet access the internet.
ip route vrf VRF_CUST_10 0.0.0.0 0.0.0.0 10.1.2.1
<- Why do you use a different VRF in the default route? You need to use _10, not _30.
10.200.30.0
<- This LAN must be in the same VRF as the tunnel, i.e. _10.
MHM
12-14-2023 01:58 PM - last edited on 12-15-2023 01:53 AM by Translator
I tried what you recommended to me. I created a new VTI30 in the SPOKE. Both tunnels are up and can ping each other.
interface Tunnel30
description CF_HQ
ip vrf forwarding VRF_CUST_30
ip address 10.4.2.2 255.255.255.252
ip mtu 1472
ip nat inside
ip load-sharing per-packet
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 199.180.x.114
tunnel key 20170845
tunnel path-mtu-discovery
tunnel vrf ISP
I tried these two, one at a time and no luck.
ip nat inside source list VRF_CUST_30_WAN interface GigabitEthernet0/0/0 vrf VRF_CUST_30 overload
ip nat inside source list VRF_CUST_30_WAN interface Tunnel30 vrf VRF_CUST_30 overload
ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 10.4.2.1
The access list is the same:
ip access-list extended VRF_CUST_30_WAN
permit ip 10.200.30.0 0.0.0.255 any
deny ip 10.200.30.0 0.0.0.255 10.10.25.0 0.0.0.255
deny ip 10.200.30.0 0.0.0.255 172.16.250.0 0.0.0.255
#THE HUB
interface Tunnel30
description CF_HQ
ip vrf forwarding VRF_CUST_30
ip address 10.4.2.1 255.255.255.252
ip mtu 1472
ip nat inside
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 76.82.X.110
tunnel key 20170845
tunnel path-mtu-discovery
tunnel vrf ISP
When I try to ping from the SPOKE
ping vrf VRF_CUST_30 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
When I connect it to the NAT network, it says no internet.
I know I'm missing something.
Please help me.
Thanks.
12-14-2023 09:43 PM - last edited on 12-15-2023 01:57 AM by Translator
After I removed the NAT rules and access from Site A, added the IP NAT on the Hub, and added default-information originate metric-type 1 to the new router ospf 30 vrf VRF_CUST_30, I was able to route traffic through the tunnel.
Thank you very much
12-14-2023 09:49 PM
You are so welcome friend
Have a nice day
MHM