vrf internet through a vti

josebash (Level 1)

Hello Guys.

I have a few VRFs in one site. I can't figure out why I can't get VRF traffic to the internet through the VTI tunnel, site A to B.

I already tried with PBR and it doesn't work.

Goal: from Site A I want the VRF LAN 10.200.30.0/24 to be able to reach the internet via Site B instead of the local provider.

Site B (HUB) vti:

interface Tunnel102
description HQ
ip vrf forwarding VRF_CUST_10
ip address 10.1.2.1 255.255.255.252
ip mtu 1472
ip nat inside
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf 10 area 1
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 76.82.178.110
tunnel key 20170815

ip nat inside source list VRF_CUST_30_WAN interface GigabitEthernet0/0/0 vrf VRF_CUST_30 overload

ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 199.180.x.113
ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 199.180.x.113

ip access-list extended VRF_CUST_30_WAN
permit ip 10.1.30.0 0.0.0.255 any
permit ip 10.200.30.0 0.0.0.255 any

Site A (spoke) or client

interface Tunnel102
description CF_HQ
ip vrf forwarding VRF_CUST_10
ip address 10.1.2.2 255.255.255.252
ip mtu 1472
ip nat inside
ip load-sharing per-packet
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf 10 area 1
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 199.180.x.114
tunnel key 20170815
tunnel path-mtu-discovery
tunnel vrf ISP

ip nat inside source list VRF_CUST_30_WAN interface Tunnel102 vrf VRF_CUST_30 overload

ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 10.1.2.1

ip access-list extended VRF_CUST_30_WAN
permit ip 10.200.30.0 0.0.0.255 any
deny ip 10.200.30.0 0.0.0.255 10.10.25.0 0.0.0.255
deny ip 10.200.30.0 0.0.0.255 172.16.250.0 0.0.0.255

What is the trick?

Can anyone help out?

Thanks in advance.

Let me know if you need anything else.

7 Replies (the posts by MHM and Paul below are the two accepted solutions)

No need, I will check what you are sharing.

MHM

interface Tunnel102
description CF_HQ
ip vrf forwarding VRF_CUST_10
ip address 10.1.2.2 255.255.255.252
ip mtu 1472
ip nat inside
ip load-sharing per-packet
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf 10 area 1
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 199.180.x.114
tunnel key 20170815
tunnel path-mtu-discovery
tunnel vrf ISP

No need for NAT here; NAT is needed in the Hub to give the subnet internet access.

ip route vrf VRF_CUST_10 0.0.0.0 0.0.0.0 10.1.2.1

<- why do you use a different VRF in the default route? You need to use _10, not _30

10.200.30.0

<- this LAN must be in the same VRF as the tunnel, i.e. _10

MHM

Site B (HUB) vti:

interface Tunnel102
description HQ
ip address 10.1.2.1 255.255.255.252
ip mtu 1472
ip nat inside
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf 10 area 1
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 76.82.178.110
tunnel key 20170815

Last steps

Configure a static route for the Site A subnet toward the Site A end IP of the tunnel (this is in the hub)

Configure overload NATing in the Hub for the Site A LAN

MHM

josebash (Level 1)

I tried what you recommended to me. I created a new VTI30 in the SPOKE. Both tunnels are up and can ping each other.


interface Tunnel30
description CF_HQ
ip vrf forwarding VRF_CUST_30
ip address 10.4.2.2 255.255.255.252
ip mtu 1472
ip nat inside
ip load-sharing per-packet
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 199.180.x.114
tunnel key 20170845
tunnel path-mtu-discovery
tunnel vrf ISP


I tried these two, one at a time, and no luck.

ip nat inside source list VRF_CUST_30_WAN interface GigabitEthernet0/0/0 vrf VRF_CUST_30 overload
ip nat inside source list VRF_CUST_30_WAN interface Tunnel30 vrf VRF_CUST_30 overload

ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 10.4.2.1

The access list is the same:

ip access-list extended VRF_CUST_30_WAN
permit ip 10.200.30.0 0.0.0.255 any
deny ip 10.200.30.0 0.0.0.255 10.10.25.0 0.0.0.255
deny ip 10.200.30.0 0.0.0.255 172.16.250.0 0.0.0.255

#THE HUB
interface Tunnel30
description CF_HQ
ip vrf forwarding VRF_CUST_30
ip address 10.4.2.1 255.255.255.252
ip mtu 1472
ip nat inside
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel destination 76.82.X.110
tunnel key 20170845
tunnel path-mtu-discovery
tunnel vrf ISP

When I try to ping from the SPOKE

ping vrf VRF_CUST_30 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

When I connect it to the NAT network, it says no internet.
I know I'm missing something.

Please help me.

thanks.
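A diagnostic sequence for the failing ping above, added here as an example; it is not part of josebash's post or of any reply. It assumes the spoke's LAN gateway address is 10.200.30.1, which the thread does not give. The point it illustrates: `ping vrf VRF_CUST_30 1.1.1.1` with no `source` option uses the egress tunnel address 10.4.2.2, which is outside the 10.200.30.0/24 range the NAT ACL permits, so the hub will not translate it even when routing is otherwise correct.

```ios
! --- on the spoke (Site A) ---
! 1. Both the tunnel and the LAN interface must sit in the VRF.
show ip vrf interfaces VRF_CUST_30
! 2. The VRF must hold a default route pointing into the tunnel
!    (static via 10.4.2.1, or O*E1 once the hub originates it).
show ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0
! 3. Source the test from the LAN address so the packet matches the hub's NAT ACL.
!    10.200.30.1 is an assumed LAN gateway address.
ping vrf VRF_CUST_30 1.1.1.1 source 10.200.30.1
!
! --- on the hub (Site B) ---
! 4. The hub needs a return route for the spoke LAN in the same VRF
!    (the static route MHM describes, or the OSPF-learned prefix).
show ip route vrf VRF_CUST_30 10.200.30.0
! 5. NAT must list the tunnel as inside and the WAN port as outside;
!    check the interface list and the Hits/Misses counters.
show ip nat statistics
show ip nat translations vrf VRF_CUST_30
! 6. Confirm the forwarding decision for the Internet destination
!    leaves the VRF toward the provider next hop.
show ip cef vrf VRF_CUST_30 1.1.1.1
```

Work top to bottom: the first step that fails tells you whether the problem is VRF membership, routing, or translation, instead of guessing from a 0% ping.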

Hello
You show differing VRFs for the tunnel and static routes; is this correct?
I would say you do not require NAT on the Site A tunnel, or per-packet load sharing on either site's tunnel. Also, I suggest allowing the advertisement of a default route dynamically to Site A from Site B instead of hardcoding a default static route.

As for Site B, is the WAN interface supposed to be in a different VRF from the tunnel interfaces, or is it a typo?
Lastly, the Site A LAN subnet 10.200.30.0/24 should be reachable via OSPF, and you only require the more specific default static route defined.


Site A
no ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 10.1.2.1
no  ip nat inside source list VRF_CUST_30_WAN interface Tunnel102 vrf VRF_CUST_30 overload
no ip access-list extended VRF_CUST_30_WAN

int  tunnel 102
no ip nat inside
no ip load-sharing per-packet
ip vrf forwarding VRF_CUST_30

router ospf 10 vrf  VRF_CUST_30
capability vrf-lite

Site B
no ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 199.180.x.113
no ip access-list extended VRF_CUST_30_WAN

int  tunnel 102
no ip load-sharing per-packet
ip vrf forwarding VRF_CUST_30

ip access-list extended VRF_CUST_30_WAN
permit ip 10.200.30.0 0.0.0.255 any


router ospf 10 vrf  VRF_CUST_30
capability vrf-lite
default-information originate metric-type 1

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
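The thread's fix, consolidated into one working hub/spoke configuration as an added example; this is not Paul's or MHM's configuration verbatim and not Cisco documentation. It assumes the VRF VRF_CUST_30 already exists on both routers, that the hub's GigabitEthernet0/0/0 sits in the global table with 199.180.x.113 as the provider next hop, and a spoke LAN interface GigabitEthernet0/0/1 with gateway address 10.200.30.1, none of which appears in the thread. It also orders the NAT ACL so that site-to-site destinations are excluded before the catch-all permit; in the original spoke ACL the permit came first, so its two deny entries could never match and traffic to those internal subnets would have been translated.

```ios
! ===== Site B (hub) =====
! Tunnel, NAT rule and default route all live in VRF_CUST_30.
! Entering "ip vrf forwarding" clears the interface address, so re-enter it afterwards.
interface Tunnel102
 description HQ
 ip vrf forwarding VRF_CUST_30
 ip address 10.1.2.1 255.255.255.252
 ip mtu 1472
 ip tcp adjust-mss 1360
 ip nat inside
 ip ospf network point-to-point
 ip ospf 10 area 1
 keepalive 10 3
 tunnel source GigabitEthernet0/0/0
 tunnel destination 76.82.178.110
 tunnel key 20170815
!
! Assumed: the WAN port is in the global table; NAT needs an "outside" side.
interface GigabitEthernet0/0/0
 ip nat outside
!
! First match wins: exclude internal destinations before the catch-all permit.
! 10.10.25.0/24 and 172.16.250.0/24 are the destinations from the original spoke ACL.
ip access-list extended VRF_CUST_30_WAN
 deny   ip 10.200.30.0 0.0.0.255 10.10.25.0 0.0.0.255
 deny   ip 10.200.30.0 0.0.0.255 172.16.250.0 0.0.0.255
 permit ip 10.200.30.0 0.0.0.255 any
!
ip nat inside source list VRF_CUST_30_WAN interface GigabitEthernet0/0/0 vrf VRF_CUST_30 overload
!
! VRF default toward the provider. OSPF only originates a default
! (without "always") if one exists in the VRF RIB, so this route is required.
ip route vrf VRF_CUST_30 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 199.180.x.113
!
router ospf 10 vrf VRF_CUST_30
 capability vrf-lite
 default-information originate metric-type 1
!
! ===== Site A (spoke) =====
! No NAT, no per-packet load sharing and no static default here:
! the default arrives from the hub as an O*E1 route.
interface Tunnel102
 description CF_HQ
 ip vrf forwarding VRF_CUST_30
 ip address 10.1.2.2 255.255.255.252
 ip mtu 1472
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf 10 area 1
 keepalive 10 3
 tunnel source GigabitEthernet0/0/0
 tunnel destination 199.180.x.114
 tunnel key 20170815
 tunnel vrf ISP
!
! Assumed LAN interface and gateway address; it must be in the same VRF as the tunnel.
interface GigabitEthernet0/0/1
 ip vrf forwarding VRF_CUST_30
 ip address 10.200.30.1 255.255.255.0
 ip ospf 10 area 1
!
router ospf 10 vrf VRF_CUST_30
 capability vrf-lite
```

With this in place, `show ip route vrf VRF_CUST_30` on the spoke should show `O*E1 0.0.0.0/0` via 10.1.2.1, and `show ip nat translations vrf VRF_CUST_30` on the hub should fill with entries sourced from 10.200.30.0/24 once LAN hosts browse. Keeping the NAT ACL this narrow is also what prevents the hub from silently translating traffic for any other VRF or subnet that later shares the tunnel.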

josebash (Level 1)

After I removed the NAT rules and access from Site A, added the IP NAT on the Hub, and added

default-information originate metric-type 1 to the new router ospf 30 vrf VRF_CUST_30,

I was able to route traffic through the tunnel.

Thank you very much

You are so welcome, friend.

Have a nice day.

MHM
