04-16-2008 02:23 AM - edited 03-03-2019 09:34 PM
Hi, given this is my first post please excuse any glaring errors.
My problem is that I am having issues reaching the internet from our 3845 router using VRF. The setup is as follows:
I have a 3845 router with a DS3 Cct connected to my provider. One T3 sub-interface goes to our providers MPLS cloud and then to our other offices. The other subinterface on the T3 is connected to our Providers Internet service, the 3845 has two LAN interfaces G0/0 & G0/1.
G0/0 is connected to our Local LAN and is our office default G/W. G0/1 is currently configured with a temporary Internet Address for testing purposes.
BGP is running between the 3845 and the providers PE router for MPLS cloud connectivity. BGP is also running between our 3845 and PE router for Internet connectivity. I have already implemented filtering on the BGP config that stops updates for the Internet subnet appearing on the MPLS network and the other way round stopping the updates for the MPLS routes appearing on the Internet subnet.
I have implemented VRF to ensure traffic separation between the internal and internet traffic but the Internet traffic does not flow between G0/1 and the internet, any help would be gratefully received.
Router config available as soon as someone requests it
04-16-2008 02:59 AM
Andrew
You need to modify your BGP config. For the DIA vrf you need to create an address-family under your BGP config for the Internet Peering. This way you should not need to filter between the 2 BGP peerings, although I can't tell from your config how the BGP routes are getting redistributed into your local routing protocol (if at all).
So your BGP config would be something along the lines of
router bgp 64610
no synchronization
bgp log-neighbor-changes
network 10.z.z.z mask 255.255.240.0 --> Office LAN subnet
redistribute static
neighbor x.x.x.x remote-as 6745 ! MPLS peering
neighbor x.x.x.x ebgp-multihop 4
neighbor x.x.x.x version 4
neighbor x.x.x.x distribute-list 10 out
no auto-summary
address-family ipv4 vrf DIA
 neighbor y.y.y.y remote-as 3549 ! Internet peering
 neighbor y.y.y.y version 4
 network 208.50.120.32 mask 255.255.255.224
Not sure where you want to redistribute static so I have left it in the main BGP config.
The main BGP config is for your internal network. The address-family is for your DIA vrf.
Jon
04-16-2008 02:30 AM
Could you provide a few more details plus config.
1) What vrf have you assigned Gi0/1 into.
2) What vrf is gi0/2 in.
3) Have you allocated your T3 subinterfaces into vrf's ?
What traffic flows ie. internal to external and vice-versa are you trying to segregate.
Jon
04-16-2008 02:43 AM
Jon
Thanks for the prompt reply; the config has the answers to questions 1, 2 & 3.
The traffic segregation needed is as follows
Gi0/0 <-> s2/0.16 for internal traffic
Gi0/1 <-> S2/0.518 for Internet traffic.
Behind the Gi0/1 interface is a Checkpoint firewall cluster and various web servers etc. so all Internet traffic from internal users etc would first come via the internal interface of the Checkpoint and then to the Gi0/1 interface.
Hope this makes sense.
Regards Andrew
****************
3845 config
ip vrf DIA
description *** DIA VRF Instance ***
rd 3549:2
route-target export 3549:2
route-target import 3549:2
!
interface GigabitEthernet0/1
description *** Local Internet Connection ***
ip vrf forwarding DIA
ip address 208.50.120.33 255.255.255.224
!
interface Serial2/0.518 point-to-point
description ***** Internet Connection ****
bandwidth 12000
ip vrf forwarding DIA
ip address 207.138.94.182 255.255.255.252
frame-relay interface-dlci 518
!
router bgp 64610
no synchronization
bgp log-neighbor-changes
network 10.z.z.z mask 255.255.240.0 --> Office LAN subnet
network 208.50.120.32 mask 255.255.255.224 --> Test IP subnet
redistribute static
neighbor x.x.x.x remote-as 6745 ! MPLS peering
neighbor x.x.x.x ebgp-multihop 4
neighbor x.x.x.x version 4
neighbor x.x.x.x distribute-list 10 out
neighbor y.y.y.y remote-as 3549 ! Internet peering
neighbor y.y.y.y local-as 64875
neighbor y.y.y.y version 4
neighbor y.y.y.y prefix-list DIA-out out
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.z.z.z
ip route vrf DIA 0.0.0.0 0.0.0.0 y.y.y.y
!
ip prefix-list DIA-out seq 5 permit 208.50.120.32/27
ip prefix-list DIA-out seq 10 deny 0.0.0.0/0
access-list 10 deny 208.50.120.32 0.0.0.31
access-list 10 permit any
*********************
Regards Andrew
04-16-2008 03:58 AM
Jon
Many thanks, I will add the address family and let you know what happens.
Regards Andrew
04-16-2008 05:02 AM
Jon
Many thanks this has fixed the problem and I now have Internet connectivity.
Regards Andrew
04-16-2008 05:06 AM
Andrew
No problem, glad to have helped.
Jon
04-16-2008 03:11 AM
Hi,
The usual setup for BGP in your scenario is a BGP session from the global routing table and another session from within the VRF. That would change your BGP config to:
router bgp 64610
no synchronization
bgp log-neighbor-changes
network 10.z.z.z mask 255.255.240.0 --> Office LAN subnet
redistribute static
neighbor x.x.x.x remote-as 6745 ! MPLS peering
neighbor x.x.x.x ebgp-multihop 4
neighbor x.x.x.x version 4
neighbor x.x.x.x distribute-list 10 out
no auto-summary
!
address-family ipv4 vrf DIA
 neighbor y.y.y.y remote-as 3549 ! Internet peering
 neighbor y.y.y.y local-as 64875
 neighbor y.y.y.y version 4
 neighbor y.y.y.y prefix-list DIA-out out
 no auto-summary
 network 208.50.120.32 mask 255.255.255.224 --> Test IP subnet
 redistribute static
exit-address-family
The assumption is that "y.y.y.y" is reachable from VRF DIA. In your given example the VRF DIA only has a default route and likely the return traffic is the issue.
Can you check your BGP sessions with "show ip bgp summary" in the current implementation and additionally with "show ip bgp vpnv4 vrf DIA summary" in my example?
In your example it *might* show "Idle", whereas it should really show the number of received routes.
A side note: Your prefix list
ip prefix-list DIA-out seq 5 permit 208.50.120.32/27
ip prefix-list DIA-out seq 10 deny 0.0.0.0/0
can either be simplified to:
ip prefix-list DIA-out seq 5 permit 208.50.120.32/27
because there is an implicit deny at the end, or you might want to consider using
ip prefix-list DIA-out seq 5 permit 208.50.120.32/27
ip prefix-list DIA-out seq 10 deny 0.0.0.0/0 le 32
with statement 10 equal to a "deny any" for visibility in the configuration.
The statement ip prefix-list DIA-out seq 10 deny 0.0.0.0/0 will only deny the default route.
Hope this helps! Please rate all posts.
Regards, Martin
04-16-2008 03:15 AM
Martin
I don't think the prefix list and distribute list are needed. I think Andrew had to use them because both peerings were under the global BGP config. By moving the DIA vrf to an address-family and only having the network 208.50.120.32 advertised from there I think they can safely be removed.
Jon
04-16-2008 05:05 AM
Hi Jon,
Hm ... Yes and No. Technically speaking, if all the information given above applies, you are right. BUT, first, this is BGP to the internet and you should have filters in place. In fact I would recommend an outbound AS path list as well, preventing any update with a non-empty path.
You may call it paranoia, but I have seen so many unprotected enterprise BGP routers ...
Second, internet access is likely provided to hosts, which will need both, internet and intranet access. So, after the testing stage is over, there will be some connectivity between both worlds. This also means that internal routes need to be in the internet VRF. I was also thinking about that time ...
Those are the reasons why I left the filter in place.
Regards, Martin
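The prefix-list semantics Martin describes above (a bare `deny 0.0.0.0/0` matches only the default route, `deny 0.0.0.0/0 le 32` matches everything) and his suggested outbound AS-path filter that permits only locally originated updates (empty AS path, `^$`) are worked through below in a small policy simulator. This is an added example, not code from the thread or from Cisco; the `LIST_LATER` list and every candidate prefix other than 208.50.120.32/27 are constructed for illustration.

```python
import ipaddress
import re

# Cisco-style entry: "ip prefix-list NAME seq N permit|deny A/L [ge G] [le E]"
ENTRY_RE = re.compile(r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse_entry(line):
    seq, action, net, ge, le = ENTRY_RE.match(line.strip()).groups()
    return {"seq": int(seq), "action": action, "net": ipaddress.ip_network(net),
            "ge": int(ge) if ge else None, "le": int(le) if le else None}

def entry_matches(entry, prefix):
    # IOS semantics: candidate inside A/L, length within the ge/le window (exactly /L if neither given).
    net, p = entry["net"], ipaddress.ip_network(prefix)
    if p.prefixlen < net.prefixlen or not p.subnet_of(net):
        return False
    ge, le = entry["ge"], entry["le"]
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return lo <= p.prefixlen <= hi

def evaluate(lines, prefix):
    # First matching sequence wins; no match falls through to the implicit deny (seq None).
    for e in sorted(map(parse_entry, lines), key=lambda e: e["seq"]):
        if entry_matches(e, prefix):
            return e["action"], e["seq"]
    return "deny", None

def outbound_policy(lines, as_path_regex, candidates):
    # Prefix-list first, then an AS-path filter such as 'ip as-path access-list 1 permit ^$'.
    path_ok = re.compile(as_path_regex)
    verdicts = {}
    for prefix, as_path in candidates:
        action, seq = evaluate(lines, prefix)
        if action != "permit":
            verdicts[prefix] = "denied by prefix-list seq %s" % ("implicit" if seq is None else seq)
        elif not path_ok.search(as_path):
            verdicts[prefix] = "denied by as-path filter"
        else:
            verdicts[prefix] = "advertised"
    return verdicts

PERMIT = "ip prefix-list DIA-out seq 5 permit 208.50.120.32/27"          # from the thread
LIST_DEFAULT_ONLY = [PERMIT, "ip prefix-list DIA-out seq 10 deny 0.0.0.0/0"]
LIST_DENY_ANY = [PERMIT, "ip prefix-list DIA-out seq 10 deny 0.0.0.0/0 le 32"]
# Hypothetical later-stage list that also permits internal 10/8 space (constructed, not from the thread).
LIST_LATER = [PERMIT, "ip prefix-list DIA-out seq 7 permit 10.0.0.0/8 le 24", LIST_DENY_ANY[1]]
# Constructed candidate updates: (prefix, received AS path). Only 208.50.120.32/27 is from the thread.
CANDIDATES = [("208.50.120.32/27", ""), ("0.0.0.0/0", "64875 3549"),
              ("10.1.0.0/20", ""), ("10.2.0.0/16", "6745 65001")]
```

Running `outbound_policy(LIST_LATER, r"^$", CANDIDATES)` shows the point of the AS-path list: the provider-learnt 10.2.0.0/16 is permitted by the prefix-list but still stopped because its path is not empty, while the locally originated 10.1.0.0/20 goes out.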
04-16-2008 04:00 AM
Martin
Thanks for the information and yes, y.y.y.y is reachable from VRF DIA. I will implement your and Jon's solution and let you know what happens.
Regards Andrew
04-16-2008 04:45 AM
Martin
Here is the output of the sh ip bgp... both before and after the changes to add address-family commands.
BGP status before address-family commands added
router# sh ip bgp summ
BGP router identifier y.y.y.y, local AS number 64610
BGP table version is 522671, main routing table version 522671
162 network entries using 19440 bytes of memory
162 path entries using 8424 bytes of memory
10/8 BGP path/bestpath attribute entries using 1240 bytes of memory
5 BGP AS-PATH entries using 120 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 4) using 60 bytes of memory
BGP using 29308 total bytes of memory
BGP activity 248323/248160 prefixes, 259426/259263 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
x.x.x.x 4 6745 35376 33843 522671 0 0 1w3d 59
y.y.y.y 4 3549 33236 34513 0 0 0 03:10:47 Idle
BGP status after address-family commands added
router# sh ip bgp summ
BGP router identifier y.y.y.y, local AS number 64610
BGP table version is 522671, main routing table version 522671
162 network entries using 19440 bytes of memory
162 path entries using 8424 bytes of memory
12/8 BGP path/bestpath attribute entries using 1488 bytes of memory
6 BGP AS-PATH entries using 144 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 4) using 60 bytes of memory
BGP using 29580 total bytes of memory
BGP activity 248324/248160 prefixes, 259427/259263 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
x.x.x.x 4 6745 35389 33856 522671 0 0 1w3d 59
y.y.y.y 4 3549 33236 34513 0 0 0 03:17:00 Idle
router# sh ip bgp vpnv4 vrf DIA
BGP table version is 8, local router ID is y.y.y.y
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 3549:2 (default for vrf DIA)
r> 0.0.0.0 207.138.94.181 0 64875 3549 i
*> 208.50.120.32/27 0.0.0.0 0 32768 i
router#show ip bgp vpnv4 vrf DIA summ
BGP router identifier y.y.y.y, local AS number 64610
BGP table version is 8, main routing table version 8
2 network entries using 280 bytes of memory
2 path entries using 136 bytes of memory
12/2 BGP path/bestpath attribute entries using 1488 bytes of memory
6 BGP AS-PATH entries using 144 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 4) using 60 bytes of memory
BGP using 2132 total bytes of memory
BGP activity 248324/248160 prefixes, 259427/259263 paths, scan interval 15 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
207.138.94.181 4 3549 233 136 8 0 0 00:05:44 1
Regards Andrew
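Martin's check ("show ip bgp summary" should show a received-route count, not "Idle") can be automated over the output Andrew posted above. The parser below is an added example, not code from the thread; it reads the neighbour table of `show ip bgp summary` / `show ip bgp vpnv4 vrf ... summary` and flags any session that is not Established, using Andrew's before and after rows (placeholders kept) as sample input.

```python
import re

# One neighbour row of "show ip bgp summary" / "show ip bgp vpnv4 vrf X summary":
# Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
ROW_RE = re.compile(r"^(\S+)\s+(\d)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")

def parse_bgp_summary(text):
    """Map each neighbour to its remote AS and session status.

    The last column is a prefix count only when the session is Established;
    otherwise IOS prints the FSM state (Idle, Active, Connect, ...)."""
    sessions = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, memory statistics and other non-row lines
        nbr, remote_as, last = m.group(1), int(m.group(3)), m.group(10)
        established = last.isdigit()
        sessions[nbr] = {"as": remote_as, "established": established,
                         "state": "Established" if established else last,
                         "prefixes": int(last) if established else 0}
    return sessions

def down_sessions(text):
    """Neighbours whose session is not Established, the condition Martin asked Andrew to look for."""
    return sorted(n for n, s in parse_bgp_summary(text).items() if not s["established"])

# Neighbour rows as Andrew posted them before the address-family change (placeholders kept).
BEFORE = """\
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
x.x.x.x 4 6745 35376 33843 522671 0 0 1w3d 59
y.y.y.y 4 3549 33236 34513 0 0 0 03:10:47 Idle
"""
# The VRF-scoped summary after the change.
AFTER_VRF = """\
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
207.138.94.181 4 3549 233 136 8 0 0 00:05:44 1
"""
```

Note that the Internet peer still shows Idle in the global table after the change: once the neighbour lives in the VRF address-family, only the VRF-scoped summary reports that session.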
04-16-2008 05:04 AM
Martin
Many thanks this has fixed the problem and I now have Internet connectivity.
Regards Andrew