02-04-2015 12:45 PM - edited 03-05-2019 12:43 AM
Hey people. I'm trying to solve a small VRF Lite project I've been working on. Router has one public interface. I have GRE tunnels going to a VTI. I also created a second tunnel VTI and put it in a VRF so that I could have one plain GRE tunnel and also a second GRE tunnel that supports IPSEC. I can't seem to figure out how to route packets in and out of the VRF and global table. From a tunnel established on the VRF, I would like to ping one of the global table peers networks (or even a loopback interface on the router itself). Below is my config. Any help is appreciated.
ip vrf IPSEC-Customers
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
interface Tunnel0
 bandwidth 100000
 bandwidth inherit
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nat inside
 ip nhrp map multicast dynamic
 ip nhrp network-id 1011
 ip nhrp holdtime 30
 ip nhrp registration timeout 30
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 load-interval 30
 qos pre-classify
 tunnel source 204.12.X.X
 tunnel mode gre multipoint
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
!
interface Tunnel1
 bandwidth 10000
 bandwidth inherit
 ip vrf forwarding IPSEC-Customers
 ip address 10.1.2.1 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nhrp map multicast dynamic
 ip nhrp network-id 1012
 ip nhrp holdtime 30
 ip nhrp registration timeout 30
 ip tcp adjust-mss 1400
 load-interval 30
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 50
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
 tunnel protection ipsec profile DMVPN1
!
interface FastEthernet0/0
 bandwidth 10000
 ip address 204.12.X.X 255.255.2X.X
 ip access-group Outside_In in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf IPSEC-Customers
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
!
ip route vrf IPSEC-Customers 10.2.7.0 255.255.255.0 10.1.2.3 name Test
02-05-2015 03:42 AM
Hello,
The tunnel source and destination must be in the same vrf for this to work. In another case you can use a tunnel to ride over a vrf if required.
So your global table would then become a VRF; I am not sure if we can do this with the global table... :-/ Using your example below:
ip vrf IPSEC-Customers
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf GLOBAL
 rd 1:1
!
interface Tunnel0
 ip vrf forwarding GLOBAL
 bandwidth 100000
 bandwidth inherit
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nat inside
 ip nhrp map multicast dynamic
 ip nhrp network-id 1011
 ip nhrp holdtime 30
 ip nhrp registration timeout 30
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 load-interval 30
 qos pre-classify
 tunnel source 204.12.X.X
 tunnel mode gre multipoint
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
!
interface Tunnel1
 bandwidth 10000
 bandwidth inherit
 ip vrf forwarding IPSEC-Customers
 ip address 10.1.2.1 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nhrp map multicast dynamic
 ip nhrp network-id 1012
 ip nhrp holdtime 30
 ip nhrp registration timeout 30
 ip tcp adjust-mss 1400
 load-interval 30
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 50
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
 tunnel protection ipsec profile DMVPN1
 tunnel vrf GLOBAL
!
interface FastEthernet0/0
 ip vrf forwarding GLOBAL
 bandwidth 10000
 ip address 204.12.X.X 255.255.2X.X
 ip access-group Outside_In in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
I haven't tested this myself but I have come across this in my studies. In theory this should work.
Hope this helps.
Bilal (CCIE #45032)
02-05-2015 07:50 AM
Are you sure about this? I'm afraid to test this since this router is remote from me. The GLOBAL vrf doesn't exist so I would think this would be creating a second vrf like my first one.
Robert
02-05-2015 08:24 AM
Hello Robert, I would strongly advise not to do this since the router is in a remote location.
I think it will be better if you had the router locally or you were present where the router is. Also with this it may be that you have to take a look at things like routing protocols, AAA config / management config etc. and how they will interact with the GLOBAL vrf.
Apart from this, I cannot think of another way to get this working at the moment.
02-05-2015 11:16 AM
OK, on larger projects, how would I route traffic in and out of a VRF like this? I guess I don't understand where my issue is, big or small.
Robert
02-05-2015 12:22 PM
OK, so is your DMVPN OK between this router and the IPSEC-Customers? Is the IPsec up? Maybe I think it uses the default table if we don't specify the tunnel vrf command.
Can you ping .3?
ping vrf IPSEC-Customers 10.1.2.3? I don't know if I'm asking the right questions, because I am assuming I understood your question correctly. If you can explain a bit more please, that would be great.
Thank you
02-07-2015 07:23 AM
Yes, the IPsec tunnel is up. From the customer side, I can ping the tunnel endpoint (10.1.2.1). I can also ping the customer from the headend router. However, if I try to ping something not in the IPSEC VRF from the customer side, it just comes back with "destination host unreachable". It's as if packets can enter/exit the VRF as they should.
Robert
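For the "route in and out of the VRF" part of the question, one way that avoids moving the global table into a VRF is static route leaking on the hub. This is an added example, not a config from the thread; it uses the hub addresses from Robert's config and assumes a plain-GRE spoke at 10.1.1.2 on Tunnel0 with 10.3.0.0/24 behind it (both assumed values).

```cisco
! Added example: static route leaking between VRF IPSEC-Customers and the
! global table on the hub. Assumed values: global-table spoke 10.1.1.2 on
! Tunnel0 with LAN 10.3.0.0/24 behind it; everything else is from the thread.
!
! VRF -> global: a lookup inside IPSEC-Customers for 10.3.0.0/24 resolves
! its next hop in the global table (keyword "global"), where 10.1.1.2 is
! connected via Tunnel0. Leak only the prefixes the customers need; a
! leaked default route would expose the whole global table to them.
ip route vrf IPSEC-Customers 10.3.0.0 255.255.255.0 10.1.1.2 global
!
! Global -> VRF: return traffic for the customer LAN is sent out the
! VRF-attached Tunnel1 to the spoke's tunnel address. Interface and next
! hop are both given because Tunnel1 is a multipoint GRE interface.
ip route 10.2.7.0 255.255.255.0 Tunnel1 10.1.2.3
!
! Note: "redistribute static" under address-family ipv4 vrf IPSEC-Customers
! will also advertise the leaked 10.3.0.0/24 to any VRF BGP neighbours.
! The global-table spoke (10.1.1.2) needs its own route for 10.2.7.0/24
! pointing at the hub, 10.1.1.1, or it will drop the replies.
!
! Checks on the hub: each table should now carry the leaked prefix, and
! the IPSEC spoke's ping to 10.3.0.x should no longer return unreachable.
! show ip route vrf IPSEC-Customers 10.3.0.0
! show ip route 10.2.7.0
! ping vrf IPSEC-Customers 10.3.0.1 source 10.1.2.1
```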
02-07-2015 02:36 PM
Okay, that sounds interesting. Could you post the show ip route of the customer side and also tell us what network they are trying to reach?