VRF Lite Issues

Robert Craig
Level 3

Hey people. I'm trying to solve a small VRF Lite project I've been working on. Router has one public interface. I have GRE tunnels going to a VTI. I also created a second tunnel VTI and put it in a VRF so that I could have one plain GRE tunnel and also a second GRE tunnel that supports IPSEC. I can't seem to figure out how to route packets in and out of the VRF and global table. From a tunnel established on the VRF, I would like to ping one of the global table peers networks (or even a loopback interface on the router itself). Below is my config. Any help is appreciated.

 


! VRF for the IPsec-protected DMVPN (Tunnel1). The RD and route-targets only
! matter once routes are imported/exported between tables.
ip vrf IPSEC-Customers
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
! Plain (unencrypted) mGRE/DMVPN hub living in the global table
interface Tunnel0
 bandwidth 100000
 bandwidth inherit
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nat inside
 ip nhrp map multicast dynamic
 ip nhrp network-id 1011
 ip nhrp holdtime 30
 ip nhrp registration timeout 30
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 load-interval 30
 qos pre-classify
 tunnel source 204.12.X.X
 tunnel mode gre multipoint
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
!
! IPsec-protected mGRE/DMVPN hub. The inner (post-decapsulation) addressing
! is in the VRF; the outer GRE/ESP transport (tunnel source) stays in the
! global table because no "tunnel vrf" is configured.
interface Tunnel1
 bandwidth 10000
 bandwidth inherit
 ip vrf forwarding IPSEC-Customers
 ip address 10.1.2.1 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nhrp map multicast dynamic
 ip nhrp network-id 1012
 ip nhrp holdtime 30
 ip nhrp registration timeout 30
 ip tcp adjust-mss 1400
 load-interval 30
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 50
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
 tunnel protection ipsec profile DMVPN1
!
! Single public interface; transport for both tunnels
interface FastEthernet0/0
 bandwidth 10000
 ip address 204.12.X.X 255.255.2X.X
 ip access-group Outside_In in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
!
! BGP only carries the VRF's connected and static routes inside the VRF
! address family; nothing here moves them into the global table.
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf IPSEC-Customers
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
!
! Customer LAN behind the VRF-side spoke at 10.1.2.3
ip route vrf IPSEC-Customers 10.2.7.0 255.255.255.0 10.1.2.3 name Test

 

 

7 Replies

Bilal Nawaz
VIP Alumni

Hello,

The tunnel source and destination must be in the same VRF for this to work. In another case you can use a tunnel to ride over a VRF if required.

So your global table would then become a VRF; I am not sure if we can do this with the global table... :-/ Using your example below:

ip vrf IPSEC-Customers
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
! New VRF that takes over the role of the global table
ip vrf GLOBAL
 rd 1:1
!
interface Tunnel0
 ! "ip vrf forwarding" clears the interface's IP address, so it goes first
 ip vrf forwarding GLOBAL
 bandwidth 100000
 bandwidth inherit
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nat inside
 ip nhrp map multicast dynamic
 ip nhrp network-id 1011
 ip nhrp holdtime 30
 ip nhrp registration timeout 30
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 load-interval 30
 qos pre-classify
 tunnel source 204.12.X.X
 tunnel mode gre multipoint
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
 ! added: the source address 204.12.X.X now lives in VRF GLOBAL, so the
 ! outer GRE packets must be routed in that VRF as well; without this line
 ! IOS resolves the source in the global table, where it no longer exists
 tunnel vrf GLOBAL
!
interface Tunnel1
 bandwidth 10000
 bandwidth inherit
 ip vrf forwarding IPSEC-Customers
 ip address 10.1.2.1 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nhrp map multicast dynamic
 ip nhrp network-id 1012
 ip nhrp holdtime 30
 ip nhrp registration timeout 30
 ip tcp adjust-mss 1400
 load-interval 30
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 50
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
 tunnel protection ipsec profile DMVPN1
 ! outer transport (FastEthernet0/0) is in VRF GLOBAL; the inner traffic
 ! stays in IPSEC-Customers
 tunnel vrf GLOBAL
!
interface FastEthernet0/0
 ip vrf forwarding GLOBAL
 bandwidth 10000
 ip address 204.12.X.X 255.255.2X.X
 ip access-group Outside_In in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 

I haven't tested this myself, but I have come across this in my studies. In theory this should work.

Hope this helps.

Bilal (CCIE #45032)

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
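Two things the thread raises, worked into one IOS fragment: the point above that a tunnel's outer transport is routed in the table named by "tunnel vrf" (the global table when that line is absent), and the original question of how a spoke inside IPSEC-Customers reaches networks that only the global table knows. This is an added example, not configuration from either poster. It reuses the thread's interface names and the 10.1.1.0/24, 10.1.2.0/24 and 10.2.7.0/24 prefixes, and assumes a hypothetical global-side spoke at 10.1.1.2 behind which 10.3.0.0/24 lives, plus a hypothetical ACL name CUST-TO-GLOBAL. It covers reaching global-side peer networks from the VRF; reaching the hub's own loopback from the VRF is not shown.

```cisco
! --- Which table carries each tunnel's outer packets ---------------------
! Outer GRE/ESP packets are routed in the table named by "tunnel vrf";
! with no such line that is the global table. Both tunnels source from
! FastEthernet0/0, which is in the global table, so neither needs the
! command. Only Tunnel1's inner (decapsulated) traffic is in the VRF.
interface Tunnel1
 ip vrf forwarding IPSEC-Customers
 ip address 10.1.2.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 50
 tunnel protection ipsec profile DMVPN1
 ! If FastEthernet0/0 were ever moved into a transport VRF named WAN,
 ! the matching line here would be:   tunnel vrf WAN
!
! --- VRF -> global: per-prefix static leak (10.3.0.0/24 is assumed) ------
! The "global" keyword makes IOS resolve the next hop 10.1.1.2 (assumed
! spoke on Tunnel0) in the global RIB instead of inside the VRF. Leak only
! the prefixes the customers are meant to see; a 0.0.0.0/0 here would hand
! them the hub's whole global table.
ip route vrf IPSEC-Customers 10.3.0.0 255.255.255.0 10.1.1.2 global
!
! --- global -> VRF: the return path ---------------------------------------
! A global static route whose outgoing interface sits in a VRF is installed
! in the global RIB and delivers the packet to that interface. On a
! multipoint tunnel both the interface and the next hop are needed so NHRP
! can pick the right spoke.
ip route 10.2.7.0 255.255.255.0 Tunnel1 10.1.2.3 name Cust-via-VRF
!
! --- Contain what the leak exposes (hypothetical ACL) --------------------
! Decapsulated Tunnel1 traffic never passes the Outside_In ACL on
! FastEthernet0/0, so filter it on the tunnel itself. Extend the permits
! for any other customer prefixes in the VRF.
ip access-list extended CUST-TO-GLOBAL
 permit ip 10.2.7.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip 10.2.7.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny   ip any any log
!
interface Tunnel1
 ip access-group CUST-TO-GLOBAL in
!
! --- Verification, run on the hub -----------------------------------------
! show ip route vrf IPSEC-Customers 10.3.0.1
! show ip cef vrf IPSEC-Customers 10.3.0.1 detail
! ping vrf IPSEC-Customers 10.3.0.1 source 10.1.2.1
! show ip route 10.2.7.1
```

The leak is only half the path: the customer spoke still needs a route to 10.3.0.0/24 via 10.1.2.1, and the global-side spoke at 10.1.1.2 needs 10.2.7.0/24 via 10.1.1.1, otherwise the ping leaves the hub and the reply never comes back. Keep each leaked prefix explicit and paired with an ACL entry so a customer tunnel cannot reach anything in the global table that was not deliberately exposed.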

Are you sure about this? I'm afraid to test this since this router is remote from me. The GLOBAL VRF doesn't exist, so I would think this would be creating a second VRF like my first one.

 

Robert

Hello Robert, I would strongly advise not to do this since the router is in a remote location.

I think it will be better if you had the router locally or were present where the router is. Also, with this you may have to take a look at things like routing protocols, AAA config / management config, etc., and how they will interact with the GLOBAL VRF.

Apart from this I cannot think of another way to get this working at the moment.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

OK, on larger projects, how would I route traffic in and out of a VRF like this? I guess I don't understand where my issue is, big or small.

 

Robert

OK, so is your DMVPN OK between this router and the IPSEC-Customers? Is the IPsec up? Maybe, I think it uses the default table if we don't specify the tunnel vrf command.

Can you ping .3?

ping vrf IPSEC-Customers 10.1.2.3? I don't know if I'm asking the right questions, because I am assuming I understood your question correctly. If you can explain a bit more, please, that would be great.

Thank you

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Yes, the IPsec tunnel is up. From the customer side, I can ping the tunnel endpoint (10.1.2.1). I can also ping the customer from the headend router. However, if I try to ping something not in the IPSEC VRF from the customer side, it just comes back with "destination host unreachable". It's as if packets can enter/exit the VRF as they should.

 

Robert

Okay, that sounds interesting. Could you post the show ip route of the customer side and also tell us what network they are trying to reach?

Please rate useful posts & remember to mark any solved questions as answered. Thank you.