01-23-2014 09:18 AM - edited 03-04-2019 10:09 PM
Hi all,
I've been trying to get this to work, but it appears to be a bug of some sort.
I have two VRFs configured on a physical 1811 running (C181X-ADVIPSERVICESK9-M), Version 15.1(4)M6.
One is called "inside", facing the LAN, and one is called "outside", facing the WAN side. The two VRFs are connected via a GRE tunnel. Fa0 and Tu0 are part of "outside" and Tu1 and Vl1 are part of "inside". Routing is working fine and I can ping 4.2.2.2; NATing is set up on the outside VRF and it's also working fine, I can access the internet etc.
Traffic flows this way in the outbound direction:
vlan 1--> Lo1 --> Tu 1 --> Tu0 --> Lo0 --> Fa0
and vice versa in the inbound direction.
Internet traffic works fine. I add inspection to Tu0 to create openings in the WAN ACL for traffic coming in the return direction, do show ip inspect sessions, works fine; then I add the WAN ACL to Fa0, and it doesn't seem to work. Basically inspection (CBAC) and ACLs don't seem to work with VRFs.
I attached the config for reference.
Note: I'm doing this for QoS in the inbound direction, since the VLAN interface doesn't take a QoS policy in the outbound direction, but that's irrelevant.
Any help would be appreciated!
Thanks,
Murad
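For readers who want to see the whole design described above in one place, here is a complete configuration for the two-VRF / GRE hairpin. This is an added illustration, not the poster's attached config: only the Tunnel0 and FastEthernet0 lines that appear later in the thread are his. The LAN subnet 192.168.1.0/24, the loopback addresses (10.1.3.3 and 10.1.3.4, chosen to match the tunnel destination he posted), the Tunnel1 address, the INSPECTION rule set, the Outside_IN and NAT_LAN access lists, the QoS policy maps and the static routes are all assumptions made to make the design coherent.

```ios
! Added illustration of the two-VRF / GRE hairpin design (not the poster's attached config).
! Assumed: LAN 192.168.1.0/24, Lo0 10.1.3.3/32, Lo1 10.1.3.4/32, Tu1 10.3.3.4/24,
! the ACL / NAT / inspection / QoS definitions, and the static routes.
ip vrf inside
ip vrf outside
!
! The loopbacks stay in the global table so the GRE transport between the two
! VRFs is routed globally (no "tunnel vrf" on either tunnel).
interface Loopback0
 ip address 10.1.3.3 255.255.255.255
interface Loopback1
 ip address 10.1.3.4 255.255.255.255
!
! CBAC rule set; inspected sessions open the return path through Outside_IN.
ip inspect name INSPECTION tcp
ip inspect name INSPECTION udp
ip inspect name INSPECTION icmp
!
ip access-list extended Outside_IN
 remark DHCP replies for the "ip address dhcp" client on Fa0
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
ip access-list extended NAT_LAN
 permit ip 192.168.1.0 0.0.0.255 any
!
! Downstream (WAN -> LAN) queueing: shape on the tunnel, LLQ inside the shaper.
class-map match-any VOICE
 match dscp ef
policy-map DOWNSTREAM_CHILD
 class VOICE
  priority percent 20
 class class-default
  fair-queue
policy-map DOWNSTREAM_SHAPE
 class class-default
  shape average 8000000
  service-policy DOWNSTREAM_CHILD
!
! VRF inside: LAN side.
interface Vlan1
 ip vrf forwarding inside
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding inside
 ip address 10.3.3.4 255.255.255.0
 tunnel source Loopback1
 tunnel destination 10.1.3.3
!
! VRF outside: WAN side. Outbound LAN traffic enters Tu0 (inbound) after
! decapsulation, so inspection and "ip nat inside" sit here; downstream traffic
! leaves through Tu0 (outbound), so the shaper sits here too.
interface Tunnel0
 ip vrf forwarding outside
 ip address 10.3.3.3 255.255.255.0
 ip inspect INSPECTION in
 ip nat inside
 ip virtual-reassembly in
 tunnel source Loopback0
 tunnel destination 10.1.3.4
 service-policy output DOWNSTREAM_SHAPE
!
interface FastEthernet0
 ip vrf forwarding outside
 ip access-group Outside_IN in
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! Routing between the VRFs goes through the tunnel pair; the outside default
! route comes from DHCP on Fa0.
ip route vrf inside 0.0.0.0 0.0.0.0 Tunnel1 10.3.3.3
ip route vrf outside 192.168.1.0 255.255.255.0 Tunnel0 10.3.3.4
!
ip nat inside source list NAT_LAN interface FastEthernet0 vrf outside overload
```

To check the data path once this is in place: show ip route vrf inside and show ip route vrf outside should point LAN-bound and internet-bound traffic at the tunnel pair, show ip inspect sessions should list the outbound sessions while a LAN host browses, show ip access-lists Outside_IN should show hits only on the DHCP line and on the dynamic entries CBAC inserts, and show policy-map interface Tunnel0 should show the shaper counting downstream packets. If return traffic is dropped once Outside_IN is applied even though the session is visible in show ip inspect sessions, compare the behaviour with no ip cef as the poster did before concluding anything about the ACL itself.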
01-24-2014 01:14 AM
Hello, Murad.
Could you please provide the configuration that is not working (I mean, configure and apply the ACL, add inspection)?
01-24-2014 08:27 AM
Hello MikhailovskyVV,
Sorry, forgot:
interface Tunnel0
 ip vrf forwarding outside
 ip address 10.3.3.3 255.255.255.0
 ip inspect INSPECTION in
 ip nat inside
 ip virtual-reassembly in
 tunnel source Loopback0
 tunnel destination 10.1.3.4
!
interface FastEthernet0
 ip vrf forwarding outside
 ip access-group Outside_IN in
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
I noticed that if I disable CEF things start working again, so could it be a software bug?
Cheers,
01-24-2014 12:05 PM
Hello, Murad.
Sorry, but I've never had such a design.
You could try another IOS.
Btw, why do you run such a complicated configuration?
The router has two L3 interfaces, so it ought to be enough for any QoS design.
01-24-2014 12:49 PM
Hi Mikhailovsky ,
Yes, it is a bit complex for what we're trying to achieve. It appears that ISR routers have a bit of a limitation: despite having more than one layer 3 interface, the VLAN interface does not accept a QoS policy in the outbound direction, thus Cisco suggested creating two VRFs with a tunnel in between and applying the policy on the tunnel, thus achieving QoS on traffic in the inbound direction for branch offices.
I'm thinking of trying it on an 891 instead of an 1811, with a newer image, and seeing if the issue persists.
Cheers,
Murad
01-25-2014 04:42 AM
Hello, Murad.
What is the issue if you put outbound QoS on the F1 interface?
Could you provide a link where Cisco suggests building such a design to get simple outbound QoS?
01-27-2014 09:30 AM
Hi Mikhailovsky,
That's a very good point. The limitation was that in this scenario we wouldn't be able to utilize the integrated VLAN interface ports that are on the router, so we would need another separate physical switch and connect that to port Fa1.
The document where this is referenced is:
http://stor.balios.net/Live2012/BRKRST-3500.pdf
The document also references another solution where this could potentially work: a physical loopback cable between Fa1 and the VLAN interface of the router; move the config (from the VLAN interface to Fa1: IP address, NAT inside, inspection, etc.), default the VLAN interface, turn it on and give it no IP address, so it acts as a dumb flat switch. This seems more stable than the VRF setup.
BTW: I rebooted the router without changing ANY config, and it seems to be working, with CEF enabled.
Go figure!
Cheers
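The physical-loopback alternative from the last post, written out as an added illustration (this is not taken from the referenced slide deck or from the poster's config). It assumes the cable runs from Fa1 to switch port Fa2, the LAN is 192.168.1.0/24, and the INSPECTION rule set, Outside_IN ACL, NAT_LAN list and DOWNSTREAM_SHAPE policy map already exist as global definitions and are not repeated here. Everything runs in the global routing table; there is no VRF and no tunnel.

```ios
! Added illustration of the physical-loopback alternative (Fa1 cabled to Fa2).
! Assumed: LAN 192.168.1.0/24; INSPECTION, Outside_IN, NAT_LAN and
! DOWNSTREAM_SHAPE are defined globally as before and not repeated.
!
! Step 1: strip Vlan1 back to an IP-less SVI so the switch ports just bridge.
default interface Vlan1
interface Vlan1
 no ip address
 no shutdown
!
! Step 2: the switch port the loopback cable plugs into stays an access port
! in VLAN 1 (the default on the 1811's Fa2-Fa9 switch ports).
interface FastEthernet2
 switchport access vlan 1
 no shutdown
!
! Step 3: the routed port at the other end of the cable takes over everything
! Vlan1 used to carry, plus the downstream QoS policy in the output direction,
! which a routed FastEthernet accepts and the SVI does not.
interface FastEthernet1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect INSPECTION in
 ip virtual-reassembly in
 service-policy output DOWNSTREAM_SHAPE
 duplex auto
 speed auto
 no shutdown
!
! Step 4: the WAN port is unchanged apart from losing its VRF binding.
interface FastEthernet0
 ip address dhcp
 ip access-group Outside_IN in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source list NAT_LAN interface FastEthernet0 overload
```

The check is the same as for the VRF design but simpler: show ip inspect sessions while a LAN host browses, show ip access-lists Outside_IN for the dynamic entries, and show policy-map interface FastEthernet1 for the shaper. The cost is one router port (Fa1) and one switch port (Fa2) permanently tied up by the cable, and the LAN link is capped at the speed of that single FastEthernet pair.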