vrf lite route leaking on L3 switch - static routes

Hi,
I'm building a POC and need some advice.


Topology:

            ----------------------
            |                    |
            |      Firewall      |  int E0/0 (192.168.2.1/24)
            |                    |
            ----------------------
                      |
                      |
            ----------------------
            |                    |
            |                    |  int vlan 2  (192.168.2.2/24)  - VRF BLUE
            |     L3 Switch      |  int vlan 8  (192.168.8.1/24)  - VRF GREEN
            |                    |  int vlan 12 (192.168.12.1/24) - VRF RED
            |                    |
            ----------------------
                 |          |
                 |          |
          -------------  -------------
          |   Host    |  |   Host    |
          |   GREEN   |  |   RED     |
          -------------  -------------


Goal:
All three VRFs should use the default route of VRF BLUE, so traffic from all networks should be routed to 192.168.2.1.


#############################################################
####### Method 1 (using route-target export): #######
#############################################################

ip vrf BLUE
rd 1:1
route-target export 1:1
route-target import 2:2

ip vrf GREEN
rd 2:2
route-target export 2:2
route-target import 1:1

ip vrf RED
rd 3:3
route-target export 3:3
route-target import 1:1

 

interface Vlan2
ip vrf forwarding BLUE
ip address 192.168.2.2 255.255.255.0

interface Vlan8
ip vrf forwarding GREEN
ip address 192.168.8.1 255.255.255.0

interface Vlan12
ip vrf forwarding RED
ip address 192.168.12.1 255.255.255.0


ip route vrf BLUE 0.0.0.0 0.0.0.0 192.168.2.1

----------------------------------------------------

CORE_Router#sho ip route vrf BLUE

Routing Table: BLUE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.2.1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet0/0
L 192.168.2.2/32 is directly connected, GigabitEthernet0/0
The route (default route) is not exported to vrf GREEN:

 

CORE_Router#sho ip route vrf GREEN

Routing Table: GREEN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.8.0/24 is directly connected, GigabitEthernet0/4
L 192.168.8.1/32 is directly connected, GigabitEthernet0/4
CORE_Router#


CORE_Router#ping vrf BLUE 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
CORE_Router#

 

CORE_Router#ping vrf GREEN 8.8.8.8 so Vlan 8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CORE_Router#

 


##############################################################################
####### Method 2 (pointing vrf route to global routing table): #######
##############################################################################

 

ip vrf BLUE
rd 1:1

ip vrf GREEN
rd 2:2

ip vrf RED
rd 3:3


interface Vlan2
ip vrf forwarding BLUE
ip address 192.168.2.2 255.255.255.0

interface Vlan8
ip vrf forwarding GREEN
ip address 192.168.8.1 255.255.255.0

interface Vlan12
ip vrf forwarding RED
ip address 192.168.12.1 255.255.255.0


ip route 192.168.2.1 255.255.255.255 Vlan2
ip route 192.168.8.0 255.255.255.0 Vlan8
ip route 192.168.12.0 255.255.255.0 Vlan12

ip route vrf BLUE 0.0.0.0 0.0.0.0 192.168.2.1
ip route vrf BLUE 192.168.8.0 255.255.255.0 192.168.8.1 global
ip route vrf BLUE 192.168.12.0 255.255.255.0 192.168.12.1 global


ip route vrf GREEN 0.0.0.0 0.0.0.0 192.168.2.1 global

ip route vrf RED 0.0.0.0 0.0.0.0 192.168.2.1 global


----------------------------------------------------

 

With this setup pings from the SVI's are working:

 

CORE#ping vrf BLUE 8.8.8.8 so vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
CORE#


CORE#ping vrf GREEN 8.8.8.8 so vlan 8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/9 ms
CORE#


CORE#ping vrf RED 8.8.8.8 so vlan 12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/10 ms
CORE#

 


CORE#sho ip route vrf BLUE

Routing Table: BLUE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.2.1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Vlan2
L 192.168.2.2/32 is directly connected, Vlan2
S 192.168.8.0/24 [1/0] via 192.168.8.1
S 192.168.12.0/24 [1/0] via 192.168.12.1
CORE#

 

CORE#sho ip route vrf GREEN

Routing Table: GREEN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.2.1
192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.8.0/24 is directly connected, Vlan8
L 192.168.8.1/32 is directly connected, Vlan8
CORE#

 


CORE#sho ip route vrf RED

Routing Table: RED
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.2.1
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, Vlan12
L 192.168.12.1/32 is directly connected, Vlan12
CORE#

 

 

However from any workstation on an access port in VLAN 8 (VRF GREEN) or VLAN 12 (VRF RED) it doesn't work.

Workstation GREEN:
IP: 192.168.8.10/24
Default Gateway: 192.168.8.1


Workstation RED:
IP: 192.168.8.10/24
Default Gateway: 192.168.8.1

 

Ping from Workstation GREEN:

GREEN#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
GREEN#

 

Debug IP packet on Core:

CORE#
*Oct 6 13:02:05.326: IP: s=8.8.8.8 (Vlan2), d=192.168.8.10, len 100, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 6 13:02:05.330: IP: tableid=5, s=8.8.8.8 (Vlan2), d=192.168.8.10 (Vlan8), routed via FIB
*Oct 6 13:02:05.332: IP: s=8.8.8.8 (Vlan2), d=192.168.8.10, len 100, rcvd 4
*Oct 6 13:02:05.333: IP: s=8.8.8.8 (Vlan2), d=192.168.8.10, len 100, stop process pak for forus packet
CORE#

Debug ICMP on Core:

CORE#
*Oct 6 13:03:47.006: ICMP: echo reply rcvd, src 8.8.8.8, dst 192.168.8.10, topology BASE, dscp 0 topoid 6
CORE#

 

Does anybody have an idea? I have tested so many things, but I'm losing my faith :-(

Would be great if someone could comment.


Many thanks,
Oliver
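The Method 2 static routes above, modelled as data in an added Python example (not from the thread or from Cisco) that resolves a destination the way the `global` keyword does and flags leaked routes whose next hop is one of the switch's own SVI addresses; the debug output shows the echo reply to 192.168.8.10 being handled as a for-us packet, which is the case this check surfaces. The `Route` model, `LOCAL_ADDRS`, `resolve` and `audit` are constructed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Route:
    vrf: str                 # table the route is installed in
    prefix: str              # destination prefix
    next_hop: Optional[str]  # next-hop address, or None for an interface route
    iface: Optional[str]     # outgoing interface when the route names one
    lookup: str              # table used to resolve next_hop ('global' keyword)

# The switch's own SVI addresses (constructed model of the post's config).
LOCAL_ADDRS = {"192.168.2.2", "192.168.8.1", "192.168.12.1"}

# Connected routes per VRF plus the Method 2 static routes from the post.
ROUTES = [
    Route("BLUE", "192.168.2.0/24", None, "Vlan2", "BLUE"),
    Route("GREEN", "192.168.8.0/24", None, "Vlan8", "GREEN"),
    Route("RED", "192.168.12.0/24", None, "Vlan12", "RED"),
    Route("global", "192.168.2.1/32", None, "Vlan2", "global"),
    Route("global", "192.168.8.0/24", None, "Vlan8", "global"),
    Route("global", "192.168.12.0/24", None, "Vlan12", "global"),
    Route("BLUE", "0.0.0.0/0", "192.168.2.1", None, "BLUE"),
    Route("BLUE", "192.168.8.0/24", "192.168.8.1", None, "global"),
    Route("BLUE", "192.168.12.0/24", "192.168.12.1", None, "global"),
    Route("GREEN", "0.0.0.0/0", "192.168.2.1", None, "global"),
    Route("RED", "0.0.0.0/0", "192.168.2.1", None, "global"),
]

def lookup(table: str, dst: str) -> Optional[Route]:
    """Longest-prefix match of dst in one table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in ROUTES if r.vrf == table and addr in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

def resolve(table: str, dst: str, depth: int = 0) -> Optional[Tuple[str, Optional[str], bool]]:
    """Return (outgoing interface, next hop, next hop is one of our own addresses)."""
    r = lookup(table, dst)
    if r is None or depth > 8:        # no route, or a recursion loop
        return None
    if r.next_hop is None:            # interface route: resolution ends here
        return (r.iface, None, False)
    via = resolve(r.lookup, r.next_hop, depth + 1)  # recurse in the table the route names
    return (via[0] if via else None, r.next_hop, r.next_hop in LOCAL_ADDRS)

def audit():
    """Static routes whose next hop is the switch itself: packets matching them
    are delivered locally (the for-us packet in the debug) rather than forwarded."""
    return [(r.vrf, r.prefix, r.next_hop) for r in ROUTES if r.next_hop in LOCAL_ADDRS]
```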


3 Replies

Hello

Why don't you just VRF red, as you are allowing connectivity between green/blue anyway?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


@paul driver wrote:

Hello

Why don't you just VRF red, as you are allowing connectivity between green/blue anyway?


Mhh, not sure what you mean? Could you please explain?

 

Thanks,

Oliver

Hello

Well, you have 3 VRFs but are allowing 2 of them to communicate with each other, so why bother using VRFs for them? Just use the one VRF for the red traffic so the other two networks cannot communicate with it.



Kind Regards
Paul