10-04-2013 01:12 AM - edited 03-04-2019 09:13 PM
Hi guys,
I'm having problems routing between two VRF-lite instances on two ASR 1001 routers. I have separated my networks using a single VRF to isolate one network; the rest of the connected networks still belong in the global routing table. My problem seems to stem from the fact that I don't have connectivity between the two VRFs on either router when I use a route leak to add the WAN interface of each router as a default gateway. The route appears in the VRF routing table, but so far I have been unable to ping across the link. "debug ip icmp" doesn't show any output at the console when I run a ping test, and I can't work out why! I think this may be related to the way the VPN tunnels were configured on both routers, but they are not configured in a way that I'm used to, so I can't prove this. I would be very grateful for any help!
Thanks all.
Configs:
Router 1:
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 14
crypto isakmp key * address 10.204.7.30
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set RTR-IPSEC esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set RTR-IPSEC
!
!
interface Tunnel0
ip unnumbered GigabitEthernet0/0.4094
tunnel source GigabitEthernet0/0.4094
tunnel mode ipsec ipv4
tunnel destination 10.204.7.30
tunnel path-mtu-discovery
tunnel protection ipsec profile VTI
!
!
ip vrf RED
description RED
rd 885:885
!
!
interface GigabitEthernet0/0.4094
description 100Mb/s ETHERFLOW TO ROUTER2
bandwidth 100000
encapsulation dot1Q 4094
ip address 10.204.7.25 255.255.255.248
service-policy output POLICY_ETHERFLOW_SHAPING_100M
!
interface GigabitEthernet0/2
description SHUTDOWN
ip vrf forwarding RED
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.885
description r1-users
encapsulation dot1Q 885
ip vrf forwarding RED
ip address 10.212.25.254 255.255.254.0
no cdp enable
!
interface GigabitEthernet0/2.886
description r1-phones
encapsulation dot1Q 886
ip vrf forwarding RED
ip address 10.212.27.254 255.255.254.0
no cdp enable
!
interface GigabitEthernet0/2.887
description r1-printers
encapsulation dot1Q 887
ip vrf forwarding RED
ip address 10.212.28.254 255.255.255.0
no cdp enable
ip route vrf RED 0.0.0.0 0.0.0.0 Tunnel0 10.204.7.30 global
Router 2:
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 14
crypto isakmp key * address 10.204.7.25
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set RTR-IPSEC esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set RTR-IPSEC
!
interface Tunnel3
ip unnumbered GigabitEthernet0/0/0.4092
tunnel source GigabitEthernet0/0/0.4092
tunnel mode ipsec ipv4
tunnel destination 10.204.7.25
tunnel path-mtu-discovery
tunnel protection ipsec profile VTI
!
ip vrf RED
description RED
rd 3:3
!
interface GigabitEthernet0/0/0.4092
description 100Mb/s ETHERFLOW TO R1
bandwidth 100000
encapsulation dot1Q 4092
ip address 10.204.7.30 255.255.255.248
service-policy output POLICY_ETHERFLOW_SHAPING_100M
!
interface GigabitEthernet0/0/3
description link to user switch
ip vrf forwarding RED
ip address 10.212.22.1 255.255.255.248
negotiation auto
!
ip route vrf RED 0.0.0.0 0.0.0.0 Tunnel3 10.204.7.25 global
10-04-2013 05:28 AM
Hi,
The traffic will arrive at each router in the global VRF; from what I can see, you need some method for getting the traffic received in the global VRF across the WAN back into the 'RED' VRF.
You could do this via another tunnel running inside the VRF, or maybe you could force it with a static, e.g. 'ip route 10.212.22.0 255.255.255.248 GigabitEthernet0/0/3 10.212.22.1' for R2.
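Jamie's second option worked through for both routers, as an added example that is not part of the original thread. It keeps the two RED default routes from the posted configs and adds the global-to-RED static routes that provide the return path on each side. The prefixes are taken from the interface addresses in the posted configs (10.212.25.254/23 sits in 10.212.24.0/23, 10.212.27.254/23 in 10.212.26.0/23, 10.212.28.254/24 in 10.212.28.0/24, and 10.212.22.1/29 in 10.212.22.0/29). The next-hop form of the statics follows the answer above; the show and ping commands at the end are the checks I would run. The example assumes the IPsec SAs between 10.204.7.25 and 10.204.7.30 already come up, which the thread does not confirm either way.

```text
! ---- Router 1 (global table; Tunnel0 lives here) ----
! Already present: RED's default route sends traffic into the global tunnel
ip route vrf RED 0.0.0.0 0.0.0.0 Tunnel0 10.204.7.30 global
!
! Added: packets arriving out of Tunnel0 for the RED subnets are looked up in
! the global table, so point each RED subnet back at its RED sub-interface
ip route 10.212.24.0 255.255.254.0 GigabitEthernet0/2.885 10.212.25.254
ip route 10.212.26.0 255.255.254.0 GigabitEthernet0/2.886 10.212.27.254
ip route 10.212.28.0 255.255.255.0 GigabitEthernet0/2.887 10.212.28.254

! ---- Router 2 (global table; Tunnel3 lives here) ----
! Already present
ip route vrf RED 0.0.0.0 0.0.0.0 Tunnel3 10.204.7.25 global
!
! Added: return path for traffic that arrives out of Tunnel3 in global
ip route 10.212.22.0 255.255.255.248 GigabitEthernet0/0/3 10.212.22.1

! ---- Checks, run on Router 1 ----
! The RED default must resolve through the global tunnel
show ip route vrf RED 0.0.0.0
! The leaked prefix must sit in the global table pointing at the RED interface
show ip route 10.212.24.0 255.255.254.0
show ip cef 10.212.25.1
! Ping from inside RED, sourced from a RED interface, so the lookup starts in RED
! (a plain "ping 10.212.22.1" looks up the global table and never enters RED)
ping vrf RED 10.212.22.1 source 10.212.25.254
! If the ping still fails, confirm the SA is up and its packet counters move
show crypto isakmp sa
show crypto ipsec sa
```

The global statics use the router's own address on the RED interface as next hop, which is the form the answer suggests; an interface-only static is the other usual form for a directly connected prefix, and "show ip cef" shows which adjacency was actually chosen either way. Note what the leak does to isolation: the RED default route hands every RED packet to the global table, so RED hosts can reach any destination the far router knows in global, not just the other RED site. If RED is meant to stay separated from the global networks, leak only the specific prefixes that need to cross (a static for the remote RED subnet instead of a default) and filter on the tunnel interface with an ACL.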
10-04-2013 06:35 AM
Jamie, you are the man!
Your explanation was also very clear, and understood!
Thank you.