VRFs not working properly between core routers

Islam Nadim

Hello All,

I have this problem when I'm working with VRFs on GNS3.

If I have only 1 core router, the VRF works fine. But when I add another Core router, the VRF doesn't work.

NOTE: I'm using 2691 routers.

This is the topology that works:

1.png

And this is the one that doesn't work:

2.png

This is the VRF configuration on both Core routers:

Core1:

ip vrf C1
 rd 100:1000
 route-target export 100:1000
 route-target import 100:1000
!
ip vrf C2
 rd 200:2000
 route-target export 200:2000
 route-target import 200:2000
!

Core2:

ip vrf C1
 rd 100:1000
 route-target export 100:1000
 route-target import 100:1000
!
ip vrf C2
 rd 200:2000
 route-target export 200:2000
 route-target import 200:2000
!

Need advice

Do you have a VPNv4 neighbor relationship established between Core1 and Core2?

If you want communication between all the routers, then the RDs must be imported accordingly. Hope you understood.

Please rate the post if it is informative.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

I'm using static routes .. sorry for not stating that earlier

Hello,

Do you mean the PE-CE protocol is static routing?

What about the PE-PE protocol, is it also static routing?

In your second case you must have a way to deliver your vpn routes to other core routers. You can achieve this by MPBGP or in your static routing case you must be able to play with tunneling.

I mean define two tunnels between two core routers, place each of them in different vrfs, I am not sure but it must work.

Regards
Thanveer

Everything is running static .. I'm using static just for the sake of testing ...

So as I understood, I should use tunnels between the PEs? Can you show me how?

Ajay Raj

If you are using VRF, then PE to PE should be MPBGP, otherwise it won't work.

Hello Islam,

You do not need to run MPBGP. As you said, you have configured static routing; I think that will be the problem. Could you post the configuration of both Core routers?

Best Regards

Please rate all helpful posts and close solved questions

Here are the configs:

Core1:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Core1
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
ip vrf C1
 rd 100:1000
 route-target export 100:1000
 route-target import 100:1000
ip vrf C2
 rd 200:2000
 route-target export 200:2000
 route-target import 200:2000
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
interface FastEthernet0/0
 description -- UNUSED --
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/0
 description to Core2
 ip address 192.168.0.1 255.255.255.0
 clock rate 2000000
interface FastEthernet0/1
 description -- UNUSED --
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/1
 description to A1
 ip vrf forwarding C1
 ip address 192.168.2.1 255.255.255.0
 clock rate 2000000
interface Serial0/2
 description to B1
 ip vrf forwarding C2
 ip address 192.168.4.1 255.255.255.0
 clock rate 2000000
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route vrf C1 0.0.0.0 0.0.0.0 Serial0/0
ip route vrf C2 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
no ip http secure-server
control-plane
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
end

========================

Core2:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Core2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
ip vrf C1
 rd 100:1000
 route-target export 100:1000
 route-target import 100:1000
ip vrf C2
 rd 200:2000
 route-target export 200:2000
 route-target import 200:2000
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
interface FastEthernet0/0
 description -- UNUSED --
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/0
 description to Core1
 ip address 192.168.0.2 255.255.255.0
 clock rate 2000000
interface FastEthernet0/1
 description -- UNUSED --
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/1
 description to A2
 ip vrf forwarding C1
 ip address 192.168.3.1 255.255.255.0
 clock rate 2000000
interface Serial0/2
 description to B2
 ip vrf forwarding C2
 ip address 192.168.5.1 255.255.255.0
 clock rate 2000000
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route vrf C1 0.0.0.0 0.0.0.0 Serial0/0
ip route vrf C2 0.0.0.0 0.0.0.0 Serial0/0
ip http server
no ip http secure-server
control-plane
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
end

As for the CE routers, only the Serial0/0 interfaces are configured with the appropriate IPs, plus a static default route pointing to Serial0/0:

ip route 0.0.0.0 0.0.0.0 Serial0/0

If all you want to achieve is to extend your VRFs to Core2 without inter-VRF communication, then VRF lite is the way to go. Basically all you have to do is create subinterfaces on s0/0 and assign these subinterfaces to their respective VRF. Remember that you could technically use identical IP addresses / subnets on all subinterfaces, as these remain within each VRF.

If you need inter-VRF connectivity, then MP-BGP is needed. The tunnel construction already mentioned might work, but I have never seen that or tested it myself, so I don't know for sure.

Regards.

Any config samples would be great

Hello Nadeem,

Here is your configuration, I was planning to do a test scenario, however you helped me out to learn and show this.

Please find the scenario and the attachments.

Please rate the post and mark it answered if you feel it answered.

Regards
Thanveer

Hello,

As pille said, if you use vrf-lite you need to connect Core1 and Core2 with links in respective VRFs. VRF is local to both routers and you connected them with link S0/0 <-> S0/0 in global routing table.

Solution ->

1) create second link between Core1 and Core2, existing link will be added to first VRF and new link to second VRF, that way each vrf can communicate via respective link.

2) leave configuration as it is and create two GRE tunnels via existing link, one tunnel for one VRF.

Core1

interface Tunnel 1
 ip vrf forwarding C1
 ip address 10.0.0.1 255.255.255.0
 tunnel source s0/0
 tunnel destination 192.168.0.2
interface Tunnel 2
 ip vrf forwarding C2
 ip address 10.0.0.1 255.255.255.0
 tunnel source s0/0
 tunnel destination 192.168.0.2

Core2

interface Tunnel 1
 ip vrf forwarding C1
 ip address 10.0.0.2 255.255.255.0
 tunnel source s0/0
 tunnel destination 192.168.0.1
interface Tunnel 2
 ip vrf forwarding C2
 ip address 10.0.0.2 255.255.255.0
 tunnel source s0/0
 tunnel destination 192.168.0.1

Traffic from particular VRFs will be transported between Core1 and Core2 thanks to GRE tunnels. Do not forget to configure static routing for this to work properly.

Best Regards

Please rate all helpful posts and close solved questions
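
An added example, not written by any poster in this thread: a small Python check for the condition the replies describe, a VRF static route whose exit interface belongs to a different routing table than the route itself. The config excerpt is taken from the Core1 listing posted above; the function names are illustrative assumptions.

```python
import re

# Added example; function names are illustrative, not from the thread.
# Excerpt of the Core1 configuration posted in the thread (relevant lines only).
CORE1 = """\
interface Serial0/0
 description to Core2
 ip address 192.168.0.1 255.255.255.0
interface Serial0/1
 description to A1
 ip vrf forwarding C1
 ip address 192.168.2.1 255.255.255.0
interface Serial0/2
 description to B1
 ip vrf forwarding C2
 ip address 192.168.4.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route vrf C1 0.0.0.0 0.0.0.0 Serial0/0
ip route vrf C2 0.0.0.0 0.0.0.0 Serial0/0
"""

def interface_vrfs(config):
    """Map each interface name to its VRF (None = global routing table)."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = None
        elif current and (m := re.match(r"\s+ip vrf forwarding\s+(\S+)", line)):
            vrfs[current] = m.group(1)
        elif line and not line[0].isspace():
            current = None  # an unindented line ends the interface block
    return vrfs

def cross_vrf_static_routes(config):
    """Return (route_vrf, exit_interface, interface_vrf) for every VRF static
    route whose exit interface sits in a different table than the route."""
    vrfs = interface_vrfs(config)
    findings = []
    for line in config.splitlines():
        m = re.match(r"ip route vrf (\S+) \S+ \S+ ([A-Za-z][\w/.]*)", line)
        if m and m.group(2) in vrfs and vrfs[m.group(2)] != m.group(1):
            findings.append((m.group(1), m.group(2), vrfs[m.group(2)]))
    return findings

if __name__ == "__main__":
    for vrf, ifname, if_vrf in cross_vrf_static_routes(CORE1):
        print(f"vrf {vrf}: route exits {ifname}, which is in {if_vrf or 'the global table'}")
```

Both VRF default routes on Core1 are reported, because Serial0/0 carries no `ip vrf forwarding` statement and therefore sits in the global table.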
