Catalyst 9200L 17.3.6 GRE tunnel build issues

netgn
Level 1

We have a remote location that has no firewall and have a need to tunnel some traffic back to our corporate firewall.  Looking at the 9200L switch we have, its capable of running VRF-lite and GRE tunneling.  We have successfully created the VRF and GRE tunnel with below settings. The tunnel is in fact up, we can ping between the tunnel end points ok.  We can also ping the Internet sourcing from vlan 400 ip 10.10.10.254.  However anything in vlan 400 behind svi 400 cannot ping out to the Internet.  Devices can ping their default gateway 10.10.10.254 just fine.  What am I missing here?  Also, on the firewall back at corp, we see no traffic flows for any traffic except for 10.10.10.254.  

ARP, DHCP Bindings, and mac addresses all show devices in the right vlan, and right VRF.  

!
interface Vlan400
 vrf forwarding isolated-vlan
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no autostate
!
interface Tunnel100
 vrf forwarding isolated-vlan
 ip address 192.168.10.1 255.255.255.252
 tunnel source Loopback100
 tunnel destination 100.100.100.2
!
interface Loopback100
 ip address 100.100.100.1
!

 

11 Replies

Joseph W. Doherty
Hall of Fame

Insufficient information, because the whole point of a VRF is L3 isolation, much like a L2 VLAN, in concept.  How is this VRF supposed to interact with L3 external to it?

Joseph,

I'm trying to accomplish isolation of a VLAN in its own VRF that will route across the GRE tunnel in the same VRF back to the corporate location. I'm not sure I understand your question, however. If the VLAN SVI and GRE tunnel are in the same VRF, wouldn't that be the L3 path? I want all source/destination traffic for the VLAN SVI in the isolated VRF to stay there.

User Traffic --> Vlan 400 (isolated-vrf) ---> GRE tunnel to Corporate (isolated-vrf)  ---> Firewall at Corporate (not vrf aware)

Unless I'm missing something here, shouldn't this work? Or are you saying the firewall at corporate has to be aware of my VRF configuration for traffic to pass properly?

I'm using the tunnel source and destination (loopbacks) from the global routing table to get the encapsulated traffic over to the corporate firewall. The tunnel is up, we can ping across the tunnel fine; it's just that anything behind the 9200L can't ping anything at corporate, but sourcing from the SVI on the 9200L we can.

 

Thank you, that does help provide clarity.

What's still unclear is what's on the other side of the tunnel, i.e. the corporate side. I mean, you have a VRF subnet at both the remote and corporate sides, and you route between them? On the corporate side, how do you route between the corporate VRF subnet and the FW?

In practice, I've seen VRFs used for security to isolate sections of a corporate network such that you need to transit a FW to get to another security section. What VRFs allow, much like VLANs, is that the same devices can host the different VRFs, so even though the networks are physically using the same hardware, some networks cannot communicate with others unless they transit a FW.

The other side of the GRE tunnel is a Palo Firewall.  All I want to accomplish is creating a virtual routing instance on the 9200L that takes vlan 400 traffic and tunnels it across the GRE to the Palo Firewall.  It will only be default route traffic.  

The other side uses GRE and it is Palo, and you are sure the LO is pingable from both sides.

The last thing still needed is to open the GRE port in Palo.

MHM

ip route vrf isolated-vlan 0.0.0.0 0.0.0.0 192.168.10.2

The FW will need to know to route to 10.10.10.0/24 via the tunnel.

You use LO as source and destination; are you sure the LO is pingable?

MHM

Yes can do that no issue.  That traffic passes.  

netgn
Level 1

Super frustrated by this one but figured it out.  Turns out 'ip routing' was not enabled on the 9200 switch which is why the l2 path worked ok from svi to tunnel but anything behind svi that was routed got dropped.  What really threw me off was the show ip route and show ip route vrf commands showed a routing table.  So I thought ip routing was on.  Turns out that was my lynchpin.  Got me again Cisco!!  
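As an added example (not from the thread or from Cisco), here is a small Python linter over a constructed copy of the poster's config, with the thread's fixes applied, that flags the three things this thread turned on: the missing 'ip routing', a tunnel source that is not in the global routing table, and a missing default route inside the VRF. The 'vrf definition' stanza and the /32 loopback mask are assumptions, since the original post did not show them.

```python
# Constructed sample: the poster's config with the fixes from this thread applied.
# Delete the first line to reproduce the original failure (no 'ip routing').
SAMPLE_CONFIG = """\
ip routing
vrf definition isolated-vlan
 address-family ipv4
interface Loopback100
 ip address 100.100.100.1 255.255.255.255
interface Vlan400
 vrf forwarding isolated-vlan
 ip address 10.10.10.254 255.255.255.0
interface Tunnel100
 vrf forwarding isolated-vlan
 ip address 192.168.10.1 255.255.255.252
 tunnel source Loopback100
 tunnel destination 100.100.100.2
ip route vrf isolated-vlan 0.0.0.0 0.0.0.0 192.168.10.2
"""

def parse_interfaces(config):
    """Map a normalized interface name ('loopback100') to its indented sub-lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].replace(" ", "").lower()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas

def vrf_of(body):  # VRF name from 'vrf forwarding X', or None for the global table
    return next((l.split()[2] for l in body if l.startswith("vrf forwarding ")), None)

def lint(config):
    """Return findings; an empty list means the SVI -> tunnel -> VRF default path is consistent."""
    findings, lines, ifaces = [], config.splitlines(), parse_interfaces(config)
    if "ip routing" not in lines:  # the root cause in the thread: the L3 switch was left in L2 mode
        findings.append("ip routing is not enabled: traffic behind the SVI is not routed")
    for name, body in ((n, b) for n, b in ifaces.items() if n.startswith("tunnel")):
        vrf = vrf_of(body)
        src = next((l.split()[-1].lower() for l in body if l.startswith("tunnel source ")), None)
        if src not in ifaces:
            findings.append(f"{name}: tunnel source {src} is not defined")
        elif vrf_of(ifaces[src]):  # tunnel endpoints are reached via the global table in this design
            findings.append(f"{name}: tunnel source {src} sits in a VRF, not the global table")
        if vrf and not any(l.startswith(f"ip route vrf {vrf} 0.0.0.0 0.0.0.0 ") for l in lines):
            findings.append(f"{name}: no default route inside vrf {vrf}")
    return findings
```

Run lint() against the output of `show running-config` on the 9200L; the first check is the one a routing table shown by `show ip route vrf` will not reveal on its own.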

 


@netgn wrote:

Super frustrated by this one but figured it out.  Turns out 'ip routing' was not enabled on the 9200 switch which is why the l2 path worked ok from svi to tunnel but anything behind svi that was routed got dropped.  What really threw me off was the show ip route and show ip route vrf commands showed a routing table.  So I thought ip routing was on.  Turns out that was my lynchpin.  Got me again Cisco!!  


Ouch! Yea, that would be problematic, especially to transit the subnet. (?) (Did you have something configured to route across the tunnel subnet?)

Often low end switches, I recall, default to IP routing not being enabled.  (Conversely, I recall, some large L3 switches wouldn't allow IP routing to be disabled.)

Thank you for the follow up.

You bet and thanks for helping.