Solved: GLOBAL VRF ROUTE LEAKING

perrymcgrew · ‎03-13-2018

Hi,

I have 4500X-32 in VSS running 3.6.0E that serves as the core LAN L3 Switch. I am trying to create 2 subnets that are isolated from the rest of the VLANs -- they only need to talk to each other and get out to the Internet through the 4500X's default route through the Firewall.

I have read this post and I believe I am close...

https://supportforums.cisco.com/t5/lan-switching-and-routing/route-leaking-vrf-to-global/m-p/3062753

I just can't seem to get it to work completely. Traceroutes on the client die on the VRF's VLAN SVI. The firewall has Static routes to send the return traffic of the VRF subnets to the SVI of its VLAN.

I am testing on the "trcu" VRF...

!
ip vrf telemed
rd 100:32
route-target export 100:32
route-target import 100:30
!
ip vrf trcu
rd 100:30
route-target export 100:30
route-target import 100:32

!

ip dhcp pool WLAN_TRCU
vrf trcu
network 10.30.0.0 255.255.255.0
dns-server 8.8.8.8 4.4.4.4
default-router 10.30.0.254
!
ip dhcp pool WLAN_telemed
vrf telemed
network 10.30.2.0 255.255.255.0
dns-server 8.8.8.8 4.4.4.4
default-router 10.30.2.254
!

!
interface Vlan30
description TRCU Subnet
ip vrf forwarding trcu
ip address 10.30.0.254 255.255.255.0
!
interface Vlan32
description telemed WLAN Subnet
ip vrf forwarding telemed
ip address 10.30.2.254 255.255.255.0
!
router bgp 100
bgp log-neighbor-changes
no bgp default ipv4-unicast
!
address-family ipv4 vrf telemed
redistribute connected
exit-address-family
!
address-family ipv4 vrf trcu
redistribute connected
exit-address-family
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.90.253 name Default_Route_to_Firewall
ip route vrf trcu 0.0.0.0 0.0.0.0 192.168.90.253 global name Default_Route_to_Firewall

ip route vrf telemed 0.0.0.0 0.0.0.0 192.168.90.253 global name Default_Route_to_Firewall

4500X#   sh bgp vrf trcu
BGP table version is 5, local router ID is 192.168.254.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:30 (default for vrf trcu)
*> 10.30.0.0/24     0.0.0.0                  0         32768 ?
*> 10.30.2.0/24     0.0.0.0                  0         32768 ?

4500X#sh ip route vrf trcu

Routing Table: trcu
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.90.253 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.90.253
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.30.0.0/24 is directly connected, Vlan30
L        10.30.0.254/32 is directly connected, Vlan30
B        10.30.2.0/24 is directly connected (telemed), 3d21h, Vlan32
L        10.30.2.254/32 is directly connected, Vlan32

What is missing????

TIA - Perry

Georg Pauwen · ‎03-14-2018

Hello,

I am just thinking, if all you want is isolate traffic from those two VLANs, why not simply use an access list on the SVIs ?

View solution in original post

Georg Pauwen · ‎03-13-2018

Hello,

is the problem that the VRFs cannot talk to each other, or that the VRFs are not routed out properly to the firewall ?

perrymcgrew · ‎03-13-2018

I have not tested routing between the 2 VRFs. The "trcu" VRF is most critical as the subnet needs to be shared between wired and wireless clients that are connected thru 5508 WLC. Wireless clients are not pulling IPs from DHCP, but I'll tackle that later.....

I have a wired PC connected to switchport in VLAN 30. It pulls 10.30.0.1 from the DHCP and I see the google DNS 8.8.8.8 and 4.4.4.4 assigned to the client along with the gateway 10.30.0.254 (IP addr of VLAN 30 SVI). But I can not access anything on the internet. Traceroute from the PC "dies" on the VLAN SVI 10.30.0.254.

On the 4500X, I can ping the PC....

4500X#ping vrf trcu 10.30.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.0.1, timeout is 2 seconds:
!!!!!

On the Firewall devices, I have static routes that point 10.30.0.0/24 to the SVI of the VLAN that has the Firewall LAN interfaces. I can NOT ping the SVI of the VRF from the firewall.

This is my Global default gateway on the 4500X:

ip route 0.0.0.0 0.0.0.0 192.168.90.253

From what I've read, this is supposed to inject the global default route into the VRF:

ip route vrf trcu 0.0.0.0 0.0.0.0 192.168.90.253 global

The .253 IP is the Firewall's interface.....

Georg Pauwen · ‎03-13-2018

Hello,

try the VRF receive feature. This essentially puts the directly connected network to your firewall in the trcu VRF:

interface Vlan30
description TRCU Subnet
ip vrf forwarding trcu
ip address 10.30.0.254 255.255.255.0

!

interface FastEthernet0/0
description To_Firewall
ip vrf select source
ip vrf receive trcu
ip address 192.168.90.254 255.255.255.252

!

ip route 10.30.0.0 255.255.255.0 Vlan30

perrymcgrew · ‎03-14-2018

Thanks. This has gotten me a little farther. The Firewall interface is a VLAN SVI (VLAN 90) but the commands you listed on the Fastethernet worked. The test PC on the "trcu" subnet can now reach the internet.... However, it can also access the other internal corporate VLANs defined in the 4500X.

The goal of this setup is to completely isolate the trcu (VLAN 30) and telemed (VLAN 32) from the rest of the corporate VLANs - only allow them to talk to each other and the Internet which was the purpose of trying this VRF and BGP setup.

The firewall has static routes for all the corporate subnets that point back to its VLAN SVI (192.168.90.254) to enable the return traffic from the internet / DMZ. So pinging my PC from the test PC - the default route in the VRF is sending pings of other corporate VLANs to the Firewall's LAN interface (192.168.90.253) who then routes it back to the 4500X and is able to reach any of the corporate networks.

interface Vlan90

description Firewall Routed Segment

ip vrf select source

ip vrf receive trcu

ip address 192.168.90.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip route 0.0.0.0 0.0.0.0 192.168.90.253 name Default_Route_to_Firewall

ip route 10.30.0.0 255.255.255.0 Vlan30 name TRCU

ip route vrf trcu 0.0.0.0 0.0.0.0 192.168.90.253 global name Default_Route_to_Firewall

4500X#sh ip route vrf trcu

Routing Table: trcu

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

+ - replicated route, % - next hop override

Gateway of last resort is 192.168.90.253 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.90.253

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C 10.30.0.0/24 is directly connected, Vlan30

L 10.30.0.254/32 is directly connected, Vlan30

B 10.30.2.0/24 is directly connected (telemed), 4d16h, Vlan32

L 10.30.2.254/32 is directly connected, Vlan32

192.168.90.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.90.0/24 is directly connected, Vlan90

L 192.168.90.254/32 is directly connected, Vlan90

So right now, there is no difference than if I set the trcu / telemed VLANs up normally and added them into the OSPF routing used for the corporate VLANs....maybe there is a better way than VRF / BGP?

Georg Pauwen · ‎03-14-2018

Hello,

I am just thinking, if all you want is isolate traffic from those two VLANs, why not simply use an access list on the SVIs ?

perrymcgrew · ‎03-14-2018

I was led to believe this was best way to accomplish the goal - not create hugely complicated ACLs on the 4500X. I also was looking at VACLs as well. But I may need to revisit this as it seems that the VRF is not going to work...and time is growing short.

perrymcgrew · ‎04-25-2018

after getting really deep in the vrf / bgp leaking, went back to the ACL on the SVI. May not be the most efficient method, but is sure easier to implement.

Thx to everyone who offered comments....