VRF-aware DNS lookup not working on 3850 ?

aurinoco_cisco
Level 1
Hi
We have a Catalyst 3850-24T-E.
We are trying to configure and use vrf-aware DNS. We have done the following:

ip domain-lookup
ip name-server vrf my_vrf 192.168.1.100
show host vrf my_vrf
Name lookup view: my_vrf
Default domain is not set
Name/address lookup uses domain service
Name servers are 192.168.1.100
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
show host
Name lookup view: Global
Default domain is not set
Name/address lookup uses domain service
Name servers are 255.255.255.255
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
ping vrf my_vrf 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ping vrf my_vrf cisco.com
Translating "cisco.com"...domain server (255.255.255.255)
% Unrecognized host or address, or protocol not running.
It seems to me that ping uses the VRF (and ping 192.168.1.100 works), while the DNS resolution does not consider the VRF and tries to use the default host/route to access DNS on 255.255.255.255, which fails as there is no DNS server there, and therefore the ping does not proceed.
    • Is this expected behaviour?
    • Am I doing something wrong?
    • Is there a way to get this working?


Terence Payet
Level 1

Hi,

The issue is related to your vrf config. Basically you are trying to query your dns server which is currently located in the Global routing from vrf "my_vrf". This is not gonna work "right off the bat".

Based on your configs, I guess you do have some knowledge of VRF, and I will not go into details. But if not, I suggest you understand the concept of VRF.

But basically, for your solution to work, you will need to perform some sort of route leaking from the Global into the VRF routing table. See the example below, based on yours:

int vlan xx (SVI where your DNS server is located)
ip vrf select source
ip vrf receive my_vrf

ip route (source of your network trying to access DNS server) vlan xx (SVI of your source network)

Hope this helps.

Regards,

Terence

Dear Terence,

thank you for your reply. We were trying to avoid route leaking from the Global VRF to my_vrf and assumed that the command

ip name-server vrf my_vrf 192.168.1.1

would send domain lookups into this VRF as shown with

show host vrf my_vrf
Name lookup view: my_vrf
Default domain is not set
Name/address lookup uses domain service
Name servers are 192.168.1.100
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)

We are wondering what the intended use of these commands is.

Is there a possibility to avoid route leaking and still reach a domain server that is in a VRF?

thanks, aurinoco_cisco

Hi Aurinoco,

The command "ip name-server vrf my_vrf 192.168.1.1" implies that the DNS server 192.168.1.1 is in vrf "my_vrf" and only that specific VRF, unless some sort of route leaking is done. Basically, when you configure a VRF, all services related to that specific VRF need to be VRF aware.

HTH.

Regards,

Terence

Dear Terence,

thank you once again!!

Does this mean that it is the domain-lookup service that is not VRF aware, and we therefore can't use a DNS server in a VRF without route leaking?

best,

aurinoco_cisco

ilijat
Level 1

Is this resolved?
I have the same problem. When I try to ping from the VRF, it's using the DNS server from the global routing table, not from the VRF.

We have the same problem; we are running the latest Fuji release, 16.8.1a. We have even configured "source interface vrf" for DNS, and even with this it doesn't work.

I think it is for the following reasons:

* we have 3 VRFs: global, IT & mgmt
* only IT & mgmt have IP interfaces; the global does not have any IP interfaces.

ip name-server vrf IT 1.1.1.1 2.2.2.2
ip name-server vrf Mgmt-vrf 1.1.1.1 2.2.2.2
ip domain list vrf IT DOMAIN1.COM
ip domain list vrf Mgmt-vrf DOMAIN1.COM

no ip domain lookup (= assuming this disables DNS lookup in the global VRF only)
ip domain lookup vrf IT source-interface Loopback0 (Lo0 = part of vrf IT)
ip domain lookup vrf Mgmt-vrf source-interface GigabitEthernet0/0 (Gi0/0 = part of vrf Mgmt-vrf)
ip domain name vrf IT DOMAIN1.COM
ip domain name vrf Mgmt-vrf DOMAIN1.COM

Because the global does not have any IP interfaces, we have not defined anything for DNS in the "default" VRF.

However, it seems the "no ip domain-lookup" disables DNS in all VRFs:

ping SERVER1
% Unrecognized host or address, or protocol not running.

ping vrf IT SERVER1
% Unrecognized host or address, or protocol not running.

ping vrf Mgmt-vrf SERVER1
% Unrecognized host or address, or protocol not running.

I think this is wrong.

Anyway, after enabling "ip domain lookup", DNS does not work in the default VRF (as expected),
it does not work in the Mgmt-vrf,
and in the IT VRF it sometimes works and sometimes not (then you get "protocol not running"??).

I don't know why this is; both VRFs are configured alike. Both have a default route towards the destination.

I am connected to the router via the Gi0/0 interface (so via Mgmt-vrf). Don't know if this makes a difference.

Also "show ip dns servers" gives inconsistent output:

#sh ip dns servers
IP VRF TTL(s) RTT(ms) RTO(ms) EDNS DNSSEC RECURSION
-----------------------------------------------------------------------------
1.1.1.1 Mgmt-vr 683 1000 64000 Yes Yes Yes
2.2.2.2 IT 869 1451 1451 No Yes Yes
2.2.2.2 Mgmt-vr 685 1000 119000 Yes Yes Yes

Note how EDNS is different in the IT and Mgmt-vrf, although they are the same DNS servers.
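A small consistency check over the "show ip dns servers" table from the post above, added here as an example and not code from the thread or from Cisco: it parses the table as IOS prints it (the VRF column is truncated, so "Mgmt-vrf" appears as "Mgmt-vr" and is kept that way) and flags a server that is learned in one VRF but not another, or whose EDNS/DNSSEC/recursion flags differ between VRFs. The sample table is the posted output embedded as constructed input; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the 'show ip dns servers' table exactly as posted in the thread.
# IOS truncates the VRF column ("Mgmt-vrf" prints as "Mgmt-vr"); it is kept as printed.
SHOW_IP_DNS_SERVERS = """\
IP VRF TTL(s) RTT(ms) RTO(ms) EDNS DNSSEC RECURSION
-----------------------------------------------------------------------------
1.1.1.1 Mgmt-vr 683 1000 64000 Yes Yes Yes
2.2.2.2 IT 869 1451 1451 No Yes Yes
2.2.2.2 Mgmt-vr 685 1000 119000 Yes Yes Yes
"""

# One data row: server, VRF, three integers, three Yes/No flags (header lines never match).
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Yes|No)\s+(Yes|No)\s+(Yes|No)$")

def parse_dns_servers(text):
    """Parse the table into one dict per (server, VRF) row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # column header or separator line
        ip, vrf, ttl, rtt, rto, edns, dnssec, recursion = m.groups()
        rows.append({"ip": ip, "vrf": vrf, "ttl": int(ttl), "rtt": int(rtt),
                     "rto": int(rto), "edns": edns == "Yes",
                     "dnssec": dnssec == "Yes", "recursion": recursion == "Yes"})
    return rows

def find_inconsistencies(rows):
    """Flag a server that is missing from some VRF, or whose flags differ between VRFs."""
    by_ip = defaultdict(dict)
    vrfs = set()
    for r in rows:
        by_ip[r["ip"]][r["vrf"]] = r
        vrfs.add(r["vrf"])
    warnings = []
    for ip, per_vrf in sorted(by_ip.items()):
        for missing in sorted(vrfs - set(per_vrf)):
            warnings.append(f"{ip}: not learned in VRF {missing}")
        for flag in ("edns", "dnssec", "recursion"):
            values = {vrf: r[flag] for vrf, r in per_vrf.items()}
            if len(set(values.values())) > 1:
                warnings.append(f"{ip}: {flag.upper()} differs across VRFs: {values}")
    return warnings

if __name__ == "__main__":
    for w in find_inconsistencies(parse_dns_servers(SHOW_IP_DNS_SERVERS)):
        print(w)
```

On the posted table this reports that 1.1.1.1 is absent from the IT VRF and that 2.2.2.2 has EDNS enabled in one VRF and not the other, which is the inconsistency the post points out.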

I will update this with my case. I was working with Cisco tech, and it seems that VRF-aware DNS is not supported on the specific platform/IOS image version in my case.

Hello,

I have the same issue with WS-3850-12S-E, both IOS-XE 3.7.0 & 3.7.5. Is there any list of firmware versions or appliances which are not working?

Has anybody resolved it, e.g. with TAC? Or is it fixed in some specific release?

Thank you for your reply.

BR, Martin Orlich

saad_masood_88
Level 1

Hello,

You just need to issue the following command additionally for that particular VRF which is not resolving:

ip domain lookup vrf Mgmt-vrf

Best

Saad Masood
