12-16-2017 05:02 AM - edited 03-08-2019 01:07 PM
Hello everyone,
I have a problem due to a VRF issue. If anyone can find me a solution, I would appreciate it. I am sending my current configuration in brief to check:
vrf definition PENS_MSG_OPS
rd 2:2
route-target export 2:2
route-target import 2:2
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition PENS_MSG_TEST
rd 3:3
route-target export 3:3
route-target import 3:3
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
interface Loopback2
vrf forwarding PENS_MSG_OPS
ip address 57.235.248.67 255.255.255.255
!
interface Loopback3
vrf forwarding PENS_MSG_TEST
ip address 57.235.248.70 255.255.255.255
!
interface GigabitEthernet0/0/0
description to_DHMI_BACKUP_ROUTER
ip address 10.26.1.1 255.255.255.252
no ip proxy-arp
negotiation auto
!
interface GigabitEthernet0/0/1
description to_DHMI_LAN
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.2
description PENS_MSG_OPS
encapsulation dot1Q 2
vrf forwarding PENS_MSG_OPS
ip address 57.235.205.177 255.255.255.240
standby version 2
standby 102 priority 255
standby 102 preempt delay minimum 20
standby 102 authentication md5 key-string 7dhmi
service-policy input input_match
!
interface GigabitEthernet0/0/1.3
description PENS_MSG_TEST
encapsulation dot1Q 3
vrf forwarding PENS_MSG_TEST
ip address 57.235.205.201 255.255.255.248
standby version 2
standby 152 priority 255
standby 152 preempt delay minimum 20
standby 152 authentication md5 key-string 7dhmi
service-policy input input_match
!
interface GigabitEthernet0/1/0
switchport access vlan 102
switchport trunk allowed vlan 102
switchport mode trunk
!
interface GigabitEthernet0/1/1
switchport access vlan 152
switchport trunk allowed vlan 152
switchport mode trunk
!
interface Vlan102
description PENS_MSG_OPS
vrf forwarding PENS_MSG_OPS
ip address 57.235.239.210 255.255.255.252
no ip proxy-arp
!
interface Vlan152
description PENS_MSG_TEST
vrf forwarding PENS_MSG_TEST
ip address 57.235.239.222 255.255.255.252
no ip proxy-arp
!
router bgp 64784
bgp router-id 57.235.239.210
bgp log-neighbor-changes
no bgp default ipv4-unicast
timers bgp 15 45
neighbor 10.26.1.2 remote-as 64784
!
address-family ipv4
neighbor 10.26.1.2 activate
neighbor 10.26.1.2 send-community extended
neighbor 10.26.1.2 next-hop-self
exit-address-family
!
address-family ipv4 vrf PENS_MSG_OPS
bgp router-id 57.235.239.210
network 57.235.205.176 mask 255.255.255.240
neighbor 57.235.239.209 remote-as 65000
neighbor 57.235.239.209 description OPS_MSG_VPN
neighbor 57.235.239.209 activate
neighbor 57.235.239.209 send-community extended
neighbor 57.235.239.209 prefix-list DHMI out
neighbor 57.235.239.209 route-map set_metric_50 out
exit-address-family
!
address-family ipv4 vrf PENS_MSG_TEST
bgp router-id 57.235.239.222
network 57.235.205.200 mask 255.255.255.248
neighbor 57.235.239.221 remote-as 65000
neighbor 57.235.239.221 description MSG_TEST
neighbor 57.235.239.221 activate
neighbor 57.235.239.221 send-community extended
neighbor 57.235.239.221 prefix-list DHMI out
neighbor 57.235.239.221 route-map set_metric_50 out
exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
!
ip as-path access-list 1 permit ^$
!
ip access-list extended qos_D1
permit tcp any any eq 8500
permit tcp any eq 8500 any
permit udp any any eq 8500
permit udp any eq 8500 any
ip access-list extended qos_D2
permit tcp any any eq 102
permit tcp any eq 102 any
permit udp any any eq 102
permit udp any eq 102 any
ip access-list extended qos_D3
permit ip any any
!
!
ip prefix-list DHMI seq 10 permit 57.235.205.176/28
ip prefix-list DHMI seq 20 permit 57.235.205.200/29
!
route-map set_metric_50 permit 10
set metric 50
So here is the explanation:
My gig 0/1/0 and gig 0/1/1 ports are connected to the PE router and I am configuring the CE router. There is no problem with BGP; I can ping vrf to the interface of the PE routers. The problem is on my 0/0/1 port, which will be connected to my local LAN. IP routes will be added later, but what I am trying to do is this: I am giving my computer the IP 57.235.205.181/28, for example, and I can ping the router's interface Gig 0/0/1.2, which is 57.235.205.177. However, on the router I can't ping the address of the computer. What is more surprising is that I can't even ping its own IP address on the router itself. When I remove the command vrf forwarding PENS_MSG_OPS from subinterface 0/0/1.2, for example, this time I can ping the computer but I can't ping the VRF IP on the PE router side from my router. What am I missing here? What kind of change should I make to ping both of them? If you can help me I will appreciate it. Thank you for your help, have a nice weekend.
12-16-2017 08:32 AM
Hello,
Does the original post have the full configuration of the router? Take all the unused and incomplete parts out. Is there anything else left in the service policy?
12-16-2017 08:39 AM
This is all the configuration I have:
Building configuration...
Current configuration : 5553 bytes
!
! Last configuration change at 15:31:23 UTC Sat Dec 16 2017
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname DHMI_PENS_PRIMARY
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition PENS_MSG_OPS
rd 2:2
route-target export 2:2
route-target import 2:2
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition PENS_MSG_TEST
rd 3:3
route-target export 3:3
route-target import 3:3
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable password network
!
no aaa new-model
!
ip vrf forwarding
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4331/K9 sn FDO21081CAT
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
class-map match-any D1
description FMTP
match access-group name qos_D1
class-map match-any D2
description AMHS
match access-group name qos_D2
class-map match-any D3
match any
!
policy-map input_match
class D1
class D2
class D3
!
!
!
!
!
!
interface Loopback2
vrf forwarding PENS_MSG_OPS
ip address 57.235.248.67 255.255.255.255
!
interface Loopback3
vrf forwarding PENS_MSG_TEST
ip address 57.235.248.68 255.255.255.255
!
interface Loopback102
vrf forwarding PENS_MSG_OPS
ip address 57.235.248.67 255.255.255.255
shutdown
!
interface Loopback152
vrf forwarding PENS_MSG_TEST
ip address 57.235.248.68 255.255.255.255
shutdown
!
interface GigabitEthernet0/0/0
description to_DHMI_BACKUP_ROUTER
ip address 10.26.1.1 255.255.255.252
no ip proxy-arp
negotiation auto
!
interface GigabitEthernet0/0/1
description to_DHMI_LAN
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.2
description PENS_MSG_OPS
encapsulation dot1Q 2
vrf forwarding PENS_MSG_OPS
ip address 57.235.205.177 255.255.255.240
standby version 2
standby 102 ip 57.235.205.178
standby 102 priority 255
standby 102 preempt delay minimum 20
standby 102 authentication md5 key-string 7dhmi
service-policy input input_match
!
interface GigabitEthernet0/0/1.3
description PENS_MSG_TEST
encapsulation dot1Q 3
vrf forwarding PENS_MSG_TEST
ip address 57.235.205.201 255.255.255.248
standby version 2
standby 102 ip 57.235.205.202
standby 152 priority 255
standby 152 preempt delay minimum 20
standby 152 authentication md5 key-string 7dhmi
service-policy input input_match
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 102
switchport trunk allowed vlan 102
switchport mode trunk
!
interface GigabitEthernet0/1/1
switchport access vlan 152
switchport trunk allowed vlan 152
switchport mode trunk
!
interface GigabitEthernet0/1/2
switchport access vlan 2
shutdown
!
interface GigabitEthernet0/1/3
switchport access vlan 3
shutdown
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan102
description PENS_MSG_OPS
vrf forwarding PENS_MSG_OPS
ip address 57.235.239.210 255.255.255.252
no ip proxy-arp
!
interface Vlan152
description PENS_MSG_TEST
vrf forwarding PENS_MSG_TEST
ip address 57.235.239.222 255.255.255.252
no ip proxy-arp
!
router bgp 64784
bgp router-id 57.235.239.210
bgp log-neighbor-changes
no bgp default ipv4-unicast
timers bgp 15 45
neighbor 10.26.1.2 remote-as 64784
!
address-family ipv4
neighbor 10.26.1.2 activate
neighbor 10.26.1.2 send-community extended
neighbor 10.26.1.2 next-hop-self
exit-address-family
!
address-family ipv4 vrf PENS_MSG_OPS
bgp router-id 57.235.239.210
network 57.235.205.176 mask 255.255.255.240
neighbor 57.235.239.209 remote-as 65000
neighbor 57.235.239.209 description OPS_MSG_VPN
neighbor 57.235.239.209 activate
neighbor 57.235.239.209 send-community extended
neighbor 57.235.239.209 prefix-list DHMI out
neighbor 57.235.239.209 route-map set_metric_50 out
exit-address-family
!
address-family ipv4 vrf PENS_MSG_TEST
bgp router-id 57.235.239.222
network 57.235.205.200 mask 255.255.255.248
neighbor 57.235.239.221 remote-as 65000
neighbor 57.235.239.221 description MSG_TEST
neighbor 57.235.239.221 activate
neighbor 57.235.239.221 send-community extended
neighbor 57.235.239.221 prefix-list DHMI out
neighbor 57.235.239.221 route-map set_metric_50 out
exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
!
ip as-path access-list 1 permit ^$
!
ip access-list extended qos_D1
permit tcp any any eq 8500
permit tcp any eq 8500 any
permit udp any any eq 8500
permit udp any eq 8500 any
ip access-list extended qos_D2
permit tcp any any eq 102
permit tcp any eq 102 any
permit udp any any eq 102
permit udp any eq 102 any
ip access-list extended qos_D3
permit ip any any
!
!
ip prefix-list DHMI seq 10 permit 57.235.205.176/28
ip prefix-list DHMI seq 20 permit 57.235.205.200/29
!
route-map set_metric_50 permit 10
set metric 50
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password network
login
!
!
end
12-16-2017 09:06 AM
Hello,
the classes in your service policy do not have any action defined.
Take the entire service policy off the interface, also the HSRP stuff, so it should look like this:
interface GigabitEthernet0/0/1.2
description PENS_MSG_OPS
encapsulation dot1Q 2
vrf forwarding PENS_MSG_OPS
ip address 57.235.205.177 255.255.255.240
12-16-2017 09:47 AM
HSRP does work because I have a standby router, as you can see in the configuration. And I don't see any relation between the service policy and not being able to ping the computer. Thank you for your help.
12-16-2017 09:19 AM
Hi,
It does sound like it’s a case of your Windows firewall being enabled.
With the Windows firewall temporarily disabled, does this correct the issue?
12-16-2017 09:48 AM
It is definitely not a Windows firewall problem. I tried 3 different computers, one with Linux. And it didn't work.
12-16-2017 10:17 AM - edited 12-16-2017 10:18 AM
Hello,
Can you ping with the HSRP standby address, 57.235.205.178, as the source?
ping vrf PENS_MSG_OPS 57.235.205.181 source 57.235.205.178 ?
And vice versa, can your PC/computer ping 57.235.205.178? Your PC/computer needs to have 57.235.205.178 as the default gateway, make sure that is configured...
12-16-2017 10:20 AM
I am off work for today. Tomorrow night I will be able to do these steps and I will inform you about the results. Thank you for your help and support. Have a good weekend.
12-17-2017 09:40 AM
So here is the latest situation:
Right now I can ping vrf 57.235.205.181 from the router,
I can ping 57.235.205.177 and standby address 57.235.205.178 from the computer.
I just can't ping 57.235.205.181 without vrf from the router.
Is this a normal situation in my case?
12-17-2017 10:07 AM
Hello,
--> I can't ping 57.235.205.181 without vrf from the router.
That is the to-be-expected behaviour. The entire subnet is part of the VRF, so only reachable within the VRF.
12-17-2017 10:18 AM
Problem seems to be solved. Thank you very much for your help and support.
Best regards,