05-07-2012 12:33 PM - edited 03-07-2019 06:33 AM
hello all:
I have the following setup:
And I have 4 environments:
Accordingly I configured 4 VRFs as shown in the attached pictures:
Moreover I've configured 4 PCs as follows:
NAME   IP/CIDR            GATEWAY
PCS1   172.19.1.100/24    172.19.1.241
PCS2   172.19.8.100/24    172.19.8.241
PCS3   172.19.16.100/24   172.19.16.241
PCS4   172.19.24.100/24   172.19.24.241
The aim of the setup is to isolate each environment from the others and to have full control of the subnets.
E.g. someone from VRF AIX UAT can access any VLAN within his VRF, but if he wants to access any VLAN outside his VRF he will not be able to do so, and the routing is to be provided by the FW SSG140.
I am attaching the config for the same, which I've done in GNS3.
The thing is, each of the PCs is able to ping its gateway and the other VLAN interfaces in its own VRF, but when I come to pinging the other VLANs' interfaces it should be routed through the FW (which is just a router in my lab configured with 802.1Q sub-interfaces, connected to SW01 through a trunk).
Ping examples:
PC1> ping 172.19.1.241
172.19.1.241 icmp_seq=1 ttl=255 time=19.000 ms

PC1> ping 172.19.2.241
172.19.2.241 icmp_seq=1 ttl=255 time=42.000 ms

Ping is successful for all the members of the VRF.

Here we are crossing to the second VRF's members, so the ping is getting dropped:
PC1> ping 172.19.8.241
*172.19.1.241 icmp_seq=1 ttl=255 time=22.000 ms (ICMP type:3, code:1, Destination host unreachable)

PC1> ping 172.19.16.241
*172.19.1.241 icmp_seq=1 ttl=255 time=4289347.296 ms (ICMP type:3, code:1, Destination host unreachable)

PC1> ping 172.19.24.241
*172.19.1.241 icmp_seq=1 ttl=255 time=4289053.296 ms (ICMP type:3, code:1, Destination host unreachable)
Here is a traceroute from PC1 to an unreachable VRF IP:
PC1> tracert 172.19.8.241
traceroute to 172.19.8.241, 64 hops max, press Ctrl+C to stop
1 *172.19.1.241 3968903.296 ms (ICMP type:3, code:1, Destination host unreachable)
And it is the same for the rest of the PCs.
One last thing:
Below is a ping from SW01 to FW01 and, as you can see, it's not working:
SW01#ping 172.19.8.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.8.254, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
SW01#ping 172.19.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.254, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
Also, I am attaching the running config of all the devices. Please let me know how I can route all the VLANs and make this work.
07-31-2012 03:30 PM
Wow, 2 months and no answer? :'(
07-31-2012 04:20 PM
One last thing:
Below is a ping from SW01 to FW01 and, as you can see, it's not working:
SW01#ping 172.19.8.254
Success rate is 0 percent (0/3)
SW01#ping 172.19.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.254, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
Try:
ping vrf AIX_DEV 172.19.8.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.8.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/25/52 ms
ping vrf AIX_UAT 172.19.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/36/68 ms
You need to include the VRF when pinging from a VRF interface; omitting this value forces the router to use the global routing table.
As for your other problem, each VRF must have a route to the other subnets pointing to the FW.
If you inspect each VRF on SW01, you will see it only has routes for that VRF. How would it know how to respond to packets from other VRFs?
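The fix the answer describes, written out as an added IOS configuration example (this is not the poster's attached config and not the answerer's text). It assumes the VRF names AIX_UAT and AIX_DEV that appear in the answer's ping commands, that 172.19.1.0/24 and 172.19.2.0/24 sit in AIX_UAT on SVIs Vlan1 and Vlan2, that 172.19.8.0/24 sits in AIX_DEV on SVI Vlan8, that the FW's 802.1Q sub-interfaces carry the .254 addresses pinged in the thread, and that the RD values are arbitrary. Only two of the four VRFs are shown; the remaining two follow the same pattern.

```ios
! SW01 (VRF-lite). Added example; VRF names, VLAN numbers and RDs are assumptions.
ip vrf AIX_UAT
 rd 65000:1
ip vrf AIX_DEV
 rd 65000:8
!
interface Vlan1
 ip vrf forwarding AIX_UAT
 ip address 172.19.1.241 255.255.255.0
interface Vlan2
 ip vrf forwarding AIX_UAT
 ip address 172.19.2.241 255.255.255.0
interface Vlan8
 ip vrf forwarding AIX_DEV
 ip address 172.19.8.241 255.255.255.0
!
! One default route per VRF, pointing at the firewall sub-interface that lives
! in that VRF's VLAN. Without these, a VRF's table holds only its own connected
! subnets and the SVI answers "destination unreachable" for every other VRF.
ip route vrf AIX_UAT 0.0.0.0 0.0.0.0 172.19.1.254
ip route vrf AIX_DEV 0.0.0.0 0.0.0.0 172.19.8.254
!
! Verification must name the VRF; a bare "ping" consults the global table.
!   SW01# show ip route vrf AIX_UAT
!   SW01# ping vrf AIX_UAT 172.19.8.241 source 172.19.1.241
!
! FW01 (the router standing in for the SSG140). Added example; sub-interface
! numbering is an assumption. The FW is directly connected to 172.19.1.0/24
! and 172.19.8.0/24, but it needs a static route back to any VRF subnet it
! has no sub-interface on, otherwise return traffic to 172.19.2.0/24 is dropped.
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 172.19.1.254 255.255.255.0
interface FastEthernet0/0.8
 encapsulation dot1Q 8
 ip address 172.19.8.254 255.255.255.0
ip route 172.19.2.0 255.255.255.0 172.19.1.241
```

With this in place every packet that leaves a VRF has to pass through the firewall, which is what gives the isolation in the original question any teeth: SW01 never has a route from one VRF into another, so the only place inter-environment traffic can be permitted or denied is the firewall's policy. Keep it that way by not adding `ip route vrf ... ` entries that point at another VRF's SVI and by not configuring any route leaking between the VRFs. The first lost packet in the answer's `ping vrf` output (`.!!!!`) is the usual ARP resolution delay, not a routing fault.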