Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2080
Views
0
Helpful
1
Replies

Cannot get to the internet from VRF but can ping within the VRF.

Go to solution
cjjones
Level 1
Level 1

‎03-07-2018 09:08 AM - edited ‎03-12-2019 05:05 AM

I'm totally new to mpls so I'm a little confused as to why I can't get to the internet with what I have configured. I am not using bgp, just ospf and I can ping within the vrf but not to addresses on the internet. When I do a trace from the firewall, to the internal vlan interface address, the only thing that answers is the core switch. The trace does not get to the remote switch. When I do a trace from the remote switch to 8.8.8.8, the core switch replies but then the trace dies. I can ping the firewall from the core switch and I do have a route and rules in the firewall to permit the traffic. Below are my configs. Could one of you take a look and see if I'm missing something? Ospf is advertising the default gateway to the remote switch and the remote switch is advertising the internal vlan, and loopback.
Remote Switch Config:
ip vrf BM3
rd 2003:3
route-target import 2003:3

route-target export 2003:3

vlan 2003
name BM3_Data_VLAN2003

interface Loopback2003
description BM3 MPLS/OSPF Loopback
ip vrf forwarding BM3
ip address 192.168.254.3 255.255.255.255
no shut

interface GigabitEthernet6/3
description MPLS to VSS g1/7/48
no ip address
no shut

int g6/3.3
description BM3 MPLS to VSS g1/7/48.3
encapsulation dot1Q 203
ip vrf forwarding BM3
ip address 192.168.255.7 255.255.255.254
no shut

interf vlan 2003
descr BM3
ip vrf forwarding BM3
ip address 192.168.3.1 255.255.255.0
no shut

router ospf 2003 vrf BM3
router-id 192.168.254.3
log-adjacency-changes
network 192.168.254.3 0.0.0.0 area 0
network 192.168.255.6 0.0.0.1 area 0
network 192.168.3.0 0.0.0.255 area 0

mpls ldp router-id vrf BM3 lo2003 force

Core Switch Config:
ip vrf BM3
rd 2003:3
route-target import 2003:3

 route-target export 2003:3

interface Loopback2003
description BM3 MPLS/OSPF Loopback
ip vrf forwarding BM3
ip address 192.168.253.3 255.255.255.255
no shut

int g1/7/48
description CORE MPLS to MOD1 g6/3
no shut

int g1/7/48.3
description CORE MPLS to BM3 g6/3.3
encapsulation dot1Q 203
ip vrf forwarding BM3
ip address 192.168.255.6 255.255.255.254
no shut

router ospf 2003 vrf BM3
router-id 192.168.253.3
log-adjacency-changes
network 192.168.253.3 0.0.0.0 area 0
network 192.168.255.5 0.0.0.1 area 0
default-information originate always

ip route vrf BM3 0.0.0.0 0.0.0.0 GigabitEthernet1/5/3 10.10.255.4 name MPLS_Default

mpls ldp router-id vrf BM3 lo2003 force

 

Trace from the firewall to 192.168.3.1(remote switch) dies after reply form the core switch interface it is connected to. Trace from 192.168.3.1(remote switch) to 8.8.8.8 dies after reply from the core switch interface it is connected to. Ping/trace from 192.168.3.1 to core loopback works. I don't have bgp running since this is just a single vrf and it looks like I have correct routes in the vrf i.e. default route,  192.168.3.0/24 and connected vrf interfaces are all there. I don't have the interface to the firewall configured in a vrf as there are other networks also using the internet connection.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cjjones
Level 1
Level 1

‎03-08-2018 06:18 PM

Fixed. Had to nat the traffic coming off the vrf to an ip address that was in a subnet known to the global ospf routing table.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
cjjones
Level 1
Level 1

‎03-08-2018 06:18 PM

Fixed. Had to nat the traffic coming off the vrf to an ip address that was in a subnet known to the global ospf routing table.

0 Helpful
Customers Also Viewed These Support Documents