How to merge routes from a VRF into the default routing table?

Jan 11th, 2010

Hi,

I need some advice on VRF design; I'm not used to how this thing works exactly, but I will explain what I need to achieve.

Setup

We have 1 Head-router serving 350 stores. On this router we have:

1 link to the internal Network

1 link to private MPLS network (Bell Canada)

1 link to the Internet

On that router, for every store, we are running 2 GRE tunnels: 1 over the MPLS link and 1 over the VPN link (used as a backup for MPLS).

My problem:

The stores' VPN source IPs are dynamic, therefore we need 1 default static route to access the Internet on the Head-router. But adding this route made Internet access stop working over the MPLS network, since once the packets reach the Head-router, they are routed back out the Internet access instead of going into our internal network to finally pass through our proxy.

What I would like to do:

Use a dedicated VRF for the static routes that will bring the VPN GRE tunnels up and the VPNs working; then all the traffic reaching the Head-router tunnel endpoint needs to "exit" that VRF and continue using the OSPF routes, which are in the default routing table.

How can I do this?

Is there any way to "merge" or "switch" from one VRF to the default one on a router?

Any other way to do it ?

Thanks

Marwan ALshawi Mon, 01/11/2010 - 20:08

Try to do the following.

Create a VRF, let's call it VRFA.

You will use this VRF for the Internet physical interface and the Internet default route in the branch.

Assign it to the Internet interface:

int fa x/x

ip vrf forwarding VRFA

Create a default route for this VRF:

ip route vrf VRFA 0.0.0.0 0.0.0.0 [next hop for your Internet]

Now your tunnel interface has as its source interface the physical interface above, which is assigned to VRF VRFA.

At the same time the tunnel is residing in the global routing table.

As per your requirement you need the tunnel to use the Internet default route just for the tunnel establishment with the other end.

There is a command that you can use for this purpose, under the tunnel interface:

int tunnel x

tunnel vrf VRFA

In this case the tunnel will use the default route of VRFA to reach the other end of the tunnel (for VPN)

and will use the global routing table for traffic exchange between the two tunnels

(only the tunnel source and destination will be looked up in the VRFA VRF routing table).

If you are using OSPF over the GRE I would suggest you inject the default route from the HQ router through OSPF:

router ospf 1

default-information originate always

Good luck.

If helpful, rate.

Laurent Aubert Mon, 01/11/2010 - 20:16

Hi Nicolas,

What you can do is to configure FVRF on the GRE tunnel of the hub:

1- Put the internet interface in a VRF

2- configure the default static route in this VRF as well

3- configure FVRF so IPSec will use this VRF for the remote peer VPN address lookup.

All the decrypted traffic will be routed via the default routing table.

Here is a configuration example:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

Check chapter 5.

HTH

Laurent.

Marwan ALshawi Mon, 01/11/2010 - 20:27

This is a quick test I did for the method I mentioned.

ip vrf VRFA
 rd 1:1
!
interface Tunnel0
 ip address 120.1.1.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source FastEthernet1/1      -- source and destination are looked up in the VRFA routing table to get the tunnel up
 tunnel destination 192.168.1.2
 tunnel vrf VRFA
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip vrf forwarding VRFA      -- Internet interface
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
!
ip route vrf VRFA 0.0.0.0 0.0.0.0 192.168.1.2   ---- VRF default route

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 120.1.1.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet1/0
     120.0.0.0/24 is subnetted, 1 subnets
C       120.1.1.0 is directly connected, Tunnel0
O*E2 0.0.0.0/0 [110/1] via 120.1.1.2, 00:01:45, Tunnel0  --- this is injected from the HQ, in your case through OSPF over the tunnel
R1#

good luck
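As an added example (not from this thread, nor Cisco's own tooling), a small Python check for the front-door VRF design described in both replies above: it parses a constructed IOS snippet modelled on the posted config and verifies that every tunnel with `tunnel vrf` has its `tunnel source` interface under `ip vrf forwarding` for that same VRF, and that the VRF actually carries a static default route. The function names and the sample config are my own; the check assumes `tunnel source` names an interface rather than an IP address.

```python
import re

# Constructed sample config, modelled on the hub config posted in the thread.
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 120.1.1.1 255.255.255.0
 tunnel source FastEthernet1/1
 tunnel destination 192.168.1.2
 tunnel vrf VRFA
!
interface FastEthernet1/1
 ip vrf forwarding VRFA
 ip address 192.168.1.1 255.255.255.0
!
ip route vrf VRFA 0.0.0.0 0.0.0.0 192.168.1.2
"""

def parse_ios(text):
    # Per-interface indented lines, plus the VRF names that have a static default route.
    interfaces, vrf_defaults, current = {}, set(), None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):  # '!' or another top-level command ends a block
            current = None
        elif current:
            interfaces.setdefault(current, []).append(line.strip())
        if m := re.match(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", line):
            vrf_defaults.add(m.group(1))
    return interfaces, vrf_defaults

def setting(lines, prefix):
    # Value of the first line that starts with `prefix`, or None when absent.
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), None)

def check_fvrf(text):
    # For each tunnel that uses 'tunnel vrf': the source interface must sit in that
    # VRF and the VRF must carry a default route. Assumes 'tunnel source' names an interface.
    interfaces, vrf_defaults = parse_ios(text)
    problems = []
    for name, lines in interfaces.items():
        fvrf = setting(lines, "tunnel vrf")
        if fvrf is None:
            continue
        src = setting(lines, "tunnel source")
        if setting(interfaces.get(src, []), "ip vrf forwarding") != fvrf:
            problems.append(f"{name}: source {src} is not in VRF {fvrf}")
        if fvrf not in vrf_defaults:
            problems.append(f"{name}: VRF {fvrf} has no default route")
    return problems
```

Running it against the sample returns no problems; a typo in the VRF name of the static route (as in the first reply's `VPNA` versus `VRFA`) is reported as a missing default route, which is exactly what would keep the tunnel from coming up.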
