01-11-2010 07:06 AM - edited 03-04-2019 07:10 AM
Hi,
I need some advice on VRF design. I'm not used to how this thing works exactly, but I will explain to you what I need to achieve.
Setup
We have 1 head router serving 350 stores. On this router we have:
1 link to the internal Network
1 link to private MPLS network (Bell Canada)
1 link to the Internet
On that router, for every store, we are running 2 GRE tunnels: 1 over the MPLS link and 1 over the VPN link (used as a backup for MPLS).
My problem:
The stores' VPN source IPs are dynamic, therefore we need 1 default static route to access the Internet on the head router. But adding this route made Internet access stop working over the MPLS network, since once the packets reach the head router, they are routed back out the Internet access instead of going into our internal network to finally pass through our proxy.
What I would like to do:
Use a dedicated VRF for the static routes that will bring the VPN GRE tunnels up and the VPNs working; then all the traffic reaching the head router tunnel endpoint needs to "exit" that VRF and continue using the default OSPF routing table, which is in the default routing table.
How can I do this?
Is there any way to "merge" or "switch" from one VRF to the default one on a router?
Any other way to do it ?
Thanks
01-11-2010 08:08 PM
Try to do the following:
Create a VRF, let's call it VRFA.
This VRF you will use for the Internet physical interface and the Internet default route in the branch.
Assigning it to the Internet interface:
int fa x/x
ip vrf forwarding VRFA
Create a default route for this VRF:
ip route vrf VRFA 0.0.0.0 0.0.0.0 [next hop for your Internet]
Now your tunnel interface has as its source interface the physical interface above, assigned to VRF VRFA,
while at the same time the tunnel is residing in the global routing table.
As per your requirement, you need the tunnel to use the Internet default route just for the tunnel establishment with the other end.
There is a command that you can use for this purpose, under the tunnel interface:
int tunnelx
tunnel vrf VRFA
In this case the tunnel will use the default route of VRFA to reach the other end of the tunnel (for VPN)
and will use the global routing table for traffic exchange between the two tunnels
(only the tunnel source and destination will be looked up in the VRFA routing table).
If you are using OSPF over the GRE, I would suggest you inject the default route from the HQ router through OSPF:
router ospf 1
default-information originate always
good luck
If helpful, rate.
01-11-2010 08:16 PM
Hi Nicolas,
What you can do is configure FVRF on the GRE tunnel of the hub:
1- Put the Internet interface in a VRF
2- Configure the default static route in this VRF as well
3- Configure FVRF so IPsec will use this VRF for the remote peer VPN address lookup.
All the decrypted traffic will be routed via the default routing table.
Here is a configuration example:
Check chapter 5.
HTH
Laurent.
01-11-2010 08:27 PM
This is a quick test I did for the method I mentioned:
ip vrf VRFA
rd 1:1
!
!
!
interface Tunnel0
ip address 120.1.1.1 255.255.255.0
ip ospf 1 area 0
tunnel source FastEthernet1/1 -- source and destination are looked up in the VRFA routing table to get the tunnel up
tunnel destination 192.168.1.2
tunnel vrf VRFA
!
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
!
interface FastEthernet1/1
ip vrf forwarding VRFA -- internet interface
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
!
ip route vrf VRFA 0.0.0.0 0.0.0.0 192.168.1.2 ---- VRF default route
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 120.1.1.2 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet1/0
120.0.0.0/24 is subnetted, 1 subnets
C 120.1.1.0 is directly connected, Tunnel0
O*E2 0.0.0.0/0 [110/1] via 120.1.1.2, 00:01:45, Tunnel0 --- this is injected from the HQ in your case through OSPF over the tunnel
R1#
good luck
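Pulling the three replies together, here is a hub-side configuration as an added example (it is not from the thread or from any of the posters): the Internet interface, the Internet default route and the IKE/IPsec peer lookup all live in a front-door VRF, while the GRE tunnel and OSPF stay in the global table. The VRF name INTERNET, the interface names, addresses and pre-shared key are placeholders I chose, and IPsec protection of the GRE tunnel is assumed, as Laurent's reply implies.

```cisco
! Added example, placeholder names and addresses; not the thread's own config
ip vrf INTERNET
 rd 65000:1
!
! Internet-facing interface exists only inside the INTERNET VRF
interface GigabitEthernet0/0
 description To ISP
 ip vrf forwarding INTERNET
 ip address 203.0.113.10 255.255.255.248
!
! The only Internet default route is in the VRF, so the global table
! can never send decrypted store traffic straight back to the ISP
ip route vrf INTERNET 0.0.0.0 0.0.0.0 203.0.113.9
!
! Internal LAN toward the core and the proxy stays in the global table
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip ospf 1 area 0
!
! IKE peer lookup must happen in the front-door VRF, hence "vrf INTERNET"
! on the keyring; wildcard address because store addresses are dynamic
crypto keyring STORES vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key REPLACE-WITH-REAL-KEY
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
! Backup GRE tunnel for one store (destination is a placeholder):
! endpoints are resolved in INTERNET, the payload is routed in the
! global table because the tunnel itself is not in any VRF
interface Tunnel101
 description Store 101 backup over Internet
 ip address 172.16.101.1 255.255.255.252
 ip ospf 1 area 0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.25
 tunnel vrf INTERNET
 tunnel protection ipsec profile GRE-PROT
!
! Hand the stores a default pointing at the hub over the tunnel
router ospf 1
 default-information originate always
```

After applying it, `show ip route vrf INTERNET` should list only the connected ISP subnet and the static default, while `show ip route` should carry no Internet default at all, so decrypted store traffic follows OSPF toward the internal network and the proxy.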