VRF<->Global problem

Unanswered Question
Aug 28th, 2010

I provide my customers an Ethernet port off my PE (i.e. FastEthernet0/0 on PE from the configuration below). They can connect whatever they want into the port. Most times it's simply a PC. The only thing they expect to get off that port is Internet access.

I'm trying to stick all these users into a VRF called INTERNET, but I'm having some trouble getting the global table to see the networks that I'm assigning to my customers (i.e. 5.0.0.0/30 from the PE config below).

Near as I can tell, the VRF knows about the default gateway and the global table knows how to reach 5.0.0.0/30, but for some reason, there's no connectivity and I'm not sure how to begin troubleshooting this.

Anyone have any pointers?



PE#traceroute vrf INTERNET 7.7.7.7
Type escape sequence to abort.
Tracing the route to 7.7.7.7
  1  *  *  *
PE#show ip route vrf INTERNET
Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S*    0.0.0.0/0 [250/0] via 10.0.0.1
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        5.0.0.0/30 is directly connected, FastEthernet0/0
L        5.0.0.1/32 is directly connected, FastEthernet0/0
PE#show ip bgp vpnv4 vrf INTERNET
BGP table version is 40, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 21949:0 (default for vrf INTERNET)
*> 5.0.0.0/30       0.0.0.0                  0         32768 ?
PE#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
C        1.1.1.1/32 is directly connected, Loopback0
      3.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
O        3.3.3.3/32 [110/2] via 10.0.0.1, 2d02h, FastEthernet3/0
      7.0.0.0/32 is subnetted, 1 subnets
B        7.7.7.7 [200/0] via 3.3.3.3, 1d18h
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/31 is directly connected, FastEthernet3/0
L        10.0.0.0/32 is directly connected, FastEthernet3/0
PE#show ip bgp
BGP table version is 35, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i5.0.0.0/24       3.3.3.3                  0    100      0 i
*>i7.7.7.7/32       3.3.3.3                  0    100      0 1 i
PE#
P#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
O        1.1.1.1/32 [110/2] via 10.0.0.0, 2d02h, FastEthernet1/0
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S        5.0.0.0/24 is directly connected, Null0
S        5.0.0.0/30 [1/0] via 10.0.0.0, FastEthernet1/0
      7.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        7.0.0.0/31 is directly connected, FastEthernet0/0
L        7.0.0.0/32 is directly connected, FastEthernet0/0
B        7.7.7.7/32 [20/0] via 7.0.0.1, 2d02h
C        10.0.0.0/31 is directly connected, FastEthernet1/0
L        10.0.0.1/32 is directly connected, FastEthernet1/0
P#show ip route vrf INTERNET
Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      5.0.0.0/30 is subnetted, 1 subnets
B        5.0.0.0 [200/0] via 1.1.1.1, 00:09:33
ISP#traceroute 5.0.0.2
Type escape sequence to abort.
Tracing the route to 5.0.0.2
  1 7.0.0.0 40 msec 8 msec 4 msec
  2  *  *  *
  3 10.0.0.1 [AS 21949] 24 msec 16 msec 8 msec
  4  *  *  *
  5 10.0.0.1 [AS 21949] 32 msec 20 msec 12 msec
  6  *  *  *
  7 10.0.0.1 [AS 21949] 12 msec 16 msec 12 msec
  8  *  *  *
  9 10.0.0.1 [AS 21949] 28 msec 28 msec 16 msec
10  *  *  *
ISP#show ip route 5.0.0.0
Routing entry for 5.0.0.0/24, 1 known subnets
B       5.0.0.0 [20/0] via 7.0.0.0, 02:34:17
R7#

!PE
!
ip vrf INTERNET
rd 21949:0
route-target export 21949:0
route-target import 21949:0
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding INTERNET
ip address 5.0.0.1 255.255.255.252
speed 100
duplex full
!
interface FastEthernet3/0
ip address 10.0.0.0 255.255.255.254
speed auto
duplex auto
mpls ip
!
router ospf 21949
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 21949
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 21949
neighbor 3.3.3.3 update-source Loopback0
!
address-family ipv4
  no synchronization
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 next-hop-self
  no auto-summary
exit-address-family
!      
address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
exit-address-family
!      
address-family ipv4 vrf INTERNET
  no synchronization
  redistribute connected
exit-address-family
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 10.0.0.1 global 250 permanent name "L3VPN Default Leak"
!
!P
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 7.0.0.0 255.255.255.254
speed 100
duplex full
!
interface FastEthernet1/0
ip address 10.0.0.1 255.255.255.254
speed auto
duplex auto
mpls ip
!
router ospf 21949
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 21949
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 21949
neighbor 1.1.1.1 update-source Loopback0
neighbor 7.0.0.1 remote-as 1
!
address-family ipv4
  no synchronization
  network 5.0.0.0 mask 255.255.255.0
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 next-hop-self
  neighbor 7.0.0.1 activate
  no auto-summary
exit-address-family
!
address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
  neighbor 1.1.1.1 route-reflector-client
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
  neighbor 2.2.2.2 route-reflector-client
exit-address-family
!
address-family ipv4 vrf INTERNET
  no synchronization
  redistribute connected
exit-address-family
!
ip route 5.0.0.0 255.255.255.0 Null0 250
ip route 5.0.0.0 255.255.255.252 FastEthernet1/0 10.0.0.0
!
!ISP
!
interface Loopback0
ip address 7.7.7.7 255.255.255.255
!
interface FastEthernet0/0
ip address 7.0.0.1 255.255.255.254
speed 100
full-duplex
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 7.7.7.7 mask 255.255.255.255
neighbor 7.0.0.0 remote-as 21949
!
swapnendum Mon, 08/30/2010 - 02:13

Route leakage between global/VRF is not allowed on multi-access interfaces like Ethernet.

A few common solutions to the problem you are facing:

1. Put the Internet interface on router P in a VRF, let's say ISP, and use the conventional vpnv4 import/export between the INTERNET and ISP VRFs.

2. Use VRF NAT on the PE.

3. Use other methods to leak routes, e.g. cable loop, GRE-based leakage, etc.


HTH


Swap


Laurent Aubert (Cisco Employee) Sun, 09/12/2010 - 15:09

Hi,


My vote goes to option 1.


Put P interface connected to your ISP into a VRF which means your P becomes a PE actually. Then either you receive via BGP a default route from your ISP or have a static one configured on your P and export it with a dedicated RT you can then import in any customer VRF requesting Internet access.


HTH


Laurent.
