VRF<->Global problem

jlixfeld
Level 1

I provide my customers an Ethernet port off my PE (i.e. FastEthernet0/0 on PE from the configuration below). They can connect whatever they want into the port. Most times it's simply a PC. The only thing they expect to get off that port is Internet access.

I'm trying to stick all these users into a VRF called INTERNET, but I'm having some trouble getting the global table to see the networks that I'm assigning to my customers (i.e. 5.0.0.0/30 from the PE config below).

Near as I can tell, the VRF knows about the default gateway and the global table knows how to reach 5.0.0.0/30, but for some reason, there's no connectivity and I'm not sure how to begin troubleshooting this.

Anyone have any pointers?         

PE#traceroute vrf INTERNET 7.7.7.7
Type escape sequence to abort.
Tracing the route to 7.7.7.7
  1  *  *  *
PE#show ip route vrf INTERNET
Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S*    0.0.0.0/0 [250/0] via 10.0.0.1
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        5.0.0.0/30 is directly connected, FastEthernet0/0
L        5.0.0.1/32 is directly connected, FastEthernet0/0

PE#show ip bgp vpnv4 vrf INTERNET
BGP table version is 40, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 21949:0 (default for vrf INTERNET)
*> 5.0.0.0/30       0.0.0.0                  0         32768 ?
PE#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
C        1.1.1.1/32 is directly connected, Loopback0
      3.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
O        3.3.3.3/32 [110/2] via 10.0.0.1, 2d02h, FastEthernet3/0
      7.0.0.0/32 is subnetted, 1 subnets
B        7.7.7.7 [200/0] via 3.3.3.3, 1d18h
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/31 is directly connected, FastEthernet3/0
L        10.0.0.0/32 is directly connected, FastEthernet3/0
PE#show ip bgp
BGP table version is 35, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i5.0.0.0/24       3.3.3.3                  0    100      0 i
*>i7.7.7.7/32       3.3.3.3                  0    100      0 1 i
PE#
P#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
O        1.1.1.1/32 [110/2] via 10.0.0.0, 2d02h, FastEthernet1/0
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S        5.0.0.0/24 is directly connected, Null0
S        5.0.0.0/30 [1/0] via 10.0.0.0, FastEthernet1/0
      7.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        7.0.0.0/31 is directly connected, FastEthernet0/0
L        7.0.0.0/32 is directly connected, FastEthernet0/0
B        7.7.7.7/32 [20/0] via 7.0.0.1, 2d02h
C        10.0.0.0/31 is directly connected, FastEthernet1/0
L        10.0.0.1/32 is directly connected, FastEthernet1/0
P#show ip route vrf INTERNET
Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      5.0.0.0/30 is subnetted, 1 subnets
B        5.0.0.0 [200/0] via 1.1.1.1, 00:09:33
ISP#traceroute 5.0.0.2
Type escape sequence to abort.
Tracing the route to 5.0.0.2
  1 7.0.0.0 40 msec 8 msec 4 msec
  2  *  *  *
  3 10.0.0.1 [AS 21949] 24 msec 16 msec 8 msec
  4  *  *  *
  5 10.0.0.1 [AS 21949] 32 msec 20 msec 12 msec
  6  *  *  *
  7 10.0.0.1 [AS 21949] 12 msec 16 msec 12 msec
  8  *  *  *
  9 10.0.0.1 [AS 21949] 28 msec 28 msec 16 msec
10  *  *  *
ISP#show ip route 5.0.0.0
Routing entry for 5.0.0.0/24, 1 known subnets
B       5.0.0.0 [20/0] via 7.0.0.0, 02:34:17
R7#

!PE
!
ip vrf INTERNET
rd 21949:0
route-target export 21949:0
route-target import 21949:0
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding INTERNET
ip address 5.0.0.1 255.255.255.252
speed 100
duplex full
!

interface FastEthernet3/0
ip address 10.0.0.0 255.255.255.254
speed auto
duplex auto
mpls ip
!
router ospf 21949
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 21949
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 21949
neighbor 3.3.3.3 update-source Loopback0
!
address-family ipv4
  no synchronization
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 next-hop-self
  no auto-summary
exit-address-family
!      
address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
exit-address-family
!      
address-family ipv4 vrf INTERNET
  no synchronization
  redistribute connected
exit-address-family
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 10.0.0.1 global 250 permanent name "L3VPN Default Leak"
!
!P
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 7.0.0.0 255.255.255.254
speed 100
duplex full
!
interface FastEthernet1/0
ip address 10.0.0.1 255.255.255.254
speed auto
duplex auto
mpls ip
!
router ospf 21949
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 21949
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 21949
neighbor 1.1.1.1 update-source Loopback0
neighbor 7.0.0.1 remote-as 1
!
address-family ipv4
  no synchronization
  network 5.0.0.0 mask 255.255.255.0
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 next-hop-self
  neighbor 7.0.0.1 activate
  no auto-summary
exit-address-family
!
address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
  neighbor 1.1.1.1 route-reflector-client
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
  neighbor 2.2.2.2 route-reflector-client
exit-address-family
!
address-family ipv4 vrf INTERNET
  no synchronization
  redistribute connected
exit-address-family
!
ip route 5.0.0.0 255.255.255.0 Null0 250
ip route 5.0.0.0 255.255.255.252 FastEthernet1/0 10.0.0.0
!
!ISP
!
interface Loopback0
ip address 7.7.7.7 255.255.255.255
!
interface FastEthernet0/0
ip address 7.0.0.1 255.255.255.254
speed 100
full-duplex
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 7.7.7.7 mask 255.255.255.255
neighbor 7.0.0.0 remote-as 21949
!

swapnendum
Level 1

Route leakage between global/VRF is not allowed on multi-access interfaces like Ethernet.

A few common solutions to the problem you are facing:

1. Put the Internet interface on router P in a VRF, let's say ISP, and use the conventional vpnv4 import/export between the INTERNET and ISP VRFs.

2. Use VRF NAT on PE.

3. Use other methods to leak routes, e.g. cable loop, GRE-based leakage, etc.

HTH

Swap

#19804x2

Hi,

My vote goes to option 1.

Put the P interface connected to your ISP into a VRF, which means your P actually becomes a PE. Then either you receive a default route from your ISP via BGP or have a static one configured on your P, and export it with a dedicated RT that you can then import in any customer VRF requesting Internet access.

HTH

Laurent.
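Option 1 from the two replies above, written out as IOS configuration against the P and PE configs in the original post. This is an added example, not configuration from any of the posters; the VRF name ISP follows the first reply, while rd 21949:1, route-target 21949:100 and the prefix-list name TO-ISP are assumed values.

```cisco
! --- P router (now acting as a PE): ISP-facing link moves into VRF ISP ---
! Assumed values: rd 21949:1, route-target 21949:100, prefix-list TO-ISP
ip vrf ISP
 rd 21949:1
 ! dedicated RT that carries the Internet routes to customer VRFs
 route-target export 21949:100
 ! pull in customer prefixes already exported by VRF INTERNET
 route-target import 21949:0
!
interface FastEthernet0/0
 ip vrf forwarding ISP
 ! "ip vrf forwarding" removes the address, so it is entered again
 ip address 7.0.0.0 255.255.255.254
!
! static default toward the ISP and the /24 aggregate, both inside the VRF
ip route vrf ISP 0.0.0.0 0.0.0.0 7.0.0.1
ip route vrf ISP 5.0.0.0 255.255.255.0 Null0 250
no ip route 5.0.0.0 255.255.255.0 Null0 250
no ip route 5.0.0.0 255.255.255.252 FastEthernet1/0 10.0.0.0
!
! only the aggregate may leave toward the ISP (no default, no customer /30s)
ip prefix-list TO-ISP seq 5 permit 5.0.0.0/24
!
router bgp 21949
 no neighbor 7.0.0.1 remote-as 1
 address-family ipv4
  no network 5.0.0.0 mask 255.255.255.0
 exit-address-family
 address-family ipv4 vrf ISP
  neighbor 7.0.0.1 remote-as 1
  neighbor 7.0.0.1 activate
  neighbor 7.0.0.1 prefix-list TO-ISP out
  ! originate the static default and the aggregate from the VRF table
  network 0.0.0.0
  network 5.0.0.0 mask 255.255.255.0
 exit-address-family
!
! --- PE: import the dedicated RT and drop the global static leak ---
ip vrf INTERNET
 route-target import 21949:100
!
no ip route vrf INTERNET 0.0.0.0 0.0.0.0 10.0.0.1 global
```

With this in place, `show ip route vrf INTERNET` on the PE should show the default as a BGP route via 3.3.3.3 instead of the static entry, and return traffic for 5.0.0.0/30 reaches VRF ISP through the 21949:0 import rather than the global table.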
