
VRF Lite

kim
Level 1

Hi everybody :)

Thanks for an awesome resource!

Long story short, I've been labbing DHCP snooping and ARP inspection, and during that I needed extra clients... So I thought I could use a single switch and separate a couple of routed ports with VRFs, then have the ports ping each other through a second switch with a simple VLAN between them. But they can't ping each other. Could someone please tell me what is wrong with my logic here...

I'm running c3560-ipservicesk9-mz.122-58.SE2.bin on a 3560c with the following config:

VRFs first:

clients#sh ip vrf
  Name                             Default RD          Interfaces
  cli6                             6:6                 Fa0/6
  cli7                             7:7                 Fa0/7
  cli8                             8:8                 Fa0/8

Then the interfaces:

clients#sh run int fa0/7
Building configuration...

Current configuration : 153 bytes
!
interface FastEthernet0/7
 no switchport
 ip vrf forwarding cli7
 ip dhcp client hostname cli7
 ip address dhcp
end

clients#sh run int fa0/8
Building configuration...

Current configuration : 153 bytes
!
interface FastEthernet0/8
 no switchport
 ip vrf forwarding cli8
 ip dhcp client hostname cli8
 ip address dhcp
end

Interface states:

clients#sh ip int brie | i /7|/8
FastEthernet0/7        10.3.76.43      YES DHCP   up                    up      
FastEthernet0/8        10.3.76.46      YES DHCP   up                    up      

The switch VLANing the two routed ports together:

MiddleSw#sh run int fa0/8
Building configuration...

Current configuration : 108 bytes
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end

MiddleSw#sh run int fa0/7
Building configuration...

Current configuration : 108 bytes
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end

I have a PC on the same subnet, in the same VLAN on MiddleSw, that has no problem pinging either of the two routed ports, leading me to believe that this is not possible, but why? Hope you guys can elaborate :)

Thanks again!

 

3 Replies

Peter Paluch
Cisco Employee

Hi Kim,

On the clients switch, when you want to do pings, you will need to issue the ping command including the name of a VRF. Without that, the ping command tries to reach the intended destination using interfaces and routing information from the global routing table which is obviously empty.

So if you want to ping your Fa0/8 from your Fa0/7, you need to issue

ping vrf cli7 ip-address-of-Fa0/8

And in the opposite direction, if you want to ping Fa0/7 from your Fa0/8, you need to issue

ping vrf cli8 ip-address-of-Fa0/7

You always need to keep in mind the VRF in which the ping packets are being originated and from which they need to be routed out. This VRF needs to be specified in the ping command.

Would you mind testing this out and telling us if it worked for you?

Best regards,
Peter

Hey Peter :) 

Thanks for your reply! That's exactly what I've been doing, but your suggestion tells me that maybe this ought to work...

Note, addresses changed slightly

clients#sh ip int brie | i /7|/8
FastEthernet0/7        10.3.76.122     YES DHCP   up                    up      
FastEthernet0/8        10.3.76.117     YES DHCP   up                    up      

The ping:

 

clients#ping vrf cli7 10.3.76.117

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.76.56, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

But no dice!... Routing information shows:

clients#sh ip route vrf cli7
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.3.76.0/24 is directly connected, FastEthernet0/7
L        10.3.76.122/32 is directly connected, FastEthernet0/7


clients#sh ip route vrf cli8
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.3.76.0/24 is directly connected, FastEthernet0/8
L        10.3.76.117/32 is directly connected, FastEthernet0/8

Hi Kim,

I apologize for responding so late - it's been a busy week.

Some of the outputs you have posted are puzzling me, for example:

clients#ping vrf cli7 10.3.76.117

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.76.56, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

If you were pinging 10.3.76.117, why does the ping say you're pinging 10.3.76.56?

If this was just an error in transcription, can you make the experiment again and check the following?

  • Check show ip arp vrf cli7 and show ip arp vrf cli8 to see whether you have been able to properly learn the IP/MAC mapping of the pinging and pinged IP address. If not, we have a problem in the L2 connectivity between your Fa0/7 and Fa0/8 or in the ARP process. Running debug arp could potentially isolate the problem.
  • Check whether both the pinging and the pinged IP address have the same MAC address. If they do, this may be because the routed interfaces on your switch may be sharing the same MAC address. In that case, you'd need to redefine the per-port MAC addresses using the mac-address interface command.

Looking forward to hearing back from you :)

Best regards,
Peter
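
The two checks listed in the reply above, as an added example that is not part of the thread: a small parser for per-VRF `show ip arp` output that reports an unresolved peer entry and a MAC address shared by both routed ports. The sample output and MAC addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample output (not from the thread); MAC addresses are made up.
ARP_CLI7 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.76.122             -   0011.2233.4441  ARPA   FastEthernet0/7
Internet  10.3.76.117             0   Incomplete      ARPA
"""
ARP_CLI8 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.76.117             -   0011.2233.4441  ARPA   FastEthernet0/8
Internet  10.3.76.1              12   00aa.bbcc.dd01  ARPA   FastEthernet0/8
"""

ROW = re.compile(r"^Internet\s+(\S+)\s+(-|\d+)\s+(\S+)\s+ARPA(?:\s+(\S+))?\s*$")

def parse_arp(text):
    """Return {ip: (mac or None if Incomplete, is_local)} from 'show ip arp' text."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, age, hw, _intf = m.groups()
            mac = None if hw.lower() == "incomplete" else hw.lower()
            table[ip] = (mac, age == "-")  # age "-" marks the switch's own address
    return table

def local_entry(table):
    """The (ip, mac) pair of this VRF's own interface, or (None, None)."""
    return next(((ip, mac) for ip, (mac, local) in table.items() if local),
                (None, None))

def diagnose(arp_a, arp_b):
    """Apply both checks to the ARP tables of two VRFs, A and B."""
    a, b = parse_arp(arp_a), parse_arp(arp_b)
    (ip_a, mac_a), (ip_b, mac_b) = local_entry(a), local_entry(b)
    findings = []
    # Check 1: did each side learn the other's IP/MAC mapping?
    for name, table, peer in (("A", a, ip_b), ("B", b, ip_a)):
        if table.get(peer, (None, False))[0] is None:
            findings.append(f"VRF {name}: no resolved ARP entry for {peer}")
    # Check 2: do both routed ports present the same MAC address?
    if mac_a and mac_a == mac_b:
        findings.append(f"both interfaces use MAC {mac_a}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(ARP_CLI7, ARP_CLI8)))
```

An empty list means both VRFs resolved each other and the two ports use distinct MAC addresses.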
