Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

VRF-lite on c3550

Hi folks,

I have three OSPF areas connected via OSPF "0" backbone and there is MPLS VPN created.

Iside each area is L3 switch c3550 which acts as gateway for VLAN in VRF (CE). The switch is for the purpose of VPN connected to MPLS backbone (PE) through IPIP tunnel. In the VRF inside OSPF area is only very simple static routing - on L3 switch the default route is directed to the tunnel.

The MPLS VPN itself seems to be working fine - I can reach each L3 switch or router inside VPN - but only from other router/switch.

After connecting PC into VLAN inside VRF, it can?t reach even its gateway - well I handle this with "sdm prefer extended-match". Very tricky btw.

After that correction the PC can reach its gateway, and it even can reach "beginnig" of IPIP tunnel on L3 switch, but not anything else inside VPN, not even the "other" side of tunnel on PE router. From VPN I can reach PC?s gateway, but not PC itself.

When I connect PE and CE via 802.1q trunk and move gateway of VLAN in VRF to the PE, everything work just fine. So I believe the problem lies somewhere in L3 switch, maybe with cooperation with IPIP tunnel.

Any suggestions?

Thanks a lot, Martin

3 REPLIES

Re: VRF-lite on c3550

Hi Martin,

could you post the VRF and tunnel related config of a 3550?

Can you check the VRF routing table: "show ip route vrf "? If the destinations are not there, no connectivity can be achieved.

Where is the tunnel terminating - in the VRF or in the global routing table?

No IP in the global routing table gets connectivity to the VRF IPs and vice versa. This is not a bug, but a feature ;-)

Could this be the reason?

Regards, Martin

New Member

Re: VRF-lite on c3550

Hi,

as ususally, the problem has been solved two minutes after I posted my message :))

To your questions: Yes, routing table is OK, all networks are correctly distributed. The tunnel is terminated in VRF on both sides.

The problem was in "IPIP" tunnel mode. When I remove "tunnel mode ipip" from tunnel configuration, the host started to communicate to the VPN.

So, my problem is resolved, but I don?t understand why... can somebody explain it to me?

Re: VRF-lite on c3550

Well, yes :-)

IPIP is not VRF aware, GRE is!

So a GRE tunnel can terminate inside a VRF.

Regards, Martin

794
Views
0
Helpful
3
Replies
CreatePlease to create content