VRF installs a route whose next hop is unreachable

Hello

I just started dabbling with VRFs in GNS3, so forgive me if this is a silly question. My understanding is that routes should not be installed in the RIB if the next-hop address is unreachable. I advertised a single route into the VRF (from BGP) and it installed the route even though the VRF knows nothing about the next hop.

Border1#show ip route vrf test

Routing Table: test
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 1 subnets
C        10.99.99.1 is directly connected, Loopback9
B     200.1.1.0/24 [20/20] via 10.35.1.1, 00:40:12, GigabitEthernet3/0

Border1#show ip route vrf test 10.35.1.1

Routing Table: test
% Subnet not in table

vrf definition test
 rd 100:100
 !
 address-family ipv4
  import ipv4 unicast map IMPORT_FROM_GLOBAL
 exit-address-family

interface Loopback9
 vrf forwarding test
 ip address 10.99.99.1 255.255.255.255

ip prefix-list VRF_LEAK seq 5 permit 200.1.1.0/24

route-map IMPORT_FROM_GLOBAL permit 10
 match ip address prefix-list VRF_LEAK

I have a really basic VRF configuration and have not done anything fancy with it. Any ideas on how the VRF can install this route when there is no route to the next hop?

Hello cwhite0013,

It is true that BGP should not install a route if it has no entry for the next hop in the routing table.

Looking at your configuration, I can see that the router "leaks" into the VRF 'test' the 200.1.1.0/24 route, which originally lives in the global routing table.

In this case, the router must send the traffic to a next hop in the global routing table. That is why the router looks up the next hop 10.35.1.1 not in the VRF 'test' but in the global routing table, where there should be an entry for it.

I hope this helps.

Tags: Cisco Network

Similar Questions

  • The real purpose of route distinguishers

    Hi all

    I have a small question about route distinguishers. In an ISP cloud using MP-iBGP VPNv4 to carry customer routes, do the route distinguishers on different PE routers (each serving the same customer at different locations) need to have the same values on the VRFs of the different PE routers?

    Secondly, are the route distinguishers carried in MP-BGP VPNv4 advertisements? I guess it boils down to... what is the real purpose of route distinguishers?

    Any ideas would be very useful!

    David

    Hello David,

    do the route-distinguishers on different PE routers (each servicing the same customer at different locations) need to have the same route distinguishers on the VRFs of the different PE routers?

    Route distinguisher (RD) values can be largely arbitrary. They must be unique for different VRFs on the same PE, but for two corresponding VRFs on two different PEs they may or may not be the same; it does not really matter. In simpler deployments they are often the same, but in larger or more complex VPNs they are more likely to differ.

    Secondly, are route-distinguishers carried in MP-BGP VPNv4 advertisments?

    Yes, they are, in the context of the network addresses that are in a particular VRF and are advertised to other PEs.

    Let me explain the process of advertising routes from one PE to another, and let me first talk about the other attribute configured in the VRF: the route target (RT).

    The RT is a BGP attribute of a route; technically, it is an extended community attribute. Being an attribute means that this value is a property of the route which specifies how it should be treated, but it is not part of the route's network address or mask. It is included in the advertisement of that network to a BGP peer, but like other BGP attributes (next hop, local preference, MED, AS_PATH, etc.) it is just a property of the advertised network, not part of the address. Some BGP attributes need not always be present, or may be present multiple times in an update for a route. The RT is used specifically to say into which VRF a particular route may be imported. Saying that a route has export RTs 1:1 and 1:2 means that the route can be imported into any VRF that imports routes with RT 1:1 or 1:2.

    The presence of the RT, and the possibility of having several RTs on a single update, allows great flexibility in designing MPLS VPNs with several sites and partial visibility between them. However, RTs alone are not enough.

    Consider two VRFs on a single router, V1 and V2, each of them containing a single network 10.0.0.0/8. For the moment, assume there is no concept of RD. If BGP sends the routes of this router to a peer, it always sends them in a certain order. Suppose the first routes sent are those of one VRF, say V1, and then the routes from a different VRF, say V2, are advertised. V1 uses RT 1:1, V2 uses RT 1:2.

    Now imagine how the BGP updates would look on the wire: first, an update comes in saying there is a network 10.0.0.0/8 with RT 1:1. What would the neighboring router do? It would put the route into the corresponding VRF V1. Now a second update comes in (or a second entry in the same update is processed) and guess what: it says there is the same network 10.0.0.0/8, just with RT 1:2. What would the neighboring router do now? It would consider this second update to be a replacement of the previous one: the same network, but with different attributes. So it would delete the 10.0.0.0/8 network from VRF V1 and add it to VRF V2!

    This would happen because, for BGP, the network and its subnet mask are the key in its database. An update of a network is performed simply by sending the update about this network once again, with the new attributes specified explicitly. There is no need to withdraw the route first. And because BGP does not see any difference between the 10.0.0.0/8 of V1 and the 10.0.0.0/8 of V2, it merges them, because it thinks the information about the same network has just been updated.

    This is where the RD comes in: it extends the network address of all routes in a particular VRF with a single unique value. If V1 has the RD also set to 1:1 (it may very well be different from the RTs, and generally is) and V2 has RD 1:2, then the route from V1 is advertised as 1:1:10.0.0.0/8 while the same prefix from V2 is advertised as 1:2:10.0.0.0/8. For BGP it is now clear that these two networks are not the same. The trick here is to use the RD to temporarily extend the IP addresses of the networks in a VRF with unique values, working around BGP's treatment of identical-looking networks. However, the RD is not used to sort received routes into different VRFs; it exists only within the BGP communication.

    So, the RT says into which VRF a route can, and eventually will, be imported. The RD helps BGP understand that network X from one VRF is not the same as network X from a different VRF. Both RT and RD have the same format, but that is their only similarity. An RD must be present exactly once in each VRF on a single PE and must be unique. An RT must be present at least once in each VRF and does not need to be unique (if VRF route leaking is desired). The RD becomes part of the network address in BGP updates; RTs are carried as attributes of these networks. RDs are never used to sort routes between VRFs; that is the purpose of the RTs. This is also the reason why the RD may or may not be the same in two corresponding VRFs on two different PEs: in fact, it does not matter.

    Please feel welcome to ask for more!

    Best regards

    Peter

  • Two VRFs swapping routes... except the default

    I have two VRFs configured on my PE routers (in GNS3). The original setup is quite simple, as follows:

    ip vrf VRF_A
     rd 100:1
     route-target export 100:1
     route-target import 100:1
    !
    ip vrf VRF_B
     rd 100:2
     route-target export 100:2
     route-target import 100:2
    !

    I want these two VRFs to swap routes, except for their default routes. So I did the following:

    ip prefix-list blockDefault seq 5 deny 0.0.0.0/0
    ip prefix-list blockDefault seq 50 permit 0.0.0.0/0 le 32

    route-map ALL_EXCEPT_DEFAULT_VPN_A permit 10
     match ip address prefix-list blockDefault
     set extcommunity rt 100:10

    route-map ALL_EXCEPT_DEFAULT_VPN_B permit 10
     match ip address prefix-list blockDefault
     set extcommunity rt 100:20

    ip vrf VRF_A
     rd 100:1
     export map ALL_EXCEPT_DEFAULT_VRF_A
     route-target import 100:1
     route-target export 100:1
     route-target import 100:20
     route-target export 100:20
    !
    ip vrf VRF_B
     rd 100:2
     export map ALL_EXCEPT_DEFAULT_VRF_B
     route-target import 100:2
     route-target export 100:2
     route-target import 100:10
     route-target export 100:10
    !

    Now I find that, even though I can see the routes of VRF_A in VRF_B, I am actually losing routes that were previously in the VRF_A routing table (and vice versa).

    Can someone advise whether I have the above setup correct?

    Hi Steven,

    the problem with your route-maps is that the 'set extcommunity rt' clause without the "additive" keyword replaces all existing RTs (100:1 / 100:2 as well) with the new RT.

    There are several ways to accomplish the task, for example:

    ip prefix-list DEFAULT-ROUTE permit 0.0.0.0/0
    !
    route-map ALL_EXCEPT_DEFAULT_VRF_A permit 10
     match ip address prefix-list DEFAULT-ROUTE
     ! do nothing
    route-map ALL_EXCEPT_DEFAULT_VRF_A permit 20
     ! every other prefix
     set extcommunity rt 100:10 additive
    !
    ip vrf VRF_A
     rd 100:1
     export map ALL_EXCEPT_DEFAULT_VRF_A
     route-target import 100:1
     route-target import 100:20
     route-target export 100:1
    !
    (...)

    Result:

    R1#show ip bgp vpnv4 all 0.0.0.0 0.0.0.0 | i VRF|RT
    Paths: (1 available, best #1, table VRF_A)
          Extended Community: RT:100:1
    Paths: (1 available, best #1, table VRF_B)
          Extended Community: RT:100:2
    R1#! a prefix originated in VRF_A
    R1#show ip bgp vpnv4 all 172.16.12.0 | i VRF|RT
    Paths: (1 available, best #1, table VRF_A)
          Extended Community: RT:100:1 RT:100:10
    Paths: (1 available, best #1, table VRF_B)
          Extended Community: RT:100:1 RT:100:10
    R1#! a prefix originated in VRF_B
    R1#show ip bgp vpnv4 all 172.16.13.0 | i VRF|RT
    Paths: (1 available, best #1, table VRF_A)
          Extended Community: RT:100:2 RT:100:20
    Paths: (1 available, best #1, table VRF_B)
          Extended Community: RT:100:2 RT:100:20

    HTH

    Rolf
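    The two answers above make two separate points that are easy to mix up: Peter's, that the RD is part of the VPNv4 NLRI key while the RTs are attributes that only drive import, and Rolf's, that 'set extcommunity rt' without 'additive' replaces the RT set and so breaks the exporting VRF's own import. The following Python model is an added example, not code from this thread or from Cisco IOS. It reduces BGP to exactly those two behaviours (a later update for the same NLRI replaces the earlier one; a route is imported when any of its RTs matches an import RT), and the VRF names, RDs, RTs and the 172.16.12.0/24 / 172.16.13.0/24 prefixes are constructed to mirror the two discussions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Export-map hook: (prefix, RTs from 'route-target export') -> RTs to advertise.
ExportMap = Callable[[str, FrozenSet[str]], FrozenSet[str]]


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str                          # route distinguisher, e.g. "100:1"
    import_rts: FrozenSet[str]       # route-target import ...
    export_rts: FrozenSet[str]       # route-target export ...
    export_map: Optional[ExportMap] = None


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                          # part of the NLRI (the BGP table key)
    prefix: str                      # part of the NLRI
    rts: FrozenSet[str]              # extended communities: attributes, never key
    origin_vrf: str                  # bookkeeping for the demonstration only


def export_routes(vrf: Vrf, prefixes: List[str]) -> List[Vpnv4Route]:
    """Sending PE: tag each prefix with the VRF's export RTs, then run the export
    map, which may rewrite the RT set (this is where 'additive' matters)."""
    routes = []
    for prefix in prefixes:
        rts = vrf.export_rts
        if vrf.export_map is not None:
            rts = vrf.export_map(prefix, rts)
        routes.append(Vpnv4Route(vrf.rd, prefix, frozenset(rts), vrf.name))
    return routes


class ReceivingPe:
    """Receiving PE: one VPNv4 table keyed by NLRI, imported into VRFs by RT."""

    def __init__(self, vrfs: List[Vrf], use_rd: bool = True) -> None:
        self.vrfs = {v.name: v for v in vrfs}
        self.use_rd = use_rd
        self.bgp_table: Dict[Tuple[str, str], Vpnv4Route] = {}

    def receive(self, route: Vpnv4Route) -> None:
        # BGP semantics: a later update for the same NLRI replaces the earlier one.
        # With use_rd=False the key degenerates to the bare prefix, which is
        # Peter's thought experiment of V1 and V2 both advertising 10.0.0.0/8.
        key = (route.rd if self.use_rd else "", route.prefix)
        self.bgp_table[key] = route

    def vrf_table(self, vrf_name: str) -> Dict[str, List[str]]:
        """prefix -> origin VRFs of the routes imported into this VRF."""
        vrf = self.vrfs[vrf_name]
        table: Dict[str, List[str]] = {}
        for route in self.bgp_table.values():
            if route.rts & vrf.import_rts:   # any matching RT imports the route
                table.setdefault(route.prefix, []).append(route.origin_vrf)
        return table


def rd_demo(use_rd: bool) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Peter's V1/V2 example: the same prefix in two VRFs, with and without RDs."""
    v1 = Vrf("V1", "1:1", frozenset({"1:1"}), frozenset({"1:1"}))
    v2 = Vrf("V2", "1:2", frozenset({"1:2"}), frozenset({"1:2"}))
    pe = ReceivingPe([v1, v2], use_rd=use_rd)
    for route in export_routes(v1, ["10.0.0.0/8"]) + export_routes(v2, ["10.0.0.0/8"]):
        pe.receive(route)
    return pe.vrf_table("V1"), pe.vrf_table("V2")


def set_extcommunity_rt(new_rt: str, additive: bool) -> ExportMap:
    """Model of an export map doing 'set extcommunity rt <new_rt> [additive]' on
    everything except the default route, which is passed through untouched."""
    def export_map(prefix: str, rts: FrozenSet[str]) -> FrozenSet[str]:
        if prefix == "0.0.0.0/0":
            return rts
        return rts | {new_rt} if additive else frozenset({new_rt})
    return export_map


def leak_demo(additive: bool) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Steven's VRF_A/VRF_B leak with Rolf's RT plan: A exports 100:1 and adds
    100:10 for leaking, B exports 100:2 and adds 100:20; each VRF imports its
    own RT plus the other side's leak RT. Prefixes are constructed sample values."""
    vrf_a = Vrf("VRF_A", "100:1", frozenset({"100:1", "100:20"}), frozenset({"100:1"}),
                set_extcommunity_rt("100:10", additive))
    vrf_b = Vrf("VRF_B", "100:2", frozenset({"100:2", "100:10"}), frozenset({"100:2"}),
                set_extcommunity_rt("100:20", additive))
    pe = ReceivingPe([vrf_a, vrf_b])
    for route in (export_routes(vrf_a, ["172.16.12.0/24", "0.0.0.0/0"])
                  + export_routes(vrf_b, ["172.16.13.0/24", "0.0.0.0/0"])):
        pe.receive(route)
    return pe.vrf_table("VRF_A"), pe.vrf_table("VRF_B")


if __name__ == "__main__":
    print("no RD   :", rd_demo(use_rd=False))      # V1 loses 10.0.0.0/8 to V2
    print("with RD :", rd_demo(use_rd=True))       # both VRFs keep their own copy
    print("replace :", leak_demo(additive=False))  # each VRF loses its own prefix
    print("additive:", leak_demo(additive=True))   # both see both, defaults stay local
```

    Without the RD the second 10.0.0.0/8 overwrites the first and V1 ends up empty; with the RD both VRFs keep their prefix. Without 'additive' the leaked prefix leaves the PE carrying only the leak RT, so the originating VRF can no longer import it on the far side, which is exactly the symptom Steven described; with 'additive' the original RT survives and only the default stays local.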

  • DMVPN with VRF (redistributing a default route via the VRF)

    Hi all

    I was testing a DMVPN configuration so that users behind the SPOKES browse the Internet through the HUB's Internet gateway. SPOKE1PN is able to ping all internal IP addresses and the route determination is fine. When it reaches out to the Internet gateway (HUB_INTGW), pings are OK, but traceroute requests time out. I was wondering if anyone has an idea. Here is my topology.

    Basically, if SPOKE1PN pings the Internet, it goes SPOKE1 -> HUB1 via Tu0 -> HUB1_INTGW, where it is NAT overloaded.

    ISSUE (PINGS OK, TRACEROUTE DROPS AFTER NAT OVERLOAD)

    SPOKE1PN#ping 202.0.0.2 rep 88

    Type escape sequence to abort.
    Sending 88, 100-byte ICMP Echos to 202.0.0.2, timeout is 2 seconds:
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!
    Success rate is 100 percent (88/88), round-trip min/avg/max = 144/211/328 ms

    SPOKE1PN#traceroute 202.0.0.2

    Type escape sequence to abort.
    Tracing the route to 202.0.0.2

      1 192.168.1.1 88 msec 64 msec 16 msec
      2 172.14.1.1 164 msec 92 msec 128 msec
      3 10.1.0.254 152 msec 124 msec 116 msec
      4  *  *  *
      5  *  *  *
      6  *  *  *
      7  *  *  *
      8  *  *  *
      9  *  *  *
     10  *  *  *
     11  *  *  *
     12  *  *  *
     13  *  *  *
     14  *  *  *
     15  *  *  *
     16  *  *  *
     17  *  *  *
     18  *  *  *
     19  *  *  *
     20  *  *  *
     21  *  *  *
     22  *  *  *
     23  *  *  *
     24  *  *  *
     25  *  *  *
     26  *  *  *
     27  *  *  *
     28  *  *  *
     29  *  *  *
     30  *  *  *

    SPOKE1

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SPOKE1
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    ip vrf DMVPN
     rd 1:1
    !
    crypto isakmp policy 1
     encr aes 256
     hash md5
     authentication pre-share
     group 5
    crypto isakmp key @ngelam1chell3r1c address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60 periodic
    !
    crypto ipsec transform-set IPSEC-SET1 ah-md5-hmac esp-aes
    !
    crypto ipsec profile DMVPN
     set transform-set IPSEC-SET1
    !
    interface Tunnel0
     ip vrf forwarding DMVPN
     ip address 172.14.1.2 255.255.255.0
     no ip redirects
     ip mtu 1416
     ip nhrp authentication cisco123
     ip nhrp map 172.14.1.1 200.0.0.2
     ip nhrp map multicast 200.0.0.2
     ip nhrp map 172.14.1.254 200.0.1.2
     ip nhrp map multicast 200.0.1.2
     ip nhrp network-id 99
     ip nhrp nhs 172.14.1.1
     ip nhrp nhs 172.14.1.254
     tunnel source FastEthernet0/1
     tunnel mode gre multipoint
     tunnel key 999
     tunnel protection ipsec profile DMVPN
    !
    interface FastEthernet0/0
     ip vrf forwarding DMVPN
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 201.0.0.2 255.255.255.240
     speed 100
     full-duplex
    !
    router eigrp 1
     auto-summary
     !
     address-family ipv4 vrf DMVPN
      redistribute connected
      network 172.14.1.0 0.0.0.255
      network 192.168.1.0
      no auto-summary
      autonomous-system 1
     exit-address-family
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 201.0.0.1
    !
    no ip http server
    no ip http secure-server
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

    HUB1

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname HUB1
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    ip vrf DMVPN
     rd 1:1
    !
    crypto isakmp policy 1
     encr aes 256
     hash md5
     authentication pre-share
     group 5
    crypto isakmp key @ngelam1chell3r1c address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    !
    crypto ipsec transform-set IPSEC-SET1 ah-md5-hmac esp-aes
    no crypto ipsec nat-transparency udp-encapsulation
    !
    crypto ipsec profile DMVPN
     set transform-set IPSEC-SET1
    !
    interface Tunnel0
     ip vrf forwarding DMVPN
     ip address 172.14.1.1 255.255.255.0
     no ip redirects
     ip mtu 1416
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 99
     tunnel source FastEthernet0/1
     tunnel mode gre multipoint
     tunnel key 999
     tunnel protection ipsec profile DMVPN
    !
    interface FastEthernet0/0
     ip vrf forwarding DMVPN
     ip address 10.1.0.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 200.0.0.2 255.255.255.240
     speed 100
     full-duplex
    !
    router eigrp 1
     auto-summary
     !
     address-family ipv4 vrf DMVPN
      redistribute connected
      redistribute static
      network 10.1.0.0 0.0.0.255
      network 172.14.1.0 0.0.0.255
      no auto-summary
      autonomous-system 1
     exit-address-family
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 200.0.0.1
    ip route vrf DMVPN 0.0.0.0 0.0.0.0 10.1.0.254
    !
    no ip http server
    no ip http secure-server
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

    HUB1_INTGW

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname HUB1_INTGW
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    no ip domain lookup
    !
    multilink bundle-name authenticated
    !
    archive
     log config
      hidekeys
    !
    interface FastEthernet0/0
     ip address 10.1.0.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 200.0.1.2 255.255.255.240
     ip nat outside
     ip virtual-reassembly
     speed 100
     full-duplex
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 200.0.1.1
    ip route 192.168.1.0 255.255.255.0 10.1.0.1
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list ACL_NATOVERLOAD interface FastEthernet0/1 overload
    !
    ip access-list standard ACL_NATOVERLOAD
     permit 10.1.0.0 0.0.0.255
     permit 192.168.1.0 0.0.0.255
     permit 172.14.1.0 0.0.0.255
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
    !
    end


    Desmon,

    If ping works, I can bet that it is a problem of how the ICMP unreachable is passed back through the NAT (PAT, in fact) in response to the UDP probes with expired TTL.

    Can you do a static NAT on HUB1_INTGW for the test IP? You should see a difference... BTW, debug ip packet is your friend, try it :-) on INTGW and INT_RTR.

    Marcin

  • Leaking a VRF loopback address into the global routing table

    Hello

    I have a router on which I have set up several VRFs. I was also able to leak routes between the global routing table and one of the VRFs (VRF data) successfully.

    Now, I have not been able to leak the data VRF's loopback address (1.1.1.1) into the global routing table, so that I can ping the VRF loopback address from the global routing table.

    I also read this article:

    http://www.Cisco.com/en/us/Tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

    Does anyone know this before?

    Config attached

    Thank you

    Reza

    If VRF select is not supported, you can create a dummy route-map and apply it to the loopback interface:

    route-map FAKE
     set vrf data
    !
    int loopback 0
     ip policy route-map FAKE
     ip vrf receive data
    !

    http://www.Cisco.com/en/us/docs/iOS/MPLS/configuration/guide/mp_vpn_vrf_select_rt_ps6441_TSD_Products_Configuration_Guide_Chapter.html

    HTH

    Laurent.

  • VRF-aware VPN problem on CSR

    Hello community,

    I am currently evaluating the CSR in AWS (60-day trial) and have already worked around the usual problems and peculiarities of AWS network architecture design.

    I can't open a TAC case because we have not purchased a license yet. We will, once this last problem is solved.

    Current configuration:

    • Two CSRs in one VPC, in two AZs
    • GRE tunnel transit between the two CSRs
    • BGP running VRF-aware
    • using a gateway VRF
    • the CSRs are connected to several AWS VPCs (customers) via the AWS VPN feature - fully meshed route-based VPN - one VRF per customer - all running BGP
    • The link to on-prem is done the same way: fully meshed route-based VPN - using the gateway VRF - all running BGP
    • VRF import/export rules

    It works fine - no problems here. All HA tests work as expected. So far, so good.

    Now we had to create a VPN connection to a special on-prem location of our company. We had to create a policy-based VPN to that location (no support for route-based VPN there). It is a two-to-one VPN: two CSRs connecting to one on-prem gateway. The two tunnels use the same encryption domain. On-prem routing is based on the tunnel state. We put this tunnel in the gateway VRF. Routes are injected into the gateway VRF routing table by the VPN process (reverse-route static in the crypto map). To get these routes exported to the customer VRFs, there is a network statement in the gateway VRF BGP process.

    Well, this also works fine if we do this only with CSR A. Reachability is fine. CSR B hands the traffic over to CSR A, since the VRF-aware VPN works. However, if we establish the second tunnel on CSR B, something strange happens.

    The tunnel comes up fine. Traffic through the tunnel arriving at CSR B is accepted and routed to its destination. Traffic originated in the gateway VRF on CSR B is routed into its own VPN fine. However, traffic from a customer VRF that reaches CSR B (traceroute proved that) is not routed through the VPN tunnel, despite what the customer VRF routing table says. On CSR A, running the same configuration, there is no problem. Only on CSR B.

    I don't understand this. If we remove the tunnel configuration from CSR A and create the tunnel only on CSR B, it still does not work. I don't understand why, because I did a config comparison and found no difference.

    Does anyone have an idea what is going on?

    How can I debug this problem?

    CSR-A:

    B 172.29.13.176/28 [20/0] via 1.1.119.182 (vrf - default), 3w4d

    CSR-B:

    with route (does not work for the customer VRF)
    B 172.29.13.176/28 [20/0] via 1.1.119.182 (vrf - default), 00:00:02

    without route (works, because it is only sent via the transit to CSR-A)
    B 172.29.13.176/28 [20/0] via 192.168.254.53 (vrf - default), 00:38:23

    This problem is hard to describe; I would really appreciate discussing it with a TAC engineer in a WebEx. Is this possible?

    Thank you.

    Hello Tobias,

    The problem you describe is going to be outside our CSR platform expertise. It looks like the CSR works well and HA works as well, and now you are trying to find a solution to a network/VPN problem you are facing.

    Our team is trying to find an internal resource to resolve your issue; please allow us a day or two to get back to you with an answer.

    Regards

    Tony

  • OSPF in VRFs with the same area ID

    Hi all

    On an MPLS/VPN PE router, I configured OSPF as the PE-CE routing protocol.

    I configured several OSPF processes (one for each VRF).

    But if I have several customers who use the same OSPF area ID on their side, can I set up the same area ID for multiple OSPF processes on the PE side? Of course, all these areas are independent and I don't want to see customer1 routes in customer2's OSPF!

    In the following example I have 2 customers. Each customer has 2 sites and an OSPF backbone area that spans the 2 sites. For each customer I want to interconnect its 2 sites and extend the OSPF backbone area across MPLS.

    Customer1's OSPF backbone area is different from customer2's, although the ID is the same...

    Here is an example PE configuration:

    interface G0/1
     ip vrf forwarding customer1
     ip address 10.1.1.1 255.255.255.0
    !
    interface G0/2
     ip vrf forwarding customer2
     ip address 10.1.2.1 255.255.255.0
    !
    !
    router ospf 1 vrf customer1
     network 10.1.1.0 0.0.0.255 area 0
    !
    router ospf 2 vrf customer2
     network 10.1.2.0 0.0.0.255 area 0

    Will I have problems if I use the same area ID here?

    Thanks for your help!

    Hello Sam,

    You will not face any problem, because you have configured cust1 and cust2 under VRF instances in OSPF. There will be no mixing of cust1 and cust2 routes.

    In addition to this, also configure the domain-id (a unique 32-bit IP address) under the OSPF process for each customer. The reason is that if you configure OSPF process ID 1 for cust1 at one end and process ID 2 for the same customer at the other end, routes propagated from end A to end B will be considered inter-area at end B.

    router ospf 1 vrf customer1
     domain-id 1.1.1.1    --> keep this the same for this VRF at each site
     network 10.1.1.0 0.0.0.255 area 0

    Hope this is useful

    Regards

    Mahesh

  • VRF-lite, NAT and route leaking

    Hello, community. I'm trying to reproduce a setup with two customers (R1 and R2), a PE router (R3) and a shared services router (R4).

    Here is the configuration:

    R1:

    interface Loopback0
     ip address 10.10.1.1 255.255.255.255
    !
    interface FastEthernet1/0
     ip address 192.168.15.1 255.255.255.0
    !
    ip route 0.0.0.0 0.0.0.0 192.168.15.5

    R2:

    interface Loopback0
     ip address 10.10.2.2 255.255.255.255
    !
    interface FastEthernet1/0
     ip address 192.168.16.1 255.255.255.192
    !
    ip route 0.0.0.0 0.0.0.0 192.168.16.5

    R3:

    ip vrf VRF1
     rd 1:1
     route-target export 1:1
     route-target import 1:1
    !
    ip vrf VRF2
     rd 2:2
     route-target export 2:2
     route-target import 2:2
    !
    interface FastEthernet0/0
     description R1
     ip vrf forwarding VRF1
     ip address 192.168.15.5 255.255.255.192
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/1
     description R2
     ip vrf forwarding VRF2
     ip address 192.168.16.5 255.255.255.192
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet1/0
     description R4
     ip address 1.1.1.1 255.255.255.0
     ip nat outside
     ip virtual-reassembly
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.2
    ip route vrf VRF1 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
    ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
    ip route vrf VRF2 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
    ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
    !
    ip nat inside source list 15 interface FastEthernet1/0 vrf VRF1 overload
    ip nat inside source list 16 interface FastEthernet1/0 vrf VRF2 overload
    !
    access-list 15 permit 192.0.0.0 0.255.255.255
    access-list 15 permit 10.10.0.0 0.0.255.255
    access-list 16 permit 192.0.0.0 0.255.255.255
    access-list 16 permit 10.10.0.0 0.0.255.255

    R4:

    interface Loopback0
     ip address 10.10.10.10 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 1.1.1.2 255.255.255.0
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.1

    The configuration does not work.

    R1#ping 192.168.15.5

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/89/116 ms

    R1#ping 192.168.15.5 source l0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/86/92 ms

    R1#ping 1.1.1.1 source l0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 292/357/400 ms

    R1#ping 1.1.1.2 source l0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 216/187/160 ms

    R1#ping 10.10.10.10 source l0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    .....
    Success rate is 0 percent (0/5)

    I can't ping the R4 loopback address (the "shared resource", also known as the "common service").

    It is the same with R2 (the second customer).

    But I can still ping the R4 loopback from R3:

    R3#ping 10.10.10.10

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/88/116 ms

    Here is the routing table on R3:

    R3#sh ip route | begin Gateway

    Gateway of last resort is 1.1.1.2 to network 0.0.0.0

         1.0.0.0/24 is subnetted, 1 subnets
    C       1.1.1.0 is directly connected, FastEthernet1/0
    S*   0.0.0.0/0 [1/0] via 1.1.1.2

    R3#sh ip route vrf VRF1 | begin Gateway

    Gateway of last resort is 1.1.1.2 to network 0.0.0.0

         192.168.15.0/26 is subnetted, 1 subnets
    C       192.168.15.0 is directly connected, FastEthernet0/0
         10.0.0.0/16 is subnetted, 1 subnets
    S       10.10.0.0 [1/0] via 192.168.15.1
    S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0

    R3#sh ip route vrf VRF2 | begin Gateway

    Gateway of last resort is 1.1.1.2 to network 0.0.0.0

         10.0.0.0/16 is subnetted, 1 subnets
    S       10.10.0.0 [1/0] via 192.168.16.1
         192.168.16.0/26 is subnetted, 1 subnets
    C       192.168.16.0 is directly connected, FastEthernet0/1
    S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0

    So the question is: what is causing the problem? How do I troubleshoot it? What are the troubleshooting steps?

    Hi Eugene Khabarov,

    It does not work because the destination IP address that represents the common services is being routed back locally to the CE itself. That's the problem here. We must make sure the destination subnet is not pointing there, which is what is happening here.

    R4:

    interface Loopback0
     ip address 10.10.10.10 255.255.255.255
    !

    R3 - VRF1:

    S 10.10.0.0 [1/0] via 192.168.15.1

    Regards

    Verdier
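    The answer above points at the 10.10.0.0/16 static in VRF1. The Python walk-through below is an added example, not part of the original thread: it reproduces R3's VRF1 lookup with a longest-prefix-match function over the entries shown in the "sh ip route vrf VRF1" output, and then repeats the lookup with the customer static narrowed to 10.10.1.0/24. That narrowed table is an assumed alternative used only to show how the shared-service address then falls through to the global default; the nh_table field (the table the next hop is resolved in) mirrors the 'global' keyword on the VRF default route.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str      # destination prefix
    next_hop: str    # next-hop address, or "connected"
    nh_table: str    # table the next hop is resolved in ("VRF1" or "global")


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific entry covering dst wins, exactly
    as the forwarding lookup does; the default route only matters when nothing
    more specific covers the destination."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in table:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def covering_routes(table: List[Route], dst: str) -> List[str]:
    """All entries that cover dst, most specific first: shows which broad
    static is shadowing the default for a given destination."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    hits.sort(key=lambda r: -ipaddress.ip_network(r.prefix).prefixlen)
    return [r.prefix for r in hits]


def forwarding_decision(table: List[Route], dst: str) -> str:
    """Next hop and resolving table for dst, or 'drop' if no route covers it."""
    route = lookup(table, dst)
    if route is None:
        return "drop"
    return f"{route.next_hop} ({route.nh_table})"


# R3's VRF1 table as shown above (sh ip route vrf VRF1).
VRF1_TABLE: List[Route] = [
    Route("192.168.15.0/26", "connected", "VRF1"),
    Route("10.10.0.0/16", "192.168.15.1", "VRF1"),  # static back toward the customer CE R1
    Route("0.0.0.0/0", "1.1.1.2", "global"),         # ... FastEthernet1/0 1.1.1.2 global
]

# Assumed alternative (not from the thread): the customer static narrowed to
# what R1 actually owns, so that 10.10.10.10 no longer matches it.
VRF1_TABLE_NARROWED: List[Route] = [
    Route("192.168.15.0/26", "connected", "VRF1"),
    Route("10.10.1.0/24", "192.168.15.1", "VRF1"),
    Route("0.0.0.0/0", "1.1.1.2", "global"),
]


if __name__ == "__main__":
    for dst in ("10.10.10.10", "10.10.1.1", "8.8.8.8"):
        print(dst, "->", forwarding_decision(VRF1_TABLE, dst),
              "| covered by", covering_routes(VRF1_TABLE, dst))
    print("narrowed: 10.10.10.10 ->", forwarding_decision(VRF1_TABLE_NARROWED, "10.10.10.10"))
```

    With the table as posted, 10.10.10.10 is covered by both 10.10.0.0/16 and the default, and the /16 wins, so the packet goes back to R1 at 192.168.15.1 instead of out to R4; with the static narrowed to the customer's own /24 the same destination falls through to 1.1.1.2 in the global table.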

  • VRF-aware IPsec and NAT

    Hello all.

    I have a hub router and 2 spoke routers with overlapping LAN IP address ranges.

                     /--> routerA - 10.47.1.0/24
        172.16.1.0 - VRF
                     \--> routerB - 10.47.1.0/24

    I use route-maps to steer the different local hosts to the different VRFs on the hub side (no problem).

    I use the VRF-aware IPsec feature to reach the different spoke networks without NAT (no problem).

    My main question is that I have to do NAT on the HUB router: I need to translate the hosts on the HUB LAN to IP addresses defined by the different spoke LAN administrators.

    These NAT ranges may be different / might overlap for the different VRFs.

    My problem is that I have no idea how to get the traffic NATed correctly (after the route-map, before IPsec).

    If you have an idea / if you have solved this problem,

    I would be grateful for a hint / clue / THE solution.

    Thanks in advance

    Jarle

    Hi Nelly,

    I finally found a router to test on. I'm still trying to make it work with a single site without NAT. No success so far; the crypto map is not triggered.

    Question: what does this line do exactly? ip route vrf VRF1 10.47.2.0 255.255.255.0 200.200.200.1 global

    I guess that is only there in anticipation of your NAT stuff.

    In a non-NAT environment, do you still need an ip route vrf command?

    What is the output of your sh ip vrf interfaces?

    Is it OK for the VRF to be associated only with the loopback interface?

    No clue on how to solve this?

    Regarding your last comment, your crypto map should be OK. Packets are translated before being processed by the crypto engine. See the link

    http://www.Cisco.com/warp/public/556/5.html

    I would try

    interface Ethernet0/0
     ip nat inside
    interface Ethernet1/0
     ip nat outside
    ip nat inside source static network 10.47.1.0 10.47.2.0 /24 vrf VRF1

    Thanks

    Michel

  • How do I route out of the VRF to the global table

    How to build static routes (two-way) between the VRF and the overall table?

    Cat 6509

    12.2 (33)

    Single VRF, Full BGP. EIGRP inside the VRF.

    I do not have a 6509,

    but on IOS you attach the 'global' keyword to the VRF route, and on the incoming interfaces I created a policy map to send traffic into the VRF.
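    The two directions the reply describes, written out as an added example (this is not a configuration from the thread; the VRF name CUST-A, the interface names and all addresses are assumptions chosen for illustration):

```cisco
! Added example, not from the thread. Assumed topology:
!   Gi0/1  global table, uplink, next hop 203.0.113.1
!   Gi0/2  inside VRF CUST-A, customer subnet 10.20.0.0/24, CE at 10.20.0.2
!   198.51.100.0/24  a shared service that lives in the global table
ip vrf CUST-A
 rd 65000:1
!
interface GigabitEthernet0/1
 description global-facing uplink
 ip address 203.0.113.2 255.255.255.0
 ! PBR variant of "send traffic into the VRF" (the reply's policy map):
 ! only the customer prefix is steered, never "any".
 ip policy route-map INTO-CUST-A
!
interface GigabitEthernet0/2
 description customer-facing, member of the VRF
 ip vrf forwarding CUST-A
 ip address 10.20.0.1 255.255.255.0
!
! VRF -> global: the 'global' keyword makes the next hop resolve in the
! global table. Leak the one shared prefix only; a 0.0.0.0/0 here would
! give the VRF reachability to everything the global table knows.
ip route vrf CUST-A 198.51.100.0 255.255.255.0 203.0.113.1 global
!
! global -> VRF: a global static that points out an interface belonging
! to the VRF. Giving both interface and next hop keeps the entry
! non-recursive and avoids relying on proxy ARP on Ethernet.
ip route 10.20.0.0 255.255.255.0 GigabitEthernet0/2 10.20.0.2
!
! Policy map used on Gi0/1 above
ip access-list extended TO-CUST-A
 permit ip any 10.20.0.0 0.0.0.255
!
route-map INTO-CUST-A permit 10
 match ip address TO-CUST-A
 set vrf CUST-A
!
! Checks: the leaked prefixes should appear as S in both tables
! show ip route vrf CUST-A 198.51.100.0
! show ip route 10.20.0.0
```

    The static pair is enough for the two-way case the question asks about; the PBR route-map is only needed when traffic arriving on a global interface must be forced into the VRF regardless of the global table's routing decision. In both directions, keep the leaked prefixes as narrow as possible, since every leaked route is a hole in the separation the VRF was created for.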

  • The AAA authentication and VRF-Lite

    Hello!

    I encountered a strange problem when using RADIUS AAA authentication and VRF-Lite.

    The setup is as follows. A /31 link net is configured between the PE and the CE (7206/G1 and C1812), where the PE sub-interface is part of an MPLS VPN and the CE uses VRF-Lite to keep local services separate (where more than one VPN is used..).

    Access to the CE, via telnet, console etc, is authenticated by our RADIUS servers, based on the following configuration:

    --> Config start <--

    aaa new-model
    !
    !
    aaa group server radius RADIUS-auth
     server x.x.4.23 auth-port 1645 acct-port 1646
     server x.x.7.139 auth-port 1645 acct-port 1646
    !
    aaa authentication login default group RADIUS-auth local
    aaa authentication enable default group RADIUS-auth
    ...
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key [key]
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key [key]
    ...
    ip radius source-interface [interface] vrf 10

    --> Config end <--

    The VRF-Lite instance is configured like this:

    --> Config start <--

    ip vrf 10
     rd 65001:10

    --> Config end <--

    Now, if I remove the VRF-Lite configuration and use global routing on the CE (which is OK for a simple VPN installation), AAA/RADIUS authentication works very well. When I activate "ip vrf forwarding 10" on the outside and inside interfaces, the AAA/RADIUS service is unable to reach the two defined servers.

    I compared the routing tables when using VRF-Lite and global routing, and they are identical. All routes are correctly imported via BGP, and the service as a whole operates without problem; in other words, the AAA/RADIUS part is the only service that does not.

    It may be necessary to include a vrf forwarding command in the server group config, as follows:

    aaa group server radius RADIUS-auth
     server-private x.x.x.x auth-port 1645 acct-port 1646 key ww
     ip vrf forwarding 10

    See the document below for more details:

    http://www.Cisco.com/en/us/partner/docs/iOS/12_4/secure/configuration/guide/hvrfaaa.html

  • VRF lab: pulling my hair out

    Hello, I am trying to learn VRF so I can possibly get it to work. I've got a GRE tunnel which only went down after adding ip vrf forwarding to the interfaces it uses. What I'm trying to do is to force all traffic from R17 down the Tunnel0 interface. I can't even get the tunnel endpoints to come up for basic connectivity, let alone achieve my goal. Please ignore the route map stuff; I was able to reach the goal within minutes using those, and now I am doing it with VRF. The tunnel interfaces are down. I have attached a diagram.

    What am I doing wrong? Thank you guys! If anyone can figure out this riddle I'll be quite relieved.

    Config of R11 (using fa1/0 as endpoint)

    R11#sh run
    Building configuration...

    Current configuration : 1616 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R11
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    !
    !
    !
    ip vrf detour
    !
    no ip domain lookup
    ip domain name lab.local
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
     ip address 11.11.11.11 255.255.255.255
    !
    interface Tunnel0
     ip vrf forwarding detour
     ip address 123.123.123.123 255.255.255.0
     load-interval 30
     tunnel source 10.0.0.2
     tunnel destination 15.15.15.15
    !
    interface FastEthernet0/0
     ip address 2.2.2.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     shutdown
     clock rate 2000000
    !
    interface FastEthernet0/1
     ip address 1.1.1.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     ip vrf forwarding detour
     ip address 10.0.0.2 255.255.255.0
     duplex auto
     speed auto
    !
    router ospf 1
     log-adjacency-changes
     area 10 stub no-summary
     network 10.0.0.0 0.0.0.255 area 10
     network 0.0.0.0 255.255.255.255 area 0
    !
    ip forward-protocol nd
    ip route vrf detour 0.0.0.0 0.0.0.0 123.123.123.124
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended tunnel
     permit icmp 10.0.0.0 0.0.0.255 any
     permit ip 10.0.0.0 0.0.0.255 any
    !
    route-map tunneltime permit 10
     match ip address tunnel
     set interface Tunnel0
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line vty 0 4
     login
    !
    !
    end

    R15 config (2nd endpoint, using Loopback0)

    R15#sh run
    Building configuration...

    Current configuration : 1185 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R15
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    !
    !
    !
    ip vrf detour
    !
    no ip domain lookup
    ip domain name lab.local
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
     ip vrf forwarding detour
     ip address 15.15.15.15 255.255.255.0
    !
    interface Tunnel0
     ip vrf forwarding detour
     ip address 123.123.123.124 255.255.255.0
     tunnel source Loopback0
     tunnel destination 10.0.0.2
    !
    interface FastEthernet0/0
     ip address 5.5.5.5 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 4.4.4.5 255.255.255.0
     duplex auto
     speed auto
    !
    router ospf 1
     log-adjacency-changes
     network 0.0.0.0 255.255.255.255 area 0
    !
    ip forward-protocol nd
    ip route vrf detour 0.0.0.0 0.0.0.0 123.123.123.123
    !
    no ip http server
    no ip http secure-server
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line vty 0 4
     login
    !
    !
    end

    Hi Blake,

    Tunnel endpoints should be in the global routing table, not in the VRF. So you should remove "ip vrf forwarding detour" from fa1/0 on R11 and lo0 on R15, or use other interfaces that are associated with the global routing table as the endpoints. This should allow your tunnel to come up.

    Hope this helps
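    The reply's fix applied to R11's side of the tunnel, as an added example rather than a configuration from the thread (the addresses and names are the lab's own; which table the underlay lives in is the only thing that changes):

```cisco
! Added example, not from the thread. Before: the endpoint interface was a
! member of the VRF, so the tunnel destination 15.15.15.15 had to be found
! in VRF detour, which holds only the tunnel's own default route. The
! lookup failed and the tunnel line protocol stayed down.
!
!   interface FastEthernet1/0
!    ip vrf forwarding detour
!    ip address 10.0.0.2 255.255.255.0
!
! After: the endpoint (underlay) stays in the global table, where OSPF
! learns 15.15.15.15; only the tunnel's inner addressing is in the VRF.
interface FastEthernet1/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel0
 ip vrf forwarding detour
 ip address 123.123.123.123 255.255.255.0
 tunnel source 10.0.0.2
 tunnel destination 15.15.15.15
!
! Without "tunnel vrf", source and destination are always resolved in the
! global table. If the underlay itself must live in a VRF, name that table
! on the tunnel instead (assumes 15.15.15.15 is then reachable inside it):
!
!   interface Tunnel0
!    ip vrf forwarding detour
!    tunnel vrf detour
!
! Checks: destination routed in global, tunnel up, VRF default via Tunnel0
! show ip route 15.15.15.15
! show interfaces Tunnel0 | include line protocol
! show ip route vrf detour 0.0.0.0
```

    The same change is needed on R15: its Loopback0 is the tunnel destination R11 points at, so it must also be in the global table (where R15's OSPF "network 0.0.0.0 255.255.255.255 area 0" will pick it up). Keeping the underlay in global and only the payload in the VRF is also what keeps the VRF's default route from being consulted for the encapsulated packets themselves.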

  • IPsec S2S ASA to ASR with VRF using Loopback address

    So, I have a solution and then a question about this solution:

    First the solution and the config, for anyone in the future who might need it:

    To configure the ASR's VPN to the ASA:

    crypto keyring KEY-SITE-B-DC
      local-address [asr-ip-address]
      pre-shared-key address [asa-ip-address] key test123
    !
    crypto isakmp profile ISAKMP-SITE-B-DC
       vrf VPN
       keyring KEY-SITE-B-DC
       match identity address [asa-ip-address] 255.255.255.255
    !
    crypto isakmp policy 9
     encr aes
     authentication pre-share
     group 2
     lifetime 28800
    !
    crypto map S2S-VPN local-address Loopback11
    crypto map S2S-VPN 10 ipsec-isakmp
     description # VPN S2S SITE-B-DC ASA #
     set peer [asa-ip-address]
     set transform-set TRANS_SET-SITE-B-DC
     set pfs group2
     set isakmp-profile ISAKMP-SITE-B-DC
     match address IPSEC-VPN-ACL_SITE-B-DC
    !
    crypto ipsec transform-set TRANS_SET-SITE-B-DC esp-aes esp-sha-hmac
     mode tunnel
    !
    interface [ingress/egress interface]
     description # BECAUSE WE RUN A DYNAMIC PROTOCOL (BGP in my case), ANY INTERFACE COULD BE THE INPUT/OUTPUT IF, SO THESE IFs MUST ALSO HAVE THE CRYPTO MAP #
     crypto map S2S-VPN
    !
    interface Loopback11
     description # IPSEC TEST #
     ip address [asr-ip-address] 255.255.255.255
    !
    !
    ip access-list extended IPSEC-VPN-ACL_SITE-B-DC
     permit ip host [ASR-LAN-addresses] [ASA-LAN-addresses]
    !
    ip route vrf VPN [ASA-LAN-addresses] 255.255.255.x 8.8.8.8 global name GENERIC-IPSEC-CRYPTO-ROUTE (ANYCAST)
    * the route here is for the traffic to be encrypted; the next hop MUST be a non-recursive route *
    !

    So now for my question:

    Does it REALLY have to be a route with a match in the routing table other than a default route?

    (Because it does not work with a route that resolves via the default route, even when the recursive path points to the same interface the specific route does.)

    Is there any other way to do this? Because pointing the route at 8.8.8.8 means my tunnels' availability depends on the availability of a route to 8.0.0.0 in the RIB.

    Any help would be appreciated here guys!

    Why not let the router hide the administrative complexity using RRI?

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/15-Mt/sec-Rev-RTE-inject.html#GUID-DEBFE993-16DF-4599-946A-1B7A42521C92

    The example is not perfect because of the point-to-point connection between two routers, but you can understand what IP address to use as the gateway.

    I also suggest dropping crypto map entries; with the new software, logical interfaces with tunnel protection are the way to go. The problem does not appear there.
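    What "logical interfaces with tunnel protection" looks like for this VRF-aware case, as an added example and not a configuration from the thread. It reuses the thread's names where they exist (VRF VPN, Loopback11, the keyring, ISAKMP profile and transform-set names, the bracketed placeholders); the tunnel number and its /30, the IPsec profile name VTI-PROF and the PSK placeholder are assumptions:

```cisco
! Added example, not from the thread: static VTI replacing the crypto map
! plus the static route to an anycast next hop.
crypto keyring KEY-SITE-B-DC
  pre-shared-key address [asa-ip-address] key [strong-psk]
!
crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
! No "vrf VPN" here: with a VTI the tunnel interface's own VRF decides
! where decrypted traffic lands (IVRF), so the profile need not name it.
crypto isakmp profile ISAKMP-SITE-B-DC
   keyring KEY-SITE-B-DC
   match identity address [asa-ip-address] 255.255.255.255
   local-address Loopback11
!
crypto ipsec transform-set TRANS_SET-SITE-B-DC esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set TRANS_SET-SITE-B-DC
 set pfs group2
 set isakmp-profile ISAKMP-SITE-B-DC
!
interface Loopback11
 description IPsec endpoint; stays in the global table (underlay)
 ip address [asr-ip-address] 255.255.255.255
!
interface Tunnel100
 description VTI to SITE-B-DC; payload in VRF VPN, encapsulation in global
 ip vrf forwarding VPN
 ip address 10.255.100.1 255.255.255.252
 tunnel source Loopback11
 tunnel destination [asa-ip-address]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Routing replaces the crypto ACL and the 8.8.8.8 static: traffic is
! protected because it leaves through the tunnel interface, not because
! it matched an ACL, and nothing depends on a route to 8.0.0.0/8.
! A static in the VRF is shown; an IGP or BGP session across the VTI
! works the same way.
ip route vrf VPN [ASA-LAN-addresses] 255.255.255.x Tunnel100
!
! Checks
! show crypto session detail
! show interfaces Tunnel100 | include line protocol
! show ip route vrf VPN [ASA-LAN-addresses]
```

    Two things to check before committing to this on a live ASA peer: the crypto map entries on every BGP-facing interface go away, since the VTI is the only place encryption is applied; and an IOS static VTI negotiates 0.0.0.0/0 to 0.0.0.0/0 as its traffic selectors, so a crypto-map peer that cannot do route-based VPN must carry a matching any-to-any crypto ACL for this tunnel or the child SA will not be negotiated.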

  • Static VPN route redistributed into EIGRP (FD is Infinity)

    Hi all

    I redistribute the site-to-site VPN static route into EIGRP, but what I noticed on the 6509 when I do sh ip eigrp 200 topol is that the static route to the ASA shows "FD is Infinity".

    6509 output:

    EIGRP-IPv4 Topology Table for AS(200)/ID(10.33.95.34)
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
           r - reply Status, s - sia Status

    P 199.x.x.240/28, 1 successors, FD is 53760, tag is 36539
            via Redistributed (53760/0)
    P 10.64.129.0/24, 1 successors, FD is 28416
            via 10.210.98.200 (28416/28160), Vlan98
    P 10.1.2.0/24, 0 successors, FD is Infinity
            via 10.210.98.200 (28416/28160), Vlan98
    P 10.210.98.0/24, 1 successors, FD is 2816
            via Connected, Vlan98

    ASA5510 output:

    EIGRP-IPv4 Topology Table for AS(200)/ID(10.64.129.253)
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
           r - reply Status, s - sia Status

    P 10.1.2.0 255.255.255.0, 1 successors, FD is 28160
            via Rstatic (28160/0)
    P 10.64.129.0 255.255.255.0, 1 successors, FD is 28160
            via Connected, Ethernet0/0
    P 199.x.x.240 255.255.255.240, 1 successors, FD is 79360, tag is 36539
            via 10.210.98.254 (79360/53760), Ethernet0/1
    P 10.210.98.0 255.255.255.0, 1 successors, FD is 28160
            via Connected, Ethernet0/1

    The ASA config:

    access-list 200SW_EIGRP standard permit 10.1.2.0 255.255.255.0
    route-map static_in_eigrp permit 10
     match ip address 200SW_EIGRP
    router eigrp 200
     redistribute static route-map static_in_eigrp
    route outside 10.1.2.0 255.255.255.0 x.x.x.

    Thank you

    Thomas,

    When the FD is Infinity in the EIGRP topology table, the router does not use that EIGRP route in its routing table.

    Probably the route is overridden by another routing protocol that has a lower administrative distance.

    Could you please share the routing table?

    Thank you.

  • How to configure remote access VPN to use a specific interface and route

    I am adding a second external connection to an existing system on an ASA 5510, ASA v8.2 with ASDM 6.4.

    I added the new WAN using another interface (newwan).

    The intention is to bring most internet traffic via the new route/interface (newwan), but keep our existing VPNs using the old interface (outside).

    I used the ASDM GUI to make the changes and most of it works.

    i.e. the default route goes via (newwan).

    Outgoing site-to-site VPNs use the previous route (outside), as they now have static routes to achieve this.

    The only problem is that incoming remote access VPN (AnyConnect) does not work.

    I set the default static route to use the new interface (newwan) and the tunneled default route to be (outside), but that's the point: it will not...

    I cannot even ping the outside IP address from an external location.

    It seems that the outside interface doesn't send traffic back out the outside interface (or at least that's where I think the problem lies). How can I force responses to incoming remote VPN traffic from unknown IPs to go back out the outside interface?

    The only change I have to make to get it working again on the outside interface is to make the default static route use the outside interface, sending all internet traffic to the original (outside) connection.

    Pointers appreciated.

    William

    William,

    As it is right now, you will not be able to terminate remote access on an interface other than the one your default route uses, unless you know their IP addresses.

    In one of the designs I saw, we did something like that.

    (ISP cloud) - edge router - ASA.

    On the edge router, you can do PAT on the router's inside interface for incoming traffic on UDP/500 and UDP/4500 (you may need to add exceptions for your L2L statics). It's dirty, I would not say it is recommended, but apparently it worked.

    On routers, this kind of situation is easily solved using VRF-lite with crypto.

    M.
