Solved

Can't reach secondary IP that's been assigned to a VRF

Posted on 2013-01-14
11
1,015 Views
Last Modified: 2013-01-15
Experts,

It would appear that I'm not able to reach a secondary IP on an interface that was placed inside a VRF.

In this scenario, the two routers are directly connected with a crossover, and I'm attempting to reach RouterB from RouterA:

//RouterA===============================

interface FastEthernet0/1
 ip address 172.16.0.1 255.255.0.0 secondary
 ip address 192.168.0.1 255.255.255.0



//RouterB===============================

ip vrf TEST
 rd 1:1

interface FastEthernet0/1
 ip address 172.16.0.2 255.255.0.0 secondary vrf TEST
 ip address 192.168.0.2 255.255.255.0

Open in new window


I'm able to reach the physical interface's primary IP without any issues.  I can't ping the secondary IP on RouterB though as long as it's in the VRF.

If I remove the command "ip address 172.16.0.2 255.255.0.0 secondary vrf TEST" and replace it with just "ip address 172.16.0.2 255.255.0.0 secondary" of course, everything works as expected.

Would somebody be able to explain why this doesn't work?
0
Comment
Question by:usslindstrom
  • 6
  • 4
11 Comments
 
LVL 6

Expert Comment

by:airwrck
ID: 38776633
ping vrf TEST 172.16.0.2  gives you what result?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776643
Hmmm.  Maybe the interface really isn't assigning the address as expected:

From RouterB (The router with the VRF configured):

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Open in new window

0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776646
FYI:  That ping test was done as:  "ping vrf TEST 172.16.0.2"
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 6

Expert Comment

by:airwrck
ID: 38776670
vrf TEST wasn't defined on RouterA,  unless you've defined the vrf somewhere else that you aren't showing on the configuration.  RouterA has no knowledge of the vrf TEST on RouterB
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776676
Understood...

- But RouterA shouldn't need to know about the VRF, correct?

I mean, if I were to take the secondary address off of RouterA, and assign it to any other device that's in the same Vlan, shouldn't they be able to communicate with the secondary address on RouterB, where it would then be put into the VRF at that point?

Devices that RouterB are connected to, shouldn't need to be VRF aware, right?
0
 
LVL 6

Expert Comment

by:airwrck
ID: 38776680
IP is open, including secondaries.  Virtual Private Network Routing and Forwarding (VRF) is private, not open.  It has its own routing instances, creates its own connections from point to point, and does NOT allow any unknown traffic onto it's interfaces.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776800
Understood.

So, in your opinion, would there be a scenario that would work here?

Obviously GRE tunnels between the two routers, and throwing the tunnel interfaces into the VRF would work, but what would be some other options?
0
 
LVL 6

Accepted Solution

by:
airwrck earned 250 total points
ID: 38777047
you could configure a vrf interface on the other router.  then you'd have connections between two interfaces.
0
 
LVL 9

Assisted Solution

by:Sandeep Gupta
Sandeep Gupta earned 250 total points
ID: 38777149
When you define a vrf ..it creates a seperate routing table other than main routing table..
since you configured routerB secondary IP in vrf and router A don't know about it because routerB's secondary IP is in vrf table and only local to router B.

If you want to reach secondary ip of router A then you need to cnfigure it under same vrf so that both the router could exchange their vrf table then only you can reach routerA.

I hope this helps bit in understanding vrf mechanism.
0
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 38777232
Understood.  Thank you both for your explinations.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38781098
All.  I figured out another solution to make the above option work.

Policy-based VRF routing:
     1.  I removed the secondary interface IPs from both routers.
     2.  Then I made the following ACL/Route-Map combo and applied it to the interface on RouterB.

ip access-list extended ACL_Test
 permit ip any 172.16.0.0 255.255.0.0

route-map RM_InboundTest permit 10
 match ip address ACL_Test
 set vrf Test
route-map RM_InboundTest permit 20

interface FastEthernet0/1
 ip policy route-map RM_InboundTest

Open in new window


Behind the testing is actually a work requirement, to create an isolated network for wireless guest network access.  This was the final piece I needed to work out, as my work requirements force me to dump the traffic on our VPN routers (So the traffic can go through the same content-filter/packet analysis as our standard networks.

So, wireless clients won't be able to hit ANY of our internal network (of course I'll have to adjust the ACL to deny internal --> internal) - but they'll still get internet access.

Tis' a beauty!  :)
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question