Solved

Can't reach secondary IP that's been assigned to a VRF

Posted on 2013-01-14
Last Modified: 2013-01-15
Experts,

It would appear that I'm not able to reach a secondary IP on an interface that was placed inside a VRF.

In this scenario, the two routers are directly connected with a crossover, and I'm attempting to reach RouterB from RouterA:

//RouterA===============================

interface FastEthernet0/1
 ip address 172.16.0.1 255.255.0.0 secondary
 ip address 192.168.0.1 255.255.255.0



//RouterB===============================

ip vrf TEST
 rd 1:1

interface FastEthernet0/1
 ip address 172.16.0.2 255.255.0.0 secondary vrf TEST
 ip address 192.168.0.2 255.255.255.0



I'm able to reach the physical interface's primary IP without any issues.  I can't ping the secondary IP on RouterB though as long as it's in the VRF.

If I remove the command "ip address 172.16.0.2 255.255.0.0 secondary vrf TEST" and replace it with just "ip address 172.16.0.2 255.255.0.0 secondary" of course, everything works as expected.

Would somebody be able to explain why this doesn't work?
0
Question by:usslindstrom
11 Comments
 
LVL 6

Expert Comment

by:airwrck
ping vrf TEST 172.16.0.2  gives you what result?
0
 
LVL 5

Author Comment

by:usslindstrom
Hmmm.  Maybe the interface really isn't assigning the address as expected:

From RouterB (The router with the VRF configured):

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


0
 
LVL 5

Author Comment

by:usslindstrom
FYI:  That ping test was done as:  "ping vrf TEST 172.16.0.2"
0
 
LVL 6

Expert Comment

by:airwrck
vrf TEST wasn't defined on RouterA, unless you've defined the vrf somewhere else that you aren't showing on the configuration. RouterA has no knowledge of the vrf TEST on RouterB.
0
 
LVL 5

Author Comment

by:usslindstrom
Understood...

- But RouterA shouldn't need to know about the VRF, correct?

I mean, if I were to take the secondary address off of RouterA, and assign it to any other device that's in the same Vlan, shouldn't they be able to communicate with the secondary address on RouterB, where it would then be put into the VRF at that point?

Devices that RouterB is connected to shouldn't need to be VRF aware, right?
0
 
LVL 6

Expert Comment

by:airwrck
IP is open, including secondaries.  Virtual Private Network Routing and Forwarding (VRF) is private, not open.  It has its own routing instances, creates its own connections from point to point, and does NOT allow any unknown traffic onto its interfaces.
0
 
LVL 5

Author Comment

by:usslindstrom
Understood.

So, in your opinion, would there be a scenario that would work here?

Obviously GRE tunnels between the two routers, and throwing the tunnel interfaces into the VRF would work, but what would be some other options?
0
 
LVL 6

Accepted Solution

by:
airwrck earned 250 total points
You could configure a vrf interface on the other router. Then you'd have connections between two interfaces.
0
 
LVL 9

Assisted Solution

by:Sandeep Gupta
Sandeep Gupta earned 250 total points
When you define a vrf, it creates a separate routing table other than the main routing table.
Since you configured routerB's secondary IP in the vrf, router A doesn't know about it, because routerB's secondary IP is in the vrf table and is only local to router B.

If you want to reach the secondary ip of router A then you need to configure it under the same vrf so that both routers can exchange their vrf tables; only then can you reach routerA.

I hope this helps a bit in understanding the vrf mechanism.
0
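One way to apply the two answers above, as an added example that is not part of the original thread: carry the 172.16.0.0/16 segment on its own 802.1Q subinterface and put that subinterface in the VRF on both routers, so each side looks the address up in the same VRF table. The subinterface numbers, VLAN IDs 10 and 20, and the reuse of `rd 1:1` on RouterA are assumptions; the addresses and the VRF name come from the question.

```cisco
! ---------- RouterA (constructed example) ----------
ip vrf TEST
 rd 1:1
!
interface FastEthernet0/1
 no ip address
!
! Global routing table segment
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.0.1 255.255.255.0
!
! VRF segment: apply "ip vrf forwarding" BEFORE the address,
! because the command removes any address already configured
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding TEST
 ip address 172.16.0.1 255.255.0.0
!
! ---------- RouterB (constructed example) ----------
ip vrf TEST
 rd 1:1
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.0.2 255.255.255.0
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding TEST
 ip address 172.16.0.2 255.255.0.0
!
! ---------- Checks to run on RouterA ----------
! ping 192.168.0.2                 (global table)
! ping vrf TEST 172.16.0.2         (VRF table)
! show ip route vrf TEST           (172.16.0.0/16 appears here only)
! show ip route                    (172.16.0.0/16 must NOT appear here)
```

The last two checks are the ones that confirm isolation: the VRF prefix should be absent from the global table on both routers.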
 
LVL 5

Author Closing Comment

by:usslindstrom
Understood.  Thank you both for your explanations.
0
 
LVL 5

Author Comment

by:usslindstrom
All.  I figured out another solution to make the above option work.

Policy-based VRF routing:
     1.  I removed the secondary interface IPs from both routers.
     2.  Then I made the following ACL/Route-Map combo and applied it to the interface on RouterB.

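ip access-list extended ACL_Test
 ! Extended ACLs take a wildcard (inverse) mask: 0.0.255.255 matches 172.16.0.0/16
 permit ip any 172.16.0.0 0.0.255.255

route-map RM_InboundTest permit 10
 match ip address ACL_Test
 ! VRF names are case-sensitive; this must match the name defined with "ip vrf"
 set vrf Test
! Empty permit clause: all other traffic is routed normally
route-map RM_InboundTest permit 20

interface FastEthernet0/1
 ip policy route-map RM_InboundTest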



Behind the testing is actually a work requirement, to create an isolated network for wireless guest network access.  This was the final piece I needed to work out, as my work requirements force me to dump the traffic on our VPN routers (so the traffic can go through the same content-filter/packet analysis as our standard networks).

So, wireless clients won't be able to hit ANY of our internal network (of course I'll have to adjust the ACL to deny internal --> internal) - but they'll still get internet access.

'Tis a beauty!  :)
0
