Solved

Can't reach secondary IP that's been assigned to a VRF

Posted on 2013-01-14
1,059 Views
Last Modified: 2013-01-15
Experts,

It would appear that I'm not able to reach a secondary IP on an interface that was placed inside a VRF.

In this scenario, the two routers are directly connected with a crossover, and I'm attempting to reach RouterB from RouterA:

//RouterA===============================

interface FastEthernet0/1
 ip address 172.16.0.1 255.255.0.0 secondary
 ip address 192.168.0.1 255.255.255.0



//RouterB===============================

ip vrf TEST
 rd 1:1

interface FastEthernet0/1
 ip address 172.16.0.2 255.255.0.0 secondary vrf TEST
 ip address 192.168.0.2 255.255.255.0

I'm able to reach the physical interface's primary IP without any issues.  I can't ping the secondary IP on RouterB though as long as it's in the VRF.

If I remove the command "ip address 172.16.0.2 255.255.0.0 secondary vrf TEST" and replace it with just "ip address 172.16.0.2 255.255.0.0 secondary" of course, everything works as expected.

Would somebody be able to explain why this doesn't work?
Question by:usslindstrom
11 Comments
 
LVL 6

Expert Comment

by:airwrck
ID: 38776633
ping vrf TEST 172.16.0.2  gives you what result?
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776643
Hmmm.  Maybe the interface really isn't assigning the address as expected:

From RouterB (The router with the VRF configured):

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 
LVL 5

Author Comment

by:usslindstrom
ID: 38776646
FYI:  That ping test was done as:  "ping vrf TEST 172.16.0.2"
 
LVL 6

Expert Comment

by:airwrck
ID: 38776670
vrf TEST wasn't defined on RouterA,  unless you've defined the vrf somewhere else that you aren't showing on the configuration.  RouterA has no knowledge of the vrf TEST on RouterB
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776676
Understood...

- But RouterA shouldn't need to know about the VRF, correct?

I mean, if I were to take the secondary address off of RouterA, and assign it to any other device that's in the same Vlan, shouldn't they be able to communicate with the secondary address on RouterB, where it would then be put into the VRF at that point?

Devices that RouterB is connected to shouldn't need to be VRF-aware, right?
 
LVL 6

Expert Comment

by:airwrck
ID: 38776680
IP is open, including secondaries.  Virtual Private Network Routing and Forwarding (VRF) is private, not open.  It has its own routing instances, creates its own connections from point to point, and does NOT allow any unknown traffic onto its interfaces.
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776800
Understood.

So, in your opinion, would there be a scenario that would work here?

Obviously GRE tunnels between the two routers, and throwing the tunnel interfaces into the VRF would work, but what would be some other options?
 
LVL 6

Accepted Solution

by:airwrck (earned 1000 total points)
ID: 38777047
You could configure a VRF interface on the other router.  Then you'd have connections between two interfaces.
 
LVL 9

Assisted Solution

by:Sandeep Gupta (earned 1000 total points)
ID: 38777149
When you define a VRF, it creates a separate routing table other than the main routing table.
Since you configured RouterB's secondary IP in the VRF, RouterA doesn't know about it, because RouterB's secondary IP is in the VRF table and only local to RouterB.

If you want to reach the secondary IP of router A then you need to configure it under the same VRF so that both routers could exchange their VRF tables; only then can you reach RouterA.

I hope this helps a bit in understanding the VRF mechanism.
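To make the two answers above concrete, here is an added example configuration (not from the original thread) that puts an interface into the same VRF on both routers, so each side does its lookup for 172.16.0.0/16 in the TEST table. It assumes a dot1q subinterface on the crossover link (VLAN 100 is a constructed value) and uses the standard interface-level "ip vrf forwarding" command; the existing primary addresses stay untagged in the global table.

```cisco
! ---- RouterA (added example) ----
ip vrf TEST
 rd 1:1
!
interface FastEthernet0/1
 ! primary address is unchanged and stays in the global routing table
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1.100
 description isolated subnet; VRF name must match RouterB exactly (case-sensitive)
 encapsulation dot1Q 100
 ! "ip vrf forwarding" must precede the address: it clears any address on the interface
 ip vrf forwarding TEST
 ip address 172.16.0.1 255.255.0.0
!
! ---- RouterB (added example) ----
ip vrf TEST
 rd 1:1
!
interface FastEthernet0/1
 ip address 192.168.0.2 255.255.255.0
!
interface FastEthernet0/1.100
 encapsulation dot1Q 100
 ip vrf forwarding TEST
 ip address 172.16.0.2 255.255.0.0
!
! ---- Verification from RouterA ----
! A plain "ping 172.16.0.2" consults the global table and fails by design;
! the VRF has its own table, so the lookup has to be told which table to use.
! RouterA# show ip route vrf TEST
! RouterA# ping vrf TEST 172.16.0.2
!
! Isolation check: TEST holds only its own connected routes, so hosts in it
! have no path to 192.168.0.0/24 or anything else in the global table
! unless a route is deliberately leaked between the two tables.
```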
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 38777232
Understood.  Thank you both for your explanations.
 
LVL 5

Author Comment

by:usslindstrom
ID: 38781098
All.  I figured out another solution to make the above option work.

Policy-based VRF routing:
     1.  I removed the secondary interface IPs from both routers.
     2.  Then I made the following ACL/Route-Map combo and applied it to the interface on RouterB.

ip access-list extended ACL_Test
 ! extended ACLs take a wildcard mask, not a subnet mask: 0.0.255.255 matches 172.16.0.0/16
 permit ip any 172.16.0.0 0.0.255.255

route-map RM_InboundTest permit 10
 match ip address ACL_Test
 ! VRF names are case-sensitive; this must match the "ip vrf TEST" defined on RouterB
 set vrf TEST
! the empty permit 20 clause lets all other traffic be routed normally in the global table
route-map RM_InboundTest permit 20

interface FastEthernet0/1
 ip policy route-map RM_InboundTest


Behind the testing is actually a work requirement, to create an isolated network for wireless guest network access.  This was the final piece I needed to work out, as my work requirements force me to dump the traffic on our VPN routers (so the traffic can go through the same content-filter/packet analysis as our standard networks).

So, wireless clients won't be able to hit ANY of our internal network (of course I'll have to adjust the ACL to deny internal --> internal) - but they'll still get internet access.

'Tis a beauty!  :)