Solved

Can't reach secondary IP that's been assigned to a VRF

Posted on 2013-01-14
Last Modified: 2013-01-15
Experts,

It would appear that I'm not able to reach a secondary IP on an interface that was placed inside a VRF.

In this scenario, the two routers are directly connected with a crossover, and I'm attempting to reach RouterB from RouterA:

//RouterA===============================

interface FastEthernet0/1
 ip address 172.16.0.1 255.255.0.0 secondary
 ip address 192.168.0.1 255.255.255.0



//RouterB===============================

ip vrf TEST
 rd 1:1

interface FastEthernet0/1
 ip address 172.16.0.2 255.255.0.0 secondary vrf TEST
 ip address 192.168.0.2 255.255.255.0



I'm able to reach the physical interface's primary IP without any issues.  I can't ping the secondary IP on RouterB though as long as it's in the VRF.

If I remove the command "ip address 172.16.0.2 255.255.0.0 secondary vrf TEST" and replace it with just "ip address 172.16.0.2 255.255.0.0 secondary" of course, everything works as expected.

Would somebody be able to explain why this doesn't work?
Question by:usslindstrom
11 Comments
 
LVL 6

Expert Comment

by:airwrck
ID: 38776633
ping vrf TEST 172.16.0.2  gives you what result?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776643
Hmmm.  Maybe the interface really isn't assigning the address as expected:

From RouterB (The router with the VRF configured):

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776646
FYI:  That ping test was done as:  "ping vrf TEST 172.16.0.2"
0
 
LVL 6

Expert Comment

by:airwrck
ID: 38776670
vrf TEST wasn't defined on RouterA, unless you've defined the vrf somewhere else that you aren't showing on the configuration. RouterA has no knowledge of the vrf TEST on RouterB.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776676
Understood...

- But RouterA shouldn't need to know about the VRF, correct?

I mean, if I were to take the secondary address off of RouterA, and assign it to any other device that's in the same Vlan, shouldn't they be able to communicate with the secondary address on RouterB, where it would then be put into the VRF at that point?

Devices that RouterB is connected to shouldn't need to be VRF aware, right?
0
 
LVL 6

Expert Comment

by:airwrck
ID: 38776680
IP is open, including secondaries. Virtual Private Network Routing and Forwarding (VRF) is private, not open. It has its own routing instances, creates its own connections from point to point, and does NOT allow any unknown traffic onto its interfaces.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776800
Understood.

So, in your opinion, would there be a scenario that would work here?

Obviously GRE tunnels between the two routers, and throwing the tunnel interfaces into the VRF would work, but what would be some other options?
0
 
LVL 6

Accepted Solution

by:
airwrck earned 250 total points
ID: 38777047
You could configure a vrf interface on the other router. Then you'd have connections between two interfaces.
0
 
LVL 9

Assisted Solution

by:Sandeep Gupta
Sandeep Gupta earned 250 total points
ID: 38777149
When you define a vrf, it creates a separate routing table other than the main routing table.
Since you configured routerB's secondary IP in the vrf, router A doesn't know about it, because routerB's secondary IP is in the vrf table and only local to router B.

If you want to reach the secondary ip of router A then you need to configure it under the same vrf so that both routers can exchange their vrf tables; only then can you reach routerA.

I hope this helps a bit in understanding the vrf mechanism.
0
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 38777232
Understood.  Thank you both for your explanations.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38781098
All.  I figured out another solution to make the above option work.

Policy-based VRF routing:
     1.  I removed the secondary interface IPs from both routers.
     2.  Then I made the following ACL/Route-Map combo and applied it to the interface on RouterB.

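ip access-list extended ACL_Test
 ! Extended ACLs take a wildcard (inverse) mask, so 172.16.0.0/16 is 0.0.255.255
 permit ip any 172.16.0.0 0.0.255.255

route-map RM_InboundTest permit 10
 match ip address ACL_Test
 ! VRF names are case-sensitive; this must match "ip vrf TEST"
 set vrf TEST
! Sequence 20 has no match or set clause: all other traffic is routed normally
route-map RM_InboundTest permit 20

interface FastEthernet0/1
 ip policy route-map RM_InboundTest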



Behind the testing is actually a work requirement, to create an isolated network for wireless guest network access.  This was the final piece I needed to work out, as my work requirements force me to dump the traffic on our VPN routers (so the traffic can go through the same content-filter/packet analysis as our standard networks).

So, wireless clients won't be able to hit ANY of our internal network (of course I'll have to adjust the ACL to deny internal --> internal) - but they'll still get internet access.

Tis' a beauty!  :)
0
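An added example, not part of the original thread: a small Python model of how IOS evaluates an extended-ACL wildcard mask and a route-map with `set vrf`, useful for checking which routing table a guest packet lands in before applying the policy. The function names and sample destinations are constructed for illustration; it also shows what happens when a subnet mask (255.255.0.0) is typed where the ACL expects a wildcard (0.0.255.255).

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS ACL semantics: wildcard bits set to 1 are ignored, bits set to 0 must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# Constructed ACLs modelled on the thread's ACL_Test: (action, dst base, dst wildcard).
# The source is "any" in every entry, so only the destination is modelled.
ACL_WILDCARD = [("permit", "172.16.0.0", "0.0.255.255")]
ACL_NETMASK = [("permit", "172.16.0.0", "255.255.0.0")]  # subnet mask typed as wildcard

def acl_permits(acl, dst: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(dst, base, wildcard):
            return action == "permit"
    return False

def select_table(route_map, dst: str) -> str:
    """Walk route-map sequences in order and return the routing table used for dst.

    Each sequence is (acl or None, vrf or None). A sequence without a match
    clause matches everything; one without a set clause routes normally.
    """
    for acl, vrf in route_map:
        if acl is None or acl_permits(acl, dst):
            return vrf if vrf else "global"
    return "global"  # no sequence matched: normal destination-based routing

# permit 10 (match ACL, set vrf TEST) followed by an empty permit 20
RM_WILDCARD = [(ACL_WILDCARD, "TEST"), (None, None)]
RM_NETMASK = [(ACL_NETMASK, "TEST"), (None, None)]

def classify(route_map, destinations):
    return {d: select_table(route_map, d) for d in destinations}

SAMPLE_DSTS = ["172.16.0.2", "172.16.45.9", "192.168.0.2", "10.9.0.0"]  # constructed

if __name__ == "__main__":
    for name, rm in (("0.0.255.255", RM_WILDCARD), ("255.255.0.0", RM_NETMASK)):
        print(f"wildcard {name}: {classify(rm, SAMPLE_DSTS)}")
```

With the subnet mask in the wildcard position, the 172.16.x.x destinations stay in the global table and an unrelated address ending in .0.0 is the one placed in the VRF, so the isolation the policy is meant to provide does not hold.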
