Solved

Can't reach secondary IP that's been assigned to a VRF

Posted on 2013-01-14
11
1,045 Views
Last Modified: 2013-01-15
Experts,

It would appear that I'm not able to reach a secondary IP on an interface that was placed inside a VRF.

In this scenario, the two routers are directly connected with a crossover, and I'm attempting to reach RouterB from RouterA:

//RouterA===============================

interface FastEthernet0/1
 ip address 172.16.0.1 255.255.0.0 secondary
 ip address 192.168.0.1 255.255.255.0



//RouterB===============================

ip vrf TEST
 rd 1:1

interface FastEthernet0/1
 ip address 172.16.0.2 255.255.0.0 secondary vrf TEST
 ip address 192.168.0.2 255.255.255.0

Open in new window


I'm able to reach the physical interface's primary IP without any issues.  I can't ping the secondary IP on RouterB though as long as it's in the VRF.

If I remove the command "ip address 172.16.0.2 255.255.0.0 secondary vrf TEST" and replace it with just "ip address 172.16.0.2 255.255.0.0 secondary" of course, everything works as expected.

Would somebody be able to explain why this doesn't work?
0
Comment
Question by:usslindstrom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
11 Comments
 
LVL 6

Expert Comment

by:airwrck
ID: 38776633
ping vrf TEST 172.16.0.2  gives you what result?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776643
Hmmm.  Maybe the interface really isn't assigning the address as expected:

From RouterB (The router with the VRF configured):

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Open in new window

0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776646
FYI:  That ping test was done as:  "ping vrf TEST 172.16.0.2"
0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 6

Expert Comment

by:airwrck
ID: 38776670
vrf TEST wasn't defined on RouterA,  unless you've defined the vrf somewhere else that you aren't showing on the configuration.  RouterA has no knowledge of the vrf TEST on RouterB
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776676
Understood...

- But RouterA shouldn't need to know about the VRF, correct?

I mean, if I were to take the secondary address off of RouterA, and assign it to any other device that's in the same Vlan, shouldn't they be able to communicate with the secondary address on RouterB, where it would then be put into the VRF at that point?

Devices that RouterB are connected to, shouldn't need to be VRF aware, right?
0
 
LVL 6

Expert Comment

by:airwrck
ID: 38776680
IP is open, including secondaries.  Virtual Private Network Routing and Forwarding (VRF) is private, not open.  It has its own routing instances, creates its own connections from point to point, and does NOT allow any unknown traffic onto it's interfaces.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38776800
Understood.

So, in your opinion, would there be a scenario that would work here?

Obviously GRE tunnels between the two routers, and throwing the tunnel interfaces into the VRF would work, but what would be some other options?
0
 
LVL 6

Accepted Solution

by:
airwrck earned 250 total points
ID: 38777047
you could configure a vrf interface on the other router.  then you'd have connections between two interfaces.
0
 
LVL 9

Assisted Solution

by:Sandeep Gupta
Sandeep Gupta earned 250 total points
ID: 38777149
When you define a vrf ..it creates a seperate routing table other than main routing table..
since you configured routerB secondary IP in vrf and router A don't know about it because routerB's secondary IP is in vrf table and only local to router B.

If you want to reach secondary ip of router A then you need to cnfigure it under same vrf so that both the router could exchange their vrf table then only you can reach routerA.

I hope this helps bit in understanding vrf mechanism.
0
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 38777232
Understood.  Thank you both for your explinations.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38781098
All.  I figured out another solution to make the above option work.

Policy-based VRF routing:
     1.  I removed the secondary interface IPs from both routers.
     2.  Then I made the following ACL/Route-Map combo and applied it to the interface on RouterB.

ip access-list extended ACL_Test
 permit ip any 172.16.0.0 255.255.0.0

route-map RM_InboundTest permit 10
 match ip address ACL_Test
 set vrf Test
route-map RM_InboundTest permit 20

interface FastEthernet0/1
 ip policy route-map RM_InboundTest

Open in new window


Behind the testing is actually a work requirement, to create an isolated network for wireless guest network access.  This was the final piece I needed to work out, as my work requirements force me to dump the traffic on our VPN routers (So the traffic can go through the same content-filter/packet analysis as our standard networks.

So, wireless clients won't be able to hit ANY of our internal network (of course I'll have to adjust the ACL to deny internal --> internal) - but they'll still get internet access.

Tis' a beauty!  :)
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Make the most of your online learning experience.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question