gre tunnel in global routing table, getting vrf tunnels through it

 
 
colin
Guest
Posts: n/a
 
      05-24-2007
Hi Folks,

I have the following problem: I'm trying to get multiple vrf tunnels over a routed
network of my service provider.
My SP just delivers a single routed network, no customer transport vrf on
the SP side, so I'm trying to build up an IP tunnel in the global routing
table in order to tunnel my vrf tunnels through the global tunnel. The
global tunnel config works fine; combined with OSPF I find my neighbours'
Lo0's. Since on the global side I can set my tunnel endpoints on physical
interfaces and they get routed, they find each other and build up the tunnel.
Now, I have the Lo11's on each Router A/B in vrf LAB. I use the Lo11's as
the tunnel endpoint, since I haven't got physicals. Now of course the tunnel
for vrf LAB does not come up, since they can't find each other.
I tried to route the Lo11's of each other over the global physical interface
as follows: the /32 addresses of the Lo11's get routed by my SP as shown
later. Well, I'm not really sure about the design of this.. so any
suggestions are welcome to bring my vrfs over this routed network of my SP.
Thank you
cheers colin

Router A:
ip route vrf LAB 10.179.128.248 255.255.255.255 172.19.0.2

Router B:
ip route vrf LAB 10.179.128.224 255.255.255.255 172.19.128.1

sh ip int bri | inc Tun
Tunnel9312800 10.3.128.242 YES NVRAM up up
Tunnel9312811 10.179.128.242 YES manual up down

Routing table of my SP for vrf LAB addresses:
ip route 10.179.128.224 255.255.255.255 172.19.0.1
ip route 10.179.128.248 255.255.255.255 172.19.128.2

Router A -- SP -- Router B:

Router A (.1) - SP (.2) 172.19.0.0/29
Router B (.2) - SP (.1) 172.19.128.0/29



Router A configuration:
interface Loopback0
ip address 10.3.0.120 255.255.255.255

interface Loopback9312811
description VRF LAB
ip vrf forwarding LAB
ip address 10.179.128.224 255.255.255.255

interface Tunnel9312800
ip address 10.3.128.241 255.255.255.248
tunnel source 172.19.0.1
tunnel destination 172.19.128.2

interface Tunnel9312811
description VRF LAB
ip vrf forwarding LAB
ip address 10.179.128.241 255.255.255.248
tunnel source Loopback9312811
tunnel destination 10.179.128.248

router ospf 1000
router-id 10.3.0.120
log-adjacency-changes
passive-interface default
no passive-interface Tunnel9312800
network 10.0.0.0 0.15.255.255 area 0.0.0.0
default-information originate always metric 10


Router B configuration:

interface Loopback0
ip address 10.3.128.248 255.255.255.255

interface Loopback9312811
description VRF LAB
ip vrf forwarding LAB
ip address 10.179.128.248 255.255.255.255

interface Tunnel9312800
ip address 10.3.128.242 255.255.255.248
tunnel source 172.19.128.2
tunnel destination 172.19.0.1

interface Tunnel9312811
description VRF LAB
ip vrf forwarding LAB
ip address 10.179.128.242 255.255.255.248
tunnel source Loopback9312811
tunnel destination 10.179.128.224

router ospf 1000
router-id 10.3.128.248
log-adjacency-changes
passive-interface default
no passive-interface Tunnel9312800
network 10.0.0.0 0.15.255.255 area 0.0.0.0
default-information originate always metric 10






 
 
 
 
 
briggs@encompasserve.org
Guest
Posts: n/a
 
      05-24-2007
In article <46555b98$0$3809$(E-Mail Removed)>, "colin" <(E-Mail Removed)> writes:
> Hi Folks,
>
> I have the following problem: I'm trying to get multiple vrf tunnels over a routed
> network of my service provider.
> My SP just delivers a single routed network, no customer transport vrf on
> the SP side, so I'm trying to build up an IP tunnel in the global routing
> table in order to tunnel my vrf tunnels through the global tunnel. The
> global tunnel config works fine; combined with OSPF I find my neighbours'
> Lo0's. Since on the global side I can set my tunnel endpoints on physical
> interfaces and they get routed, they find each other and build up the tunnel.
> Now, I have the Lo11's on each Router A/B in vrf LAB. I use the Lo11's as
> the tunnel endpoint, since I haven't got physicals. Now of course the tunnel
> for vrf LAB does not come up, since they can't find each other.
> I tried to route the Lo11's of each other over the global physical interface
> as follows: the /32 addresses of the Lo11's get routed by my SP as shown
> later. Well, I'm not really sure about the design of this.. so any
> suggestions are welcome to bring my vrfs over this routed network of my SP.


To make a long story short, your loopbacks need to be taken out of
vrf LAB.

If I understand you correctly you have a single physical link. It is
in the global vrf.

You want to create two tunnels over this link. One in the global
table. One in vrf LAB.

You've built the global tunnel using the physical interface endpoints
as your tunnel endpoints.

You cannot reuse those endpoints for the vrf LAB tunnel because you
can't have two distinct tunnels using the same tunnel source/tunnel dest
pair.

So you've created a loopback interface on each end and added IP
routes in the global table pointing to the loopback interface IPs
and you've attempted to build your vrf LAB tunnel using those
endpoints.

But you put the loopback interfaces into vrf LAB with the
"ip vrf forwarding LAB" syntax. That won't work at all.

The most immediate problem it causes is that your vrf LAB tunnel finds
no interface in the global table matching the "tunnel source" that
you have specified. And even if you got past that, there's no
route in the global routing table on the peer for the "tunnel
dest" IP address that you have specified.


When building an IP tunnel in a vrf environment you need to decide two
things:

1. What vrf is the tunnel in? That is, what vrf does the interface IP
fall into and where will the connected interface route show up?

You control this with "ip vrf forwarding x" under the tunnel interface
configuration.

2. What vrf is the underlying connectivity coming from? That is,
what vrf are the tunnel source and tunnel dest in and what vrf has
the routing table entries for this connectivity?

You control this with "tunnel vrf x" under the tunnel interface
configuration. The vrf of the tunnel source and the vrf of the routing
table entry for the tunnel dest must be consistent with this choice.
 
 
 
 
 
colin
Guest
Posts: n/a
 
      05-30-2007
Hi briggs,

thanks for your help, it finally worked out. I will post an example of the
running-config shortly.


> To make a long story short, your loopbacks need to be taken out of
> vrf LAB.
>
> If I understand you correctly you have a single physical link. It is
> in the global vrf.
>
> You want to create two tunnels over this link. One in the global
> table. One in vrf LAB.
>
> You've built the global tunnel using the physical interface endpoints
> as your tunnel endpoints.
>
> You cannot reuse those endpoints for the vrf LAB tunnel because you
> can't have two distinct tunnels using the same tunnel source/tunnel dest
> pair.
>
> So you've created a loopback interface on each end and added IP
> routes in the global table pointing to the loopback interface IPs
> and you've attempted to build your vrf LAB tunnel using those
> endpoints.
>
> But you put the loopback interfaces into vrf LAB with the
> "ip vrf forwarding LAB" syntax. That won't work at all.
>
> The most immediate problem it causes is that your vrf LAB tunnel finds
> no interface in the global table matching the "tunnel source" that
> you have specified. And even if you got past that, there's no
> route in the global routing table on the peer for the "tunnel
> dest" IP address that you have specified.
>
>
> When building an IP tunnel in a vrf environment you need to decide two
> things:
>
> 1. What vrf is the tunnel in? That is, what vrf does the interface IP
> fall into and where will the connected interface route show up?
>
> You control this with "ip vrf forwarding x" under the tunnel interface
> configuration.
>
> 2. What vrf is the underlying connectivity coming from? That is,
> what vrf are the tunnel source and tunnel dest in and what vrf has
> the routing table entries for this connectivity?
>
> You control this with "tunnel vrf x" under the tunnel interface
> configuration. The vrf of the tunnel source and the vrf of the routing
> table entry for the tunnel dest must be consistent with this choice.



 
 
colin
Guest
Posts: n/a
 
      06-02-2007
Dear NG,

I promised a "short" example of my running config.. well, it may not be so
short.. it's a crappy piece of paper now for my internal use.. but it may
help others..

As promised:

-------------------------------------------------------------------------------------------------------------------------

HOW-TO: Tunneling VRF Tunnels through a Global Tunnel.

The problem is as follows:
I have VRFs on Router A. Between Router A or Site A and Site B / Router B, I
have my local Service Provider, from which I get a routed network, and
nothing more, with one address on each side.
I have no possibility to tunnel dot1q or get transport vrfs on the Service
Provider side.
Now I want to get those VRFs between Site A and B connected over the network
of my Provider.
The trick is to create a Tunnel over the Service Provider net, and then to
tunnel your VRF Tunnels through your created Global Tunnel,
which is a little tricky..
Sooo, let's get started.. well, why don't you just go ahead and start reading
through the configs... and try to return back to the text...
Hmm, it's rather hard to explain this one.... gonna try my best.
Soo,

1. Router A (172.19.0.1) has to be able to contact Router B (172.17.0.1)
over Service Provider //global routing
Get that sorted out with your provider first. Since I can't just set up my
OSPF to propagate routes over the 172.1X.0.0 networks to my Service
Provider, I have to route this statically on each side:

! Route to Global Tunnel-Endpoint
ip route 172.17.0.0 255.255.255.248 172.19.0.2

2. Then build up the Tunnel9100000

you now should see something like this:
sh ip int brief | inc Tunnel
Tunnel9100000 10.1.0.241 YES NVRAM up up

3. Make sure your routing protocol gets to see the other side or propagates
routes over the global tunnel:

example:
router ospf 1000
passive-interface default
no passive-interface Tunnel9100000
network 10.0.0.0 0.0.0.255 area 0.0.0.0

4. Create the Global Loopback addresses for the VRF Tunnel on each side:

example:
interface Loopback91000111
description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
ip address 10.177.0.232 255.255.255.255

5. Before you start pulling the new VRF Tunnels up... make sure your
Provider has routed your VRF Tunnel Endpoints correctly... you save
yourself lots of time...

Provider's Routes for VRF-Tunnel-Endpoints:
ip route 10.177.0.232 255.255.255.255 172.19.0.1
ip route 10.177.0.233 255.255.255.255 172.17.0.2

6. Don't forget to put the VRF-Tunnel-Endpoints in your Global
Routing-Process on each side:

router ospf 1000
network 10.177.0.232 0.0.0.1 area 0.0.0.0

7. and now type:

sh ip int brief | inc Tunnel
Tunnel9100000 10.1.0.241 YES NVRAM up up
Tunnel9100001 10.17.0.241 YES NVRAM up up


You're done.. now continue these steps over your X Tunnels you wanna build
up.
A good design or a drawing helps a lot!!!

Have fun, hope it helped ya, it will help me again.... in around... 5-6
months or so..

cheers colin.cant AT solnet.ch




----------------------------------------------------------------------------

Physical build-up:


Router A - Gi1/0/2 = Gi1/0/24 - Service Provider - Gi1/0/4 = Fa0/1 - Router B

Router A = .1 - 172.19.0.0/29 - .2 = SP = .1 - 172.17.0.0/29 - .2 = Router B


Global Tunnel:

Router A - Tun-End: 172.19.0.1 --------------- 172.17.0.2 Tun-End - Router B

Router A - 10.1.0.241 ------Global Tunnel9100000 -------- 10.1.0.242 - Router B



VRF LAB Tun: (SRCs in Global Routing Table)

Router A - Tun-SRC: 10.177.0.232 ----------- 10.177.0.233 - Tun-SRC - Router B

! Tunnel: ip vrf forwarding LAB
Router A - 10.177.0.241 ----- VRF LAB Tunnel ---------- 10.177.0.242 - Router B


==========================================================

Simulated Service Provider using a 3750:

ip routing

interface GigabitEthernet1/0/4
no switchport
ip address 172.17.0.1 255.255.255.248

interface GigabitEthernet1/0/24
no switchport
ip address 172.19.0.2 255.255.255.248


! Service Provider has to route the VRF-LABs Tunnel-Endpoints:
ip route 10.177.0.232 255.255.255.255 172.19.0.1
ip route 10.177.0.233 255.255.255.255 172.17.0.2

==========================================================

Router A (3750);

IOS used: c3750-advipservicesk9-mz.122-25.SEE3.bin

ip routing
ip cef distributed

ip vrf LAB
description VRF LAB
rd 65000:11

interface GigabitEthernet1/0/2
no switchport
ip address 172.19.0.1 255.255.255.248

! Route to Global Tunnel-Endpoint
ip route 172.17.0.0 255.255.255.248 172.19.0.2


interface Loopback11
description VRF LAB (Effective VRF LO)
ip vrf forwarding LAB
ip address 10.179.0.120 255.255.255.255


interface Loopback91000111
description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
ip address 10.177.0.232 255.255.255.255

!Global Tunnel
interface Tunnel9100000
description GLOBAL
ip address 10.1.0.241 255.255.255.248
tunnel source 172.19.0.1
tunnel destination 172.17.0.2

!VRF LAB Tunnel
interface Tunnel9100011
description VRF LAB
ip vrf forwarding LAB
ip address 10.177.0.241 255.255.255.248
tunnel source Loopback91000111
tunnel destination 10.177.0.233

router ospf 1000
router-id W.X.Y.Z
log-adjacency-changes
passive-interface default
no passive-interface Tunnel9100000
network 10.0.0.0 0.0.0.255 area 0.0.0.0
network 10.177.0.232 0.0.0.1 area 0.0.0.0


==========================================================

Router B (3560):

IOS used: c3560-advipservicesk9-mz.122-35.SE1.bin

ip routing
ip cef distributed

ip vrf LAB
description VRF LAB
rd 65000:11

interface FastEthernet0/1
no switchport
ip address 172.17.0.2 255.255.255.248

! Route to Global Tunnel-Endpoint
ip route 172.19.0.0 255.255.255.248 172.17.0.1

interface Loopback9100011
description VRF LAB (Effective VRF LO)
ip vrf forwarding LAB
ip address 10.177.0.248 255.255.255.255

interface Loopback91000111
description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
ip address 10.177.0.233 255.255.255.255


!Global Tunnel:
interface Tunnel9100000
description GLOBAL
ip address 10.1.0.242 255.255.255.248
tunnel source 172.17.0.2
tunnel destination 172.19.0.1

!VRF LAB Tunnel
interface Tunnel9100011
description VRF LAB
ip vrf forwarding LAB
ip address 10.177.0.242 255.255.255.248
tunnel source Loopback91000111
tunnel destination 10.177.0.232

router ospf 1000
router-id W.X.Y.Z
log-adjacency-changes
passive-interface default
no passive-interface Tunnel9100000
network 10.0.0.0 0.0.0.255 area 0.0.0.0
network 10.177.0.233 0.0.0.1 area 0.0.0.0




 
 
swapnendu
Member
Join Date: Sep 2006
Posts: 57
 
      08-04-2009
I have NOT gone through the full issue, solution and the full explanation, but I have something to share quickly.

Using multiple tunnel interfaces and multi VRF-lite doesn't work automatically coz two tunnel interfaces can't share the same tunnel source/dest combination.

To circumvent this problem, use secondary IP addresses on the ISP link on both sides. Configure one pair of VRF tunnels to use the primary IP addresses of the physical interface. Don't use tunnel source "interface"; instead use the primary IP addresses.

Configure the second VRF pair to use secondary Physical IP addresses.

cheers
Swap
CCIE #19804
 
 
swapnendu
Member
Join Date: Sep 2006
Posts: 57
 
      08-04-2009
the other way to solve this is to use different "tunnel key" on the tunnels.

when tunnel key is used, we can use the same source and destination combination in multiple tunnels.


e.g.
RouterA
interface Tunnel0
ip vrf forwarding CUST-A
ip address 172.16.1.2 255.255.255.252
no tunnel source Serial0/0
tunnel source 11.1.1.2
tunnel destination 11.1.1.1
tunnel key 10

!
interface Tunnel1
ip vrf forwarding CUST-B
ip address 172.16.1.6 255.255.255.252
no tunnel source Serial0/0
tunnel source 11.1.1.2
tunnel destination 11.1.1.1
tunnel key 11



RouterB
interface Tunnel0
ip vrf forwarding CUST-A
ip address 172.16.1.1 255.255.255.252
tunnel source 11.1.1.1
tunnel destination 11.1.1.2
tunnel key 10

!
interface Tunnel1
ip vrf forwarding CUST-B
ip address 172.16.1.5 255.255.255.252
tunnel source 11.1.1.1
tunnel destination 11.1.1.2
tunnel key 11



Of course the third way is to use separate loopback interfaces and routing the loopbacks via an IGP.

cheers
Swap
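
Added example (not code from any poster in this thread): a small Python check for the two rules discussed above. Per briggs' reply, the "tunnel source" interface must sit in the VRF named by "tunnel vrf" (the global table when that line is absent); per Swap's replies, two tunnels may share a source/destination pair only if their "tunnel key" differs. It assumes indented IOS-style config text and checks only the source side, not the route to the tunnel destination; the function names, the sample config and its Tunnel1 are constructed for illustration.

```python
from collections import defaultdict

FIELDS = {"ip vrf forwarding": "vrf", "ip address": "addr", "tunnel source": "source",
          "tunnel destination": "dest", "tunnel vrf": "transport_vrf", "tunnel key": "key"}

def parse_interfaces(config):
    """Map interface name -> settings, from indented IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], {})
        elif not line.startswith(" "):
            current = None              # any other top-level line ends the stanza
        elif current is not None:
            for prefix, field in FIELDS.items():
                if line.strip().startswith(prefix + " "):
                    current[field] = line.strip()[len(prefix):].split()[0]
    return interfaces

def audit_tunnels(config):
    """Return sorted (tunnel, problem) findings for the two rules in the thread."""
    ifs = parse_interfaces(config)
    by_addr = {s["addr"]: name for name, s in ifs.items() if "addr" in s}
    tunnels = {n: s for n, s in ifs.items() if "source" in s}
    findings, seen = [], defaultdict(list)
    for name, s in tunnels.items():
        # Source is an interface name or address; an unknown address counts as global.
        src = ifs.get(s["source"] if s["source"] in ifs else by_addr.get(s["source"]), {})
        src_vrf, transport = src.get("vrf", "global"), s.get("transport_vrf", "global")
        if src_vrf != transport:
            findings.append((name, f"source in vrf {src_vrf}, transport vrf is {transport}"))
        seen[(src.get("addr", s["source"]), s.get("dest"), s.get("key"))].append(name)
    for names in seen.values():
        findings += [(n, f"same source/destination/key as {names[0]}") for n in names[1:]]
    return sorted(findings)

# Constructed sample (addresses from the first post; Tunnel1 is hypothetical).
SAMPLE = """\
interface Loopback9312811
 ip vrf forwarding LAB
 ip address 10.179.128.224 255.255.255.255
interface GigabitEthernet1/0/2
 ip address 172.19.0.1 255.255.255.248
interface Tunnel9312800
 tunnel source 172.19.0.1
 tunnel destination 172.19.128.2
interface Tunnel9312811
 ip vrf forwarding LAB
 tunnel source Loopback9312811
 tunnel destination 10.179.128.248
interface Tunnel1
 tunnel source 172.19.0.1
 tunnel destination 172.19.128.2
"""
```

Calling audit_tunnels(SAMPLE) reports Tunnel9312811 (its source loopback is in vrf LAB while the transport VRF is global) and Tunnel1 (same endpoints as Tunnel9312800 with no key to tell them apart).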
 