gre tunnel in global routing table, getting vrf tunnels through it

Discussion in 'Cisco' started by colin, May 24, 2007.

  1. colin

    colin Guest

    Hi Folks,

    I got the following problem: I'm trying to get multiple vrf tunnels over a routed
    network of my service provider.
    My SP just delivers a single routed network, no customer transport vrf on
    the SP side, so I'm trying to build up an ip tunnel in the global routing
    table in order to tunnel my vrf tunnels through the global tunnel. The
    global tunnel config works fine; combined with ospf I find my neighbours
    Lo0's. Since on the global side I can set my tunnel endpoints on physical
    interfaces and they get routed, they find each other and build up the tunnel.
    Now, I got the Lo11's on each Router A/B in vrf LAB. I use the Lo11's as
    the tunnel endpoint, since I haven't got physicals. Now of course the tunnel
    for vrf LAB does not come up, since they can't find each other.
    I tried to route the Lo11's of each other over the global physical interface
    as follows: The /32 addresses of the Lo11's get routed by my SP as shown
    later. Well, I'm not really sure about the design of this.. so any
    suggestions are welcome to bring my vrfs over this routed network of my SP.
    Thank you
    cheers colin

    Router A:
    ip route vrf LAB 10.179.128.248 255.255.255.255 172.19.0.2

    Router B:
    ip route vrf LAB 10.179.128.224 255.255.255.255 172.19.128.1

    sh ip int bri | inc Tun
    Tunnel9312800 10.3.128.242 YES NVRAM up up
    Tunnel9312811 10.179.128.242 YES manual up down

    Routing table of my SP for vrf LAB addresses:
    ip route 10.179.128.224 255.255.255.255 172.19.0.1
    ip route 10.179.128.248 255.255.255.255 172.19.128.2

    Router A -- SP -- Router B:

    Router A (.1) - SP (.2) 172.19.0.0/29
    Router B (.2) - SP (.1) 172.19.128.0/29



    Router A configuration:
    interface Loopback0
    ip address 10.3.0.120 255.255.255.255

    interface Loopback9312811
    description VRF LAB
    ip vrf forwarding LAB
    ip address 10.179.128.224 255.255.255.255

    interface Tunnel9312800
    ip address 10.3.128.241 255.255.255.248
    tunnel source 172.19.0.1
    tunnel destination 172.19.128.2

    interface Tunnel9312811
    description VRF LAB
    ip vrf forwarding LAB
    ip address 10.179.128.241 255.255.255.248
    tunnel source Loopback9312811
    tunnel destination 10.179.128.248

    router ospf 1000
    router-id 10.3.0.120
    log-adjacency-changes
    passive-interface default
    no passive-interface Tunnel9312800
    network 10.0.0.0 0.15.255.255 area 0.0.0.0
    default-information originate always metric 10


    Router B configuration:

    interface Loopback0
    ip address 10.3.128.248 255.255.255.255

    interface Loopback9312811
    description VRF LAB
    ip vrf forwarding LAB
    ip address 10.179.128.248 255.255.255.255

    interface Tunnel9312800
    ip address 10.3.128.242 255.255.255.248
    tunnel source 172.19.128.2
    tunnel destination 172.19.0.1

    interface Tunnel9312811
    description VRF LAB
    ip vrf forwarding LAB
    ip address 10.179.128.242 255.255.255.248
    tunnel source Loopback9312811
    tunnel destination 10.179.128.224

    router ospf 1000
    router-id 10.3.128.248
    log-adjacency-changes
    passive-interface default
    no passive-interface Tunnel9312800
    network 10.0.0.0 0.15.255.255 area 0.0.0.0
    default-information originate always metric 10
    colin, May 24, 2007
    #1

  2. colin

    Guest

    In article <46555b98$0$3809$>, "colin" <> writes:
    > Hi Folks,
    >
    > I got the following problem: I'm trying to get multiple vrf tunnels over a routed
    > network of my service provider.
    > My SP just delivers a single routed network, no customer transport vrf on
    > the SP side, so I'm trying to build up an ip tunnel in the global routing
    > table in order to tunnel my vrf tunnels through the global tunnel. The
    > global tunnel config works fine; combined with ospf I find my neighbours
    > Lo0's. Since on the global side I can set my tunnel endpoints on physical
    > interfaces and they get routed, they find each other and build up the tunnel.
    > Now, I got the Lo11's on each Router A/B in vrf LAB. I use the Lo11's as
    > the tunnel endpoint, since I haven't got physicals. Now of course the tunnel
    > for vrf LAB does not come up, since they can't find each other.
    > I tried to route the Lo11's of each other over the global physical interface
    > as follows: The /32 addresses of the Lo11's get routed by my SP as shown
    > later. Well, I'm not really sure about the design of this.. so any
    > suggestions are welcome to bring my vrfs over this routed network of my SP.


    To make a long story short, your loopbacks need to be taken out of
    vrf LAB.

    If I understand you correctly you have a single physical link. It is
    in the global vrf.

    You want to create two tunnels over this link. One in the global
    table. One in vrf LAB.

    You've built the global tunnel using the physical interface endpoints
    as your tunnel endpoints.

    You cannot reuse those endpoints for the vrf LAB tunnel because you
    can't have two distinct tunnels using the same tunnel source/tunnel dest
    pair.

    So you've created a loopback interface on each end and added IP
    routes in the global table pointing to the loopback interface IPs
    and you've attempted to build your vrf LAB tunnel using those
    endpoints.

    But you put the loopback interfaces into vrf LAB with the
    "ip vrf forwarding LAB" syntax. That won't work at all.

    The most immediate problem it causes is that your vrf LAB tunnel finds
    no interface in the global table matching the "tunnel source" that
    you have specified. And even if you got past that, there's no
    route in the global routing table on the peer for the "tunnel
    dest" IP address that you have specified.


    When building an IP tunnel in a vrf environment you need to decide two
    things:

    1. What vrf is the tunnel in? That is, what vrf does the interface IP
    fall into and where will the connected interface route show up?

    You control this with "ip vrf forwarding x" under the tunnel interface
    configuration.

    2. What vrf is the underlying connectivity coming from? That is,
    what vrf are the tunnel source and tunnel dest in and what vrf has
    the routing table entries for this connectivity?

    You control this with "tunnel vrf x" under the tunnel interface
    configuration. The vrf of the tunnel source and the vrf of the routing
    table entry for the tunnel dest must be consistent with this choice.
    , May 24, 2007
    #2

  3. colin

    colin Guest

    Hi briggs,

    thanks for your help, it finally worked out. I will post an example of the
    running-config shortly.


    > To make a long story short, your loopbacks need to be taken out of
    > vrf LAB.
    >
    > If I understand you correctly you have a single physical link. It is
    > in the global vrf.
    >
    > You want to create two tunnels over this link. One in the global
    > table. One in vrf LAB.
    >
    > You've built the global tunnel using the physical interface endpoints
    > as your tunnel endpoints.
    >
    > You cannot reuse those endpoints for the vrf LAB tunnel because you
    > can't have two distinct tunnels using the same tunnel source/tunnel dest
    > pair.
    >
    > So you've created a loopback interface on each end and added IP
    > routes in the global table pointing to the loopback interface IPs
    > and you've attempted to build your vrf LAB tunnel using those
    > endpoints.
    >
    > But you put the loopback interfaces into vrf LAB with the
    > "ip vrf forwarding LAB" syntax. That won't work at all.
    >
    > The most immediate problem it causes is that your vrf LAB tunnel finds
    > no interface in the global table matching the "tunnel source" that
    > you have specified. And even if you got past that, there's no
    > route in the global routing table on the peer for the "tunnel
    > dest" IP address that you have specified.
    >
    >
    > When building an IP tunnel in a vrf environment you need to decide two
    > things:
    >
    > 1. What vrf is the tunnel in? That is, what vrf does the interface IP
    > fall into and where will the connected interface route show up?
    >
    > You control this with "ip vrf forwarding x" under the tunnel interface
    > configuration.
    >
    > 2. What vrf is the underlying connectivity coming from? That is,
    > what vrf are the tunnel source and tunnel dest in and what vrf has
    > the routing table entries for this connectivity?
    >
    > You control this with "tunnel vrf x" under the tunnel interface
    > configuration. The vrf of the tunnel source and the vrf of the routing
    > table entry for the tunnel dest must be consistent with this choice.
    colin, May 30, 2007
    #3
  4. colin

    colin Guest

    Re: gre tunnel in global routing table, getting vrf tunnels through it - "THE How-to"

    Dear NG,

    I promised a "short" example of my running config.. well, it may not be so
    short.. it's a crappy piece of paper now for my internal use.. but it may
    help others..

    as promised:

    -------------------------------------------------------------------------------------------------------------------------

    HOW-TO Tunneling VRF Tunnels through a Global Tunnel.

    Problem as follows:
    I got VRFs on Router A. Between Router A or Site A and Site B / Router B, I
    got my local Service Provider, from whom I get a routed network, and
    nothing more, with one address on each side.
    I got no possibility to tunnel dot1q or get transport vrfs on Service
    Provider side.
    Now I want to get those VRFs between Site A and B connected over the network
    of my Provider.
    The trick is to create a Tunnel over Service Provider Net. And then to
    tunnel your VRF Tunnels through your created Global Tunnel,
    which is a little tricky..
    Sooo, let's get started.. well, why don't you just go ahead and start reading
    through the configs... and try to return back to the text...
    hmm, it's rather hard to explain this one.... gonna try my best. ;-)
    soo,

    1. Router A (172.19.0.1) has to be able to contact Router B (172.17.0.1)
    over Service Provider //global routing
    Get that sorted out with your provider first. Since I can't just set up my
    OSPF to propagate routes over the 172.1X.0.0 networks to my Service
    Provider, I have to route this statically on each side:

    ! Route to Global Tunnel-Endpoint
    ip route 172.17.0.0 255.255.255.248 172.19.0.2

    2. Then build up the Tunnel9100000

    you now should see something like this:
    sh ip int brief | inc Tunnel
    Tunnel9100000 10.1.0.241 YES NVRAM up up

    3. Make sure your routing-protocol gets to see the other side or propagates
    routes over the global tunnel:

    example:
    router ospf 1000
    passive-interface default
    no passive-interface Tunnel9100000
    network 10.0.0.0 0.0.0.255 area 0.0.0.0

    4. Create the Global Loopback-addresses for the VRF Tunnel on each side:

    example:
    interface Loopback91000111
    description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
    ip address 10.177.0.232 255.255.255.255

    5. Before you start pulling the new VRF Tunnels up... make sure your
    Provider has routed your VRF Tunnel Endpoints correctly... you save
    yourself lots of time...

    Providers Routes for VRF-Tunnel-Endpoints:
    ip route 10.177.0.232 255.255.255.255 172.19.0.1
    ip route 10.177.0.233 255.255.255.255 172.17.0.2

    6. Don't forget to put the VRF-Tunnel-Endpoints in your Global
    Routing-Process on each side:

    router ospf 1000
    network 10.177.0.232 0.0.0.1 area 0.0.0.0

    7. and now type:

    sh ip int brief | inc Tunnel
    Tunnel9100000 10.1.0.241 YES NVRAM up up
    Tunnel9100001 10.17.0.241 YES NVRAM up up


    You're done.. now continue these steps over your X Tunnels you wanna build
    up.
    A good design or a drawing helps a lot!!!

    Have fun, hope it helped ya, it will help me again.... in around... 5-6
    months or so..

    cheers colin.cant AT solnet.ch




    ----------------------------------------------------------------------------

    Physical build-up:


    Router A - Gi1/0/2 = Gi1/0/24 - Service Provider - Gi1/0/4 = Fa0/1 - Router B

    Router A = .1 - 172.19.0.0/29 - .2 = SP = .1 - 172.17.0.0/29 - .2 = Router B


    Global Tunnel:

    Router A - Tun-End: 172.19.0.1 --------------- 172.17.0.2 Tun-End - Router B

    Router A - 10.1.0.241 ------Global Tunnel9100000 -------- 10.1.0.242 - Router B



    VRF LAB Tun: (SRCs in Global Routing Table)

    Router A - Tun-SRC: 10.177.0.232 ----------- 10.177.0.233 - Tun-SRC - Router B

    ! Tunnel: ip vrf forwarding LAB
    Router A - 10.177.0.241 ----- VRF LAB Tunnel ---------- 10.177.0.242 - Router B


    ==========================================================

    Simulated Service Provider using a 3750:

    ip routing

    interface GigabitEthernet1/0/4
    no switchport
    ip address 172.17.0.1 255.255.255.248

    interface GigabitEthernet1/0/24
    no switchport
    ip address 172.19.0.2 255.255.255.248


    ! Service Provider has to route the VRF-LABs Tunnel-Endpoints:
    ip route 10.177.0.232 255.255.255.255 172.19.0.1
    ip route 10.177.0.233 255.255.255.255 172.17.0.2

    ==========================================================

    Router A (3750);

    IOS used: c3750-advipservicesk9-mz.122-25.SEE3.bin

    ip routing
    ip cef distributed

    ip vrf LAB
    description VRF LAB
    rd 65000:11

    interface GigabitEthernet1/0/2
    no switchport
    ip address 172.19.0.1 255.255.255.248

    ! Route to Global Tunnel-Endpoint
    ip route 172.17.0.0 255.255.255.248 172.19.0.2


    interface Loopback11
    description VRF LAB (Effective VRF LO)
    ip vrf forwarding LAB
    ip address 10.179.0.120 255.255.255.255


    interface Loopback91000111
    description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
    ip address 10.177.0.232 255.255.255.255

    !Global Tunnel
    interface Tunnel9100000
    description GLOBAL
    ip address 10.1.0.241 255.255.255.248
    tunnel source 172.19.0.1
    tunnel destination 172.17.0.2

    !VRF LAB Tunnel
    interface Tunnel9100011
    description VRF LAB
    ip vrf forwarding LAB
    ip address 10.177.0.241 255.255.255.248
    tunnel source Loopback91000111
    tunnel destination 10.177.0.233

    router ospf 1000
    router-id W.X.Y.Z
    log-adjacency-changes
    passive-interface default
    no passive-interface Tunnel9100000
    network 10.0.0.0 0.0.0.255 area 0.0.0.0
    network 10.177.0.232 0.0.0.1 area 0.0.0.0


    ==========================================================

    Router B (3560):

    IOS used: c3560-advipservicesk9-mz.122-35.SE1.bin

    ip routing
    ip cef distributed

    ip vrf LAB
    description VRF LAB
    rd 65000:11

    interface FastEthernet0/1
    no switchport
    ip address 172.17.0.2 255.255.255.248

    ! Route to Global Tunnel-Endpoint
    ip route 172.19.0.0 255.255.255.248 172.17.0.1

    interface Loopback9100011
    description VRF LAB (Effective VRF LO)
    ip vrf forwarding LAB
    ip address 10.177.0.248 255.255.255.255

    interface Loopback91000111
    description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
    ip address 10.177.0.233 255.255.255.255


    !Global Tunnel:
    interface Tunnel9100000
    description GLOBAL
    ip address 10.1.0.242 255.255.255.248
    tunnel source 172.17.0.2
    tunnel destination 172.19.0.1

    !VRF LAB Tunnel
    interface Tunnel9100011
    description VRF LAB
    ip vrf forwarding LAB
    ip address 10.177.0.242 255.255.255.248
    tunnel source Loopback91000111
    tunnel destination 10.177.0.232

    router ospf 1000
    router-id W.X.Y.Z
    log-adjacency-changes
    passive-interface default
    no passive-interface Tunnel9100000
    network 10.0.0.0 0.0.0.255 area 0.0.0.0
    network 10.177.0.233 0.0.0.1 area 0.0.0.0
    colin, Jun 2, 2007
    #4
  5. colin

    swapnendu

    Joined:
    Sep 13, 2006
    Messages:
    57
    I have NOT gone through the full issue, solution and the full explanation but I have something to share quickly.

    Using multiple tunnel interfaces and multi VRF-lite don't work automatically coz two tunnel interfaces can't share the same tunnel source/dest combination.

    To circumvent this problem, use secondary IP addresses on the ISP link on both sides. Configure one pair of VRF tunnels to use the primary IP addresses of the physical interface. Don't use tunnel source "interface", instead use the primary IP addresses.

    Configure the second VRF pair to use the secondary physical IP addresses.

    cheers
    Swap
    CCIE #19804
    swapnendu, Aug 4, 2009
    #5
  6. colin

    swapnendu

    Joined:
    Sep 13, 2006
    Messages:
    57
    The other way to solve this is to use a different "tunnel key" on the tunnels.

    When tunnel key is used, we can use the same source and destination combination in multiple tunnels.


    e.g.
    RouterA
    interface Tunnel0
    ip vrf forwarding CUST-A
    ip address 172.16.1.2 255.255.255.252
    no tunnel source Serial0/0
    tunnel source 11.1.1.2
    tunnel destination 11.1.1.1
    tunnel key 10

    !
    interface Tunnel1
    ip vrf forwarding CUST-B
    ip address 172.16.1.6 255.255.255.252
    no tunnel source Serial0/0
    tunnel source 11.1.1.2
    tunnel destination 11.1.1.1
    tunnel key 11



    RouterB
    interface Tunnel0
    ip vrf forwarding CUST-A
    ip address 172.16.1.1 255.255.255.252
    tunnel source 11.1.1.1
    tunnel destination 11.1.1.2
    tunnel key 10

    !
    interface Tunnel1
    ip vrf forwarding CUST-B
    ip address 172.16.1.5 255.255.255.252
    tunnel source 11.1.1.1
    tunnel destination 11.1.1.2
    tunnel key 11



    Of course the third way is to use separate loopback interfaces and routing the loopbacks via an IGP.

    cheers
    Swap
    swapnendu, Aug 4, 2009
    #6
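
A small config audit for the two rules discussed in this thread (the `ip vrf forwarding` / `tunnel vrf` distinction in #2 and the source/destination/key uniqueness in #5 and #6), as an added example that is not code from any of the posters. The function names and finding labels are hypothetical; `BROKEN` is Router A's VRF LAB loopback and tunnel from post #1.

```python
import re

FIELDS = {  # IOS interface sub-commands mapped to attribute names
    r"ip vrf forwarding (\S+)": "vrf",   # VRF the interface itself sits in
    r"tunnel vrf (\S+)": "tunnel_vrf",   # VRF used to look up source/destination
    r"ip address (\S+) \S+": "ip",
    r"tunnel source (\S+)": "source",
    r"tunnel destination (\S+)": "dest",
    r"tunnel key (\d+)": "key",
}

def parse_interfaces(config):
    """Return {interface name: attributes} for every interface stanza."""
    ifaces, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        head = re.fullmatch(r"interface (\S+)", line)
        if head:
            cur = ifaces.setdefault(head.group(1), dict.fromkeys(FIELDS.values()))
        elif not line or line.startswith(("!", "router ", "ip route ")):
            cur = None  # stanza ended
        elif cur is not None:
            for pattern, attr in FIELDS.items():
                if m := re.fullmatch(pattern, line):
                    cur[attr] = m.group(1)
    return ifaces

def audit_tunnels(config):
    """Return sorted (tunnel, finding) pairs for the two rules from the thread."""
    ifaces = parse_interfaces(config)
    by_ip = {i["ip"]: i for i in ifaces.values() if i["ip"]}
    findings, seen = [], {}
    for name, t in ifaces.items():
        if not t["source"]:
            continue  # not a tunnel interface
        # "tunnel source" may name an interface or one of its addresses
        src = ifaces.get(t["source"]) or by_ip.get(t["source"])
        if src is None:
            findings.append((name, "source-not-in-config"))
        elif src["vrf"] != t["tunnel_vrf"]:  # None on both sides = global table
            findings.append((name, "source-vrf-mismatch"))
        key = (src["ip"] if src else t["source"], t["dest"], t["key"])
        seen.setdefault(key, []).append(name)
    for names in seen.values():
        if len(names) > 1:  # same source/destination/key on several tunnels
            findings += [(n, "duplicate-endpoints") for n in names]
    return sorted(findings)

# Router A's VRF LAB loopback and tunnel as posted in #1 (the non-working setup).
BROKEN = """interface Loopback9312811
ip vrf forwarding LAB
ip address 10.179.128.224 255.255.255.255
interface Tunnel9312811
ip vrf forwarding LAB
tunnel source Loopback9312811
tunnel destination 10.179.128.248"""
```

A GRE tunnel key only demultiplexes tunnels that share endpoints; it travels in clear text and neither authenticates nor encrypts the VRF traffic crossing the provider network.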