VRF question for CCNP
-
Can both customer 1 and customer 2 reach that address heading outbound?
On the pings, you can try to source the address from something within your customer 2 and see if it works. If it does, then it's the VRF that is stopping you, as it should.
You may also want to just ping from iosv-5 and from iosv-6. Are those making it to your ping destination?
-
They can't reach 192.168.1.203 even from Customer1 or Customer2. I posted to Cisco Learning Network. One guy posted an interesting article on VRF Fun. He said to place global routes on IOSv-7 pointing towards customer1 and customer2.
https://learningnetwork.cisco.com/message/699025#699025
Hi Jeffrey,
If you want to solve this task without NAT then you need to populate the global routing table with the routes pointing to particular VRFs. Think of this: Packets from R4 will arrive on R1's f0/0 interface, and since this interface is placed into the global routing table, the packets' fate will be determined based on the global routing table contents. Note that if the IP addresses on the R1/R2 and R1/R3 links are the same (or overlapping), there is no way of solving the connectivity problem without NAT.
Assuming that you are using 10.1.2.0/24 on the R1/R2 link, and 10.1.3.0/24 on the R1/R3 link, R1 would be configured as follows:
ip route 10.1.2.0 255.255.255.0 f2/0
ip route 10.1.3.0 255.255.255.0 g3/0
Note that if R2 and R3 also have other networks behind them, for example, loopback networks (10.255.255.2/32 on R2, and 10.255.255.3/32 on R3), the additional configuration on R1 would be:
ip route 10.255.255.2 255.255.255.255 f2/0 10.1.2.2
ip route 10.255.255.3 255.255.255.255 g3/0 10.1.3.3
The leaking from global routing table to a non-default VRF is done by referencing the egress interface - since that interface is a member of a single VRF, it also forces the packets to cross the VRF boundary.
There are two documents that also might be of interest (you likely know them, but I am including them for completeness):
-
My VIRL sim got corrupted on save. I had to recreate it last night, so the sh run above is different now. I knew from the pings that nothing was crossing iosv-7 from flat to VRF. The ip routes below gave sh ip route the path to get to the VRF.
iosv-7#sh run | s ip route
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 192.168.32.0 255.255.255.252 GigabitEthernet0/3
ip route 192.168.64.0 255.255.255.252 GigabitEthernet0/2
ip route vrf customer1 0.0.0.0 0.0.0.0 172.16.1.1 global
ip route vrf customer2 0.0.0.0 0.0.0.0 172.16.1.1 global
iosv-7#
iosv-1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/7 ms
iosv-1#
iosv-1#
I have never had to have routes pointing inward away from flat. Because VRF creates separate routing tables, I had to add them.
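To make the mechanism from the Cisco Learning Network reply and the iosv-7 routes above concrete, here is an added Python script (not from the thread, and not Cisco code) that parses the interface and static-route lines of a show run, lists every static route that crosses a VRF boundary (a global route whose egress interface belongs to a VRF, or a VRF route whose next hop is qualified with global), and traces which table a packet and its reply are looked up in. The sample config is a constructed copy of iosv-7's interface and ip route lines; the parser assumes the classic ip vrf forwarding syntax shown there and models only connected and static routes, not the OSPF-learned ones.

```python
"""Added example (not from the thread): find static-route VRF leaks in an IOS
show run and trace which table a packet and its reply are looked up in.
Assumes the classic 'ip vrf forwarding' syntax used on iosv-7; models only
connected and static routes, not the OSPF-learned ones."""
import ipaddress
import re

GLOBAL = "global"  # name used here for the default (global) routing table

# Constructed sample: the interface and static-route lines of iosv-7 from the thread.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 ip address 172.16.1.203 255.255.255.0
interface GigabitEthernet0/2
 ip vrf forwarding customer2
 ip address 192.168.64.1 255.255.255.252
interface GigabitEthernet0/3
 ip vrf forwarding customer1
 ip address 192.168.32.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 192.168.32.0 255.255.255.252 GigabitEthernet0/3
ip route 192.168.64.0 255.255.255.252 GigabitEthernet0/2
ip route vrf customer1 0.0.0.0 0.0.0.0 172.16.1.1 global
ip route vrf customer2 0.0.0.0 0.0.0.0 172.16.1.1 global
"""


def parse_config(text):
    """Return (interface -> VRF map, list of routes). Each route records the table
    it is installed in, its prefix, its egress interface (if given) and whether
    the next hop was qualified with 'global'."""
    iface_vrf, routes, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = m.group(1)
            iface_vrf.setdefault(cur, GLOBAL)  # global unless a vrf line follows
            continue
        m = re.match(r"(?:ip )?vrf forwarding (\S+)$", line)
        if m and cur:
            iface_vrf[cur] = m.group(1)
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and cur:  # connected route: lives in the interface's own VRF
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append({"table": iface_vrf[cur], "net": net, "iface": cur, "global": False})
            continue
        m = re.match(r"ip route(?: vrf (\S+))? (\S+) (\S+)(.*)$", line)
        if m:
            vrf, addr, mask, rest = m.groups()
            toks = rest.split()  # [interface] [next-hop] [global]
            iface = next((t for t in toks if t != GLOBAL and not t[0].isdigit()), None)
            routes.append({"table": vrf or GLOBAL,
                           "net": ipaddress.ip_network(f"{addr}/{mask}", strict=False),
                           "iface": iface, "global": GLOBAL in toks})
    return iface_vrf, routes


def next_table(route, iface_vrf):
    """Table the packet is forwarded in after this route is chosen: 'global' wins,
    otherwise the egress interface's VRF, otherwise the route's own table."""
    if route["global"]:
        return GLOBAL
    if route["iface"]:
        return iface_vrf.get(route["iface"], route["table"])
    return route["table"]


def lookup(iface_vrf, routes, table, dst):
    """Longest-prefix match for dst in the given table; returns the table the
    packet is forwarded in next, or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if r["table"] == table and dst in r["net"]),
               key=lambda r: r["net"].prefixlen, default=None)
    return None if best is None else next_table(best, iface_vrf)


def leaks(iface_vrf, routes):
    """Every route that forwards into a different table than it is installed in,
    i.e. each crossing of a VRF boundary, as sorted (from, to, prefix) tuples."""
    return sorted({(r["table"], next_table(r, iface_vrf), str(r["net"]))
                   for r in routes if next_table(r, iface_vrf) != r["table"]})


def trace(iface_vrf, routes, ingress_iface, src, dst):
    """Forward lookup in the ingress interface's VRF, then the reply's lookup in
    the table the packet was delivered into. Returns (forward_table, reply_table);
    the reply only gets back to src if reply_table is src's VRF."""
    fwd = lookup(iface_vrf, routes, iface_vrf[ingress_iface], dst)
    rev = None if fwd is None else lookup(iface_vrf, routes, fwd, src)
    return fwd, rev


if __name__ == "__main__":
    ifaces, rts = parse_config(SAMPLE_CONFIG)
    for frm, to, prefix in leaks(ifaces, rts):
        print(f"leak: {frm:9} -> {to:9} {prefix}")
    # iosv-1 (192.168.32.2 in customer1) pinging the flat-side gateway 172.16.1.1
    print(trace(ifaces, rts, "GigabitEthernet0/3", "192.168.32.2", "172.16.1.1"))
```

Run with python3 and it prints the four leak entries (each VRF's default to global, and the two global /30 routes that point out a VRF interface) plus ('global', 'customer1') for the ping: the echo leaves customer1 via the global keyword and the reply is pulled back into customer1 by the global route whose egress interface is Gi0/3. Delete that global 192.168.32.0/30 route from the sample and the reply lookup lands in the global table's default instead, which is the "nothing was crossing iosv-7 from flat to VRF" symptom. Each leak line is a deliberate hole in the separation between VRFs, which is why they are worth listing in a segmentation review.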
-
Here is my rebuilt VRF sim.
I can ping to 172.16.1.1 from iosv-1 and iosv-2. I can't from 3 to 6. I have 172.16.16.x and 172.16.32.x on customer 1 and customer 2. So doing a static route to them would not be easy. Do I need some type of nat? I watched your video. I never saw you ping or your final configuration.
iosv-7#sh run
Building configuration...
Current configuration : 4339 bytes
!
! Last configuration change at 13:58:47 UTC Fri Sep 28 2018
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname iosv-7
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable password cisco
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
ip vrf customer1
!
ip vrf customer2
!
!
!
!
no ip domain lookup
ip domain name virl.info
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
username cisco privilege 15 secret 5 $1$pUcy$KqZNZ63JORbDOZXKRn2MF1
!
redundancy
!
no cdp run
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description Loopback
no ip address
!
interface GigabitEthernet0/0
description OOB Management
vrf forwarding Mgmt-intf
ip address 10.255.7.71 255.255.0.0
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to flat-1
ip address 172.16.1.203 255.255.255.0
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description to iosv-2
ip vrf forwarding customer2
ip address 192.168.64.1 255.255.255.252
ip ospf 2 area 0
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/3
description to iosv-1
ip vrf forwarding customer1
ip address 192.168.32.1 255.255.255.252
ip ospf 1 area 0
duplex full
speed auto
media-type rj45
!
router ospf 2 vrf customer2
router-id 0.0.7.2
network 192.168.64.0 0.0.0.3 area 0
default-information originate always
!
router ospf 1 vrf customer1
router-id 0.0.7.1
network 192.168.32.0 0.0.0.3 area 0
default-information originate always
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 192.168.32.0 255.255.255.252 GigabitEthernet0/3
ip route 192.168.64.0 255.255.255.252 GigabitEthernet0/2
ip route vrf customer1 0.0.0.0 0.0.0.0 172.16.1.1 global
ip route vrf customer2 0.0.0.0 0.0.0.0 172.16.1.1 global
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh server algorithm authentication password
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ipv6 ioam timestamp
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
password cisco
line aux 0
line vty 0 4
exec-timeout 720 0
password cisco
login local
transport input telnet ssh
!
no scheduler allocate
!
end
iosv-7#
-
If you want to ping from customer 1 to customer 2 or vice versa, you may have to do some route redistribution across them if you're using a routing protocol.
I didn't do that on the show because we tried to keep the topic as clean and limited to that single topic as possible. But that's what I've always used route redistribution for.
-
I changed the ip routes to /28 on iosv-7
I changed 192.168.32.x and 64.x to /28.
I set up NAT on iosv-1 and iosv-2
ip nat pool Cust1Top 192.168.32.4 192.168.32.4 netmask 255.255.255.0
ip nat pool Cust1Bot 192.168.32.5 192.168.32.5 netmask 255.255.255.0
ip nat inside source list 1 pool Cust1Top overload
ip nat inside source list 2 pool Cust1Bot overload
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh server algorithm authentication password
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ipv6 ioam timestamp
!
!
access-list 1 permit 172.16.32.0 0.0.0.3
access-list 2 permit 172.16.16.0 0.0.0.3
So:
3 and 4 get NAT on 1; 5 and 6 get NAT on 2
-
ip nat pool Cust2Top 192.168.64.3 192.168.64.3 netmask 255.255.255.0
ip nat pool Cust2Bot 192.168.64.4 192.168.64.4 netmask 255.255.255.0
ip nat inside source list 1 pool Cust2Top overload
ip nat inside source list 2 pool Cust2Bot overload
ip route 0.0.0.0 0.0.0.0 192.168.64.1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh server algorithm authentication password
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ipv6 ioam timestamp
!
!
access-list 1 permit 172.16.32.0 0.0.0.3
access-list 2 permit 172.16.16.0 0.0.0.3
-
My problem with some of your content is the lack of completeness. Seems like you go 60-70% of the way there and leave the rest up to us to figure out. I used NAT and global routes to get it to work. Could you add a section for your sh run on each device so we can look at them after each show?
-
The problem again is that we covered NAT in a different episode already. On VRF, you normally don't see it run unless you're in the service provider side of things. This show doesn't concentrate on the CCNP SP exams. So even with this, we would only see that full configuration as you've suggested from the Service Provider side.
On the episode, I configured two different VRFs, with two different sources and two separate hosts, and ran the routing protocol for each VRF and showed it operationally working. Configuring VRF itself is not the objective here; it is only VRF-lite which is the focus of the episode. I try not to add complexity so that the focus is on setting up that topic and not explaining how everything else needs to work before it will work too. Hope this helps you to understand the process.
-
@ronnie-wong You are always a great help. When I took the CCNP exam a few months ago and failed it, it was a shock how many questions were not in the books or videos on our site. I have been going through each topic and doing VIRL sims on them. It would be great to see your finished sh runs with it working. Yes, I need to know one side of many topics for the CCNP. You can't get them properly working in a sim without the other side done too.
-
https://wp.scsiraidguru.com/?page_id=1191
Here are the simulation, sh run, sh ip route, and sh ip route vrf files.
-
I like the new Cisco CCNP VRF-Lite video done by Ronnie Wong. I hope my finished VRF project I attached using NAT with OSPF helps.
-
@michael-mckenney,
Thanks for sharing your lab!
-
I thought it might help your users with the CCNP.
I started watching your new videos. I took your VRF-Lite video and did it for OSPF, and I am working on EIGRP. I am getting it so it can ping to the outside world from Cisco VIRL, and I am going to work on getting TFTP to work with it.
I am watching your new VRF-Lite video. I saw you use 10.16.10.0 255.255.255.254. I had to look it up. I see it is described as a point-to-point connection. I love the new videos.
-
I watched Ronnie's new VRF-Lite video on CCNP Route. I did this simulation in Cisco VIRL
https://wp.scsiraidguru.com/?page_id=1239
This one is VRF-Lite with EIGRP. I am completing VRF-Lite for OSPF soon on my web site. It doesn't allow me to use default-information originate, so I did a lot of ip route and ip route vrf statements to get in and out.
ip tftp source-interface g0/x allowed me to TFTP to my workstation.
sh run | redirect tftp://192.168.1.240/iosv1_ShRun.txt sends iosv-1's sh run to a text file on my TFTP server. This speeds up building the simulations on my web page.
I added a few things for completeness. FLAT-1 connects to the 172.16.1.0 network on my Fortinet 60E. VIRL allows me to reach the real world. I set up ip tftp source-interface g0/x to TFTP to my workstation.
172.16.1.1 is the 60E interface and 192.168.1.240 is my workstation.
I configured inbound and outbound IP routes for VRF to get to my workstation. Each router has loopbacks for HR and ACCT.
I did learn something new: 10.16.10.0 / 255.255.255.254 is point-to-point.
-
https://wp.scsiraidguru.com/?page_id=1262
Here is the link for VRF using OSPF. This simulation is VRF for departments using OSPF. I have setup HR and ACCT to be separated. I also setup the routes to get out to my TFTP server, my workstation. Sh run | redirect tftp://192.168.1.240/iosv1_ShRun.txt so I could send the files below to my workstation.