Options
VRF-lite discussion
So i've got 3 routers connected as follows:
R2<
>R1<
>R3
....e0/0...............e0/0.....e0/1....................e0/1...
..........10.0.12.0/24.................10.0.13.0/24
R1 is setup with 2 vrf's VPN_01 and VPN_02, it will peer ospf within each vrf to each neighbor i.e. R2 and R3.
R2 and R3 will each have int lo0 2.2.2.2 and 3.3.3.3 respectfully.
Now i want to leak the loopback routes between the 2 vrf's so that R2 can ping R3 sourcing the ping from lo0.
R1 config
ip vrf VPN_01
rd 1:1
!
ip vrf VPN_02
rd 2:2
!
interface Ethernet0/0
ip vrf forwarding VPN_01
ip address 10.0.12.1 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0/1
ip vrf forwarding VPN_02
ip address 10.0.13.1 255.255.255.0
ip ospf network point-to-point
!
router ospf 1 vrf VPN_01
router-id 1.1.1.1
redistribute static subnets
network 0.0.0.0 255.255.255.255 area 0
!
router ospf 2 vrf VPN_02
router-id 100.2.2.2
redistribute static subnets
network 0.0.0.0 255.255.255.255 area 0
!
ip route vrf VPN_01 3.3.3.3 255.255.255.255 Ethernet0/1 10.0.13.3
ip route vrf VPN_02 2.2.2.2 255.255.255.255 Ethernet0/0 10.0.12.2
!
I wont bother posting R2 and R3 configs, as just basic ospf neighbors.
R1#sh ip route vrf VPN_02
Routing Table: VPN_02
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
S 2.2.2.2 [1/0] via 10.0.12.2, Ethernet0/0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/11] via 10.0.13.3, 01:06:09, Ethernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.13.0/24 is directly connected, Ethernet0/1
L 10.0.13.1/32 is directly connected, Ethernet0/1
R1#
R2#ping 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2#
R3#ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms
R3#
So everything works, but this configuration isn't sitting so good with me.It's meanly due to the static routes.
ip route vrf VPN_01 3.3.3.3 255.255.255.255 Ethernet0/1 10.0.13.3
ip route vrf VPN_02 2.2.2.2 255.255.255.255 Ethernet0/0 10.0.12.2
R1#sh ip vrf interfaces VPN_01
Interface IP-Address VRF Protocol
Et0/0 10.0.12.1 VPN_01 up
R1#sh ip vrf interfaces VPN_02
Interface IP-Address VRF Protocol
Et0/1 10.0.13.1 VPN_02 up
R1#
How can i route to an interface that's not in the vrf? VPN_01 shouldn't know about eth 0/1 and VPN_02 shouldn't know about eth 0/0. If i remove the next-hop interface from the route statement, the route doesn't work.
Now imagine i just had one vrf VPN_01 and eth 0/1 was in the global routing table as opposed to VPN_02, in this case the static route would use the keyword "global", now this makes sense to me, i'm telling the vrf to look in the global rib for the next-hop egress interface. Why i don't have to do similar when using an exit interface in another vrf? seems like the logic is a little screwed to me. Can i have someone else's interpretation on this?
R1(config)#ip route vrf VPN_01 3.3.3.3 255.255.255.255 eth 0/1 10.0.13.3 ?
<1-255> Distance metric for this route
global Next hop address is global
multicast multicast route
name Specify name of the next hop
permanent permanent route
tag Set tag for this route
track Install route depending on tracked item
<cr>
R2<
>R1<
>R3
....e0/0...............e0/0.....e0/1....................e0/1...
..........10.0.12.0/24.................10.0.13.0/24
R1 is setup with 2 vrf's VPN_01 and VPN_02, it will peer ospf within each vrf to each neighbor i.e. R2 and R3.
R2 and R3 will each have int lo0 2.2.2.2 and 3.3.3.3 respectfully.
Now i want to leak the loopback routes between the 2 vrf's so that R2 can ping R3 sourcing the ping from lo0.
R1 config
ip vrf VPN_01
rd 1:1
!
ip vrf VPN_02
rd 2:2
!
interface Ethernet0/0
ip vrf forwarding VPN_01
ip address 10.0.12.1 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0/1
ip vrf forwarding VPN_02
ip address 10.0.13.1 255.255.255.0
ip ospf network point-to-point
!
router ospf 1 vrf VPN_01
router-id 1.1.1.1
redistribute static subnets
network 0.0.0.0 255.255.255.255 area 0
!
router ospf 2 vrf VPN_02
router-id 100.2.2.2
redistribute static subnets
network 0.0.0.0 255.255.255.255 area 0
!
ip route vrf VPN_01 3.3.3.3 255.255.255.255 Ethernet0/1 10.0.13.3
ip route vrf VPN_02 2.2.2.2 255.255.255.255 Ethernet0/0 10.0.12.2
!
I wont bother posting R2 and R3 configs, as just basic ospf neighbors.
R1#sh ip route vrf VPN_02
Routing Table: VPN_02
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
S 2.2.2.2 [1/0] via 10.0.12.2, Ethernet0/0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/11] via 10.0.13.3, 01:06:09, Ethernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.13.0/24 is directly connected, Ethernet0/1
L 10.0.13.1/32 is directly connected, Ethernet0/1
R1#
R2#ping 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2#
R3#ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms
R3#
So everything works, but this configuration isn't sitting so good with me.It's meanly due to the static routes.
ip route vrf VPN_01 3.3.3.3 255.255.255.255 Ethernet0/1 10.0.13.3
ip route vrf VPN_02 2.2.2.2 255.255.255.255 Ethernet0/0 10.0.12.2
R1#sh ip vrf interfaces VPN_01
Interface IP-Address VRF Protocol
Et0/0 10.0.12.1 VPN_01 up
R1#sh ip vrf interfaces VPN_02
Interface IP-Address VRF Protocol
Et0/1 10.0.13.1 VPN_02 up
R1#
How can i route to an interface that's not in the vrf? VPN_01 shouldn't know about eth 0/1 and VPN_02 shouldn't know about eth 0/0. If i remove the next-hop interface from the route statement, the route doesn't work.
Now imagine i just had one vrf VPN_01 and eth 0/1 was in the global routing table as opposed to VPN_02, in this case the static route would use the keyword "global", now this makes sense to me, i'm telling the vrf to look in the global rib for the next-hop egress interface. Why i don't have to do similar when using an exit interface in another vrf? seems like the logic is a little screwed to me. Can i have someone else's interpretation on this?
R1(config)#ip route vrf VPN_01 3.3.3.3 255.255.255.255 eth 0/1 10.0.13.3 ?
<1-255> Distance metric for this route
global Next hop address is global
multicast multicast route
name Specify name of the next hop
permanent permanent route
tag Set tag for this route
track Install route depending on tracked item
<cr>
Networking, sometimes i love it, mostly i hate it.Its all about the $$$$