gre tunnel in global routing table, getting vrf tunnels through it

Hi Folks,

I got the following problem: I'm trying to get multiple VRF tunnels over a routed network of my service provider. My SP just delivers a single routed network, no customer transport VRF on the SP side, so I'm trying to build up an IP tunnel in the global routing table in order to tunnel my VRF tunnels through the global tunnel.

The global tunnel config works fine; combined with OSPF I find my neighbour's Lo0's. Since on the global side I can set my tunnel endpoints on physical interfaces and they get routed, they find each other and build up the tunnel.

Now, I got the Lo11's on each Router A/B in vrf LAB. I use the Lo11's as the tunnel endpoints, since I haven't got physicals. Now of course the tunnel for vrf LAB does not come up, since they can't find each other. I tried to route the Lo11's of each other over the global physical interface as follows. The /32 addresses of the Lo11's get routed by my SP as shown later.

Well, I'm not really sure about the design of this, so any suggestions are welcome to bring my VRFs over this routed network of my SP.

Thank you,
cheers
colin

Router A:
ip route vrf LAB 10.179.128.248 255.255.255.255 172.19.0.2

Router B:
ip route vrf LAB 10.179.128.224 255.255.255.255 172.19.128.1

sh ip int bri | inc Tun
Tunnel9312800 10.3.128.242 YES NVRAM up up
Tunnel9312811 10.179.128.242 YES manual up down

Routing table of my SP for vrf LAB addresses:
ip route 10.179.128.224 255.255.255.255 172.19.0.1
ip route 10.179.128.248 255.255.255.255 172.19.128.2

Router A -- SP -- Router B:

Router A (.1) - SP (.2) 172.19.0.0/29
Router B (.2) - SP (.1) 172.19.128.0/29

Router A configuration:

interface Loopback0
 ip address 10.3.0.120 255.255.255.255

interface Loopback9312811
 description VRF LAB
 ip vrf forwarding LAB
 ip address 10.179.128.224 255.255.255.255

interface Tunnel9312800
 ip address 10.3.128.241 255.255.255.248
 tunnel source 172.19.0.1
 tunnel destination 172.19.128.2

interface Tunnel9312811
 description VRF LAB
 ip vrf forwarding LAB
 ip address 10.179.128.241 255.255.255.248
 tunnel source Loopback9312811
 tunnel destination 10.179.128.248

router ospf 1000
 router-id 10.3.0.120
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel9312800
 network 10.0.0.0 0.15.255.255 area 0.0.0.0
 default-information originate always metric 10

Router B configuration:

interface Loopback0
 ip address 10.3.128.248 255.255.255.255

interface Loopback9312811
 description VRF LAB
 ip vrf forwarding LAB
 ip address 10.179.128.248 255.255.255.255

interface Tunnel9312800
 ip address 10.3.128.242 255.255.255.248
 tunnel source 172.19.128.2
 tunnel destination 172.19.0.1

interface Tunnel9312811
 description VRF LAB
 ip vrf forwarding LAB
 ip address 10.179.128.242 255.255.255.248
 tunnel source Loopback9312811
 tunnel destination 10.179.128.224

router ospf 1000
 router-id 10.3.128.248
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel9312800
 network 10.0.0.0 0.15.255.255 area 0.0.0.0
 default-information originate always metric 10

Reply to
colin

To make a long story short, your loopbacks need to be taken out of vrf LAB.

If I understand you correctly you have a single physical link. It is in the global vrf.

You want to create two tunnels over this link. One in the global table. One in vrf LAB.

You've built the global tunnel using the physical interface endpoints as your tunnel endpoints.

You cannot reuse those endpoints for the vrf LAB tunnel because you can't have two distinct tunnels using the same tunnel source/tunnel dest pair.

So you've created a loopback interface on each end and added IP routes in the global table pointing to the loopback interface IPs and you've attempted to build your vrf LAB tunnel using those endpoints.

But you put the loopback interfaces into vrf LAB with the "ip vrf forwarding LAB" syntax. That won't work at all.

The most immediate problem it causes is that your vrf LAB tunnel finds no interface in the global table matching the "tunnel source" that you have specified. And even if you got past that, there's no route in the global routing table on the peer for the "tunnel dest" IP address that you have specified.

When building an IP tunnel in a vrf environment you need to decide two things:

  1. What vrf is the tunnel in? That is, what vrf does the interface IP fall into and where will the connected interface route show up?

You control this with "ip vrf forwarding x" under the tunnel interface configuration.

  2. What vrf is the underlying connectivity coming from? That is, what vrf are the tunnel source and tunnel dest in and what vrf has the routing table entries for this connectivity?

You control this with "tunnel vrf x" under the tunnel interface configuration. The vrf of the tunnel source and the vrf of the routing table entry for the tunnel dest must be consistent with this choice.

Reply to
briggs
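
The consistency rule from the reply above (a tunnel's source interface must sit in the VRF named by "tunnel vrf", or in the global table when no "tunnel vrf" is configured), as an added example that is not part of the thread: a small Python check run over Router A excerpts from colin's first attempt and from the working configuration posted later. The function names and the "global" label are assumptions of this example.

```python
GLOBAL = "global"  # label used here for the default (non-VRF) routing table

# Router A excerpts taken from the thread: the first attempt, then the working config.
FIRST_ATTEMPT = """
interface Loopback9312811
 ip vrf forwarding LAB
 ip address 10.179.128.224 255.255.255.255
interface Tunnel9312811
 ip vrf forwarding LAB
 tunnel source Loopback9312811
 tunnel destination 10.179.128.248
"""
WORKING = """
interface Loopback91000111
 ip address 10.177.0.232 255.255.255.255
interface Tunnel9100011
 ip vrf forwarding LAB
 tunnel source Loopback91000111
 tunnel destination 10.177.0.233
"""

def parse_interfaces(config):
    """Map interface name -> {'vrf', 'tunnel_vrf', 'source'} from IOS-style text."""
    interfaces, cur = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "interface" and len(words) > 1:
            cur = interfaces[words[1]] = dict.fromkeys(("vrf", "tunnel_vrf", "source"))
        elif not raw[0].isspace():
            cur = None  # an unindented command ends the interface block
        elif cur is not None and len(words) >= 3:
            if words[-3:-1] == ["vrf", "forwarding"]:  # "ip vrf forwarding X" / "vrf forwarding X"
                cur["vrf"] = words[-1]
            elif words[:2] == ["tunnel", "vrf"]:
                cur["tunnel_vrf"] = words[2]
            elif words[:2] == ["tunnel", "source"]:
                cur["source"] = words[2]
    return interfaces

def check_tunnels(config):
    """Return (tunnel, source, source_vrf, underlay_vrf) for each inconsistent tunnel."""
    interfaces, findings = parse_interfaces(config), []
    for name, intf in interfaces.items():
        src = interfaces.get(intf["source"])  # None when the source is an IP or unknown
        underlay = intf["tunnel_vrf"] or GLOBAL
        if src is not None and (src["vrf"] or GLOBAL) != underlay:
            findings.append((name, intf["source"], src["vrf"] or GLOBAL, underlay))
    return findings
```

The check only covers the source side; the route to the tunnel destination in the underlay table still has to be verified on the device.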

Hi briggs,

thanks for your help, it finally worked out. I will post an example of the running-config shortly.

Reply to
colin

Dear NG,

I promised a "short" example of my running config.. well, it may not be so short.. it's a crappy piece of paper now for my internal use.. but it may help others..

as promised:

-------------------------------------------------------------------------------------------------------------------------

HOW-TO: Tunneling VRF Tunnels through a Global Tunnel.

Problem as follows: I got VRFs on Router A. Between Router A or Site A and Site B / Router B, I got my local Service Provider, from where I get a routed network, and nothing more, with one address on each side. I got no possibility to tunnel dot1q or get transport VRFs on the Service Provider side. Now I want to get those VRFs between Site A and B connected over the network of my provider.

The trick is to create a tunnel over the Service Provider net, and then to tunnel your VRF tunnels through your created global tunnel, which is a little tricky.. Sooo, let's get started.. well, why don't you just go ahead and start reading through the configs... and try to return back to the text... hmm, it's rather hard to explain this one.... gonna try my best. ;-) Soo,

  1. Router A (172.19.0.1) has to be able to contact Router B (172.17.0.1) over the Service Provider (global routing; get that sorted out with your provider first). Since I can't just set up my OSPF to propagate routes over the 172.1X.0.0 networks to my Service Provider, I have to route this statically on each side:

! Route to Global Tunnel-Endpoint
ip route 172.17.0.0 255.255.255.248 172.19.0.2

  2. Then build up the Tunnel9100000.

You now should see something like this:

sh ip int brief | inc Tunnel
Tunnel9100000 10.1.0.241 YES NVRAM up up

  3. Make sure your routing protocol gets to see the other side or propagates routes over the global tunnel:

example:
router ospf 1000
 passive-interface default
 no passive-interface Tunnel9100000
 network 10.0.0.0 0.0.0.255 area 0.0.0.0

  4. Create the global loopback addresses for the VRF tunnel on each side:

example:
interface Loopback91000111
 description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
 ip address 10.177.0.232 255.255.255.255

  5. Before you start pulling the new VRF tunnels up... make sure your provider has routed your VRF tunnel endpoints correctly... you save yourself lots of time...

Provider's routes for VRF-Tunnel-Endpoints:
ip route 10.177.0.232 255.255.255.255 172.19.0.1
ip route 10.177.0.233 255.255.255.255 172.17.0.2

  6. Don't forget to put the VRF-Tunnel-Endpoints in your global routing process on each side:

router ospf 1000
 network 10.177.0.232 0.0.0.1 area 0.0.0.0

  7. And now type:

sh ip int brief | inc Tunnel
Tunnel9100000 10.1.0.241 YES NVRAM up up
Tunnel9100001 10.17.0.241 YES NVRAM up up

You're done.. now continue these steps over your X tunnels you wanna build up. A good design or a drawing helps a lot!!!

Have fun, hope it helped ya, it will help me again.... in around... 5-6 months or so..

cheers
colin.cant AT solnet.ch

----------------------------------------------------------------------------

Physical build-up:

Router A - Gi1/0/2 = Gi1/0/24 - Service Provider - Gi1/0/4 = Fa0/1 - Router B

Router A = .1 - 172.19.0.0/29 - .2 = SP = .1 - 172.17.0.0/29 - .2 = Router B

Global Tunnel:

Router A - Tun-End: 172.19.0.1 --------------- 172.17.0.2 Tun-End - Router B

Router A - 10.1.0.241 ------Global Tunnel9100000 -------- 10.1.0.242 - Router B

VRF LAB Tun: (SRCs in Global Routing Table)

Router A - Tun-SRC: 10.177.0.232 ----------- 10.177.0.233 - Tun-SRC - Router B

! Tunnel: ip vrf forwarding LAB
Router A - 10.177.0.241 ----- VRF LAB Tunnel ---------- 10.177.0.242 - Router B

==========================================================

Simulated Service Provider using a 3750:

ip routing

interface GigabitEthernet1/0/4
 no switchport
 ip address 172.17.0.1 255.255.255.248

interface GigabitEthernet1/0/24
 no switchport
 ip address 172.19.0.2 255.255.255.248

! Service Provider has to route the VRF-LABs Tunnel-Endpoints:
ip route 10.177.0.232 255.255.255.255 172.19.0.1
ip route 10.177.0.233 255.255.255.255 172.17.0.2

==========================================================

Router A (3750):

IOS used: c3750-advipservicesk9-mz.122-25.SEE3.bin

ip routing
ip cef distributed

ip vrf LAB
 description VRF LAB
 rd 65000:11

interface GigabitEthernet1/0/2
 no switchport
 ip address 172.19.0.1 255.255.255.248

! Route to Global Tunnel-Endpoint
ip route 172.17.0.0 255.255.255.248 172.19.0.2

interface Loopback11
 description VRF LAB (Effective VRF LO)
 ip vrf forwarding LAB
 ip address 10.179.0.120 255.255.255.255

interface Loopback91000111
 description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
 ip address 10.177.0.232 255.255.255.255

! Global Tunnel
interface Tunnel9100000
 description GLOBAL
 ip address 10.1.0.241 255.255.255.248
 tunnel source 172.19.0.1
 tunnel destination 172.17.0.2

! VRF LAB Tunnel
interface Tunnel9100011
 description VRF LAB
 ip vrf forwarding LAB
 ip address 10.177.0.241 255.255.255.248
 tunnel source Loopback91000111
 tunnel destination 10.177.0.233

router ospf 1000
 router-id W.X.Y.Z
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel9100000
 network 10.0.0.0 0.0.0.255 area 0.0.0.0
 network 10.177.0.232 0.0.0.1 area 0.0.0.0

==========================================================

Router B (3560):

IOS used: c3560-advipservicesk9-mz.122-35.SE1.bin

ip routing
ip cef distributed

ip vrf LAB
 description VRF LAB
 rd 65000:11

interface FastEthernet0/1
 no switchport
 ip address 172.17.0.2 255.255.255.248

! Route to Global Tunnel-Endpoint
ip route 172.19.0.0 255.255.255.248 172.17.0.1

interface Loopback9100011
 description VRF LAB (Effective VRF LO)
 ip vrf forwarding LAB
 ip address 10.177.0.248 255.255.255.255

interface Loopback91000111
 description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
 ip address 10.177.0.233 255.255.255.255

! Global Tunnel:
interface Tunnel9100000
 description GLOBAL
 ip address 10.1.0.242 255.255.255.248
 tunnel source 172.17.0.2
 tunnel destination 172.19.0.1

! VRF LAB Tunnel
interface Tunnel9100011
 description VRF LAB
 ip vrf forwarding LAB
 ip address 10.177.0.242 255.255.255.248
 tunnel source Loopback91000111
 tunnel destination 10.177.0.232

router ospf 1000
 router-id W.X.Y.Z
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel9100000
 network 10.0.0.0 0.0.0.255 area 0.0.0.0
 network 10.177.0.233 0.0.0.1 area 0.0.0.0

Reply to
colin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.