Dear NG,
I promised a "short" example of my running config.. well it may not be so short.. it's a crappy piece of paper now for my internal use.. but it may help others..
as promised:
-------------------------------------------------------------------------------------------------------------------------
HOW-TO Tunneling VRF Tunnels through a Global Tunnel.
Problem as follows: I got VRFs on Router A, between Router A or Site A and Site B / Router B, I got my local Service Provider, where from I get a routed network, and nothing more, with one address on each side. I got no possibility to tunnel dot1q or get transport VRFs on Service Provider side. Now I want to get those VRFs between Site A and B connected over the network of my Provider. The trick is to create a Tunnel over Service Provider Net. And then to tunnel your VRF Tunnels through your created Global Tunnel, which is a little tricky.. Sooo, let's get started..well, why don't you just go ahead and start reading through the configs... and try to return back to the text... hmm, it's rather hard to explain this one.... gonna try my best. ;-) soo,
- Router A (172.19.0.1) has to be able to contact Router B (172.17.0.1) over Service Provider // global routing, get that sorted out with your provider first. Since I can't just set up my OSPF to propagate routes over the 172.1X.0.0 networks to my Service Provider, I have to route this statically on each side:

! Route to Global Tunnel-Endpoint
ip route 172.17.0.0 255.255.255.248 172.19.0.2

- Then build up the Tunnel9100000
you now should see something like this:

sh ip int brief | inc Tunnel
Tunnel9100000          10.1.0.241      YES NVRAM  up                    up

- Make sure your routing-protocol gets to see the other side or propagates routes over the global tunnel:

example:
router ospf 1000
 passive-interface default
 no passive-interface Tunnel9100000
 network 10.0.0.0 0.0.0.255 area 0.0.0.0

- Create the Global Loopback-addresses for the VRF Tunnel on each side:

example:
interface Loopback91000111
 description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
 ip address 10.177.0.232 255.255.255.255

- Before you start pulling the new VRF Tunnels up...make sure your Provider has routed your VRF Tunnel Endpoints correctly...you save yourself lots of time...

Provider's Routes for VRF-Tunnel-Endpoints:
ip route 10.177.0.232 255.255.255.255 172.19.0.1
ip route 10.177.0.233 255.255.255.255 172.17.0.2

- Don't forget to put the VRF-Tunnel-Endpoints in your Global Routing-Process on each side:

router ospf 1000
 network 10.177.0.232 0.0.0.1 area 0.0.0.0

- and now type:

sh ip int brief | inc Tunnel
Tunnel9100000          10.1.0.241      YES NVRAM  up                    up
Tunnel9100001          10.17.0.241     YES NVRAM  up                    up

you're Done.. now continue these steps over your X Tunnels you wanna build up. A good design or a drawing helps a lot!!!
Have fun, hope it helped ya, it will help me again.... in around... 5-6 months or so..
cheers colin.cant AT solnet.ch
----------------------------------------------------------------------------
Physical build-up:
Router A - Gi1/0/2 = Gi1/0/24 - Service Provider - Gi1/0/4 = Fa0/1 - Router B
Router A = .1 - 172.19.0.0/29 - .2 = SP = .1 - 172.17.0.0/29 - .2 = Router B
Global Tunnel:
Router A - Tun-End: 172.19.0.1 --------------- 172.17.0.2 Tun-End - Router B
Router A - 10.1.0.241 ------Global Tunnel9100000 -------- 10.1.0.242 - Router B
VRF LAB Tun: (SRCs in Global Routing Table)
Router A - Tun-SRC: 10.177.0.232 ----------- 10.177.0.233 - Tun-SRC - Router B
! Tunnel: ip vrf forwarding LAB
Router A - 10.177.0.241 ----- VRF LAB Tunnel ---------- 10.177.0.242 - Router B
==========================================================
Simulated Service Provider using a 3750:
ip routing

interface GigabitEthernet1/0/4
 no switchport
 ip address 172.17.0.1 255.255.255.248

interface GigabitEthernet1/0/24
 no switchport
 ip address 172.19.0.2 255.255.255.248

! Service Provider has to route the VRF-LABs Tunnel-Endpoints:
ip route 10.177.0.232 255.255.255.255 172.19.0.1
ip route 10.177.0.233 255.255.255.255 172.17.0.2
==========================================================
Router A (3750):
IOS used: c3750-advipservicesk9-mz.122-25.SEE3.bin

ip routing
ip cef distributed

ip vrf LAB
 description VRF LAB
 rd 65000:11

interface GigabitEthernet1/0/2
 no switchport
 ip address 172.19.0.1 255.255.255.248

! Route to Global Tunnel-Endpoint
ip route 172.17.0.0 255.255.255.248 172.19.0.2

interface Loopback11
 description VRF LAB (Effective VRF LO)
 ip vrf forwarding LAB
 ip address 10.179.0.120 255.255.255.255

interface Loopback91000111
 description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
 ip address 10.177.0.232 255.255.255.255

!Global Tunnel
interface Tunnel9100000
 description GLOBAL
 ip address 10.1.0.241 255.255.255.248
 tunnel source 172.19.0.1
 tunnel destination 172.17.0.2

!VRF LAB Tunnel
interface Tunnel9100011
 description VRF LAB
 ip vrf forwarding LAB
 ip address 10.177.0.241 255.255.255.248
 tunnel source Loopback91000111
 tunnel destination 10.177.0.233

router ospf 1000
 router-id W.X.Y.Z
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel9100000
 network 10.0.0.0 0.0.0.255 area 0.0.0.0
 network 10.177.0.232 0.0.0.1 area 0.0.0.0
==========================================================
Router B (3560):
IOS used: c3560-advipservicesk9-mz.122-35.SE1.bin
ip routing
ip cef distributed

ip vrf LAB
 description VRF LAB
 rd 65000:11

interface FastEthernet0/1
 no switchport
 ip address 172.17.0.2 255.255.255.248

! Route to Global Tunnel-Endpoint
ip route 172.19.0.0 255.255.255.248 172.17.0.1

interface Loopback9100011
 description VRF LAB (Effective VRF LO)
 ip vrf forwarding LAB
 ip address 10.177.0.248 255.255.255.255

interface Loopback91000111
 description VRF LAB ( Global TUNNEL LO 9XYYYZZ1 )
 ip address 10.177.0.233 255.255.255.255

!Global Tunnel:
interface Tunnel9100000
 description GLOBAL
 ip address 10.1.0.242 255.255.255.248
 tunnel source 172.17.0.2
 tunnel destination 172.19.0.1

!VRF LAB Tunnel
interface Tunnel9100011
 description VRF LAB
 ip vrf forwarding LAB
 ip address 10.177.0.242 255.255.255.248
 tunnel source Loopback91000111
 tunnel destination 10.177.0.232

router ospf 1000
 router-id W.X.Y.Z
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel9100000
 network 10.0.0.0 0.0.0.255 area 0.0.0.0
 network 10.177.0.233 0.0.0.1 area 0.0.0.0
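
An added example, not part of the original post: a small Python check that the Tunnel interfaces on Router A and Router B mirror each other, meaning each side's tunnel source is the other side's tunnel destination (resolved through the Loopback where one is referenced) and the VRF matches. The sample configs are constructed by trimming the listings above, and the function names are hypothetical.

```python
import re

# Constructed samples: only the lines the check needs, taken from the post's listings.
ROUTER_A = """interface Loopback91000111
 ip address 10.177.0.232 255.255.255.255
interface Tunnel9100000
 tunnel source 172.19.0.1
 tunnel destination 172.17.0.2
interface Tunnel9100011
 ip vrf forwarding LAB
 tunnel source Loopback91000111
 tunnel destination 10.177.0.233
"""
ROUTER_B = """interface Loopback91000111
 ip address 10.177.0.233 255.255.255.255
interface Tunnel9100000
 tunnel source 172.17.0.2
 tunnel destination 172.19.0.1
interface Tunnel9100011
 ip vrf forwarding LAB
 tunnel source Loopback91000111
 tunnel destination 10.177.0.232
"""
CMD = re.compile(r"\s+(ip address|tunnel source|tunnel destination|ip vrf forwarding) (.+)")

def parse(cfg):
    # Build {interface name: {command: argument}} for the commands in CMD.
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = out.setdefault(line.split()[1], {})
        elif cur is not None and (m := CMD.match(line)):
            cur[m.group(1)] = m.group(2).strip()
    return out

def endpoint(ifs, name, key):
    val = ifs[name][key]  # either an IP or the name of a Loopback holding the IP
    return (ifs[val]["ip address"] if val in ifs else val).split()[0]

def check_pair(cfg_a, cfg_b):
    # Return a list of mismatches for Tunnel interfaces present on both routers.
    a, b, errs = parse(cfg_a), parse(cfg_b), []
    for t in sorted(n for n in a if n.startswith("Tunnel") and n in b):
        for mine, theirs in (("tunnel source", "tunnel destination"),
                             ("tunnel destination", "tunnel source")):
            if endpoint(a, t, mine) != endpoint(b, t, theirs):
                errs.append(f"{t}: A {mine} != B {theirs}")
        if a[t].get("ip vrf forwarding") != b[t].get("ip vrf forwarding"):
            errs.append(f"{t}: VRF differs")
    return errs
```

An empty list from `check_pair(ROUTER_A, ROUTER_B)` means both the global tunnel and the VRF LAB tunnel are mirrored; any entry names the tunnel and the side that is off.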