[c-nsp] Half duplex VRF

Mohammad Khalil eng_mssk at hotmail.com
Tue Oct 23 07:51:38 EDT 2012 

I have read that the hub and spoke VRF only works with virtual templates ?
And , it's supposed to be configured with AAA server right ?

Thanks

BR,
Mohammad

> Date: Fri, 12 Oct 2012 15:15:55 +0530
> From: vinzoda.hitesh at gmail.com
> To: gk at ax.tc
> CC: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Half duplex VRF
> 
> Hi Gerald,
> 
> I have tested this and worked like charm.. thanks for sharing the working
> configuration.
> 
> Best Regards
> Hitesh
> 
> On Fri, Oct 12, 2012 at 9:02 AM, Hitesh Vinzoda <vinzoda.hitesh at gmail.com>wrote:
> 
> > Hi Gerald,
> >
> > Thanks for your inputs. Will try this configuration and let you know how
> > it goes..!
> >
> > Cheers
> > Hitesh
> >
> >
> > On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause <gk at ax.tc> wrote:
> >
> >> Hi Hitesh,
> >>
> >> just to let you know how our working config looks like. We had some
> >> problems in the beginning with Half duplex VRF on earlier IOS versions.
> >> Now we're running 122-33.SRE on a NPE-G2 and it works as expected.
> >>
> >> Traffic from site1 to site2 (both terminated via L2TP/PPP on the same
> >> LNS) will be directed (egress) to port GE0/3.148 towards the firewall
> >> 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall
> >> permit the traffic.
> >>
> >>
> >> LNS CONFIG
> >> ==========
> >>
> >> LNS1#sh run vrf CUSTVRF-DOWN
> >> Building configuration...
> >>
> >> Current configuration : 603 bytes
> >> ip vrf CUSTVRF-DOWN
> >>  rd 100:2
> >>  route-target export 100:2
> >>  route-target import 100:2
> >> !
> >> !
> >> interface GigabitEthernet0/3.149
> >>  encapsulation dot1Q 149
> >>  ip vrf forwarding CUSTVRF-DOWN
> >>  ip address 10.99.16.227 255.255.255.240
> >> !
> >> router bgp 10000
> >>  !
> >>  address-family ipv4 vrf CUSTVRF-DOWN
> >>   no synchronization
> >>   redistribute connected
> >>   redistribute static
> >>  exit-address-family
> >> !
> >> end
> >>
> >>
> >> LNS1#sh run vrf CUSTVRF-UP
> >> Building configuration...
> >>
> >> Current configuration : 816 bytes
> >> ip vrf CUSTVRF-UP
> >>  rd 100:3
> >>  route-target export 100:3
> >>  route-target import 100:1
> >> !
> >> !
> >> interface GigabitEthernet0/3.148
> >>  encapsulation dot1Q 148
> >>  ip vrf forwarding CUSTVRF-UP
> >>  ip address 10.99.16.243 255.255.255.240
> >> !
> >> interface Loopback102
> >>  description CUSTVRF
> >>  ip vrf forwarding CUSTVRF-UP
> >>  ip address 10.99.17.254 255.255.255.255
> >> !
> >> router bgp 10000
> >>  !
> >>  address-family ipv4 vrf CUSTVRF-UP
> >>   no synchronization
> >>   redistribute connected
> >>   redistribute static
> >>   default-information originate
> >>  exit-address-family
> >> !
> >> ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
> >> end
> >>
> >>
> >> RADIUS ACCOUNTS (freeRadius)
> >> ===============
> >>
> >> cust-vrfsite1  Password == xxxx
> >>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
> >>   Cisco-AVPair += ip:addr=10.99.17.68
> >>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
> >>   Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0
> >>
> >> cust-vrfsite2  Password == yyyy
> >>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
> >>   Cisco-AVPair += ip:addr=10.99.17.69
> >>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
> >>   Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0
> >>
> >>
> >>
> >> Gerald
> >>
> >>
> >> Am 11.10.2012 07:45, schrieb Hitesh Vinzoda:
> >> > Hi Arie,
> >> >
> >> > This is already in place and the virtual-access interfaces belongs to
> >> this
> >> > vrf and so do their PPP host router.
> >> >
> >> > This routes are not visible in upstream vrt U which is great but these
> >> > routes do appear in Downstream vrf D so that is the reason they route
> >> > locally and doesnt go towards hub CE.
> >> >
> >> > The illustrations that i have seen before have CE sites connected on
> >> > different PE routers whereas in my case the CE routers are connected to
> >> > same PE and hence we want to avoid local routing on the LNS.
> >> >
> >> > Please let me know your thoughts over this.
> >> >
> >> > Thanks
> >> > Hitesh
> >> >
> >> > On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner)
> >> > <avayner at cisco.com>wrote:
> >> >
> >> >>  So basically your PPP connections are in the global routing table…****
> >> >>
> >> >> What is the profile you are downloading from RADIUS (debug radius) for
> >> >> them?****
> >> >>
> >> >> ** **
> >> >>
> >> >> You most likely should be downloading the “ip vrf forwarding U
> >> downstream
> >> >> D” command using the RADIUS attribute “lcp:interface-config=ip vrf
> >> >> forwarding U downstream D”…****
> >> >>
> >> >>
> >> >>
> >> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907
> >> >> ****
> >> >>
> >> >> ** **
> >> >>
> >> >> Arie****
> >> >>
> >> >> ** **
> >> >>
> >> >> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
> >> >> *Sent:* Wednesday, October 10, 2012 00:44
> >> >>
> >> >> *To:* Arie Vayner (avayner)
> >> >> *Cc:* Cisco Mailing list
> >> >> *Subject:* Re: [c-nsp] Half duplex VRF****
> >> >>
> >> >> ** **
> >> >>
> >> >> Hi Arie,****
> >> >>
> >> >> ** **
> >> >>
> >> >> Below is the desired excerpt. We can't see the VRF config being
> >> applied to
> >> >> the interfaces but its visible in "show ip int virtual-access". I have
> >> >> tried two different way in RADIUS attributes but the results are the
> >> same.
> >> >> ****
> >> >>
> >> >> ** **
> >> >>
> >> >> LNS#show ppp all****
> >> >>
> >> >> Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer
> >> Name****
> >> >>
> >> >> ------------ --------------------- -------- ---------------
> >> >> --------------------****
> >> >>
> >> >> Vi4          LCP+ CHAP+ IPCP+      LocalT   192.168.254.200 \****
> >> >>
> >> >> spoke at cerberusnetworks.co.uk****
> >> >>
> >> >> Vi3          LCP+ CHAP+ IPCP+      LocalT   192.168.254.100 \****
> >> >>
> >> >> mpls at cerberusnetworks.co.uk****
> >> >>
> >> >> LNS#show run int vir****
> >> >>
> >> >> LNS#show run int virtual-acc****
> >> >>
> >> >> LNS#show run int virtual-access 3****
> >> >>
> >> >> Building configuration...****
> >> >>
> >> >> ** **
> >> >>
> >> >> Current configuration : 78 bytes****
> >> >>
> >> >> !****
> >> >>
> >> >> interface Virtual-Access3****
> >> >>
> >> >>  ip mtu 1492****
> >> >>
> >> >>  ip verify unicast reverse-path****
> >> >>
> >> >> end****
> >> >>
> >> >> ** **
> >> >>
> >> >> LNS#show run int virtual-access 4****
> >> >>
> >> >> Building configuration...****
> >> >>
> >> >> ** **
> >> >>
> >> >> Current configuration : 78 bytes****
> >> >>
> >> >> !****
> >> >>
> >> >> interface Virtual-Access4****
> >> >>
> >> >>  ip mtu 1492****
> >> >>
> >> >>  ip verify unicast reverse-path****
> >> >>
> >> >> end****
> >> >>
> >> >> =================****
> >> >>
> >> >> ** **
> >> >>
> >> >> LNS#show ip int virtual-access 3****
> >> >>
> >> >> Virtual-Access3 is up, line protocol is up****
> >> >>
> >> >>   Interface is unnumbered. Using address of Loopback2 (2.2.2.1)****
> >> >>
> >> >>   Broadcast address is 255.255.255.255****
> >> >>
> >> >>   Peer address is 192.168.254.100****
> >> >>
> >> >>   MTU is 1492 bytes****
> >> >>
> >> >>   Helper address is not set****
> >> >>
> >> >>   Directed broadcast forwarding is disabled****
> >> >>
> >> >>   Outgoing access list is not set****
> >> >>
> >> >>   Inbound  access list is not set****
> >> >>
> >> >>   Proxy ARP is enabled****
> >> >>
> >> >>   Local Proxy ARP is disabled****
> >> >>
> >> >>   Security level is default****
> >> >>
> >> >>   Split horizon is enabled****
> >> >>
> >> >>   ICMP redirects are always sent****
> >> >>
> >> >>   ICMP unreachables are always sent****
> >> >>
> >> >>   ICMP mask replies are never sent****
> >> >>
> >> >>   IP fast switching is enabled****
> >> >>
> >> >>   IP Flow switching is disabled****
> >> >>
> >> >>   IP CEF switching is enabled****
> >> >>
> >> >>   IP CEF switching turbo vector****
> >> >>
> >> >>   IP CEF turbo switching turbo vector****
> >> >>
> >> >>   VPN Routing/Forwarding "U"****
> >> >>
> >> >>   Downstream VPN Routing/Forwarding "D"****
> >> >>
> >> >>   Associated unicast routing topologies:****
> >> >>
> >> >>     ipv4 topologies in downstream VRF "D" :****
> >> >>
> >> >>         Topology "base", operation state is UP****
> >> >>
> >> >>     ipv4 topologies in upstream(forwarding) VRF "U":****
> >> >>
> >> >>         Topology "base", operation state is UP****
> >> >>
> >> >> ===============================================****
> >> >>
> >> >> Thanks****
> >> >>
> >> >> Hitesh****
> >> >>
> >> >> ** **
> >> >>
> >> >> On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) <
> >> avayner at cisco.com>
> >> >> wrote:****
> >> >>
> >> >> Hitesh, how does your virtual-access look like for the spokes?****
> >> >>
> >> >> Can you please share the “show run interface virtual-access xx” for the
> >> >> spokes?****
> >> >>
> >> >>  ****
> >> >>
> >> >> Tnx****
> >> >>
> >> >> Arie****
> >> >>
> >> >>  ****
> >> >>
> >> >> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
> >> >> *Sent:* Tuesday, October 09, 2012 09:05
> >> >> *To:* Arie Vayner (avayner)
> >> >> *Cc:* Cisco Mailing list
> >> >> *Subject:* Re: [c-nsp] Half duplex VRF****
> >> >>
> >> >>  ****
> >> >>
> >> >> Hi Arie,****
> >> >>
> >> >>  ****
> >> >>
> >> >> I have attached topology, .Net file and configs of related devices. R8
> >> and
> >> >> R9 are simulating spokes whereas Internet-RTR is simulating Hub.****
> >> >>
> >> >>  ****
> >> >>
> >> >> Cheers****
> >> >>
> >> >>  ****
> >> >>
> >> >> Hitesh****
> >> >>
> >> >> On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) <
> >> avayner at cisco.com>
> >> >> wrote:****
> >> >>
> >> >> Hitesh, can you maybe share some of your configs?
> >> >> Arie****
> >> >>
> >> >>
> >> >> -----Original Message-----
> >> >> From: cisco-nsp-bounces at puck.nether.net [mailto:
> >> >> cisco-nsp-bounces at puck.nether.net] On Behalf Of Hitesh Vinzoda
> >> >> Sent: Tuesday, October 09, 2012 07:04
> >> >> To: Cisco Mailing list
> >> >> Subject: [c-nsp] Half duplex VRF
> >> >>
> >> >> I am trying to setup half duplex vrf to save vrf's on the LNS. Does
> >> anyone
> >> >> has working configuration for spokes and Hub connected on the same PE
> >> >> router i.e. LNS. So far i able to export-import the routes but the
> >> traces
> >> >> from one spoke to other goes directly via LNS instead of via Hub.
> >> >>
> >> >> Please advise.
> >> >>
> >> >> TIA
> >> >> Hitesh****
> >> >>
> >> >> _______________________________________________
> >> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/****
> >> >>
> >> >>  ****
> >> >>
> >> >> ** **
> >> >>
> >> > _______________________________________________
> >> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >> >
> >>
> >>
> >
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list