[c-nsp] cross-vrf tunnels

Tony td_miles at yahoo.com
Mon Aug 10 08:43:59 EDT 2009


Hi all,

I want to route traffic from one VRF to another VRF on the same router. I did some searching and came across a prior discussion of this very same topic:

http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html

So I decided to create a tunnel between two VRFs on the same box using loopback addresses for the tunnels.

I set it all up and I can ping from the IP of one end of the tunnel in one VRF to the other end of the tunnel in the second VRF. 

The problem I have is that traffic from other sources isn't going over the tunnel properly.

The config looks something like this:

 !
 interface Loopback 501
  ip address 10.1.41.201 255.255.255.255
 !
 interface Loopback 502
  ip address 10.1.41.202 255.255.255.255
 !
 interface Tunnel 501
  ip vrf forwarding vrf1
  ip address 10.1.41.197 255.255.255.252
  tunnel source Loopback 501
  tunnel destination 10.1.41.202
 !
 interface Tunnel 502
  ip vrf forward vrf2
  ip address 10.1.41.198 255.255.255.252
  tunnel source Loopback 502
  tunnel destination 10.1.41.201
 !

I set up a test lab with a 2611 router either side of a 7206 running 12.2(33)SRC (which is doing the VRF crossover). It's all Ethernet, no BGP, just two local VRFs on the 7200, nothing fancy.

When I attempt to ping the 2611 router on the other side (via my loopback tunnel crossover connection) I get no response.

If I look at the stats on the tunnel interface it's as if the traffic isn't going into the tunnel. The input and output counters are all staying the same. This contrasts to when I ping directly from one end of the tunnel to the other as the counters do increase (and I get responses back).

If I enable some debug, I get the following:
* Tunnel502: adjacency fixup, 10.1.41.202->10.1.41.201, tos set to 0x0
* CEF-Drop: Packet from 10.1.41.202 (Nu0) to 10.1.41.201, Unclassified reason

Which shows that my packet across the tunnel is being dropped, but I don't know why.

When I do the ping direct from one tunnel end IP to the other, I see the normal sequence of events I would expect (packet routed via RIB, packet goes into tunnel, GRE encap, packet from one loopback to other, GRE decap, etc).

Is this supposed to work? Does anyone else have it working? What might I be doing wrong?

Many thanks,
Tony.



      


