[c-nsp] cross-vrf tunnels

Jeff Fitzwater jfitz at Princeton.EDU
Mon Aug 10 09:24:22 EDT 2009


I believe your problem is that both ends of the tunnel have the same  
MAC address, causing ARP to fail.  You can change one end and it should  
work.

I had a similar problem with a VRF path back to global on the same router,  
but I had to use the physical interfaces to get around the "single  
lookup in CEF" issue.



Jeff Fitzwater
OIT Network Systems
Princeton University
On Aug 10, 2009, at 8:43 AM, Tony wrote:

> Hi all,
>
> I want to route traffic from one VRF to another VRF on the same  
> router. I did some searching and came across a prior discussion of  
> this very same topic:
>
> http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html
>
> So I decided to create a tunnel between two VRFs on the same box  
> using loopback addresses for the tunnels.
>
> I set it all up and I can ping from the IP of one end of the tunnel  
> in one VRF to the other end of the tunnel in the second VRF.
>
> The problem I have is that traffic from other sources isn't going  
> over the tunnel properly.
>
> The config looks something like this:
>
> !
> interface Loopback 501
>  ip address 10.1.41.201 255.255.255.255
> !
> interface Loopback 502
>  ip address 10.1.41.202 255.255.255.255
> !
> interface Tunnel 501
>  ip vrf forwarding vrf1
>  ip address 10.1.41.197 255.255.255.252
>  tunnel source Loopback 501
>  tunnel destination 10.1.41.202
> !
> interface Tunnel 502
>  ip vrf forwarding vrf2
>  ip address 10.1.41.198 255.255.255.252
>  tunnel source Loopback 502
>  tunnel destination 10.1.41.201
> !
>
> I set up a test lab with a 2611 router on either side of a 7206 running  
> 12.2(33)SRC (which is doing the VRF crossover). It's all Ethernet,  
> no BGP, just two local VRFs on the 7200, nothing fancy.
>
> When I attempt to ping the 2611 router on the other side (via my  
> loopback tunnel crossover connection) I get no response.
>
> If I look at the stats on the tunnel interface it's as if the  
> traffic isn't going into the tunnel. The input and output counters  
> are all staying the same. This contrasts with when I ping directly  
> from one end of the tunnel to the other, as the counters do increase  
> (and I get responses back).
>
> If I enable some debug, I get the following:
> * Tunnel502: adjacency fixup, 10.1.41.202->10.1.41.201, tos set to 0x0
> * CEF-Drop: Packet from 10.1.41.202 (Nu0) to 10.1.41.201,  
> Unclassified reason
>
> Which shows that my packet across the tunnel is being dropped, but I  
> don't know why.
>
> When I do the ping direct from one tunnel end IP to the other, I see  
> the normal sequence of events I would expect (packet routed via RIB,  
> packet goes into tunnel, GRE encap, packet from one loopback to  
> other, GRE decap, etc).
>
> Is this supposed to work? Does anyone else have it working? What  
> might I be doing wrong?
>
> Many thanks,
> Tony.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
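A small consistency check for the wiring Tony describes (two tunnels, each sourced from a loopback and pointed at the other tunnel's loopback, each in its own VRF, endpoints in one subnet). This is an added example, not code from the thread; the sample config is constructed from the one quoted above, and `parse_interfaces` / `check_tunnel_pair` are names chosen here. It only validates the addressing and VRF placement, not the CEF forwarding behaviour discussed in the thread.

```python
import ipaddress
import re

# Constructed sample, modelled on the configuration quoted in the post above
IOS_CONFIG = """
interface Loopback 501
 ip address 10.1.41.201 255.255.255.255
interface Loopback 502
 ip address 10.1.41.202 255.255.255.255
interface Tunnel 501
 ip vrf forwarding vrf1
 ip address 10.1.41.197 255.255.255.252
 tunnel source Loopback 501
 tunnel destination 10.1.41.202
interface Tunnel 502
 ip vrf forwarding vrf2
 ip address 10.1.41.198 255.255.255.252
 tunnel source Loopback 502
 tunnel destination 10.1.41.201
"""

def parse_interfaces(config):
    """Collect address, VRF, tunnel source and destination per interface stanza."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = line[10:].replace(" ", "")  # "Loopback 501" -> "Loopback501"
            ifaces[cur] = {}
        elif cur is None or not line or line == "!":
            continue
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            ifaces[cur]["addr"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip vrf forwarding (\S+)$", line):
            ifaces[cur]["vrf"] = m[1]
        elif m := re.match(r"tunnel source (.+)$", line):
            ifaces[cur]["src"] = m[1].replace(" ", "")
        elif m := re.match(r"tunnel destination (\S+)$", line):
            ifaces[cur]["dst"] = ipaddress.IPv4Address(m[1])
    return ifaces

def check_tunnel_pair(ifaces, a, b):
    """List problems with a cross-VRF tunnel pair; an empty list means consistent."""
    ta, tb, problems = ifaces[a], ifaces[b], []
    for name, t, peer in ((a, ta, tb), (b, tb, ta)):
        # Each tunnel must point at the address of the other tunnel's source loopback
        peer_src = ifaces.get(peer["src"], {}).get("addr")
        if peer_src is None or peer_src.ip != t["dst"]:
            problems.append(f"{name}: destination {t['dst']} is not {peer['src']}'s address")
    if ta["vrf"] == tb["vrf"]:
        problems.append("both tunnels are in the same VRF, so nothing crosses")
    if ta["addr"].network != tb["addr"].network:
        problems.append("the two tunnel endpoints are not in one subnet")
    return problems
```

Run `check_tunnel_pair(parse_interfaces(IOS_CONFIG), "Tunnel501", "Tunnel502")` to get an empty list for the quoted config; a mismatched destination or a shared VRF shows up as a message.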


