[c-nsp] cross-vrf tunnels

Tony td_miles at yahoo.com
Mon Aug 10 17:54:51 EDT 2009 

Hi Jeff,

Thanks for the suggestion. The tunnel interfaces don't have a MAC address (under "show int tun501"), but I added a different one to each tunnel anyway (and now it. The outcome was no different, still no traffic and packets still being dropped by CEF.

I tried to add a MAC to the loopback interfaces, but it wouldn't let me.

So your tunnel from VRF to global routing table works ok ?

I have been looking at stuff on packet recirculation, but it all seems to apply to 6500/7600 with no references for anything smaller than this ?


I am aware that I could leak routes between VRF's, but I'd prefer to do it this way if it's at all possible.



Thanks,
Tony.


--- On Mon, 10/8/09, Jeff Fitzwater <jfitz at Princeton.EDU> wrote:

> From: Jeff Fitzwater <jfitz at Princeton.EDU>
> Subject: Re: [c-nsp] cross-vrf tunnels
> To: "Tony" <td_miles at yahoo.com>
> Cc: cisco-nsp at puck.nether.net
> Date: Monday, 10 August, 2009, 11:24 PM
> I believe your problem is that both
> ends of the tunnel have the same mac address causing arp to
> fail.  You can change one end and it should work.
> 
> I had similar problem with VRF path back to global on the
> same router, but I had to use the physical interfaces to get
> around the "single lookup in cef issue".
> 
> 
> 
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
> On Aug 10, 2009, at 8:43 AM, Tony wrote:
> 
> > Hi all,
> > 
> > I want to route traffic from one VRF to another VRF on
> the same router. I did some searching and came across a
> prior discussion of this very same topic:
> > 
> > http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html
> > 
> > So I decided to create a tunnel between two VRF's on
> the same box using loopback addresses for the tunnels.
> > 
> > I set it all up and I can ping from the IP of one end
> of the tunnel in one VRF to the other end of the tunnel in
> the second VRF.
> > 
> > The problem I have is that traffic from other sources
> isn't going over the tunnel properly.
> > 
> > The config looks something like this:
> > 
> > !
> > interface Loopback 501
> >  ip address 10.1.41.201 255.255.255.255
> > !
> > interface Loopback 502
> >  ip address 10.1.41.202 255..255.255.255
> > !
> > interface Tunnel 501
> >  ip vrf forwarding vrf1
> >  ip address 10.1.41.197 255.255.255.252
> >  tunnel source Loopback 501
> >  tunnel destination 10.1.41.202
> > !
> > interface Tunnel 502
> >  ip vrf forward vrf2
> >  ip address 10.1.41.198 255.255.255.252
> >  tunnel source Loopback 502
> >  tunnel destination 10.1.41.201
> > !
> > 
> > I setup a test lab with a 2611 router either side of a
> 7206 running 12.2(33)SRC (which is doing the VRF crossover).
> It's all ethernet, no BGP, just two local VRF's on the 7200,
> nothing fancy.
> > 
> > When I attempt to ping the 2611 router on the other
> side (via my loopback tunnel crossover connection) I get no
> response.
> > 
> > If I look at the stats on the tunnel interface it's as
> if the traffic isn't going into the tunnel. The input and
> output counters are all staying the same. This contrasts to
> when I ping directly from one end of the tunnel to the other
> as the counters do increase (and I get responses back).
> > 
> > If I enable some debug, I get the following:
> > * Tunnel502: adjacency fixup,
> 10.1.41.202->10.1.41.201, tos set to 0x0
> > * CEF-Drop: Packet from 10.1.41.202 (Nu0) to
> 10..1.41.201, Unclassified reason
> > 
> > Which shows that my packet across the tunnel is being
> dropped, but I don't know why.
> > 
> > When I do the ping direct from one tunnel end IP to
> the other, I see the normal sequence of events I would
> expect (packet routed via RIB, packet goes into tunnel, GRE
> encap, packet from one loopback to other, GRE decap, etc).
> > 
> > Is this supposed to work ? Does anyone else have it
> working ? What might I be doing wrong ?
> > 
> > Many thanks,
> > Tony.
> > 
> > 
> > 
> > 
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether..net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
>

More information about the cisco-nsp mailing list