[c-nsp] Inserting a default route into a MPLS/VPN pointing out of the VRF

Tony td_miles at yahoo.com
Thu Oct 22 03:05:50 EDT 2009


--- On Wed, 21/10/09, Justin Shore <justin at justinshore.com> wrote:

> From: Justin Shore <justin at justinshore.com>
> Subject: Re: [c-nsp] Inserting a default route into a MPLS/VPN pointing out of the VRF
> To: "Brett Frankenberger" <rbf+cisco-nsp at panix.com>
> Cc: "'Cisco-nsp'" <cisco-nsp at puck.nether.net>
> Received: Wednesday, 21 October, 2009, 7:41 AM
> Brett Frankenberger wrote:
> > Cisco has no support for:
> >    ip route vrf vrfX x.x.x.x/x next-hop next-hop vrfY
> > where the traffic in vrfX matching that route would be sent over into vrfY
> > (and then forwarded according to vrfY's forwarding table).  (Some other
> > vendors can do that.)  (In your case, you want "vrfY" to be "global",
> > but that's not doable either.)
> >
> > On some platforms, this can be done with tunnels instead of physical
> > interfaces to avoid using two physical ports and dealing with the risk
> > that those ports might fail:
> >     int lo1
> >      ip address z.z.z.10/32
> >     int lo2
> >      ip address x.x.x.20/32
> >     int tun1
> >      ip address x.x.x.1/30
> >      tunnel source lo1
> >      tunnel destination x.x.x.20
> >     int tun2
> >      ip vrf forwarding vrfX
> >      ip address x.x.x.2/30
> >      tunnel source lo2
> >      tunnel destination x.x.x.20
> >     ip route vrf vrfX 0.0.0.0/0 tun2
> > How well this works depends on how tunnels are implemented on the
> > platform you're using.  It works fine on software-based routers.
> > ASR1000s worked OK in my testing.  Never tried 6500/7600s.
>
> This is a thought.  I haven't tried it on 7600s either but it's worth
> trying to see if it would work.


I tried this a couple of months ago on a 7609 with SRD1 and couldn't get it to work. The traffic couldn't/wouldn't go through the tunnels properly. After wrestling with it on & off for about two weeks I ended up doing it using a variation on physical interfaces.

Because the 6500/7600 has the limitation of global VLAN significance across all LAN cards, you can't even use two ports on the same 7609 and just run a crossover trunk between them because the VLAN will be the "same" on both of the ports. We had to run a crossover cable trunk from one box to another and then put one end of the VLAN on first box into vrfX and the other end of the VLAN on second box into vrfY.

It's horrible and I feel like I need to have a shower after every time I think about it, but it was the only solution that we could come up with that works without burning a lot of ports on the 7609 (two for each vrf cross connect). The only thing that calms me slightly is that it's only for a few Mbps of traffic for us and it won't be a huge setback if something dies and it stops working until we can fix it up.

Before trying it on the 7600 I tested it with 7200 on dynamips and was able to get it working with tunnels on the same box after some fiddling around. I had to disable and re-enable ip route-cache on the fast ethernet interfaces even though the tunnel was between loopbacks ?

I'd encourage you to try the tunnel method and would be very pleased to hear if you manage to get it working on the 7600.


regards,
Tony.
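An added model of the table hops behind the tunnel trick discussed in this thread; it is not code from the thread or from Cisco. It assumes a pair of GRE tunnels whose destinations point at each other's source loopback (the quoted config lists the same destination for both, which is taken here to be a placeholder), documentation addresses in place of the x.x.x.x values, and the IOS behaviour that a tunnel interface placed in a VRF still has its outer header routed in the global table when no "tunnel vrf" is configured. The trace it produces is the check a practitioner wants before leaking a default route out of a VRF: which tables the packet actually crosses, and whether the return direction stays closed unless a route is added for it.

```python
import ipaddress
from typing import Optional


class Fib:
    """Per-VRF forwarding table doing longest-prefix match (constructed model)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes = []  # (network, outgoing interface or next-hop label)

    def add(self, prefix: str, via: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        matches = [(net, via) for net, via in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


# Hypothetical tunnel pair modelled on the quoted config: Tunnel2 is placed in vrfX,
# Tunnel1 stays global. The outer GRE header is routed in the global table for both,
# because neither has "tunnel vrf" set. Addresses are RFC 5737 documentation space.
TUNNELS = {
    "Tunnel2": {"vrf": "vrfX", "outer_table": "global",
                "outer_dst": "192.0.2.10", "peer": "Tunnel1"},
    "Tunnel1": {"vrf": "global", "outer_table": "global",
                "outer_dst": "192.0.2.20", "peer": "Tunnel2"},
}
# Loopbacks hosting the tunnel endpoints; both are on the same box, in global.
LOCAL_LOOPBACKS = {"192.0.2.10": "Loopback1", "192.0.2.20": "Loopback2"}


def build_tables() -> dict:
    """Constructed global and vrfX tables (assumed, not from the thread)."""
    tables = {"global": Fib("global"), "vrfX": Fib("vrfX")}
    tables["global"].add("0.0.0.0/0", "GigabitEthernet0/1 (upstream)")
    tables["global"].add("192.0.2.10/32", "Loopback1")
    tables["global"].add("192.0.2.20/32", "Loopback2")
    tables["global"].add("198.51.100.0/30", "Tunnel1")
    tables["vrfX"].add("10.0.0.0/8", "GigabitEthernet0/2 (customer)")
    tables["vrfX"].add("198.51.100.0/30", "Tunnel2")
    tables["vrfX"].add("0.0.0.0/0", "Tunnel2")  # ip route vrf vrfX 0.0.0.0/0 tun2
    return tables


def forward(tables: dict, vrf: str, dst: str, max_hops: int = 6) -> list:
    """Trace the (table, result) lookups a packet goes through until it leaves
    on a non-tunnel interface or fails to resolve."""
    trace = []
    table = vrf
    for _ in range(max_hops):
        via = tables[table].lookup(dst)
        trace.append((table, via))
        if via is None or via not in TUNNELS:
            return trace
        tun = TUNNELS[via]
        # Encapsulation: the outer header is resolved in the tunnel's outer table.
        outer_via = tables[tun["outer_table"]].lookup(tun["outer_dst"])
        trace.append((tun["outer_table"], outer_via))
        if outer_via != LOCAL_LOOPBACKS.get(tun["outer_dst"]):
            return trace  # endpoint is remote or unreachable; trace ends here
        # Endpoint is a local loopback: decapsulate on the peer tunnel and
        # continue the lookup in the peer tunnel's VRF.
        table = TUNNELS[tun["peer"]]["vrf"]
    return trace


if __name__ == "__main__":
    t = build_tables()
    for vrf, dst in (("vrfX", "203.0.113.5"), ("vrfX", "10.1.2.3"), ("global", "10.1.2.3")):
        print(vrf, dst, "->", forward(t, vrf, dst))
```

Internet-bound traffic from vrfX is shown crossing vrfX, then global for the outer header (terminating on Loopback1), then global again for the inner packet. A packet arriving in global for the customer's 10/8 space follows the global default instead, which is the point to verify: the leak is one-way until someone adds a route into Tunnel1.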





