[c-nsp] MPLS VPN with lot of PPP interfaces and central firewall (Half Duplex VRF / HDVRF)
Gerald Krause
gk at ax.tc
Mon Feb 22 17:49:35 EST 2010
On 19.02.2010 10:13, Gerald Krause wrote:
> I hope the rest of my Half Duplex VRF will work now as this initial
> problem seems to be solved.
I'm still unable to separate the branches (LANs) on the LNS/PE. I would
expect that a LAN1 behind CPE1 isn't allowed to access a LAN2 behind a
CPE2 directly through the LNS/PE, but this isn't the case.
Maybe I have a wrong understanding of how I should configure the two
Down/Up VRFs correctly and/or how the export/import works in such a
case. Any suggestions would be appreciated.
-----------------------------------------------------------------
Network:

      10.98.1.0/24          10.98.2.0/24
           /                     /
          /                     /
        LAN1                  LAN2
          |                     |
        CPE1                  CPE2
          :                     :
          :                     :
       Vi2.123               Vi2.121
            +----------+
            |  LNS/PE  |
            +----------+
               |    |
               |    |
            ...to the core
-----------------------------------------------------------------
Test from CPE1: (10.98.2.0/24 is LAN2 behind CPE2)
cpe1-vrftest#ping ip 10.98.2.1 source ethernet 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.98.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.98.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 148/153/160 ms
cpe1-vrftest#
-----------------------------------------------------------------
LNS/PE Config:
!
ip vrf VRFTEST-DOWN
rd 102:0
route-target export 102:2
!
ip vrf VRFTEST-UP
rd 101:0
route-target import 101:0
!
!
interface Loopback102
description VRFTEST
ip vrf forwarding VRFTEST-UP
ip address 10.99.17.254 255.255.255.255
!
-----------------------------------------------------------------
RADIUS:
Cisco-AVPair += ip:vrf-id=VRFTEST-UP downstream VRFTEST-DOWN
Cisco-AVPair += ip:ip-unnumbered=Loopback102
-----------------------------------------------------------------
LNS#sh user wi | inc vrftest
Vi2.121 cpe2-vrftest
Vi2.123 cpe1-vrftest
-----------------------------------------------------------------
LNS#sh vrf det
VRF VRFTEST-DOWN (VRF Id = 6); default RD 102:0; default VPNID <not set>
  Interfaces:
    Vi2.121 [D]              Vi2.123 [D]
Address family ipv4 (Table ID = 6 (0x6)):
  Export VPN route-target communities
    RT:102:2
  No Import VPN route-target communities
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 not active.

VRF VRFTEST-UP (VRF Id = 7); default RD 101:0; default VPNID <not set>
  Interfaces:
    Lo102                    Vi2.121                  Vi2.123
Address family ipv4 (Table ID = 7 (0x7)):
  No Export VPN route-target communities
  Import VPN route-target communities
    RT:101:0
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 not active.
-----------------------------------------------------------------
LNS#sh ip cef vrf VRFTEST-DOWN
Prefix               Next Hop             Interface
0.0.0.0/0            no route
0.0.0.0/8            drop
0.0.0.0/32           receive
10.98.1.0/24         10.99.17.1           Virtual-Access2.123
10.98.2.0/24         10.99.17.2           Virtual-Access2.121
10.99.17.1/32        attached             Virtual-Access2.123
10.99.17.2/32        attached             Virtual-Access2.121
127.0.0.0/8          drop
224.0.0.0/4          drop
224.0.0.0/24         receive
240.0.0.0/4          drop
255.255.255.255/32   receive

LNS#sh ip cef vrf VRFTEST-UP
Prefix               Next Hop             Interface
0.0.0.0/0            no route
0.0.0.0/8            drop
0.0.0.0/32           receive
10.99.17.254/32      receive              Loopback102
127.0.0.0/8          drop
224.0.0.0/4          drop
224.0.0.0/24         receive
240.0.0.0/4          drop
255.255.255.255/32   receive
--
Gerald
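Added example (not part of Gerald's post or any Cisco tooling): a small checker that parses the two `show ip cef vrf` tables above and reports what half-duplex VRF forwarding should do for a spoke-to-spoke destination. It assumes the HDVRF rule that a packet arriving on a spoke interface is looked up only in the upstream VRF, and the embedded tables are a trimmed, constructed copy of the outputs quoted in the post.

```python
import ipaddress

# Constructed sample: trimmed copies of the two CEF tables quoted in the post.
CEF_DOWN = """\
Prefix               Next Hop             Interface
0.0.0.0/0            no route
10.98.1.0/24         10.99.17.1           Virtual-Access2.123
10.98.2.0/24         10.99.17.2           Virtual-Access2.121
10.99.17.1/32        attached             Virtual-Access2.123
10.99.17.2/32        attached             Virtual-Access2.121
127.0.0.0/8          drop
"""
CEF_UP = """\
Prefix               Next Hop             Interface
0.0.0.0/0            no route
10.99.17.254/32      receive              Loopback102
127.0.0.0/8          drop
"""

def parse_cef(text):
    """Map each prefix to (next_hop, interface); 'no route' rows are not forwarding entries."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 2 or parts[1] == "no":  # 'no route' -> nothing to match
            continue
        iface = parts[2] if len(parts) > 2 else None
        table[ipaddress.ip_network(parts[0])] = (parts[1], iface)
    return table

def lookup(table, dst):
    """Longest-prefix match; returns (network, (next_hop, interface)) or None."""
    ip = ipaddress.ip_address(dst)
    matches = [n for n in table if ip in n]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return best, table[best]

def hdvrf_expectation(up, down, ingress_if, dst):
    """Verdict for a packet entering on a spoke interface under half-duplex VRF semantics
    (assumption: spoke ingress is looked up in the upstream VRF only)."""
    hit = lookup(up, dst)
    if hit is not None and hit[1][1] is not None:
        return "forward", f"upstream via {hit[1][1]}"
    leak = lookup(down, dst)                     # what a full-duplex lookup would have done
    if leak and leak[1][1] and leak[1][1] != ingress_if:
        return "drop", f"no upstream route; downstream VRF would hairpin via {leak[1][1]}"
    return "drop", "no upstream route"

if __name__ == "__main__":
    print(hdvrf_expectation(parse_cef(CEF_UP), parse_cef(CEF_DOWN), "Virtual-Access2.123", "10.98.2.1"))
```

Comparing the verdict with an actual ping from the CPE shows whether the LNS is really applying the upstream table to spoke-originated traffic.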