[c-nsp] MPLS VPN with lot of PPP interfaces and central firewall (Half Duplex VRF / HDVRF)

Gerald Krause gk at ax.tc
Tue Feb 23 05:40:49 EST 2010 

Am 23.02.2010 09:02, Oliver Boehmer (oboehmer) schrieb:
>  
>> Am 19.02.2010 10:13, Gerald Krause schrieb:
>>> I hope the rest of my Half Duplex VRF will work now as this initial
>>> problem seems to be solved.
>> I'am still unable to separate the branches (LANs) on the LNS/PE. I
> would
>> expect, that any certain LAN1 from CPE1 isn't allowed to access a LAN2
>> behind a CPE2 directly through the LNS/PE but this isn't the case.
>>
>> Maybe I have a wrong understanding how I should configure the two
>> Down/UP-VRFs correctly and/or how the export/import works in such a
>> case. Any suggestions would be appreciate.
> 
> Interesting.. Your config looks ok. I don't have a lab setup ready, but
> can you inject a (bogus or valid) default from a remote PE into the
> "VRFTEST-UP" so you actually provide any routing for the branches?
> 
> i.e.
> 
> hostname hub-PE
> !
> ip vrf VRFTEST-HUB
>  rd x:y
>  route-target export 101:0
>  route-target import 102:2
> !
> int lo123
>  ip vrf forwarding VRFTEST-HUB
>  ip address 1.1.1.1 255.255.255.255
> !
> router bgp ..
>  address-family ipv4 vrf VRFTEST-HUB
>   default-information originate
>   redistribute static
>   redistribute connected
> !
> ip route vrf 0.0.0.0 0.0.0.0 Null0

Hello Oli, thx for your support again. I have configured the HUB/PE as
suggested:

!
interface Loopback102
 ip vrf forwarding VRFTEST-HUB
 ip address 10.99.17.253 255.255.255.255
!
ip route vrf VRFTEST-HUB 0.0.0.0 0.0.0.0 Null0
!

The export/import looks good:

LNS#sh ip route vrf VRFTEST-DOWN
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
U        10.98.1.0/24 [1/0] via 10.99.17.1
U        10.98.2.0/24 [1/0] via 10.99.17.2
C        10.99.17.1/32 is directly connected, Virtual-Access2.123
C        10.99.17.2/32 is directly connected, Virtual-Access2.121

LNS#sh ip route vrf VRFTEST-UP
B*    0.0.0.0/0 [200/0] via x.x.x.x 00:10:25
      10.0.0.0/32 is subnetted, 2 subnets
B        10.99.17.253 [200/0] via x.x.x.x, 00:10:25
C        10.99.17.254 is directly connected, Loopback102

HUB#sh ip route vrf VRFTEST-HUB
S*    0.0.0.0/0 is directly connected, Null0
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        10.98.1.0/24 [200/0] via 212.79.49.200, 00:13:07
B        10.98.2.0/24 [200/0] via 212.79.49.200, 00:13:07
C        10.99.17.253/32 is directly connected, Loopback102

I see that a traceroute from CPE1 to CPE2 now take the path over the HUB
and then back to the LNS as expected:

cpe1-vrftest#traceroute
Target IP address: 10.98.2.1
Source address: 10.98.1.1
Tracing the route to 10.98.2.1
  1 10.99.17.254 72 msec 60 msec 64 msec   (Loopback102 LNS)
  2 10.99.17.253 68 msec 64 msec 64 msec   (Loopback102 HUB)
  3 10.99.17.254 72 msec 72 msec 64 msec   (Loopback102 LNS)
  4 10.99.17.2 152 msec *  148 msec        (CPE2)
cpe1-vrftest#

When I remove the def-route on the HUB, I'am still able to reach CPE2
from CPE1 directly over the LNS:

cpe1-vrftest#traceroute
Target IP address: 10.98.2.1
Source address: 10.98.1.1
Tracing the route to 10.98.2.1
  1 10.99.17.254 68 msec 60 msec 64 msec   (Loopback102 LNS)
  2 10.99.17.2 152 msec *  148 msec        (CPE2)

So I *can* re-direct the traffic from CPE to CPE through the HUB but in
the case the HUB fails, the CPEs are directly connected again through
the LNS/SPOKE PE. Is that the expected behaviour? Or is there still some
thing I'am missing (RPF is enabled on the Vi's)?

--
Gerald

More information about the cisco-nsp mailing list