[c-nsp] VRF-LITE Route leaking for secondary ip address
Peter Rathlev
peter at rathlev.dk
Mon Aug 8 17:02:26 EDT 2011
On Mon, 2011-08-08 at 21:51 +0530, Ranjith R wrote:
> Will VRF-LITE work for secondary ip address on an interface?
I was puzzled by this question, but you're quite right: What you test
here doesn't work right for secondary addresses, at least on the
Sup720-3B SXI on which I tested.
My gut feeling is that transit traffic would work right, though I
haven't tested that. The problem seems to be with receiving the traffic.
Some observations I made:
- I could telnet to the secondary address from the global VRF, even
though I couldn't ping it.
- As expected, unless "vrf-also" is configured, telnet towards the
primary address is refused even if the source IP address is allowed
in the VTY ACL. But telnet towards the secondary address is accepted
(if the source is accepted in the VTY ACL) even without "vrf-also".
This puzzles me a lot and worries me a little.
- A traceroute towards a primary address shows the "leaking" router
two hops before starting to time out, i.e. the incoming interface
is repeated in the trace, taking the place of the destination.
ICMP based traceroute doesn't finish. UDP based traceroute finishes,
the port unreachable seems to be sent correctly.
- I could ping neither the primary nor the secondary address from
global on the device doing the "leaking" itself.
I tested it on a device with MPLS enabled, and with the host (from which
I tried connecting) several hops away. From what you see my guess is
that this isn't relevant, but it might be. (I haven't got the means to
test with this at the moment.)
--
Peter
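For readers who want to reproduce the observations above, the following is an added IOS configuration sketch, not something from the original post or its author. It shows a minimal VRF-lite leak between a VRF and the global table, an interface carrying a primary and a secondary address in that VRF, and the VTY access-class with and without "vrf-also". The VRF name (CUST), the interface, all addresses and the ACL number are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. VRF name, interface,
! addresses and ACL number are assumptions for illustration only.
ip vrf CUST
 rd 65000:1
!
! Interface in the VRF with a primary and a secondary address.
interface Vlan100
 ip vrf forwarding CUST
 ip address 10.1.0.1 255.255.255.0
 ip address 10.1.1.1 255.255.255.0 secondary
!
! Leak, global -> VRF: static routes in the global table pointing at
! the VRF interface make both connected subnets reachable from global.
ip route 10.1.0.0 255.255.255.0 Vlan100
ip route 10.1.1.0 255.255.255.0 Vlan100
!
! Leak, VRF -> global: the VRF reaches the management subnet through
! a next hop that is resolved in the global table.
ip route vrf CUST 192.168.100.0 255.255.255.0 192.168.0.1 global
!
! VTY ACL: 192.168.100.10 is the (assumed) management host in global.
access-list 10 permit 192.168.100.10
!
line vty 0 4
 ! Without "vrf-also" a session that arrives on a VRF interface is
 ! refused even if the source is permitted by the ACL:
 !   access-class 10 in
 ! With "vrf-also" such sessions are accepted:
 access-class 10 in vrf-also
```

To repeat the test, telnet and ping from the management host to 10.1.0.1 (primary) and 10.1.1.1 (secondary) once with and once without "vrf-also" on the vty lines, and compare the results with the observations listed in the post; the behaviour described there was seen on a Sup720-3B running SXI, so results on other platforms or releases may differ.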