[c-nsp] Half duplex VRF

Gerald Krause gk at ax.tc
Thu Oct 11 12:20:36 EDT 2012


Hi Hitesh,

just to let you know what our working config looks like. We had some
problems in the beginning with Half duplex VRF on earlier IOS versions.
Now we're running 122-33.SRE on an NPE-G2 and it works as expected.

Traffic from site1 to site2 (both terminated via L2TP/PPP on the same
LNS) will be directed (egress) to port GE0/3.148 towards the firewall
10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall
permits the traffic.


LNS CONFIG
==========

LNS1#sh run vrf CUSTVRF-DOWN
Building configuration...

Current configuration : 603 bytes
ip vrf CUSTVRF-DOWN
 rd 100:2
 route-target export 100:2
 route-target import 100:2
!
!
interface GigabitEthernet0/3.149
 encapsulation dot1Q 149
 ip vrf forwarding CUSTVRF-DOWN
 ip address 10.99.16.227 255.255.255.240
!
router bgp 10000
 !
 address-family ipv4 vrf CUSTVRF-DOWN
  no synchronization
  redistribute connected
  redistribute static
 exit-address-family
!
end


LNS1#sh run vrf CUSTVRF-UP
Building configuration...

Current configuration : 816 bytes
ip vrf CUSTVRF-UP
 rd 100:3
 route-target export 100:3
 route-target import 100:1
!
!
interface GigabitEthernet0/3.148
 encapsulation dot1Q 148
 ip vrf forwarding CUSTVRF-UP
 ip address 10.99.16.243 255.255.255.240
!
interface Loopback102
 description CUSTVRF
 ip vrf forwarding CUSTVRF-UP
 ip address 10.99.17.254 255.255.255.255
!
router bgp 10000
 !
 address-family ipv4 vrf CUSTVRF-UP
  no synchronization
  redistribute connected
  redistribute static
  default-information originate
 exit-address-family
!
ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
end


RADIUS ACCOUNTS (FreeRADIUS)
============================

cust-vrfsite1  Password == xxxx
  Cisco-AVPair += ip:ip-unnumbered=Loopback102
  Cisco-AVPair += ip:addr=10.99.17.68
  Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
  Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0

cust-vrfsite2  Password == yyyy
  Cisco-AVPair += ip:ip-unnumbered=Loopback102
  Cisco-AVPair += ip:addr=10.99.17.69
  Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
  Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0



Gerald


On 11.10.2012 07:45, Hitesh Vinzoda wrote:
> Hi Arie,
> 
> This is already in place and the virtual-access interfaces belong to this
> vrf and so do their PPP host router.
> 
> These routes are not visible in upstream vrf U which is great but these
> routes do appear in Downstream vrf D so that is the reason they route
> locally and don't go towards hub CE.
> 
> The illustrations that I have seen before have CE sites connected on
> different PE routers whereas in my case the CE routers are connected to
> same PE and hence we want to avoid local routing on the LNS.
> 
> Please let me know your thoughts over this.
> 
> Thanks
> Hitesh
> 
> On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner)
> <avayner at cisco.com> wrote:
> 
>> So basically your PPP connections are in the global routing table…
>>
>> What is the profile you are downloading from RADIUS (debug radius) for
>> them?
>>
>> You most likely should be downloading the “ip vrf forwarding U downstream
>> D” command using the RADIUS attribute “lcp:interface-config=ip vrf
>> forwarding U downstream D”…
>>
>> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907
>>
>> Arie
>>
>> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
>> *Sent:* Wednesday, October 10, 2012 00:44
>> *To:* Arie Vayner (avayner)
>> *Cc:* Cisco Mailing list
>> *Subject:* Re: [c-nsp] Half duplex VRF
>>
>> Hi Arie,
>>
>> Below is the desired excerpt. We can't see the VRF config being applied to
>> the interfaces but it's visible in "show ip int virtual-access". I have
>> tried two different ways in RADIUS attributes but the results are the same.
>>
>> LNS#show ppp all
>> Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
>> ------------ --------------------- -------- --------------- --------------------
>> Vi4          LCP+ CHAP+ IPCP+      LocalT   192.168.254.200 \
>> spoke at cerberusnetworks.co.uk
>> Vi3          LCP+ CHAP+ IPCP+      LocalT   192.168.254.100 \
>> mpls at cerberusnetworks.co.uk
>> LNS#show run int vir
>> LNS#show run int virtual-acc
>> LNS#show run int virtual-access 3
>> Building configuration...
>>
>> Current configuration : 78 bytes
>> !
>> interface Virtual-Access3
>>  ip mtu 1492
>>  ip verify unicast reverse-path
>> end
>>
>> LNS#show run int virtual-access 4
>> Building configuration...
>>
>> Current configuration : 78 bytes
>> !
>> interface Virtual-Access4
>>  ip mtu 1492
>>  ip verify unicast reverse-path
>> end
>> =================
>>
>> LNS#show ip int virtual-access 3
>> Virtual-Access3 is up, line protocol is up
>>   Interface is unnumbered. Using address of Loopback2 (2.2.2.1)
>>   Broadcast address is 255.255.255.255
>>   Peer address is 192.168.254.100
>>   MTU is 1492 bytes
>>   Helper address is not set
>>   Directed broadcast forwarding is disabled
>>   Outgoing access list is not set
>>   Inbound  access list is not set
>>   Proxy ARP is enabled
>>   Local Proxy ARP is disabled
>>   Security level is default
>>   Split horizon is enabled
>>   ICMP redirects are always sent
>>   ICMP unreachables are always sent
>>   ICMP mask replies are never sent
>>   IP fast switching is enabled
>>   IP Flow switching is disabled
>>   IP CEF switching is enabled
>>   IP CEF switching turbo vector
>>   IP CEF turbo switching turbo vector
>>   VPN Routing/Forwarding "U"
>>   Downstream VPN Routing/Forwarding "D"
>>   Associated unicast routing topologies:
>>     ipv4 topologies in downstream VRF "D" :
>>         Topology "base", operation state is UP
>>     ipv4 topologies in upstream(forwarding) VRF "U":
>>         Topology "base", operation state is UP
>> ===============================================
>>
>> Thanks
>>
>> Hitesh
>>
>> On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) <avayner at cisco.com>
>> wrote:
>>
>> Hitesh, what does your virtual-access look like for the spokes?
>>
>> Can you please share the “show run interface virtual-access xx” for the
>> spokes?
>>
>> Tnx
>>
>> Arie
>>
>> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
>> *Sent:* Tuesday, October 09, 2012 09:05
>> *To:* Arie Vayner (avayner)
>> *Cc:* Cisco Mailing list
>> *Subject:* Re: [c-nsp] Half duplex VRF
>>
>> Hi Arie,
>>
>> I have attached topology, .Net file and configs of related devices. R8 and
>> R9 are simulating spokes whereas Internet-RTR is simulating Hub.
>>
>> Cheers
>>
>> Hitesh
>>
>> On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) <avayner at cisco.com>
>> wrote:
>>
>> Hitesh, can you maybe share some of your configs?
>> Arie
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:
>> cisco-nsp-bounces at puck.nether.net] On Behalf Of Hitesh Vinzoda
>> Sent: Tuesday, October 09, 2012 07:04
>> To: Cisco Mailing list
>> Subject: [c-nsp] Half duplex VRF
>>
>> I am trying to set up half duplex vrf to save vrf's on the LNS. Does anyone
>> have a working configuration for spokes and Hub connected on the same PE
>> router i.e. LNS. So far I am able to export-import the routes but the traces
>> from one spoke to other go directly via LNS instead of via Hub.
>>
>> Please advise.
>>
>> TIA
>> Hitesh
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
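
An added illustration, not part of the thread or of Gerald's configuration: a small Python model of the per-interface lookups his config produces, showing why site1-to-site2 traffic is forced through the firewall and what changes when subscriber routes sit in the table used for subscriber ingress. The interface labels Vi-site1/Vi-site2, the function names and the single-VRF comparison case are assumptions made for the example.

```python
import ipaddress

# Constructed model of the LNS tables implied by the config in this thread.
# Vi-site1 / Vi-site2 are hypothetical labels for the two PPP sessions.
UP, DOWN = "CUSTVRF-UP", "CUSTVRF-DOWN"

def build_tables(half_duplex=True):
    """Return {vrf: [(prefix, egress)]} for the half-duplex or single-VRF case."""
    subscriber = [
        ("10.99.17.68/32", "Vi-site1"), ("10.98.8.0/24", "Vi-site1"),
        ("10.99.17.69/32", "Vi-site2"), ("10.98.9.0/24", "Vi-site2"),
    ]
    tables = {
        UP: [("0.0.0.0/0", "GE0/3.148 -> firewall 10.99.16.254"),
             ("10.99.16.240/28", "GE0/3.148")],
        DOWN: [("10.99.16.224/28", "GE0/3.149")],
    }
    # Half duplex: per-user routes land in the downstream VRF only.
    # Comparison case: they sit in the table used for subscriber ingress.
    tables[DOWN if half_duplex else UP] += subscriber
    return tables

def ingress_vrf(interface):
    """VRF used for the lookup on packets received on `interface`."""
    return DOWN if interface == "GE0/3.149" else UP

def lookup(tables, interface, dst):
    """Longest-prefix match in the VRF bound to the receiving interface."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), egress)
               for p, egress in tables[ingress_vrf(interface)]
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, interface, dst, firewall_permits=True):
    """Hops a packet takes from a subscriber interface towards `dst`."""
    hops = [lookup(tables, interface, dst)]
    if hops[0] and "firewall" in hops[0]:
        # The firewall hands permitted traffic back on GE0/3.149.
        back = lookup(tables, "GE0/3.149", dst)
        hops.append(back if firewall_permits else "dropped by firewall")
    return hops
```

With `build_tables(half_duplex=False)` the same trace returns only `Vi-site2`, i.e. the packet is switched locally on the LNS and never reaches the firewall.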


