[c-nsp] Half duplex VRF

Hitesh Vinzoda vinzoda.hitesh at gmail.com
Thu Oct 11 23:32:14 EDT 2012


Hi Gerald,

Thanks for your inputs. Will try this configuration and let you know how it
goes..!

Cheers
Hitesh

On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause <gk at ax.tc> wrote:

> Hi Hitesh,
>
> just to let you know what our working config looks like. We had some
> problems in the beginning with Half duplex VRF on earlier IOS versions.
> Now we're running 122-33.SRE on an NPE-G2 and it works as expected.
>
> Traffic from site1 to site2 (both terminated via L2TP/PPP on the same
> LNS) will be directed (egress) to port GE0/3.148 towards the firewall
> 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall
> permits the traffic.
>
>
> LNS CONFIG
> ==========
>
> LNS1#sh run vrf CUSTVRF-DOWN
> Building configuration...
>
> Current configuration : 603 bytes
> ip vrf CUSTVRF-DOWN
>  rd 100:2
>  route-target export 100:2
>  route-target import 100:2
> !
> !
> interface GigabitEthernet0/3.149
>  encapsulation dot1Q 149
>  ip vrf forwarding CUSTVRF-DOWN
>  ip address 10.99.16.227 255.255.255.240
> !
> router bgp 10000
>  !
>  address-family ipv4 vrf CUSTVRF-DOWN
>   no synchronization
>   redistribute connected
>   redistribute static
>  exit-address-family
> !
> end
>
>
> LNS1#sh run vrf CUSTVRF-UP
> Building configuration...
>
> Current configuration : 816 bytes
> ip vrf CUSTVRF-UP
>  rd 100:3
>  route-target export 100:3
>  route-target import 100:1
> !
> !
> interface GigabitEthernet0/3.148
>  encapsulation dot1Q 148
>  ip vrf forwarding CUSTVRF-UP
>  ip address 10.99.16.243 255.255.255.240
> !
> interface Loopback102
>  description CUSTVRF
>  ip vrf forwarding CUSTVRF-UP
>  ip address 10.99.17.254 255.255.255.255
> !
> router bgp 10000
>  !
>  address-family ipv4 vrf CUSTVRF-UP
>   no synchronization
>   redistribute connected
>   redistribute static
>   default-information originate
>  exit-address-family
> !
> ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
> end
>
>
> RADIUS ACCOUNTS (freeRadius)
> ===============
>
> cust-vrfsite1  Password == xxxx
>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>   Cisco-AVPair += ip:addr=10.99.17.68
>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>   Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0
>
> cust-vrfsite2  Password == yyyy
>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>   Cisco-AVPair += ip:addr=10.99.17.69
>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>   Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0
>
>
>
> Gerald
>
>
> On 11.10.2012 07:45, Hitesh Vinzoda wrote:
> > Hi Arie,
> >
> > This is already in place and the virtual-access interfaces belong to
> > this vrf and so do their PPP host router.
> >
> > These routes are not visible in upstream vrf U which is great but these
> > routes do appear in Downstream vrf D so that is the reason they route
> > locally and don't go towards hub CE.
> >
> > The illustrations that I have seen before have CE sites connected on
> > different PE routers whereas in my case the CE routers are connected to
> > same PE and hence we want to avoid local routing on the LNS.
> >
> > Please let me know your thoughts over this.
> >
> > Thanks
> > Hitesh
> >
> > On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner)
> > <avayner at cisco.com> wrote:
> >
> >> So basically your PPP connections are in the global routing table…
> >>
> >> What is the profile you are downloading from RADIUS (debug radius) for
> >> them?
> >>
> >> You most likely should be downloading the “ip vrf forwarding U downstream
> >> D” command using the RADIUS attribute “lcp:interface-config=ip vrf
> >> forwarding U downstream D”…
> >>
> >> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907
> >>
> >> Arie
> >>
> >> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
> >> *Sent:* Wednesday, October 10, 2012 00:44
> >> *To:* Arie Vayner (avayner)
> >> *Cc:* Cisco Mailing list
> >> *Subject:* Re: [c-nsp] Half duplex VRF
> >>
> >> Hi Arie,
> >>
> >> Below is the desired excerpt. We can't see the VRF config being applied to
> >> the interfaces but it's visible in "show ip int virtual-access". I have
> >> tried two different ways in RADIUS attributes but the results are the same.
> >>
> >> LNS#show ppp all
> >> Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
> >> ------------ --------------------- -------- --------------- --------------------
> >> Vi4          LCP+ CHAP+ IPCP+      LocalT   192.168.254.200 \
> >> spoke at cerberusnetworks.co.uk
> >> Vi3          LCP+ CHAP+ IPCP+      LocalT   192.168.254.100 \
> >> mpls at cerberusnetworks.co.uk
> >> LNS#show run int vir
> >> LNS#show run int virtual-acc
> >> LNS#show run int virtual-access 3
> >> Building configuration...
> >>
> >> Current configuration : 78 bytes
> >> !
> >> interface Virtual-Access3
> >>  ip mtu 1492
> >>  ip verify unicast reverse-path
> >> end
> >>
> >> LNS#show run int virtual-access 4
> >> Building configuration...
> >>
> >> Current configuration : 78 bytes
> >> !
> >> interface Virtual-Access4
> >>  ip mtu 1492
> >>  ip verify unicast reverse-path
> >> end
> >> =================
> >>
> >> LNS#show ip int virtual-access 3
> >> Virtual-Access3 is up, line protocol is up
> >>   Interface is unnumbered. Using address of Loopback2 (2.2.2.1)
> >>   Broadcast address is 255.255.255.255
> >>   Peer address is 192.168.254.100
> >>   MTU is 1492 bytes
> >>   Helper address is not set
> >>   Directed broadcast forwarding is disabled
> >>   Outgoing access list is not set
> >>   Inbound  access list is not set
> >>   Proxy ARP is enabled
> >>   Local Proxy ARP is disabled
> >>   Security level is default
> >>   Split horizon is enabled
> >>   ICMP redirects are always sent
> >>   ICMP unreachables are always sent
> >>   ICMP mask replies are never sent
> >>   IP fast switching is enabled
> >>   IP Flow switching is disabled
> >>   IP CEF switching is enabled
> >>   IP CEF switching turbo vector
> >>   IP CEF turbo switching turbo vector
> >>   VPN Routing/Forwarding "U"
> >>   Downstream VPN Routing/Forwarding "D"
> >>   Associated unicast routing topologies:
> >>     ipv4 topologies in downstream VRF "D" :
> >>         Topology "base", operation state is UP
> >>     ipv4 topologies in upstream(forwarding) VRF "U":
> >>         Topology "base", operation state is UP
> >> ===============================================
> >>
> >> Thanks
> >>
> >> Hitesh
> >>
> >> On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) <avayner at cisco.com>
> >> wrote:
> >>
> >> Hitesh, what does your virtual-access look like for the spokes?
> >>
> >> Can you please share the “show run interface virtual-access xx” for the
> >> spokes?
> >>
> >> Tnx
> >>
> >> Arie
> >>
> >> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
> >> *Sent:* Tuesday, October 09, 2012 09:05
> >> *To:* Arie Vayner (avayner)
> >> *Cc:* Cisco Mailing list
> >> *Subject:* Re: [c-nsp] Half duplex VRF
> >>
> >> Hi Arie,
> >>
> >> I have attached topology, .Net file and configs of related devices. R8 and
> >> R9 are simulating spokes whereas Internet-RTR is simulating Hub.
> >>
> >> Cheers
> >>
> >> Hitesh
> >>
> >> On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) <avayner at cisco.com>
> >> wrote:
> >>
> >> Hitesh, can you maybe share some of your configs?
> >> Arie
> >>
> >>
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net [mailto:
> >> cisco-nsp-bounces at puck.nether.net] On Behalf Of Hitesh Vinzoda
> >> Sent: Tuesday, October 09, 2012 07:04
> >> To: Cisco Mailing list
> >> Subject: [c-nsp] Half duplex VRF
> >>
> >> I am trying to set up half duplex vrf to save vrf's on the LNS. Does anyone
> >> have a working configuration for spokes and Hub connected on the same PE
> >> router i.e. LNS. So far I am able to export-import the routes but the traces
> >> from one spoke to other go directly via LNS instead of via Hub.
> >>
> >> Please advise.
> >>
> >> TIA
> >> Hitesh
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
>
>
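
Added example, not part of the original thread or of either poster's configuration: a Python check that the upstream VRF named in the RADIUS vrf-id attribute does not import a route-target exported by its downstream VRF (which would put spoke routes in the upstream table and let spoke-to-spoke traffic bypass the firewall) and that it carries a static default route. GOOD_IOS and USERS are taken from the config quoted above; BAD_IOS is a constructed misconfiguration, parse_vrfs and check_hdvrf are hypothetical helper names, and route-target import is assumed to be the only leak path checked.

```python
import re
# VRF definitions and default route as quoted in the thread.
GOOD_IOS = """\
ip vrf CUSTVRF-DOWN
 rd 100:2
 route-target export 100:2
 route-target import 100:2
!
ip vrf CUSTVRF-UP
 rd 100:3
 route-target export 100:3
 route-target import 100:1
!
ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
"""
# Constructed misconfiguration: upstream imports the downstream RT, default route missing.
BAD_IOS = GOOD_IOS.replace("import 100:1", "import 100:2").replace(
    "ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254\n", "")
USERS = "Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN\n"

def parse_vrfs(ios_text):
    """Map VRF name -> import/export route-targets and static-default flag."""
    vrfs, current = {}, None
    blank = lambda: {"import": set(), "export": set(), "default": False}
    for line in ios_text.splitlines():
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            current = vrfs.setdefault(m.group(1), blank())
        elif (m := re.fullmatch(r" route-target (import|export) (\S+)", line)) and current is not None:
            current[m.group(1)].add(m.group(2))
        elif m := re.fullmatch(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            vrfs.setdefault(m.group(1), blank())["default"] = True
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the "ip vrf" block
    return vrfs

def check_hdvrf(ios_text, users_text):
    """Return findings for every upstream/downstream pair the RADIUS users reference."""
    vrfs, findings = parse_vrfs(ios_text), []
    for up, down in sorted(set(re.findall(r"ip:vrf-id=(\S+) downstream (\S+)", users_text))):
        missing = [v for v in (up, down) if v not in vrfs]
        if missing:
            findings.append("undefined VRF: " + ", ".join(missing))
            continue
        leak = sorted(vrfs[up]["import"] & vrfs[down]["export"])
        if leak:
            findings.append(f"{up} imports {leak} exported by {down}")
        if not vrfs[up]["default"]:
            findings.append(f"{up} has no static default route")
    return findings
```

check_hdvrf(GOOD_IOS, USERS) returns an empty list; the same call with BAD_IOS reports both the route-target leak and the missing default route.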

