[c-nsp] Half duplex VRF

Hitesh Vinzoda vinzoda.hitesh at gmail.com
Fri Oct 12 05:45:55 EDT 2012


Hi Gerald,

I have tested this and it worked like a charm. Thanks for sharing the working
configuration.

Best Regards
Hitesh

On Fri, Oct 12, 2012 at 9:02 AM, Hitesh Vinzoda <vinzoda.hitesh at gmail.com> wrote:

> Hi Gerald,
>
> Thanks for your inputs. Will try this configuration and let you know how
> it goes..!
>
> Cheers
> Hitesh
>
>
> On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause <gk at ax.tc> wrote:
>
>> Hi Hitesh,
>>
>> just to let you know what our working config looks like. We had some
>> problems in the beginning with Half duplex VRF on earlier IOS versions.
>> Now we're running 122-33.SRE on a NPE-G2 and it works as expected.
>>
>> Traffic from site1 to site2 (both terminated via L2TP/PPP on the same
>> LNS) will be directed (egress) to port GE0/3.148 towards the firewall
>> 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall
>> permits the traffic.
>>
>>
>> LNS CONFIG
>> ==========
>>
>> LNS1#sh run vrf CUSTVRF-DOWN
>> Building configuration...
>>
>> Current configuration : 603 bytes
>> ip vrf CUSTVRF-DOWN
>>  rd 100:2
>>  route-target export 100:2
>>  route-target import 100:2
>> !
>> !
>> interface GigabitEthernet0/3.149
>>  encapsulation dot1Q 149
>>  ip vrf forwarding CUSTVRF-DOWN
>>  ip address 10.99.16.227 255.255.255.240
>> !
>> router bgp 10000
>>  !
>>  address-family ipv4 vrf CUSTVRF-DOWN
>>   no synchronization
>>   redistribute connected
>>   redistribute static
>>  exit-address-family
>> !
>> end
>>
>>
>> LNS1#sh run vrf CUSTVRF-UP
>> Building configuration...
>>
>> Current configuration : 816 bytes
>> ip vrf CUSTVRF-UP
>>  rd 100:3
>>  route-target export 100:3
>>  route-target import 100:1
>> !
>> !
>> interface GigabitEthernet0/3.148
>>  encapsulation dot1Q 148
>>  ip vrf forwarding CUSTVRF-UP
>>  ip address 10.99.16.243 255.255.255.240
>> !
>> interface Loopback102
>>  description CUSTVRF
>>  ip vrf forwarding CUSTVRF-UP
>>  ip address 10.99.17.254 255.255.255.255
>> !
>> router bgp 10000
>>  !
>>  address-family ipv4 vrf CUSTVRF-UP
>>   no synchronization
>>   redistribute connected
>>   redistribute static
>>   default-information originate
>>  exit-address-family
>> !
>> ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
>> end
>>
>>
>> RADIUS ACCOUNTS (freeRadius)
>> ===============
>>
>> cust-vrfsite1  Password == xxxx
>>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>>   Cisco-AVPair += ip:addr=10.99.17.68
>>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>>   Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0
>>
>> cust-vrfsite2  Password == yyyy
>>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>>   Cisco-AVPair += ip:addr=10.99.17.69
>>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>>   Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0
>>
>>
>>
>> Gerald
>>
>>
>> On 11.10.2012 07:45, Hitesh Vinzoda wrote:
>> > Hi Arie,
>> >
>> > This is already in place and the virtual-access interfaces belong to this
>> > vrf and so do their PPP host router.
>> >
>> > These routes are not visible in upstream vrf U which is great but these
>> > routes do appear in Downstream vrf D so that is the reason they route
>> > locally and don't go towards hub CE.
>> >
>> > The illustrations that I have seen before have CE sites connected on
>> > different PE routers whereas in my case the CE routers are connected to
>> > same PE and hence we want to avoid local routing on the LNS.
>> >
>> > Please let me know your thoughts over this.
>> >
>> > Thanks
>> > Hitesh
>> >
>> > On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner)
>> > <avayner at cisco.com> wrote:
>> >
>> >> So basically your PPP connections are in the global routing table…
>> >>
>> >> What is the profile you are downloading from RADIUS (debug radius) for
>> >> them?
>> >>
>> >> You most likely should be downloading the “ip vrf forwarding U downstream
>> >> D” command using the RADIUS attribute “lcp:interface-config=ip vrf
>> >> forwarding U downstream D”…
>> >>
>> >> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907
>> >>
>> >> Arie
>> >>
>> >> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
>> >> *Sent:* Wednesday, October 10, 2012 00:44
>> >> *To:* Arie Vayner (avayner)
>> >> *Cc:* Cisco Mailing list
>> >> *Subject:* Re: [c-nsp] Half duplex VRF
>> >>
>> >> Hi Arie,
>> >>
>> >> Below is the desired excerpt. We can't see the VRF config being applied to
>> >> the interfaces but it's visible in "show ip int virtual-access". I have
>> >> tried two different ways in RADIUS attributes but the results are the same.
>> >>
>> >> LNS#show ppp all
>> >> Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
>> >> ------------ --------------------- -------- --------------- --------------------
>> >> Vi4          LCP+ CHAP+ IPCP+      LocalT   192.168.254.200 \
>> >> spoke at cerberusnetworks.co.uk
>> >> Vi3          LCP+ CHAP+ IPCP+      LocalT   192.168.254.100 \
>> >> mpls at cerberusnetworks.co.uk
>> >>
>> >> LNS#show run int vir
>> >> LNS#show run int virtual-acc
>> >> LNS#show run int virtual-access 3
>> >> Building configuration...
>> >>
>> >> Current configuration : 78 bytes
>> >> !
>> >> interface Virtual-Access3
>> >>  ip mtu 1492
>> >>  ip verify unicast reverse-path
>> >> end
>> >>
>> >> LNS#show run int virtual-access 4
>> >> Building configuration...
>> >>
>> >> Current configuration : 78 bytes
>> >> !
>> >> interface Virtual-Access4
>> >>  ip mtu 1492
>> >>  ip verify unicast reverse-path
>> >> end
>> >>
>> >> =================
>> >>
>> >> LNS#show ip int virtual-access 3
>> >> Virtual-Access3 is up, line protocol is up
>> >>   Interface is unnumbered. Using address of Loopback2 (2.2.2.1)
>> >>   Broadcast address is 255.255.255.255
>> >>   Peer address is 192.168.254.100
>> >>   MTU is 1492 bytes
>> >>   Helper address is not set
>> >>   Directed broadcast forwarding is disabled
>> >>   Outgoing access list is not set
>> >>   Inbound  access list is not set
>> >>   Proxy ARP is enabled
>> >>   Local Proxy ARP is disabled
>> >>   Security level is default
>> >>   Split horizon is enabled
>> >>   ICMP redirects are always sent
>> >>   ICMP unreachables are always sent
>> >>   ICMP mask replies are never sent
>> >>   IP fast switching is enabled
>> >>   IP Flow switching is disabled
>> >>   IP CEF switching is enabled
>> >>   IP CEF switching turbo vector
>> >>   IP CEF turbo switching turbo vector
>> >>   VPN Routing/Forwarding "U"
>> >>   Downstream VPN Routing/Forwarding "D"
>> >>   Associated unicast routing topologies:
>> >>     ipv4 topologies in downstream VRF "D" :
>> >>         Topology "base", operation state is UP
>> >>     ipv4 topologies in upstream(forwarding) VRF "U":
>> >>         Topology "base", operation state is UP
>> >> ===============================================
>> >>
>> >> Thanks
>> >>
>> >> Hitesh
>> >>
>> >> On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) <avayner at cisco.com>
>> >> wrote:
>> >>
>> >> Hitesh, what does your virtual-access look like for the spokes?
>> >>
>> >> Can you please share the “show run interface virtual-access xx” for the
>> >> spokes?
>> >>
>> >> Tnx
>> >>
>> >> Arie
>> >>
>> >> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
>> >> *Sent:* Tuesday, October 09, 2012 09:05
>> >> *To:* Arie Vayner (avayner)
>> >> *Cc:* Cisco Mailing list
>> >> *Subject:* Re: [c-nsp] Half duplex VRF
>> >>
>> >> Hi Arie,
>> >>
>> >> I have attached topology, .Net file and configs of related devices. R8 and
>> >> R9 are simulating spokes whereas Internet-RTR is simulating Hub.
>> >>
>> >> Cheers
>> >>
>> >> Hitesh
>> >>
>> >> On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) <avayner at cisco.com>
>> >> wrote:
>> >>
>> >> Hitesh, can you maybe share some of your configs?
>> >> Arie
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: cisco-nsp-bounces at puck.nether.net [mailto:
>> >> cisco-nsp-bounces at puck.nether.net] On Behalf Of Hitesh Vinzoda
>> >> Sent: Tuesday, October 09, 2012 07:04
>> >> To: Cisco Mailing list
>> >> Subject: [c-nsp] Half duplex VRF
>> >>
>> >> I am trying to setup half duplex vrf to save vrf's on the LNS. Does anyone
>> >> have working configuration for spokes and Hub connected on the same PE
>> >> router i.e. LNS. So far I am able to export-import the routes but the traces
>> >> from one spoke to other go directly via LNS instead of via Hub.
>> >>
>> >> Please advise.
>> >>
>> >> TIA
>> >> Hitesh
>> >>
>> >> _______________________________________________
>> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >>
>> >
>>
>>
>
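
Added example, not part of the thread or of any participant's configuration: a small Python model of the two route lookups that the quoted LNS config relies on, showing why site-to-site traffic is forced through the firewall with the upstream/downstream VRF pair but is routed locally when everything shares one VRF. The session names Vi-site1 and Vi-site2, the assumption that the firewall returns permitted packets on GE0/3.149, and the single-VRF comparison are constructed for illustration.

```python
import ipaddress

# Constructed routing tables modelled on the LNS config quoted above.
# Vi-site1 / Vi-site2 are hypothetical names for the two PPP sessions.
FIREWALL = "GE0/3.148 via 10.99.16.254"
UP = {                      # CUSTVRF-UP: consulted for packets FROM a subscriber
    "0.0.0.0/0": FIREWALL,
    "10.99.16.240/28": "GE0/3.148 connected",
    "10.99.17.254/32": "Loopback102",
}
DOWN = {                    # CUSTVRF-DOWN: consulted for packets arriving on GE0/3.149
    "10.99.16.224/28": "GE0/3.149 connected",
    "10.99.17.68/32": "Vi-site1", "10.98.8.0/24": "Vi-site1",
    "10.99.17.69/32": "Vi-site2", "10.98.9.0/24": "Vi-site2",
}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop string or None."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table]
    hits = [n for n in nets if addr in n]
    if not hits:
        return None
    return table[str(max(hits, key=lambda n: n.prefixlen))]

def path(dst, half_duplex=True, firewall_permits=True):
    """Hops for a packet that enters the LNS on a subscriber session."""
    if not half_duplex:
        # One shared VRF: subscriber routes sit next to the default route.
        return [lookup({**UP, **DOWN}, dst)]
    hops = [lookup(UP, dst)]
    if hops[0] == FIREWALL and firewall_permits:
        hops.append(lookup(DOWN, dst))   # packet re-enters on GE0/3.149
    return hops

def leaked_routes(up_table, down_table):
    """Subscriber prefixes found in the upstream table (these bypass the firewall)."""
    subscriber = {p for p, nh in down_table.items() if nh.startswith("Vi-")}
    return sorted(subscriber & set(up_table))

if __name__ == "__main__":
    print(path("10.98.9.10"))                     # site1 -> site2 via firewall
    print(path("10.98.9.10", half_duplex=False))  # local routing on the LNS
    print(leaked_routes(UP, DOWN))
```

`leaked_routes` is the check to run against real `show ip route vrf` output after parsing it into the same prefix-to-next-hop form: any subscriber prefix in the upstream table means that traffic is switched on the LNS without reaching the firewall.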

