[c-nsp] Half duplex VRF
Arie Vayner (avayner)
avayner at cisco.com
Tue Oct 23 12:24:52 EDT 2012
Half Duplex VRF can also be supported on regular interfaces.
Note the "downstream" option:
http://www.cisco.com/en/US/docs/ios-xml/ios/mpls/command/mp-e1.html#GUID-004281BD-F140-4EA1-BD00-30179140C189t
Arie
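
Added example (not part of the thread, and not Cisco's or any poster's code): a small Python audit of the half-duplex setup that depends on the "downstream" option, run over a constructed sample shaped like the LNS configuration and RADIUS AVPairs quoted further down. It assumes that spoke routes must stay out of the upstream table and that, in this same-box design, the upstream default is a static route; `parse_route_targets` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample in the shape of the LNS config and RADIUS AVPairs quoted in this thread.
IOS_CONFIG = """\
ip vrf CUSTVRF-DOWN
 rd 100:2
 route-target export 100:2
 route-target import 100:2
!
ip vrf CUSTVRF-UP
 rd 100:3
 route-target export 100:3
 route-target import 100:1
!
ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
"""
RADIUS_AVPAIRS = ["ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN"]

def parse_route_targets(config):
    """Return {vrf: {"import": set, "export": set}} from 'ip vrf' blocks."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip vrf (\S+)$", line):
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
        elif current is not None and (m := re.match(r"\s+route-target (import|export) (\S+)", line)):
            current[m.group(1)].add(m.group(2))
        elif not line.startswith(" "):
            current = None  # left the 'ip vrf' block
    return vrfs

def audit(config, avpairs):
    """Return findings that would let spoke-to-spoke traffic bypass the hub firewall."""
    vrfs, findings = parse_route_targets(config), []
    for pair in avpairs:
        m = re.fullmatch(r"ip:vrf-id=(\S+)(?: downstream (\S+))?", pair)
        if not m or not m.group(2):
            findings.append(f"no downstream VRF in AVPair: {pair}")
            continue
        up, down = m.groups()
        if up not in vrfs or down not in vrfs:
            findings.append(f"VRF not defined on the LNS: {up} / {down}")
            continue
        # Assumption: spoke routes must stay out of the upstream table.
        for rt in sorted(vrfs[up]["import"] & vrfs[down]["export"]):
            findings.append(f"{up} imports {rt}, which {down} exports")
        # Assumption (this same-box design): upstream default is a static route.
        if not re.search(rf"^ip route vrf {re.escape(up)} 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
            findings.append(f"no static default route in {up}")
    return findings

if __name__ == "__main__":
    print(audit(IOS_CONFIG, RADIUS_AVPAIRS) or "half-duplex VRF checks passed")
```
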
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Tuesday, October 23, 2012 04:52
To: vinzoda.hitesh at gmail.com; gk at ax.tc
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Half duplex VRF
I have read that the hub and spoke VRF only works with virtual templates?
And it's supposed to be configured with an AAA server, right?
Thanks
BR,
Mohammad
> Date: Fri, 12 Oct 2012 15:15:55 +0530
> From: vinzoda.hitesh at gmail.com
> To: gk at ax.tc
> CC: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Half duplex VRF
>
> Hi Gerald,
>
> I have tested this and it worked like a charm. Thanks for sharing the
> working configuration.
>
> Best Regards
> Hitesh
>
> On Fri, Oct 12, 2012 at 9:02 AM, Hitesh Vinzoda <vinzoda.hitesh at gmail.com> wrote:
>
> > Hi Gerald,
> >
> > Thanks for your inputs. Will try this configuration and let you know
> > how it goes..!
> >
> > Cheers
> > Hitesh
> >
> >
> > On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause <gk at ax.tc> wrote:
> >
> >> Hi Hitesh,
> >>
> >> just to let you know what our working config looks like. We had some
> >> problems in the beginning with Half duplex VRF on earlier IOS versions.
> >> Now we're running 122-33.SRE on an NPE-G2 and it works as expected.
> >>
> >> Traffic from site1 to site2 (both terminated via L2TP/PPP on the same
> >> LNS) will be directed (egress) to port GE0/3.148 towards the firewall
> >> 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall
> >> permits the traffic.
> >>
> >>
> >> LNS CONFIG
> >> ==========
> >>
> >> LNS1#sh run vrf CUSTVRF-DOWN
> >> Building configuration...
> >>
> >> Current configuration : 603 bytes
> >> ip vrf CUSTVRF-DOWN
> >>  rd 100:2
> >>  route-target export 100:2
> >>  route-target import 100:2
> >> !
> >> !
> >> interface GigabitEthernet0/3.149
> >>  encapsulation dot1Q 149
> >>  ip vrf forwarding CUSTVRF-DOWN
> >>  ip address 10.99.16.227 255.255.255.240
> >> !
> >> router bgp 10000
> >>  !
> >>  address-family ipv4 vrf CUSTVRF-DOWN
> >>   no synchronization
> >>   redistribute connected
> >>   redistribute static
> >>  exit-address-family
> >> !
> >> end
> >>
> >>
> >> LNS1#sh run vrf CUSTVRF-UP
> >> Building configuration...
> >>
> >> Current configuration : 816 bytes
> >> ip vrf CUSTVRF-UP
> >>  rd 100:3
> >>  route-target export 100:3
> >>  route-target import 100:1
> >> !
> >> !
> >> interface GigabitEthernet0/3.148
> >>  encapsulation dot1Q 148
> >>  ip vrf forwarding CUSTVRF-UP
> >>  ip address 10.99.16.243 255.255.255.240
> >> !
> >> interface Loopback102
> >>  description CUSTVRF
> >>  ip vrf forwarding CUSTVRF-UP
> >>  ip address 10.99.17.254 255.255.255.255
> >> !
> >> router bgp 10000
> >>  !
> >>  address-family ipv4 vrf CUSTVRF-UP
> >>   no synchronization
> >>   redistribute connected
> >>   redistribute static
> >>   default-information originate
> >>  exit-address-family
> >> !
> >> ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
> >> end
> >>
> >>
> >> RADIUS ACCOUNTS (freeRadius)
> >> ============================
> >>
> >> cust-vrfsite1 Password == xxxx
> >>     Cisco-AVPair += ip:ip-unnumbered=Loopback102
> >>     Cisco-AVPair += ip:addr=10.99.17.68
> >>     Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
> >>     Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0
> >>
> >> cust-vrfsite2 Password == yyyy
> >>     Cisco-AVPair += ip:ip-unnumbered=Loopback102
> >>     Cisco-AVPair += ip:addr=10.99.17.69
> >>     Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
> >>     Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0
> >>
> >>
> >>
> >> Gerald
> >>
> >>
> >> On 11.10.2012 07:45, Hitesh Vinzoda wrote:
> >> > Hi Arie,
> >> >
> >> > This is already in place and the virtual-access interfaces belong to this
> >> > vrf and so do their PPP host router.
> >> >
> >> > These routes are not visible in upstream vrf U which is great but these
> >> > routes do appear in Downstream vrf D so that is the reason they route
> >> > locally and don't go towards hub CE.
> >> >
> >> > The illustrations that I have seen before have CE sites connected on
> >> > different PE routers whereas in my case the CE routers are connected to
> >> > the same PE and hence we want to avoid local routing on the LNS.
> >> >
> >> > Please let me know your thoughts over this.
> >> >
> >> > Thanks
> >> > Hitesh
> >> >
> >> > On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner)
> >> > <avayner at cisco.com> wrote:
> >> >
> >> >> So basically your PPP connections are in the global routing table...
> >> >>
> >> >> What is the profile you are downloading from RADIUS (debug radius) for
> >> >> them?
> >> >>
> >> >> You most likely should be downloading the "ip vrf forwarding U downstream
> >> >> D" command using the RADIUS attribute "lcp:interface-config=ip vrf
> >> >> forwarding U downstream D"...
> >> >>
> >> >> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907
> >> >>
> >> >> Arie
> >> >>
> >> >>
> >> >> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
> >> >> *Sent:* Wednesday, October 10, 2012 00:44
> >> >> *To:* Arie Vayner (avayner)
> >> >> *Cc:* Cisco Mailing list
> >> >> *Subject:* Re: [c-nsp] Half duplex VRF
> >> >>
> >> >> Hi Arie,
> >> >>
> >> >> Below is the desired excerpt. We can't see the VRF config being applied to
> >> >> the interfaces but it's visible in "show ip int virtual-access". I have
> >> >> tried two different ways in RADIUS attributes but the results are the same.
> >> >>
> >> >>
> >> >> LNS#show ppp all
> >> >> Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
> >> >> ------------ --------------------- -------- --------------- --------------------
> >> >> Vi4          LCP+ CHAP+ IPCP+      LocalT   192.168.254.200 \
> >> >>                                    spoke at cerberusnetworks.co.uk
> >> >> Vi3          LCP+ CHAP+ IPCP+      LocalT   192.168.254.100 \
> >> >>                                    mpls at cerberusnetworks.co.uk
> >> >> LNS#show run int vir
> >> >> LNS#show run int virtual-acc
> >> >> LNS#show run int virtual-access 3
> >> >> Building configuration...
> >> >>
> >> >> Current configuration : 78 bytes
> >> >> !
> >> >> interface Virtual-Access3
> >> >>  ip mtu 1492
> >> >>  ip verify unicast reverse-path
> >> >> end
> >> >>
> >> >> LNS#show run int virtual-access 4
> >> >> Building configuration...
> >> >>
> >> >> Current configuration : 78 bytes
> >> >> !
> >> >> interface Virtual-Access4
> >> >>  ip mtu 1492
> >> >>  ip verify unicast reverse-path
> >> >> end
> >> >> =================
> >> >>
> >> >> LNS#show ip int virtual-access 3
> >> >> Virtual-Access3 is up, line protocol is up
> >> >>   Interface is unnumbered. Using address of Loopback2 (2.2.2.1)
> >> >>   Broadcast address is 255.255.255.255
> >> >>   Peer address is 192.168.254.100
> >> >>   MTU is 1492 bytes
> >> >>   Helper address is not set
> >> >>   Directed broadcast forwarding is disabled
> >> >>   Outgoing access list is not set
> >> >>   Inbound access list is not set
> >> >>   Proxy ARP is enabled
> >> >>   Local Proxy ARP is disabled
> >> >>   Security level is default
> >> >>   Split horizon is enabled
> >> >>   ICMP redirects are always sent
> >> >>   ICMP unreachables are always sent
> >> >>   ICMP mask replies are never sent
> >> >>   IP fast switching is enabled
> >> >>   IP Flow switching is disabled
> >> >>   IP CEF switching is enabled
> >> >>   IP CEF switching turbo vector
> >> >>   IP CEF turbo switching turbo vector
> >> >>   VPN Routing/Forwarding "U"
> >> >>   Downstream VPN Routing/Forwarding "D"
> >> >>   Associated unicast routing topologies:
> >> >>     ipv4 topologies in downstream VRF "D" :
> >> >>       Topology "base", operation state is UP
> >> >>     ipv4 topologies in upstream(forwarding) VRF "U":
> >> >>       Topology "base", operation state is UP
> >> >> ===============================================
> >> >>
> >> >> Thanks
> >> >>
> >> >> Hitesh
> >> >>
> >> >>
> >> >> On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) <avayner at cisco.com>
> >> >> wrote:
> >> >>
> >> >> Hitesh, what does your virtual-access look like for the spokes?
> >> >>
> >> >> Can you please share the "show run interface virtual-access xx" for the
> >> >> spokes?
> >> >>
> >> >> Tnx
> >> >>
> >> >> Arie
> >> >>
> >> >>
> >> >> *From:* Hitesh Vinzoda [mailto:vinzoda.hitesh at gmail.com]
> >> >> *Sent:* Tuesday, October 09, 2012 09:05
> >> >> *To:* Arie Vayner (avayner)
> >> >> *Cc:* Cisco Mailing list
> >> >> *Subject:* Re: [c-nsp] Half duplex VRF
> >> >>
> >> >> Hi Arie,
> >> >>
> >> >> I have attached topology, .Net file and configs of related devices. R8 and
> >> >> R9 are simulating spokes whereas Internet-RTR is simulating Hub.
> >> >>
> >> >> Cheers
> >> >>
> >> >> Hitesh
> >> >>
> >> >>
> >> >> On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) <avayner at cisco.com>
> >> >> wrote:
> >> >>
> >> >> Hitesh, can you maybe share some of your configs?
> >> >> Arie
> >> >>
> >> >>
> >> >> -----Original Message-----
> >> >> From: cisco-nsp-bounces at puck.nether.net [mailto:
> >> >> cisco-nsp-bounces at puck.nether.net] On Behalf Of Hitesh Vinzoda
> >> >> Sent: Tuesday, October 09, 2012 07:04
> >> >> To: Cisco Mailing list
> >> >> Subject: [c-nsp] Half duplex VRF
> >> >>
> >> >> I am trying to set up half duplex vrf to save vrf's on the LNS. Does anyone
> >> >> have a working configuration for spokes and Hub connected on the same PE
> >> >> router i.e. LNS. So far I am able to export-import the routes but the traces
> >> >> from one spoke to the other go directly via LNS instead of via Hub.
> >> >>
> >> >> Please advise.
> >> >>
> >> >> TIA
> >> >> Hitesh
> >> >>
> >> >> _______________________________________________
> >> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/