Monday, 16 July 2012

Multi VRF

The configuration below shows how to configure the PE and CE routers to extend a VRF to a customer site. The CE (customer) router ends up with two separate routing tables, one VRF and the global table, each peered with its own VRF on the PE over a dot1q subinterface of a single trunk link. This configuration was created on GNS3 with IOS version c2691-adventerprisek9-mz.124-25d.bin. Parts of the configuration below have been omitted for brevity:


! PE (Provider Edge) Router Configuration

!
hostname PE-Router
!
! Create two VRFs 
ip vrf VRF1
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip vrf VRF2
 rd 2:100
 route-target export 2:100
 route-target import 2:100
!
! Create a loopback interface to act as the BGP router ID; note that it is not part of
! a VRF, so it lives in the global routing table
interface Loopback0
 ip address 100.1.1.1 255.255.255.255
!
! Create two more loopback interfaces, one in each VRF. This was just done to 
! illustrate that you can use overlapping address space
interface Loopback1
 ip vrf forwarding VRF1
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
 ip vrf forwarding VRF2
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
! Create two subinterfaces, each with a dot1q tag, and assign one to each VRF. Note that
! VLAN 1 is the native (untagged) VLAN here, so any untagged frame from the CE lands in
! VRF1; on a link towards customer kit a dedicated, otherwise unused native VLAN is safer
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VRF1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VRF2
 ip address 192.168.2.1 255.255.255.0
!
! Configure the BGP section: one VRF-aware address family per VRF, each with its own
! eBGP neighbour in the customer AS. Not shown, but wanted in production: an inbound
! prefix-list and a maximum-prefix limit on each CE neighbour, so a customer cannot
! inject arbitrary prefixes into its VRF
router bgp 1
 no synchronization
 bgp router-id 100.1.1.1
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf VRF2
  redistribute connected
  neighbor 192.168.2.254 remote-as 100
  neighbor 192.168.2.254 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VRF1
  redistribute connected
  neighbor 192.168.1.254 remote-as 100
  neighbor 192.168.1.254 activate
  no synchronization
 exit-address-family
!

===============================================================


! CE (Customer Edge) Router Configuration

!
hostname CE-Router
!
! On this router we create just one VRF; the routes received over the other
! neighbour go into the global routing table
ip vrf VRF2
 rd 2:100
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
! Create subinterfaces with dot1q tags - note that only Fa0/0.2 has
! a vrf forwarding statement
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VRF2
 ip address 192.168.2.254 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
! BGP configuration - note how one neighbour statement is in the global
! section and one is in the "address-family ipv4" section
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.1.1 remote-as 1
 no auto-summary
 !
 address-family ipv4 vrf VRF2
  redistribute connected
  neighbor 192.168.2.1 remote-as 1
  neighbor 192.168.2.1 activate
  no synchronization
 exit-address-family
!

===============================================================

On the PE router:

! Only the loopback0 interface is in the global routing table
PE-Router#sh ip ro
     100.0.0.0/32 is subnetted, 1 subnets
C       100.1.1.1 is directly connected, Loopback0

PE-Router#sh ip route vrf VRF1
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
C    192.168.1.0/24 is directly connected, FastEthernet0/0.1

PE-Router#sh ip route vrf VRF2
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback2
C    192.168.2.0/24 is directly connected, FastEthernet0/0.2

PE-Router#sh ip bgp vpnv4 all
BGP table version is 14, local router ID is 100.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf VRF1)
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
*  192.168.1.0      192.168.1.254            0             0 100 ?
*>                  0.0.0.0                  0         32768 ?
Route Distinguisher: 2:100 (default for vrf VRF2)
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
*  192.168.2.0      192.168.2.254            0             0 100 ?
*>                  0.0.0.0                  0         32768 ?

On the CE router:

CE-Router#sh ip ro
     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 [20/0] via 192.168.1.1, 00:44:36
C    192.168.1.0/24 is directly connected, FastEthernet0/0.1

CE-Router#sh ip route vrf VRF2
     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 [20/0] via 192.168.2.1, 00:39:49
C    192.168.2.0/24 is directly connected, FastEthernet0/0.2

CE-Router#sh ip bgp summary
BGP router identifier 192.168.1.254, local AS number 100
BGP table version is 4, main routing table version 4
2 network entries using 234 bytes of memory
3 path entries using 156 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 786 total bytes of memory
BGP activity 5/1 prefixes, 7/1 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4     1      54      53        4    0    0 00:45:31        2

CE-Router#sh ip bgp vpnv4 all
BGP table version is 7, local router ID is 192.168.1.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 2:100 (default for vrf VRF2)
*> 1.1.1.1/32       192.168.2.1              0             0 1 ?
*  192.168.2.0      192.168.2.1              0             0 1 ?
*>                  0.0.0.0                  0         32768 ?


Friday, 6 July 2012

VRF Lite

VRF Lite (I hate the word lite - a real toe-curling Americanism - can't we call it VRF Basic or VRF - Beginner's Edition?) is a way of using VRFs on a router without MPLS or MP-BGP VPNv4 signalling; the CE router in the Multi VRF post above is doing exactly this.
In its simplest form VRF is a way of creating separate forwarding instances and routing tables on a single router. Different customers can then connect to the same router via different interfaces and all their traffic is kept separate. Different customers can even have overlapping address space because each VRF gets its own routing table.
The configuration below was created in GNS3, the routers are 2691s and the IOS version used is: c2691-adventerprisek9-mz.124-25d.bin.


I have only included the config for R3 here as that is the router doing the VRF work. There is nothing unusual about the configs for the other routers; as far as they are concerned no VRF is taking place. R1 and R4 are part of Site_A and R2 and R5 are part of Site_B. Irrelevant bits of the R3 config have been omitted for brevity.

!
hostname R3
!
ip cef
!
!
! Create two VRF instances for our two sites with different route distinguishers
ip vrf Site_A
 rd 100:1
!
ip vrf Site_B
 rd 100:2
!
! This interface is in VRF Site_A
interface FastEthernet0/0
 ip vrf forwarding Site_A
 ip address 10.0.0.254 255.255.255.0
 duplex auto
 speed auto
!
! This interface is in VRF Site_B
interface Serial0/0
 ip vrf forwarding Site_B
 ip address 10.0.1.254 255.255.255.0
 clock rate 8000000
!
! This interface is in VRF Site_A
interface FastEthernet0/1
 ip vrf forwarding Site_A
 ip address 192.168.0.254 255.255.255.0
 duplex auto
 speed auto
!
! This interface is in VRF Site_B - note how it uses the same address as Fa0/1
interface FastEthernet1/0
 ip vrf forwarding Site_B
 ip address 192.168.0.254 255.255.255.0
 speed 100
 full-duplex
!
! We enable EIGRP for Site_A; note how the majority of the configuration now goes under
! the "address-family ipv4 vrf" section
!
router eigrp 1
 auto-summary
 !
 address-family ipv4 vrf Site_A
  network 10.0.0.0
  network 192.168.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!
! We enable OSPF for Site_B - looks a bit different from the EIGRP bit, doesn't it? Here
! the VRF is named on the "router ospf" line itself rather than in an address-family
router ospf 1 vrf Site_B
 log-adjacency-changes
 network 10.0.1.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
!
!
end
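
An added example that serves both the Multi VRF post above and this VRF Lite config (it is not code from either post, nor from Cisco): a small Python audit that parses the "ip vrf" and "interface" stanzas of an IOS config and reports three things a reviewer would otherwise check by hand. First, interfaces that carry an address but no "ip vrf forwarding" and so sit in the global routing table next to the customer VRFs. Second, a route-target that one VRF imports and another exports, which is how routes leak between customers on a PE. Third, a subnet configured in more than one VRF; overlap is legal and both posts use it on purpose, but it is exactly where an accidental leak does the most damage, so it is reported. The embedded config is abridged from the PE-Router config in the Multi VRF post; the "leaky" variant is constructed for the example. The names parse_config, audit, PE_CONFIG and LEAKY_CONFIG are this example's own.

```python
"""Audit VRF separation in a Cisco IOS config (added example, not from the posts).

Checks: interfaces with an address but no VRF (global table), route-targets
imported by one VRF but exported by another (route leak between customers),
and subnets present in more than one VRF (legal, but where a leak hurts most).
"""
import ipaddress
from collections import defaultdict

# Abridged from the PE-Router config in the Multi VRF post; the same parser
# runs unchanged on the R3 config in the VRF Lite post.
PE_CONFIG = """\
ip vrf VRF1
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip vrf VRF2
 rd 2:100
 route-target export 2:100
 route-target import 2:100
!
interface Loopback0
 ip address 100.1.1.1 255.255.255.255
!
interface Loopback1
 ip vrf forwarding VRF1
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
 ip vrf forwarding VRF2
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VRF1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VRF2
 ip address 192.168.2.1 255.255.255.0
"""


def parse_config(text):
    """Return ({vrf: {rd, import, export}}, {interface: {vrf, address}})."""
    vrfs, intfs, kind, name = {}, {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        parts = raw.split()
        if not raw.startswith(" "):                      # new top-level stanza
            if parts[:2] == ["ip", "vrf"] and len(parts) == 3:
                kind, name = "vrf", parts[2]
                vrfs[name] = {"rd": None, "import": set(), "export": set()}
            elif parts[0] == "interface":
                kind, name = "intf", parts[1]
                intfs[name] = {"vrf": None, "address": None}
            else:
                kind = name = None
        elif kind == "vrf":
            if parts[0] == "rd":
                vrfs[name]["rd"] = parts[1]
            elif parts[0] == "route-target":             # import / export / both
                for d in (("import", "export") if parts[1] == "both" else (parts[1],)):
                    vrfs[name][d].add(parts[2])
        elif kind == "intf":
            if parts[:3] == ["ip", "vrf", "forwarding"]:
                intfs[name]["vrf"] = parts[3]
            elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
                intfs[name]["address"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return vrfs, intfs


def audit(vrfs, intfs):
    """Return a sorted list of (check, detail) findings."""
    findings = []
    exporters = defaultdict(set)                         # route-target -> VRFs exporting it
    for v, d in vrfs.items():
        for rt in d["export"]:
            exporters[rt].add(v)
    for v, d in vrfs.items():
        for rt in d["import"]:
            for other in exporters[rt] - {v}:            # imported from a different VRF
                findings.append(("rt-leak", f"{v} imports {rt} exported by {other}"))
    nets = defaultdict(set)                              # subnet -> VRFs it appears in
    for i, d in intfs.items():
        if d["address"] is None:
            continue
        if d["vrf"] is None:
            findings.append(("global-interface", i))
        elif d["vrf"] not in vrfs:
            findings.append(("undefined-vrf", f"{i} -> {d['vrf']}"))
        else:
            nets[d["address"].network].add(d["vrf"])
    for net, owners in nets.items():
        if len(owners) > 1:
            findings.append(("overlap", f"{net} in {sorted(owners)}"))
    return sorted(findings)


# Constructed variant: VRF2 also imports VRF1's route-target, so VRF1's routes
# would appear in VRF2's table. This is the misconfiguration the RT check catches.
LEAKY_CONFIG = PE_CONFIG.replace(
    " route-target import 2:100", " route-target import 2:100\n route-target import 1:100")

if __name__ == "__main__":
    for label, cfg in (("PE-Router", PE_CONFIG), ("leaky", LEAKY_CONFIG)):
        for check, detail in audit(*parse_config(cfg)):
            print(f"{label}: {check}: {detail}")
```

On the PE config it reports Loopback0 as a global-table interface (intended there, it is the router ID) and the deliberate 1.1.1.1/32 overlap; the leaky variant adds an rt-leak finding. Run on the R3 config above it reports only the deliberate 192.168.0.0/24 overlap between Site_A and Site_B.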

That is it for the config side of things. Some show commands to illustrate the point:

Show ip route on the router shows no routes, not even connected ones. This is because every interface is in a VRF, so the global routing table has no visibility of them.

R3#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R3#


Ah, this is more like it - now we can see all the routes for the Site_A VRF including connected interfaces. Note the "D" showing that we have EIGRP-learned routes.

R3#sh ip ro vrf Site_A

Routing Table: Site_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/32 is subnetted, 1 subnets
D       4.4.4.4 [90/409600] via 192.168.0.1, 01:01:18, FastEthernet0/1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
C    192.168.0.0/24 is directly connected, FastEthernet0/1

We see something similar for Site_B; note the "O" for OSPF-learned routes.

R3#sh ip ro vrf Site_B

Routing Table: Site_B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/2] via 192.168.0.1, 00:46:17, FastEthernet1/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.1.0 is directly connected, Serial0/0
C    192.168.0.0/24 is directly connected, FastEthernet1/0

Show ip eigrp neighbours on R3 shows no neighbours, again because the neighbours belong to the VRF rather than to the global routing table (am I labouring the point a bit..?)

R3#sh ip eigrp neighbors
IP-EIGRP neighbors for process 1

Here they are:

R3#sh ip eigrp vrf Site_A neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.0.0.1                Fa0/0             11 01:03:41  206  1236  0  15
0   192.168.0.1             Fa0/1             14 01:09:27   41   246  0  8

This is a handy command too:

R3#sh ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Fa0/1                  192.168.0.254   Site_A                           up
Fa0/0                  10.0.0.254      Site_A                           up
Fa1/0                  192.168.0.254   Site_B                           up
Se0/0                  10.0.1.254      Site_B                           up

Thursday, 5 July 2012

Cisco NAT with multiple WAN connections

With reference to: 
https://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml


This configuration allows you to run NAT over two WAN connections and load balance over them. Created and tested in GNS3. An example of where you would use this is if you had a single router connected to two different service providers and you wanted to NAT over both of them for load balancing. Should one of them go down NAT should continue to work over the other connection (though in practice I found that if you had an active NAT translation over one connection and you pulled that WAN link it would not failover automatically and you would have to kill that session and restart it - I was using pretty old IOS on GNS3 though).
It is not shown here but you can control which source address gets NAT'ted on which connection through the use of policy routing.


! Create two IP SLA monitors that ping the next hop of each WAN connection. Note that the
! "reachability" track type used below keys off whether a reply arrives inside the
! timeout (1000 ms); the 40 ms threshold only affects a "state" track, not these routes
ip sla monitor 1
 type echo protocol ipIcmpEcho 123.123.123.2 source-interface FastEthernet0/0
 timeout 1000
 threshold 40
 frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 124.124.124.2 source-interface FastEthernet1/0
 timeout 1000
 threshold 40
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
!
! Create two tracking objects to track the state of the ip sla monitors
track timer interface 5
!
track 123 rtr 1 reachability
 delay down 15 up 10
!
track 345 rtr 2 reachability
 delay down 15 up 10
!
! Fa0/0 defined as an outside NAT interface
interface FastEthernet0/0
 description WAN Connection 1
 ip address 123.123.123.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Fa0/1 defined as an inside NAT interface
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Fa1/0 defined as an outside NAT interface
interface FastEthernet1/0
 description WAN Connection 2
 ip address 124.124.124.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
! Two default routes, each installed only while its tracking object is up; with both
! up, CEF shares traffic across them per destination
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 123.123.123.2 track 123
ip route 0.0.0.0 0.0.0.0 124.124.124.2 track 345
!
! NAT overload statements for each WAN interface referencing their own 
! route-map
ip nat inside source route-map nat1 interface FastEthernet0/0 overload
ip nat inside source route-map nat2 interface FastEthernet1/0 overload
!
! ACL defining the "inside" network
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
! Route-map referencing the ACL and matching one outside interface, so a translation
! is only built for packets actually leaving via that interface
route-map nat2 permit 10
 match ip address 100
 match interface FastEthernet1/0
!
! Route-map referencing the same ACL and matching the other interface
route-map nat1 permit 10
 match ip address 100
 match interface FastEthernet0/0
!
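
As an added example (not from the post, nor from Cisco) of what "delay down 15 up 10" buys you, the Python model below runs the two tracked default routes against a constructed sequence of SLA probe results: one short loss on WAN 1 that is shorter than the down delay and so never withdraws the route, and one longer loss that withdraws the route 15 s after the first missed probe and reinstalls it 10 s after probes succeed again. The model is deliberately simplified: one tick per second, a probe every "frequency" seconds whose result stands until the next, and a track that flips only once reachability has disagreed with it for the full delay. The names TrackedRoute, simulate, transitions and run_scenario are this example's own, and the probe log is constructed, not captured from a router.

```python
"""Model of 'track N rtr M reachability' with 'delay down 15 up 10' driving two
tracked default routes. Added example, not from the post; simplified model."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class TrackedRoute:
    name: str           # which SLA probe feeds this route (e.g. "rtr 1")
    next_hop: str
    delay_down: int     # seconds reachability must stay down before the track goes down
    delay_up: int       # seconds reachability must stay up before the track goes up
    up: bool = True     # track state; the static route is installed while True
    pending_since: Optional[int] = None  # tick when reachability first disagreed with `up`

    def observe(self, tick: int, reachable: bool) -> bool:
        """Feed one second of reachability; return whether the route is installed."""
        if reachable == self.up:
            self.pending_since = None      # disagreement ended: cancel the pending change
            return self.up
        if self.pending_since is None:
            self.pending_since = tick
        delay = self.delay_up if reachable else self.delay_down
        if tick - self.pending_since >= delay:
            self.up = reachable
            self.pending_since = None
        return self.up


def simulate(probes: Dict[str, List[bool]], routes: List[TrackedRoute],
             frequency: int = 3) -> List[FrozenSet[str]]:
    """Return, per one-second tick, the set of default-route next hops installed.
    probes[name][i] is the result of probe i (True = reply within timeout); a probe
    runs every `frequency` seconds and its result stands until the next one."""
    ticks = max(len(v) for v in probes.values()) * frequency
    history = []
    for t in range(ticks):
        installed = {r.next_hop for r in routes if r.observe(t, probes[r.name][t // frequency])}
        history.append(frozenset(installed))
    return history


def transitions(history: List[FrozenSet[str]]) -> List[Tuple[int, List[str]]]:
    """Ticks at which the installed set changed, with the new set."""
    out = [(0, sorted(history[0]))]
    for t in range(1, len(history)):
        if history[t] != history[t - 1]:
            out.append((t, sorted(history[t])))
    return out


def run_scenario() -> List[FrozenSet[str]]:
    """Constructed probe log: WAN 1 loses 2 probes (6 s, ignored), later 8 probes
    (24 s: route withdrawn after 15 s, restored 10 s after recovery); WAN 2 stays up."""
    wan1 = [True] * 5 + [False] * 2 + [True] * 5 + [False] * 8 + [True] * 10
    wan2 = [True] * len(wan1)
    routes = [
        TrackedRoute("rtr 1", "123.123.123.2", delay_down=15, delay_up=10),  # track 123
        TrackedRoute("rtr 2", "124.124.124.2", delay_down=15, delay_up=10),  # track 345
    ]
    return simulate({"rtr 1": wan1, "rtr 2": wan2}, routes)


if __name__ == "__main__":
    for tick, installed in transitions(run_scenario()):
        print(f"t={tick:3d}s installed default routes via {installed}")
```

The route table changes only twice in the 90 s scenario: WAN 1's default route disappears at t=51 s and returns at t=70 s, while WAN 2's stays installed throughout. What the model does not capture is the behaviour noted above for translations that already exist when a link is pulled; it only shows which routes are in the table, not what happens to established NAT sessions.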