VRF Lite Configuration on Cisco IOS

Hi,
I’m building a lab for a POC and need some advice.

Topology:

                       --------------------------
                       -                              -
                       -        Firewall        -         
                       -                              - 
                       --------------------------
                                     |         int E0/0 (192.168.2.1/24)
                                     |
                                     |
                        --------------------------
                       |                              |
                       |                              |        int vlan 2 (192.168.2.2/24) - VRF BLUE
                       |     L3 Switch        |        int vlan 8 (192.168.8.1/24) - VRF GREEN
                       |                              |        int vlan 12 (192.168.12.1/24) - VRF RED
                       |                              |
                        ---------------------------
                                |              |
                                |              |
                                |              |
                                |              |
                    -------------            -------------
                   |              |          |              |
                   |  Host    |          |  Host   |
                   | GREEN |          |   RED   |
                    -------------            -------------

Goal:
All three VRFs should use the default route of VRF BLUE, so traffic from all networks should be routed to 192.168.2.1.

#############################################################
####### Method 1 (using route-target export): #######
#############################################################

ip vrf BLUE
 rd 1:1
 route-target export 1:1
 route-target import 2:2


ip vrf GREEN
 rd 2:2
 route-target export 2:2
 route-target import 1:1


ip vrf RED
 rd 3:3
 route-target export 3:3
 route-target import 1:1



interface Vlan2
 ip vrf forwarding BLUE
 ip address 192.168.2.2 255.255.255.0


interface Vlan8
 ip vrf forwarding GREEN
 ip address 192.168.8.1 255.255.255.0


interface Vlan12
 ip vrf forwarding RED
 ip address 192.168.12.1 255.255.255.0


ip route vrf BLUE 0.0.0.0 0.0.0.0 192.168.2.1

CORE_Router#sho ip route vrf BLUE

Routing Table: BLUE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.2.1
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, GigabitEthernet0/0
L        192.168.2.2/32 is directly connected, GigabitEthernet0/0

The route (default route) is not exported to vrf GREEN:

CORE_Router#sho ip route vrf GREEN

Routing Table: GREEN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

  192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.8.0/24 is directly connected, GigabitEthernet0/4
L        192.168.8.1/32 is directly connected, GigabitEthernet0/4
CORE_Router#


CORE_Router#ping vrf BLUE 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
CORE_Router#



CORE_Router#ping vrf GREEN 8.8.8.8 so Vlan 8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CORE_Router#

##############################################################################
####### Method 2 (pointing vrf route to global routing table): #######
##############################################################################

ip vrf BLUE
 rd 1:1

ip vrf GREEN
 rd 2:2

ip vrf RED
 rd 3:3


interface Vlan2
 ip vrf forwarding BLUE
 ip address 192.168.2.2 255.255.255.0

interface Vlan8
 ip vrf forwarding GREEN
 ip address 192.168.8.1 255.255.255.0

interface Vlan12
 ip vrf forwarding RED
 ip address 192.168.12.1 255.255.255.0


ip route 192.168.2.1 255.255.255.255 Vlan2
ip route 192.168.8.0 255.255.255.0 Vlan8
ip route 192.168.12.0 255.255.255.0 Vlan12

ip route vrf BLUE 0.0.0.0 0.0.0.0 192.168.2.1
ip route vrf BLUE 192.168.8.0 255.255.255.0 192.168.8.1 global
ip route vrf BLUE 192.168.12.0 255.255.255.0 192.168.12.1 global


ip route vrf GREEN 0.0.0.0 0.0.0.0 192.168.2.1 global

ip route vrf RED 0.0.0.0 0.0.0.0 192.168.2.1 global

With this setup, pings from the SVIs are working:

CORE#ping vrf BLUE 8.8.8.8 so vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
CORE#


CORE#ping vrf GREEN 8.8.8.8 so vlan 8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/9 ms
CORE#


CORE#ping vrf RED 8.8.8.8 so vlan 12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/10 ms
CORE#




CORE#sho ip route vrf BLUE

Routing Table: BLUE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.2.1
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, Vlan2
L        192.168.2.2/32 is directly connected, Vlan2
S     192.168.8.0/24 [1/0] via 192.168.8.1
S     192.168.12.0/24 [1/0] via 192.168.12.1
CORE#



CORE#sho ip route vrf GREEN

Routing Table: GREEN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.2.1
      192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.8.0/24 is directly connected, Vlan8
L        192.168.8.1/32 is directly connected, Vlan8
CORE#




CORE#sho ip route vrf RED

Routing Table: RED
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.2.1
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Vlan12
L        192.168.12.1/32 is directly connected, Vlan12
CORE#

However, ping from any workstation on an access port in VLAN 8 (VRF GREEN) or VLAN 12 (VRF RED) doesn’t work.

Workstation GREEN:
IP: 192.168.8.10/24
Default Gateway: 192.168.8.1

Workstation RED:
IP: 192.168.8.10/24
Default Gateway: 192.168.8.1

Ping from Workstation GREEN:

GREEN#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
GREEN#

Debug IP packet on Core:

CORE#
*Oct  6 13:02:05.326: IP: s=8.8.8.8 (Vlan2), d=192.168.8.10, len 100, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct  6 13:02:05.330: IP: tableid=5, s=8.8.8.8 (Vlan2), d=192.168.8.10 (Vlan8), routed via FIB
*Oct  6 13:02:05.332: IP: s=8.8.8.8 (Vlan2), d=192.168.8.10, len 100, rcvd 4
*Oct  6 13:02:05.333: IP: s=8.8.8.8 (Vlan2), d=192.168.8.10, len 100, stop process pak for forus packet
CORE#

Debug ICMP on Core:

CORE#
*Oct  6 13:03:47.006: ICMP: echo reply rcvd, src 8.8.8.8, dst 192.168.8.10, topology BASE, dscp 0 topoid 6
CORE#

Does anybody have an idea? I have tested so many things but I’m losing my faith :(

Would be great if someone could comment.

Many thanks,
Oliver
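
An added example (not part of the original post): a small Python check that reads the Method 1 VRF definitions above and reports which VRFs would exchange routes by route-target, which of those leaks are one-way, and whether the config has a `router bgp` process, since route-target import/export on IOS acts on routes carried in BGP. The function names are illustrative and the sample config is copied from the post.

```python
import re

# Constructed input: the Method 1 VRF definitions, copied from the post above.
METHOD1 = """\
ip vrf BLUE
 rd 1:1
 route-target export 1:1
 route-target import 2:2
ip vrf GREEN
 rd 2:2
 route-target export 2:2
 route-target import 1:1
ip vrf RED
 rd 3:3
 route-target export 3:3
 route-target import 1:1
"""

def parse_vrfs(config):
    """Return {vrf: {"export": set, "import": set}} from 'ip vrf' blocks."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip vrf (\S+)$", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
            continue
        m = re.match(r"\s+route-target (export|import|both) (\S+)", line)
        if m and current is not None:
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for k in kinds:
                current[k].add(m.group(2))
        elif not line.startswith(" "):
            current = None  # an unindented line ends the VRF block
    return vrfs

def leak_pairs(vrfs):
    """(src, dst) pairs where dst imports a route-target that src exports."""
    return sorted((s, d) for s in vrfs for d in vrfs if s != d and vrfs[s]["export"] & vrfs[d]["import"])

def one_way(pairs):
    """Leaks with no reverse leak: dst learns src's routes, src gets no route back."""
    return [(s, d) for s, d in pairs if (d, s) not in pairs]

def has_bgp(config):
    """True if the config contains a BGP process to carry the leaked routes."""
    return re.search(r"^router bgp \d+", config, re.M) is not None

if __name__ == "__main__":
    pairs = leak_pairs(parse_vrfs(METHOD1))
    print(pairs, one_way(pairs), has_bgp(METHOD1))
```

On the Method 1 config it reports that RED would import from BLUE while BLUE imports nothing from RED, and that no BGP process is configured. Every pair it lists is a deliberate opening in the VRF segmentation and worth reviewing against the firewall policy.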