Re: [c-nsp] Half duplex VRF
I have read that the hub and spoke VRF only works with virtual templates ? And , it's supposed to be configured with AAA server right ? Thanks BR, Mohammad Date: Fri, 12 Oct 2012 15:15:55 +0530 From: vinzoda.hit...@gmail.com To: g...@ax.tc CC: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Half duplex VRF Hi Gerald, I have tested this and worked like charm.. thanks for sharing the working configuration. Best Regards Hitesh On Fri, Oct 12, 2012 at 9:02 AM, Hitesh Vinzoda vinzoda.hit...@gmail.comwrote: Hi Gerald, Thanks for your inputs. Will try this configuration and let you know how it goes..! Cheers Hitesh On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause g...@ax.tc wrote: Hi Hitesh, just to let you know how our working config looks like. We had some problems in the beginning with Half duplex VRF on earlier IOS versions. Now we're running 122-33.SRE on a NPE-G2 and it works as expected. Traffic from site1 to site2 (both terminated via L2TP/PPP on the same LNS) will be directed (egress) to port GE0/3.148 towards the firewall 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall permit the traffic. LNS CONFIG == LNS1#sh run vrf CUSTVRF-DOWN Building configuration... Current configuration : 603 bytes ip vrf CUSTVRF-DOWN rd 100:2 route-target export 100:2 route-target import 100:2 ! ! interface GigabitEthernet0/3.149 encapsulation dot1Q 149 ip vrf forwarding CUSTVRF-DOWN ip address 10.99.16.227 255.255.255.240 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-DOWN no synchronization redistribute connected redistribute static exit-address-family ! end LNS1#sh run vrf CUSTVRF-UP Building configuration... Current configuration : 816 bytes ip vrf CUSTVRF-UP rd 100:3 route-target export 100:3 route-target import 100:1 ! ! interface GigabitEthernet0/3.148 encapsulation dot1Q 148 ip vrf forwarding CUSTVRF-UP ip address 10.99.16.243 255.255.255.240 ! interface Loopback102 description CUSTVRF ip vrf forwarding CUSTVRF-UP ip address 10.99.17.254 255.255.255.255 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-UP no synchronization redistribute connected redistribute static default-information originate exit-address-family ! ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254 end RADIUS ACCOUNTS (freeRadius) === cust-vrfsite1 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.68 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0 cust-vrfsite2 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.69 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0 Gerald Am 11.10.2012 07:45, schrieb Hitesh Vinzoda: Hi Arie, This is already in place and the virtual-access interfaces belongs to this vrf and so do their PPP host router. This routes are not visible in upstream vrt U which is great but these routes do appear in Downstream vrf D so that is the reason they route locally and doesnt go towards hub CE. The illustrations that i have seen before have CE sites connected on different PE routers whereas in my case the CE routers are connected to same PE and hence we want to avoid local routing on the LNS. Please let me know your thoughts over this. Thanks Hitesh On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner) avay...@cisco.comwrote: So basically your PPP connections are in the global routing table… What is the profile you are downloading from RADIUS (debug radius) for them? ** ** You most likely should be downloading the “ip vrf forwarding U downstream D” command using the RADIUS attribute “lcp:interface-config=ip vrf forwarding U downstream D”… http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907 ** ** Arie ** ** *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] *Sent:* Wednesday, October 10, 2012 00:44 *To:* Arie Vayner (avayner) *Cc:* Cisco Mailing list *Subject:* Re: [c-nsp] Half duplex VRF ** ** Hi Arie, ** ** Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but its visible in show ip int virtual-access. I have tried two different way in RADIUS attributes but the results are the same. ** ** LNS#show ppp all Interface/ID OPEN+ Nego* Fail- StagePeer AddressPeer Name
Re: [c-nsp] Half duplex VRF
Half Duplex VRF can also be supported on regular interfaces. Note the downstream option: http://www.cisco.com/en/US/docs/ios-xml/ios/mpls/command/mp-e1.html#GUID-004281BD-F140-4EA1-BD00-30179140C189t Arie -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil Sent: Tuesday, October 23, 2012 04:52 To: vinzoda.hit...@gmail.com; g...@ax.tc Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Half duplex VRF I have read that the hub and spoke VRF only works with virtual templates ? And , it's supposed to be configured with AAA server right ? Thanks BR, Mohammad Date: Fri, 12 Oct 2012 15:15:55 +0530 From: vinzoda.hit...@gmail.com To: g...@ax.tc CC: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Half duplex VRF Hi Gerald, I have tested this and worked like charm.. thanks for sharing the working configuration. Best Regards Hitesh On Fri, Oct 12, 2012 at 9:02 AM, Hitesh Vinzoda vinzoda.hit...@gmail.comwrote: Hi Gerald, Thanks for your inputs. Will try this configuration and let you know how it goes..! Cheers Hitesh On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause g...@ax.tc wrote: Hi Hitesh, just to let you know how our working config looks like. We had some problems in the beginning with Half duplex VRF on earlier IOS versions. Now we're running 122-33.SRE on a NPE-G2 and it works as expected. Traffic from site1 to site2 (both terminated via L2TP/PPP on the same LNS) will be directed (egress) to port GE0/3.148 towards the firewall 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall permit the traffic. LNS CONFIG == LNS1#sh run vrf CUSTVRF-DOWN Building configuration... Current configuration : 603 bytes ip vrf CUSTVRF-DOWN rd 100:2 route-target export 100:2 route-target import 100:2 ! ! interface GigabitEthernet0/3.149 encapsulation dot1Q 149 ip vrf forwarding CUSTVRF-DOWN ip address 10.99.16.227 255.255.255.240 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-DOWN no synchronization redistribute connected redistribute static exit-address-family ! end LNS1#sh run vrf CUSTVRF-UP Building configuration... Current configuration : 816 bytes ip vrf CUSTVRF-UP rd 100:3 route-target export 100:3 route-target import 100:1 ! ! interface GigabitEthernet0/3.148 encapsulation dot1Q 148 ip vrf forwarding CUSTVRF-UP ip address 10.99.16.243 255.255.255.240 ! interface Loopback102 description CUSTVRF ip vrf forwarding CUSTVRF-UP ip address 10.99.17.254 255.255.255.255 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-UP no synchronization redistribute connected redistribute static default-information originate exit-address-family ! ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254 end RADIUS ACCOUNTS (freeRadius) === cust-vrfsite1 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.68 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0 cust-vrfsite2 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.69 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0 Gerald Am 11.10.2012 07:45, schrieb Hitesh Vinzoda: Hi Arie, This is already in place and the virtual-access interfaces belongs to this vrf and so do their PPP host router. This routes are not visible in upstream vrt U which is great but these routes do appear in Downstream vrf D so that is the reason they route locally and doesnt go towards hub CE. The illustrations that i have seen before have CE sites connected on different PE routers whereas in my case the CE routers are connected to same PE and hence we want to avoid local routing on the LNS. Please let me know your thoughts over this. Thanks Hitesh On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner) avay...@cisco.comwrote: So basically your PPP connections are in the global routing table... What is the profile you are downloading from RADIUS (debug radius) for them? ** ** You most likely should be downloading the ip vrf forwarding U downstream D command using the RADIUS attribute lcp:interface-config=ip vrf forwarding U downstream D... http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907 ** ** Arie ** ** *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] *Sent:* Wednesday, October 10, 2012 00:44 *To:* Arie Vayner (avayner) *Cc:* Cisco Mailing list *Subject:* Re: [c-nsp] Half duplex VRF
Re: [c-nsp] Half duplex VRF
Hi Gerald, I have tested this and worked like charm.. thanks for sharing the working configuration. Best Regards Hitesh On Fri, Oct 12, 2012 at 9:02 AM, Hitesh Vinzoda vinzoda.hit...@gmail.comwrote: Hi Gerald, Thanks for your inputs. Will try this configuration and let you know how it goes..! Cheers Hitesh On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause g...@ax.tc wrote: Hi Hitesh, just to let you know how our working config looks like. We had some problems in the beginning with Half duplex VRF on earlier IOS versions. Now we're running 122-33.SRE on a NPE-G2 and it works as expected. Traffic from site1 to site2 (both terminated via L2TP/PPP on the same LNS) will be directed (egress) to port GE0/3.148 towards the firewall 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall permit the traffic. LNS CONFIG == LNS1#sh run vrf CUSTVRF-DOWN Building configuration... Current configuration : 603 bytes ip vrf CUSTVRF-DOWN rd 100:2 route-target export 100:2 route-target import 100:2 ! ! interface GigabitEthernet0/3.149 encapsulation dot1Q 149 ip vrf forwarding CUSTVRF-DOWN ip address 10.99.16.227 255.255.255.240 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-DOWN no synchronization redistribute connected redistribute static exit-address-family ! end LNS1#sh run vrf CUSTVRF-UP Building configuration... Current configuration : 816 bytes ip vrf CUSTVRF-UP rd 100:3 route-target export 100:3 route-target import 100:1 ! ! interface GigabitEthernet0/3.148 encapsulation dot1Q 148 ip vrf forwarding CUSTVRF-UP ip address 10.99.16.243 255.255.255.240 ! interface Loopback102 description CUSTVRF ip vrf forwarding CUSTVRF-UP ip address 10.99.17.254 255.255.255.255 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-UP no synchronization redistribute connected redistribute static default-information originate exit-address-family ! ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254 end RADIUS ACCOUNTS (freeRadius) === cust-vrfsite1 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.68 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0 cust-vrfsite2 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.69 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0 Gerald Am 11.10.2012 07:45, schrieb Hitesh Vinzoda: Hi Arie, This is already in place and the virtual-access interfaces belongs to this vrf and so do their PPP host router. This routes are not visible in upstream vrt U which is great but these routes do appear in Downstream vrf D so that is the reason they route locally and doesnt go towards hub CE. The illustrations that i have seen before have CE sites connected on different PE routers whereas in my case the CE routers are connected to same PE and hence we want to avoid local routing on the LNS. Please let me know your thoughts over this. Thanks Hitesh On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner) avay...@cisco.comwrote: So basically your PPP connections are in the global routing table… What is the profile you are downloading from RADIUS (debug radius) for them? ** ** You most likely should be downloading the “ip vrf forwarding U downstream D” command using the RADIUS attribute “lcp:interface-config=ip vrf forwarding U downstream D”… http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907 ** ** Arie ** ** *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] *Sent:* Wednesday, October 10, 2012 00:44 *To:* Arie Vayner (avayner) *Cc:* Cisco Mailing list *Subject:* Re: [c-nsp] Half duplex VRF ** ** Hi Arie, ** ** Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but its visible in show ip int virtual-access. I have tried two different way in RADIUS attributes but the results are the same. ** ** LNS#show ppp all Interface/ID OPEN+ Nego* Fail- StagePeer AddressPeer Name - --- Vi4 LCP+ CHAP+ IPCP+ LocalT 192.168.254.200 \ sp...@cerberusnetworks.co.uk Vi3 LCP+ CHAP+ IPCP+ LocalT 192.168.254.100 \ m...@cerberusnetworks.co.uk LNS#show run int vir LNS#show run int virtual-acc LNS#show run int virtual-access 3 Building configuration... ** ** Current configuration : 78 bytes ! interface Virtual-Access3 ip mtu 1492 ip verify unicast reverse-path end
Re: [c-nsp] Half duplex VRF
Hi Hitesh, just to let you know how our working config looks like. We had some problems in the beginning with Half duplex VRF on earlier IOS versions. Now we're running 122-33.SRE on a NPE-G2 and it works as expected. Traffic from site1 to site2 (both terminated via L2TP/PPP on the same LNS) will be directed (egress) to port GE0/3.148 towards the firewall 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall permit the traffic. LNS CONFIG == LNS1#sh run vrf CUSTVRF-DOWN Building configuration... Current configuration : 603 bytes ip vrf CUSTVRF-DOWN rd 100:2 route-target export 100:2 route-target import 100:2 ! ! interface GigabitEthernet0/3.149 encapsulation dot1Q 149 ip vrf forwarding CUSTVRF-DOWN ip address 10.99.16.227 255.255.255.240 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-DOWN no synchronization redistribute connected redistribute static exit-address-family ! end LNS1#sh run vrf CUSTVRF-UP Building configuration... Current configuration : 816 bytes ip vrf CUSTVRF-UP rd 100:3 route-target export 100:3 route-target import 100:1 ! ! interface GigabitEthernet0/3.148 encapsulation dot1Q 148 ip vrf forwarding CUSTVRF-UP ip address 10.99.16.243 255.255.255.240 ! interface Loopback102 description CUSTVRF ip vrf forwarding CUSTVRF-UP ip address 10.99.17.254 255.255.255.255 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-UP no synchronization redistribute connected redistribute static default-information originate exit-address-family ! ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254 end RADIUS ACCOUNTS (freeRadius) === cust-vrfsite1 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.68 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0 cust-vrfsite2 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.69 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0 Gerald Am 11.10.2012 07:45, schrieb Hitesh Vinzoda: Hi Arie, This is already in place and the virtual-access interfaces belongs to this vrf and so do their PPP host router. This routes are not visible in upstream vrt U which is great but these routes do appear in Downstream vrf D so that is the reason they route locally and doesnt go towards hub CE. The illustrations that i have seen before have CE sites connected on different PE routers whereas in my case the CE routers are connected to same PE and hence we want to avoid local routing on the LNS. Please let me know your thoughts over this. Thanks Hitesh On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner) avay...@cisco.comwrote: So basically your PPP connections are in the global routing table… What is the profile you are downloading from RADIUS (debug radius) for them? ** ** You most likely should be downloading the “ip vrf forwarding U downstream D” command using the RADIUS attribute “lcp:interface-config=ip vrf forwarding U downstream D”… http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907 ** ** Arie ** ** *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] *Sent:* Wednesday, October 10, 2012 00:44 *To:* Arie Vayner (avayner) *Cc:* Cisco Mailing list *Subject:* Re: [c-nsp] Half duplex VRF ** ** Hi Arie, ** ** Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but its visible in show ip int virtual-access. I have tried two different way in RADIUS attributes but the results are the same. ** ** LNS#show ppp all Interface/ID OPEN+ Nego* Fail- StagePeer AddressPeer Name - --- Vi4 LCP+ CHAP+ IPCP+ LocalT 192.168.254.200 \ sp...@cerberusnetworks.co.uk Vi3 LCP+ CHAP+ IPCP+ LocalT 192.168.254.100 \ m...@cerberusnetworks.co.uk LNS#show run int vir LNS#show run int virtual-acc LNS#show run int virtual-access 3 Building configuration... ** ** Current configuration : 78 bytes ! interface Virtual-Access3 ip mtu 1492 ip verify unicast reverse-path end ** ** LNS#show run int virtual-access 4 Building configuration... ** ** Current configuration : 78 bytes ! interface Virtual-Access4 ip mtu 1492 ip verify unicast reverse-path end = ** ** LNS#show ip int virtual-access 3 Virtual-Access3 is up, line protocol is up Interface is unnumbered. Using address of Loopback2 (2.2.2.1) Broadcast address is 255.255.255.255 Peer address is 192.168.254.100 MTU is 1492 bytes Helper address
Re: [c-nsp] Half duplex VRF
Hi Gerald, Thanks for your inputs. Will try this configuration and let you know how it goes..! Cheers Hitesh On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause g...@ax.tc wrote: Hi Hitesh, just to let you know how our working config looks like. We had some problems in the beginning with Half duplex VRF on earlier IOS versions. Now we're running 122-33.SRE on a NPE-G2 and it works as expected. Traffic from site1 to site2 (both terminated via L2TP/PPP on the same LNS) will be directed (egress) to port GE0/3.148 towards the firewall 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall permit the traffic. LNS CONFIG == LNS1#sh run vrf CUSTVRF-DOWN Building configuration... Current configuration : 603 bytes ip vrf CUSTVRF-DOWN rd 100:2 route-target export 100:2 route-target import 100:2 ! ! interface GigabitEthernet0/3.149 encapsulation dot1Q 149 ip vrf forwarding CUSTVRF-DOWN ip address 10.99.16.227 255.255.255.240 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-DOWN no synchronization redistribute connected redistribute static exit-address-family ! end LNS1#sh run vrf CUSTVRF-UP Building configuration... Current configuration : 816 bytes ip vrf CUSTVRF-UP rd 100:3 route-target export 100:3 route-target import 100:1 ! ! interface GigabitEthernet0/3.148 encapsulation dot1Q 148 ip vrf forwarding CUSTVRF-UP ip address 10.99.16.243 255.255.255.240 ! interface Loopback102 description CUSTVRF ip vrf forwarding CUSTVRF-UP ip address 10.99.17.254 255.255.255.255 ! router bgp 1 ! address-family ipv4 vrf CUSTVRF-UP no synchronization redistribute connected redistribute static default-information originate exit-address-family ! ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254 end RADIUS ACCOUNTS (freeRadius) === cust-vrfsite1 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.68 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0 cust-vrfsite2 Password == Cisco-AVPair += ip:ip-unnumbered=Loopback102 Cisco-AVPair += ip:addr=10.99.17.69 Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0 Gerald Am 11.10.2012 07:45, schrieb Hitesh Vinzoda: Hi Arie, This is already in place and the virtual-access interfaces belongs to this vrf and so do their PPP host router. This routes are not visible in upstream vrt U which is great but these routes do appear in Downstream vrf D so that is the reason they route locally and doesnt go towards hub CE. The illustrations that i have seen before have CE sites connected on different PE routers whereas in my case the CE routers are connected to same PE and hence we want to avoid local routing on the LNS. Please let me know your thoughts over this. Thanks Hitesh On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner) avay...@cisco.comwrote: So basically your PPP connections are in the global routing table… What is the profile you are downloading from RADIUS (debug radius) for them? ** ** You most likely should be downloading the “ip vrf forwarding U downstream D” command using the RADIUS attribute “lcp:interface-config=ip vrf forwarding U downstream D”… http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907 ** ** Arie ** ** *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] *Sent:* Wednesday, October 10, 2012 00:44 *To:* Arie Vayner (avayner) *Cc:* Cisco Mailing list *Subject:* Re: [c-nsp] Half duplex VRF ** ** Hi Arie, ** ** Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but its visible in show ip int virtual-access. I have tried two different way in RADIUS attributes but the results are the same. ** ** LNS#show ppp all Interface/ID OPEN+ Nego* Fail- StagePeer AddressPeer Name - --- Vi4 LCP+ CHAP+ IPCP+ LocalT 192.168.254.200 \ sp...@cerberusnetworks.co.uk Vi3 LCP+ CHAP+ IPCP+ LocalT 192.168.254.100 \ m...@cerberusnetworks.co.uk LNS#show run int vir LNS#show run int virtual-acc LNS#show run int virtual-access 3 Building configuration... ** ** Current configuration : 78 bytes ! interface Virtual-Access3 ip mtu 1492 ip verify unicast reverse-path end ** ** LNS#show run int virtual-access 4 Building configuration... ** ** Current configuration : 78 bytes ! interface Virtual-Access4 ip mtu 1492
Re: [c-nsp] Half duplex VRF
Hi Arie, Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but its visible in show ip int virtual-access. I have tried two different way in RADIUS attributes but the results are the same. LNS#show ppp all Interface/ID OPEN+ Nego* Fail- StagePeer AddressPeer Name - --- Vi4 LCP+ CHAP+ IPCP+ LocalT 192.168.254.200 \ sp...@cerberusnetworks.co.uk Vi3 LCP+ CHAP+ IPCP+ LocalT 192.168.254.100 \ m...@cerberusnetworks.co.uk LNS#show run int vir LNS#show run int virtual-acc LNS#show run int virtual-access 3 Building configuration... Current configuration : 78 bytes ! interface Virtual-Access3 ip mtu 1492 ip verify unicast reverse-path end LNS#show run int virtual-access 4 Building configuration... Current configuration : 78 bytes ! interface Virtual-Access4 ip mtu 1492 ip verify unicast reverse-path end = LNS#show ip int virtual-access 3 Virtual-Access3 is up, line protocol is up Interface is unnumbered. Using address of Loopback2 (2.2.2.1) Broadcast address is 255.255.255.255 Peer address is 192.168.254.100 MTU is 1492 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP Flow switching is disabled IP CEF switching is enabled IP CEF switching turbo vector IP CEF turbo switching turbo vector VPN Routing/Forwarding U Downstream VPN Routing/Forwarding D Associated unicast routing topologies: ipv4 topologies in downstream VRF D : Topology base, operation state is UP ipv4 topologies in upstream(forwarding) VRF U: Topology base, operation state is UP === Thanks Hitesh On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) avay...@cisco.comwrote: Hitesh, how does your virtual-access look like for the spokes? Can you please share the “show run interface virtual-access xx” for the spokes? ** ** Tnx Arie ** ** *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] *Sent:* Tuesday, October 09, 2012 09:05 *To:* Arie Vayner (avayner) *Cc:* Cisco Mailing list *Subject:* Re: [c-nsp] Half duplex VRF ** ** Hi Arie, ** ** I have attached topology, .Net file and configs of related devices. R8 and R9 are simulating spokes whereas Internet-RTR is simulating Hub. ** ** Cheers ** ** Hitesh On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) avay...@cisco.com wrote: Hitesh, can you maybe share some of your configs? Arie -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto: cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda Sent: Tuesday, October 09, 2012 07:04 To: Cisco Mailing list Subject: [c-nsp] Half duplex VRF I am trying to setup half duplex vrf to save vrf's on the LNS. Does anyone has working configuration for spokes and Hub connected on the same PE router i.e. LNS. So far i able to export-import the routes but the traces from one spoke to other goes directly via LNS instead of via Hub. Please advise. TIA Hitesh ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ** ** ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Half duplex VRF
So basically your PPP connections are in the global routing table... What is the profile you are downloading from RADIUS (debug radius) for them? You most likely should be downloading the ip vrf forwarding U downstream D command using the RADIUS attribute lcp:interface-config=ip vrf forwarding U downstream D... http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907 Arie From: Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] Sent: Wednesday, October 10, 2012 00:44 To: Arie Vayner (avayner) Cc: Cisco Mailing list Subject: Re: [c-nsp] Half duplex VRF Hi Arie, Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but its visible in show ip int virtual-access. I have tried two different way in RADIUS attributes but the results are the same. LNS#show ppp all Interface/ID OPEN+ Nego* Fail- StagePeer AddressPeer Name - --- Vi4 LCP+ CHAP+ IPCP+ LocalT 192.168.254.200 \ sp...@cerberusnetworks.co.ukmailto:sp...@cerberusnetworks.co.uk Vi3 LCP+ CHAP+ IPCP+ LocalT 192.168.254.100 \ m...@cerberusnetworks.co.ukmailto:m...@cerberusnetworks.co.uk LNS#show run int vir LNS#show run int virtual-acc LNS#show run int virtual-access 3 Building configuration... Current configuration : 78 bytes ! interface Virtual-Access3 ip mtu 1492 ip verify unicast reverse-path end LNS#show run int virtual-access 4 Building configuration... Current configuration : 78 bytes ! interface Virtual-Access4 ip mtu 1492 ip verify unicast reverse-path end = LNS#show ip int virtual-access 3 Virtual-Access3 is up, line protocol is up Interface is unnumbered. Using address of Loopback2 (2.2.2.1) Broadcast address is 255.255.255.255 Peer address is 192.168.254.100 MTU is 1492 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP Flow switching is disabled IP CEF switching is enabled IP CEF switching turbo vector IP CEF turbo switching turbo vector VPN Routing/Forwarding U Downstream VPN Routing/Forwarding D Associated unicast routing topologies: ipv4 topologies in downstream VRF D : Topology base, operation state is UP ipv4 topologies in upstream(forwarding) VRF U: Topology base, operation state is UP === Thanks Hitesh On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) avay...@cisco.commailto:avay...@cisco.com wrote: Hitesh, how does your virtual-access look like for the spokes? Can you please share the show run interface virtual-access xx for the spokes? Tnx Arie From: Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.commailto:vinzoda.hit...@gmail.com] Sent: Tuesday, October 09, 2012 09:05 To: Arie Vayner (avayner) Cc: Cisco Mailing list Subject: Re: [c-nsp] Half duplex VRF Hi Arie, I have attached topology, .Net file and configs of related devices. R8 and R9 are simulating spokes whereas Internet-RTR is simulating Hub. Cheers Hitesh On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) avay...@cisco.commailto:avay...@cisco.com wrote: Hitesh, can you maybe share some of your configs? Arie -Original Message- From: cisco-nsp-boun...@puck.nether.netmailto:cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.netmailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda Sent: Tuesday, October 09, 2012 07:04 To: Cisco Mailing list Subject: [c-nsp] Half duplex VRF I am trying to setup half duplex vrf to save vrf's on the LNS. Does anyone has working configuration for spokes and Hub connected on the same PE router i.e. LNS. So far i able to export-import the routes but the traces from one spoke to other goes directly via LNS instead of via Hub. Please advise. TIA Hitesh ___ cisco-nsp mailing list cisco-nsp@puck.nether.netmailto:cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Half duplex VRF
Hi Arie, This is already in place and the virtual-access interfaces belongs to this vrf and so do their PPP host router. This routes are not visible in upstream vrt U which is great but these routes do appear in Downstream vrf D so that is the reason they route locally and doesnt go towards hub CE. The illustrations that i have seen before have CE sites connected on different PE routers whereas in my case the CE routers are connected to same PE and hence we want to avoid local routing on the LNS. Please let me know your thoughts over this. Thanks Hitesh On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner) avay...@cisco.comwrote: So basically your PPP connections are in the global routing table… What is the profile you are downloading from RADIUS (debug radius) for them? ** ** You most likely should be downloading the “ip vrf forwarding U downstream D” command using the RADIUS attribute “lcp:interface-config=ip vrf forwarding U downstream D”… http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907 ** ** Arie ** ** *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] *Sent:* Wednesday, October 10, 2012 00:44 *To:* Arie Vayner (avayner) *Cc:* Cisco Mailing list *Subject:* Re: [c-nsp] Half duplex VRF ** ** Hi Arie, ** ** Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but its visible in show ip int virtual-access. I have tried two different way in RADIUS attributes but the results are the same. ** ** LNS#show ppp all Interface/ID OPEN+ Nego* Fail- StagePeer AddressPeer Name - --- Vi4 LCP+ CHAP+ IPCP+ LocalT 192.168.254.200 \ sp...@cerberusnetworks.co.uk Vi3 LCP+ CHAP+ IPCP+ LocalT 192.168.254.100 \ m...@cerberusnetworks.co.uk LNS#show run int vir LNS#show run int virtual-acc LNS#show run int virtual-access 3 Building configuration... ** ** Current configuration : 78 bytes ! interface Virtual-Access3 ip mtu 1492 ip verify unicast reverse-path end ** ** LNS#show run int virtual-access 4 Building configuration... ** ** Current configuration : 78 bytes ! interface Virtual-Access4 ip mtu 1492 ip verify unicast reverse-path end = ** ** LNS#show ip int virtual-access 3 Virtual-Access3 is up, line protocol is up Interface is unnumbered. Using address of Loopback2 (2.2.2.1) Broadcast address is 255.255.255.255 Peer address is 192.168.254.100 MTU is 1492 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP Flow switching is disabled IP CEF switching is enabled IP CEF switching turbo vector IP CEF turbo switching turbo vector VPN Routing/Forwarding U Downstream VPN Routing/Forwarding D Associated unicast routing topologies: ipv4 topologies in downstream VRF D : Topology base, operation state is UP ipv4 topologies in upstream(forwarding) VRF U: Topology base, operation state is UP === Thanks Hitesh ** ** On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) avay...@cisco.com wrote: Hitesh, how does your virtual-access look like for the spokes? Can you please share the “show run interface virtual-access xx” for the spokes? Tnx Arie *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] *Sent:* Tuesday, October 09, 2012 09:05 *To:* Arie Vayner (avayner) *Cc:* Cisco Mailing list *Subject:* Re: [c-nsp] Half duplex VRF Hi Arie, I have attached topology, .Net file and configs of related devices. R8 and R9 are simulating spokes whereas Internet-RTR is simulating Hub. Cheers Hitesh On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) avay...@cisco.com wrote: Hitesh, can you maybe share some of your configs? Arie -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto: cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda Sent: Tuesday, October 09, 2012 07:04 To: Cisco Mailing list Subject: [c-nsp] Half duplex VRF I am trying to setup half duplex vrf to save vrf's on the LNS. Does anyone has working
[c-nsp] Half duplex VRF
I am trying to setup half duplex vrf to save vrf's on the LNS. Does anyone has working configuration for spokes and Hub connected on the same PE router i.e. LNS. So far i able to export-import the routes but the traces from one spoke to other goes directly via LNS instead of via Hub. Please advise. TIA Hitesh ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Half duplex VRF
Hitesh, can you maybe share some of your configs? Arie -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda Sent: Tuesday, October 09, 2012 07:04 To: Cisco Mailing list Subject: [c-nsp] Half duplex VRF I am trying to setup half duplex vrf to save vrf's on the LNS. Does anyone has working configuration for spokes and Hub connected on the same PE router i.e. LNS. So far i able to export-import the routes but the traces from one spoke to other goes directly via LNS instead of via Hub. Please advise. TIA Hitesh ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Half duplex VRF
Hi Arie, I have attached topology, .Net file and configs of related devices. R8 and R9 are simulating spokes whereas Internet-RTR is simulating Hub. Cheers Hitesh On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) avay...@cisco.comwrote: Hitesh, can you maybe share some of your configs? Arie -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto: cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda Sent: Tuesday, October 09, 2012 07:04 To: Cisco Mailing list Subject: [c-nsp] Half duplex VRF I am trying to setup half duplex vrf to save vrf's on the LNS. Does anyone has working configuration for spokes and Hub connected on the same PE router i.e. LNS. So far i able to export-import the routes but the traces from one spoke to other goes directly via LNS instead of via Hub. Please advise. TIA Hitesh ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Half duplex VRF
Hitesh, how does your virtual-access look like for the spokes? Can you please share the show run interface virtual-access xx for the spokes? Tnx Arie From: Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com] Sent: Tuesday, October 09, 2012 09:05 To: Arie Vayner (avayner) Cc: Cisco Mailing list Subject: Re: [c-nsp] Half duplex VRF Hi Arie, I have attached topology, .Net file and configs of related devices. R8 and R9 are simulating spokes whereas Internet-RTR is simulating Hub. Cheers Hitesh On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) avay...@cisco.commailto:avay...@cisco.com wrote: Hitesh, can you maybe share some of your configs? Arie -Original Message- From: cisco-nsp-boun...@puck.nether.netmailto:cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.netmailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda Sent: Tuesday, October 09, 2012 07:04 To: Cisco Mailing list Subject: [c-nsp] Half duplex VRF I am trying to setup half duplex vrf to save vrf's on the LNS. Does anyone has working configuration for spokes and Hub connected on the same PE router i.e. LNS. So far i able to export-import the routes but the traces from one spoke to other goes directly via LNS instead of via Hub. Please advise. TIA Hitesh ___ cisco-nsp mailing list cisco-nsp@puck.nether.netmailto:cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
