The MPLS-OPS Archive

Re: How to Differentiate Traffic ?
> But if I have to use different IP addresses for tunnel source and tunnel destination, what
> IP address should I be using?...and how to ensure reachability of those
> addresses?...through normal routes or VRF routes?..

The tunnel addresses must be global. Please try to establish them to your global loopbacks (of course making sure that loopbacks are reachable). The most common configuration is, as you later discovered, the internet access directly via the interface and GRE tunnel to the PE's global address (reachable via this interface) with vrf forwarding turned on the GRE tunnel.

> 2. Tried using Loop Back addresses, by creating LB on both PE and CE. Enabled same VRF forwarding VPN1 on Loop Back Interface also on PE end. Used this as the source on PE-CE Tunnel. Similarly for CE-PE end also. This time, I said "ip unnumbered Lo 0" on both end tunnels. This too did not work, don't know why.

As indicated, tunnel src/dst must be in global space (not vrf :).

R.

> krishnak@sify.com wrote:
>
> Hi Robert,
>
> (Sorry for a lengthy mail)
> Thanks for the earlier suggestion. I was able to create a tunnel and then do VRF Forwarding for the traffic coming out of this tunnel alone.
>
> While doing this, I found some interesting problem. I tried creating another tunnel because initially I thought 2 different tunnels are required for each category of traffic, though later realized that one tunnel is enough and other traffic can normally enter through physical interface untagged..!
>
> Somehow this did not work at all.
> I am giving the part config here:
>
> CE:
> int s0/0
> ip address 172.16.35.5 255.255.255.252
>
> int t0
> ip unnumbered s0/0
> tunnel source s0/0
> tunnel destination 172.16.35.6
>
> int t1
> ip unnumbered s0/0
> tunnel source s0/0
> tunnel destination 172.16.35.6
>
> ip route <Provider Net> t0
> ip route <VPN network> t1
>
> PE:
> int s0/0
> ip address 172.16.35.6 255.255.255.252
>
> int t0
> ip unnumbered s0/0
> tunnel source s0/0
> tunnel dest 172.16.35.5
>
> int t1
> ip vrf forwarding VPN1
> ip unnumbered s0/0
> tunnel source s0/0
> tunnel dest 172.16.35.5
>
> ip route <Provider assigned Net> t0
> ip route vrf <VPN Net> t1
>
> (Provider Assigned Net - He might do NAT or Secondary Address with this block of IPs)
>
> I am not able to use this config basically because, it's causing some recursive routing and making the tunnel down.
> This is because I am using the same source and destination on both the tunnels and routers are confused in establishing the adjacencies.
>
> But if I have to use different IP addresses for tunnel source and tunnel destination, what IP address should I be using?...and how to ensure reachability of those addresses?...through normal routes or VRF routes?..
>
> 1. I tried using respective S0/0 addresses as the source respectively on PE-CE and CE-PE tunnels. It did not work, I suppose since VRF forwarding is not enabled on S0/0, that address is not available for Tunnel so might not be able to encapsulate properly.
>
> 2. Tried using Loop Back addresses, by creating LB on both PE and CE. Enabled same VRF forwarding VPN1 on Loop Back Interface also on PE end. Used this as the source on PE-CE Tunnel. Similarly for CE-PE end also. This time, I said "ip unnumbered Lo 0" on both end tunnels. This too did not work, don't know why.
>
> So at the end, I was not able to create two tunnels and route traffic accordingly. It was always throwing either some adjacency errors or some recursive routing problem and shutting down the tunnels.
>
> Is it a limitation or something?.....
> If one can create more than one tunnel and enable VRF forwarding for different VPNs, what IP Addresses have to be used as tunnel destination and source?...
>
> (Of course FR might be a better alternative. But I don't have much idea on that and I did not try that too).
>
> Also, I don't have a strong justification on where does this requirement arise. One I can immediately think of is, one site (single interface) participating in multiple VPNs and using this as an alternative to import/export of routes in "ip vrf <VPN>" configuration. Also may be if rate-limit kind of requirements are there for different kinds of traffic......not so sure....
>
> Request you to clarify.
>
> Thanks,
> KK
>
> Robert Raszuk <raszuk@cisco.com>:
>
> > KK,
> >
> > > In this situation, customer is using MPLS VPN for his VPN requirements. But some of his
> > > traffic has to come out onto the Provider network, say for accessing server located on
> > > Service provider's backbone.
> >
> > The simplest way to separate the traffic which destination is provider's global table at least from the forwarding perspective is to build a GRE tunnel on the PE-CE int and therefore have additional logical subinterface into your PE.
> >
> > R.
> >
> > > krishnak@sify.com wrote:
> > >
> > > Hi,
> > >
> > > I would like to differentiate VPN traffic and non VPN traffic on the same link from CE to PE.
> > >
> > > In this situation, customer is using MPLS VPN for his VPN requirements. But some of his traffic has to come out onto the Provider network, say for accessing server located on Service provider's backbone.
> > > I can actually configure access-lists to classify this traffic, since I know the source address/port from which the traffic originates.
> > >
> > > Specifically, when I configure this on Cisco, on customer interface, I would like to apply this access-list to the command - "ip vrf forwarding VPN1" so that traffic matching to this ACL should not get tagged with this VPN.
> > > I don't see a way in this interface configuration or address-family definitions, or any where else....
> > > Is it possible like this?...
> > >
> > > Any help, configuration sample is highly appreciated..
> > >
> > > KK

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
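
The arrangement described in the reply above (a single GRE tunnel whose endpoints are global loopbacks, `ip vrf forwarding` applied to the PE end of the tunnel, provider-bound traffic left native on the serial link), written out as an added example that is not part of the original thread. The serial addresses and the VRF name VPN1 come from the thread; the loopback addresses, tunnel subnet, `rd` value and 10.x customer prefixes are constructed for illustration.

```cisco
! ---- CE: no VRF here, a single routing table ----
interface Loopback0
 ! constructed tunnel endpoint address
 ip address 192.0.2.1 255.255.255.255
interface Serial0/0
 ip address 172.16.35.5 255.255.255.252
interface Tunnel0
 ! constructed tunnel subnet
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
!
! The tunnel destination must resolve over the physical link, never over
! Tunnel0 itself, otherwise the router reports recursive routing and
! takes the tunnel down.
ip route 192.0.2.2 255.255.255.255 172.16.35.6
! Provider (global table) traffic leaves untunnelled on the serial link.
ip route 0.0.0.0 0.0.0.0 172.16.35.6
! Constructed remote VPN prefix: only VPN traffic enters the tunnel.
ip route 10.2.0.0 255.255.0.0 Tunnel0
!
! ---- PE ----
ip vrf VPN1
 ! constructed route distinguisher
 rd 65000:1
!
! Loopback0 and Serial0/0 stay in the global table: they carry the outer
! GRE packets, so they must not have "ip vrf forwarding" applied.
interface Loopback0
 ip address 192.0.2.2 255.255.255.255
interface Serial0/0
 ip address 172.16.35.6 255.255.255.252
interface Tunnel0
 ! Enter "ip vrf forwarding" before "ip address": applying it afterwards
 ! removes the address already configured on the interface.
 ip vrf forwarding VPN1
 ip address 10.255.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
!
! Global route to the CE tunnel endpoint, via the serial link.
ip route 192.0.2.1 255.255.255.255 172.16.35.5
! Constructed CE site prefix, reachable inside VPN1 through the tunnel.
ip route vrf VPN1 10.1.0.0 255.255.0.0 Tunnel0
```

On the PE, `show ip route vrf VPN1` should list the CE prefix via Tunnel0, while `show ip route 192.0.2.1` should resolve through Serial0/0 in the global table.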