Inter-vrf connectivity issue

Hello everyone.
I’ve been trying to set up a router and, considering the requirements, a VRF-lite-like setup seemed ideal (no BGP, no MPLS).
The problem is, without any specific configuration statements, I have inter-vrf connectivity issues. This is what I’ve got:
  • RB532 - ROS 4.10 (same with 3.30):

[root@rb532] > interface print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                        TYPE             MTU   L2MTU
 0  R  ether1-mgmt                 ether            1500  1600 
 1     ether2                      ether            1500  1600 
 2  R  ether3-lan                  ether            1500  1600         
 3  R  loop-a                      bridge           1500  65535
 4  R  loop-b                      bridge           1500  65535

[root@rb532] > ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   172.30.0.10/27     172.30.0.0      172.30.0.31     ether1-mgmt            
 1   10.10.10.1/24      10.10.10.0      10.10.10.255    loop-a                 
 2   10.20.10.1/24      10.20.10.0      10.20.10.255    loop-b                 
 3   10.20.20.1/24      10.20.20.0      10.20.20.255    ether3-lan             

[root@rb532] > ip route print detail 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADC  dst-address=10.10.10.0/24 pref-src=10.10.10.1 gateway=loop-a gateway-status=loop-a reachable distance=0 
        scope=10 routing-mark=vrfa 

 1 ADC  dst-address=10.20.10.0/24 pref-src=10.20.10.1 gateway=loop-b gateway-status=loop-b reachable distance=0 
        scope=10 routing-mark=vrfb 

 2 ADC  dst-address=10.20.20.0/24 pref-src=10.20.20.1 gateway=ether3-lan gateway-status=ether3-lan reachable 
        distance=0 scope=10 routing-mark=vrfb 

 3 A S  dst-address=0.0.0.0/0 gateway=172.30.0.1 gateway-status=172.30.0.1 reachable ether1-mgmt distance=10 scope=30 
        target-scope=10 

 4 ADC  dst-address=172.30.0.0/27 pref-src=172.30.0.10 gateway=ether1-mgmt gateway-status=ether1-mgmt reachable 
        distance=0 scope=10 

[root@rb532] > ip route vrf print 
Flags: X - disabled, I - inactive 
 0   routing-mark=vrfa interfaces=loop-a route-distinguisher=10:10 import-route-targets=10:10 
     export-route-targets=10:10 

 1   routing-mark=vrfb interfaces=loop-b,ether3-lan route-distinguisher=20:20 import-route-targets=20:20 
     export-route-targets=20:20
  • a laptop, connected to ether3-lan:
root@blah:~# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:XX:YY:ZZ:XY:YZ  
          inet addr:10.20.20.2  Bcast:10.20.20.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:30283 (29.5 KiB)  TX bytes:37604 (36.7 KiB)
          Interrupt:16 

root@blah:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.20.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.20.20.1      0.0.0.0         UG    0      0        0 eth0

and this is what happens:

[root@rb532] > ping 10.10.10.1 src-address=10.20.10.1
10.10.10.1 64 byte ping: ttl=64 time=7 ms
10.10.10.1 64 byte ping: ttl=64 time=9 ms
10.10.10.1 64 byte ping: ttl=64 time=9 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7/8.3/9 ms

[root@rb532] > ping 10.10.10.1 src-address=10.20.10.1 routing-table=vrfa 
10.10.10.1 64 byte ping: ttl=64 time=10 ms
10.10.10.1 64 byte ping: ttl=64 time=8 ms
10.10.10.1 64 byte ping: ttl=64 time=8 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 8/8.6/10 ms

[root@rb532] > ping 10.10.10.1 src-address=10.20.10.1 routing-table=vrfb 
10.10.10.1 64 byte ping: ttl=64 time=6 ms
10.10.10.1 64 byte ping: ttl=64 time=8 ms
10.10.10.1 64 byte ping: ttl=64 time=8 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 6/7.3/8 ms

root@blah:~# ping 10.20.20.1
PING 10.20.20.1 (10.20.20.1) 56(84) bytes of data.
64 bytes from 10.20.20.1: icmp_seq=1 ttl=64 time=0.466 ms
64 bytes from 10.20.20.1: icmp_seq=2 ttl=64 time=0.554 ms
^C
--- 10.20.20.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.466/0.510/0.554/0.044 ms

root@blah:~# ping 172.30.0.10
PING 172.30.0.10 (172.30.0.10) 56(84) bytes of data.
64 bytes from 172.30.0.10: icmp_seq=1 ttl=64 time=0.699 ms
64 bytes from 172.30.0.10: icmp_seq=2 ttl=64 time=0.562 ms
^C
--- 172.30.0.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.562/0.630/0.699/0.072 ms

root@blah:~# ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.669 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.530 ms
^C
--- 10.10.10.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.530/0.599/0.669/0.073 ms

So, it seems I have connectivity from any VRF to any VRF. Isn’t that not supposed to happen (as per RFC-2547, paragraph 1.7), or am I doing something wrong?
Thanks for your help.

I haven’t read the RFC, but I believe you are correct that you should be seeing that behavior.

With that said, I experience the same behavior on my routers. This is ‘normal’. You should only be able to ping the IP addresses local to the router, and not any other hosts on those subnets. There is no real inter-VRF connectivity.

Thanks, blake. I confirm that - I can only ping the router’s local interfaces. Guess I’m used to “some other vendor’s” default behaviour.

c6504#ping vrf vrfa ip 10.10.10.1                      

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

c6504#ping vrf vrfa ip 10.10.10.1 source 10.20.10.1

% Invalid source address- IP address not on any of our up interfaces

Shouldn’t this produce “no local connectivity” behaviour?

[root@rb532] > ip route rule add action=unreachable routing-mark=vrfb table=vrfa 
[root@rb532] > ip route rule add action=unreachable routing-mark=vrfa table=vrfb

We’re a big Cisco shop, and have recently begun using Mikrotik. I certainly expected Mikrotik to have the same VRF behavior as Cisco. I can live with how it functions now, although it would be nice to have 100% VRF separation in the future.
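
Added example, not written by any poster in this thread: Python that parses the `ip address print` and `ip route vrf print` output from the first post and lists every router-local address owned by a different routing table than the ingress interface, which are the addresses the thread found still answer ping across VRFs. The function names are hypothetical, the input is a trimmed copy of the printouts above, and interfaces not listed in any VRF are assumed to belong to the `main` table.

```python
import re

# Constructed input: trimmed copies of the two RouterOS printouts in the first post.
ADDRESS_PRINT = """\
 0   172.30.0.10/27     172.30.0.0      172.30.0.31     ether1-mgmt
 1   10.10.10.1/24      10.10.10.0      10.10.10.255    loop-a
 2   10.20.10.1/24      10.20.10.0      10.20.10.255    loop-b
 3   10.20.20.1/24      10.20.20.0      10.20.20.255    ether3-lan
"""
VRF_PRINT = """\
 0   routing-mark=vrfa interfaces=loop-a route-distinguisher=10:10 import-route-targets=10:10
     export-route-targets=10:10
 1   routing-mark=vrfb interfaces=loop-b,ether3-lan route-distinguisher=20:20 import-route-targets=20:20
     export-route-targets=20:20
"""

def parse_vrfs(text):
    """Map interface name -> routing-mark from 'ip route vrf print' output."""
    iface_vrf = {}
    for mark, ifaces in re.findall(r"routing-mark=(\S+)\s+interfaces=(\S+)", text):
        for iface in ifaces.split(","):
            iface_vrf[iface] = mark
    return iface_vrf

def parse_addresses(text):
    """Return (ip, interface) pairs from 'ip address print' output."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and "/" in fields[-4]:  # skips header and flag lines
            pairs.append((fields[-4].split("/")[0], fields[-1]))
    return pairs

def cross_vrf_probes(addresses, iface_vrf, main="main"):
    """List (ingress, ingress table, local ip, owning table) where the tables differ.
    Each tuple is a probe to run, or an input-filter rule to consider, in an audit."""
    probes = []
    for ingress in sorted({iface for _, iface in addresses}):
        for ip, owner in addresses:
            src, dst = iface_vrf.get(ingress, main), iface_vrf.get(owner, main)
            if src != dst:
                probes.append((ingress, src, ip, dst))
    return probes

if __name__ == "__main__":
    vrfs = parse_vrfs(VRF_PRINT)
    for ingress, src, ip, dst in cross_vrf_probes(parse_addresses(ADDRESS_PRINT), vrfs):
        print(f"from {ingress} ({src}): probe {ip} ({dst})")
```

For the laptop on ether3-lan, the list contains 172.30.0.10 and 10.10.10.1, the two addresses it pinged successfully in the first post.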