Occasional Contributor
Posts: 12
Registered: ‎11-11-2013

Can't ping VE from host when it's assigned to a VRF

I've worked with VRFs before, but for some reason, this one's got me puzzled!

Super simple arrangement:

 

MLXe4 - to - ICX - to - Host

 

MLX config:

 

ver V5.9.0aT163
module 1 br-mlx-8-port-10g-x                                    
!
vlan 102 name global_vrf_test_2
 tagged ethe 1/2
 router-interface ve 102
!
vlan 202 name 1_vrf_test_2
 tagged ethe 1/2
 router-interface ve 202
!
mstp name datacenter                           
mstp revision 1
mstp instance 0  vlan 1
mstp instance 0  vlan 100 to 103
mstp instance 0  vlan 200 to 203
mstp instance 0  vlan 300 to 303
mstp instance 0 priority 57344
mstp start
!                                                                 
system-max ip-arp 65536
system-max ip-cache 1048576
system-max ip-route 1048576
system-max virtual-interface 4095
system-max ipv6-cache 245760
system-max ipv6-route 245760
system-max ip-vrf-route 262144
system-max openflow-flow-entries 131072
system-max openflow-unprotectedvlan-entries 4096
system-max np-openflow-flow-entries layer2or3 6492 slot 1
system-max np-openflow-flow-entries layer23ipv4 24412 slot 1
system-max np-openflow-flow-entries layer3ipv6 1756 slot 1
system-max np-openflow-flow-entries layer23ipv6 3932 slot 1
!
!
vrf 1
 rd 64512:1
 ip router-id 1.1.1.1
 route-target export 64512:1
 route-target import 64512:1
 address-family ipv4
 exit-address-family
exit-vrf                                                          
!
!
interface loopback 1
 vrf forwarding 1
 ip address 1.1.1.1/32
!
interface ethernet 1/2
 port-name to_ICX
 enable
 no route-only
!
interface ve 102
 port-name global_vrf_test_2
 ip address 192.168.255.1/24
!
interface ve 202
 port-name 1_vrf_test_2
 vrf forwarding 1
 ip address 192.168.255.1/24
!

 

--

 

ICX below it is running plain layer 2, nothing fancy.

 

--

 

If I have the host in vlan 102, pings fine!:

 

mlx-tst#ping 192.168.255.10
Sending 1, 16-byte ICMP Echo to 192.168.255.10, timeout 5000 msec, TTL 64
Type Control-c to abort
Reply from 192.168.255.10  : bytes=16 time<1ms TTL=64
Success rate is 100 percent (1/1), round-trip min/avg/max=0/0/0 ms.

 

--

 

If I change the host over to vlan 202, here's the result:

 

mlx-tst#ping vrf 1 192.168.255.10
Sending 1, 16-byte ICMP Echo to 192.168.255.10, timeout 5000 msec, TTL 64
Type Control-c to abort
Request timed out.
No reply from remote host.

 

Yet the host receives the icmp echo requests:

 

18:24:07.080004 IP 192.168.255.1 > 192.168.255.10: ICMP echo request, id 43787, seq 1, length 24
18:24:07.080051 IP 192.168.255.10 > 192.168.255.1: ICMP echo reply, id 43787, seq 1, length 24

 

And I have confirmed the reply actually gets back to the router... If I use vlan 202, but just remove the VRF membership, it works too...

 

What am I doing wrong here!!!!??? It's obviously not a default route type thing per this communication happening in-subnet...

 

Thanks in advance!

Contributor
Posts: 22
Registered: ‎05-21-2014

Re: Can't ping VE from host when it's assigned to a VRF

Your vlan/ve 102 is in the default-vrf based on your config.

 

Your vlan/ve 202 is in vrf 1.

 

Since these are two completely isolated routing tables, you have no routes between them without a L3 router/route process and including those networks in the same process.

 

By using vrfs you need to have an upstream router to bounce the traffic from running a L3 process to "connect" the two vrfs.

 

Normally, you want isolation of routing tables when using VRF, so I would expect no communication given your config.  If you want communication on that switch, you're better off with vlans rather than separate routing tables.  Then simply enable routing on the switch for them to communicate.

 

You also are using the same IP address on both VEs - which is fine if using VRF, but not when using VLANs.

Occasional Contributor
Posts: 12
Registered: ‎11-11-2013

Re: Can't ping VE from host when it's assigned to a VRF

Thanks for your response Netman66

So I'm not trying to do inter-vrf routing actually. All I'm trying to do is place ip space into a vrf via putting the ve into said vrf. At this point in the test, I'm not trying to get traffic into or out of the vrf.

Any ideas why I can no longer ping the host when I place the ve in a vrf? I'm using the obvious ping vrf X "address" construct... I did some port mirroring and clearly see the MLX sending the icmp out and it arriving on the host. The problem is in the return. With the monitor session I can see the echo-reply gets sent up to the MLX on the expected port, but the MLX doesn't register it...

Is there some additional config required for vrf-lite?

Any help would be greatly appreciated.

Steve

Occasional Contributor
Posts: 12
Registered: ‎11-11-2013

Re: Can't ping VE from host when it's assigned to a VRF

So I ended up calling Brocade TAC on this one. It turns out apparently this is impossible, at least on the MLX... Per traffic entering an interface that belongs to the default-vrf (even though it's a trunk and therefore doesn't belong to any VRF) it would then first have to be considered by said global VRF table before it could actually arrive at the specific ve by way of the associated vlan that's a member of the custom vrf... The engineer said we would need to route-leak the ve subnet into the global table in order for traffic to get to the server's default gateway... ... ... What the heck!? That doesn't make any sense at all! After the TAC conversation, I grabbed a Cisco 3048 we had lying around and configured it just like the MLX and bam, works like a charm.

 

I'm having a hard time believing Brocade can't do this, so if any of you fine fellows have an explanation or solution, I'm all ears!

 

Thanks!

Contributor
Posts: 22
Registered: ‎05-21-2014

Re: Can't ping VE from host when it's assigned to a VRF

I'm still having a hard time trying to understand what you are trying to accomplish.

 

The whole purpose of creating a VRF is to isolate the routing tables from each other - thereby not allowing any routes from either VRF to be aware of each other.  By including a ve in a vrf, you are adding that space to that specific route table.  It can only belong to one vrf at a time regardless of whether you have overlapping IP subnets.  This only comes into play at the L3 route process.

 

A trunk port will carry the traffic but has no way to combine routes on its own - just because all your traffic terminates on a single port doesn't mean they will all talk.

 

On Brocade switches, once you create your first VRF, the un-defined address space is a member of the default-vrf automatically - there really isn't a "global route table" any longer.

 

Maybe if I understood what you were trying to do, I could offer something meaningful.

 

Post the Cisco config and maybe I can try to understand what you are looking for.

 

 

Occasional Contributor
Posts: 12
Registered: ‎11-11-2013

Re: Can't ping VE from host when it's assigned to a VRF

Ok, so after working a bit more with TAC, we thought it had to do with Openflow being used on this MLX, but after further investigation, the whole problem turned out to be CAM Partition Profiles! We were running ipv4-ipv6-2 which doesn't provision any space in the TCAM for VRFs!

 

Changed that, reloaded the routers and now we can onboard traffic to a VRF with Openflow using the 2 MLX's! Problem solved.

 

Thought I would post the resolution to my issue.

 

Thanks!
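
An added example, not part of the thread and not Brocade tooling: a pre-change audit of a running-config for the two conditions discussed above, interfaces placed in a VRF while the CAM partition profile is ipv4-ipv6-2, and the same address configured twice inside one VRF. The `cam-partition profile` config line and the `audit` function are assumptions; the config posted in the thread did not show the profile line.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the config posted in the thread. The
# cam-partition line is an assumption: the posted config did not show it.
SAMPLE_CONFIG = """\
cam-partition profile ipv4-ipv6-2
vrf 1
exit-vrf
!
interface ve 102
 ip address 192.168.255.1/24
!
interface ve 202
 vrf forwarding 1
 ip address 192.168.255.1/24
!
"""

# Profiles the thread reports as provisioning no TCAM space for VRFs.
NO_VRF_PROFILES = {"ipv4-ipv6-2"}

def audit(config):
    """Return ({interface: vrf}, [findings]) for a running-config text."""
    profile, iface, vrf_of, addrs = None, None, {}, defaultdict(list)
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"cam-partition profile (\S+)", line):
            profile = m.group(1)
        elif m := re.match(r"interface (.+)", line):
            iface = m.group(1)
            vrf_of[iface] = "default-vrf"  # until "vrf forwarding" says otherwise
        elif line == "!":
            iface = None
        elif iface and (m := re.match(r"vrf forwarding (\S+)", line)):
            vrf_of[iface] = m.group(1)
        elif iface and (m := re.match(r"ip address (\S+)", line)):
            addrs[iface].append(m.group(1))
    findings = []
    in_vrf = sorted(i for i, v in vrf_of.items() if v != "default-vrf")
    if profile in NO_VRF_PROFILES and in_vrf:
        findings.append(f"CAM profile {profile} has no VRF space: {', '.join(in_vrf)}")
    seen = {}  # (vrf, address) -> first interface using it
    for i, v in vrf_of.items():
        for a in addrs[i]:
            if seen.setdefault((v, a), i) != i:
                findings.append(f"{a} used twice in {v}: {seen[(v, a)]}, {i}")
    return vrf_of, findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The overlapping 192.168.255.1/24 on ve 102 and ve 202 is not flagged as long as the two VEs sit in different VRFs; it is flagged once both land in the same routing table.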
