6860E VRF route leak
Posted: 22 Jan 2020 08:00
Hello everyone,
I have the following scenario:
2 Offices with 2 Vlans and one internet access.
I have created 3 VRF, one for each office and one for the internet access.
So far no issue.
This is my VCboot.cfg file:
!========================================!
! File: /flash/working/vcboot.cfg !
!========================================!
! Chassis:
system name "OS6860"
vrf create Net profile max
vrf create IpOne profile max
vrf create IpTwo profile max
vrf default
! Configuration:
configuration error-file-limit 2
! Capability Manager:
hash-control extended
! Virtual Flow Control:
! LFP:
! Interface:
! Port_Manager:
! Link Aggregate:
! VLAN:
vlan 1 admin-state disable
vlan 100 admin-state enable
vlan 100 name "vlan100"
vlan 110 admin-state enable
vlan 110 name "vlan110"
vlan 120 admin-state enable
vlan 120 name "vlan120"
vlan 130 admin-state enable
vlan 130 name "vlan130"
vlan 199 admin-state enable
vlan 199 name "Internet"
vlan 100 members port 1/1/1-4 untagged
vlan 110 members port 1/1/5-8 untagged
vlan 120 members port 1/1/9-12 untagged
vlan 130 members port 1/1/13-16 untagged
vlan 199 members port 1/1/24 untagged
! PVLAN:
! Spanning Tree:
spantree mode flat
spantree vlan 1 admin-state enable
spantree vlan 100 admin-state enable
spantree vlan 110 admin-state enable
spantree vlan 120 admin-state enable
spantree vlan 130 admin-state enable
spantree vlan 199 admin-state enable
! DA-UNP:
! Bridging:
! Port Mirroring:
! Port Mapping:
! IP:
! IPv6:
! IPSec:
! IPMS:
! AAA:
aaa authentication console "local"
aaa authentication ssh "local"
aaa tacacs command-authorization disable
! NTP:
ntp server clock0.ovcirrus.com
ntp server clock2.ovcirrus.com
ntp server clock3.ovcirrus.com
ntp server clock1.ovcirrus.com
ntp client admin-state enable
! QOS:
! Policy Manager:
! VLAN Stacking:
! ERP:
! MVRP:
mvrp enable
! LLDP:
! UDLD:
! Server Load Balance:
! High Availability Vlan:
! Session Manager:
session cli timeout 600
session prompt default "6860=>"
! Web:
! Trap Manager:
! Health Monitor:
! System Service:
! SNMP:
! BFD:
! IP Route Manager:
ip static-route 192.168.110.0/24 gateway 192.168.130.101 metric 1
ip static-route 192.168.120.0/24 gateway 192.168.130.101 metric 1
! VRRP:
! UDP Relay:
! RIP:
! OSPF:
! IP Multicast:
! DVMRP:
! IPMR:
! RIPng:
! OSPF3:
! BGP:
! ISIS:
! Module:
! LAN Power:
! RDP:
! DHL:
! Ethernet-OAM:
! SAA:
! SPB-ISIS:
! SVCMGR:
service stats disable
! LDP:
! EVB:
! APP-FINGERPRINT:
! FCOE:
! QMR:
! OPENFLOW:
! Dynamic auto-fabric:
auto-fabric admin-state disable
! SIP Snooping:
! DHCP Server:
! DHCPv6 Relay:
! DHCPv6 Snooping:
! DHCPv6 Server:
! DHCP Message Service:
! DHCP Active Lease Service:
! Virtual Chassis Split Protection:
! DHCP Snooping:
! APP-MONITORING:
! Loopback Detection:
! VM-SNOOPING:
! PPPOE-IA:
! Security:
! Zero Configuration:
! MAC Security:
! OVC:
! EFM-OAM:
! ALARM-MANAGER:
! DEVICE-PROFILE:
! PTP:
! IP DHCP RELAY:
! TEST-OAM:
! LOOPBACK TEST:
! UDP6 RELAY:
! MGMT AGENT:
! VRF Net
! IP:
vrf Net ip interface "Net" address 192.168.10.70 mask 255.255.255.0 vlan 199 ifindex 1
! IPv6:
! IPSec:
! IPMS:
! Web:
! BFD:
! IP Route Manager:
vrf Net ip static-route 0.0.0.0/0 gateway 192.168.10.254 metric 1
vrf Net ip route-map "R3_Net" sequence-number 50 action permit
vrf Net ip export route-map R3_Net
vrf Net ip import vrf IpOne route-map R3_Net
vrf Net ip import vrf IpTwo route-map R3_Net
! VRRP:
! UDP Relay:
! DHCPv6 Relay:
! DHCPv6 Snooping:
! IP DHCP RELAY:
! UDP6 RELAY:
! VRF IpOne
! IP:
vrf IpOne ip interface "vlan100" address 192.168.100.1 mask 255.255.255.0 vlan 100 ifindex 6
vrf IpOne ip interface "vlan110" address 192.168.110.1 mask 255.255.255.0 vlan 110 ifindex 7
! IPv6:
! IPSec:
! IPMS:
! Web:
! BFD:
! IP Route Manager:
vrf IpOne ip route-map "R1_IpOne" sequence-number 50 action permit
vrf IpOne ip export route-map R1_IpOne
vrf IpOne ip import vrf R3_Net route-map R1_IpOne
! VRRP:
! UDP Relay:
! DHCPv6 Relay:
! DHCPv6 Snooping:
! IP DHCP RELAY:
! UDP6 RELAY:
! VRF IpTwo
! IP:
vrf IpTwo ip interface "vlan120" address 192.168.120.1 mask 255.255.255.0 vlan 120 ifindex 4
vrf IpTwo ip interface "vlan130" address 192.168.130.1 mask 255.255.255.0 vlan 130 ifindex 5
! IPv6:
! IPSec:
! IPMS:
! Web:
! BFD:
! IP Route Manager:
vrf IpTwo ip route-map "R2_IpTwo" sequence-number 50 action permit
vrf IpTwo ip export route-map R2_IpTwo
vrf IpTwo ip import vrf R3_Net route-map R2_IpTwo
! VRRP:
! UDP Relay:
! DHCPv6 Relay:
! DHCPv6 Snooping:
! IP DHCP RELAY:
! UDP6 RELAY:
My issue is with the leak of routes: I can't ping the Net interface for the other VRFs. Did I miss something?
best regards
Maxmania
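A consistency check for the leak statements in the configuration posted above, as an added example that is not part of the original post and not vendor tooling. It assumes only the statement forms visible in the post, and that a route-map named in an import or export is looked up in the VRF that owns the statement; the function name `lint` and the finding labels are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt: a subset of the VRF, interface, static-route and
# route-leak lines from the vcboot.cfg in the post, copied unchanged.
SAMPLE_CFG = """\
vrf create Net profile max
vrf create IpOne profile max
vrf create IpTwo profile max
ip static-route 192.168.110.0/24 gateway 192.168.130.101 metric 1
vrf Net ip interface "Net" address 192.168.10.70 mask 255.255.255.0 vlan 199 ifindex 1
vrf Net ip static-route 0.0.0.0/0 gateway 192.168.10.254 metric 1
vrf Net ip route-map "R3_Net" sequence-number 50 action permit
vrf Net ip export route-map R3_Net
vrf Net ip import vrf IpOne route-map R3_Net
vrf IpOne ip route-map "R1_IpOne" sequence-number 50 action permit
vrf IpOne ip export route-map R1_IpOne
vrf IpOne ip import vrf R3_Net route-map R1_IpOne
vrf IpTwo ip interface "vlan130" address 192.168.130.1 mask 255.255.255.0 vlan 130 ifindex 5
"""

def lint(cfg):
    """Hypothetical linter: return (vrf, finding, value) tuples for dangling references."""
    vrfs, maps, nets, stmts, findings = {"default"}, set(), {}, [], []
    for line in cfg.splitlines():  # pass 1: collect what is defined, per VRF
        m = re.match(r"vrf (\S+) (ip .+)", line)
        vrf, stmt = m.groups() if m else ("default", line)
        stmts.append((vrf, stmt))
        if c := re.match(r"vrf create (\S+)", stmt):
            vrfs.add(c[1])
        elif c := re.match(r'ip route-map "?([^" ]+)', stmt):
            maps.add((vrf, c[1]))
        elif c := re.match(r"ip interface \S+ address (\S+) mask (\S+)", stmt):
            net = ipaddress.ip_interface(f"{c[1]}/{c[2]}").network
            nets.setdefault(vrf, []).append(net)
    for vrf, stmt in stmts:  # pass 2: check every reference against pass 1
        if c := re.match(r"ip import vrf (\S+) route-map (\S+)", stmt):
            if c[1] not in vrfs:  # source VRF was never created
                findings.append((vrf, "unknown-vrf", c[1]))
            if (vrf, c[2]) not in maps:  # assumption: map lives in importing VRF
                findings.append((vrf, "unknown-route-map", c[2]))
        elif c := re.match(r"ip export route-map (\S+)", stmt):
            if (vrf, c[1]) not in maps:
                findings.append((vrf, "unknown-route-map", c[1]))
        elif c := re.match(r"ip static-route \S+ gateway (\S+)", stmt):
            gw = ipaddress.ip_address(c[1])  # heuristic: next hop should be connected
            if not any(gw in n for n in nets.get(vrf, [])):
                findings.append((vrf, "gateway-not-connected", c[1]))
    return findings
```

Run against the full file, a finding marks a statement that names something the configuration never defines in that VRF, which is worth reviewing before concluding that the leak itself is misbehaving.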