
VRF Leaking on Border Leaf

suneq
Level 1

Hi experts, 

I have a question regarding how VRF leaking works in ACI. I have a simple topology as follows:

Leaking.jpg

The Border Leaf is learning the route 10.0.0.0/8 via OSPF in the VRF A from the router. I want to leak this route into VRF B so that the VM can reach the 10.x subnet.

My question is: how the route will be leaked in this case. I read this article https://www.cisco.com/c/en/us/support/docs/software/aci-data-center/215128-troubleshooting-unexpected-route-leaking.html

and understand that MP-BGP will be used if I want to leak an L3Out route to a non-Border Leaf. But here I have a Border Leaf with 2 VRFs: will MP-BGP be used in this case, or will the APIC simply push the 10.0.0.0/8 from VRF A to VRF B (as it does when leaking a BD subnet)? In brief, I do not understand if the route 10.0.0.0/8 will be "learned" from OSPF or MP-BGP in the VRF B.

Any help will be greatly appreciated. Thanks.

 

4 Replies

Claudia de Luna
Spotlight

Hi @suneq 

 

Have you had a chance to review this post:

https://community.cisco.com/t5/data-center-documents/aci-inter-vrf-tenant-route-leaking-configuration-example/ta-p/3221879

 

The last scenario discussed I believe is exactly what you are trying to do.

Hi Claudia de Luna,

Thanks for your swift reply. I already read the article you mentioned but unfortunately I think it does not cover my question.

If we take your example, I understand how the L3Out route 200.200.200.200/32 is leaked to the Provider VRF on the non-Border Leaf 201. However, I am not sure how it works on a Border Leaf; let's say that we connect a new server to Leaf 101 (BL) and put it in the Provider VRF, how does the leaking work in this case?

1. The BL 101 learned the route 200.200.200.200/32 via OSPF in the Consumer VRF, exports it to MP-BGP, and the Provider VRF (always on the same BL) imports that route?

2. The BL 101 learned the route 200.200.200.200/32 via OSPF in the Consumer VRF and the APIC simply pushes that route into the Provider VRF (as it does when leaking a BD subnet)?

I hope my question is a bit clearer. Thanks for your help.

 

Topo.jpg

Gaurav Gambhir
Cisco Employee

A route learned in VRF A from OSPF will use the MP-BGP vpnv4 address family to leak the route from one vrf to another.

Pretty much the same way it would happen on an MPLS PE b/w two vrfs.

When you mark the subnet as shared under the L3out, under the hood we create the prefix-list and update the import RTs.

You can check the following: show ip bgp process vrf B, and you should see the RT of vrf A in the import RT list.
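
The check described in the reply above can be scripted when auditing which VRFs are linked by route targets. This is an added example, not part of the original post or Cisco's tooling: it goes beyond the single A-to-B case and reports every VRF pair where one VRF imports another's export RT. The sample text is constructed and simplified, and the VRF names, AS number, RT values and exact output layout are assumptions.

```python
import re

# Constructed, simplified text in the assumed layout of `show ip bgp process vrf`;
# the VRF names, AS number and RT values below are made up for illustration.
SAMPLE = """\
BGP Information for VRF T1:A
    Export RT list:
        65001:2097154
    Import RT list:
        65001:2097154
BGP Information for VRF T1:B
    Information for address family IPv4 Unicast in VRF T1:B
    Import route-map 2785280-shared-svc-leak
    Export RT list:
        65001:2785280
    Import RT list:
        65001:2785280
        65001:2097154
"""

RT = re.compile(r"^\d+:\d+$")

def parse_rts(text):
    """Return {vrf: {"export": set, "import": set}} from the CLI text."""
    vrfs, vrf, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BGP Information for VRF (\S+)", line)
        if m:
            vrf, section = m.group(1), None
            vrfs[vrf] = {"export": set(), "import": set()}
        elif line == "Export RT list:":
            section = "export"
        elif line == "Import RT list:":
            section = "import"
        elif vrf and section and RT.match(line):
            vrfs[vrf][section].add(line)
        else:
            section = None  # any other line ends the current RT list
    return vrfs

def leaks(vrfs):
    """Return sorted (source_vrf, dest_vrf) pairs where dest imports a source export RT."""
    return sorted(
        (src, dst)
        for dst, d in vrfs.items()
        for src, s in vrfs.items()
        if src != dst and s["export"] & d["import"]
    )
```

A reported pair only shows that the two VRFs are linked at the RT level; which prefixes actually cross is still limited by the prefix-list mentioned in the reply.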

 

 

 

Hi @Gaurav Gambhir,

 

Thanks for your reply. That's how I think it should work, but as I cannot test right now, I prefer to have a confirmation. Let me go a bit further with the topology below: if the VRF leaking is done correctly for the L3Out subnet 192.168.1.0/24 from VRF A to VRF B, when I check the BGP VPNv4 table on the BL2 I should see 2 iBGP routes and I can force the traffic from VM2 to 192.168.1.0/24 to prefer the route from BL1 (by setting the local preference with interleak policy for example)? Am I correct?

I have a doubt because my colleague told me that in this case, VM2 will always prefer the path BL2-CE2 because of OSPF. I would agree with him if the VM2 is in the VRF A, but here as it is in the VRF B, I think we can force the traffic (from VM2 to 192.168.1.0/24) to take the path BL1-CE1. Am I correct?

Thanks.

Topo.jpg 
