12-09-2020 03:55 PM - edited 12-21-2020 12:39 PM
This documentation seems wrong, and doesn't work. Am I missing something or does the documentation need to be fixed.
Talking about :
Configuration Centralized VRF Route-Leaking - Shared Internet with Custom VRF
This has ip route 0.0.0.0/0 Null0 in the tenant vrf and advertises it to the tenant vrf.
Obviously this causes the default route to send it to the tenant vrf on the border and gets dropped. The imported 0.0.0.0/0 route from the shared internet vrf won't override the 0.0.0.0/0 static route, so the documentation doesn't make sense to me.
It seems to be missing a command to re-advertise previously imported routes, so it would import the default route from internet vrf and then use the 'advertise-as-vpn' command like in IOS-XR to re-advertise the imported route (with route map of course).
This command(advertise-as-vpn) doesn't seem to exist on nxos, and the way this documentation has the config, it doesn't work.
Either I'm missing a single command somewhere in my test lab , or the documentation is broken.
Has anyone else tried this?
12-19-2020 12:01 PM
Seriously no replies? I was hoping for at least a 'yeah the documentation looks wrong and doesn't work'
12-19-2020 02:13 PM
Hello!
I believe this particular section of the document is incorrect - I will work internally to verify this and get it corrected.
The majority of the configuration example is correct - however, the ip route 0.0.0.0/0 Null0 static route under each tenant VRF (Red, Blue, etc.) should instead be ip route 0.0.0.0/0 10.9.9.1 vrf Shared. This will put a default route in each tenant VRF that has a next-hop of 10.9.9.1 in the Shared VRF (which would be the external next-hop of your Internet-facing gateway).
As mentioned, I will check internally to verify whether this is correct and have the document corrected. Note that since the holiday season is around the corner, it might take some time for an updated copy to be published.
Thank you!
-Christopher
12-19-2020 03:20 PM - edited 12-19-2020 03:38 PM
I tried that as well, and it sort-of worked. I need it to be dynamic though as in bgp default route is injected from '10.9.9.1' and imported into red/blue and then red/blue redistribute it (i.e. advertise-vpn/allow-vpn; i know these commands exist in some vrf context but I couldn't get it to work right with EVPN, although it may have been a bug, I will reinvestigate).
The static route worked but if 10.9.9.1 disappears and reappears the route doesn't come back properly, plus it's not a very elegant solution.
Thanks for looking into it at least! I hope to see a better solution proposed, and hopefully more features added to nxos, like being able to force re-advertisement of imported routes to evpn if necessary and also centralized gateway on evpn.
10-12-2022 06:45 AM
Hello!
I'm also confused about that documenttion
The section "Some pointers follow:" tells the right way to deal with this occasion
1)The default-route is made exported from the Shared Internet VRF and re-advertisement within VRF Blue and VRF Red on the Border Node.
leaking default route to VRF Blue and VRF Red can attract traffic towards Border Node with Shared Internet VRF,and go to the external router.
And I think the ip route 0.0.0.0/0 Null0 under the VRF Blue and VRF Red is needless,cus you are already have the default route leaking from the shared internet VRF.
2)Ensure the default-route in VRF Blue and VRF Red is not leaked to the Shared Internet VRF
that means the import map RM_DENY_IMPORT should under the VRF shared.
3)
aggregate-address 10.10.0.0/16
aggregate-address 10.20.0.0/16
just creat the aggreat for VRF Blue and VRF Red
So,in this way,you have the route towards the external router on the control plane,vice versa
VRF Blue host--->default-router leaking from VRF shared--->VRF Blue border--->VRF shared---> ip route 0.0.0.0/0 10.9.9.1--->external router
external router --->static route about the VRF Blue and Red--->VRF shared---aggregated address(10.10.0.0/16 and 10.20.0.0/16)--->VRF Blue or VRF Red host
12-01-2022 07:02 AM
Did anyone get this to work?
I've tried this but I have a hard time getting everything to work.
I've pretty much followed the instructions. I've set up the SHARED VRF and two CUSTOM VRFs
The SHARED VRF only have a static route for external connectivity (no dynamic routing right now)
External GW = 192.168.10.1
Border Leaf = 192.168.10.6
The CUSTOM VRFs are also set up on non-border leafs.
I've tried both with and without "ip route 0.0.0.0/0 Null0" in the CUSTOM VRFs.
Result:
01-22-2024 02:20 PM
The document is certainly not correct. The default route from the vrf share is not propagated to other tenants connected to other vteps. Only the hosts connected to the border switch have access to the internet.
01-22-2024 02:26 PM
This document should be corrected and reposted.
02-22-2024 10:04 AM
Please check this document, maybe it will help!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide