Solved: export routes from VRF

y.svirydovich · ‎05-08-2013

Hi!

I have a problem when I export the routes from VRF_A (just testing)

This does not work. Where is the problem?

Cheers,

ip vrf vrf_A

rd 10:100

export map EXPORT-RT

route-target export 10:100

route-target import 10:100

!

ip vrf vrf_B

rd 11:100

route-target export 11:100

route-target import 511:100

address-family vpnv4

neighbor 1.1.1.1 activate

neighbor 1.1.1.1 send-community extended

neighbor 5.5.5.5 activate

neighbor 5.5.5.5 send-community extended

neighbor 6.6.6.6 activate

neighbor 6.6.6.6 send-community extended

exit-address-family

address-family ipv4 vrf vrf_B

redistribute connected

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf vrf_A

redistribute connected

redistribute static

no auto-summary

no synchronization

exit-address-family

route-map EXPORT-RT permit 20

set extcommunity rt 511:100

router_4#show ip route vrf vrf_A

Routing Table: vrf_A

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 6.6.6.6 to network 0.0.0.0

172.17.0.0/24 is subnetted, 1 subnets

C 172.17.1.0 is directly connected, FastEthernet0/1

B 192.168.219.0/24 [200/0] via 6.6.6.6, 00:48:08

10.0.0.0/24 is subnetted, 1 subnets

B 10.20.1.0 [200/0] via 1.1.1.1, 00:47:59

B 192.168.1.0/24 [200/0] via 5.5.5.5, 00:48:03

B* 0.0.0.0/0 [200/10] via 6.6.6.6, 00:47:59

router_4#show ip route vrf vrf_B

Routing Table: vrf_B

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.100.0/24 is directly connected, FastEthernet1/0

router_4#

Fredrik Lönnman · ‎05-09-2013

I find sometimes the VRF import scan isnt actually beeing done every 60sec as supposed, so it might take some time before you see the routes in your new VRF. Also make sure that the routes in vrf_A actually does have the new RT: 'show bgp vpnv4 unicast vrf vrf_A 172.17.1.0' for example.

View solution in original post

Vivek Ruhil · ‎05-09-2013

Well I would do it in a different way.

1. Add a BGP community to the default route in VRF_A

On the CE

route-map SET-CT permit 10

match ip address prefix-list DEFAULT-ROUTE

set community 10:10

ip prefix-list DEFAULT-ROUTE seq 10 permit 0.0.0.0/0

2. Deny this community in the import-map on vrf_b

On any PE where vrf_b is configured

conf t

!

route-map ALLOW-VRFA deny 10

match ip community-list BLOCK-DEFAULT-ROUTE

route-map ALLOW-VRFA permit 20

!

ip vrf vrf_b

import-map ALLOW-VRFA

!

ip community-list BLOCK-DEFAULT-ROUTE permit 10:10

This way you don;t have to play with ext-communities and added flexibility in future to probably add more routes for denial or change the default route-attributes.

View solution in original post

Fredrik Lönnman · ‎05-09-2013

I find sometimes the VRF import scan isnt actually beeing done every 60sec as supposed, so it might take some time before you see the routes in your new VRF. Also make sure that the routes in vrf_A actually does have the new RT: 'show bgp vpnv4 unicast vrf vrf_A 172.17.1.0' for example.

y.svirydovich · ‎05-09-2013

Thank you!

Your answer me helped to find a source of problem.

http://mynetworkingwiki.com/index.php/Advanced_VRF_Import_and_Export_Features

-> The export route map is deployed in the originating VRF

So I have implement route-map on each router with original VRF (VRF_A)

Cheers,

Fredrik Lönnman · ‎05-09-2013

Oh you where trying to export the BGP-learnt routes from vrf_A to vrf_B? Then as you say you have to find the original VRF and tag them there, or rewrite the RT ingress on the router to add more RTs than the ones originally attached.

y.svirydovich · ‎05-09-2013

The goal is to export all routes from vrf_a to vrf_b except default-route. I try to export the all routes from vrf_a and rewrite RT in 511:100. Then I'll will edit the export route-map so it blocks default-route and will add in vrf_b route-target import 511:100. It's correct?

Vivek Ruhil · ‎05-09-2013

Well I would do it in a different way.

1. Add a BGP community to the default route in VRF_A

On the CE

route-map SET-CT permit 10

match ip address prefix-list DEFAULT-ROUTE

set community 10:10

ip prefix-list DEFAULT-ROUTE seq 10 permit 0.0.0.0/0

2. Deny this community in the import-map on vrf_b

On any PE where vrf_b is configured

conf t

!

route-map ALLOW-VRFA deny 10

match ip community-list BLOCK-DEFAULT-ROUTE

route-map ALLOW-VRFA permit 20

!

ip vrf vrf_b

import-map ALLOW-VRFA

!

ip community-list BLOCK-DEFAULT-ROUTE permit 10:10

This way you don;t have to play with ext-communities and added flexibility in future to probably add more routes for denial or change the default route-attributes.

y.svirydovich · ‎05-09-2013

Hello!

So any ways I have to use EXPORT-MAP on each CE router?

This is not easy, I don't know the all routers which implements the vrf_A

Cheers,

Vivek Ruhil · ‎05-10-2013

Hi

Sorry for not being clear the first time

route-map SET-CT is to be applied on the CE for the BGP neighbor with the PE router and also enable send-community on the neighbor.so, the config on CE will look like

router bgp

neighbor remote-as

neighbor route-map SET-CT out

neighbor send-community

!

So, only this will have to be done on the hub CE.

And on any remote PE all you have to do is:

On any PE where vrf_b is configured

conf t

!

route-map ALLOW-VRFA deny 10

match ip community-list BLOCK-DEFAULT-ROUTE

route-map ALLOW-VRFA permit 20

!

ip vrf vrf_b

import-map ALLOW-VRFA

!

ip community-list BLOCK-DEFAULT-ROUTE permit 10:10