cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
27125
Views
0
Helpful
5
Replies

Route Leaking between VRF:s (Shared services)

ta1983
Beginner
Beginner

Hi,

I'm a bit confused by this setup that i'm trying to achieve.

The setup is classic though, I have one VRF for education (EDU), one for administrators (ADM) and then a shared VRF (GEM) like this:

ip vrf ADM

description *** ADMIN NET ***

rd 2:2

export map ADM-to-EDU

route-target export 2:2

route-target import 1:1

route-target import 2:2

!

ip vrf EDU

description *** ELEV NET ***

rd 3:3

route-target export 3:3

route-target import 1:1

route-target import 33:33

route-target import 3:3

!

ip vrf GEM

description *** GEMENSAM NET ***

rd 1:1

route-target export 1:1

route-target import 2:2

route-target import 3:3

route-target import 1:1

!

As you can see, i have also configured an export map for vrf ADM, which i'm then importing routes from.

the Map looks as follows:

!

access-list 1 permit 172.18.254.37

!

route-map ADM-to-EDU permit 10

match ip address 1

set extcommunity rt 33:33 additive

!

A relevant part of the ip setup is as follows:

!

interface Loopback3

ip vrf forwarding EDU

ip address 3.3.3.3 255.255.255.255

!

interface Loopback37

ip vrf forwarding ADM

ip address 172.18.254.37 255.255.255.255

!

I'm running BGP:

router bgp 65235

no synchronization

bgp log-neighbor-changes

no auto-summary

!

address-family ipv4 vrf GEM

  redistribute connected

  redistribute static

  default-information originate

  no synchronization

exit-address-family

!

address-family ipv4 vrf EDU

  redistribute connected

  redistribute static

  default-information originate

  no synchronization

exit-address-family

!

address-family ipv4 vrf ADM

  redistribute connected

  redistribute static

  default-information originate

  no synchronization

exit-address-family

!

Now, the thing is, the leaking is working, i can see the leaked route in the EDU routing table below,

Router#sh ip route vrf EDU

Routing Table: EDU
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.19.16.5 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 is directly connected, 04:53:31, Loopback1
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback3
     172.19.0.0/32 is subnetted, 1 subnets
B       172.19.16.5 is directly connected, 02:27:51, Loopback0
     172.18.0.0/32 is subnetted, 1 subnets
B       172.18.254.37 is directly connected, 00:32:14, Loopback37
B*   0.0.0.0/0 [20/0] via 172.19.16.5 (GEM), 02:08:42

but i cannot reach it:

Router#ping vrf EDU 172.18.254.37

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

But if i run "debug ip packet" and the perform another ping, i get this result which i think is a bit weird? to me it seems as if it works.

Router#ping vrf EDU 172.18.254.37

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:

*Mar  1 05:42:40.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:40.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:40.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:40.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:40.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:40.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar  1 05:42:42.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:42.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:42.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:42.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:42.582: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:42.586: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:42.590: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:42.590: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar  1 05:42:44.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:44.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:44.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:44.574: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:44.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:44.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar  1 05:42:46.566: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:46.570: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:46.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:46.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:46.570: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:46.574: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar  1 05:42:48.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:48.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:48.566: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:48.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:48.574: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:48.574: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:48.582: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:48.582: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
Success rate is 0 percent (0/5)
Router#

However, if i add leaking for 3.3.3.3 in ADM vrf like this:

!

access-list 2 permit 3.3.3.3

!

route-map EDU-to-ADM permit 10

match ip address 2

set extcommunity rt  22:22 additive

!

ip vrf ADM

description *** ADMIN NET ***

rd 2:2

export map ADM-to-EDU

route-target export 2:2

route-target import 1:1

route-target import 22:22      < - added line

route-target import 2:2

!

!

ip vrf EDU

description *** ELEV NET ***

rd 3:3

export map EDU-to-ADM         < - added line

route-target export 3:3

route-target import 1:1

route-target import 33:33

route-target import 3:3

!

Then it will work:

Router#ping vrf EDU 172.18.254.37

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms

So actually, my big question is, am i doing this the right or wrong way? i'm a bit confused.

Sorry about the rant, maybe it will clarify some things for others who are confused, or maybe just make it worse!

      

Some additional thoughts:

Why can't i perform this ping, shouldnt this work?

Router#ping vrf GEM 172.18.254.37

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#

bgp info:

Router#sh ip bgp vpnv4 all
BGP table version is 79, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf GEM)
*> 0.0.0.0          172.19.16.5              0         32768 ?
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
*> 2.2.2.2/32       0.0.0.0                  0         32768 ?
*> 3.3.3.3/32       0.0.0.0                  0         32768 ?
*> 172.18.254.37/32 0.0.0.0                  0         32768 ?
*> 172.19.16.5/32   0.0.0.0                  0         32768 ?
Route Distinguisher: 2:2 (default for vrf ADM)
*> 0.0.0.0          172.19.16.5              0         32768 ?
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
*> 2.2.2.2/32       0.0.0.0                  0         32768 ?
*> 3.3.3.3/32       0.0.0.0                  0         32768 ?
*> 172.18.254.37/32 0.0.0.0                  0         32768 ?
*> 172.19.16.5/32   0.0.0.0                  0         32768 ?
Route Distinguisher: 3:3 (default for vrf EDU)
*> 0.0.0.0          172.19.16.5              0         32768 ?
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
   Network          Next Hop            Metric LocPrf Weight Path
*> 3.3.3.3/32       0.0.0.0                  0         32768 ?
*> 172.18.254.37/32 0.0.0.0                  0         32768 ?
*> 172.19.16.5/32   0.0.0.0                  0         32768 ?
Router#

1 Accepted Solution

Accepted Solutions

Hello Tommy,

your understanding is correct to build two way IP communication between two VRFs that are not importing each other route targets you need to use an export map that will add a modified RT in order to perform  a so called partial extranet in both directions as you have seen in your tests.

You are close to the solution and you may have found it by yourself

ip prefix-list 2 seq 5 permit 172.19.0.0/16

You need to rewrite this in the following way:

ip prefix-list 2 seq 5 permit 172.19.0.0/16  le 32

Only in this way you can take full advantage of the capabilities of IP prefix-list to describe all the IP subnets in EDU VRF topology that are within the 172.19/16 block.

I would suggest to use alphanumeric names like PL-EDU-to-ADM for the names of the prefix lists, the use of numbers makes less clear the configuration (in my opinion and experience)

Hope to help

Giuseppe

View solution in original post

5 Replies 5

a.rakurty
Beginner
Beginner

Try to ping by sourcing the interface or the ip.

Thank you for your answer Aravala.

Ok, so i think i'm beginning to understand this now after several hours..

Below is my setup now, and it works, but the thing is that it ONLY works from nets that are actually configured on interfaces.

What i mean by this is,

i want to reach ONLY the ip 172.18.254.37(ADM net) from ANY adress on 172.19.0.0/16 (EDU net)

so naturally i try and change the prefix list to:

ip prefix-list 1 seq 5 permit 172.18.254.37/32

ip prefix-list 2 seq 5 permit 172.19.0.0/16

But this doesnt work, i would be very grateful if someone could explain why and how to get around it..! i dont want to define every subnet on 172.19.0.0/16 and at the same time leave all of the 172.18.254.0/24 network open.

working setup:

!

ip vrf ADM

description *** ADMIN NET ***

rd 2:2

export map ADM-to-EDU

route-target export 2:2

route-target import 1:1

route-target import 22:22

route-target import 2:2

!

ip vrf EDU

description *** ELEV NET ***

rd 3:3

export map EDU-to-ADM

route-target export 3:3

route-target import 1:1

route-target import 33:33

route-target import 3:3

!

ip vrf GEM

description *** GEMENSAM NET ***

rd 1:1

route-target export 1:1

route-target import 2:2

route-target import 3:3

route-target import 1:1

!

!

ip prefix-list 1 seq 5 permit 172.18.254.0/24

ip prefix-list 2 seq 5 permit 172.19.64.0/21

!

route-map ADM-to-EDU permit 10

match ip address prefix-list 1

set extcommunity rt  33:33 additive

!

route-map EDU-to-ADM permit 10

match ip address prefix-list 2

set extcommunity rt  22:22 additive

!

Hello Tommy,

your understanding is correct to build two way IP communication between two VRFs that are not importing each other route targets you need to use an export map that will add a modified RT in order to perform  a so called partial extranet in both directions as you have seen in your tests.

You are close to the solution and you may have found it by yourself

ip prefix-list 2 seq 5 permit 172.19.0.0/16

You need to rewrite this in the following way:

ip prefix-list 2 seq 5 permit 172.19.0.0/16  le 32

Only in this way you can take full advantage of the capabilities of IP prefix-list to describe all the IP subnets in EDU VRF topology that are within the 172.19/16 block.

I would suggest to use alphanumeric names like PL-EDU-to-ADM for the names of the prefix lists, the use of numbers makes less clear the configuration (in my opinion and experience)

Hope to help

Giuseppe

Hello Giuseppe!

Thank you, your post is spot on. As you said i found out about the "le" option after another couple of hours =)

This solved my problems, and as a benefit i learned alot about the power of prefix lists which is great.

I agree, the prefix list are alot prettier with names, i will follow your advise!

Thanks alot, hopefully this will help someone. I have read several of threads where your posts have cleared up one thing after another, great stuff.

Also, i would like to share an awesome tutorial on prefix lists: http://ccienotes.blogspot.se/2007/08/ip-prefix-list.html

Best Regards,

Tommy

Hi !

Have you any example or link for route leaking between VRFs for IOS XR ?
I've found some info but not so clear.
some commands are different and i'm in a stuck.

regards

Gabriel

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers