08-01-2012 03:58 AM
Hi,
I'm a bit confused by this setup that I'm trying to achieve.
The setup is a classic one, though: I have one VRF for education (EDU), one for administrators (ADM) and then a shared VRF (GEM), like this:
ip vrf ADM
description *** ADMIN NET ***
rd 2:2
export map ADM-to-EDU
route-target export 2:2
route-target import 1:1
route-target import 2:2
!
ip vrf EDU
description *** ELEV NET ***
rd 3:3
route-target export 3:3
route-target import 1:1
route-target import 33:33
route-target import 3:3
!
ip vrf GEM
description *** GEMENSAM NET ***
rd 1:1
route-target export 1:1
route-target import 2:2
route-target import 3:3
route-target import 1:1
!
As you can see, I have also configured an export map for VRF ADM, which I'm then importing routes from.
The map looks as follows:
!
access-list 1 permit 172.18.254.37
!
route-map ADM-to-EDU permit 10
match ip address 1
set extcommunity rt 33:33 additive
!
A relevant part of the ip setup is as follows:
!
interface Loopback3
ip vrf forwarding EDU
ip address 3.3.3.3 255.255.255.255
!
interface Loopback37
ip vrf forwarding ADM
ip address 172.18.254.37 255.255.255.255
!
I'm running BGP:
router bgp 65235
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf GEM
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
!
address-family ipv4 vrf EDU
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
!
address-family ipv4 vrf ADM
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
!
Now, the thing is, the leaking is working; I can see the leaked route in the EDU routing table below,
Router#sh ip route vrf EDU
Routing Table: EDU
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.19.16.5 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 is directly connected, 04:53:31, Loopback1
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback3
172.19.0.0/32 is subnetted, 1 subnets
B 172.19.16.5 is directly connected, 02:27:51, Loopback0
172.18.0.0/32 is subnetted, 1 subnets
B 172.18.254.37 is directly connected, 00:32:14, Loopback37
B* 0.0.0.0/0 [20/0] via 172.19.16.5 (GEM), 02:08:42
but I cannot reach it:
Router#ping vrf EDU 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
But if I run "debug ip packet" and then perform another ping, I get this result, which I think is a bit weird? To me it seems as if it works.
Router#ping vrf EDU 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
*Mar 1 05:42:40.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:40.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:40.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:40.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:40.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:40.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:42.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:42.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:42.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:42.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:42.582: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:42.586: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:42.590: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:42.590: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:44.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:44.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:44.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:44.574: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:44.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:44.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:46.566: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:46.570: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:46.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:46.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:46.570: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:46.574: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:48.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:48.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:48.566: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:48.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:48.574: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:48.574: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:48.582: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:48.582: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
Success rate is 0 percent (0/5)
Router#
However, if I add leaking for 3.3.3.3 into the ADM VRF like this:
!
access-list 2 permit 3.3.3.3
!
route-map EDU-to-ADM permit 10
match ip address 2
set extcommunity rt 22:22 additive
!
ip vrf ADM
description *** ADMIN NET ***
rd 2:2
export map ADM-to-EDU
route-target export 2:2
route-target import 1:1
route-target import 22:22 <- added line
route-target import 2:2
!
!
ip vrf EDU
description *** ELEV NET ***
rd 3:3
export map EDU-to-ADM <- added line
route-target export 3:3
route-target import 1:1
route-target import 33:33
route-target import 3:3
!
Then it will work:
Router#ping vrf EDU 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms
So actually, my big question is: am I doing this the right or the wrong way? I'm a bit confused.
Sorry about the rant; maybe it will clarify some things for others who are confused, or maybe just make it worse!
Some additional thoughts:
Why can't I perform this ping? Shouldn't this work?
Router#ping vrf GEM 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#
BGP info:
Router#sh ip bgp vpnv4 all
BGP table version is 79, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf GEM)
*> 0.0.0.0 172.19.16.5 0 32768 ?
*> 1.1.1.1/32 0.0.0.0 0 32768 ?
*> 2.2.2.2/32 0.0.0.0 0 32768 ?
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 172.18.254.37/32 0.0.0.0 0 32768 ?
*> 172.19.16.5/32 0.0.0.0 0 32768 ?
Route Distinguisher: 2:2 (default for vrf ADM)
*> 0.0.0.0 172.19.16.5 0 32768 ?
*> 1.1.1.1/32 0.0.0.0 0 32768 ?
*> 2.2.2.2/32 0.0.0.0 0 32768 ?
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 172.18.254.37/32 0.0.0.0 0 32768 ?
*> 172.19.16.5/32 0.0.0.0 0 32768 ?
Route Distinguisher: 3:3 (default for vrf EDU)
*> 0.0.0.0 172.19.16.5 0 32768 ?
*> 1.1.1.1/32 0.0.0.0 0 32768 ?
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 172.18.254.37/32 0.0.0.0 0 32768 ?
*> 172.19.16.5/32 0.0.0.0 0 32768 ?
Router#
08-01-2012 12:22 PM
Try to ping sourcing from the interface or the IP.
08-02-2012 11:00 AM
Thank you for your answer Aravala.
OK, so I think I'm beginning to understand this now, after several hours...
Below is my setup now, and it works, but the thing is that it ONLY works from nets that are actually configured on interfaces.
What I mean by this is:
I want to reach ONLY the IP 172.18.254.37 (ADM net) from ANY address on 172.19.0.0/16 (EDU net),
so naturally I try to change the prefix list to:
ip prefix-list 1 seq 5 permit 172.18.254.37/32
ip prefix-list 2 seq 5 permit 172.19.0.0/16
But this doesn't work. I would be very grateful if someone could explain why and how to get around it! I don't want to define every subnet on 172.19.0.0/16 and at the same time leave all of the 172.18.254.0/24 network open.
Working setup:
!
ip vrf ADM
description *** ADMIN NET ***
rd 2:2
export map ADM-to-EDU
route-target export 2:2
route-target import 1:1
route-target import 22:22
route-target import 2:2
!
ip vrf EDU
description *** ELEV NET ***
rd 3:3
export map EDU-to-ADM
route-target export 3:3
route-target import 1:1
route-target import 33:33
route-target import 3:3
!
ip vrf GEM
description *** GEMENSAM NET ***
rd 1:1
route-target export 1:1
route-target import 2:2
route-target import 3:3
route-target import 1:1
!
!
ip prefix-list 1 seq 5 permit 172.18.254.0/24
ip prefix-list 2 seq 5 permit 172.19.64.0/21
!
route-map ADM-to-EDU permit 10
match ip address prefix-list 1
set extcommunity rt 33:33 additive
!
route-map EDU-to-ADM permit 10
match ip address prefix-list 2
set extcommunity rt 22:22 additive
!
08-08-2012 05:07 AM
Hello Tommy,
Your understanding is correct: to build two-way IP communication between two VRFs that are not importing each other's route targets, you need to use an export map that adds a modified RT, in order to perform a so-called partial extranet in both directions, as you have seen in your tests.
You are close to the solution, and you may have found it by yourself:
ip prefix-list 2 seq 5 permit 172.19.0.0/16
You need to rewrite this in the following way:
ip prefix-list 2 seq 5 permit 172.19.0.0/16 le 32
Only in this way can you take full advantage of the capabilities of IP prefix-lists to describe all the IP subnets in the EDU VRF topology that are within the 172.19/16 block.
I would suggest using alphanumeric names like PL-EDU-to-ADM for the prefix lists; the use of numbers makes the configuration less clear (in my opinion and experience).
Hope to help
Giuseppe
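The two things this thread turns on can be reproduced in a small model: the one-way leak of the first post (172.18.254.37 appears in the EDU table, but ADM has no route back to 3.3.3.3 until the second export map is added, so two-way traffic fails), and the exact-length prefix-list match of the second post that Giuseppe's `le 32` fixes. The Python below is an added example written for this page; it is not configuration or code from the thread or from Cisco. It reduces IOS behaviour to the parts that matter here: a VRF exports its connected prefixes with its export RT, an export map adds an extra RT (additive) to prefixes its prefix-list permits, and a VRF imports every prefix carrying one of its import RTs. The ADM interface prefix 172.18.254.0/24 and the EDU interface prefix 172.19.64.0/21 are assumptions taken from the prefix-lists in the "working setup", the first post's access-list is represented as an equivalent /32 prefix-list entry, and the default route and GEM's transit role are left out of the model.

```python
"""Toy model of IOS VRF route leaking: route-target import/export, export maps
and prefix-list ge/le matching. Added example, not code or configuration from the
original thread; the 172.18.254.0/24 and 172.19.64.0/21 interface prefixes are constructed."""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


def prefix_list_match(entries, prefix):
    """IOS prefix-list semantics: entries are (action, network, ge, le), first match wins,
    implicit deny. Without ge/le only the exact length matches; 'le 32' widens to every subnet."""
    p = IPNet(prefix)
    for action, net, ge, le in entries:
        n = IPNet(net)
        lo = ge if ge is not None else n.prefixlen
        hi = le if le is not None else (32 if ge is not None else n.prefixlen)
        if p.subnet_of(n) and lo <= p.prefixlen <= hi:
            return action == "permit"
    return False


@dataclass
class Vrf:
    name: str
    export_rt: str
    import_rts: set
    connected: list            # prefixes redistributed from this VRF's interfaces
    export_map: tuple = None   # (prefix_list_entries, extra_rt), like 'export map X'

    def exported(self):
        """Prefix -> RTs attached on export; the export map adds its RT 'additive'."""
        out = {}
        for pfx in self.connected:
            rts = {self.export_rt}
            if self.export_map and prefix_list_match(self.export_map[0], pfx):
                rts.add(self.export_map[1])
            out[IPNet(pfx)] = rts
        return out


def build_tables(vrfs):
    """Each VRF's table: own prefixes plus every exported prefix carrying one of its
    import RTs. Values name the owning VRF and stand in for the next hop."""
    tables = {v.name: {IPNet(p): v.name for p in v.connected} for v in vrfs}
    for src in vrfs:
        for pfx, rts in src.exported().items():
            for dst in vrfs:
                if dst is not src and rts & dst.import_rts:
                    tables[dst.name][pfx] = src.name
    return tables


def lookup(table, ip):
    """Longest-prefix match; returns the owning VRF name or None."""
    addr = ipaddress.IPv4Address(ip)
    hits = [p for p in table if addr in p]
    return table[max(hits, key=lambda p: p.prefixlen)] if hits else None


def ping_works(vrfs, src_vrf, src_ip, dst_ip):
    """The echo needs a route to dst in the source VRF and the reply needs a route
    back to src in the VRF that owns dst: the leak has to exist in both directions."""
    tables = build_tables(vrfs)
    owner = lookup(tables[src_vrf], dst_ip)
    return owner is not None and lookup(tables[owner], src_ip) == src_vrf


def permit(net, rt, ge=None, le=None):
    """One-entry export map: 'match ip address prefix-list' + 'set extcommunity rt RT additive'."""
    return ([("permit", net, ge, le)], rt)


def topology(adm_map, edu_map, adm_connected, edu_connected):
    """The thread's three VRFs. ADM imports 22:22 throughout; that import is inert
    until an EDU export map actually attaches the RT to a prefix."""
    return [
        Vrf("GEM", "1:1", {"1:1", "2:2", "3:3"}, ["172.19.16.5/32"]),
        Vrf("ADM", "2:2", {"1:1", "2:2", "22:22"}, adm_connected, adm_map),
        Vrf("EDU", "3:3", {"1:1", "3:3", "33:33"}, edu_connected, edu_map),
    ]


# First post: ACL 1 (modelled as a /32 entry) leaks 172.18.254.37 into EDU only.
def first_post():
    return topology(permit("172.18.254.37/32", "33:33"), None,
                    ["172.18.254.37/32"], ["3.3.3.3/32"])


def first_post_fixed():          # EDU-to-ADM map added: the reply now has a route
    return topology(permit("172.18.254.37/32", "33:33"), permit("3.3.3.3/32", "22:22"),
                    ["172.18.254.37/32"], ["3.3.3.3/32"])


# Second post: constructed interface prefixes 172.18.254.0/24 (ADM) and 172.19.64.0/21 (EDU).
ADM_NET, EDU_NETS = ["172.18.254.0/24"], ["3.3.3.3/32", "172.19.64.0/21"]


def second_post_working():       # exact /21 entry matches the /21 interface route
    return topology(permit("172.18.254.0/24", "33:33"), permit("172.19.64.0/21", "22:22"), ADM_NET, EDU_NETS)


def second_post_exact16():       # '172.19.0.0/16' alone matches only a /16 route
    return topology(permit("172.18.254.0/24", "33:33"), permit("172.19.0.0/16", "22:22"), ADM_NET, EDU_NETS)


def answer_le32():               # '172.19.0.0/16 le 32' matches every subnet of the /16
    return topology(permit("172.18.254.0/24", "33:33"), permit("172.19.0.0/16", "22:22", le=32), ADM_NET, EDU_NETS)


if __name__ == "__main__":
    for build, src in [(first_post, "3.3.3.3"), (first_post_fixed, "3.3.3.3"), (second_post_working, "172.19.64.1"),
                       (second_post_exact16, "172.19.64.1"), (answer_le32, "172.19.64.1")]:
        print(f"{build.__name__:22} ping vrf EDU 172.18.254.37 from {src}: {ping_works(build(), 'EDU', src, '172.18.254.37')}")
```

Running the file prints one line per scenario: the first post fails, the first post with the EDU-to-ADM map succeeds, the /21 entry succeeds, the bare `172.19.0.0/16` entry fails and `172.19.0.0/16 le 32` succeeds. The model also makes the limit of the "ONLY 172.18.254.37" goal visible: once ADM's route is the connected 172.18.254.0/24, a /32 prefix-list entry for .37 leaks nothing, because export maps act on the prefixes present in the table, not on individual addresses. To leak one host out of that /24 a /32 prefix has to exist first; a static host route is one common way to create it, and the `redistribute static` already present in the VRF address families would carry it into BGP (general IOS behaviour, not something the thread demonstrates).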
08-08-2012 05:14 AM
Hello Giuseppe!
Thank you, your post is spot on. As you said, I found out about the "le" option after another couple of hours =)
This solved my problems, and as a benefit I learned a lot about the power of prefix lists, which is great.
I agree, the prefix lists are a lot prettier with names; I will follow your advice!
Thanks a lot, hopefully this will help someone. I have read several threads where your posts have cleared up one thing after another, great stuff.
Also, i would like to share an awesome tutorial on prefix lists: http://ccienotes.blogspot.se/2007/08/ip-prefix-list.html
Best Regards,
Tommy
06-25-2019 08:52 AM
Hi !
Do you have any example or link for route leaking between VRFs on IOS XR?
I've found some info, but it's not so clear.
Some commands are different and I'm stuck.
regards
Gabriel