
Route Leaking between VRFs (Shared services)

ta1983 (Beginner)

Hi,

I'm a bit confused by this setup that I'm trying to achieve.

The setup is classic though, I have one VRF for education (EDU), one for administrators (ADM) and then a shared VRF (GEM) like this:

ip vrf ADM
 description *** ADMIN NET ***
 rd 2:2
 export map ADM-to-EDU
 route-target export 2:2
 route-target import 1:1
 route-target import 2:2
!
ip vrf EDU
 description *** ELEV NET ***
 rd 3:3
 route-target export 3:3
 route-target import 1:1
 route-target import 33:33
 route-target import 3:3
!
ip vrf GEM
 description *** GEMENSAM NET ***
 rd 1:1
 route-target export 1:1
 route-target import 2:2
 route-target import 3:3
 route-target import 1:1
!

As you can see, I have also configured an export map for vrf ADM, which I'm then importing routes from.

The map looks as follows:

!
access-list 1 permit 172.18.254.37
!
route-map ADM-to-EDU permit 10
 match ip address 1
 set extcommunity rt 33:33 additive
!

A relevant part of the IP setup is as follows:

!
interface Loopback3
 ip vrf forwarding EDU
 ip address 3.3.3.3 255.255.255.255
!
interface Loopback37
 ip vrf forwarding ADM
 ip address 172.18.254.37 255.255.255.255
!

I'm running BGP:

router bgp 65235
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf GEM
  redistribute connected
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf EDU
  redistribute connected
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf ADM
  redistribute connected
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
!

Now, the thing is, the leaking is working; I can see the leaked route in the EDU routing table below:

Router#sh ip route vrf EDU

Routing Table: EDU
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.19.16.5 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 is directly connected, 04:53:31, Loopback1
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback3
     172.19.0.0/32 is subnetted, 1 subnets
B       172.19.16.5 is directly connected, 02:27:51, Loopback0
     172.18.0.0/32 is subnetted, 1 subnets
B       172.18.254.37 is directly connected, 00:32:14, Loopback37
B*   0.0.0.0/0 [20/0] via 172.19.16.5 (GEM), 02:08:42

But I cannot reach it:

Router#ping vrf EDU 172.18.254.37

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

But if I run "debug ip packet" and then perform another ping, I get this result, which I think is a bit weird. To me it seems as if it works.

Router#ping vrf EDU 172.18.254.37

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:

*Mar  1 05:42:40.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:40.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:40.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:40.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:40.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:40.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar  1 05:42:42.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:42.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:42.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:42.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:42.582: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:42.586: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:42.590: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:42.590: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar  1 05:42:44.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:44.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:44.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:44.574: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:44.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:44.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar  1 05:42:46.566: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:46.570: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:46.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:46.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:46.570: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:46.574: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar  1 05:42:48.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:48.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar  1 05:42:48.566: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar  1 05:42:48.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar  1 05:42:48.574: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:48.574: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar  1 05:42:48.582: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar  1 05:42:48.582: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
Success rate is 0 percent (0/5)
Router#

However, if I add leaking for 3.3.3.3 in the ADM vrf like this:

!
access-list 2 permit 3.3.3.3
!
route-map EDU-to-ADM permit 10
 match ip address 2
 set extcommunity rt 22:22 additive
!
ip vrf ADM
 description *** ADMIN NET ***
 rd 2:2
 export map ADM-to-EDU
 route-target export 2:2
 route-target import 1:1
 route-target import 22:22      < - added line
 route-target import 2:2
!
ip vrf EDU
 description *** ELEV NET ***
 rd 3:3
 export map EDU-to-ADM         < - added line
 route-target export 3:3
 route-target import 1:1
 route-target import 33:33
 route-target import 3:3
!

Then it works:

Router#ping vrf EDU 172.18.254.37

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms

So actually, my big question is: am I doing this the right or the wrong way? I'm a bit confused.

Sorry about the rant; maybe it will clarify some things for others who are confused, or maybe just make it worse!


Some additional thoughts:

Why can't I perform this ping? Shouldn't this work?

Router#ping vrf GEM 172.18.254.37

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#

BGP info:

Router#sh ip bgp vpnv4 all
BGP table version is 79, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf GEM)
*> 0.0.0.0          172.19.16.5              0         32768 ?
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
*> 2.2.2.2/32       0.0.0.0                  0         32768 ?
*> 3.3.3.3/32       0.0.0.0                  0         32768 ?
*> 172.18.254.37/32 0.0.0.0                  0         32768 ?
*> 172.19.16.5/32   0.0.0.0                  0         32768 ?
Route Distinguisher: 2:2 (default for vrf ADM)
*> 0.0.0.0          172.19.16.5              0         32768 ?
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
*> 2.2.2.2/32       0.0.0.0                  0         32768 ?
*> 3.3.3.3/32       0.0.0.0                  0         32768 ?
*> 172.18.254.37/32 0.0.0.0                  0         32768 ?
*> 172.19.16.5/32   0.0.0.0                  0         32768 ?
Route Distinguisher: 3:3 (default for vrf EDU)
*> 0.0.0.0          172.19.16.5              0         32768 ?
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
*> 3.3.3.3/32       0.0.0.0                  0         32768 ?
*> 172.18.254.37/32 0.0.0.0                  0         32768 ?
*> 172.19.16.5/32   0.0.0.0                  0         32768 ?
Router#

ACCEPTED SOLUTION

Hello Tommy,

Your understanding is correct: to build two-way IP communication between two VRFs that are not importing each other's route targets, you need to use an export map that adds a modified RT in order to perform a so-called partial extranet in both directions, as you have seen in your tests.

You are close to the solution, and you may have found it by yourself:

ip prefix-list 2 seq 5 permit 172.19.0.0/16

You need to rewrite this in the following way:

ip prefix-list 2 seq 5 permit 172.19.0.0/16 le 32

Only in this way can you take full advantage of the capabilities of the IP prefix-list to describe all the IP subnets in the EDU VRF topology that are within the 172.19/16 block.

I would suggest using alphanumeric names like PL-EDU-to-ADM for the prefix lists; the use of numbers makes the configuration less clear (in my opinion and experience).

Hope to help

Giuseppe

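As an added illustration (not configuration or code from the thread), the following Python model applies the route-target rule the thread turns on: a route enters a VRF when any RT attached to it, including one added by an export map, is imported there. It rebuilds the thread's three VRFs to show that the one-way ADM-to-EDU map puts 172.18.254.37/32 into EDU but leaves no return route for 3.3.3.3/32 in ADM until the reverse map and the 22:22 import are added, and its prefix-list matching shows why 172.19.0.0/16 without le 32 matches only the /16 itself. The standard ACL host matches from the thread are modelled here as /32 prefix-list entries; the class and function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ExportMap:
    """One export-map entry: a prefix-list match plus 'set extcommunity rt <add_rt> additive'."""
    prefix: str                 # prefix-list entry, e.g. "172.19.0.0/16"
    add_rt: str                 # RT added on top of the VRF's normal export RTs
    le: "int | None" = None     # 'le N' upper length bound; None means only that exact prefix matches
    def matches(self, route: str) -> bool:
        r, e = ipaddress.ip_network(route), ipaddress.ip_network(self.prefix)
        upper = self.le if self.le is not None else e.prefixlen
        return r.subnet_of(e) and e.prefixlen <= r.prefixlen <= upper

@dataclass
class Vrf:
    name: str
    export_rts: set     # 'route-target export ...'
    import_rts: set     # 'route-target import ...'
    routes: list        # connected/static prefixes redistributed into this VRF's BGP table
    export_map: "ExportMap | None" = None
    def rts_on(self, route: str) -> set:
        """RTs carried by route when it leaves this VRF: its export RTs plus the map's RT if it matches."""
        extra = {self.export_map.add_rt} if self.export_map and self.export_map.matches(route) else set()
        return self.export_rts | extra

def import_tables(vrfs: list) -> dict:
    """{vrf: {route: origin_vrf}}: a route lands in a VRF when any RT on it is imported there."""
    tables = {v.name: {} for v in vrfs}
    for dst in vrfs:
        for src in vrfs:
            for route in src.routes:
                if src.rts_on(route) & dst.import_rts:
                    tables[dst.name][route] = src.name
    return tables

def two_way(tables: dict, vrf_a: str, host_a: str, vrf_b: str, host_b: str) -> bool:
    """A ping from host_a in vrf_a to host_b in vrf_b needs the forward AND the return route."""
    return host_b in tables[vrf_a] and host_a in tables[vrf_b]

def thread_topology(reverse_leak: bool) -> list:
    """The three VRFs from the thread; reverse_leak adds the EDU-to-ADM map and the 22:22 import."""
    adm_imports = {"1:1", "2:2"} | ({"22:22"} if reverse_leak else set())
    return [
        Vrf("GEM", {"1:1"}, {"1:1", "2:2", "3:3"}, ["1.1.1.1/32", "172.19.16.5/32", "0.0.0.0/0"]),
        Vrf("ADM", {"2:2"}, adm_imports, ["172.18.254.37/32"], ExportMap("172.18.254.37/32", "33:33")),
        Vrf("EDU", {"3:3"}, {"1:1", "3:3", "33:33"}, ["3.3.3.3/32"],
            ExportMap("3.3.3.3/32", "22:22") if reverse_leak else None),
    ]
```

The `import_tables` result also lists every prefix that has crossed a VRF boundary and where it came from, which is the thing to review after any leaking change: the RIB showing a route, as in the thread, says nothing about whether the reverse direction was opened as well.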

5 REPLIES

a.rakurty (Beginner)

Try to ping by sourcing the interface or the ip.