05-16-2011 02:15 AM
Hi all,
I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
interface FastEthernet4
description ***Connection to WAN***
ip vrf forwarding FVRF
ip address 10.0.0.6 255.255.255.0
interface Vlan100
description ***LAN***
ip address 192.168.227.1 255.255.255.0
So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
I thought I could do that config but it is not possible:
(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
OR
DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
%Invalid next hop address (it's this router)
Any ideas are really welcome.
Best regards,
Laurent
05-16-2011 02:18 AM
you would end up with MP-BGP
05-16-2011 02:31 AM
Hi ikrimmel,
Thanks for your message.
So you mean that I have to use MP-BGP. I cannot do otherwise with static routes?
Could you give an example about what you are thinking related to my setup please?
Regards,
Laurent
05-16-2011 02:35 AM
Try removing the space from the interface name (vlan100 and not vlan 100).
05-16-2011 02:47 AM
Hi Andre,
It is the same messages I get when removing the space.
Regards,
Laurent
05-16-2011 04:01 AM
Hi,
I have tried the following solution:
Add 10.0.0.0 /24 from VRF to Global:
-------------------------------------------------------
ip route 10.0.0.0 255.255.255.0 FastEthernet4
Add 192.168.227.0 /24 from Global to VRF:
--------------------------------------------------------------
router bgp 64512
bgp log-neighbor-changes
!
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
route-map Global permit 10
match ip address prefix-list Global-VRF
ip vrf FVRF
rd 1:1
import ipv4 unicast map Global
So now the VRF table looks like that:
--------------------------------------------------------
# sh ip route vrf FVRF
C 10.0.0.0/24 is directly connected, FastEthernet4
S 10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L 10.0.0.6/32 is directly connected, FastEthernet4
B 192.168.227.0/24 is directly connected, 00:15:12, Vlan100
The Global table looks like this:
-----------------------------------------------
#sh ip route
Gateway of last resort is 10.1.0.107 to network 0.0.0.0
D* 0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S 10.0.0.0/24 is directly connected, FastEthernet4
C 10.1.0.0/24 is directly connected, Tunnel1
L 10.1.0.227/32 is directly connected, Tunnel1
C 10.2.0.0/24 is directly connected, Tunnel2
L 10.2.0.227/32 is directly connected, Tunnel2
C 10.10.10.227/32 is directly connected, Loopback100
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
But when I try to ping it still doesn't work:
--------------------------------------------------------------
#ping vrf FVRF 192.168.227.1 source fastEthernet 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.6
.....
Success rate is 0 percent (0/5)
#ping 10.0.0.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.227.1
.....
Success rate is 0 percent (0/5)
Any ideas?
Regards,
Laurent
05-16-2011 02:54 AM
Laurent,
MP-BGP is to be used with inter-VRF setups; in your case statics should indeed work.
However, pointing the static to the router's own address could indeed lead to those messages. What if you try to specify a different next-hop on this subnet?
05-17-2011 04:12 AM
Any ideas?
05-21-2011 06:38 PM
Hi,
Did you try vrf select? It will allow you to have each subnet in both the GRT and in a VRF. Please see the following post for an example:
https://supportforums.cisco.com/message/972565#972565
HTH
Laurent.
05-23-2011 06:27 AM
Hi Laurent,
Thanks, I have tried and I have the following RIB now:
Global:
#sh ip route
D* 0.0.0.0/0 [90/1709056] via 10.1.0.107, 00:17:20, Tunnel1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S 10.0.0.0/24 is directly connected, FastEthernet4
C 10.1.0.0/24 is directly connected, Tunnel1
L 10.1.0.227/32 is directly connected, Tunnel1
C 10.2.0.0/24 is directly connected, Tunnel2
L 10.2.0.227/32 is directly connected, Tunnel2
C 10.10.10.227/32 is directly connected, Loopback100
C 10.90.227.0/24 is directly connected, Vlan90
L 10.90.227.1/32 is directly connected, Vlan90
172.16.0.0/32 is subnetted, 1 subnets
C 172.16.10.10 is directly connected, Loopback0
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
VRF:
#sh ip route vrf FVRF
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.0.0.0/24 is directly connected, FastEthernet4
S 10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L 10.0.0.6/32 is directly connected, FastEthernet4
172.16.0.0/32 is subnetted, 1 subnets
C 172.16.10.10 is directly connected, Loopback0
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
So from the VRF I can ping 192.168.227.1 (Vlan 100 interface in Global) and from global I can ping 10.0.0.6 (Fa4 IP in VRF).
But I cannot ping the other IPs in the 10.0.0.0 /24 subnet, for example 10.0.0.1, which is the DG.
I can ping 10.0.0.1 from the VRF directly.
Any clues?
Regards,
Laurent
05-24-2011 05:19 PM
Hi Laurent,
Here is what I tried on a PE running 12.2(33)SRE and it's almost working:
R1--------GRT Eth0/0 PE ---VRF Eth1/0-----R2
Rx default gateway is PE
PE config:
interface Ethernet0/0
description Vers R1
ip address 192.168.2.14 255.255.255.252
ip vrf select source
ip vrf receive MVPN
!
interface Ethernet1/0
description Vers R2
ip vrf forwarding MVPN
ip address 172.16.4.254 255.255.255.0
!
ip route 172.16.4.0 255.255.255.0 Ethernet1/0
It looks like the same setup as yours but has different results:
- R1 can ping R2
- R1 can ping PE address in VRF (172.16.4.254)
- R2 can't ping PE address in GRT (192.168.2.14). PE is not processing the packet for unknown reason. If PE pings R2 using eth0/0 as source address, I see it receiving the echo-reply without processing it...
Also, I found such a design is not fully supported on all platforms (local route leaking between VRF and GRT), so you may check with your local Cisco account team before investigating this issue further. It will prevent you from losing too much time before coming to the conclusion that you need to review your design.
Thanks,
Laurent.
06-16-2011 04:05 AM
Hi Laurent,
Sorry for the late reply. I haven't had the possibility to test it with the customer as he decided not to go ahead with the solution.
Best regards,
Laurent
06-12-2012 03:18 PM
Hello,
Not that this is much help, but I've just attempted to implement this myself and unfortunately drew the ultimate conclusion that it wasn't possible.
As such I've chosen to migrate all subnets present in the GRT into a separate VRF, which then allows me to do inter-VRF routing using MP-BGP as previously discussed in this thread.
Although I appreciate that might not be possible depending on your environment, for me it was only 40-50 directly connected subnets (Vlan SVI's).
Once finished the GRT will be empty on my switches with only VRF's present.
HTH
11-04-2015 07:34 PM
I just had a similar question come up in a what-if scenario that I was labbing out. We solved this by creating mutual redistribution, using route-maps to control prefixes, between the VRF and Global table. This requires a locally significant instance of MP-BGP. It does not require VRF select configurations or static routes. The removal of static routes can save you from black-hole routing. Better late than never.
ip vrf FVRF
rd 1:1
import ipv4 unicast map IMPORT-GLOBAL-TO-VRF
export ipv4 unicast map EXPORT-VRF-TO-GLOBAL
!
router bgp 64512
!
address-family ipv4
redistribute connected
exit-address-family
!
address-family ipv4 vrf FVRF
redistribute connected
exit-address-family
!
ip prefix-list EXPORT-VRF-TO-GLOBAL seq 10 permit 10.0.0.0/24
ip prefix-list IMPORT-GLOBAL-TO-VRF seq 10 permit 192.168.227.0/24
!
route-map IMPORT-GLOBAL-TO-VRF permit 10
match ip address prefix-list IMPORT-GLOBAL-TO-VRF
!
route-map EXPORT-VRF-TO-GLOBAL permit 10
match ip address prefix-list EXPORT-VRF-TO-GLOBAL
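
The prefix-lists in the configuration above are the only thing bounding what crosses between FVRF and the global table, so it is worth checking them against the intended scope. The following audit is an added example, not part of the thread or of any Cisco tooling: the function name, the `ALLOWED` policy and the extra `seq 20` entry are assumptions constructed for illustration, and only `permit` entries are considered.

```python
import ipaddress
import re

# Constructed sample: the FVRF policy from the post above plus one broad
# entry (seq 20) added here to show what the audit reports.
SAMPLE_CONFIG = """\
ip vrf FVRF
 rd 1:1
 import ipv4 unicast map IMPORT-GLOBAL-TO-VRF
 export ipv4 unicast map EXPORT-VRF-TO-GLOBAL
ip prefix-list EXPORT-VRF-TO-GLOBAL seq 10 permit 10.0.0.0/24
ip prefix-list IMPORT-GLOBAL-TO-VRF seq 10 permit 192.168.227.0/24
ip prefix-list IMPORT-GLOBAL-TO-VRF seq 20 permit 0.0.0.0/0 le 32
route-map IMPORT-GLOBAL-TO-VRF permit 10
 match ip address prefix-list IMPORT-GLOBAL-TO-VRF
route-map EXPORT-VRF-TO-GLOBAL permit 10
 match ip address prefix-list EXPORT-VRF-TO-GLOBAL
"""
# Assumed intent: only these prefixes may cross in each direction.
ALLOWED = {"import": ["192.168.227.0/24"], "export": ["10.0.0.0/24"]}

def audit_leaks(config, allowed=ALLOWED):
    """Return (vrf, direction, item, reason) for each leak outside `allowed`."""
    vrf_maps, rmap_lists, plists = [], {}, {}
    vrf = rmap = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip vrf (\S+)$", line):
            vrf, rmap = m.group(1), None
        elif m := re.match(r"route-map (\S+) permit \d+$", line):
            vrf, rmap = None, m.group(1)
            rmap_lists.setdefault(rmap, [])
        elif vrf and (m := re.match(r"(import|export) ipv4 unicast map (\S+)$", line)):
            vrf_maps.append((vrf, m.group(1), m.group(2)))
        elif rmap and (m := re.match(r"match ip address prefix-list (\S+)$", line)):
            rmap_lists[rmap].append(m.group(1))
        elif m := re.match(r"ip prefix-list (\S+) seq \d+ permit (\S+)", line):
            plists.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for vrf, direction, rmap in vrf_maps:
        if not rmap_lists.get(rmap):  # undefined, or no prefix-list match
            findings.append((vrf, direction, rmap, "route-map does not filter by prefix-list"))
            continue
        nets = [ipaddress.ip_network(a) for a in allowed[direction]]
        for plist in rmap_lists[rmap]:
            for prefix in plists.get(plist, []):
                # ge/le only select longer prefixes inside the base prefix.
                if not any(ipaddress.ip_network(prefix).subnet_of(n) for n in nets):
                    findings.append((vrf, direction, prefix, "outside allowed scope"))
    return findings
```

Run against the configuration exactly as posted, the audit returns no findings; the constructed `seq 20` line is what produces the single import finding.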