
Route leaking from VRF to Global on same router with VLAN interface

lap
Level 2

Hi all,

I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:

interface FastEthernet4
description ***Connection to WAN***
ip vrf forwarding FVRF
ip address 10.0.0.6 255.255.255.0

interface Vlan100
description ***LAN***
ip address 192.168.227.1 255.255.255.0

So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.

I thought I could do that config but it is not possible:

(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface

OR

DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
%Invalid next hop address (it's this router)

Any ideas are really welcome.

Best regards,

Laurent

17 Replies

Ivan Krimmel
Level 7

you would end up with MP-BGP

Hi ikrimmel,

Thanks for your message.

So you mean that I have to use MP-BGP. I cannot do otherwise with static routes?

Could you give an example about what you are thinking related to my setup please?

Regards,

Laurent

Try removing the space from the interface name (vlan100 and not vlan 100).

Hi Andre,

I get the same messages when removing the space.

Regards,

Laurent

Hi,

I have tried the following solution:

Add 10.0.0.0 /24 from VRF to Global:

-------------------------------------------------------

ip route 10.0.0.0 255.255.255.0 FastEthernet4

Add 192.168.227.0 /24 from Global to VRF:

--------------------------------------------------------------

router bgp 64512
bgp log-neighbor-changes
!
address-family ipv4
  no synchronization
  redistribute connected
  no auto-summary
exit-address-family

ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24

route-map Global permit 10
 match ip address prefix-list Global-VRF

ip vrf FVRF
 rd 1:1
 import ipv4 unicast map Global

So now the VRF table looks like that:

--------------------------------------------------------

#      sh ip route vrf FVRF

C        10.0.0.0/24 is directly connected, FastEthernet4
S        10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L        10.0.0.6/32 is directly connected, FastEthernet4
B     192.168.227.0/24 is directly connected, 00:15:12, Vlan100

The Global table looks like this:

-----------------------------------------------

#sh ip route

Gateway of last resort is 10.1.0.107 to network 0.0.0.0

D*    0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S        10.0.0.0/24 is directly connected, FastEthernet4
C        10.1.0.0/24 is directly connected, Tunnel1
L        10.1.0.227/32 is directly connected, Tunnel1
C        10.2.0.0/24 is directly connected, Tunnel2
L        10.2.0.227/32 is directly connected, Tunnel2
C        10.10.10.227/32 is directly connected, Loopback100
      192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.227.0/24 is directly connected, Vlan100
L        192.168.227.1/32 is directly connected, Vlan100

But when I try to ping it still doesn't work:

--------------------------------------------------------------

#ping vrf FVRF 192.168.227.1 source fastEthernet 4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.6
.....
Success rate is 0 percent (0/5)

#ping 10.0.0.1 source vlan 100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.227.1
.....
Success rate is 0 percent (0/5)

Any ideas?

Regards,

Laurent

Laurent,

MP-BGP is to be used with inter-VRF setups; in your case statics should indeed work:

http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml#global

However, pointing the static to the router's address could indeed lead to those messages. What if you try to specify a different next hop on this subnet?

Any ideas?

Hi,

Did you try VRF select? It will allow you to have each subnet in both the GRT and in a VRF. Please see the following post for an example:

https://supportforums.cisco.com/message/972565#972565

Also on CCO: http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_vrf_select_rt_ps6441_TSD_Products_Configuration_Guide_Chapter.html

HTH

Laurent.

Hi Laurent,

Thanks, I have tried and I have the following RIB now:

Global:

#sh ip route

D*    0.0.0.0/0 [90/1709056] via 10.1.0.107, 00:17:20, Tunnel1
      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S        10.0.0.0/24 is directly connected, FastEthernet4
C        10.1.0.0/24 is directly connected, Tunnel1
L        10.1.0.227/32 is directly connected, Tunnel1
C        10.2.0.0/24 is directly connected, Tunnel2
L        10.2.0.227/32 is directly connected, Tunnel2
C        10.10.10.227/32 is directly connected, Loopback100
C        10.90.227.0/24 is directly connected, Vlan90
L        10.90.227.1/32 is directly connected, Vlan90
      172.16.0.0/32 is subnetted, 1 subnets
C        172.16.10.10 is directly connected, Loopback0
      192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.227.0/24 is directly connected, Vlan100
L        192.168.227.1/32 is directly connected, Vlan100

VRF:

#sh ip route vrf FVRF

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 10.0.0.1
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.0.0/24 is directly connected, FastEthernet4
S        10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L        10.0.0.6/32 is directly connected, FastEthernet4
      172.16.0.0/32 is subnetted, 1 subnets
C        172.16.10.10 is directly connected, Loopback0
      192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.227.0/24 is directly connected, Vlan100
L        192.168.227.1/32 is directly connected, Vlan100

So from VRF I can ping 192.168.227.1 (Vlan 100 interface in Global) and from global I can ping 10.0.0.6 (Fa4 IP in VRF).

But I cannot ping the other IPs in the 10.0.0.0 /24 subnet, for example 10.0.0.1, which is the DG.

I can ping 10.0.0.1 from the VRF directly.

Any clues?

Regards,

Laurent

Hi Laurent,

Here is what I tried on a PE running 12.2(33)SRE and it's almost working:

R1--------GRT Eth0/0 PE ---VRF Eth1/0-----R2

Rx default gateway is PE

PE config:

interface Ethernet0/0
 description Vers R1
 ip address 192.168.2.14 255.255.255.252
 ip vrf select source
 ip vrf receive MVPN
!
interface Ethernet1/0
 description Vers R2
 ip vrf forwarding MVPN
 ip address 172.16.4.254 255.255.255.0
!
ip route 172.16.4.0 255.255.255.0 Ethernet1/0

It looks like the same setup as yours but with different results:

- R1 can ping R2

- R1 can ping PE address in VRF (172.16.4.254)

- R2 can't ping PE address in GRT (192.168.2.14). PE is not processing the packet for an unknown reason. If PE pings R2 using eth0/0 as source address, I see it receiving the echo-reply without processing it...

Also I found such a design is not fully supported on all platforms (local route leaking between VRF and GRT), so you may check with your local Cisco account team before investigating this issue further. It will prevent you from losing too much time before coming to the conclusion that you need to review your design.

Thanks,

Laurent.

Hi Laurent,

Sorry for the late reply. I haven't had the possibility to test it with the customer as he decided not to go ahead with the solution.

Best regards,

Laurent

Hello,

Not that this is much help, but I've just attempted to implement this myself and unfortunately drew the ultimate conclusion that it wasn't possible.

As such I've chosen to migrate all subnets present in the GRT into a separate VRF, which then allows me to do inter-VRF routing using MP-BGP as previously discussed in this thread.

Although I appreciate that might not be possible depending on your environment, for me it was only 40-50 directly connected subnets (Vlan SVIs).

Once finished the GRT will be empty on my switches with only VRFs present.

HTH

kelly.a.murphy
Level 1

I just had a similar question come up in a what-if scenario that I was labbing out.  We solved this by creating mutual redistribution, using route-maps to control prefixes, between the VRF and Global table.  This requires a locally significant instance of MP-BGP.  It does not require VRF select configurations or static routes.  The removal of static routes can save you from black-hole routing.  Better late, than never.

ip vrf FVRF
 rd 1:1
 import ipv4 unicast map IMPORT-GLOBAL-TO-VRF
 export ipv4 unicast map EXPORT-VRF-TO-GLOBAL
!
router bgp 64512
 !
 address-family ipv4
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf FVRF
  redistribute connected
 exit-address-family
!
ip prefix-list EXPORT-VRF-TO-GLOBAL seq 10 permit 10.0.0.0/24
ip prefix-list IMPORT-GLOBAL-TO-VRF seq 10 permit 192.168.227.0/24
!
route-map IMPORT-GLOBAL-TO-VRF permit 10
 match ip address prefix-list IMPORT-GLOBAL-TO-VRF
!
route-map EXPORT-VRF-TO-GLOBAL permit 10
 match ip address prefix-list EXPORT-VRF-TO-GLOBAL
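
An added example, not part of the original post or of any Cisco tooling: a small Python audit that resolves the `import`/`export ipv4 unicast map` statements in the configuration above to the prefixes they let across the VRF/global boundary, and reports anything that is not an exact match for an allowlist. The function names, the allowlist and the `seq 20` entry in the sample are constructed for illustration; the parser assumes indented sub-mode lines as in `show running-config` output and only looks at `permit` entries.

```python
import ipaddress
import re

# Constructed sample: the VRF, prefix-list and route-map lines from the post
# above, plus one deliberately broad entry (seq 20) to produce a finding.
SAMPLE_CONFIG = """\
ip vrf FVRF
 rd 1:1
 import ipv4 unicast map IMPORT-GLOBAL-TO-VRF
 export ipv4 unicast map EXPORT-VRF-TO-GLOBAL
!
ip prefix-list EXPORT-VRF-TO-GLOBAL seq 10 permit 10.0.0.0/24
ip prefix-list IMPORT-GLOBAL-TO-VRF seq 10 permit 192.168.227.0/24
ip prefix-list IMPORT-GLOBAL-TO-VRF seq 20 permit 0.0.0.0/0 le 32
!
route-map IMPORT-GLOBAL-TO-VRF permit 10
 match ip address prefix-list IMPORT-GLOBAL-TO-VRF
!
route-map EXPORT-VRF-TO-GLOBAL permit 10
 match ip address prefix-list EXPORT-VRF-TO-GLOBAL
"""

def leaked_prefixes(config):
    """Resolve each VRF import/export map to the prefix-list entries it permits."""
    plists, rmaps, leaks = {}, {}, []
    vrf = rmap = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            vrf = rmap = None  # a top-level line ends any sub-mode
        if m := re.match(r"ip vrf (\S+)$", line):
            vrf = m.group(1)
        elif m := re.match(r"route-map (\S+) permit \d+$", line):
            rmap = m.group(1)
            rmaps.setdefault(rmap, [])
        elif (m := re.match(r"match ip address prefix-list (.+)$", line)) and rmap:
            rmaps[rmap].extend(m.group(1).split())
        elif m := re.match(r"ip prefix-list (\S+) seq \d+ permit (\S+)\s*(.*)$", line):
            plists.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif (m := re.match(r"(import|export) ipv4 unicast map (\S+)$", line)) and vrf:
            leaks.append((vrf, m.group(1), m.group(2)))
    return [(v, d, p, mod) for v, d, rm in leaks
            for pl in rmaps.get(rm, []) for p, mod in plists.get(pl, [])]

def audit(config, allowed):
    """Return leaked entries that are not an exact match for an allowed prefix."""
    nets = {ipaddress.ip_network(p) for p in allowed}
    return [(vrf, d, f"{p} {mod}".strip())
            for vrf, d, p, mod in leaked_prefixes(config)
            if mod or ipaddress.ip_network(p) not in nets]  # le/ge widen the match
```

Calling `audit(SAMPLE_CONFIG, ["10.0.0.0/24", "192.168.227.0/24"])` reports only the constructed `0.0.0.0/0 le 32` import entry; the configuration exactly as posted produces no findings.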