VRF import map question

g.raymakers
Level 3

I'm looking to import routes from one VRF into another one. I don't want all routes, just a few, so I'm looking to filter the import using the import map feature. The question I have is, what properties can I use in the import map filter? E.g. I've seen examples where people used IP-based ACLs to filter, but could I also use the BGP community in the route-map that will apply to the import map? (I don't want to get into the business of managing large IP-based ACLs to control the import.)

So something like this:

    ip vrf vrf005
     ....
     route-target import 65530:1000020
     route-target export 65530:1000005
     route-target import 65530:1000005
    !
    ip vrf vrf016
     ...
     route-target export 65530:1000020
     route-target import 65530:1000001
     route-target import 65530:1000005
     import map import-vrf16
    !
    ! Deny WAN...
    ip community-list 41 deny 65530:1700
    !
    route-map import-vrf16 deny 10
     match comm 41
    !
    route-map import-vrf16 permit 20
    !

Thanks,

Guy

6 Replies

Peter Paluch
Cisco Employee

Hello Guy,

Yes, it should work - just tested it in my lab.

Just a small typo in your example: As you are using a two-block route-map, the first with action deny, the second with action permit, your community list 41 needs to be changed to the permit action to actually select the routes to be denied within the first block of your route-map, i.e.:

    ip community-list 41 permit 65530:1700
    !
    route-map import-vrf16 deny 10
     match comm 41
    !
    route-map import-vrf16 permit 20

Also do not forget to configure your BGP neighbors in the address-family vpnv4 unicast using the neighbor send-community both.

Best regards,

Peter

Many thanks Peter.

Thanks for pointing out the permit on the community list.

Best regards,

Guy

Quick follow-up question: when using this feature of 'leaking' routes between VRFs, am I right to think that I need to configure the 'leaking' on each PE device? So update the RT import/export of the involved VRFs on each PE?

Many Thanks,

Guy

Hello Guy,

If I understand you correctly, you are asking about having a route imported to several VRFs on a PE router. You are correct, the RT import/export settings will have to be configured for this leaking to take place.

Think of it this way:

  • The route-target export declares a list of route targets into which these routes are allowed to be imported (in other words, it creates an allowed route target list attached to each route)
  • The route-target import declares which routes will be imported into this VRF if allowed by their allowed route target list

Hence, if a route is to be imported into several VRFs at the receiving PE, the receiving VRFs must use at least one of the route targets that are in the allowed route target list attached to this route.

I am not sure if I am clear here - perhaps if you provide an example, I could come up with a particular solution.

Best regards,

Peter

Hi Peter,

The case I was looking into is the following. A network with about 7 PEs, each with 2 user VRFs defined, and one PE with a shared services VRF. In order to give the user VRFs from all PEs access to the Services VRF, I need to define the route-target import on each PE in each user VRF. Hope this makes it clearer?

Hello Guy,

I see. Yes, in order for the Services VRF routes to be visible in user VRFs, each user VRF on each PE must have a route-target import command matching at least one of the RTs that were defined in the Services VRF in the route-target export command.

Best regards,

Peter
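
The filtering behaviour discussed in this thread, modelled in Python as an added example that is not part of any post: it shows why community-list 41 written with deny never matches, so the deny 10 clause filters nothing and the tagged route is still leaked, and how the route-target import check combines with the import map. The first-match and implicit-deny semantics are assumptions of this simplified model, and the sample prefixes and the RT 65530:9999 are constructed.

```python
# Simplified model of VRF import on a PE (added illustration, not IOS source code).
# Assumption: standard community-lists and route-maps are first-match with an
# implicit deny at the end; a route-map clause with no match statement matches all.

def community_list_matches(entries, route_communities):
    """entries: [(action, community)]. True only if the first hit is a permit."""
    for action, community in entries:
        if community in route_communities:
            return action == "permit"
    return False  # implicit deny: the list matches nothing

def route_map_permits(clauses, route_communities):
    """clauses: [(action, community_list_entries or None)] in sequence order."""
    for action, clist in clauses:
        if clist is None or community_list_matches(clist, route_communities):
            return action == "permit"
    return False  # implicit deny at the end of the route-map

def imported(route, import_rts, import_map):
    """A route is imported if it carries an imported RT and the import map permits."""
    rt_ok = bool(set(route["rts"]) & set(import_rts))
    return rt_ok and route_map_permits(import_map, route["communities"])

VRF016_IMPORT_RTS = ["65530:1000001", "65530:1000005"]  # from the thread

# import-vrf16 as first posted: community-list 41 uses "deny"
ORIGINAL_MAP = [("deny", [("deny", "65530:1700")]), ("permit", None)]
# import-vrf16 after the correction: community-list 41 uses "permit"
CORRECTED_MAP = [("deny", [("permit", "65530:1700")]), ("permit", None)]

# Constructed sample routes; prefixes and the 65530:9999 RT are hypothetical.
ROUTES = [
    {"prefix": "10.5.0.0/16", "rts": ["65530:1000005"], "communities": []},
    {"prefix": "10.17.0.0/16", "rts": ["65530:1000005"], "communities": ["65530:1700"]},
    {"prefix": "10.99.0.0/16", "rts": ["65530:9999"], "communities": []},
]

def imported_prefixes(import_map):
    return [r["prefix"] for r in ROUTES if imported(r, VRF016_IMPORT_RTS, import_map)]

if __name__ == "__main__":
    print("original :", imported_prefixes(ORIGINAL_MAP))
    print("corrected:", imported_prefixes(CORRECTED_MAP))
```

With the original map the route tagged 65530:1700 is imported alongside the untagged one; with the corrected map only the untagged route is imported, and the route without a matching RT is rejected in both cases.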