Thanks Harold

Unfortunately, I got tired of beating my head against the router.  I eventually gave up after a number of other opinions from various sources said it couldn't be done (possibly with route-leaking and some loopback tapdance) 

I created an external path and a public ip for my BGP blackhole server at my main campus and did it thru the internet.  I would have preferred to keep it all internal (over our EPL Circuit) , but sometimes its just not worth the hassle. 

Hi @wherewolf ,

I am glad you fixed the issue.

I would still like to convert it to internal at some point, but I don't know anything about VPNv4 configuration.  Is that what is required ? because I don't know that I can do anything like that at the other end with a Linux Blackhole router. 

Hi @wherewolf ,

You do not need to implement vpnv4. It is more of what we call VRF lite. It is just that if you want to see the status of the BGP session configured for a specific VRF, you need to use the "show bgp vpnv4 uni vrf <vrf-name>".

How did you configure the BGP session initially? We can help If you provide the BGP configuration you tried?

I've recreated what I had originally - I think everything is here.  The only issue seems to be routing BGP over the vrf Mgmt-Intf. I can ping both ways.

Thanks for the assist!

ROUTER02#show vrf detail Mgmt-intf
VRF Mgmt-intf (VRF Id = 1); default RD <not set>; default VPNID <not set>
New CLI format, supports multiple address-families
Flags: 0x1808
Interfaces:
Gi0
Address family ipv4 unicast (Table ID = 0x1):
Flags: 0x0
No Export VPN route-target communities
No Import VPN route-target communities
No import route-map
No global export route-map
No export route-map
VRF label distribution protocol: not configured
VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID = 0x1E000001):
Flags: 0x0
No Export VPN route-target communities
No Import VPN route-target communities
No import route-map
No global export route-map
No export route-map
VRF label distribution protocol: not configured
VRF label allocation mode: per-prefix
Address family ipv4 multicast not active
Address family ipv6 multicast not active

ROUTER02#show run int gi 0
Building configuration...

Current configuration : 128 bytes
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.100.7.12 255.255.255.0
negotiation auto
cdp enable
end

ip route vrf Mgmt-intf 10.14.0.8 255.255.255.255 10.100.7.1
ROUTER02#show ip route vrf Mgmt-intf

Routing Table: Mgmt-intf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected

Gateway of last resort is 10.100.7.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.100.7.1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S 10.14.0.8/32 [1/0] via 10.100.7.1
C 10.100.7.0/24 is directly connected, GigabitEthernet0
L 10.100.7.12/32 is directly connected, GigabitEthernet0

ROUTER02#ping vrf Mgmt-intf 10.14.0.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.14.0.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

ROUTER02#

router bgp 64621
bgp router-id 172.16.1.4
bgp log-neighbor-changes
neighbor 10.14.0.8 remote-as 65432
neighbor 10.14.0.8 ebgp-multihop 255
neighbor 10.14.0.8 update-source GigabitEthernet0
address-family ipv4
network XX.XX.XX.XX mask 255.255.255.0
neighbor 10.14.0.8 activate
neighbor 10.14.0.8 prefix-list 666-deny-default in
neighbor 10.14.0.8 prefix-list 666-OUT out
neighbor 10.14.0.8 route-map 666DROPS in

ROUTER02#show bgp ipv4 uni sum
BGP router identifier 172.16.1.4, local AS number 64621
BGP table version is 861990, main routing table version 861990
860534 network entries using 213412432 bytes of memory
860534 path entries using 117032624 bytes of memory
4/3 BGP path/bestpath attribute entries using 1152 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 330446304 total bytes of memory
BGP activity 860853/319 prefixes, 1721154/860620 paths, scan interval 60 secs
860853 networks peaked at 06:52:57 Mar 31 2025 PST (00:55:17.279 ago)

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.14.0.8 4 65432 0 0 1 0 0 never Idle (internal bgp via vrf Mgmt-intf)
XXX.XXX.XXX.XX 4 65432 2880 1384 861991 0 0 20:52:40 860533 (2nd BGP server internal via outside)
XXX.XXX.XXX.XX 4 XXXXX 7525 7901 861991 0 0 20:53:40 1 (ISP - Single Default Route)

Bgp is not config as vrf-aware that wrong 

You need to use under bgp

Address family ipv4 vrf mgmt

Neighbor.....etc.

MHM

Hi @wherewolf ,

The issue is that you are trying to establish the BGP session from the global routing table and the neighbor is in the VRF.

You need to establish the BGP session from the VRF as follow:

router bgp 64621

address-family ipv4 unicast  vrf Mgmt-intf

neighbor 10.14.0.8 remote-as 65432
neighbor 10.14.0.8 ebgp-multihop 255
network XX.XX.XX.XX mask 255.255.255.0
neighbor 10.14.0.8 prefix-list 666-deny-default in
neighbor 10.14.0.8 prefix-list 666-OUT out
neighbor 10.14.0.8 route-map 666DROPS in

You will then need to leak route from the VRF to the global.

Thank you so much!  I will give this a go in the next maintenance window. 

I just tried to look at the commands as written...  the response was:

ROUTER02(config-router)#address-family ipv4 uni vrf Mgmt-intf
% VRF Mgmt-intf does not have an RD configured.

So two nooby questions:

1.  how do I configure the "RD"

2.  Will having a RD configured on the vrf Mgmt-intf screw up anything else?  Like access to the router itself thru the Mgmt-intf? I only have ssh access - no console as it is remote from me. 

Hi @wherewolf ,

1. The RD needs to be configured under the VRF configuration.

vrf definition Mgmt-intf

rd x:y

2. No, it won't

Also, don't forget that you will need to configure controlled route leaking between the global routing table (GRT) and the VRF routing table to achieve what you want.

I've configured Mgmt-intf with RD 100:100

You mentioned "You will then need to leak route from the VRF to the global."  forgive my ignorance, can you explain how to do this?

ROUTER02#sh bgp vpnv4 uni vrf Mgmt-intf sum
BGP router identifier 172.16.1.4, local AS number 64621
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.14.0.8 4 65432 0 0 1 0 0 never Idle

"don't forget that you will need to configure controlled route leaking between the global routing table (GRT) and the VRF routing table to achieve what you want."

I'm having some trouble figuring out if I need to do this with a route map or PBR  - I've looked for some examples but they all seem to be between three routers.  Can't seem to wrap my head around how to apply this to the Mgmt-intf....