
Importing/Exporting RTs between VRFs in the backbone

fabio1984
Level 1

Hi all,

That's for the routing experts out there. I need some help configuring RTs so a specific VRF can have the IP routing table from another VRF.

I work with a customer that controls 2 different companies. Those companies (Company A and Company B) use the same VRF/RT/RD values in the PEs in our backbone, so they end up with the same routing table in the CEs managed by us. So let's say this is VRF A, RD 10:1, and RT import and export is 10:1 as well.

Our backbone runs MPLS and MP-BGP.

Last week I was informed that they will have a specific site where both companies will share the environment, and they requested complete traffic segregation between company A and company B due to internal security protocols, and also to have better control over the QoS. Since they needed complete segregation, my suggestion to them was to have separate CEs and access circuits for company A and company B. They didn't agree, as they didn't want to spend money on 2 CEs and 2 access circuits. Instead, they requested from us a single CE and a single access circuit. Inside this access circuit they wanted 2 logical connections, segregated by different subifs and VLAN tags, but with the same VRF at CE and PE. And obviously both logical connections would need full reachability to the other existing sites.

However, this is a solution our backbone team doesn't support.

So my idea now is to talk with the backbone guys and see if, by manipulating the RT values, we may get a solution. What I have in mind is in the picture attached:

- Create a new VRF in the backbone. Let's say this is VRF B, RD is 20:1, and RTs for import and export are 20:1 as well;

- We configure the access circuit for this shared site with VRF A for company A and VRF B for company B, so the CE will get both of them;

- At the PE connected to the CE of that shared site, I include the RTs from VRF A (which already exists) into VRF B, and vice versa, something like this:

 

ip vrf A
 rd 10:1
 route-target import 10:1
 route-target export 10:1
 ! RT from VRF B
 route-target import 20:1
 route-target export 20:1
!
ip vrf B
 rd 20:1
 route-target import 20:1
 route-target export 20:1
 ! RT from VRF A
 route-target import 10:1
 route-target export 10:1

 

With that in mind, I have two questions: 

 

1) As you can see in the picture, the remote sites are configured with VRF A only. By doing that manipulation with RT values, will those remote sites receive the routes from VRF B, since we are exporting them to VRF A in the PE connected to the CE from the shared site? Or will I need to include the VRF B RTs in each and every PE where I have a remote site connected sitting on VRF A?

2) In the same way, in the shared site, will the routing table from VRF B contain the subnets from VRF A, since I am importing them at the PE connected?

 

pic2.jpg

 

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello @fabio1984,

Look for partial Extranet. The basic idea is based on Hub and Spoke, playing with RT values.

To be noted: imported VPNv4 routes cannot be locally re-exported with a different RT. This is an important rule that helps to avoid routing loops.

VRF sites of VPN A and VRF sites of VRF B will import their own RT values and also the new value (a third value like 30:1) for the shared site.

The shared site will import VPN A RT 10:1 and VPN B RT 20:1, and it will export RT 30:1.

This is the way to play with RTs taking into account the limitation reported above:

the shared site will not re-advertise received routes with RT 30:1; only locally learned routes from the local CE will be.

 

Hope to help

Giuseppe
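
The route-target import/export behaviour discussed in this thread, as an added example that is not part of any poster's reply: a small Python model that computes which prefixes each VRF ends up holding under the cross-import proposal from the question and under the third-RT design from the accepted answer. The VRF names and prefixes are constructed, and the model assumes a VRF imports a route when any of its import RTs matches one of the route's export RTs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    name: str
    imports: frozenset   # route-target import values
    exports: frozenset   # route-target export values
    local: frozenset     # prefixes learned from the attached CE

def vrf(name, imports, exports, local):
    return Vrf(name, frozenset(imports), frozenset(exports), frozenset(local))

def routing_tables(vrfs):
    """Prefixes each VRF holds after VPNv4 routes are exchanged.

    Only CE-learned prefixes are exported, tagged with the VRF's export
    RTs. Imported routes are not re-exported (the rule quoted in the
    accepted answer), so one pass over all VRF pairs is enough.
    """
    tables = {v.name: set(v.local) for v in vrfs}
    for src in vrfs:
        for dst in vrfs:
            if src is not dst and src.exports & dst.imports:
                tables[dst.name] |= src.local
    return tables

# Constructed prefixes; the RT values are the ones used in the thread.
# Design from the question: cross-import/export 10:1 and 20:1 on the shared PE.
question = routing_tables([
    vrf("remote-A", {"10:1"}, {"10:1"}, {"10.1.0.0/16"}),
    vrf("shared-A", {"10:1", "20:1"}, {"10:1", "20:1"}, {"10.9.1.0/24"}),
    vrf("shared-B", {"10:1", "20:1"}, {"10:1", "20:1"}, {"10.9.2.0/24"}),
])

# Design from the accepted answer: the shared site exports a third RT, 30:1.
answer = routing_tables([
    vrf("vpn-A", {"10:1", "30:1"}, {"10:1"}, {"10.1.0.0/16"}),
    vrf("vpn-B", {"20:1", "30:1"}, {"20:1"}, {"10.2.0.0/16"}),
    vrf("shared", {"10:1", "20:1"}, {"30:1"}, {"10.9.0.0/24"}),
])

if __name__ == "__main__":
    for label, tables in (("question", question), ("answer", answer)):
        for name, prefixes in tables.items():
            print(f"{label:8} {name:9} {sorted(prefixes)}")
```

In this model every VRF in the question's design ends up holding every prefix, including both shared-site subnets in each other's tables. In the answer's design vpn-A and vpn-B each hold only their own prefix plus the shared site's, while the shared VRF holds all three.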

 

2 Replies

image-30.jpg

There is a case like yours with Hub and Spoke dual ISP in Hub, please take a look.
