Solved: Re: Leaking /32 prefix

cihanogeturk · ‎12-05-2021

Hello,

Can someone help me with the config below?

I can leake /24 prefixes but when I do /32, it doesn't work.
This needs to happen on Switch not on router.- Please check the attachment.

ip vrf CORPORATE
rd 65000:100
export map CORP_FILTER
route-target import 65000:250
!
ip vrf INTERNET
rd 65000:200
export map INT_FILTER

route-target import 65000:150

!

router bgp 65000
bgp router-id 10.70.70.1
bgp log-neighbor-changes
!
address-family ipv4 vrf CORPORATE
redistribute connected
neighbor 10.70.70.2 remote-as 65000
neighbor 10.70.70.2 update-source Vlan970
neighbor 10.70.70.2 activate
neighbor 10.70.70.2 soft-reconfiguration inbound
exit-address-family
!
address-family ipv4 vrf INTERNET
redistribute connected
neighbor 10.71.71.2 remote-as 65000
neighbor 10.71.71.2 update-source Vlan971
neighbor 10.71.71.2 activate
neighbor 10.71.71.2 soft-reconfiguration inbound
exit-address-family

!

ip prefix-list CORP_LEAK seq 5 permit 10.100.100.100/32
!
ip prefix-list INT_LEAK seq 5 permit 10.200.200.200/32
!
route-map INT_FILTER permit 10
match ip address prefix-list INT_LEAK
set extcommunity rt 65000:250
!
route-map CORP_FILTER permit 10
match ip address prefix-list CORP_LEAK
set extcommunity rt 65000:150




switch#sh ip route vrf CORPORATE




B* 0.0.0.0/0 [200/0] via 10.70.70.2, 00:08:44
10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C 10.70.70.0/30 is directly connected, Vlan970
L 10.70.70.1/32 is directly connected, Vlan970
C 10.100.100.0/24 is directly connected, Vlan100
L 10.100.100.1/32 is directly connected, Vlan100
C 10.101.101.0/24 is directly connected, Vlan101
L 10.101.101.1/32 is directly connected, Vlan101

Harold Ritter · ‎12-06-2021

Hi @cihanogeturk ,

You could use a static route towards that host and the use a network statement under bgp to advertise the specific route.

router bgp 65000

address-family ipv4 vrf CORPORATE

network 10.100.100.100 mask 255.255.255.255

!

ip route vrf CORPORATE 10.100.100.100 255.255.255.255 Gi1/0

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

Harold Ritter · ‎12-06-2021

Hi @cihanogeturk ,

The reason it doesn't work is that you do not have any /32 connected routes.

B* 0.0.0.0/0 [200/0] via 10.70.70.2, 00:08:44
10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C 10.70.70.0/30 is directly connected, Vlan970 <++++++++++++++ /30
L 10.70.70.1/32 is directly connected, Vlan970
C 10.100.100.0/24 is directly connected, Vlan100 <+++++++++++++/24
L 10.100.100.1/32 is directly connected, Vlan100
C 10.101.101.0/24 is directly connected, Vlan101 <+++++++++++++ /24
L 10.101.101.1/32 is directly connected, Vlan101

/32 are normally advertised for loopback interfaces. Why are you trying to advertise /32 for subnets that are greater than /32?

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

cihanogeturk · ‎12-06-2021

the design that we are trying to implement requires 1 machine in one vrf needs to talk another machine in another vrf.

we don't want to end up leaking whole subnet so instead we are trying to advertise /32.

i.e: One PC in Corp VRF needs to access CCTV device in INT vrf.

Harold Ritter · ‎12-06-2021

Hi @cihanogeturk ,

You could use a static route towards that host and the use a network statement under bgp to advertise the specific route.

router bgp 65000

address-family ipv4 vrf CORPORATE

network 10.100.100.100 mask 255.255.255.255

!

ip route vrf CORPORATE 10.100.100.100 255.255.255.255 Gi1/0

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

cihanogeturk · ‎12-06-2021

Hi Harold,

thank you but as Gi1/0 is a switch port (not L3), it does not accept static route.

Switch(config)#ip route vrf CORPORATE 10.100.100.100 255.255.255.255 gig 1/0

% Must specify a L3 port as the next hop interface

all the subnets are on vlan, ports are trunk and gateways are on switch under respective SVIs

if I try to advertise static into vlan; 
Switch(config)#ip route vrf CORPORATE 10.100.100.100 255.255.255.255 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface

Harold Ritter · ‎12-06-2021

Hi @cihanogeturk ,

Try the following:

ip route vrf CORPORATE 10.100.100.100 255.255.255.255 vlan 100 10.100.100.100

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

cihanogeturk · ‎12-07-2021

Hi Harold,

sorry still not accessible.

VPCS> trace 10.200.200.200 -P 1
trace to 10.200.200.200, 8 hops max (ICMP), press Ctrl+C to stop
1 10.100.100.1 12.619 ms 8.363 ms 8.931 ms
2 *10.100.100.1 8.898 ms (ICMP type:3, code:1, Destination host unreachable) *




Switch:

router bgp 65000
bgp router-id 10.70.70.1
bgp log-neighbor-changes
network 10.100.100.100 mask 255.255.255.255
network 10.200.200.200 mask 255.255.255.255
!
address-family ipv4 vrf CORPORATE
redistribute connected
neighbor 10.70.70.2 remote-as 65000
neighbor 10.70.70.2 update-source Vlan970
neighbor 10.70.70.2 activate
neighbor 10.70.70.2 soft-reconfiguration inbound
exit-address-family
!
address-family ipv4 vrf INTERNET
redistribute connected
neighbor 10.71.71.2 remote-as 65000
neighbor 10.71.71.2 update-source Vlan971
neighbor 10.71.71.2 activate
neighbor 10.71.71.2 soft-reconfiguration inbound
exit-address-family
!
ip route vrf CORPORATE 10.100.100.100 255.255.255.255 Vlan100 10.100.100.100
ip route vrf INTERNET 10.200.200.200 255.255.255.255 Vlan200 10.200.200.200

GRT is empty as expected and static route is appeared only respective VRF routing table.

Switch#sh ip route
Gateway of last resort is not set


Switch#sh ip route vrf CORPORATE

Routing Table: CORPORATE



Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
C 10.70.70.0/30 is directly connected, Vlan970
L 10.70.70.1/32 is directly connected, Vlan970
C 10.100.100.0/24 is directly connected, Vlan100
L 10.100.100.1/32 is directly connected, Vlan100
S 10.100.100.100/32 [1/0] via 10.100.100.100, Vlan100
C 10.101.101.0/24 is directly connected, Vlan101
L 10.101.101.1/32 is directly connected, Vlan101

Harold Ritter · ‎12-07-2021

Hi @cihanogeturk ,

You need to move the network statement under the respective vrf as follow:

router bgp 65000
!
address-family ipv4 vrf CORPORATE
network 10.100.100.100 mask 255.255.255.255

!
address-family ipv4 vrf INTERNET
network 10.200.200.200 mask 255.255.255.255
!

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

cihanogeturk · ‎12-08-2021

Hi Harold,

no luck.

As I am redistributing connected networks into BGP under respective vrf's, I dont think the issue will be network statement.

I also removed the default route advertisement from router to keep this routing to be occurred within Switch only.

!
ip vrf CORPORATE
rd 65000:100
!
ip vrf INTERNET
rd 65000:200
!
!
interface Vlan100
ip vrf forwarding CORPORATE
ip address 10.100.100.1 255.255.255.0
!
interface Vlan101
ip vrf forwarding CORPORATE
ip address 10.101.101.1 255.255.255.0
!
interface Vlan200
ip vrf forwarding INTERNET
ip address 10.200.200.1 255.255.255.0
!
interface Vlan201
ip vrf forwarding INTERNET
ip address 10.201.201.1 255.255.255.0
!
interface Vlan970
ip vrf forwarding CORPORATE
ip address 10.70.70.1 255.255.255.252
!
interface Vlan971
ip vrf forwarding INTERNET
ip address 10.71.71.1 255.255.255.252
! 
router bgp 65000
bgp router-id 10.70.70.1
bgp log-neighbor-changes
!
address-family ipv4 vrf CORPORATE
network 10.100.100.100 mask 255.255.255.255
redistribute connected
neighbor 10.70.70.2 remote-as 65000
neighbor 10.70.70.2 update-source Vlan970
neighbor 10.70.70.2 activate
neighbor 10.70.70.2 soft-reconfiguration inbound
exit-address-family
!
address-family ipv4 vrf INTERNET
network 10.200.200.200 mask 255.255.255.255
redistribute connected
neighbor 10.71.71.2 remote-as 65000
neighbor 10.71.71.2 update-source Vlan971
neighbor 10.71.71.2 activate
neighbor 10.71.71.2 soft-reconfiguration inbound
exit-address-family
!
!
ip route vrf CORPORATE 10.100.100.100 255.255.255.255 Vlan100 10.100.100.100
ip route vrf INTERNET 10.200.200.200 255.255.255.255 Vlan200 10.200.200.200
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

Harold Ritter · ‎12-08-2021

Hi @cihanogeturk ,

The "redistribute connected" will not help here, as the /32 routes you are trying to leak are static routes. You either need a "redistribute static" or a network statement. I prefer the network statement whenever it is possible.

Can you provide "sh bgp vpnv4 uni all", "show ip route vrf CORPORATE" and "show ip route vrf INTERNET" so we can further analyze the reason why it is not working.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

cihanogeturk · ‎12-08-2021

Sure thing.

Switch#sh bgp vpnv4 unicast all
BGP table version is 87, local router ID is 10.70.70.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65000:100 (default for vrf CORPORATE)
* i 10.70.70.0/30 10.70.70.2 0 100 0 ?
*> 0.0.0.0 0 32768 ?
*> 10.100.100.0/24 0.0.0.0 0 32768 ?
*> 10.100.100.100/32
10.100.100.100 0 32768 i
*> 10.101.101.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 65000:200 (default for vrf INTERNET)
* i 10.71.71.0/30 10.71.71.2 0 100 0 ?
*> 0.0.0.0 0 32768 ?
*> 10.200.200.0/24 0.0.0.0 0 32768 ?
*> 10.200.200.200/32
10.200.200.200 0 32768 i
Network Next Hop Metric LocPrf Weight Path
*> 10.201.201.0/24 0.0.0.0 0 32768 ?







Switch#show ip route vrf CORPORATE

Routing Table: CORPORATE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
C 10.70.70.0/30 is directly connected, Vlan970
L 10.70.70.1/32 is directly connected, Vlan970
C 10.100.100.0/24 is directly connected, Vlan100
L 10.100.100.1/32 is directly connected, Vlan100
S 10.100.100.100/32 [1/0] via 10.100.100.100, Vlan100
C 10.101.101.0/24 is directly connected, Vlan101
L 10.101.101.1/32 is directly connected, Vlan101







Switch#show ip route vrf INTERNET

Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
C 10.71.71.0/30 is directly connected, Vlan971
L 10.71.71.1/32 is directly connected, Vlan971
C 10.200.200.0/24 is directly connected, Vlan200
L 10.200.200.1/32 is directly connected, Vlan200
S 10.200.200.200/32 [1/0] via 10.200.200.200, Vlan200
C 10.201.201.0/24 is directly connected, Vlan201
L 10.201.201.1/32 is directly connected, Vlan201

Harold Ritter · ‎12-09-2021

Hi @cihanogeturk ,

Can you also provide a "sh bgp vpnv4 unicast all 10.100.100.100/32" and "sh bgp vpnv4 unicast all 10.200.200.200/32".

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

cihanogeturk · ‎12-09-2021

Hi Harold,

sure, please see below.

switch#sh bgp vpnv4 unicast all 10.100.100.100/32
BGP routing table entry for 65000:100:10.100.100.100/32, version 86
Paths: (1 available, best #1, table CORPORATE)
Advertised to update-groups:
11
Refresh Epoch 1
Local
10.100.100.100 (via vrf CORPORATE) from 0.0.0.0 (10.70.70.1)
Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best
rx pathid: 0, tx pathid: 0x0


Switch#sh bgp vpnv4 unicast all 10.200.200.200/32
BGP routing table entry for 65000:200:10.200.200.200/32, version 87
Paths: (1 available, best #1, table INTERNET)
Advertised to update-groups:
12
Refresh Epoch 1
Local
10.200.200.200 (via vrf INTERNET) from 0.0.0.0 (10.70.70.1)
Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best
rx pathid: 0, tx pathid: 0x0

cihanogeturk · ‎12-09-2021

Hi Harold,

I have deleted route maps and re-added.

now it is working.

Thank you all your help.

Switch#sh ip route vrf CORPORATE

Routing Table: CORPORATE

C 10.70.70.0/30 is directly connected, Vlan970
L 10.70.70.1/32 is directly connected, Vlan970
C 10.100.100.0/24 is directly connected, Vlan100
L 10.100.100.1/32 is directly connected, Vlan100
S 10.100.100.100/32 [1/0] via 10.100.100.100, Vlan100
C 10.101.101.0/24 is directly connected, Vlan101
L 10.101.101.1/32 is directly connected, Vlan101
B 10.200.200.200/32
[20/0] via 10.200.200.200 (INTERNET), 00:00:55, Vlan200




Switch#sh ip route vrf INTERNET

Routing Table: INTERNET

10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C 10.71.71.0/30 is directly connected, Vlan971
L 10.71.71.1/32 is directly connected, Vlan971
B 10.100.100.100/32
[20/0] via 10.100.100.100 (CORPORATE), 00:01:09, Vlan100
C 10.200.200.0/24 is directly connected, Vlan200
L 10.200.200.1/32 is directly connected, Vlan200
S 10.200.200.200/32 [1/0] via 10.200.200.200, Vlan200
C 10.201.201.0/24 is directly connected, Vlan201
L 10.201.201.1/32 is directly connected, Vlan201

Harold Ritter · ‎12-09-2021

Hi @cihanogeturk ,

Glad to hear it works now.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México