route leak between custom vrfs and global VRF

akshaycjoshi
Level 1

I have 7 interfaces: 2 in VRF 120, 2 in VRF 140, 2 in VRF 160 and 1 in the global VRF.

configs:

interface TenGigabitEthernet0/1/0
ip address 100.100.100.1 255.255.255.0
ipv6 address 2012:A2::8/64
!
interface TenGigabitEthernet0/1/2
vrf forwarding 120
ip address 71.71.71.1 255.255.255.0
ipv6 address 2071:DB7:0:1::2/64
!
interface TenGigabitEthernet0/1/4
vrf forwarding 120
ip address 81.81.81.1 255.255.255.0
ipv6 address 2081:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/3
vrf forwarding 140
ip address 72.72.72.1 255.255.255.0
ipv6 address 2072:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/6
vrf forwarding 140
ip address 82.82.82.1 255.255.255.0
ipv6 address 2082:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/7
vrf forwarding 160
ip address 83.83.83.1 255.255.255.0
ipv6 address 2083:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/1
no vrf forwarding 160
ip address 73.73.73.1 255.255.255.0
ipv6 address 2073:DB7:0:1::1/64
!

 

I want each custom VRF to be able to communicate with global VRF and vice versa. However, the VRFs should not be able to speak to each other. How to accomplish it?

EDIT:

Tried the below for VRF 120:

ip route 71.71.71.0 255.255.255.0 TenGigabitEthernet0/1/2

ip route 81.81.81.0 255.255.255.0 TenGigabitEthernet0/1/4

ip route vrf 120 100.100.100.0 255.255.255.0 TenGigabitEthernet0/1/0

% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface

There is no next hop on the TenGigabitEthernet0/1/0 interface.
Accepted Solutions

Harold Ritter
Spotlight

Hi @akshaycjoshi ,

You could do it using the import/export process. This requires configuring BGP, so that routes can be imported/exported from and to the global routing table. With newer IOS/IOS-XE versions you can also do it using the route-replicate feature, which does not require configuring BGP, but unfortunately it does not yet support IPv6.

You can try the following configuration to export VRF routes to the GRT and import routes from the GRT.

vrf definition 120
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 !
 address-family ipv4
  import ipv4 unicast map all
  export ipv4 unicast map all
 exit-address-family
 !
 address-family ipv6
  import ipv6 unicast map all
  export ipv6 unicast map all
 exit-address-family
vrf definition 140
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
 !
 address-family ipv4
  import ipv4 unicast map all
  export ipv4 unicast map all
 exit-address-family
 !
 address-family ipv6
  import ipv6 unicast map all
  export ipv6 unicast map all
 exit-address-family
vrf definition 160
 rd 65000:3
 route-target export 65000:3
 route-target import 65000:3
 !
 address-family ipv4
  import ipv4 unicast map all
  export ipv4 unicast map all
 exit-address-family
 !
 address-family ipv6
  import ipv6 unicast map all
  export ipv6 unicast map all
!
route-map all permit 10
!
router bgp 65000
 !
 address-family ipv4
  redistribute connected
 exit-address-family
 !
 address-family ipv6
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf 120
  redistribute connected
 exit-address-family
 !
 address-family ipv6 vrf 120
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf 140
  redistribute connected
 exit-address-family
 !
 address-family ipv6 vrf 140
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf 160
  redistribute connected
 exit-address-family
 !
 address-family ipv6 vrf 160
  redistribute connected
 exit-address-family

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
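
An added example, not part of the original answer or of any Cisco tooling: a small Python audit of a running-config against the requirement in the question that the custom VRFs must not reach each other. It checks two things only, route-target overlap between VRFs and global leak maps that contain a permit entry with no match clause (as "route-map all permit 10" does); the function names and the sample string are constructed for illustration.

```python
import re
from itertools import permutations

# Constructed sample: IPv4 subset of the VRF 120/140 configuration in the answer above.
SAMPLE_CONFIG = """\
vrf definition 120
 route-target export 65000:1
 route-target import 65000:1
 address-family ipv4
  import ipv4 unicast map all
  export ipv4 unicast map all
vrf definition 140
 route-target export 65000:2
 route-target import 65000:2
 address-family ipv4
  import ipv4 unicast map all
  export ipv4 unicast map all
route-map all permit 10
"""

def parse(config):
    """Return per-VRF route-targets and leak maps, plus permit entries lacking a match."""
    vrfs, open_permits, vrf, entry = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line ends the current block
            vrf = entry = None
        if m := re.match(r"vrf definition (\S+)", line):
            vrf = vrfs.setdefault(m[1], {"import": set(), "export": set(), "maps": set()})
        elif m := re.match(r"route-map (\S+) permit (\d+)", line):
            entry = (m[1], m[2])
            open_permits.setdefault(m[1], set()).add(m[2])
        # The running-config lists route-targets as separate import/export lines.
        elif vrf is not None and (m := re.match(r"route-target (import|export) (\S+)", line)):
            vrf[m[1]].add(m[2])
        elif vrf is not None and (m := re.match(r"(?:import|export) ipv[46] unicast (?:\d+ )?map (\S+)", line)):
            vrf["maps"].add(m[1])
        elif entry and line.startswith("match "):
            open_permits[entry[0]].discard(entry[1])
    return vrfs, open_permits

def audit(config):
    """List findings that weaken VRF-to-VRF isolation or leak unfiltered routes."""
    vrfs, open_permits = parse(config)
    findings = [f"VRF {b} imports route-target {rt} exported by VRF {a}"
                for a, b in permutations(vrfs, 2)
                for rt in sorted(vrfs[a]["export"] & vrfs[b]["import"])]
    findings += [f"VRF {v}: leak map '{n}' has a permit entry with no match clause"
                 for v, d in vrfs.items() for n in sorted(d["maps"]) if open_permits.get(n)]
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the "all" map once per VRF and no route-target overlap, because each VRF imports only its own route-target.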


Hi @akshaycjoshi ,

Can you provide the output for the following command:

sh runn vrf

Regards,
Harold Ritter, CCIE #4168 (EI, SP)


20 Replies

Hi @akshaycjoshi

The next hop for interface TenGigabitEthernet0/1/0 must be 100.100.100.X

Hi @Flavio Miranda I do not have anything as next hop because it's the connected network only

[Attached image: pic.jpg]

The diagram said it all!

Which device is it?

It's an ASR1002HX router.

Try to use this example

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/200158-Configure-Route-Leaking-between-Global-a.html

I believe the example with "Policy Based Routing (PBR)" can work for you.

vrf definition 160
rd 1:1
!
access-list 120 permit ip 100.100.100.0 0.0.0.255 73.73.73.0 0.0.0.255
access-list 120 permit ip 100.100.100.0 0.0.0.255 83.83.83.0 0.0.0.255
!
route-map VRF160_TO_GLOBAL permit 120
match ip address 120

ip policy route-map VRF160_TO_GLOBAL

The last line gave an error:

Router(config-route-map)#ip policy route-map VRF160_TO_GLOBAL
^
% Invalid input detected at '^' marker.

It is complaining about the Router...did you use the Router on the command?

No, I did not give it. The formatting got messed up.

It's complaining as below:

 

Router(config)#ip policy route-map VRF160_TO_GLOBAL
^
% Invalid input detected at '^' marker.

Router(config)#ip policy route-map ?
deny IP Policy list deny
permit IP Policy list permit

Router(config)#ip policy route-map

 

 

That guide is for IOS; you are using IOS-XE. That can be it.

Let me see if I can find a guide for IOS-XE.

Thanks, will you be able to please give the commands for my particular scenario? I don't see any example for global to VRF.

Yeah, those are also not good examples, as they work with a dynamic routing protocol, which is not your case.

Let me see something else.

[Attached image: FlavioMiranda_0-1691170757268.jpeg]

Checking the diagram, let me ask you something. Does each IP address 100.100.100.X represent one VRF?

If so, have you tried to point to those IPs?

The syntax would be

ip route vrf <vrf> <source network with mask> <destination IP address> global

ip route vrf  120 71.71.71.1 255.255.255.0 100.100.100.101 global