Solved: Re: route leak between custom vrfs and global VRF

akshaycjoshi · ‎08-04-2023

I have 7 interfaces

 2 in VRF 120, 2 in VRF 140 and 2 in VRF 160 and 1 in global VRF

configs:

interface TenGigabitEthernet0/1/0
ip address 100.100.100.1 255.255.255.0
ipv6 address 2012:A2::8/64
!
interface TenGigabitEthernet0/1/2
vrf forwarding 120
ip address 71.71.71.1 255.255.255.0
ipv6 address 2071:DB7:0:1::2/64
!
interface TenGigabitEthernet0/1/4
vrf forwarding 120
ip address 81.81.81.1 255.255.255.0
ipv6 address 2081:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/3
vrf forwarding 140
ip address 72.72.72.1 255.255.255.0
ipv6 address 2072:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/6
vrf forwarding 140
ip address 82.82.82.1 255.255.255.0
ipv6 address 2082:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/7
vrf forwarding 160
ip address 83.83.83.1 255.255.255.0
ipv6 address 2083:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/1
no vrf forwarding 160
ip address 73.73.73.1 255.255.255.0
ipv6 address 2073:DB7:0:1::1/64
!

I want each custom VRF to be able to communicate with global VRF and vice versa. However, the VRFs should not be able to speak to each other. How to accomplish it?

EDIT:

Tried the below for VRF 120:

ip route 71.71.71.0 255.255.255.0 TenGigabitEthernet0/1/2

ip route 81.81.81.0 255.255.255.0 TenGigabitEthernet0/1/4

ip route vrf 120 100.100.100.0 255.255.255.0 TenGigabitEthernet0/1/0

% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface

There is no next hop on the TenGigabitEthernet0/1/0 interface.

Harold Ritter · ‎08-04-2023

Hi @akshaycjoshi ,

You could do it using the import/export process. This requires configuring BGP, so that routes can be imported/exported from and to the global routing table. With newer IOS/IOS-XE versions you can also do it using the

route-replicate

feature, which does not require configuring BGP, but unfortunately it does not yet support IPv6.

You can try the following configuration to export VRF routes to the GRT and import routes from the GRT.

vrf definition 120

 rd 65000:1

 route-target export 65000:1

 route-target import 65000:1

 !

 address-family ipv4

  import ipv4 unicast map all

  export ipv4 unicast map all

 exit-address-family

 !

 address-family ipv6

  import ipv6 unicast map all

  export ipv6 unicast map all

 exit-address-family

vrf definition 140

 rd 65000:2

 route-target export 65000:2

 route-target import 65000:2

 !

 address-family ipv4

  import ipv4 unicast map all

  export ipv4 unicast map all

 exit-address-family

 !       

 address-family ipv6

  import ipv6 unicast map all

  export ipv6 unicast map all

 exit-address-family

vrf definition 160

 rd 65000:3

 route-target export 65000:3

 route-target import 65000:3

 !       

 address-family ipv4

  import ipv4 unicast map all

  export ipv4 unicast map all

 exit-address-family

 !       

 address-family ipv6

  import ipv6 unicast map all

  export ipv6 unicast map all

!

route-map all permit 10

!

router bgp 65000

 !

 address-family ipv4

  redistribute connected

 exit-address-family

 !

 address-family ipv6

  redistribute connected

 exit-address-family

 !

 address-family ipv4 vrf 120

  redistribute connected

 exit-address-family

 !

 address-family ipv6 vrf 120

  redistribute connected

 exit-address-family

 !

 address-family ipv4 vrf 140

  redistribute connected

 exit-address-family

 !       

 address-family ipv6 vrf 140

  redistribute connected

 exit-address-family

 !       

 address-family ipv4 vrf 160

  redistribute connected

 exit-address-family

 !       

 address-family ipv6 vrf 160

  redistribute connected

 exit-address-family

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

Harold Ritter · ‎08-07-2023

Hi @akshaycjoshi ,

Can you provide the output for the following command:

sh runn vrf

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

Flavio Miranda · ‎08-04-2023

Hi @akshaycjoshi

The next hop for interface

TenGigabitEthernet0/1/0  must be 100.100.100.X

akshaycjoshi · ‎08-04-2023

Hi @Flavio Miranda I do not have anything as next hop because it's the connected network only

akshaycjoshi · ‎08-04-2023

Flavio Miranda · ‎08-04-2023

The diagram said it all!

which device is it?

akshaycjoshi · ‎08-04-2023

Its a

ASR1002HX

router

Flavio Miranda · ‎08-04-2023

Try to use this example

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/200158-Configure-Route-Leaking-between-Global-a.html

I believe the example with "Policy Based Routing (PBR)" can work for you.

akshaycjoshi · ‎08-04-2023

vrf definition 160
rd 1:1
!
access-list 120 permit ip 100.100.100.0 0.0.0.255 73.73.73.0 0.0.0.255
access-list 120 permit ip 100.100.100.0 0.0.0.255 83.83.83.0 0.0.0.255
!
route-map VRF160_TO_GLOBAL permit 120
match ip address 120

ip policy route-map VRF160_TO_GLOBAL

The last line gave error:

Router(config-route-map)#ip policy route-map VRF160_TO_GLOBAL
^
% Invalid input detected at '^' marker.

Flavio Miranda · ‎08-04-2023

It is complaining about the Router...did you use the Router on the command?

akshaycjoshi · ‎08-04-2023

no, i did not give. the formatting got messed up.

Its complaining as below:

Router(config)#ip policy route-map VRF160_TO_GLOBAL
^
% Invalid input detected at '^' marker.

Router(config)#ip policy route-map ?
deny IP Policy list deny
permit IP Policy list permit

Router(config)#ip policy route-map

Flavio Miranda · ‎08-04-2023

that guide is for IOS, you are using

IOS-XE

it can be it.

Let see if I can find a guide for

IOS-XE

Flavio Miranda · ‎08-04-2023

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/216541-vrf-configuration-examples-on-ios-xe.html

akshaycjoshi · ‎08-04-2023

Thanks, will you be able to please give the commands for my particular scenario. I dont see any example for global to VRF

Flavio Miranda · ‎08-04-2023

YEah, those also are not good example as they are working with dynamic routing protocol, which is not you case.

Let me see something else.

Flavio Miranda · ‎08-04-2023

Checking the diagram, let me ask you something. Does each IP address

100.100.100.X

represent one VRF?

If so, have you tried to point to those IPs?

The syntax would ne

ip route vrf <vrf> <source network wifh mask>  <destination Ip address>  global

ip route vrf  120 71.71.71.1 255.255.255.0 100.100.100.101 global