
route leak between custom vrfs and global VRF

akshaycjoshi
Level 1

I have 7 interfaces

 2 in VRF 120, 2 in VRF 140 and 2 in VRF 160 and 1 in global VRF

configs:

interface TenGigabitEthernet0/1/0
ip address 100.100.100.1 255.255.255.0
ipv6 address 2012:A2::8/64
!
interface TenGigabitEthernet0/1/2
vrf forwarding 120
ip address 71.71.71.1 255.255.255.0
ipv6 address 2071:DB7:0:1::2/64
!
interface TenGigabitEthernet0/1/4
vrf forwarding 120
ip address 81.81.81.1 255.255.255.0
ipv6 address 2081:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/3
vrf forwarding 140
ip address 72.72.72.1 255.255.255.0
ipv6 address 2072:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/6
vrf forwarding 140
ip address 82.82.82.1 255.255.255.0
ipv6 address 2082:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/7
vrf forwarding 160
ip address 83.83.83.1 255.255.255.0
ipv6 address 2083:DB7:0:1::1/64
!
interface TenGigabitEthernet0/1/1
no vrf forwarding 160
ip address 73.73.73.1 255.255.255.0
ipv6 address 2073:DB7:0:1::1/64
!

 

I want each custom VRF to be able to communicate with global VRF and vice versa. However, the VRFs should not be able to speak to each other. How to accomplish it?

EDIT:

Tried the below for VRF 120:

ip route 71.71.71.0 255.255.255.0 TenGigabitEthernet0/1/2

ip route 81.81.81.0 255.255.255.0 TenGigabitEthernet0/1/4

ip route vrf 120 100.100.100.0 255.255.255.0 TenGigabitEthernet0/1/0

% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface

There is no next hop on the TenGigabitEthernet0/1/0 interface.

All the 100.x IPs come under global VRF



I had tried your option but it did not work.

Harold Ritter
Cisco Employee

Hi @akshaycjoshi ,

You could do it using the import/export process. This requires configuring BGP, so that routes can be imported/exported from and to the global routing table. With newer IOS/IOS-XE versions you can also do it using the route-replicate feature, which does not require configuring BGP, but unfortunately it does not yet support IPv6.

You can try the following configuration to export VRF routes to the GRT and import routes from the GRT.

vrf definition 120
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 !
 address-family ipv4
  import ipv4 unicast map all
  export ipv4 unicast map all
 exit-address-family
 !
 address-family ipv6
  import ipv6 unicast map all
  export ipv6 unicast map all
 exit-address-family
vrf definition 140
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
 !
 address-family ipv4
  import ipv4 unicast map all
  export ipv4 unicast map all
 exit-address-family
 !
 address-family ipv6
  import ipv6 unicast map all
  export ipv6 unicast map all
 exit-address-family
vrf definition 160
 rd 65000:3
 route-target export 65000:3
 route-target import 65000:3
 !
 address-family ipv4
  import ipv4 unicast map all
  export ipv4 unicast map all
 exit-address-family
 !
 address-family ipv6
  import ipv6 unicast map all
  export ipv6 unicast map all
 exit-address-family
!
route-map all permit 10
!
router bgp 65000
 !
 address-family ipv4
  redistribute connected
 exit-address-family
 !
 address-family ipv6
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf 120
  redistribute connected
 exit-address-family
 !
 address-family ipv6 vrf 120
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf 140
  redistribute connected
 exit-address-family
 !
 address-family ipv6 vrf 140
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf 160
  redistribute connected
 exit-address-family
 !
 address-family ipv6 vrf 160
  redistribute connected
 exit-address-family

 

Regards,

 

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Does not work as expected.

 

VRF 120 for example gets the route for VRF 140 and 160




Router#show ip route vrf 120

Routing Table: 120
71.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 71.71.71.0/24
is directly connected, 00:00:09, TenGigabitEthernet0/1/2
L 71.71.71.1/32 is directly connected, TenGigabitEthernet0/1/2
72.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 72.72.72.0/24
is directly connected, 00:00:09, TenGigabitEthernet0/1/3
L 72.72.72.1/32 is directly connected, TenGigabitEthernet0/1/3
81.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 81.81.81.0/24
is directly connected, 00:00:09, TenGigabitEthernet0/1/4
L 81.81.81.1/32 is directly connected, TenGigabitEthernet0/1/4
82.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 82.82.82.0/24
is directly connected, 00:00:09, TenGigabitEthernet0/1/6
L 82.82.82.1/32 is directly connected, TenGigabitEthernet0/1/6
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 100.100.100.0/24
is directly connected, 00:00:09, TenGigabitEthernet0/1/0
L 100.100.100.1/32 is directly connected, TenGigabitEthernet0/1/0
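
One way to check the isolation requirement from this thread (each custom VRF reaches the global table but not the other custom VRFs), as an added example that is not part of any post: map each interface to its VRF from the running config, then flag connected routes in a VRF table that exit through an interface owned by a different custom VRF. The function names and both sample strings are constructed for illustration, and the parser assumes the "is directly connected" form of route entry shown above.

```python
import re

# Constructed sample, modelled on the interface config posted in the thread.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet0/1/0
 ip address 100.100.100.1 255.255.255.0
!
interface TenGigabitEthernet0/1/2
 vrf forwarding 120
!
interface TenGigabitEthernet0/1/3
 vrf forwarding 140
"""

# Constructed sample, shaped like the "show ip route vrf 120" output above.
SAMPLE_ROUTES = """\
Routing Table: 120
B 71.71.71.0/24
is directly connected, 00:00:09, TenGigabitEthernet0/1/2
L 71.71.71.1/32 is directly connected, TenGigabitEthernet0/1/2
B 72.72.72.0/24
is directly connected, 00:00:09, TenGigabitEthernet0/1/3
B 100.100.100.0/24
is directly connected, 00:00:09, TenGigabitEthernet0/1/0
"""

# Matches both the one-line and the wrapped two-line route entries.
ROUTE_RE = re.compile(
    r"^[A-Z*]+\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+is directly connected,"
    r"(?:\s*[\w:]+,)?\s*(\S+)", re.M)

def interface_vrfs(config):
    """Map interface name -> VRF name; None means the global table."""
    owners, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            owners[current] = None
        elif current and line.startswith("vrf forwarding "):
            owners[current] = line.split()[2]
    return owners

def cross_vrf_leaks(vrf, route_output, owners):
    """List (prefix, interface, owner) routes in `vrf` that exit via another custom VRF."""
    return [(prefix, ifname, owners[ifname])
            for prefix, ifname in ROUTE_RE.findall(route_output)
            if owners.get(ifname) not in (None, vrf)]
```

Interfaces missing from the supplied config are treated as global, so pass the full interface section when running this against a real device.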

Hi @akshaycjoshi ,

Can you provide the output for the following command:

sh runn vrf

Regards,

Harold Ritter

My bad, I had messed up the commands. It's working fine.

I am glad it worked as expected and thanks for the feedback @akshaycjoshi 

Harold Ritter