Re: Route leak between VRF issue

grock · ‎04-17-2022

Hey folks, I am working on a VRF task, and I am getting stuck. I see the leak route of 63.2.0.4 on the VRF routing table for Boston, however, I cannot ping it from the Boston VRF table, nor is it being sent across to the Boston router across the link. I am only seeing it the VRF Boston routing table on this router. Any thoughts? Below is a snippet of the config and show commands.

Configs:

ip vrf Boston
description VRF for DataCenter-Boston
rd 123:100
import map FROM-HAWAII-TO-BOSTON-VRF
route-target export 123:100
route-target import 123:100
route-target import 123:103
!
ip vrf Hawaii
description VRF for DataCenter-Hawaii
rd 123:103
export map EXPORT-OUT-OF-HAWAII
route-target export 123:103
route-target import 123:103
route-target import 123:100
!
interface Ethernet0/0
description DataCenter-Boston
ip vrf forwarding Boston
ip address 192.168.0.2 255.255.255.252
!
interface Ethernet0/3
description DataCenter-Hawaii
ip vrf forwarding Hawaii
ip address 192.168.0.2 255.255.255.252
!
router bgp 65300
bgp log-neighbor-changes
!
address-family ipv4 vrf Boston
network 0.0.0.0
neighbor 5.200.0.1 remote-as 123
neighbor 5.200.0.1 ebgp-multihop 3
neighbor 5.200.0.1 password ciscocisco
neighbor 5.200.0.1 activate
neighbor 5.200.0.1 send-community
neighbor 5.200.0.1 soft-reconfiguration inbound
default-information originate
exit-address-family
!
address-family ipv4 vrf Hawaii
network 0.0.0.0
neighbor 5.200.0.1 remote-as 123
neighbor 5.200.0.1 ebgp-multihop 3
neighbor 5.200.0.1 password ciscocisco
neighbor 5.200.0.1 activate
neighbor 5.200.0.1 send-community
neighbor 5.200.0.1 soft-reconfiguration inbound
default-information originate
exit-address-family
!
ip route vrf Boston 5.200.0.1 255.255.255.255 192.168.0.1
ip route vrf Hawaii 5.200.0.1 255.255.255.255 192.168.0.1
!
!
ip prefix-list EXPORT-OUT-OF-BOSTON seq 5 permit 63.25.0.1/32
!
ip prefix-list EXPORT-OUT-OF-HAWAII seq 5 permit 63.25.0.4/32
!
ip prefix-list FROM-HAWAII-TO-BOSTON-VRF seq 5 permit 63.25.0.4/32
!
route-map FROM-HAWAII-TO-BOSTON-VRF permit 10
description FROM-HAWAII-TO-BOSTON-VRF
match ip address prefix-list FROM-HAWAII-TO-BOSTON-VRF
!
route-map EXPORT-OUT-OF-BOSTON permit 10
description EXPORT-OUT-OF-BOSTON
match ip address prefix-list EXPORT-OUT-OF-BOSTON
!
route-map EXPORT-OUT-OF-HAWAII permit 10
match ip address prefix-list EXPORT-OUT-OF-HAWAII
!
end

Show route command on local router

Verizon-MPLS#sh ip route vrf Boston bgp
Routing Table: Boston
Gateway of last resort is not set

63.0.0.0/32 is subnetted, 2 subnets
B 63.25.0.1 [20/0] via 5.200.0.1, 00:18:54
B 63.25.0.4 [20/0] via 5.200.0.1 (Hawaii), 00:07:09

Show advertised routes on local router

Verizon-MPLS#$pnv4 vrf Boston neighbors 5.200.0.1 advertised-routes
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 123:100 (default for vrf Boston)
*> 63.25.0.4/32 5.200.0.1 0 0 123 i

Total number of prefixes 1

Show commands on remote BGP router

Boston#sh ip route bg
Gateway of last resort is 192.168.18.2 to network 0.0.0.0
Boston#sh ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 5.200.0.1/32 0.0.0.0 0 32768 i
*> 63.25.0.1/32 0.0.0.0 0 32768 i

Georg Pauwen · ‎04-17-2022

Hello,

post a diagram of your topology showing how your devices are connected (and which devices you have), also post the full running configurations (sh run) of all devices in your topology...

Flavio Miranda · ‎04-18-2022

When you try to ping this IP from the VRF Boston, which IP address is used as your orign ? May you need to ping like:

ping vrf Boston 63.2.0.4 source-interface xxxx.

Keep in mind that the packet must leave and return so the exit point is important. The other side needs to know how to handle the packets.

grock · ‎04-18-2022

Which interface would I source the ping from? The Boston interface, correct?

Flavio Miranda · ‎04-18-2022

It depend a bit but that would be my first option.

MHM Cisco World · ‎04-18-2022

Verizon-MPLS#sh ip route vrf Boston bgp
Routing Table: Boston
Gateway of last resort is not set

63.0.0.0/32 is subnetted, 2 subnets
B 63.25.0.1 [20/0] via 5.200.0.1, 00:18:54
B 63.25.0.4 [20/0] via 5.200.0.1 (Hawaii), 00:07:09 <- the route is there but the next-hop no appear in routing table connect or local so the ping never success, You need ip route vrf 0.0.0.0 0.0.0.0 for next-hop global to make the ping success.

Note:- if you want config only static route for next-hop

grock · ‎04-18-2022

Why is the static route needed? Can you explain or send a link explaining please?

MHM Cisco World · ‎04-18-2022

5.200.0.1

this IP which is the next-hop of

63.25.0.4

Are it know by the VRF Boston ?
can I see the show ip vrf Boston <-not show ip vrf Boston BGP ?

jamesduv9 · ‎04-18-2022

I was able to get a similar setup working in a lab. Since both your peers in the Hawaii and Boston VRF are in AS123, you need to allow the local AS in on Boston/Hawaii, or override the AS at the Verizon PoP.

On the Verizon PoP:

router bgp 65300
 address-family ipv4 vrf Boston
  neigh 5.200.0.1 as-override
 address-family ipv4 vrf Hawaii
  neigh 5.200.0.1 as-override

OR

On Hawaii/Boston:

router bgp 123
 address-family ipv4 
  neighbor (Verizon peer) allowas-in

If this is already configured and you still have the issue, please include the configuration of Boston/Hawaii.