08-20-2024 06:59 PM
Hello everybody,
I have a router with two interfaces in separate routing tables. G1 in vrf A with 192.168.0.0/24 being an overlay network and G2 in GRT with 1.1.12.0/24 being an underlay network. Both interfaces serve as Default gateway to two devices which are:
USER 192.168.0.1 - GW 192.168.0.254/24 (G1 interface)
SERVER 1.1.12.1 - GW 1.1.12.254/24 (G2 interface)
I need to get access to underlay network SERVER from overlay network USER but the routes shouldn't appear in each other's routing tables. This is needed because of the future collabs with other networks and for separating a strong underlay and overlay networks.
Are there any possible solutions for this problem?
I've tried route leaking, route leaking with PBR but could not achieve the result that I wanted.
Any ideas?
Thank you in advance
08-20-2024 07:36 PM - edited 08-20-2024 07:57 PM
Hi @dundient ,
Your requirements and what you tried seem to be contradictory.
First you say
> I need to get access to underlay network SERVER from overlay network USER but the routes shouldn't appear on each other's routing tables.
but then you continue
> I've tried route leaking, route leaking with PBR
Route leaking would cause the route from VRF A to be present in the global routing table and vice versa.
If it is ok for the VRF A route to be present in the global routing table and vice versa, you can fulfill the requirement with that simple configuration.
ip route 192.168.0.0 255.255.255.0 GigabitEthernet1
! Since the ip route vrf command requires a next hop, you would need one host route for each and every server
! The following sample route assumes that the server is configured with address 1.1.12.2
ip route vrf A 1.1.12.2 255.255.255.255 GigabitEthernet2 1.1.12.2
With that configuration, all hosts on subnet 192.168.0.0/24 could access the server with address 1.1.12.2 and vice versa.
Regards,
08-20-2024 09:08 PM - edited 08-20-2024 09:23 PM
Hi @dundient ,
And if you do not want the route from vrf A to be present in the global routing table (GRT) and vice versa, you could use the following configuration that just uses PBR to route between vrf A and the GRT.
interface GigabitEthernet1
 vrf forwarding vrfA
 ip address 192.168.0.1 255.255.255.0
 ip policy route-map vrfA_global
!
interface GigabitEthernet2
 ip address 1.1.12.1 255.255.255.0
 ip policy route-map global_vrfA
!
route-map vrfA_global permit 10
 match ip address 101
 set global
!
route-map global_vrfA permit 10
 match ip address 102
 set vrf vrfA
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 1.1.12.0 0.0.0.255
access-list 102 permit ip 1.1.12.0 0.0.0.255 192.168.0.0 0.0.0.255
I am also attaching the configuration guide for VRF aware PBR:
Regards,
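A simplified model of the forwarding decision in the PBR configuration above, added here as an illustration and not part of any post in this thread: it shows that only packets whose source and destination both match ACL 101 or 102 are looked up in the other table, while neither table ever holds the other's prefix. The function names and sample packets are constructed for the example, and the model ignores PBR fallback behaviour and router-originated traffic.

```python
import ipaddress

# Connected routes only, as in the posted config: neither table holds the other's prefix.
TABLES = {
    "vrfA": {ipaddress.ip_network("192.168.0.0/24"): "GigabitEthernet1"},
    "global": {ipaddress.ip_network("1.1.12.0/24"): "GigabitEthernet2"},
}
# Ingress interface -> (its own table, ACL entries, table selected by the route-map "set").
# ACL entries are (src, src_wildcard, dst, dst_wildcard), copied from access-lists 101 and 102.
POLICY = {
    "GigabitEthernet1": ("vrfA", [("192.168.0.0", "0.0.0.255", "1.1.12.0", "0.0.0.255")], "global"),
    "GigabitEthernet2": ("global", [("1.1.12.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")], "vrfA"),
}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def lookup(table, dst):
    """Longest-prefix match in one routing table; None means no route (drop)."""
    d = ipaddress.ip_address(dst)
    hits = [n for n in TABLES[table] if d in n]
    return TABLES[table][max(hits, key=lambda n: n.prefixlen)] if hits else None

def forward(ingress, src, dst):
    """Return (table used, egress interface or None) for a packet arriving on ingress."""
    own_table, acl, set_table = POLICY[ingress]
    matched = any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
                  for s, sw, d, dw in acl)
    table = set_table if matched else own_table
    return table, lookup(table, dst)

if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source, destination).
    for pkt in [("GigabitEthernet1", "192.168.0.10", "1.1.12.2"),
                ("GigabitEthernet2", "1.1.12.2", "192.168.0.10"),
                ("GigabitEthernet1", "192.168.0.10", "8.8.8.8"),
                ("GigabitEthernet1", "10.0.0.5", "1.1.12.2")]:
        print(pkt, "->", forward(*pkt))
```

The last two sample packets stay in vrf A and find no route, which is why the breadth of the two ACLs is what defines the exposure between the overlay and the underlay.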
08-27-2024 10:57 PM
Good day @Harold Ritter
I apologize for the late response.
This is exactly what I was looking for. Thank you very much!
08-28-2024 05:02 AM
You are very welcome @dundient and thanks for the feedback