Hello,
I have a weird setup that I couldn't actually make work. I could use another set of eyes.
Description:
I have 2 VRF configurations in the switch. One of them (Corporate) has BGP neighbors on upstream routers to get all corporate services from the data centers. The 2nd VRF is an isolated one for my factory network and is not going out or advertised to WAN services.
One machine in the CORP network needs to communicate on the FACT VRF. I leaked the CORP network to the FACT network; however, I couldn't make it work the other way around without advertising FACT to the WAN network.
router bgp 65004
 bgp router-id 10.3.20.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf MANUFACTURING
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CORPORATE
  redistribute connected
  redistribute static
  neighbor 10.3.241.66 remote-as 65004
  neighbor 10.3.241.66 update-source Vlan970
  neighbor 10.3.241.66 activate
  neighbor 10.3.241.67 remote-as 65004
  neighbor 10.3.241.67 update-source Vlan970
  neighbor 10.3.241.67 activate
  neighbor 10.3.241.67 route-map DEFAULT_ROUTE in
  no synchronization
 exit-address-family
!
interface Vlan20
 description USER VLAN
 ip vrf forwarding CORPORATE
 ip address 10.3.20.1 255.255.255.0
!
interface Vlan153
 description ENGINEERING VLAN
 ip vrf forwarding MANUFACTURING
 ip address 10.3.153.1 255.255.255.0
!
interface Vlan970
 description CORPORATE WAN TRANSIT
 ip vrf forwarding CORPORATE
 ip address 10.3.241.65 255.255.255.248
 no ip redirects
!
!
ip vrf CORPORATE
 rd 65004:1
 export map CORPORATE_EXPORT
 route-target export 65004:65004 << PSEUDO export for filtering what to leak >>
 route-target import 65004:4
!
!
ip vrf MANUFACTURING
 rd 65004:4
 route-target export 65004:4
 route-target import 65004:1
!
ip prefix-list CORPORATE_LEAK seq 5 permit 10.3.20.0/24 le 32
!
route-map CORPORATE_EXPORT permit 10
 match ip address prefix-list CORPORATE_LEAK
 set extcommunity rt 65004:1
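
An added example, not part of the original post: a small Python model of the posted route-target import/export policy that lists which prefixes cross the VRF boundary and which of them land in the VRF that has upstream BGP neighbors. The function names, the `ROUTES` table and the treatment of routes the export map does not match are assumptions of this sketch.

```python
import ipaddress, re

# Constructed input: the VRF / prefix-list / route-map stanzas as posted above.
CONFIG = """\
ip vrf CORPORATE
 export map CORPORATE_EXPORT
 route-target export 65004:65004
 route-target import 65004:4
ip vrf MANUFACTURING
 route-target export 65004:4
 route-target import 65004:1
ip prefix-list CORPORATE_LEAK seq 5 permit 10.3.20.0/24 le 32
route-map CORPORATE_EXPORT permit 10
 match ip address prefix-list CORPORATE_LEAK
 set extcommunity rt 65004:1
"""
# Assumption: these subnets (from the posted SVIs) are in each VRF's BGP table.
ROUTES = {"CORPORATE": ["10.3.20.0/24", "10.3.241.64/29"],
          "MANUFACTURING": ["10.3.153.0/24"]}

def parse(cfg):
    vrfs, plists, rmaps = {}, {}, {}
    for name, body in re.findall(r"^ip vrf (\S+)\n((?: .*\n)*)", cfg, re.M):
        vrfs[name] = {"exp": set(re.findall(r"route-target export (\S+)", body)),
                      "imp": set(re.findall(r"route-target import (\S+)", body)),
                      "map": (re.findall(r"export map (\S+)", body) or [None])[0]}
    for name, body in re.findall(r"^route-map (\S+) permit \d+\n((?: .*\n)*)", cfg, re.M):
        rmaps[name] = {"plist": re.search(r"prefix-list (\S+)", body).group(1),
                       "rt": set(re.findall(r"set extcommunity rt (\S+)", body))}
    for n, net, le in re.findall(r"^ip prefix-list (\S+) seq \d+ permit (\S+)(?: le (\d+))?", cfg, re.M):
        plists.setdefault(n, []).append((ipaddress.ip_network(net), int(le) if le else None))
    return vrfs, plists, rmaps

def export_rts(vrf, prefix, vrfs, plists, rmaps):
    p, rm = ipaddress.ip_network(prefix), rmaps.get(vrfs[vrf]["map"])
    for net, le in (plists.get(rm["plist"], []) if rm else []):
        if p.subnet_of(net) and p.prefixlen <= (le or net.prefixlen):
            return rm["rt"]        # 'set' without 'additive' replaces the RT list
    return vrfs[vrf]["exp"]        # assumption: unmatched routes keep the default RT

def leaks(cfg=CONFIG, routes=ROUTES):
    """(source VRF, prefix, importing VRF) for each route crossing a VRF boundary."""
    vrfs, plists, rmaps = parse(cfg)
    return [(src, pfx, dst) for src, pfxs in routes.items() for pfx in pfxs
            for dst, v in vrfs.items()
            if dst != src and export_rts(src, pfx, vrfs, plists, rmaps) & v["imp"]]

def reaches_wan(wan_vrfs=("CORPORATE",)):
    # Foreign prefixes imported into a VRF that has upstream BGP neighbors.
    return [leak for leak in leaks() if leak[2] in wan_vrfs]
```

`reaches_wan()` returns the MANUFACTURING subnet: once 10.3.153.0/24 is imported into CORPORATE it sits in the same VRF BGP table that the 10.3.241.66 and 10.3.241.67 neighbors are fed from, and the posted neighbor statements carry only an inbound route-map.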