7071 Views, 35 Helpful, 7 Replies

VRFs configuration and Routes leaking

Hello,

I got stuck with VRF configuration. Could someone help me understand how to configure VRFs and routing between them?

Some technical information:
I'm using a Cisco C4503 switch for testing this configuration. After the VRFs are tested, the entire configuration will be used on a Cisco C6807XL switch.

Problem: I can't access the Internet because the forwarding router's IP is in the global VRF, and from the employee PC I also can't access the Servers network.

Topology:

2 VRFs, maybe more in the future: Servers VRF, Employee VRF and the global VRF.

 

[Image: Screenshot_1.jpg (topology diagram)]

 

Attaching running configuration. Please help!

3 Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello @KestutisGrigas2465 ,

for routing between VRFs the most elegant and powerful solution is to use route-targets, as explained in the article linked by the other colleague.

ip vrf Employee
description Employee and students
!
ip vrf Servers
description Servers
!

you need to add an RD (route distinguisher) and route-targets and use MP-BGP, defining the address family for each VRF.

RD values must be unique per VRF per node.

Route-targets can be imported and exported with multiple values (they are extended communities).

If VRF A exports routes with at least one route-target associated with them that VRF B imports, the routes will appear in the VRF B routing table; the same is valid in the opposite direction.

For leaking routes between a VRF and the global routing table things are different: you cannot use route targets, because routes in the global routing table have no route targets associated with them by definition.

You can create a link between one port in the GRT and one port in the VRF using a common IP subnet, and you can use static routes to create bidirectional connectivity.

Routes in the global routing table have the form

ip route ....

static routes in a VRF

ip route vrf <vrf-name> ...

At the end of the static route you can add the interface name in addition to the next hop.

This is the oldest approach, with a LAN cable between two ports.

Some improvements have been introduced, so that for example static routes in a VRF can add the keyword global to say the next hop is to be searched in the global routing table.

Hope to help

Giuseppe

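The following is an added example, not part of Giuseppe's post or anyone's configuration in this thread; it puts his description (RD, route-targets, MP-BGP address family per VRF) into a complete VRF-lite configuration for an IOS Catalyst switch. The AS number 65000, the RD and route-target values 65000:1 and 65000:2, the VLAN numbers and the 192.168.101.0/24 and 192.168.102.0/24 subnets are all constructed for illustration.

```cisco
! Added example (constructed values): inter-VRF route leaking with route-targets.
! Each VRF exports its own routes under one RT and imports the other VRF's RT.
ip vrf Employee
 description Employee and students
 rd 65000:1
 route-target both 65000:1
 ! import what the Servers VRF exports
 route-target import 65000:2
!
ip vrf Servers
 description Servers
 rd 65000:2
 route-target both 65000:2
 ! import what the Employee VRF exports
 route-target import 65000:1
!
! "ip vrf forwarding" clears any IP address already on the SVI,
! so it goes before "ip address".
interface Vlan2001
 ip vrf forwarding Employee
 ip address 192.168.101.254 255.255.255.0
!
interface Vlan2002
 ip vrf forwarding Servers
 ip address 192.168.102.254 255.255.255.0
!
! MP-BGP performs the RT export/import locally; no neighbors are required
! for leaking between VRFs on the same box.
router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf Employee
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf Servers
  redistribute connected
 exit-address-family
!
```

Check the result with `show ip bgp vpnv4 all` (both connected subnets should appear as VPNv4 prefixes carrying their route-target extended communities) and `show ip route vrf Servers`, where 192.168.101.0/24 should show up as a BGP ("B") route; the import can take a few seconds after the configuration is entered. Note that this configuration leaks every connected subnet in both directions; if only some prefixes should cross between the VRFs, attach an `export map` or `import map` under `ip vrf` to filter them rather than importing the whole VRF.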

> My hosts don't have internet connection. Route leak between VRF's and Global Routing table not working. I put "ip route vrf <vrf-name> x.x.x.x x.x.x.x x.x.x.x global" command and still don't have internet connection.

 

For Internet access to work, you also have to add a route for Internet traffic back to the end users.

 

ip route 192.168.101.0 255.255.255.0 Vlan2001

ip route 192.168.102.0 255.255.255.0 Vlan2002

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

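As an added example (not Harold's or Giuseppe's own configuration), here is the VRF-to-global leak from the two posts put together: the `global` keyword on the VRF static routes that Giuseppe mentions, plus the return routes Harold adds so that traffic from the Internet can get back into the VRFs. Vlan2009 as the upstream interface, the 203.0.113.0/24 transit subnet and the forwarding router's address 203.0.113.1 are assumed values; the VRF names and the two return routes are from the thread.

```cisco
! Added example (constructed addresses): Internet access from two VRFs
! through a next hop that lives in the global routing table (GRT).
!
! The upstream SVI stays in the GRT, facing the forwarding router.
interface Vlan2009
 ip address 203.0.113.2 255.255.255.0
!
! Default route of the GRT itself (assumed forwarding router 203.0.113.1).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Inside each VRF, send unknown destinations to a next hop that is
! resolved in the GRT, not in the VRF ("global" keyword).
ip route vrf Employee 0.0.0.0 0.0.0.0 203.0.113.1 global
ip route vrf Servers  0.0.0.0 0.0.0.0 203.0.113.1 global
!
! Return path: without these, replies arriving in the GRT have no route
! back to the VRF subnets. Pointing at the VRF's SVI is enough because
! the subnet is directly attached to that interface.
ip route 192.168.101.0 255.255.255.0 Vlan2001
ip route 192.168.102.0 255.255.255.0 Vlan2002
!
```

To verify, `show ip route vrf Employee 0.0.0.0` should list the default with next hop 203.0.113.1, `show ip route 192.168.101.0` in the GRT should point at Vlan2001, and `ping vrf Employee 203.0.113.1` tests the forward leg from inside the VRF. Two things the page does not spell out but that decide whether this works end to end: the forwarding router also needs a route back to 192.168.101.0/24 and 192.168.102.0/24 (via 203.0.113.2) or must NAT them, and the two return routes make the VRF subnets reachable from anything that can reach the GRT, so the separation the VRFs give you now only holds between VLANs on the switch; apply an ACL on the upstream SVI if hosts in the VRFs should not be reachable from outside.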

7 Replies

Alex Pfeil
Level 7

I think this might be what you are looking for. Please rate helpful posts.

Inter-VRF routing on the same Router (VRF-lite route leak) – Cisco IOS | iCookServers-&-Networks


Hello,

Thank you for your replies. I solved one problem, with route-targets. Now I can access the Servers network from the Employee network.

One problem left, with the Internet connection. My hosts don't have an Internet connection. Route leaking between the VRFs and the global routing table is not working. I put in the "ip route vrf <vrf-name> x.x.x.x x.x.x.x x.x.x.x global" command and still don't have an Internet connection.

Attaching running configuration.

Also I have some questions about RD and route-targets. What do these values mean, like 1:100 or 655111:100? What values should be on my topology?

Hello @KestutisGrigas2465 ,

RD and route-target values can be chosen.

The RD is a 64-bit value that is prepended to the VRF IPv4 prefix to create a VPNv4 prefix

VPNv4 = <RD>:<IP prefix>

so a VPNv4 prefix is 96 bits long.

The RD is used to be able to support multiple customers having overlapping IP subnets in different VRFs.

The RD can be built in two ways:

<BGP AS number>:<32-bit value>

if the AS number is two bytes, less than 65535

Route targets use the format <AS number>:<value> and express an extended community attribute, a "color", that is used by remote PE nodes to decide whether a received VPNv4 prefix should be imported into a local VRF or not.

Multiple route-target values can be associated with a VPNv4 prefix at the same time.

The RD can also be written as <local-Loopback-address>:<value (16 bit)>

For making working communication with the GRT I would suggest using two ports and a LAN cable; in the end it is easier.

Hope to help

Giuseppe

 


Thank you. I now have Internet access on the computers and can connect to the server network from the employee network. Thank you all a lot.

Hello again,

I tried to change the network infrastructure to VRFs with the configuration above and it worked successfully. Now I need to access private VLANs inside a VRF from a public interface. For example:
From:
interface vlan 2009
ip address 5.5.5.254 255.255.255.0

To:
interface vlan 2001
ip address 192.168.103.254 255.255.255.0
ip vrf forwarding Employee

I tried to leak routes with PBR, but it is still not working.
When I use GRT leak routing with "ip vrf receive Employee", I can access the private VLANs that are in the Employee VRF, but then I can't access networks in the Servers VRF.
