Problem with route leaking in the vxlan/evpn multisite fabric.

bgpripe
Level 1

Hello everyone! I have a VXLAN/EVPN multisite fabric with two data centers (65502 - DC-2, 65503 - DC-3) and two VRFs: vrf_2 and vrf_3. I'm trying to do route leaking between them on DC-2-BGW-1-1/1-2 (anycast BGW), and the routes are correct there in both VRFs. On the DC-3 BGW everything is correct in vrf_2, but there are not enough routes in vrf_3. Tell me where the error is.

config:

DC-2 bgw:

vrf context vrf_2
  vni 4000502
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
    route-target import 65502:5000502
    route-target import 65502:5000502 evpn
    route-target export 65502:5000502
    route-target export 65502:5000502 evpn
    import map import_vrf_2
    import vrf advertise-vpn
    export vrf allow-vpn
vrf context vrf_3
  vni 5000502
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
    route-target import 65502:4000502
    route-target import 65502:4000502 evpn
    route-target export 65502:4000502
    route-target export 65502:4000502 evpn
    import map import_vrf_1
    import vrf advertise-vpn
    export vrf allow-vpn

dc-2-bgw-1-1# sh ip ro su vrf vrf_2
IP Route Table for VRF "vrf_2"
Total number of routes: 5391
Total number of paths:  5391

Unicast paths:
Best paths per protocol:      Backup paths per protocol:
  bgp-65502      : 5366         None
  broadcast      : 13
  direct         : 5
  local          : 5
  urib_internal  : 2

Number of routes per mask-length:
  /0 : 1       /8 : 2       /12: 1       /16: 3       /22: 3
  /23: 7       /24: 985     /26: 1148    /27: 1734    /28: 519
  /29: 520     /30: 7       /31: 10      /32: 451

dc-2-bgw-1-1# sh ip ro su vrf vrf_3
IP Route Table for VRF "vrf_3"
Total number of routes: 5387
Total number of paths:  5388

Unicast paths:
Best paths per protocol:      Backup paths per protocol:
  bgp-65502      : 5369         None
  broadcast      : 5
  direct         : 2
  local          : 2
  urib_internal  : 10

Number of routes per mask-length:
  /0 : 1       /8 : 2       /12: 1       /16: 3       /22: 3
  /23: 7       /24: 985     /26: 1148    /27: 1734    /28: 519
  /29: 520     /30: 7       /31: 10      /32: 447

DC-3 bgw:

vrf context vrf_2
  vni 4000502
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn

vrf context vrf_3
  vni 5000502
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn

dc-3-bgw-1-1# sh ip ro su vrf vrf_2
IP Route Table for VRF "vrf_2"
Total number of routes: 5057
Total number of paths:  5058

Unicast paths:
Best paths per protocol:      Backup paths per protocol:
  bgp-65503      : 5027         None
  broadcast      : 15
  direct         : 8
  local          : 8

Number of routes per mask-length:
  /0 : 1       /8 : 2       /12: 1       /16: 3       /22: 3
  /23: 7       /24: 972     /26: 1124    /27: 1703    /28: 519
  /29: 520     /30: 7       /31: 10      /32: 185

dc-3-bgw-1-1# sh ip ro su vrf vrf_3
IP Route Table for VRF "vrf_3"
Total number of routes: 38
Total number of paths:  38

Unicast paths:
Best paths per protocol:      Backup paths per protocol:
  bgp-65503      : 35           None
  broadcast      : 3

Number of routes per mask-length:
  /0 : 1       /8 : 1       /24: 17      /31: 4       /32: 15

4 Replies

What platform do you have, NXOS/XE/XR?

MHM

My Platform N9k - NXOS.

Show vrf <> detail <<- share this for both VRFs

MHM

Stefan Mihajlov
Level 1

@bgpripe 

Your config on DC-2 shows leaking between vrf_2 and vrf_3 using route-targets, but on DC-3 the BGWs only have the default both auto RTs. That’s why vrf_3 on DC-3 only learns a handful of routes — it isn’t importing the leaked RTs coming from DC-2.

For inter-VRF leaking to work across sites you need:

  • Matching import/export RTs on both VRFs in both sites.

  • The import vrf advertise-vpn and export vrf allow-vpn knobs set on the leaking side.

Add the same explicit import/export route-targets for vrf_3 on DC-3 that you used on DC-2, otherwise those leaked routes will never be imported.
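
The comparison described in the answer above, as an added example that is not part of the original thread: a Python sketch that parses the vrf context blocks and lists explicit route-targets configured on one site's BGW but absent on the other. The sample configs are constructed from the ones posted here (vni, rd, and evpn lines trimmed); explicit_rts and missing_on_peer are hypothetical helper names, and "auto" route-targets are ignored rather than expanded.

```python
import re
from collections import defaultdict

# Constructed from the configs posted in this thread (vni/rd/evpn lines trimmed).
DC2 = """\
vrf context vrf_2
  address-family ipv4 unicast
    route-target both auto
    route-target import 65502:5000502
    route-target export 65502:5000502
vrf context vrf_3
  address-family ipv4 unicast
    route-target both auto
    route-target import 65502:4000502
    route-target export 65502:4000502
"""
DC3 = """\
vrf context vrf_2
  address-family ipv4 unicast
    route-target both auto
vrf context vrf_3
  address-family ipv4 unicast
    route-target both auto
"""

RT = re.compile(r"route-target (import|export|both) (\S+)( evpn)?$")

def explicit_rts(config):
    """Return {vrf: {"import": set, "export": set}} of explicit (non-auto) RTs."""
    vrfs, current = defaultdict(lambda: {"import": set(), "export": set()}), None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("vrf context "):
            current = line.split()[2]
        elif current and (m := RT.match(line)) and m.group(2) != "auto":
            for d in (("import", "export") if m.group(1) == "both" else (m.group(1),)):
                vrfs[current][d].add(m.group(2))
    return vrfs

def missing_on_peer(reference, peer):
    """List (vrf, direction, rt) set on the reference site but absent on the peer."""
    ref, other = explicit_rts(reference), explicit_rts(peer)
    return sorted((v, d, rt) for v, dirs in ref.items()
                  for d, rts in dirs.items() for rt in rts - other[v][d])

if __name__ == "__main__":
    for vrf, direction, rt in missing_on_peer(DC2, DC3):
        print(f"{vrf}: route-target {direction} {rt} missing on DC-3")
```

Running the same diff in both directions before and after a change also shows any VRF that has started importing a route-target it did not import before, which is worth reviewing when the VRFs are meant to be segmented.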
