Route leaking using Prefix-Lists on Fusion Router only works with directly connected networks

Hi All, 

I'm trying to emulate as best as possible SD Access under Eve-NG using CSR routers as the Border node and Fusion Router and a combination of CSRs and L2 IOL switches to emulate Fabric nodes. The CSRs don't work with subinterfaces so I have had to use Bridge Domain Interfaces as a workaround to run VRFs. There are two VRFs, IT and OT. For the OT VRF I can route leak the shared services network, however I have also created a 'legacy OT network' that I would like to route leak as well into the OT VRF. The problem is this: I have used prefix-lists and then import these prefix-lists into the OT VRF. If the prefix-list refers to a directly connected network segment on the fusion router, the route leaking will work and the routes are advertised using mBGP to the border router. If the prefix-list refers to a prefix that is not directly connected, the routes are not advertised. I have put static routes on the fusion router pointing to the next hop OT router for the legacy OT networks in question, but this does not work. Attached is the topology in Eve-NG for reference. Any suggestions would be most welcome.

[Attachment: SD Access Eve-NG Emulation.png]

Many Thanks

Andrew

4 Replies

jalejand
Cisco Employee

From the Fusion router can you please upload a show run, show ip route (for any relevant vrf) and show bgp vpnv4 uni all.

 

Also, please provide at least 1 subnet which is not leaked from globalrib/shared services vrf to OT vrf.


Regards

 

Hi, attached is the output you requested.

As an example of a connected route that is being leaked correctly into the OT VRF, this is the shared services network (172.16.254.0/24).

As you can see from the config I have tried the same approach for the OT networks (172.16.50.0/24 and 172.16.60.0/24). These networks are behind the OT router that is directly connected to the Fusion Router. What is interesting is that I can leak the subnet 10.1.2.0/30 that connects the Fusion Router with the OT router as this is directly connected. 

Thank you for looking at this. 

 

Thanks

Andrew 

vrf definition OT
 rd 1:4101
 !
 address-family ipv4
  import ipv4 unicast map IMPORT_OT

 

Based on this, you are trying to import routes from the global routing table into vrf OT, matching these:

 

ip prefix-list LEGACY_OT seq 5 permit 172.16.50.0/24
ip prefix-list LEGACY_OT seq 10 permit 172.16.60.0/24
ip prefix-list LEGACY_OT seq 15 permit 10.1.2.0/30


While the only one which was leaked was: 

B 10.1.2.0/30 is directly connected, 02:09:59, GigabitEthernet3

 

Which is leaked because it is added into the BGP on the add ipv4 /GRIB family:

address-family ipv4
 network 0.0.0.0
 redistribute connected -----------------------***********

 

Try adding 172.16.50.0 and 172.16.60.0 on the BGP process for add ipv4 / GRIB family with either network statements or redistribution in case you use any IGP.

 

Regards
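
The fix suggested above, written out as an added configuration example (not the poster's actual configuration and not part of the original replies): `import ipv4 unicast map` only imports prefixes that are already in the global BGP IPv4 table, so the statically routed legacy OT subnets need `network` statements there. The AS number 65000, the next hop 10.1.2.2 and the body of route-map IMPORT_OT are assumptions; the thread shows only the names and the prefixes.

```cisco
! Static routes to the legacy OT subnets behind the OT router.
! The post says these already exist; 10.1.2.2 is an ASSUMED next hop
! on the 10.1.2.0/30 link between the Fusion Router and the OT router.
ip route 172.16.50.0 255.255.255.0 10.1.2.2
ip route 172.16.60.0 255.255.255.0 10.1.2.2
!
! Prefix-list from the thread: what the OT VRF is allowed to import.
ip prefix-list LEGACY_OT seq 5 permit 172.16.50.0/24
ip prefix-list LEGACY_OT seq 10 permit 172.16.60.0/24
ip prefix-list LEGACY_OT seq 15 permit 10.1.2.0/30
!
! ASSUMED shape of the import map; the thread shows only its name.
route-map IMPORT_OT permit 10
 match ip address prefix-list LEGACY_OT
!
vrf definition OT
 rd 1:4101
 address-family ipv4
  ! Imports from the global BGP table, filtered by IMPORT_OT.
  ! A prefix that is in the RIB but not in BGP is never considered.
  import ipv4 unicast map IMPORT_OT
 exit-address-family
!
! 65000 is a PLACEHOLDER AS number.
router bgp 65000
 address-family ipv4
  network 0.0.0.0
  ! This line is why 10.1.2.0/30 was leaked: it is a connected route,
  ! so it was already present in the global BGP table.
  redistribute connected
  ! The fix: originate the static legacy OT prefixes into BGP.
  ! Each network statement needs an exact-match route in the RIB,
  ! which the two static routes above provide.
  network 172.16.50.0 mask 255.255.255.0
  network 172.16.60.0 mask 255.255.255.0
 exit-address-family
```

After the change, `show bgp ipv4 unicast 172.16.50.0/24` should list the prefix in the global table, and `show ip route vrf OT` should show it imported into the OT VRF. Keeping the import map limited to the exact prefixes in LEGACY_OT keeps the leak between the global table and the OT VRF as narrow as the design intends.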

 

 

 

 

 

Hi,

Adding the BGP network statements as you suggested did the trick. 

Silly mistake.

 

Thank you for your help. Very much appreciated.