11-23-2016 07:52 PM - edited 03-08-2019 08:17 AM
Hello,
I am putting together a test lab for VRFs. I want multiple different VRFs to connect to one VRF but not share any information between the other VRFs.
For an example:
I have a VRF for computers "ip vrf Computers" and I want this to talk to "ip vrf Servers"; however, I want another VRF for phones "ip vrf Phones" to talk to "ip vrf Servers" but not "ip vrf Computers". Is there anyway to do this?
ip vrf Computers
11-24-2016 12:40 AM
Hi
Yes, you need to import/export the VRFs between each other and choose what they see that way (VRF route leaking). So below, both VRFs Green and Red can see the Shared VRF by importing the RT 65000:99.
#example
ip vrf Green
rd 65000:2
route-target export 65000:2
route-target import 65000:99
!
ip vrf Red
rd 65000:1
route-target export 65000:1
route-target import 65000:99
!
ip vrf Shared
rd 65000:99
route-target export 65000:99
route-target import 65000:1
route-target import 65000:2
11-24-2016 08:25 AM
Mark,
Thank you for your response. I made the changes for the route-target imports/exports; however, I am still not able to communicate with that VRF.
rd 25:1
 route-target export 25:1
 route-target import 71:1
!
rd 10:1
!
rd 71:1
 route-target export 71:1
 route-target import 25:1
 route-target import 49:1
!
rd 49:1
 route-target export 49:1
 route-target import 71:1
!
Do I need BGP as well? I've noticed that some of the examples of VRF to VRF use BGP vpnv4.
11-25-2016 12:20 AM
Yes, you must use BGP.
You cannot configure two static routes to advertise each prefix between the VRFs, because this method is not supported; packets will not be routed by the router. To achieve route leaking between VRFs, you must use the import functionality of route-target and enable Border Gateway Protocol (BGP) on the router. No BGP neighbor is required.
Here's a quick example. You could just redistribute it locally to confirm it's working correctly on the VRF leaking side, as a test without setting up neighbours; that should get it working :)
http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/multiprotocol-label-switching-vpns-mpls-vpns/47807-routeleaking.html#diffvrfs
11-25-2016 11:00 AM
Mark,
I have not really worked much with BGP routing. The setup seems to be working now, sort of. Here's the current issue I am having now:
Router #1:
LAN_Router_1#show
Routing Table: Computers
Gateway of last resort is not set
192.168.17.0/24 is variably subnetted, 2 subnets, 2 masks
Switch #1:
LAN_Switch#show ip route vrf Computers
Routing Table: Computers
Gateway of last resort is 192.168.52.1 to network 0.0.0.0
192.168.52.0/29 is subnetted, 1 subnets
Type escape sequence to abort.
Type escape sequence to abort.
Type escape sequence to abort.
Type escape sequence to abort.
The switch cannot ping
interface GigabitEthernet0/1.71
 encapsulation dot1Q 71
11-28-2016 12:29 AM
In what way do you see that non-working route on SW1 compared to another working route from Router 1? Check "show ip route 192.168.17.17", compare it to another route, and post what you see. Looking at the outputs, it should be seen as a local route, the same as 192.168.52.1; is that correct, rather than a BGP route? Is there a 192.168.17.x interface on the switch?
11-29-2016 05:07 AM
Mark,
Sorry for the late response, but here was the finding:
From Switch 1:
Current configuration : 93 bytes
Type escape sequence to abort.
Type escape sequence to abort.
From Router1:
LAN_Router_1#show
Interface              IP-Address      OK? Method Status Protocol
GigabitEthernet0/1.71  192.168.17.17   YES NVRAM  up     up
!
LAN_Router_1#show
Routing Table: Computers
Routing Table: Computers
11-29-2016 06:33 AM
Is the 192.168.17.17 subnet being advertised through an IGP too? Would you mind uploading both full configs? If it's just a lab, it might be easier to see what's happening here.
11-29-2016 03:42 PM
Mark,
Switch config:
version 12.2
no service pad
service
service
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname LAN_Switch
!
boot-start-marker
boot-end-marker
!
enable secret *******************
!
username
!
!
macro global description NULL | NULL
!
no aaa new-model
clock timezone CST -6
switch 1 provision ws-c3750-24ts
system
!
!
rd 25:1
 route-target export 25:1
 route-target import 71:1
!
rd 10:1
!
rd 71:1
 route-target export 71:1
 route-target import 25:1
 route-target import 49:1
!
rd 49:1
 route-target export 49:1
 route-target import 71:1
!
!
!
!
!
!
!
!
spanning-tree mode rapid-
spanning-tree logging
spanning-tree extend system-id
spanning-tree
!
!
!
!
!
interface Loopback0
!
interface Loopback25410
!
interface Loopback25425
!
interface Loopback25449
!
interface Loopback25471
!
interface FastEthernet1/0/1
 spanning-tree
!
interface FastEthernet1/0/2
 spanning-tree
!
interface FastEthernet1/0/3
 description ## Raspberry Pi ##
 spanning-tree
!
interface FastEthernet1/0/4
 spanning-tree
!
interface FastEthernet1/0/5
 spanning-tree
!
interface FastEthernet1/0/6
 spanning-tree
!
interface FastEthernet1/0/7
 spanning-tree
!
interface FastEthernet1/0/8
 spanning-tree
!
interface FastEthernet1/0/9
 spanning-tree
!
interface FastEthernet1/0/10
 spanning-tree
!
interface FastEthernet1/0/11
 spanning-tree
!
interface FastEthernet1/0/12
 spanning-tree
!
interface FastEthernet1/0/13
 spanning-tree
!
interface FastEthernet1/0/14
 spanning-tree
!
interface FastEthernet1/0/15
 spanning-tree
!
interface FastEthernet1/0/16
 spanning-tree
!
interface FastEthernet1/0/17
 spanning-tree
!
interface FastEthernet1/0/18
 spanning-tree
!
interface FastEthernet1/0/19
 description ## PC ##
 spanning-tree
!
interface FastEthernet1/0/20
 description ## X_BOX ##
 spanning-tree
!
interface FastEthernet1/0/21
 description ## PC Connected to WiFi Router ##
 spanning-tree
!
interface FastEthernet1/0/22
 spanning-tree
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
 shutdown
!
interface Vlan1
 no shutdown
!
interface Vlan5
!
interface Vlan10
!
interface Vlan17
!
interface Vlan25
!
interface Vlan49
!
interface Vlan52
!
interface Vlan71
!
interface Vlan94
!
interface Vlan100
!
router
 router-id 192.168.254.10
 log-adjacency-changes
 network 192.168.0.0 0.0.0.3 area 0
 network 192.168.254.10 0.0.0.0 area 0
!
router
 router-id 192.168.254.25
 log-adjacency-changes
 network 192.168.52.0 0.0.0.7 area 0
 network 192.168.254.25 0.0.0.0 area 0
!
router
 router-id 192.168.254.49
 log-adjacency-changes
 network 192.168.94.32 0.0.0.15 area 0
 network 192.168.254.49 0.0.0.0 area 0
!
router
 router-id 192.168.254.71
 log-adjacency-changes
 network 192.168.17.16 0.0.0.7 area 0
 network 192.168.254.71 0.0.0.0 area 0
!
router
 router-id 192.168.254.5
 log-adjacency-changes
 network 192.168.0.5 0.0.0.0 area 1
 network 192.168.10.2 0.0.0.0 area 2
 network 192.168.17.17 0.0.0.0 area 2
 network 192.168.52.1 0.0.0.0 area 2
 network 192.168.94.33 0.0.0.0 area 2
 network 192.168.254.5 0.0.0.0 area 0
!
router
 no synchronization
 no auto-summary
 !
 address-family ipv4
  redistribute connected
  redistribute
  no synchronization
 exit-address-family
 !
 address-family ipv4
  redistribute connected
  redistribute
  no synchronization
 exit-address-family
 !
 address-family ipv4
  redistribute connected
  redistribute
  no synchronization
 exit-address-family
!
no ip http server
no
!
!
 permit 192.168.0.0 0.0.0.7 log
 permit 192.168.52.0 0.0.0.7 log
 permit 192.168.17.16 0.0.0.7 log
 permit 192.168.94.32 0.0.0.15 log
 deny any log
!
 permit
 permit
 permit
 permit
 permit
 permit
 permit
 deny
!
!
banner login ^C
W A R N I N G
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized used.
All computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security.
Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system.
During monitoring, information may be examined, recorded, copied and used for authorized purposes.
All information including personal information, placed on or sent over this system may be monitored.
unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution.
Evidence of any such unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action.
Use of this system constitutes consent to
^C
!
line con 0
 session-timeout 60
 exec-timeout 60 0
 logging synchronous
 login local
line
 access-class SSH_IN in
 login local
line
 access-class SSH_IN in
 login local
!
event manager environment suspend_ports_config flash:/susp_ports.dat
event manager environment suspend_ports_days 7
event manager directory user policy "flash:/policies/"
event manager session
event manager policy sl_suspend_ports.tcl
event manager policy tm_suspend_ports.tcl
event manager applet SaveRunConfig
 event timer
 action 1.0
 action 2.0
!
event manager history size events 50
Router config:
version 15.1
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system including all related equipment, network devices
All computer systems may be monitored for all lawful purposes, including
Monitoring includes active attacks by authorized personnel and their
All information including personal information, placed on or sent over
Unauthorized use may subject you to criminal prosecution. Evidence of
12-01-2016 01:16 AM
Hi, sorry for the slow reply, bad week at work. Try adding the redistribute ospf to the router too; the issue is with the redistribution and how the route is being seen.
router
 address-family ipv4 vrf Servers
  redistribute connected
 exit-address-family
switch
 address-family ipv4 vrf Servers
  redistribute connected
  redistribute ospf 71 vrf Servers
  no synchronization
 exit-address-family
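Pulling the thread's three pieces of advice together (the route-target import/export scheme from the 11-24 reply, the "BGP process but no neighbour" point from the 11-25 reply, and the per-VRF redistribution from the 12-01 reply), here is a complete single-box VRF-lite configuration for the original question: Computers and Phones each reach Servers, but never each other. This is an added example written for this page, not the poster's lab config or Cisco's own; the AS number 65000, the RD/RT values, the VLAN numbers, the 10.0.x.0/24 addressing and the OSPF process ID 71 are all assumptions chosen for illustration.

```cisco
! Hub-and-spoke route-target design (assumed values):
!   Servers   exports 65000:1, imports the two spoke RTs
!   Computers exports 65000:2, imports only the hub RT
!   Phones    exports 65000:3, imports only the hub RT
! Because neither spoke imports the other spoke's RT, Computers and
! Phones never learn each other's prefixes, even though both see Servers.
ip vrf Servers
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:2
 route-target import 65000:3
!
ip vrf Computers
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:1
!
ip vrf Phones
 rd 65000:3
 route-target export 65000:3
 route-target import 65000:1
!
! Sub-interfaces per VRF (hypothetical VLANs and addressing).
! "ip vrf forwarding" must come before "ip address"; IOS clears the
! address when the interface is moved into a VRF.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding Servers
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding Computers
 ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip vrf forwarding Phones
 ip address 10.0.30.1 255.255.255.0
!
! Optional: an IGP inside the Servers VRF (assumed process 71), so that
! routes learned from a downstream device can also be leaked.
router ospf 71 vrf Servers
 network 10.0.10.0 0.0.0.255 area 0
!
! The BGP process is what performs the RT import/export between the
! VRF tables. No neighbour is configured; the routes only need to be
! placed into the VPNv4 table, which "redistribute connected" does.
router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf Servers
  redistribute connected
  redistribute ospf 71 match internal external 1 external 2
 exit-address-family
 !
 address-family ipv4 vrf Computers
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf Phones
  redistribute connected
 exit-address-family
!
! Verification (expected result, not captured output):
!   show ip route vrf Phones      -> contains 10.0.10.0/24 as a BGP route,
!                                    no 10.0.20.0/24
!   show ip route vrf Computers   -> contains 10.0.10.0/24, no 10.0.30.0/24
!   show ip route vrf Servers     -> contains both 10.0.20.0/24 and 10.0.30.0/24
!   show ip bgp vpnv4 all         -> every leaked prefix, tagged with its RD
!   ping vrf Phones 10.0.20.1     -> must fail; this is the isolation check
```

The isolation check at the end is the one worth keeping in a lab runbook: a successful ping between the two spoke VRFs means an import statement has been added on the wrong side, which is the most common way a hub-and-spoke leak quietly turns into any-to-any.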
12-02-2016 01:22 PM
Mark,
It's alright. I understand. It's been a rough week between work and school for me too. I don't quite understand this. I had turned off my test lab the other day, with all the configuration saved from when I sent it to you. I turned on all the equipment today and without making any configuration changes... I was able to ping everything??? Doesn't quite make sense to me.
12-05-2016 12:30 AM
Hi, it should have worked before, as you were redistributing connected and both interfaces were connected directly to the switch. Sometimes with BGP you need to clear the process if you have been making multiple changes: clear bgp * (never use this in the real world, but handy for labs); in the real world you use a soft reset.