Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8033
Views
0
Helpful
10
Replies

Nexus 9k VRF-Lite route leaking filter

Go to solution
gsancassano
Level 1
Level 1

‎02-01-2017 12:24 PM - edited ‎03-08-2019 09:08 AM

Hi all,

I´m configuring VRF route leaking between 3 VRF (SERVICES, AAA, BBB) using VRF-Lite as shown in the configuration below.
With this configuration, VRF AAA and BBB will learn the 4 static route from VRF SERVICES.

I would like to know if there is a way to only learn route 10.10.10.0 and 10.20.20.0 in VRF AAA and only routes 10.30.30.0 and 10.40.40.0 in VRF BBB. In

other words, I would like to filter witch route are learn form SERVICES in VRF AAA and VRF BBB.

Thanks in advance.

======================Config===================================
!
ip prefix-list MAP-SERVICES seq 5 permit 10.10.10.0/24
ip prefix-list MAP-SERVICES seq 10 permit 10.20.20.0/24
ip prefix-list MAP-SERVICES seq 15 permit 10.30.30.0/24
ip prefix-list MAP-SERVICES seq 20 permit 10.40.40.0/24
ip prefix-list MAP-AAA seq 5 permit 100.100.100.0/24
ip prefix-list MAP-BBB seq 5 permit 200.200.200.0/24
!
!
route-map MAP-SERVICES permit 10
  match ip address prefix-list MAP-SERVICES
!
route-map MAP-AAA permit 10
  match ip address prefix-list MAP-AAA
!
route-map MAP-BBB permit 10
  match ip address prefix-list MAP-BBB
!
!
vrf context SERVICES
  ip route 10.10.10.0/24 10.1.1.1  !(for VRF AAA)  ip route 10.20.20.0/24 10.1.1.1  !(for VRF AAA)  ip route 10.30.30.0/24 10.1.1.1  !(for VRF BBB)  ip

route 10.40.40.0/24 10.1.1.1  !(for VRF BBB)
  address-family ipv4 unicast
    route-target import 65500:2
    route-target import 65500:3
    route-target export 65500:1
!
vrf context AAA
  address-family ipv4 unicast
    route-target import 65500:1
    route-target export 65500:2
!
vrf context BBB
  address-family ipv4 unicast
    route-target import 65500:1
    route-target export 65500:3
!
!
interface Vlan100  description AAA  no shutdown  vrf member AAA  ip address 100.100.100.1/24
!
interface Vlan200  description BBB  no shutdown  vrf member BBB  ip address 200.200.200.1/24
!
!
router bgp 65500
  vrf SERVICES
    address-family ipv4 unicast
      redistribute static route-map MAP-SERVICES
  vrf AAA
    address-family ipv4 unicast
      redistribute direct route-map MAP-AAA
  vrf BBB
    address-family ipv4 unicast
      redistribute direct route-map MAP-BBB
!

======================End_Config===================================

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Paul Chapman
Level 4
Level 4
In response to gsancassano

‎02-06-2017 06:08 PM

Hi -

After some digging I found a reference to an "import map" which will allow you to filter the routes as they are leaked between the VRFs.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/command_references/configuration_commands/b_Using_N9K_Config_Commands/b_N9K_Bookmap_chapter_010101.html#wp1300260430

PSC

View solution in original post

0 Helpful

Go to solution
willwetherman
Spotlight
Spotlight
In response to gsancassano

‎02-09-2017 12:51 PM

Hi,


The import-map feature as suggested by Paul should work as I have a similar setup on a pair of Nexus 9Ks.

Note that the route-target import 65500:1 command still needs to be applied to the AAA and BBB VRFs to trigger the import of the Services prefixes. The import map filter is then applied before the prefixes are imported into the routing table

Try the following:


ip prefix-list IMPORT-AAA seq 5 permit 10.10.10.0/24
ip prefix-list IMPORT-AAA seq 10 permit 10.20.20.0/24
!
ip prefix-list IMPORT-BBB seq 5 permit 10.30.30.0/24
ip prefix-list IMPORT-BBB seq 10 permit 10.40.40.0/24
!
route-map IMPORT-MAP-AAA permit 10
  match ip address prefix-list IMPORT-AAA
!
route-map IMPORT-MAP-BBB permit 10
  match ip address prefix-list IMPORT-BBB
!
vrf context AAA
  address-family ipv4 unicast
    route-target import 65500:1
    import map IMPORT-MAP-AAA
!
vrf context BBB
  address-family ipv4 unicast
    route-target import 65500:1
    import map IMPORT-MAP-BBB

Hope this helps

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Paul Chapman
Level 4
Level 4

‎02-02-2017 04:53 PM

Hi -

I see your import/exports for the route targets, but I don't see that you actually defined your RDs in the vrf configuration.

vrf context SERVICES
 rd 65500:1
vrf context AAA
 rd 65500:2
vrf context BBB
 rd 65500:3

PSC

0 Helpful

Go to solution
gsancassano
Level 1
Level 1
In response to Paul Chapman

‎02-03-2017 06:43 AM

Hi Paul, thanks for your answer.

I haven't define the RDs in the different VRF because I'm using VRF-Lite and as I know is not need to import/export routes.

The config I provided is working fine, the only thing I would like to change is the routers learned from SERVICES in VRF AAA and BBB.

0 Helpful

Go to solution
Paul Chapman
Level 4
Level 4
In response to gsancassano

‎02-03-2017 08:05 AM

Hi -

Can you post a "show ip route vrf all"?

PSC

0 Helpful

Go to solution
gsancassano
Level 1
Level 1
In response to Paul Chapman

‎02-06-2017 09:38 AM

Hi Paul,

Here is the output of the "show ip route vrf all"

Thanks for any suggestion on how can I filter which route are learned from SERVICES to AAA and BBB.

N9k# sh ip route vrf all   
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
 
IP Route Table for VRF "management"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
 
10.22.1.0/24, ubest/mbest: 1/0, attached
    *via 10.22.1.248, mgmt0, [0/0], 00:06:40, direct
10.22.1.248/32, ubest/mbest: 1/0, attached
    *via 10.22.1.248, mgmt0, [0/0], 00:06:40, local
 
IP Route Table for VRF "SERVICES"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
 
10.10.10.0/24, ubest/mbest: 1/0
    *via 10.1.1.1, [1/0], 00:00:33, static
10.20.20.0/24, ubest/mbest: 1/0
    *via 10.1.1.1, [1/0], 00:00:33, static
10.30.30.0/24, ubest/mbest: 1/0
    *via 10.1.1.1, [1/0], 00:00:33, static
10.40.40.0/24, ubest/mbest: 1/0
    *via 10.1.1.1, [1/0], 00:00:33, static
10.1.1.0/29, ubest/mbest: 1/0, attached
    *via 10.1.1.2, Vlan3100, [0/0], 00:04:04, direct
10.1.1.2/32, ubest/mbest: 1/0, attached
    *via 10.1.1.2, Vlan3100, [0/0], 00:04:04, local
100.100.100.0/24, ubest/mbest: 1/0, attached
    *via vrf BBB, Vlan100, [20/0], 00:04:04, bgp-65500, external, tag 65500
200.200.200.0/24, ubest/mbest: 1/0, attached
    *via 172.21.4.248%AAA, Vlan200, [20/0], 00:04:04, bgp-65500, external, tag 65500
 IP Route Table for VRF "AAA"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
 
10.10.10.0/24, ubest/mbest: 1/0
    *via 10.1.1.2%SERVICES, [20/0], 00:04:04, bgp-65500, external, tag 65500
10.20.20.0/24, ubest/mbest: 1/0
    *via 10.1.1.2%SERVICES, [20/0], 00:04:04, bgp-65500, external, tag 65500
10.30.30.0/24, ubest/mbest: 1/0
    *via 10.1.1.2%SERVICES, [20/0], 00:04:04, bgp-65500, external, tag 65500
10.40.40.0/24, ubest/mbest: 1/0
    *via 10.1.1.2%SERVICES, [20/0], 00:04:04, bgp-65500, external, tag 65500
200.200.200.0/24, ubest/mbest: 1/0, attached
    *via 200.200.200.1, Vlan200, [0/0], 00:04:04, direct
200.200.200.1/32, ubest/mbest: 1/0, attached
    *via 200.200.200.1, Vlan200, [0/0], 00:04:04, local
 
IP Route Table for VRF "BBB"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
 
10.10.10.0/24, ubest/mbest: 1/0
    *via 10.1.1.2%SERVICES, [20/0], 00:04:04, bgp-65500, external, tag 65500
10.20.20.0/24, ubest/mbest: 1/0
    *via 10.1.1.2%SERVICES, [20/0], 00:04:04, bgp-65500, external, tag 65500
10.30.30.0/24, ubest/mbest: 1/0
    *via 10.1.1.2%SERVICES, [20/0], 00:04:04, bgp-65500, external, tag 65500
10.40.40.0/24, ubest/mbest: 1/0
    *via 10.1.1.2%SERVICES, [20/0], 00:04:04, bgp-65500, external, tag 65500
100.100.100.0/24, ubest/mbest: 1/0, attached
    *via 100.100.100.1, Vlan100, [0/0], 00:04:04, direct
100.100.100.1/32, ubest/mbest: 1/0, attached
    *via 100.100.100.1, Vlan100, [0/0], 00:04:04, local
 N9k# 

0 Helpful

Go to solution
Paul Chapman
Level 4
Level 4
In response to gsancassano

‎02-06-2017 06:08 PM

Hi -

After some digging I found a reference to an "import map" which will allow you to filter the routes as they are leaked between the VRFs.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/command_references/configuration_commands/b_Using_N9K_Config_Commands/b_N9K_Bookmap_chapter_010101.html#wp1300260430

PSC

0 Helpful

Go to solution
gsancassano
Level 1
Level 1
In response to Paul Chapman

‎02-07-2017 03:33 AM

Hi Paul,

I thought that "import map" command only allow import routes from the Default VRF to others VRF.

I will try it an then post my results.

0 Helpful

Go to solution
gsancassano
Level 1
Level 1
In response to gsancassano

‎02-09-2017 11:48 AM

Hi Paul,

I made some tests using "import map" but unfortunately I don't get working what I wanted.

Could you share an example of import route using "import map" were I can filter which route import form one VRF to another?

Thanks in advance.

0 Helpful

Go to solution
willwetherman
Spotlight
Spotlight
In response to gsancassano

‎02-09-2017 12:51 PM

Hi,


The import-map feature as suggested by Paul should work as I have a similar setup on a pair of Nexus 9Ks.

Note that the route-target import 65500:1 command still needs to be applied to the AAA and BBB VRFs to trigger the import of the Services prefixes. The import map filter is then applied before the prefixes are imported into the routing table

Try the following:


ip prefix-list IMPORT-AAA seq 5 permit 10.10.10.0/24
ip prefix-list IMPORT-AAA seq 10 permit 10.20.20.0/24
!
ip prefix-list IMPORT-BBB seq 5 permit 10.30.30.0/24
ip prefix-list IMPORT-BBB seq 10 permit 10.40.40.0/24
!
route-map IMPORT-MAP-AAA permit 10
  match ip address prefix-list IMPORT-AAA
!
route-map IMPORT-MAP-BBB permit 10
  match ip address prefix-list IMPORT-BBB
!
vrf context AAA
  address-family ipv4 unicast
    route-target import 65500:1
    import map IMPORT-MAP-AAA
!
vrf context BBB
  address-family ipv4 unicast
    route-target import 65500:1
    import map IMPORT-MAP-BBB

Hope this helps

0 Helpful

Go to solution
gsancassano
Level 1
Level 1
In response to willwetherman

‎02-10-2017 11:31 AM

Hi,

I made some new tests with the "import map" command and now is working.

Thnaks to all.

0 Helpful

Go to solution
Cormac Champion
Level 1
Level 1
In response to willwetherman

‎01-16-2018 06:17 AM - edited ‎01-16-2018 07:35 AM

To leak routes between the Default VRF and another created VRF, should I be doing something like this ?

ip prefix-list IMPORT-AAA seq 5 permit 10.10.10.0/24
ip prefix-list IMPORT-AAA seq 10 permit 10.20.20.0/24
!
ip prefix-list EXPORT-BBB seq 5 permit 10.30.30.0/24
ip prefix-list EXPORT-BBB seq 10 permit 10.40.40.0/24
!
route-map IMPORT-MAP-AAA permit 10
  match ip address prefix-list IMPORT-AAA
!
route-map EXPORT-MAP-BBB permit 10
  match ip address prefix-list EXPORT-BBB
!
vrf context AAA
  address-family ipv4 unicast
    route-target both 1:1
    import map IMPORT-MAP-AAA

    import map EXPORT-MAP-BBB

 !

I tried this but no joy

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card