
Nexus VRF-Lite static route leak

pfillips11
Level 1

Hello all, I am wondering if there is an "ip route VRF..." command available in NX-OS to support VRF route leaking? Thank you.

17 Replies

rsimoni
Cisco Employee

Hi,

VRF export-import of routes (a.k.a "route leaking") is supported starting with NX-OS 5.2(1) for both VRF lite and MPLS Layer 3 VPNs. This is accomplished by using VPN route target communities as part of BGP extended communities.

It is important to note that if using this for VRF lite, MPLS license is NOT required. User will be able to configure route-target commands after enabling BGP feature. Configuring route distinguisher is not needed in VRF lite scenario but is required for MPLS VPNs. User will be able to configure rd command after enabling feature mpls l3vpn, which will require MPLS license.

In other words, you cannot use static routes for that (by the way, to configure static routes in NX-OS you need to enter the vrf context).

Following is an example for MPLS VPN VRF leaking. You can use it as a template removing the RD command which is not needed for vrf-lite.

n7000(config)# feature ospf

n7000(config)# feature bgp

n7000(config)# feature mpls l3vpn

!VRF context “vpn-1” configured to import routes from VRF context “vpn-2”

n7000(config)# vrf context vpn-1

n7000(config-vrf)# rd 1:1

n7000(config-vrf)# address-family ipv4 unicast

n7000(config-vrf-af-ipv4)# route-target import 1:1

n7000(config-vrf-af-ipv4)# route-target import 2:2

n7000(config-vrf-af-ipv4)# route-target export 1:1

!VRF context “vpn-2” configured to import routes from VRF context “vpn-1”

n7000(config)# vrf context vpn-2

n7000(config-vrf)# rd 2:2

n7000(config-vrf)# address-family ipv4 unicast

n7000(config-vrf-af-ipv4)# route-target import 1:1

n7000(config-vrf-af-ipv4)# route-target import 2:2

n7000(config-vrf-af-ipv4)# route-target export 2:2

!Route-map to permit all routes

n7000(config)# route-map vpn-route-leaking permit 10

!OSPF Route Redistribution

n7000(config)# router ospf 1

n7000(config-router)# vrf vpn-1

n7000(config-router-vrf)# redistribute bgp 1 route-map vpn-route-leaking

n7000(config-router)# vrf vpn-2

n7000(config-router-vrf)# redistribute bgp 1 route-map vpn-route-leaking

!BGP Route Redistribution

n7000(config-router-vrf)# router bgp 1

n7000(config-router)# vrf vpn-1

n7000(config-router-vrf)# address-family ipv4 unicast

n7000(config-router-vrf-af)# redistribute ospf 1 route-map vpn-route-leaking

n7000(config-router)# vrf vpn-2

n7000(config-router-vrf)# address-family ipv4 unicast

n7000(config-router-vrf-af)# redistribute ospf 1 route-map vpn-route-leaking

!Interface configuration

n7000(config)# interface Ethernet2/1

n7000(config-if)# vrf member vpn-1

n7000(config-if)# ip address 192.168.10.1/24

n7000(config-if)# ip router ospf 1 area 0.0.0.0

n7000(config)# interface Ethernet2/2

n7000(config-if)# vrf member vpn-2

n7000(config-if)# ip address 192.168.11.1/24

n7000(config-if)# ip router ospf 1 area 0.0.0.0

regards,

Riccardo
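To check which VRFs actually exchange routes under a route-target scheme like the one in the reply above, the script below (an added example, not part of the original post or of any Cisco tooling) pairs each VRF's export targets with every other VRF's import targets. The sample text is constructed from the post's two contexts with prompts stripped; the `mgmt-only` VRF and the function names are hypothetical, and only plain `route-target import|export <value>` lines are handled.

```python
import re

# Constructed sample: vpn-1 and vpn-2 come from the post above (prompts stripped);
# "mgmt-only" is a hypothetical VRF added to show an isolated case.
SAMPLE_CONFIG = """\
vrf context vpn-1
  rd 1:1
  address-family ipv4 unicast
    route-target import 1:1
    route-target import 2:2
    route-target export 1:1
vrf context vpn-2
  rd 2:2
  address-family ipv4 unicast
    route-target import 1:1
    route-target import 2:2
    route-target export 2:2
vrf context mgmt-only
  address-family ipv4 unicast
    route-target import 9:9
    route-target export 9:9
"""

def parse_route_targets(config):
    """Return {vrf: {"import": set, "export": set}} from 'vrf context' blocks."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"vrf context (\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = {"import": set(), "export": set()}
        elif raw[:1].strip():
            current = None  # any other unindented line ends the vrf context block
        else:
            m = re.match(r"route-target (import|export) (\S+)", line)
            if m and current:
                vrfs[current][m.group(1)].add(m.group(2))
    return vrfs

def leak_edges(vrfs):
    """Return sorted (exporter, importer, shared_targets) for each cross-VRF import."""
    return sorted((src, dst, tuple(sorted(s["export"] & d["import"])))
                  for src, s in vrfs.items() for dst, d in vrfs.items()
                  if src != dst and s["export"] & d["import"])

if __name__ == "__main__":
    for src, dst, rts in leak_edges(parse_route_targets(SAMPLE_CONFIG)):
        print(f"{src} -> {dst} via route-target {', '.join(rts)}")
```

Any edge in the output is a path across the VRF boundary; with the post's permit-all route-map, every route carrying that target is accepted.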

Hi Ricardo,

thanks for that answer though I've got some questions.

How can MP-BGP know what to import/export if you don't use the rd command?

I mean, the route-target import/export commands explicitly use the value you enter in the rd command.

Also, I was wondering if inter-VRF lite route-leaking is supported on the Nexus 5500 with L3 module+license?

The N5500 unicast routing cfg guide contains some VRF commands, but it doesn't say anything about the existence of the route-target import/export commands.

Thanks

Hi

Route target import / export commands use extended community, which is not the same as RD. RD setting is not required in VRF-lite scenario. In a simple example with BGP doing route leaking, BGP router has no neighbors to send VPNv4/v6 route to, and VPNv4/v6 prefix is the one that needs to have not just IP address but also RD. If we are not doing MPLS VPN, then it's not required.

Nexus 5500 with L3 module + license does not currently support route leaking, but it does have support for VRFs and VRF awareness for every component, just like Nexus 7000 was doing prior to release 5.2.

Hope this helps,

Arkadiy Shapiro

Hi,

It works very well between 2 VRFs.

But how can I achieve route leaking between VRF default and another VRF? Because it's not possible to use the "route-target" command with VRF default.

Thanks.

I am also having a problem leaking between VRF default and another VRF.  Here are the possibilities under the vrf, address-family ipv4 unicast :

7K_nexus(config-vrf-af-ipv4)# ?

  maximum  Set a limit

  no       Negate a command or set its defaults

  end      Go to exec mode

  exit     Exit from command interpreter

  pop      Pop mode from stack or restore from name

  push     Push current mode to stack or save it under name

  where    Shows the cli context you are in

7K_nexus(config-vrf-af-ipv4)#

Thanks,

dennis

I know it's been over 3 years... does having a working static route between the VRFs (VRF-lite only) require BGP features? Can this task be done in any other way?

Thanks,

Static extranet route can work OK without BGP.

Can you elaborate? I'm on NX-OS 6.2.

Yes, it's in 6.2. What specific config are you trying to put in?

I need to route a specific TCP traffic from VRFA to VRFB (single hop), and prefer not to use BGP for this minor task.

 

VRFA
 VLAN 100(1.1.1.1/16)

VRFB
 VLAN 200(1.2.1.1/16)

 

 

You can use policy based routing (PBR) as well for route leaking between VRFs. You need to use the "set vrf" feature of PBR. Something like the following:

feature pbr

vlan 10,20

vrf context vlanA
vrf context vlanB

ip access-list vlanA_to_vlanB
permit ip 10.10.10.0/24 10.10.20.0/24
ip access-list vlanB_to_vlanA
permit ip 10.10.20.0/24 10.10.10.0/24

 

route-map vlanA_to_vlanB
match ip address vlanA_to_vlanB
set vrf vlanB
route-map vlanB_to_vlanA
match ip address vlanB_to_vlanA
set vrf vlanA

 

int vlan10
vrf member vlanA
ip add 10.10.10.1/24
ip policy route-map vlanA_to_vlanB

 

int vlan20
vrf member vlanB
ip add 10.10.20.1/24
ip policy route-map vlanB_to_vlanA

Hope this helps.
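To see where a PBR configuration like the one above moves traffic out of an interface's own VRF, the script below (an added example, not part of the original post) matches each interface's `vrf member` against the `set vrf` of its policy route-map. The sample is constructed in running-config form from the post's names; `Vlan30`, `local_only` and the function name are hypothetical, and a route-map with several sequences is reduced to its last `set vrf`.

```python
# Constructed sample based on the post above; Vlan30 and local_only are
# hypothetical additions showing a policy that stays inside its VRF.
SAMPLE_CONFIG = """\
route-map vlanA_to_vlanB permit 10
  match ip address vlanA_to_vlanB
  set vrf vlanB
route-map vlanB_to_vlanA permit 10
  match ip address vlanB_to_vlanA
  set vrf vlanA
route-map local_only permit 10
  match ip address vlanA_to_vlanB
interface Vlan10
  vrf member vlanA
  ip address 10.10.10.1/24
  ip policy route-map vlanA_to_vlanB
interface Vlan20
  vrf member vlanB
  ip address 10.10.20.1/24
  ip policy route-map vlanB_to_vlanA
interface Vlan30
  vrf member vlanA
  ip policy route-map local_only
"""

def pbr_vrf_crossings(config):
    """Return sorted (interface, member_vrf, route_map, target_vrf) where the
    policy route-map's 'set vrf' differs from the interface's own VRF."""
    set_vrf, ifaces, kind, name = {}, {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # unindented line starts a new stanza
            kind, name = words[0], words[1] if len(words) > 1 else ""
            if kind == "interface":
                ifaces[name] = {"vrf": "default", "policy": None}
        elif kind == "route-map" and words[:2] == ["set", "vrf"]:
            set_vrf[name] = words[2]
        elif kind == "interface" and words[:2] == ["vrf", "member"]:
            ifaces[name]["vrf"] = words[2]
        elif kind == "interface" and words[:3] == ["ip", "policy", "route-map"]:
            ifaces[name]["policy"] = words[3]
    return sorted((i, d["vrf"], d["policy"], set_vrf[d["policy"]])
                  for i, d in ifaces.items()
                  if d["policy"] in set_vrf and set_vrf[d["policy"]] != d["vrf"])

if __name__ == "__main__":
    for row in pbr_vrf_crossings(SAMPLE_CONFIG):
        print("%s (vrf %s): route-map %s sets vrf %s" % row)
```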

Thanks!

I am trying to use this configuration on a N9K but it won't accept the "SET VRF xxx" command.

 

Is this no longer supported or has the method of implementation changed ?

 

None of my 9Ks have that, and I have multiple models, but my 7Ks do. The 9Ks don't have the same full NX-OS feature list as the 7Ks; that's one of the reasons they're so much cheaper.

(config-route-map)# set ?
as-path Prepend string for a BGP AS-path attribute
comm-list Set BGP community list (for deletion)
community Set BGP community attribute
dampening Set BGP route flap dampening parameters
distance Set the Administrative distance of route
extcomm-list Set BGP extcommunity list (for deletion)
extcommunity Set BGP extcommunity attribute
forwarding-address Set the forwarding address
interface Output interface
ip Configure IP features
ipv6 Configure IPv6 features
level Where to import route
local-preference BGP local preference path attribute
metric Set metric for destination routing protocol
metric-type Type of metric for destination routing protocol
nssa-only OSPF NSSA Areas
origin BGP origin code
path-selection Path selection criteria for BGP
tag Tag value for destination routing protocol
vrf Set the VRF for next-hop resolution
weight BGP weight for routing table

(config-route-map)# do sh ver | i 7
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
kickstart image file is: bootflash:///n7000-s1-kickstart-npe.6.2.16.bin


9ks
(config-route-map)# set ?
as-path Prepend string for a BGP AS-path attribute
comm-list Set BGP community list (for deletion)
community Set BGP community attribute
dampening Set BGP route flap dampening parameters
distance Set the Administrative distance of route
extcomm-list Set BGP extcommunity list (for deletion)
extcommunity Set BGP extcommunity attribute
forwarding-address Set the forwarding address
interface Output interface
ip Configure IP features
ipv6 Configure IPv6 features
label-index Set Segment Routing (SR) label index of route
level Where to import route
local-preference BGP local preference path attribute
metric Set metric for destination routing protocol
metric-type Type of metric for destination routing protocol
nssa-only OSPF NSSA Areas
origin BGP origin code
path-selection Path selection criteria for BGP
tag Tag value for destination routing protocol
weight BGP weight for routing table

(config-route-map)# do sh ver | i 9
cisco Nexus9000 93180YC-EX chassis


From a doc I just checked:
The Cisco Nexus 9000 Series switches do not support the set vrf and set default next-hop commands. Policy-based routing traffic cannot be ...

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3pbr.html