01-02-2012 04:09 AM - edited 03-07-2019 04:08 AM
Hello all, I am wondering if there is "ip route VRF..." command available in NX-OS to support VRF route leaking? Thank you.
01-02-2012 05:21 AM
Hi,
VRF export-import of routes (a.k.a "route leaking") is supported starting with NX-OS 5.2(1) for both VRF lite and MPLS Layer 3 VPNs. This is accomplished by using VPN route target communities as part of BGP extended communities.
It is important to note that if using this for VRF lite, MPLS license is NOT required. User will be able to configure route-target commands after enabling BGP feature. Configuring route distinguisher is not needed in VRF lite scenario but is required for MPLS VPNs. User will be able to configure rd command after enabling feature mpls l3vpn, which will require MPLS license.
In other words, you cannot use static routes for that (by the way, to configure static routes in NX-OS you need to enter the vrf context).
Following is an example for MPLS VPN VRF leaking. You can use it as a template removing the RD command which is not needed for vrf-lite.
n7000(config)# feature ospf
n7000(config)# feature bgp
n7000(config)# feature mpls l3vpn
!VRF context “vpn-1” configured to import routes from VRF context “vpn-2”
n7000(config)# vrf context vpn-1
n7000(config-vrf)# rd 1:1
n7000(config-vrf)# address-family ipv4 unicast
n7000(config-vrf-af-ipv4)# route-target import 1:1
n7000(config-vrf-af-ipv4)# route-target import 2:2
n7000(config-vrf-af-ipv4)# route-target export 1:1
!VRF context “vpn-2” configured to import routes from VRF context “vpn-1”
n7000(config)# vrf context vpn-2
n7000(config-vrf)# rd 2:2
n7000(config-vrf)# address-family ipv4 unicast
n7000(config-vrf-af-ipv4)# route-target import 1:1
n7000(config-vrf-af-ipv4)# route-target import 2:2
n7000(config-vrf-af-ipv4)# route-target export 2:2
!Route-map to permit all routes
n7000(config)# route-map vpn-route-leaking permit 10
!OSPF Route Redistribution
n7000(config)# router ospf 1
n7000(config-router)# vrf vpn-1
n7000(config-router-vrf)# redistribute bgp 1 route-map vpn-route-leaking
n7000(config-router)# vrf vpn-2
n7000(config-router-vrf)# redistribute bgp 1 route-map vpn-route-leaking
!BGP Route Redistribution
n7000(config-router-vrf)# router bgp 1
n7000(config-router)# vrf vpn-1
n7000(config-router-vrf)# address-family ipv4 unicast
n7000(config-router-vrf-af)# redistribute ospf 1 route-map vpn-route-leaking
n7000(config-router)# vrf vpn-2
n7000(config-router-vrf)# address-family ipv4 unicast
n7000(config-router-vrf-af)# redistribute ospf 1 route-map vpn-route-leaking
!Interface configuration
n7000(config)# interface Ethernet2/1
n7000(config-if)# vrf member vpn-1
n7000(config-if)# ip address 192.168.10.1/24
n7000(config-if)# ip router ospf 1 area 0.0.0.0
n7000(config)# interface Ethernet2/2
n7000(config-if)# vrf member vpn-2
n7000(config-if)# ip address 192.168.11.1/24
n7000(config-if)# ip router ospf 1 area 0.0.0.0
regards,
Riccardo
03-13-2012 12:42 PM
Hi Riccardo,
thanks for that answer though I've got some questions.
How can MP-BGP know what to import/export if you don't use the rd command?
I mean, the route-target import/export commands explicitly use the value you enter in the rd command.
Also, I was wondering if inter-VRF lite route-leaking is supported on the Nexus 5500 with L3 module+license?
The N5500 unicast routing cfg guide contains some VRF commands, but it doesn't say anything about the existence of the route-target import/export commands.
Thanks
03-28-2012 12:21 PM
Hi
Route target import/export commands use an extended community, which is not the same as the RD. An RD setting is not required in a VRF-lite scenario. In a simple example with BGP doing route leaking, the BGP router has no neighbors to send VPNv4/v6 routes to, and the VPNv4/v6 prefix is the one that needs to have not just an IP address but also an RD. If we are not doing MPLS VPN, then it's not required.
Nexus 5500 with L3 module + license does not currently support route leaking, but it does have support for VRFs and VRF awareness for every component, just like Nexus 7000 was doing prior to release 5.2.
Hope this helps,
Arkadiy Shapiro
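The route-target matching used by the configuration earlier in this thread, and the point in the reply above that route targets work independently of the RD, as an added example that is not part of any post here. It parses `vrf context` stanzas and reports which VRFs import routes from which, so an unintended leak across a segmentation boundary can be caught in review; the sample config, the `mgmt-only` VRF and all function names are constructed for illustration.

```python
import re

# Constructed sample: the "vrf context" stanzas from the thread's example with
# prompts removed. vpn-2 has no "rd" (VRF-lite case); "mgmt-only" is a
# hypothetical third VRF that should stay isolated.
SAMPLE_CONFIG = """\
vrf context vpn-1
  rd 1:1
  address-family ipv4 unicast
    route-target import 1:1
    route-target import 2:2
    route-target export 1:1
vrf context vpn-2
  address-family ipv4 unicast
    route-target import 1:1
    route-target import 2:2
    route-target export 2:2
vrf context mgmt-only
  address-family ipv4 unicast
    route-target import 9:9
    route-target export 9:9
"""

def parse_vrfs(config):
    """Return {vrf: {"rd": str or None, "import": set, "export": set}}."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):  # a top-level line starts a new stanza
            m = re.fullmatch(r"vrf context (\S+)", line)
            current = vrfs.setdefault(
                m.group(1), {"rd": None, "import": set(), "export": set()}
            ) if m else None
        elif current is not None:
            if m := re.fullmatch(r"rd (\S+)", line):
                current["rd"] = m.group(1)
            elif m := re.fullmatch(r"route-target (import|export) (\S+)", line):
                current[m.group(1)].add(m.group(2))
    return vrfs

def leak_matrix(vrfs):
    """Map each VRF to the other VRFs whose exported route targets it imports."""
    return {
        name: sorted(o for o, ov in vrfs.items()
                     if o != name and v["import"] & ov["export"])
        for name, v in vrfs.items()
    }

def unexpected_leaks(vrfs, allowed):
    """Return (importer, exporter) pairs that are not in the allowed set."""
    pairs = {(imp, exp) for imp, exps in leak_matrix(vrfs).items() for exp in exps}
    return sorted(pairs - set(allowed))
```
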
03-28-2013 11:01 AM
Hi,
It works very well between 2 VRFs.
But how can I achieve route leaking between VRF default and another VRF? Because it's not possible to use the "route-target" command with VRF default.
Thanks.
08-13-2013 07:11 AM
I am also having a problem leaking between VRF default and another VRF. Here are the possibilities under the vrf, address-family ipv4 unicast :
7K_nexus(config-vrf-af-ipv4)# ?
maximum Set a limit
no Negate a command or set its defaults
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
7K_nexus(config-vrf-af-ipv4)#
Thanks,
dennis
08-20-2014 11:11 AM
I know it's been over 3 years... does having a working static route between the VRFs (VRF-lite only) require BGP features? Can this task be done in any other way?
Thanks,
08-20-2014 05:01 PM
A static extranet route can work OK without BGP.
08-20-2014 05:11 PM
Can you elaborate? I'm on NX-OS 6.2.
08-20-2014 05:12 PM
Yes, it's in 6.2. What specific config are you trying to put in?
08-20-2014 05:50 PM
I need to route specific TCP traffic from VRFA to VRFB (single hop), and prefer not to use BGP for this minor task.
VRFA
VLAN 100(1.1.1.1/16)
VRFB
VLAN 200(1.2.1.1/16)
08-20-2014 11:27 PM
You can use policy-based routing (PBR) as well for route leaking between VRFs. You need to use the "set vrf" feature of PBR. Something like the following:
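feature pbr
feature interface-vlan
vlan 10,20
vrf context vlanA
vrf context vlanB
! Traffic from the vlanA subnet to the vlanB subnet
ip access-list vlanA_to_vlanB
  permit ip 10.10.10.0/24 10.10.20.0/24
! Return traffic from the vlanB subnet to the vlanA subnet
ip access-list vlanB_to_vlanA
  permit ip 10.10.20.0/24 10.10.10.0/24
! Packets matching the ACL are forwarded using the other VRF's routing table
route-map vlanA_to_vlanB
  match ip address vlanA_to_vlanB
  set vrf vlanB
route-map vlanB_to_vlanA
  match ip address vlanB_to_vlanA
  set vrf vlanA
! Apply each policy on the ingress SVI of its own VRF
interface Vlan10
  vrf member vlanA
  ip address 10.10.10.1/24
  ip policy route-map vlanA_to_vlanB
interface Vlan20
  vrf member vlanB
  ip address 10.10.20.1/24
  ip policy route-map vlanB_to_vlanA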
Hope this helps.
08-21-2014 04:42 AM
Thanks!
01-16-2018 04:49 AM
I am trying to use this configuration on a N9K but it won't accept the "SET VRF xxx" command.
Is this no longer supported or has the method of implementation changed?
01-16-2018 05:08 AM