04-28-2016 08:30 AM - edited 03-08-2019 05:32 AM
Good Morning.
Maybe my understanding of VRFs and Inter-VRF routing is still somewhat poor, so I apologize in advance if my question turns out to be inappropriate.
I tried to depict my very simple scenario and the simulation I tried to deploy in the attached image.
Basically, I have a network connected to the internet and I want to create a new VRF and share the internet connection with it, and I'm not allowed to use any routing protocol.
Mainly, everything happens on a Cisco 6500.
Current production Network
global routing: 172.17.0.0/16
VLAN:1
SVI: 172.17.1.1
VRF RED
network: 172.23.0.0/16
VLAN:10
SVI: 172.23.1.1
The aim of the simulation is pinging "8.8.8.8", the loopback on the remote router, from the 172.23.1.2 router on the RED VRF.
Besides the other static routes, at the beginning I added the following command on the 6500:
ip route vrf red 8.8.8.8 255.255.255.255 172.17.1.2 global
With this command I have seen that I can reach the loopback interface of the "remote" router with address 8.8.8.8 from the 172.23.1.2, the router replies back, but the answer ends on the 6500 (debug ip icmp), which is not able to send it back to the VRF RED.
So I thought that the "global" keyword allowed me to switch from VRF to global, but I need something to get the replies back from global to VRF.
So I configured a little PBR:
! access-list to select traffic
ip access-list extended to-red
 permit ip any 172.23.0.0 0.0.255.255
! Route map to set the vrf
route-map to-red permit 10
 match ip address to-red
 set vrf red
! set the policy on the interface VLAN1
interface Vlan1
 ip policy route-map to-red
Well, doing so, it works.
I successfully ping 8.8.8.8 from the 172.23.1.2 router!
But..
What if I need to add another "independent" VRF, or I need to use the 172.23.0.0/16 on the global routing table itself?
I believe that with this configuration, at minimum, only the 172.23.0.0 from the RED VRF would be able to use the internet.
So, this configuration ends up similar to simply creating another VLAN/Subnet on the same global routing, I think.
So, is it possible to configure some route leaking and share the same internet link among the global routing and other VRFs, using only static routes?
Many thanks for your precious help.
04-28-2016 02:42 PM
Hi,
You should be able to do this with multiple static routes pointing to the global routing table.
ip route vrf red 8.8.8.8 255.255.255.255 172.17.1.2 global
ip route vrf green 8.8.8.8 255.255.255.255 172.17.1.2 global
ip route vrf white 8.8.8.8 255.255.255.255 172.17.1.2 global
0.0.0.0 to Internet
HTH
04-28-2016 09:43 PM
Good Morning Reza,
thank you for your kind reply.
However, I have already done what you suggest for the "RED" VRF:
ip route vrf red 8.8.8.8 255.255.255.255 172.17.1.2 global
and it didn't work.
Not without adding that little PBR to let the traffic back to the RED VRF.
As far as I understand, that little PBR means, however, that any traffic from the Internet to 172.23.0.0/16 would be set on the RED VRF.
So, the one and only 172.23.0.0/16 prefix that would be able to go on the Internet is the one from the RED VRF.
If I had any other VRF or I wanted to use the same prefix on the global routing table itself, I couldn't use it to go to the internet.
This sounds very close to simply adding a new VLAN\Subnet to the 6500 and assigning it the 172.23.0.0/16 prefix.
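Added example, not part of the thread or any poster's configuration: a simplified Python model of the table lookups discussed above, showing the reply dropped without the PBR, delivered to RED with it, and still delivered to RED when a second VRF reuses the prefix. The table contents are constructed from the addresses in the first post, the GREEN VRF reusing 172.23.0.0/16 is a hypothetical, and the model covers only route lookup, not the rest of IOS forwarding.

```python
import ipaddress

# Constructed tables from the thread's addresses; a simplified lookup model,
# not a reproduction of IOS forwarding.
TABLES = {
    "global": {"172.17.0.0/16": ("connected", "global")},
    "red": {
        "172.23.0.0/16": ("connected", "red"),
        # ip route vrf red 8.8.8.8 255.255.255.255 172.17.1.2 global
        "8.8.8.8/32": ("172.17.1.2", "global"),
    },
}
# route-map to-red on Vlan1: match 172.23.0.0 0.0.255.255 -> set vrf red
PBR_VLAN1 = [("172.23.0.0/16", "red")]

def lookup(tables, table, dst):
    """Longest-prefix match in one table: (next_hop, egress_table) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in tables[table].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None

def forward(tables, ingress_table, dst, pbr=()):
    """Pick the lookup table (first PBR match overrides ingress), then route."""
    addr = ipaddress.ip_address(dst)
    table = ingress_table
    for prefix, vrf in pbr:
        if addr in ipaddress.ip_network(prefix):
            table = vrf
            break
    return lookup(tables, table, dst)

def demo():
    # Hypothetical second VRF that reuses RED's prefix (an assumption).
    two_vrfs = dict(TABLES, green={"172.23.0.0/16": ("connected", "green")})
    return {
        "request_from_red": forward(TABLES, "red", "8.8.8.8"),
        "reply_no_pbr": forward(TABLES, "global", "172.23.1.2"),
        "reply_with_pbr": forward(TABLES, "global", "172.23.1.2", PBR_VLAN1),
        "reply_to_green_host": forward(two_vrfs, "global", "172.23.1.2", PBR_VLAN1),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result lands in RED even though the destination host is meant to be in GREEN: the policy matches on destination prefix only, so it cannot tell two VRFs with the same addressing apart.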