Recently we implemented VRF-Lite in our structure.
In that job we also implemented route leaking between customer VRFs and our VRF (where we provide some services such as backup, monitoring, NFS/iSCSI), etc., etc., etc...
We control that route leaking with route-maps (there are many examples in this forum).
It is working fine, and does not consume as much resource on our cores as we were expecting.
But what we would like to do is to filter the traffic passing from one VRF to another VRF.
Let's imagine that those VRFs were different physical routers.
There would be a common interface between them.
And it would be possible to apply ACLs on those interfaces.
What we want to do is something like that, but inside the same router, between the VRFs.
I tried to search for some solution to that (Google, Cisco, support forum), but I think that I'm not using the correct terms in the search.
I was looking at the possible commands related to that and I found:
Possibility A
- This is the VRF of our customer, and my understanding of that command is that any traffic leaked from this VRF via BGP would be sourced from a specific loopback, and there we would apply the ACLs that we need. Am I right?
core-siteA(config)#ip vrf costumer-a
core-siteA(config-vrf)#?
VPN Routing/Forwarding instance configuration commands:
bgp Commands pertaining to BGP
default Set a command to its defaults
description VRF specific description
exit Exit from VRF configuration mode
export VRF export
import VRF import
inter-as-hybrid Inter AS hybrid mode
maximum Set a limit
mdt Backbone Multicast Distribution Tree
no Negate a command or set its defaults
protection Configure local repair
rd Specify Route Distinguisher
route-target Specify Target VPN Extended Communities
snmp Modify snmp parameters
vpn Configure VPN ID as specified in rfc2685
core-siteA(config-vrf)#bgp ?
next-hop Next-hop for the routes of a VRF in the backbone
core-siteA(config-vrf)#bgp next-hop ?
Loopback Loopback interface
core-siteA(config-vrf)#bgp next-hop loopback ?
<0-2147483647> Loopback interface number
core-siteA(config-vrf)#bgp next-hop loopback 0 ?
<cr>
Possibility B
- This would be the route-map used on route leaking, and the idea in this case is to force the traffic that goes to the our-company VRF to pass through a specific loopback, and there we would apply the ACLs that we need. But my doubt is whether this SET can be used on a route-leaking route-map!?!
core-siteA(config)#route-map VRF_COSTUMER-A_TO_OUR-COMPANY permit 10
core-siteA(config-route-map)#set ?
as-path Prepend string for a BGP AS-path attribute
automatic-tag Automatically compute TAG value
clns OSI summary address
comm-list set BGP community list (for deletion)
community BGP community attribute
dampening Set BGP route flap dampening parameters
default Set default information
extcomm-list Set BGP/VPN extended community list (for deletion)
extcommunity BGP extended community attribute
global Set to global routing table
interface Output interface
ip IP specific information
ipv6 IPv6 specific information
level Where to import route
local-preference BGP local preference path attribute
metric Metric value for destination routing protocol
metric-type Type of metric for destination routing protocol
mpls-label Set MPLS label for prefix
origin BGP origin code
tag Tag value for destination routing protocol
traffic-index BGP traffic classification number for accounting
vrf Define VRF name
weight BGP weight for routing table
core-siteA(config-route-map)#set ip ?
address Specify IP address
default Set default information
df Set DF bit
global global routing table
next-hop Next hop address
precedence Set precedence field
qos-group Set QOS Group ID
tos Set type of service field
vrf VRF name
core-siteA(config-route-map)#set ip vrf ?
WORD VRF name
core-siteA(config-route-map)#set ip vrf our-company ?
next-hop Next hop address
core-siteA(config-route-map)#set ip vrf our-company next-hop ?
A.B.C.D IP address of next hop
core-siteA(config-route-map)#set ip vrf our-company next-hop 10.10.10.10 ?
A.B.C.D IP address of next hop
<cr>
Could anyone make some correction or suggestion?