
What is the best way to route between 2 VRF on N7k

Guohua Zhang
Level 1

We have two VRFs on our N7K and there is some traffic that needs to be routed between them. What is the best way to do this? I am thinking of creating a separate VDC as a router to do the routing. Can anybody point out if there is a problem with that or suggest a better solution? Thanks.


Gregory Snipes
Level 4

If you want to connect the two VRFs together, why do you need VRFs? You could just drop the VRF configuration and merge them together then look for a different tool to perform whatever function they are doing for you.

Could you describe your situation in more detail?

Thanks for your concern. The second VRF is used for a small group of backup storage devices. They are used for copying data from a separate data center and they request high bandwidth and low latency. Basically we created it for bypassing our FW. But those devices also need to talk to some devices in the default VRF, e.g. syslog. So we are now trying to build a route for that management traffic from one VRF to the default one.

Well, considering you only want to pass a small amount of traffic between the two VRFs, the easiest thing to do would probably be to just configure a physical interface in each VRF and connect them together. Then put an ACL on the interfaces to block all traffic except what you want, i.e. syslog.

You could still merge the two VRFs and switch over to doing policy routing to let these devices bypass the firewalls, but this would be a much more involved change.

Guohua Zhang
Level 1

Thanks, Gregory.

Routing does not seem to work when physically connecting two interfaces in each VRF on the Nexus 7000. That is why we brought up a separate VDC for it.

Does anyone have successful experience routing between two VRFs locally on N7K? Thanks.

Hi,

You can create a 3rd VRF, use it as a shared VRF, and then import the RTs from the other 2 VRFs into the 3rd VRF.

Have a look at the example below:

In this case vrf a is the shared VRF and both vrf b and c have access to it. Now, in your case, you put your syslog server or any other server that needs to be accessed by vrf b and c in vrf a.

ip vrf a
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 2:2
 route-target import 3:3
!
ip vrf b
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 route-target import 1:1
!
ip vrf c
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 route-target import 1:1

HTH
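
An added example (not part of the original post and not Cisco code): a small Python check that reads the route-target statements from the post above and reports which VRFs receive routes from which, so the intended isolation between vrf b and vrf c can be verified before deployment. The function names and the `allowed` policy set are assumptions made for illustration, and the model considers direct export/import matching only.

```python
import re

# Route-target configuration from the post above, copied as-is.
CONFIG = """
ip vrf a
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 2:2
 route-target import 3:3
!
ip vrf b
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 route-target import 1:1
!
ip vrf c
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 route-target import 1:1
"""

def parse_vrfs(text):
    """Return {vrf: {"export": set, "import": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        elif current is not None and (m := re.fullmatch(r"route-target (export|import) (\S+)", line)):
            current[m.group(1)].add(m.group(2))
    return vrfs

def leak_matrix(vrfs):
    """Map each VRF to the set of other VRFs whose exported routes it imports."""
    return {dst: {src for src, s in vrfs.items()
                  if src != dst and s["export"] & d["import"]}
            for dst, d in vrfs.items()}

def unexpected_leaks(matrix, allowed):
    """Return (src, dst) leak pairs that are not in the allowed policy set."""
    return sorted((src, dst) for dst, srcs in matrix.items()
                  for src in srcs if (src, dst) not in allowed)

if __name__ == "__main__":
    m = leak_matrix(parse_vrfs(CONFIG))
    for dst in sorted(m):
        print(f"vrf {dst} imports routes from: {sorted(m[dst])}")
```

For this configuration the check shows vrf a exchanging routes with both b and c, while b and c never import each other's routes.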

VRF with RT is a good idea to do this. I tested it with just two VRFs + BGP and it worked. We can use "export map" to control which subnets are exported from the VRF and imported into the other one.

But I still prefer using a VDC, which is like adding a separate router. It is easier with static routes, and ACLs can also easily be added for more detailed control. It worked. Thanks a lot for your concern.

Can you please rate and mark the post as answered, so others can benefit from it?

Thanks,

Hi!

"I tested it with just two VRFs + BGP and worked". Can you send me or write here an example configuration? We have a Nexus 9000 and I can't get this route-target thing to work. What kind of configuration do I have to do for BGP? If I add, for example, a static route to vrf a and want to leak it to vrf b, I think that route-target is not enough. Something else should be done also.

-Petri
