Re: ASR9K Route leaking between Global routing table and VRF

takao.nakamaru · ‎06-10-2015

Hello All

I am trying to check route leaking between VRF and default routing tables in IOS XR. Specifically I would like to have PE router without using any "hairpin" interfaces to be able:

- To "leak" traffic received through a BGP VPNv4 destination (not just though a directly connected CE) to a destination reachable thriugh default VRF
- To "leak" traffic received through a source reachable though global routing table to a destination reachable through a BGP VPNv4 route (not connected through a CE using locally connected interface)

IOS XR has a set of commands that control the route leaking between a VRF and Global routing table. By using them I was able to create the proper routes in VRF and global routing tables. As far as the traffic
forwarding is concerned the direction VRF => Global routing works ok but I have not been able to make the reverse work (Global => VRF)

My Topology is simple:

(PE1) [VPNA:192.168.1.1] ===> (P)[Global:172.16.2.2] ====> (PE3)

The PE1 and PE2 have configured the VRF VPNA.
I to make 172.16.2.2 (in P) through global routing table to access the VRF VPNA destination 192.168.1.1 (in PE1) and have PE2 perform the leaking between global routing table and VRF VPN.

The config in PE3:

vrf VPNA
address-family ipv4 unicast
import from default-vrf route-policy DEF2VRF advertise-as-vpn
import route-target
   123:123
!
export to default-vrf route-policy VRF2DEF
export route-target
   123:123
!
!
route-policy DEF2VRF
if destination in (172.16.2.0/24) then
    pass
else
    drop
endif
end-policy
!
route-policy VRF2DEF
if destination in (192.168.1.0/24) then
    pass
endif
end-policy
!
router bgp 65000
bgp router-id 3.3.3.3
address-family ipv4 unicast
network 172.16.2.0/24
!
address-family vpnv4 unicast
!
neighbor 1.1.1.1
remote-as 65000
update-source Loopback0
address-family ipv4 unicast
!
address-family vpnv4 unicast
!
!
vrf VPNA
rd 123:123
address-family ipv4 unicast
   network 192.168.3.3/32
   aggregate-address 192.168.1.0/24 summary-only
!
!
!

Appropriate routes are installed as expected:

RP/0/0/CPU0:PE3#sh route vrf VPNA

B    192.168.1.0/24 [200/0] via 0.0.0.0, 00:27:41, Null0
B    192.168.1.1/32 [200/0] via 1.1.1.1 (nexthop in vrf default), 00:29:53
B    172.16.2.0/24 [200/0] via 2.2.2.2 (nexthop in vrf default), 00:27:41 !!!!!!!!!!!!!! ok global route installed
L    192.168.3.3/32 is directly connected, 00:32:42, Loopback333

RP/0/0/CPU0:PE3# sh route bgp

B 192.168.1.0/24 [200/0] via 0.0.0.0 (nexthop in vrf VPNA), 00:35:19, Loopback333 !!!!! this is again ok but forwarding from default vrf => VPNA does not work. Also I cannot understand why Loopback333 is referenced here

The cef entry is created but points to a drop adjacency:

RP/0/0/CPU0:PE3#sh cef ipv4 192.168.1.1 detail
Wed Jun 10 23:31:30.488 UTC
192.168.1.0/24, version 29, drop adjacency, internal 0x5000001 0x0 (ptr 0xa13ed474) [1], 0x0 (0xa13b8680), 0x0 (0x0)
Updated Jun 10 23:29:54.094
Prefix Len 24, traffic index 0, precedence n/a, priority 4
gateway array (0xa1281334) reference count 1, flags 0x0, source rib (7), 0 backups
                [2 type 3 flags 0x8081 (0xa13368c0) ext 0x0 (0x0)]
LW-LDI[type=3, refc=1, ptr=0xa13b8680, sh-ldi=0xa13368c0]
   via point2point, Loopback333, 9 dependencies, weight 0, class 0 [flags 0x6000]
    path-idx 0 NHID 0x0 [0xa0ed8134 0x0]
    next hop VRF - 'VPNA', table - 0xe0000011
    next hop point2point
     drop adjacency

Load distribution: 0 (refcount 2)

    Hash OK Interface                 Address
    0     Y   Unknown                   drop     !!!!!!!!!!!!!!!!!!!!!

Is there a way to overcome this behavior? (I was hoping that since in VPNA a more specific route exists for 192.168.1.1/32 this could be used to forward traffic to its destination).

takao.nakamaru · ‎06-25-2015

I want to add to the previous that I have seen this behaviour working in an existing setup

Namely I have seen that in an ASR9K a VPNv4 route learned through BGP and summarized in ASR9K

B 192.168.1.0/24 [200/0] via 0.0.0.0, 00:27:41, Null0
B 192.168.1.1/32 [200/0] via 1.1.1.1 (nexthop in vrf default), 00:29:53

Then leak the summaty to the default vrf

RP/0/0/CPU0:PE3#sh route 192.168.1.0.0/24
Thu Jun 25 11:29:26.716 EEDT

Routing entry for 192.168.1.0/24
Known via "bgp 65000", distance 200, metric 0, type locally generated
Installed Jun 4 14:27:03.421 for 2w6d
Routing Descriptor Blocks
    directly connected
      Nexthop in Vrf: "VPNA", Table: "default", IPv4 Unicast, Table Id: 0xe0000011
      Route metric is 0
No advertising protos.

But the route intalled in CEF has not null0 as next hop

RP/0/0/CPU0:PE3#sh cef 192.168.1.0/24 detail
Thu Jun 25 11:30:02.755 EEDT
100.65.0.0/17, version 110110, internal 0x14000001 0x0 (ptr 0x720424ec) [1], 0x0 (0x9272cc40), 0x0 (0x0)
Updated Jun 4 14:27:03.425
Prefix Len 17, traffic index 0, precedence n/a, priority 4
gateway array (0x71568b70) reference count 1, flags 0x0, source rib (6), 0 backups
                [2 type 3 flags 0x10101 (0x716f6938) ext 0x0 (0x0)]
LW-LDI[type=3, refc=1, ptr=0x7272cc40, sh-ldi=0x716f6938]
   via point2point, 0 dependencies, weight 0, class 0 [flags 0x6000]
    path-idx 0 NHID 0x0 [0x71372090 0x0]
    next hop VRF - 'VPNA', table - 0xe0000011
    next hop point2point

Load distribution: 0 (refcount 2)

Hash OK Interface Address
0 Y Unknown Lookup in table !!!!!<<<<<===

The difference from my setup is that in this case the ASR9K is equiped with a VSM linecard for CGN. The leaking in this case aims at bypassing the NAT for certain types of traffic (moving them between global vrf and VRF VPN without passing the NAT in the VSM. The VSM should not affect the leaking behaviour but this is the only difference that I can think of.

Is it possible that route leaking from a VRF to the global routing table is affected by the VSM linecard?

yangminggl · ‎10-26-2018

Hi Takao,

Did you get this issue fixed?

Thanks!