Solved: VRF export with route-policy

Tom Sverre Pedersen · ‎01-01-2022

Hello, I need to create a export route policy to the following:

Default routes get a route-target 1:2

All /32 routes get a route-target 1:3

All routes get a route-target 1:1

I have tried different route-policy here, but no luck.

Here is what I have tried so far.

VRF:

vrf FW
 address-family ipv4 unicast
  import route-target
   1:1
  !
  export route-policy rpl_fw
  export route-target
   1:1
   1:2
   1:3
  !
 !
!
end

Prefix-set

prefix-set ps_allow-default-route
  0.0.0.0/0
end-set
!
prefix-set ps_allow-32
  0.0.0.0/0 ge 32
end-set
!
prefix-set ps_allow-all
  0.0.0.0/0 le 32
end-set

route-policy

route-policy rpl_fw
  if source in ps_allow-default-route then
    set extcommunity rt 1:2
  endif
  if source in ps_allow-32 then
    set extcommunity rt 1:3
  endif
  if source in ps_allow-all then
    set extcommunity rt 1:1
  endif
end-policy
!

I get this error message when I commit:

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors

vrf FW
 address-family ipv4 unicast
  export route-policy rpl_fw
!!% Could not find entry in list: Policy [rpl_fw] uses rt set [1:2]. [1:2] must be defined before [rpl_fw] can be attached.
 !
!
end

Do I need to define those communities in a Community-set list?

/Tom

Harold Ritter · ‎01-01-2022

Hi @Tom Sverre Pedersen ,

Happy New Year!

You need to test on destination, not on source. I also added the done statement to each condition, so that processing ends after a successful match. Try the following route-policy.

route-policy rpl_fw
if destination in ps_allow-default-route then
set extcommunity rt (1:2)
done
endif
if destination in ps_allow-32 then
set extcommunity rt (1:3)
done
endif
if destination in ps_allow-all then
set extcommunity rt (1:1)
done
endif
end-policy
!

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

Harold Ritter · ‎01-07-2022

Hi @Tom Sverre Pedersen ,

> Do I need the route-policy on all the distribution switches?

No. All PE importing the RT 1:2 should automatically import the default.

> The default route gets inn to the routing table of SW-MGMT, but it did not send it to the distribution router/switch in

> SW-MGMT VRF.

Once the route is imported into a VRF, like in the case of import from VRF FW to VRF SW-MGMT, it will not be exported to other PEs. So you need to import RT 1:2 on all remote PEs where the default route is needed.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

Tom Sverre Pedersen · ‎01-01-2022

I found out that I missed () on the RT value:

route-policy rpl_fw
  if source in ps_allow-default-route then
    set extcommunity rt (1:2)
  endif
  if source in ps_allow-32 then
    set extcommunity rt (1:3)
  endif
  if source in ps_allow-all then
    set extcommunity rt (1:1)
  endif
end-policy
!

But I don't get any routes trough if I import RT 1:1 or 1:2, but if I import RT 1:3, then I see routes on the other PE, not the default route.

Is there any wrong in my Route-policy?

Harold Ritter · ‎01-01-2022

Hi @Tom Sverre Pedersen ,

Happy New Year!

You need to test on destination, not on source. I also added the done statement to each condition, so that processing ends after a successful match. Try the following route-policy.

route-policy rpl_fw
if destination in ps_allow-default-route then
set extcommunity rt (1:2)
done
endif
if destination in ps_allow-32 then
set extcommunity rt (1:3)
done
endif
if destination in ps_allow-all then
set extcommunity rt (1:1)
done
endif
end-policy
!

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Tom Sverre Pedersen · ‎01-07-2022

Happy New Year!

Sorry for late replay here.

That works, do I just need to do the export and the route-policy on one place or all the places? I import the default route on one place where it originated from one vrf to another. That default route does go to other places in that VRF.

On VRF FW (Have the originate default route, use RT 1:2 for this), I import RT 1:2 in VRF MGMT, that is in the routing table on the switch. But the next one does get that route in VRF MGMT.

Hope that make sense.

Best Regards

Tom

Harold Ritter · ‎01-07-2022

Hi @Tom Sverre Pedersen ,

> That works, do I just need to do the export and the route-policy on one place or all the places?

Can you please provide more information on your design. It is hard to answer this question without knowing what you are trying to achieve.

> I import the default route on one place where it originated from one vrf to another. That default route does go to other places > in that VRF.

That makes sense.

> I import RT 1:2 in VRF MGMT, that is in the routing table on the switch.

Makes sense as well.

> But the next one does get that route in VRF MGMT.

Can you please explain what you mean by "the next one"?

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Tom Sverre Pedersen · ‎01-07-2022

> Can you please provide more information on your design. It is hard to answer this question without knowing what you are trying to achieve.

Of course. I have a Cisco ASR9903 as core, then I use NCS540 as distribution routers/switches. I don't run a traditional P and PE setup.

I have the VRF FW on the core and on the distribution switches. Do I need the route-policy on all the distribution switches? The FW VRF have the default route in it going up to the firewall that I have, in this case I want to take that default route and put in to other VRF. That makes less interface to the firewall.

>Can you please explain what you mean by "the next one"?

I have setup for now two VRFs. One is FW and the second one is SW-MGMT(Switch management). I did import the route-target 1:2, that is default route in to SW-MGMT on the Core. The default route gets inn to the routing table of SW-MGMT, but it did not send it to the distribution router/switch in SW-MGMT VRF.

I hope this make sense.

Best Regards,

Tom

Harold Ritter · ‎01-07-2022

Hi @Tom Sverre Pedersen ,

> Do I need the route-policy on all the distribution switches?

No. All PE importing the RT 1:2 should automatically import the default.

> The default route gets inn to the routing table of SW-MGMT, but it did not send it to the distribution router/switch in

> SW-MGMT VRF.

Once the route is imported into a VRF, like in the case of import from VRF FW to VRF SW-MGMT, it will not be exported to other PEs. So you need to import RT 1:2 on all remote PEs where the default route is needed.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

MHM Cisco World · ‎01-19-2022

follow