reachability issues between VRF and global route table

adamehill87
Level 1

Hello all

I am running into an issue where even though I'm able to successfully leak routes from a VRF to the global routing table and vice versa, devices inside the VRF (4.149.253.0/24) and devices from the global routing table (13.38.0.0/28) are still unable to ping each other. Traceroutes sourcing from either of the networks will die as soon as they get to core 4 where the route leaking is happening. Below is pertinent info concerning the network.

TOPOLOGY

adamehill87_0-1714360650971.png

 

CORE 4 INFO WHERE ROUTE LEAKING IS HAPPENING

RUNNING CONFIG
vrf definition ENTERPRISE-A
 rd 23444:4
 route-target export 22:23444
 route-target import 22:23444
 address-family ipv4
  import ipv4 unicast map GLOBAL_TO_ENTA
  export ipv4 unicast map ENTA_TO_GLOBAL
 exit-address-family
!
interface GigabitEthernet2.40
 encapsulation dot1Q 40
 vrf forwarding ENTERPRISE-A
 ip address 3.222.44.4 255.255.255.0
!
route-map GLOBAL_TO_ENTA permit 10
 match ip address prefix-list DEFAULT
!
route-map ENTA_TO_GLOBAL permit 10
 match ip address prefix-list ENTA-PUBLICS
!
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
ip prefix-list ENTA-PUBLICS seq 5 permit 4.149.253.0/24
!
router bgp 300
 !
 address-family ipv4
  network 0.0.0.0
 !
 address-family ipv4 vrf ENTERPRISE-A
  redistribute connected
  neighbor 3.222.44.44 remote-as 300
  neighbor 3.222.44.44 activate
  neighbor 3.222.44.44 route-reflector-client
 exit-address-family


GLOBAL BGP TABLE
BGP routing table entry for 4.149.253.0/24, version 103
Paths: (1 available, best #1, table default)
Advertised to update-groups:
4 6
Refresh Epoch 3
23444, (Received from a RR-client), imported path from 23444:4:4.149.253.0/24 (ENTERPRISE-A)
3.222.44.44 from 3.222.44.44 (3.0.0.44)
Origin IGP, metric 0, localpref 100, valid, internal, best
Extended Community: RT:22:23444
rx pathid: 0, tx pathid: 0x0
Updated on Apr 29 2024 01:17:09 UTC
!
BGP routing table entry for 0.0.0.0/0, version 2
Paths: (1 available, best #1, table default)
Advertised to update-groups:
4 6
Refresh Epoch 1
Local
0.0.0.0 from 0.0.0.0 (3.0.0.4)
Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, af-export(1), best
rx pathid: 0, tx pathid: 0x0
Updated on Apr 29 2024 01:12:56 UTC


GLOBAL ROUTING TABLE
Routing entry for 4.149.253.0/24
Known via "bgp 300", distance 200, metric 0
Tag 23444, type internal
Last update from 3.222.44.44 01:06:12 ago
Routing Descriptor Blocks:
* 3.222.44.44 (ENTERPRISE-A), from 3.222.44.44, 01:06:12 ago
opaque_ptr 0x7F19CAEFC608
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 23444
MPLS label: none
!
Routing entry for 13.38.0.0/28
Known via "ospf 300", distance 110, metric 2, type intra area
Last update from 3.20.34.3 on GigabitEthernet1, 01:18:21 ago
Routing Descriptor Blocks:
* 3.20.34.3, from 255.255.255.3, 01:18:21 ago, via GigabitEthernet1
Route metric is 2, traffic share count is 1
!
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0 (connected), candidate default path
Advertised by bgp 300
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1


VRF BGP TABLE
BGP routing table entry for 23444:4:4.149.253.0/24, version 23
Paths: (2 available, best #1, table ENTERPRISE-A)
Advertised to update-groups:
1
Refresh Epoch 3
23444, (Received from a RR-client)
3.222.44.44 (via vrf ENTERPRISE-A) from 3.222.44.44 (3.0.0.44)
Origin IGP, metric 0, localpref 100, valid, internal, best
Extended Community: RT:22:23444
rx pathid: 0, tx pathid: 0x0
Updated on Apr 29 2024 01:17:09 UTC
Refresh Epoch 3


VRF ROUTING TABLE
Routing Table: ENTERPRISE-A
Routing entry for 4.149.253.0/24
Known via "bgp 300", distance 200, metric 0
Tag 23444, type internal
Last update from 3.222.44.44 01:16:05 ago
Routing Descriptor Blocks:
* 3.222.44.44, from 3.222.44.44, 01:16:05 ago
opaque_ptr 0x7F1956340438
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 23444
MPLS label: none

 


You need a default route or static route in Core3 toward Core4 for LO leaking

Or run IGP between Core3 and Core4

MHM

Thanks for responding.

I have OSPF running between core3 and core4, and core4 knows of core3's routes via OSPF. core4 and core3 can reach each other with no issues at all ..... it's just access44 (that lives in VRF) that is unable to get to core3.

 

Under bgp in leak

Redistribute ospf x (optional: you can use a route-map to filter which prefixes are injected into bgp from ospf)

Also you need to redistribute bgp into ospf in the leaking router

MHM

Got it.

So I did your suggestion and tried redistributing OSPF into BGP on the leak router (core4) but pings still fail between VRF and global. I also redistributed BGP into OSPF via mutual redistribution just to make sure.

Can I see your last config after adding the redistribute?

Thanks 

MHM

balaji.bandi
Hall of Fame

How does your configuration look between CORE4 and CORE3? Can you provide the configuration and the routing table CORE4 is learning from non-VRF Router 3?

Look at the example below:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xr-software/218336-configure-route-leak-between-grt-and-vrf.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

CORE4 CONFIG TOWARDS CORE3

interface GigabitEthernet1
 ip address 3.20.34.4 255.255.255.248
 ip ospf network point-to-point
 ipv6 ospf 300 area 0
end

!

router ospf 300
 router-id 255.255.255.4
 network 0.0.0.0 255.255.255.255 area 0

!

Neighbor ID     Pri   State           Dead Time   Address         Interface
255.255.255.3     0   FULL/  -        00:00:37    3.20.34.3       GigabitEthernet1

!

Routing entry for 13.38.0.0/28
Known via "ospf 300", distance 110, metric 2, type intra area
Last update from 3.20.34.3 on GigabitEthernet1, 01:18:21 ago
Routing Descriptor Blocks:
* 3.20.34.3, from 255.255.255.3, 01:18:21 ago, via GigabitEthernet1
Route metric is 2, traffic share count is 1

!

traceroute 13.38.0.3
Type escape sequence to abort.
Tracing the route to 13.38.0.3
VRF info: (vrf in name/id, vrf out name/id)
1 3.20.34.3 2 msec * 1 msec

Can you post the redistribution config of Core4 and Core3?

show ip route / show ip route vrf all from all the devices?

 

BB


Harold Ritter
Cisco Employee

Hi @adamehill87 ,

It is normal that traffic in the vrf to global direction is getting dropped. You only leak the default route to the vrf and that default route has a next hop of null0 on Core4. You should leak 13.38.0.0/28 from the global to the vrf.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
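
An added example, not part of the thread or any poster's configuration: a small Python audit that resolves the `import`/`export ipv4 unicast map` statements on Core4 to their prefix-lists, listing which prefixes cross the VRF boundary in each direction and flagging the condition described in the reply above (only a default imported while the global default points to Null0). The config text is constructed from the original post; the `ip route ... Null0` line and the function names are assumptions.

```python
import re

# Constructed sample: leak-related lines of the Core4 config quoted in the thread.
# The static default to Null0 is an assumption (the thread shows it only in the RIB).
CORE4 = """\
vrf definition ENTERPRISE-A
 address-family ipv4
  import ipv4 unicast map GLOBAL_TO_ENTA
  export ipv4 unicast map ENTA_TO_GLOBAL
route-map GLOBAL_TO_ENTA permit 10
 match ip address prefix-list DEFAULT
route-map ENTA_TO_GLOBAL permit 10
 match ip address prefix-list ENTA-PUBLICS
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
ip prefix-list ENTA-PUBLICS seq 5 permit 4.149.253.0/24
ip route 0.0.0.0 0.0.0.0 Null0
"""

def leaked_prefixes(config):
    """Map (vrf, 'import'|'export') to the prefix-list entries its leak map permits."""
    plists, rmaps, leaks = {}, {}, []
    vrf = rmap = None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"vrf definition (\S+)", s):
            vrf = m[1]
        elif m := re.match(r"(import|export) ipv4 unicast map (\S+)", s):
            leaks.append((vrf, m[1], m[2]))
        elif m := re.match(r"route-map (\S+) permit", s):
            rmap = m[1]
        elif m := re.match(r"match ip address prefix-list (\S+)", s):
            rmaps.setdefault(rmap, []).append(m[1])
        elif m := re.match(r"ip prefix-list (\S+) seq \d+ permit (.+)", s):
            plists.setdefault(m[1], []).append(m[2])  # keeps any ge/le suffix
    return {(v, d): [p for pl in rmaps.get(rm, []) for p in plists.get(pl, [])]
            for v, d, rm in leaks}

def default_only_imports(config):
    """VRFs that import nothing but 0.0.0.0/0 while the global default is Null0."""
    to_null = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 Null0\b", config, re.M)
    return [v for (v, d), p in leaked_prefixes(config).items()
            if d == "import" and p == ["0.0.0.0/0"] and to_null]

if __name__ == "__main__":
    for key, prefixes in leaked_prefixes(CORE4).items():
        print(key, prefixes)
    print("default-only import to Null0:", default_only_imports(CORE4))
```

Adding a `13.38.0.0/28` entry to the imported prefix-list clears the flag, and the per-direction listing doubles as a record of exactly what is allowed across the VRF boundary.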

Thank you for this!

I took your suggestion and leaked 13.38.0.0/28 into the VRF and I now have reachability. However, is it possible to leak a default into the VRF, so that I don't always have to leak every prefix from the global table in order to reach it from the VRF?

Does Access 4 have a default route learned from Core4 (leak router)?

I will check in lab this case 

Update you

MHM

Yes, I generated a default on core4's global table and leaked it into the VRF for access 4 to learn it .... but I got my issue resolved. I realized that I can't leak only default routes into a VRF; I have to leak all the specific prefixes in order to get reachability, so I am good to go now. Thank you again for your help!

You are very welcome @adamehill87 .

It is not possible to only leak a default or a summary. You need to leak the specific routes.

Regards,

Harold Ritter

Got it. Thank you once again for helping me better understand VRF capabilities and limitations! Have a great day!
