[c-nsp] PE-CE running BGP : How to deny a VRF to advertise routes learned from another VRF.

Murilo Antonio Pugliese mpugliese at diveo.net.br
Mon Apr 3 09:41:47 EDT 2006


Folks.

I'm facing a problem which I'll try to describe in a really short and simple manner.

Scenario description: 
Suppose a Full Mesh MPLS-based VPN containing only three sites; let's name them Sites A, B, and C.
Sites A & B deploy BGP between their CEs & VRFs, and Site C deploys routing through static routes.

So, I have:
    Site A CE <--------BGP--------> VRF A
    Site B CE <--------BGP--------> VRF B
    Site C CE <-- static routes --> VRF C
    VRF A, VRF B, and VRF C export and import the same route-target.
    Platforms: Cisco 75XX, version 12.0(27)S4

Both Sites A & B have Internet access.
Site A CE advertises a default route to its VRF (VRF A) through BGP when its Internet connection is operational.
Site B CE also advertises a default route to its VRF (VRF B) through BGP when its Internet connection is operational.

Both sites A & B may provide Internet access to Site C. When both VRF A & VRF B are learning a default route
from their respective CEs, they retransmit these default routes to VRF C. In this scenario VRF C must choose access through
VRF A, and this choice is guaranteed through the local-preference associated with both routes learned (from VRF A & from VRF B).

Now the problem description:
When the Site A Internet access goes down, Site A CE stops advertising a default route to its VRF (VRF A) as expected,
VRF A learns the default route that VRF B learns from Site B CE and advertises (that's fine), and VRF A advertises the
default route (from VRF B) to Site A CE (that's fine); "BUT" VRF A also advertises the default route learned from VRF B
to VRF C, and that's the problem.
 
I wish that VRF A would not advertise to VRF C the route it learns from VRF B!
As the VPN topology is Full Mesh, VRF C learns the same route straight from VRF B and also from VRF A (as VRF A is redistributing
the route learned from B), and due to the metrics associated with the routes according to their source, VRF C chooses the route
redistributed from VRF A as the best path.

To overcome this problem, at VRF A, using "import map", I associate a specific route-target (let's say: ASN:96) with the routes
learned from VRF B (that works fine), and through "export map" I tried to prevent VRF A from advertising them, but this did not work.

When I issue a "sh ip bgp vpnv4 <VRF-A> 0.0.0.0" I can verify that the routes learned from VRF B got associated with the desired RT
(ASN:96), but it looks like at the time the route is advertised by VRF A (export route-target) that RT (ASN:96) is not being considered,
the route is advertised, and (ASN:96) is removed. Because of this, deploying an "import map" at VRF C denying routes marked
with RT "ASN:96" doesn't work.

So I wonder how I could prevent VRF A from advertising routes learned from VRF B, knowing that a prefix-list is not feasible?

I'd appreciate a lot any feedback that could help me solve this specific matter.

Yours Truly.

Murilo Pugliese.


