[c-nsp] VRF Route-leaking question

Peter Rathlev peter at rathlev.dk
Sun Jan 13 08:43:38 EST 2008


On Sun, 2008-01-13 at 10:28 +0200, Mihai Tanasescu wrote:
> Hello,
> 
> 
> I have some trouble with VRF and route leaking unfortunately and wanted
> some explanations or help if possible.
> 
> I have 2 VRFs (out of many others) between which I leak routes (all
> routes currently).
> I can't have them in one VRF unfortunately.
> 
> The problem:

The configuration below was not copy+pasted from an IOS configuration.
It's usually a very good idea to do just that, and not try writing it by
hand. The initial command for configuring a VRF is "ip vrf <name>", not
just "vrf <name>" and IOS doesn't use shorthand itself.

> Ex:
> vrf aaa
> rd 1:1
> route-target export 1:1
> route-target import 1:2
> 
> vrf bbb
> rd 1:2
> route-target export 1:2
> route-target import 1:1

You need to import from "yourself", otherwise it won't work. This goes
for any VRF, leaked elsewhere or not. (Minus some strange scenarios...)

! On your router
ip vrf aaa
 rd 1:1
 route-target import 1:1
 route-target export 1:1
 route-target import 1:2
 exit
!
ip vrf bbb
 rd 1:2
 route-target import 1:2
 route-target export 1:2
 route-target import 1:1
 exit
!

BTW, the import and export commands for 1:1 can be shortened to
"route-target both 1:1" when configuring. (Same for 1:2 of course.)

> router bgp 1
> address-family ipv4 vrf aaa
> redistribute connected
> 
> address-family ipv4 vrf bbb
> redistribute connected
> 
> int gi1/1
> ip vrf forwarding aaa
> ip address 192.168.1.1 255.255.255.0
> 
> int gi1/2
> ip vrf forwarding bbb
> ip address 192.168.2.1 255.255.255.0
> 
> 
> if I issue:
> ping vrf aaa 192.168.1.1 - OK
> ping vrf bbb 192.168.1.1 - NOT OK
> I get:
>  %IP-3-LOOPPAK: Looping packet detected and dropped -
> src=192.168.2.1, dst=192.168.1.1, hl=20, tl=100, prot=1, sport=0, dport=0
> in=GigabitEthernet1/2, nexthop=192.168.1.1, out=GigabitEthernet1/2
> options=none -Process= "IP Input", ipl= 0, pid= 194
> 
> ping vrf bbb 192.168.1.2 (an IP accessible via gi1/1
> from aaa) - OK.

Try looking at the routing table after leaking, with a "show ip route
vrf bbb". It should show your Gi1/1 as connected, learned via BGP. Same
goes for VRF aaa and Gi1/2. You should be able to ping local interfaces
too.

This difference between a local and non-local address could maybe point
at something like FIB-problems. What does "show mls cef vrf bbb
192.168.1.1" show?

> Can I make it also somehow that ping works on the local interface
> assigned IP addresses with route leaking?

You could apply an import-map to your leaking, with an ACL to choose
only your local routes. But unless you know exactly what you're doing,
it's probably a bad idea to mix your VRFs like that.

Regards,
Peter
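
Added example, not part of the original mail: a small Python audit that parses "ip vrf" stanzas, lists which VRF pairs leak routes into each other through matching route-targets, and flags VRFs that export a route-target they do not import (the condition the reply says to fix). The function names, the "aaa_orig" VRF and its rd 1:3 are constructed for illustration.

```python
import re

# Constructed sample: the two VRFs as rewritten in the reply (bbb using the
# "both" shorthand), plus a hypothetical "aaa_orig" that has no self-import.
SAMPLE = """\
ip vrf aaa
 rd 1:1
 route-target import 1:1
 route-target export 1:1
 route-target import 1:2
!
ip vrf bbb
 rd 1:2
 route-target both 1:2
 route-target import 1:1
!
ip vrf aaa_orig
 rd 1:3
 route-target export 1:3
 route-target import 1:2
!
"""

def parse_vrfs(config):
    """Return {vrf: {"import": set, "export": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in config.splitlines():
        head = re.match(r"ip vrf (\S+)", line)
        rt = re.match(r"\s+route-target (import|export|both) (\S+)", line)
        if head:
            current = head.group(1)
            vrfs.setdefault(current, {"import": set(), "export": set()})
        elif not line.startswith(" "):
            current = None  # left the stanza ("!" or another top-level command)
        elif rt and current:
            kinds = ("import", "export") if rt.group(1) == "both" else (rt.group(1),)
            for kind in kinds:
                vrfs[current][kind].add(rt.group(2))
    return vrfs

def leaks(vrfs):
    """Pairs (src, dst), src != dst, where dst imports an RT that src exports."""
    return sorted((s, d) for s in vrfs for d in vrfs
                  if s != d and vrfs[s]["export"] & vrfs[d]["import"])

def missing_self_import(vrfs):
    """VRFs that export a route-target they do not import themselves."""
    return sorted(v for v, rt in vrfs.items() if rt["export"] - rt["import"])
```

Running leaks() over a full configuration gives the effective VRF-to-VRF reachability matrix, which is worth reviewing whenever VRFs are used as a segmentation boundary.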



