[c-nsp] route leaking from global to VRF on cisco 7401

Warwick Duncan warwick at frogfoot.com
Thu Nov 8 09:48:58 EST 2012


Hi

I'm having a problem leaking routes from the global routing table into a
VRF on a Cisco 7401 and I'd appreciate an opinion on whether my config
or the router is at fault.  The IOS image is c7400-jk9s-mz.124-21a.bin,
which is the most recent to which I have access.

Let's say my local router is 1.1.1.1, remote router is 1.2.2.2, my ASN
is 11111 and upstream provider ASN is 99999.  I want to distribute
10.0.0.0/0 for the MYVPN VRF between the two routers and Internet
breakout is via the remote router, but I want to import local peering
routes (let's say ASN 55555) on the local router from the global routing
table into MYVPN.  There is source based VRF selection on the downstream
facing interface.

Before configuring route leaking, the relevant parts of the (sanitised)
config look like this:

========================================================================
ip vrf MYVPN
 rd 11111:21003
 route-target export 11111:21003
 route-target import 11111:21003
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 mtu 1580
 no ip address
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
interface GigabitEthernet0/0.2
 description Downstream Interconnect
 encapsulation dot1Q 2
 ip vrf receive MYVPN
 ip address 192.168.0.9 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip mtu 1500
 ip flow ingress
 ip flow egress
 ip ospf cost 1000
 ip policy route-map pbr-from-downstream
!
router bgp 11111
 no synchronization
 bgp router-id 1.1.1.1
 bgp default local-preference 1000
 no bgp enforce-first-as
 bgp log-neighbor-changes
 neighbor REMOTE peer-group
 neighbor REMOTE remote-as 11111
 neighbor REMOTE update-source Loopback0
 neighbor REMOTE next-hop-self
 neighbor REMOTE send-community both
 neighbor REMOTE soft-reconfiguration inbound
 neighbor REMOTE weight 100
 neighbor REMOTE prefix-list ANY in
 neighbor PEERING peer-group
 neighbor PEERING soft-reconfiguration inbound
 neighbor PEERING weight 50
 neighbor PEERING route-map recv-from-peers in
 neighbor PEERING maximum-prefix 1000
 neighbor 2.2.2.2 peer-group REMOTE
 neighbor 4.3.2.1 peer-group PEERING
 default-metric 10
 no auto-summary
 !
 address-family vpnv4
  neighbor REMOTE send-community extended
  neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family ipv4 vrf MYVPN
  no synchronization
  network 10.1.1.0 mask 255.255.255.0
 exit-address-family
!
ip route vrf MYVPN 10.1.1.0 255.255.255.0 192.168.0.1 global permanent
!
ip community-list standard peer-com permit 11111:11050
!
route-map pbr-from-downstream permit 10
 match ip address FROM-10-1-1-0
 set vrf MYVPN
!
route-map recv-from-peers permit 10
 set community 11111:11050
========================================================================

At this point both the entries in the BGP RIB for MYVPN are as expected,
as is the VRF's routing table itself, i.e. it sees the remote VPN prefix
10.1.1.0/24 and the default route propagated from an eBGP peer:

========================================================================
router1#show ip bgp vpnv4 all 
BGP table version is 14, local router ID is 1.1.1.1
[..]
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 11111:21003 (default for vrf MYVPN)
*>i0.0.0.0          2.2.2.2                  0   2000      0 99999 i
*>i10.2.2.0/24      2.2.2.2                 10   1000      0 i
*> 10.1.1.0/24      192.168.0.1             10         32768 i
========================================================================
router1#show ip route vrf MYVPN

Routing Table: MYVPN
[..]
Gateway of last resort is 2.2.2.2 to network 0.0.0.0

B       10.2.2.0/24 [200/10] via 2.2.2.2, 11:31:20
C       192.168.0.8/29 is directly connected, GigabitEthernet0/0.2
S       10.1.1.0/24 [1/0] via 192.168.0.1
B*   0.0.0.0/0 [200/0] via 2.2.2.2, 11:31:20
========================================================================

So far so good; now I modify the config to import the peering routes
from the global routing table into the MYVPN VRF:

========================================================================
ip vrf MYVPN
 rd 11111:21003
 import ipv4 unicast map leak-peering
 route-target export 11111:21003
 route-target import 11111:21003
!
route-map leak-peering permit 10
 match community peer-com
========================================================================

At this point, things fall apart.  The BGP RIB is correct but in my most
recent attempt, the peering routes appeared in the VRF routing table
(FIB) but the default route disappeared.  On various other attempts:
- all routes except the peering routes disappear from FIB;
- all routes except connected and static disappear from FIB;
- some VPN routes disappear from RIB.

(I hope I'm using RIB and FIB correctly...)

If I remove the 'import ipv4 ...' config item, the leaked peering routes
remain in the BGP RIB but disappear from the VRF FIB; clearing all BGP
neighbors causes no visible change.  Removing the VRF entirely leaves
the peering routes in the RIB.

Am I doing something wrong or is the router not behaving as it should?

Regards
Warwick

-- 
Warwick Duncan
Frogfoot Networks ISP
http://www.frogfoot.com/
+27.21.448.7225
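
An added example, not part of the original message: a helper that compares two `show ip route vrf MYVPN` snapshots, taken before and after applying the import map, and reports which prefixes were lost or gained. The "before" text is from the post; the "after" text and the prefix 198.51.100.0/24 are constructed to mirror the described symptom, and the function names are hypothetical.

```python
import re

# One routing-table entry, e.g. "B*   0.0.0.0/0 [200/0] via 2.2.2.2, 11:31:20"
# or "C       192.168.0.8/29 is directly connected, GigabitEthernet0/0.2".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\*?\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:\[\d+/\d+\] via (?P<via>[\d.]+)|is directly connected, (?P<ifc>\S+))"
)

# Taken from the "show ip route vrf MYVPN" output in the post.
BEFORE = """\
B       10.2.2.0/24 [200/10] via 2.2.2.2, 11:31:20
C       192.168.0.8/29 is directly connected, GigabitEthernet0/0.2
S       10.1.1.0/24 [1/0] via 192.168.0.1
B*   0.0.0.0/0 [200/0] via 2.2.2.2, 11:31:20
"""

# Constructed sample: the default route is gone and one leaked peering
# prefix (198.51.100.0/24, a documentation range) has appeared.
AFTER = """\
B       10.2.2.0/24 [200/10] via 2.2.2.2, 00:02:11
B       198.51.100.0/24 [20/10] via 4.3.2.1, 00:02:11
C       192.168.0.8/29 is directly connected, GigabitEthernet0/0.2
S       10.1.1.0/24 [1/0] via 192.168.0.1
"""

def parse_routes(text):
    """Map prefix -> (source code, next hop or interface)."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:  # headers such as "Gateway of last resort ..." do not match
            routes[m["prefix"]] = (m["code"], m["via"] or m["ifc"])
    return routes

def diff_routes(before, after, must_keep=("0.0.0.0/0",)):
    """Report prefixes lost, gained or re-pointed between two snapshots."""
    b, a = parse_routes(before), parse_routes(after)
    return {
        "lost": sorted(set(b) - set(a)),
        "gained": sorted(set(a) - set(b)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
        "missing_required": [p for p in must_keep if p not in a],
    }

if __name__ == "__main__":
    for kind, prefixes in diff_routes(BEFORE, AFTER).items():
        print(f"{kind:17} {', '.join(prefixes) or '-'}")
```

The parser expects every entry to carry its mask, as in the sanitised output above; entries listed under an "is subnetted" header without a mask are skipped.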

