[c-nsp] vs route leaking
Saku Ytti
saku at ytti.fi
Sun Jun 9 01:48:36 EDT 2024
And your problem is, you get multiple default routes?
route-map FOO permit 100
match extcommunity 100
match ip address prefix-list DEFAULT
route-map FOO deny 200
match ip address prefix-list DEFAULT
route-map FOO permit 300
in your VRF_SHARED_SERVICE, so that you only import DEFAULT from RT
defined in extcommunity 100.
On Sun, 9 Jun 2024 at 07:57, Arne Larsen <arlarndk at gmail.com> wrote:
>
> Sort off, I need the default route from the vrf with the import target
> 64515:112, that's our leak for the shared vrf to the internet
>
>
> /Arne
>
> On 08/06/2024 17.31, Saku Ytti wrote:
> > On Sat, 8 Jun 2024 at 18:26, Arne Larsen via cisco-nsp
> > <cisco-nsp at puck.nether.net> wrote:
> >
> >> Yes, it'd with route-target I'm trying to get it to work, and what I'm
> >> trying to get rid off is the default route from the IOT vrf to be
> >> imported into the SHARED vrf.
> > Ok so the problem is not sharing routes between VRF, problem is
> > sharing selectively routes between VRF?
> >
> > In the example the problem is that VRF_SHARED_SERVICE gets default
> > route from VN_IOT.
> >
> > You could accomplish this two ways
> >
> > a) VRF_SHARED_SERVICE has import policy, which drops the default route
> > for 64515:136
> > b) VN_IOT has export policy, which doesn't set 64515:95 on default route
> >
> >
> > I think a) is more robust, you'd probably just deny importing any
> > default route at all, if you know you're going to have the 64515:95
> > default route you want. So no matter what happens in the other VRFs,
> > you'd never end up importing their default.
> >
> > Like
> >
> > vrf definition VRF_SHARED_SERVICE
> > address-family ipv4
> > import map FOO
> >
> > route-map FOO deny 100
> > match ip address prefix-list DEFAULT
> > route-map FOO permit 200
> >
> >
> >> Here are the vrf definition.:
> >>
> >>
> >> vrf definition VRF_SHARED_SERVICE
> >> rd 192.168.101.110:95
> >> !
> >> address-family ipv4
> >> route-target export 64515:95
> >> route-target import 64515:95
> >> route-target import 64515:10
> >> route-target import 64515:136
> >> route-target import 64515:112
> >> route-target import 64515:101
> >> exit-address-family
> >>
> >>
> >>
> >> vrf definition VN_IOT
> >> rd 192.168.101.110:136
> >> !
> >> address-family ipv4
> >> route-target export 64515:136
> >> route-target import 64515:136
> >> route-target import 64515:95
> >> exit-address-family
> >>
> >>
> >> /Arne
> >>
> >>
> >>
> >> On 08/06/2024 12.25, James Bensley wrote:
> >>> Hi Arne,
> >>>
> >>> The normal way to do this is with route targets but you didn't mention route targets in your email. Are you importing the export RTs from VRF1 and VRF2 in to VRF3?
> >>>
> >>> You also mentioned route-maps. Are you already importing the export RTs and trying to filter which routes are imported to only be the default route?
> >>>
> >>> You didn't post any config, it always helps people to help you if you can show what you have tried already.
> >>>
> >>> Cheers,
> >>> James.
> >>>
> >>>
> >>>
> >>> -------- Ursprüngliche Nachricht --------
> >>> Am 08.06.24 08:04 um Arne Larsen via cisco-nsp schrieb <cisco-nsp at puck.nether.net>:
> >>>
> >>>> Hi all
> >>>>
> >>>> I’m struggling with an 9606 Cisco router and route leaking between vrf’s.
> >>>>
> >>>> I have 2 vrf’s with a default route that needs to imported into a 3.
> >>>>
> >>>> The default route from the one vrf’s is direct connected on the box,
> >>>> andthe other is via mBGP.
> >>>>
> >>>> I’ve tried several forms for import maps base on community, prefix, acl
> >>>> and so on, but I always ends up with pulling my legs.
> >>>>
> >>>> The 3 vrf is for shared services, so I import more the the 2 vrf’s with
> >>>> the default route.
> >>>>
> >>>> Can someone give me a hint how to get this to work.
> >>>>
> >>>> The 2 vrf’s with the def route has community xxxxx:112 and xxxxx:114.
> >>>> I need to import all other routes from all other vrf’s including the 2
> >>>> with the def route.
> >>>>
> >>>> Hope someone can help me out here
> >>>>
> >>>> Regards Arne
> >>>> _______________________________________________
> >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>>
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
--
++ytti
More information about the cisco-nsp
mailing list