[c-nsp] IOSXE / route leaking between VRFs and GT
Vladislav A. VASILEV
vladislavavasilev at gmail.com
Sat Sep 14 23:38:53 EDT 2024
Hi Harold,
That definitely works and it's what I'm doing now. However, I'm looking for
a way to avoid having to add static routes for each and every mp-bgp route
I receive from remote PEs. The only two options that came to mind were:
1) leaking the route from the VRF to the global as shown below
2) running a routing protocol between the VRF and the global - iBGP won't
work as I can't define per-VRF cluster IDs. I'm also not keen on
redistributing mp-bgp routes into an IGP.
I can't get away without having VASI interfaces, because some of the dst
networks I need to leak are directly connected on the same PE router. As
such, these routes can't be leaked into the VRF without having a valid
next-hop IP (they must be one hop away).
Thanks!
Best Regards,
Vladislav
On Sun, Sep 15, 2024 at 5:03 AM Harold Ritter (hritter) <hritter at cisco.com>
wrote:
> Hi Vladislav,
>
> The route leaking is normally used when the global and the VRF are
> isolated from one another. In your case, you have a path between the global
> and VRF A through the vasi interfaces. Please add the following
> static route and you should get connectivity between R1 Lo1 and R2 Lo1.
>
> ip route 22.22.22.22 255.255.255.255 10.10.2.2
>
> Regards,
>
> Harold
>
> *From:* cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of
> Vladislav A. VASILEV via cisco-nsp <cisco-nsp at puck.nether.net>
> *Date:* Friday, 13 September 2024 at 16:08
> *To:* cisco-nsp at puck.nether.net <cisco-nsp at puck.nether.net>
> *Subject:* [c-nsp] IOSXE / route leaking between VRFs and GT
>
> I've got the following three requirements:
>
> 1) perform 2) and 3) on the same router
> 2) source NAT private networks (received as mp-bgp routes) on R1 (no issues
> here)
> 3) leak select mp-bgp prefixes into the global table (from a CP perspective
> routes are being leaked, but I can't get any traffic through)
>
> here's the test topology:
>
> global_table---R1---vasileft1---vasiright1---vrf_table---R1(PE)[ge1]---mp-bgp_routes----[ge1]R2(PE)
>
> All config being tested on:
> Cisco IOS XE Software, Version 17.03.02
> Cisco IOS Software [Amsterdam], Virtual XE Software
> (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3)
>
> in summary: R1's loopback1 (in global table) needs connectivity to R2's
> loopback1 (in VRF A)
>
> Configuration on R1:
>
> hostname R1
>
> vrf definition A
>  rd 1:1
>  route-target export 1:1
>  route-target import 1:1
>  address-family ipv4
>   export ipv4 unicast map to-global
>  exit-address-family
>
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.255
>  ip router isis ISIS
>  isis circuit-type level-2-only
>
> interface Loopback1
>  ip address 11.11.11.11 255.255.255.255
>
> interface GigabitEthernet1
>  ip address 10.10.1.1 255.255.255.252
>  ip router isis ISIS
>  negotiation auto
>  no mop enabled
>  no mop sysid
>  isis circuit-type level-2-only
>  isis network point-to-point
>
> interface vasileft1
>  ip address 10.10.2.1 255.255.255.252
>  no keepalive
>
> interface vasiright1
>  vrf forwarding A
>  ip address 10.10.2.2 255.255.255.252
>  no keepalive
>
> segment-routing mpls
>  connected-prefix-sid-map
>   address-family ipv4
>    1.1.1.1/32 index 1 range 1
>   exit-address-family
>
> router isis ISIS
>  net 49.0000.0000.0001.00
>  is-type level-2-only
>  metric-style wide
>  segment-routing mpls
>
> router bgp 1
>  bgp router-id 1.1.1.1
>  bgp log-neighbor-changes
>  neighbor 2.2.2.2 remote-as 1
>  neighbor 2.2.2.2 update-source Loopback0
>  address-family vpnv4
>   neighbor 2.2.2.2 activate
>   neighbor 2.2.2.2 send-community extended
>  address-family ipv4 vrf A
>   redistribute static <--- redistribute the leaked route from GT to VRF A
>
> ip route vrf A 11.11.11.11 255.255.255.255 10.10.2.1 <-- leak global route
> into VRF A
> ip prefix-list to-global seq 10 permit 22.22.22.22/32
>
> route-map to-global permit 10
>  match ip address prefix-list to-global
>  set ip next-hop 10.10.2.2 <------- without setting the next-hop to
> vasiright1's IP the route does not get leaked
>
> R1#sh ip ro
>
> 1.0.0.0/32 is subnetted, 1 subnets
> C 1.1.1.1 is directly connected, Loopback0
> 2.0.0.0/32 is subnetted, 1 subnets
> i L2 2.2.2.2 [115/20] via 10.10.1.2, 00:20:55, GigabitEthernet1
> 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
> C 10.10.1.0/30 is directly connected, GigabitEthernet1
> L 10.10.1.1/32 is directly connected, GigabitEthernet1
> C 10.10.2.0/30 is directly connected, vasileft1
> L 10.10.2.1/32 is directly connected, vasileft1
> 11.0.0.0/32 is subnetted, 1 subnets
> C 11.11.11.11 is directly connected, Loopback1
> 22.0.0.0/32 is subnetted, 1 subnets
> *B 22.22.22.22 [200/0] via 10.10.2.2 (A), 00:09:50*
>
> R1#sh ip ro 22.22.22.22
> Routing entry for *22.22.22.22/32*
> Known via "bgp 1", distance 200, metric 0, type internal
> Last update from 10.10.2.2 00:10:10 ago
> Routing Descriptor Blocks:
> * *10.10.2.2 (A)*, from 2.2.2.2, 00:10:10 ago
> opaque_ptr 0x7F13B34F1938
> Route metric is 0, traffic share count is 1
> AS Hops 0
> MPLS label: none
>
> R1#sh ip ro vrf A
> 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
> C 10.10.2.0/30 is directly connected, vasiright1
> L 10.10.2.2/32 is directly connected, vasiright1
> 11.0.0.0/32 is subnetted, 1 subnets
> S 11.11.11.11 [1/0] via 10.10.2.1
> 22.0.0.0/32 is subnetted, 1 subnets
> *B 22.22.22.22 [200/0] via 2.2.2.2, 00:10:39*
>
>
> R2#sh ip ro vrf A
> 11.0.0.0/32 is subnetted, 1 subnets
> *B 11.11.11.11 [200/0] via 1.1.1.1, 00:09:29*
> 22.0.0.0/32 is subnetted, 1 subnets
> C 22.22.22.22 is directly connected, Loopback1
>
> Thank you!
> Vladislav Vasilev
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
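Editor's note, not part of any message in the thread: the original post reports that the leaked prefix shows up in the global RIB ("from a CP perspective routes are being leaked") while no traffic gets through. The RIB is the control-plane view; forwarding on IOS XE is done from CEF, so the first check is whether CEF in each table has a resolvable adjacency and label for the leaked prefix. The sequence below is an added verification checklist using the addresses from Vladislav's lab (R1, VRF A, Loopback1 11.11.11.11, R2's Loopback1 22.22.22.22, VASI pair vasileft1/vasiright1); the commands are standard IOS XE show and ping commands, and no outputs are given because the thread does not post them.

```cisco
! --- Global table on R1: compare the RIB entry with the CEF entry ---
! The RIB shows the leaked route via 10.10.2.2 (A); CEF must show a
! usable output interface (vasileft1) rather than an unresolved next hop.
show ip route 22.22.22.22
show ip cef 22.22.22.22 detail

! --- VRF A on R1: the BGP path from R2 and its forwarding entry ---
! Here CEF should carry the VPN label learnt from 2.2.2.2 and resolve
! 2.2.2.2 through the IS-IS / SR-MPLS path on GigabitEthernet1.
show ip route vrf A 22.22.22.22
show ip cef vrf A 22.22.22.22 detail
show bgp vpnv4 unicast vrf A 22.22.22.22

! --- Return path: how VRF A reaches the global Loopback1 ---
show ip route vrf A 11.11.11.11
show ip cef vrf A 11.11.11.11 detail

! --- VASI pair state (both halves must be up/up) ---
show vasi pair
show interfaces vasileft1
show interfaces vasiright1

! --- Data-plane tests from each side of the VASI pair ---
! Global side, sourced from Loopback1 so the reply needs the VRF->global leak.
ping 22.22.22.22 source Loopback1
traceroute 22.22.22.22 source Loopback1
! VRF side, sourced from vasiright1 towards the global loopback.
ping vrf A 11.11.11.11 source vasiright1
! VRF side towards R2, to confirm the MPLS path itself is fine.
ping vrf A 22.22.22.22 source vasiright1
```

Reading the results: if the global CEF entry for 22.22.22.22 is present and points at vasileft1 but the traceroute dies at the first hop, the problem sits on the VASI crossing or on the VRF-side forwarding entry; if `ping vrf A 22.22.22.22` already fails, the leak is not the issue and the MPLS path to R2 is. Running the same pair of show commands after adding Harold's `ip route 22.22.22.22 255.255.255.255 10.10.2.2` in the global table shows what the static changes in CEF compared with the BGP-leaked entry.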