[c-nsp] IOSXE / route leaking between VRFs and GT

Harold Ritter (hritter) hritter at cisco.com
Sun Sep 15 00:23:04 EDT 2024


Hi Vladislav,

> 2) running a routing protocol between the VRF and the global - iBGP won't work as I can't define a per-VRF cluster-IDs. I'm also not keen on redistributing mp-bgp routes into an IGP.

You could run eBGP by using local-as, as follows.

router bgp 1
neighbor 10.10.2.2 remote-as 10
neighbor 10.10.2.2 local-as 20 no-prepend replace-as
!
address-family ipv4
  network 11.11.11.11 mask 255.255.255.255
  neighbor 10.10.2.2 activate
exit-address-family
!
address-family ipv4 vrf A
  bgp router-id 10.10.2.2
  neighbor 10.10.2.1 remote-as 20
  neighbor 10.10.2.1 local-as 10 no-prepend replace-as
  neighbor 10.10.2.1 activate
exit-address-family

Regards,

Harold

From: Vladislav A. VASILEV <vladislavavasilev at gmail.com>
Date: Saturday, 14 September 2024 at 21:39
To: Harold Ritter (hritter) <hritter at cisco.com>
Cc: cisco-nsp at puck.nether.net <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] IOSXE / route leaking between VRFs and GT
Hi Harold,

That definitely works and it's what I'm doing now. However, I'm looking for a way to avoid having to add static routes for each and every mp-bgp route I receive from remote PEs. The only two options that came to mind were:

1) leaking the route from the VRF to the global as shown below
2) running a routing protocol between the VRF and the global - iBGP won't work as I can't define a per-VRF cluster-IDs. I'm also not keen on redistributing mp-bgp routes into an IGP.

I can't get away without having VASI interfaces, because some of the dst networks I need to leak are directly connected on the same PE router. As such, these routes can't be leaked into the VRF without having a valid next-hop IP (they must be one hop away).

Thanks!

Best Regards,
Vladislav



On Sun, Sep 15, 2024 at 5:03 AM Harold Ritter (hritter) <hritter at cisco.com> wrote:
Hi Vladislav,

The route leaking is normally used when the global and the VRF are isolated from one another. In your case, you have a path between the global and VRF A through the vasi interfaces. Please add the following static route and you should get connectivity between R1 Lo1 and R2 Lo1.

ip route 22.22.22.22 255.255.255.255 10.10.2.2

Regards,

Harold

From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Vladislav A. VASILEV via cisco-nsp <cisco-nsp at puck.nether.net>
Date: Friday, 13 September 2024 at 16:08
To: cisco-nsp at puck.nether.net <cisco-nsp at puck.nether.net>
Subject: [c-nsp] IOSXE / route leaking between VRFs and GT
I've got the following three requirements:

1) perform 2) and 3) on the same router
2) source NAT private networks (received as mp-bgp routes) on R1 (no issues here)
3) leak select mp-bgp prefixes into the global table (from a CP perspective routes are being leaked, but I can't get any traffic through)

here's the test topology:

global_table---R1---vasileft1---vasiright1---vrf_table---R1(PE)[ge1]---mp-bgp_routes----[ge1]R2(PE)


All config being tested on:
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], Virtual XE Software
(X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3)

in summary: R1's loopback1 (in global table) needs connectivity to R2's loopback1 (in VRF A)

Configuration on R1:

hostname R1

vrf definition A
rd 1:1
route-target export 1:1
route-target import 1:1
address-family ipv4
export ipv4 unicast map to-global
exit-address-family

interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip router isis ISIS
isis circuit-type level-2-only

interface Loopback1
ip address 11.11.11.11 255.255.255.255

interface GigabitEthernet1
ip address 10.10.1.1 255.255.255.252
ip router isis ISIS
negotiation auto
no mop enabled
no mop sysid
isis circuit-type level-2-only
isis network point-to-point

interface vasileft1
ip address 10.10.2.1 255.255.255.252
no keepalive

interface vasiright1
vrf forwarding A
ip address 10.10.2.2 255.255.255.252
no keepalive

segment-routing mpls
connected-prefix-sid-map
address-family ipv4
1.1.1.1/32 index 1 range 1
exit-address-family

router isis ISIS
net 49.0000.0000.0001.00
is-type level-2-only
metric-style wide
segment-routing mpls

router bgp 1
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 update-source Loopback0
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
address-family ipv4 vrf A
redistribute static <--- redistribute the leaked route from GT to VRF A

ip route vrf A 11.11.11.11 255.255.255.255 10.10.2.1 <-- leak global route into VRF A
ip prefix-list to-global seq 10 permit 22.22.22.22/32

route-map to-global permit 10
match ip address prefix-list to-global
set ip next-hop 10.10.2.2 <------- without setting the next-hop to vasiright1's IP the route does not get leaked

R1#sh ip ro

1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
i L2 2.2.2.2 [115/20] via 10.10.1.2, 00:20:55, GigabitEthernet1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.1.0/30 is directly connected, GigabitEthernet1
L 10.10.1.1/32 is directly connected, GigabitEthernet1
C 10.10.2.0/30 is directly connected, vasileft1
L 10.10.2.1/32 is directly connected, vasileft1
11.0.0.0/32 is subnetted, 1 subnets
C 11.11.11.11 is directly connected, Loopback1
22.0.0.0/32 is subnetted, 1 subnets
*B 22.22.22.22 [200/0] via 10.10.2.2 (A), 00:09:50*

R1#sh ip ro 22.22.22.22
Routing entry for *22.22.22.22/32*
Known via "bgp 1", distance 200, metric 0, type internal
Last update from 10.10.2.2 00:10:10 ago
Routing Descriptor Blocks:
* *10.10.2.2 (A)*, from 2.2.2.2, 00:10:10 ago
opaque_ptr 0x7F13B34F1938
Route metric is 0, traffic share count is 1
AS Hops 0
MPLS label: none

R1#sh ip ro vrf A
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.2.0/30 is directly connected, vasiright1
L 10.10.2.2/32 is directly connected, vasiright1
11.0.0.0/32 is subnetted, 1 subnets
S 11.11.11.11 [1/0] via 10.10.2.1
22.0.0.0/32 is subnetted, 1 subnets
*B 22.22.22.22 [200/0] via 2.2.2.2, 00:10:39*



R2#sh ip ro vrf A
11.0.0.0/32 is subnetted, 1 subnets
*B 11.11.11.11 [200/0] via 1.1.1.1, 00:09:29*
22.0.0.0/32 is subnetted, 1 subnets
C 22.22.22.22 is directly connected, Loopback1


Thank you!
Vladislav Vasilev
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
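Leaking routes from a VRF into the global table is a deliberate hole in the VRF isolation, so the operational check that matters is that only the prefixes permitted by the to-global prefix-list actually show up in the global RIB, and that they point at the VASI next-hop the route-map sets. The script below is an added example, not part of this thread and not a Cisco tool: it parses the `show ip route` text quoted above (the `(A)` marker on a global-table route identifies the VRF it was leaked from) and reports any leaked route that is off the allow-list or has an unexpected next-hop. The sample RIB is constructed from R1's output in the thread plus one extra host route, 33.33.33.33/32, invented here to show a violation being flagged; `parse_routes` and `audit_leaks` are names chosen for this example.

```python
import re
from ipaddress import ip_network

# One IOS route line: "<code> <prefix>[/len] [<AD>/<metric>] via <next-hop> [(<vrf>)], ..."
ROUTE_RE = re.compile(
    r"^(?P<code>.+?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<nh>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\((?P<vrf>[^)]+)\))?"
)
# Header such as "22.0.0.0/32 is subnetted, 1 subnets": the entries under it carry no mask.
SUBNETTED_RE = re.compile(r"^\S+/(?P<plen>\d{1,2}) is subnetted,")

# Constructed sample: R1's global RIB from the thread, plus a made-up second
# leaked route (33.33.33.33/32) that is NOT in the to-global prefix-list.
SAMPLE_GLOBAL_RIB = """\
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
i L2 2.2.2.2 [115/20] via 10.10.1.2, 00:20:55, GigabitEthernet1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.2.0/30 is directly connected, vasileft1
L 10.10.2.1/32 is directly connected, vasileft1
22.0.0.0/32 is subnetted, 1 subnets
*B 22.22.22.22 [200/0] via 10.10.2.2 (A), 00:09:50*
33.0.0.0/32 is subnetted, 1 subnets
B 33.33.33.33 [200/0] via 10.10.2.2 (A), 00:01:12
"""


def parse_routes(show_output):
    """Return (prefix, code, next_hop, vrf_marker) for every route that has a next-hop.
    Connected/local routes carry no [AD/metric] block and are skipped. Host routes listed
    under an 'X/32 is subnetted' header have no mask of their own, so the header's
    length is applied; under 'variably subnetted' each entry carries its own mask."""
    default_plen = None
    routes = []
    for raw in show_output.splitlines():
        line = raw.strip().strip("*")  # drop the emphasis asterisks from the mail quote
        m = SUBNETTED_RE.match(line)
        if m:
            default_plen = int(m.group("plen"))
            continue
        if "variably subnetted" in line:
            default_plen = None
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        prefix = m.group("prefix")
        if "/" not in prefix:
            if default_plen is None:
                raise ValueError(f"cannot infer the mask for {prefix!r}")
            prefix = f"{prefix}/{default_plen}"
        routes.append((str(ip_network(prefix)), m.group("code").strip(),
                       m.group("nh"), m.group("vrf")))
    return routes


def audit_leaks(show_output, vrf, allowed_prefixes, expected_next_hops):
    """Return (prefix, next_hop, reason) for each global-table route leaked from `vrf`
    that is either not on the allow-list (the to-global prefix-list) or does not point
    at one of the expected next-hops (the vasiright1 address set by the route-map)."""
    allowed = {str(ip_network(p)) for p in allowed_prefixes}
    findings = []
    for prefix, _code, nh, marker in parse_routes(show_output):
        if marker != vrf:
            continue  # not a leaked route
        if prefix not in allowed:
            findings.append((prefix, nh, "prefix not permitted by to-global allow-list"))
        elif nh not in expected_next_hops:
            findings.append((prefix, nh, "unexpected next-hop for leaked route"))
    return findings


if __name__ == "__main__":
    problems = audit_leaks(SAMPLE_GLOBAL_RIB, "A", ["22.22.22.22/32"], {"10.10.2.2"})
    for prefix, nh, reason in problems:
        print(f"{prefix} via {nh}: {reason}")
    if not problems:
        print("leaked routes match the allow-list")
```

Feeding it the live output of `show ip route` (and the prefix-list from the running config) turns the one-off check in this thread into something that can run after every BGP policy change; the VRF marker parsing is what distinguishes a leaked route from an ordinary iBGP route with the same next-hop.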

