
Export summary routes

pucko
Level 1

Hi,

I run a city network in Sweden with a lot of different service providers. The service providers assign an IP network to us for use with their service. E.g. an ISP assigns a /19 to us and it's up to us to mask it and run DHCP to the customers. To make things easy I put the DHCP server (and some other stuff like a customer portal) in a, let's call it, service vrf. My plan was then to take the /19 null route (it's originated in the RR) and export it to the service vrf, and the other way around, export a null summary from the service vrf to all other SP vrf:s. I want to do this to keep it as simple as possible and the routing table as small as possible. And of course since I'm posting here it does not work. So I thought the null interface might be the problem, so I did a static to another interface /19 -> 1.1.1.1. Now it works a tad better, the route comes into the service vrf and I have connectivity with locally connected interfaces within the /19. Interfaces connected elsewhere are not reachable. Anybody have any ideas?

Regards

Jonas Lindqvist

5 Replies

mheusing
Cisco Employee

Hi,

What does your config look like?

To add a /19 to the service VRF BGP table you could use

    ip vrf test
     rd 65000:1
     route-target import 65000:1
     route-target export 65000:1
    ip route vrf test 10.0.0.0 255.255.224.0 Null0
    router bgp 65000
     address-family ipv4 vrf test
      no auto-summary
      network 10.0.0.0 mask 255.255.224.0
     exit-address-family

Obviously addresses and names need to be adjusted to your environment.

Be aware that the router you configure this on will get all traffic following the /19. To access the more specifics, an IP lookup is required. Thus you need the more specific networks in the VRF where the /19 is created. Also be aware that you likely need a default route for the return traffic.

Hope this helps! Please use the rating system.

Regards, Martin

Hi,

That should work if everything was in the same vrf. I'm trying to do something like the following:

    ip vrf a
     description ### VRF A ###
     rd 100:1
     export map vrf-b-export
     route-target export 100:1
     route-target import 100:1
    ip vrf b
     description ### VFR B ###
     rd 200:1
     export map vrf-a-export
     route-target export 200:1
     route-target import 200:1
    ip route vrf a 10.0.0.0 255.255.224.0 null0
    ip route vrf a 20.0.0.0 255.255.224.0 null0
    ip route vrf b 30.0.0.0 255.255.254.0 null0
    ip prefix-list vrf-a seq 5 permit 10.0.0.0/19
    ip prefix-list vrf-a seq 10 permit 20.0.0.0/19
    ip prefix-list vrf-b seq 5 permit 30.0.0.0/23
    route-map vrf-b-export permit 10
     match ip address prefix-list vrf-a
     set extcommunity rt 200:1 additive
    route-map vrf-a-export permit 10
     match ip address prefix-list vrf-b
     set extcommunity rt 100:1 additive

It works (on locally connected if:s) if I, instead of the null routes, just put up a dummy interface on another router and point the summary route there like this:

    ip route vrf a 10.0.0.0 255.255.224.0 1.1.1.1
    ip route vrf a 20.0.0.0 255.255.224.0 1.1.1.1
    ip route vrf b 30.0.0.0 255.255.254.0 2.2.2.2

Then I have connectivity between local vlan:s vrf a <-> vrf b. I cannot access a vlan from vrf a to a vlan in vrf b in another PE.

Regards

Jonas

Hi,

Martin's approach is a correct/scalable solution to generate the blackhole you need.

You can import the blackhole into the customer vrf on the PE router by using

    ip vrf customer_A
     route-target import 65000:1

You wrote: "My plan was then to take the /19 null route (it's originated in the RR) and export it to the service vrf, and the other way around, export a null summary from the service vrf to all other SP vrf:s"

Does it mean the blackhole is not generated in the service vrf but in another vrf?

The "service" vrf cannot export the blackhole if "service" imports it from another vrf! ...but I think I am missing some requirement.

Help me to better understand the scenario details.

Regards,

Mirco.

Hi Mirco,

I see your point, I do not have any problem getting the /19 route distributed within the vrf I originated it in (the service vrf for example). I do redistribute static in bgp so it's in all the boxes. The thing is that I wanted to do export instead of import since import is local to the router where it's made, and I have a few routers. Export on the other hand is global so if I do export I can do it on the route reflector and then it's done. Much easier to be on top of things if it's a simple config.

Import works like a charm but it has to be done in all routers.

Regards

Jonas

Hi Jonas,

OK, your target is to maintain a clean config of the customer vrf. To obtain that you have to use many export statements in the central vrf, as many as you have spoke vrfs (in the same ISP address space).

    PE1#
    ip vrf x
     route-target both 65000:x

    RR#
    ip vrf A
     route-target both 65000:A
     route-target export 65000:x
     route-target export 65000:y
     route-target export 65000:z
     ...

This solution has the drawback of low scalability. In this scenario it is preferable to use an additional rt and obtain a hub&spoke vpn, but this requires an additional import statement in the spoke vrf.

    PE1#
    ip vrf x
     route-target both 65000:x
     route-target import 65000:hub

    RR#
    ip vrf A
     route-target both 65000:A
     route-target export 65000:hub

If you want to attach the 65000:hub rt only to some prefixes, you can use an export-map. Be careful, the export-map works in boolean AND with the other export statements.

I know this post doesn't resolve the "null static route announce" problem, but it may be a functional step towards a solution. Post an RR config extract and the output of "show ip bgp vpnv4 vrf hub prefix/19"

Regards,

Mirco.
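
An added example, not part of any post in this thread and not Cisco code: a small Python model of the additive export map Jonas posted and of Martin's note that the router originating the /19 does a second IP lookup and therefore needs the more specific routes. The names origin-PE and PE3 and the subnet 10.0.1.0/24 are assumptions made for the illustration.

```python
import ipaddress

# Constructed model of the posted config: vrf a exports 100:1 and its export
# map adds 200:1 (additive) to the two /19 summaries only.
VRFS = {
    "a": {"export": {"100:1"}, "import": {"100:1"},
          "export_map": ({"10.0.0.0/19", "20.0.0.0/19"}, "200:1")},
    "b": {"export": {"200:1"}, "import": {"200:1"}, "export_map": None},
}

def exported_rts(vrf, prefix):
    """Route targets attached when `vrf` exports `prefix`."""
    cfg = VRFS[vrf]
    rts = set(cfg["export"])
    if cfg["export_map"] and prefix in cfg["export_map"][0]:
        rts.add(cfg["export_map"][1])   # set extcommunity rt ... additive
    return rts

def importers(vrf, prefix):
    """VRFs whose import route targets match the exported route."""
    rts = exported_rts(vrf, prefix)
    return sorted(name for name, cfg in VRFS.items() if cfg["import"] & rts)

def lookup(table, dst):
    """Longest-prefix match over {prefix: next_hop}; None if no route."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table]
    hits = [n for n in nets if addr in n]
    if not hits:
        return None
    return table[str(max(hits, key=lambda n: n.prefixlen))]

def trace(dst, remote_vrf_b, origin_vrf_a):
    """Follow a packet from vrf b on a remote PE towards `dst`."""
    hop = lookup(remote_vrf_b, dst)
    if hop != "origin-PE":              # hypothetical name of the PE holding the /19
        return hop
    return lookup(origin_vrf_a, dst)    # second IP lookup on the originating router

# vrf b on a remote PE only learns what the export map tagged with 200:1.
REMOTE_B = {p: "origin-PE" for p in ("10.0.0.0/19", "10.0.1.0/24")
            if "b" in importers("a", p)}
SUMMARY_ONLY = {"10.0.0.0/19": "Null0"}
WITH_SPECIFIC = {"10.0.0.0/19": "Null0", "10.0.1.0/24": "PE3"}  # assumed subnet/PE

if __name__ == "__main__":
    print(importers("a", "10.0.0.0/19"), importers("a", "10.0.1.0/24"))
    print(trace("10.0.1.5", REMOTE_B, SUMMARY_ONLY))
    print(trace("10.0.1.5", REMOTE_B, WITH_SPECIFIC))
```

Only the summary reaches vrf b, so a packet for 10.0.1.5 follows the /19 to the originating router, where it is dropped at Null0 unless that VRF also holds the more specific route.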