vrf-lite on lan

Jun 18th, 2008

On our LAN we want to use VRF-lite to isolate 2 VLANs from the others, but they have to interact with the VRF WAN, for example, so there might be route leaking.

Just a question about the conf.

What's the difference between this config:

ip vrf wan
 rd 1:1
 route-target export 1:1
 route-target import 1:1

Is it mandatory to apply these 2 route targets?

Can we make this?

ip vrf wan
 rd 1:1
 export map wan-map

So we just export what we want to for the VRF wan.

What is the best solution?

michaelchoo Wed, 06/18/2008 - 16:49

Route-target configs are only required if you run MPLS. Since you only want to run VRF-Lite, you don't have to configure route-target for your VRF(s). Consequently, there's no export-map required either. If you start playing around with export-map and the like, you're opening up a whole new can of worms, 'cuz then you need to set up MP-BGP, etc. Unless you do want to set up your own MPLS network.

I don't think you need to create a "WAN VRF". You only need the 2 VRFs and the global routing table. How many layer-3 devices do you have? If you only have the WAN router as the routing device, you may not even need to leak routes. Just relevant static VRF routes in each VRF to reach the WAN (default route may be sufficient?). Might help if you can provide your intended network topology.

fd_case17 Thu, 06/19/2008 - 01:25


"You only need the 2 VRFs and the global routing table."

How can I make this?

A static route in the 2 VRFs to reach the WAN, which is in the global table?


michaelchoo Thu, 06/19/2008 - 16:43

Well, what I meant was that you don't need an "ip vrf" config for your "WAN segment". Here's an example config:

ip vrf Segment1
 rd :1
ip vrf Segment2
 rd :2

 description SVI for Segment1
 ip vrf forwarding Segment1
 ip address

 description SVI for Segment2
 ip vrf forwarding Segment2
 ip address

interface serial0/0
 description WAN
 ip address

Note on RD: best practice typically calls for BGP AS number being used for the 1st part of RD, while the 2nd part is typically an arbitrary number that you choose.

Now, not knowing your exact requirements or your topology, I can't guarantee that the configs above will meet your needs. They're just a guide. Will help heaps if you can provide topology and also state your requirements.
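
An added example, not part of the thread or of michaelchoo's config: one way to write the static routes asked about above, on IOS releases that support the `global` next-hop keyword. The RD prefix 65000, VLAN numbers 10 and 20, and all addresses are constructed assumptions.

```cisco
! Constructed values: AS 65000, VLANs 10/20, 10.1.x.0/24 LANs, 192.0.2.0/30 WAN link.
ip vrf Segment1
 rd 65000:1
ip vrf Segment2
 rd 65000:2
!
interface Vlan10
 description SVI for Segment1
 ip vrf forwarding Segment1
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 description SVI for Segment2
 ip vrf forwarding Segment2
 ip address 10.1.20.1 255.255.255.0
!
interface Serial0/0
 description WAN (stays in the global routing table)
 ip address 192.0.2.2 255.255.255.252
!
! VRF -> global: default route in each VRF; "global" tells IOS to resolve
! the next hop 192.0.2.1 in the global table instead of inside the VRF.
ip route vrf Segment1 0.0.0.0 0.0.0.0 192.0.2.1 global
ip route vrf Segment2 0.0.0.0 0.0.0.0 192.0.2.1 global
!
! global -> VRF: return routes in the global table that point at the VRF SVIs,
! so traffic arriving from the WAN can reach the segment hosts.
ip route 10.1.10.0 255.255.255.0 Vlan10
ip route 10.1.20.0 255.255.255.0 Vlan20
!
! No route-target, export map or MP-BGP is configured: neither VRF holds a
! route to the other segment's subnet, only the default toward the WAN.
! The return routes do make both subnets reachable from the global table,
! so filter with ACLs where other global-table networks must not reach them.
```

With this in place, `show ip route vrf Segment1` should list only the connected subnet and the static default, and `show ip route 10.1.10.0` in the global table should show the static route via Vlan10.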

