How to control/filter traffic between VRFs (VRF-lite) using route leaking?

Aug 8th, 2012

Does anybody know how I can control/filter the traffic between two VRFs when I use route leaking, or also normal route-target export/import connections, maybe with an ACL, in the following scenarios?

Scenario 1:

I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers and I want one of the PE routers to allow/route traffic between these VPNs, but specifically traffic on TCP port 80 and no other ports. I'm only aware of binding ACLs to logical or physical interfaces, but I don't know how to do this here.

Scenario 2:

Same as scenario 1, but it is not the PE router that connects the VPNs; instead a separate router-on-a-stick (e.g. 4900M) connected to one of the PE routers should do this job with VRF-lite and route leaking (address-family ipv4 vrf ...). Here too I only want to allow TCP port 80 between the VPNs.

Kind Regards,


Ashish Panda (Cisco Employee) Mon, 08/13/2012 - 10:34

If you want to do filtering on the PE router, you can apply access lists the same way that you use them for non-MPLS IP networks.

To be specific, you can create the ACL allowing TCP port 80 and the source/destination IPs and apply it on the physical interface towards the CE in VRF1 or VRF2.

If you have a PE acting as router-on-a-stick (in scenario 2), the same logic applies.

Hope this helps.

thorsten.steffen Mon, 08/13/2012 - 23:17

That's what I was assuming. In my experience this solution does not scale with an increasing number of VPNs and inter-VPN traffic via route targets.

Is it correct that there is only one common ACL per VPN where all rules for the communication to all other VPNs are configured? Doesn't this ACL become too complex and too error-prone to administrate in a real network environment? Furthermore, in my understanding this ACL has to be configured per VPN on all PE routers which have interfaces to CE routers for that VPN.

Does Cisco offer software for managing this?

Ashish Panda (Cisco Employee) Tue, 08/14/2012 - 02:27


Yes. One ACL per VRF to control communication with other VRFs has to be used. If the requirement is only to allow TCP 80 between them, then it shouldn't be big, and moreover the same ACL can be reused over multiple VPNs.

If you want complex filtering you may not be able to reuse it, and it may grow large based on your design and requirements.


Ashish Panda
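A minimal IOS configuration of the approach described in the two answers above, added here as an illustration and not taken from the thread; the VRF names, route targets, interfaces and prefixes are assumed. The inbound ACL on CUSTOMER-A's CE-facing interface lets only TCP 80 cross into CUSTOMER-B and leaves intra-VPN traffic (including OSPF to the CE) untouched; because an interface ACL is stateless, the mirror ACL on the CUSTOMER-B side must admit the established return traffic.

```cisco
! Added example (not from the thread); VRF names, RTs, interfaces and prefixes are assumed.
! Route leaking between the two VRFs: each exports its own RT and imports the other's.
ip vrf CUSTOMER-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 route-target import 65000:200
!
ip vrf CUSTOMER-B
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
 route-target import 65000:100
!
! Traffic arriving from the CUSTOMER-A CE: only HTTP may cross into CUSTOMER-B.
! Assumed prefixes: 10.1.0.0/16 = CUSTOMER-A, 10.2.0.0/16 = CUSTOMER-B.
ip access-list extended INTER-VRF-A-IN
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq www
 deny   ip  10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 log
 permit ip any any
!
! Mirror on the CUSTOMER-B side: admit only server replies (TCP 80 -> A, established);
! no new connections may be opened from B toward A.
ip access-list extended INTER-VRF-B-IN
 permit tcp 10.2.0.0 0.0.255.255 eq www 10.1.0.0 0.0.255.255 established
 deny   ip  10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description CE of CUSTOMER-A
 ip vrf forwarding CUSTOMER-A
 ip address 192.168.1.1 255.255.255.252
 ip access-group INTER-VRF-A-IN in
!
interface GigabitEthernet0/2
 description CE of CUSTOMER-B
 ip vrf forwarding CUSTOMER-B
 ip address 192.168.2.1 255.255.255.252
 ip access-group INTER-VRF-B-IN in
```

The `deny ... log` entries make blocked inter-VPN attempts visible in syslog, which is the check to run after deploying the filter. In scenario 2 the same ACLs go on the router-on-a-stick sub-interfaces that carry each VRF, applied in the same inbound direction.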

