VRF route leaking issue

Unanswered Question
Jul 9th, 2013

Here is my scenario


I have 3 business units that I need to connect to my infrastructure in order to provide them access to our International WAN that will be coming into two of my data centers (a primary and a backup). These business units are not controlled by us, so we want to keep them separate and also force all of their traffic through a firewall. There will be two 'circuits' connecting us to the business units: MPLS into DC1 and IPsec VTI into DC2. I need to be able to fail over to the backup circuit automatically for each business unit.


My design has the following layout


An MPLS circuit at each business unit on a new VRF for each business unit terminating on an existing MPLS OC12 in DC1. Each business unit VRF has a subinterface on the OC12 associated with it. There is also a pair of Ethernet interfaces with a subinterface for each business unit with the associated VRF configured on it.


The MPLS 'VRF' interfaces are connected to a Palo Alto and the Palo Alto to a 6500 VSS core. The 6500 has a subinterface for each business unit as well and the same VRF configured for each business unit too. We have BGP established between the core and MPLS router via BGP address family for each VRF.


Up to this point everything is working.


The part that is not working is that on the 6500 I need to import routes from the global routing table into each VRF routing table and export routes from each VRF routing table into the global routing table. The international WAN that each of these business units needs access to is part of the global routing table; they also need access to our internal LAN as well, which is part of the global routing table.


I also have a backup circuit for each business unit using IPsec VTI with the same basic setup using VRFs for each business unit, a Palo Alto, etc. (the only difference between the two setups is MPLS vs VTI for the WAN circuit). So since I have a backup circuit that I need to be able to fail over to automatically, I can't use static routes for import/export functions, as the static route will never go away and therefore we will never fail over.


Attached is a Visio of the planned VRF setup and International WAN as well as the config I have in the MPLS router and core 6500 VSS.


I see the global route I am trying to import into the VRF table in the global BGP table and I see the routes I am trying to export into global in the VRF BGP table.


Any help is much appreciated!


Kevin

Edison Ortiz Tue, 07/09/2013 - 08:22

You need static routing to leak between GRT and VRF.

kmelchior Tue, 07/09/2013 - 10:22

What would the static route look like to leak 10.81.101.0/24 from the GRT to VRF? How does using a static to leak routes affect failing over to a backup automatically?


I did get this working in GNS3, however I realize that is not 'real life' and was not on a 6500.


Kevin
