VRF route leaking issue

kmelchior
Level 1

Here is my scenario

I have 3 business units that I need to connect to my infrastructure in order to provide them access to our International WAN that will be coming into two of my data centers (a primary and a backup). These business units are not controlled by us, so we want to keep them separate and also force all of their traffic through a firewall. There will be two 'circuits' connecting us to the business units: MPLS into DC1 and IPsec VTI into DC2. I need to be able to fail over to the backup circuit automatically for each business unit.

My design has the following layout

An MPLS circuit at each business unit on a new VRF for each business unit terminating on an existing MPLS OC12 in DC1. Each business unit VRF has a subinterface on the OC12 associated with it. There is also a pair of Ethernet interfaces with a subinterface for each business unit with the associated VRF configured on it.

The MPLS 'VRF' interfaces are connected to a Palo Alto and the Palo Alto to a 6500 VSS core. The 6500 has a subinterface for each business unit as well and the same VRF configured for each business unit too. We have BGP established between the core and MPLS router via BGP address family for each VRF.

Up to this point everything is working.

The part that is not working is on the 6500: I need to import routes from the global routing table into each VRF routing table and export routes from each VRF routing table into the global routing table. The international WAN that each of these business units needs access to is part of the global routing table; they also need access to our internal LAN, which is part of the global routing table as well.

I also have a backup circuit for each business unit using IPsec VTI with the same basic setup using VRFs for each business unit, a Palo Alto, etc. (the only difference between the two setups is MPLS vs. VTI for the WAN circuit). Since I have a backup circuit that I need to be able to fail over to automatically, I can't use static routes for import/export functions, as the static route will never go away and therefore we will never fail over.

Attached is a Visio of the planned VRF setup and International WAN as well as the config I have in the MPLS router and core 6500 VSS.

I see the global route I am trying to import into the VRF table in the global BGP table and I see the routes I am trying to export into global in the VRF BGP table.

Any help is much appreciated!

Kevin

3 Replies

Edison Ortiz
Hall of Fame

You need static routing to leak between GRT and VRF.

What would the static route look like to leak 10.81.101.0/24 from the GRT to VRF? How does using a static to leak routes affect failing over to a backup automatically?

I did get this working in GNS3, however I realize that is not 'real life' and was not on a 6500.

Kevin

http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

You can use tracking on the static routes to verify reachability.
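
An added example (not posted by anyone in the thread) of the tracked static leak suggested above, using the 10.81.101.0/24 prefix from the question. The VRF name `BU1`, both next-hop addresses, the SLA/track number 10 and the `ip sla` / `track ... ip sla` command style are assumptions; older releases spell the SLA and track commands differently.

```ios
! Constructed example. Only 10.81.101.0/24 comes from the thread;
! BU1, 192.0.2.1, 192.0.2.129 and object number 10 are placeholders.
!
! Probe the global next hop that the leaked route depends on
ip sla 10
 icmp-echo 192.0.2.1
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Track object follows the probe result
track 10 ip sla 10 reachability
!
! Leak the GRT prefix into VRF BU1: "global" resolves the next hop in the
! global table, "track 10" removes the route when the probe fails
ip route vrf BU1 10.81.101.0 255.255.255.0 192.0.2.1 global track 10
!
! Hypothetical floating static toward a backup next hop, installed only
! after the tracked route above has been withdrawn (distance 250)
ip route vrf BU1 10.81.101.0 255.255.255.0 192.0.2.129 global 250
```

When 192.0.2.1 stops answering, track 10 goes down and the first static leaves the BU1 routing table, so the leak no longer pins traffic to the failed path. `show track 10` and `show ip route vrf BU1 10.81.101.0` confirm which route is installed.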
