Cisco Support Community
New Member

Nexus VRF-Lite static route leak

Hello all, I am wondering if there is "ip route VRF..." command available in NX-OS to support VRF route leaking? Thank you.

12 REPLIES
Cisco Employee

Hi,

VRF export-import of routes (a.k.a "route leaking") is supported starting with NX-OS 5.2(1) for both VRF lite and MPLS Layer 3 VPNs. This is accomplished by using VPN route target communities as part of BGP extended communities.

It is important to note that if using this for VRF lite, MPLS license is NOT required. User will be able to configure route-target commands after enabling BGP feature. Configuring route distinguisher is not needed in VRF lite scenario but is required for MPLS VPNs. User will be able to configure rd command after enabling feature mpls l3vpn, which will require MPLS license.

In other words, you cannot use static routes for that (by the way, to configure static routes in NX-OS you need to enter the vrf context).

Following is an example for MPLS VPN VRF leaking. You can use it as a template removing the RD command which is not needed for vrf-lite.

n7000(config)# feature ospf
n7000(config)# feature bgp
n7000(config)# feature mpls l3vpn

!VRF context "vpn-1" configured to import routes from VRF context "vpn-2"
n7000(config)# vrf context vpn-1
n7000(config-vrf)# rd 1:1
n7000(config-vrf)# address-family ipv4 unicast
n7000(config-vrf-af-ipv4)# route-target import 1:1
n7000(config-vrf-af-ipv4)# route-target import 2:2
n7000(config-vrf-af-ipv4)# route-target export 1:1

!VRF context "vpn-2" configured to import routes from VRF context "vpn-1"
n7000(config)# vrf context vpn-2
n7000(config-vrf)# rd 2:2
n7000(config-vrf)# address-family ipv4 unicast
n7000(config-vrf-af-ipv4)# route-target import 1:1
n7000(config-vrf-af-ipv4)# route-target import 2:2
n7000(config-vrf-af-ipv4)# route-target export 2:2

!Route-map to permit all routes
n7000(config)# route-map vpn-route-leaking permit 10

!OSPF Route Redistribution
n7000(config)# router ospf 1
n7000(config-router)# vrf vpn-1
n7000(config-router-vrf)# redistribute bgp 1 route-map vpn-route-leaking
n7000(config-router)# vrf vpn-2
n7000(config-router-vrf)# redistribute bgp 1 route-map vpn-route-leaking

!BGP Route Redistribution
n7000(config-router-vrf)# router bgp 1
n7000(config-router)# vrf vpn-1
n7000(config-router-vrf)# address-family ipv4 unicast
n7000(config-router-vrf-af)# redistribute ospf 1 route-map vpn-route-leaking
n7000(config-router)# vrf vpn-2
n7000(config-router-vrf)# address-family ipv4 unicast
n7000(config-router-vrf-af)# redistribute ospf 1 route-map vpn-route-leaking

!Interface configuration
n7000(config)# interface Ethernet2/1
n7000(config-if)# vrf member vpn-1
n7000(config-if)# ip address 192.168.10.1/24
n7000(config-if)# ip router ospf 1 area 0.0.0.0
n7000(config)# interface Ethernet2/2
n7000(config-if)# vrf member vpn-2
n7000(config-if)# ip address 192.168.11.1/24
n7000(config-if)# ip router ospf 1 area 0.0.0.0

regards,

Riccardo

New Member

Hi Riccardo,

thanks for that answer though I've got some questions.

How can MP-BGP know what to import/export if you don't use the rd command?

I mean, the route-target import/export commands explicitly use the value you enter in the rd command.

Also, I was wondering if inter-VRF lite route-leaking is supported on the Nexus 5500 with L3 module+license?

The N5500 unicast routing cfg guide contains some VRF commands, but it doesn't say anything about the existence of the route-target import/export commands.

Thanks

New Member

Hi

Route-target import/export commands use an extended community, which is not the same as the RD. The RD setting is not required in a VRF-lite scenario. In a simple example with BGP doing route leaking, the BGP router has no neighbors to send VPNv4/v6 routes to, and the VPNv4/v6 prefix is the one that needs to have not just an IP address but also an RD. If we are not doing MPLS VPN, then it's not required.

Nexus 5500 with L3 module + license does not currently support route leaking, but it does have support for VRFs and VRF awareness for every component, just like Nexus 7000 was doing prior to release 5.2.

Hope this helps,

Arkadiy Shapiro

New Member

Hi,

It works very well between 2 VRFs.

But how can I achieve route leaking between VRF default and another VRF? Because it's not possible to use the "route-target" command with VRF default.

Thanks.

New Member

I am also having a problem leaking between VRF default and another VRF.  Here are the possibilities under the vrf, address-family ipv4 unicast :

7K_nexus(config-vrf-af-ipv4)# ?
  maximum  Set a limit
  no       Negate a command or set its defaults
  end      Go to exec mode
  exit     Exit from command interpreter
  pop      Pop mode from stack or restore from name
  push     Push current mode to stack or save it under name
  where    Shows the cli context you are in
7K_nexus(config-vrf-af-ipv4)#

Thanks,

dennis

New Member

I know it's been over 3 years... does having a working static route between the VRFs (VRF-lite only) require BGP features? Can this task be done in any other way?

Thanks,

New Member

static extranet route can work OK without BGP.

New Member

Can you elaborate? I'm on NX-OS 6.2.

New Member

Yes, it's in 6.2. What specific config are you trying to put in?

New Member

I need to route specific TCP traffic from VRFA to VRFB (single hop), and prefer not to use BGP for this minor task.

VRFA
 VLAN 100(1.1.1.1/16)

VRFB
 VLAN 200(1.2.1.1/16)

Cisco Employee

You can use policy based routing (PBR) as well for route leaking between VRFs. You need to use the "set vrf" feature of PBR. Something like the following:

feature pbr
! SVIs (interface vlan) require this feature on NX-OS
feature interface-vlan

vlan 10,20

vrf context vlanA
vrf context vlanB

ip access-list vlanA_to_vlanB
  permit ip 10.10.10.0/24 10.10.20.0/24
ip access-list vlanB_to_vlanA
  permit ip 10.10.20.0/24 10.10.10.0/24

! Traffic matching the ACL is looked up in the other VRF's routing table
route-map vlanA_to_vlanB
  match ip address vlanA_to_vlanB
  set vrf vlanB
route-map vlanB_to_vlanA
  match ip address vlanB_to_vlanA
  set vrf vlanA

! Apply the policy on ingress of each SVI
interface vlan10
  vrf member vlanA
  ip address 10.10.10.1/24
  ip policy route-map vlanA_to_vlanB

interface vlan20
  vrf member vlanB
  ip address 10.10.20.1/24
  ip policy route-map vlanB_to_vlanA

Hope this helps.
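
Added example (not part of any post in this thread): both mechanisms shown above, route-target import/export and PBR "set vrf", punch holes in VRF segmentation, so a config audit should list every VRF pair they connect. The Python sketch below does that for a config in indented `show running-config` layout; the function name `audit_vrf_leaks` and the sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample; assumes `show running-config` indentation of sub-commands.
SAMPLE = """\
vrf context vpn-1
  address-family ipv4 unicast
    route-target import 1:1
    route-target import 2:2
    route-target export 1:1
vrf context vpn-2
  address-family ipv4 unicast
    route-target import 1:1
    route-target import 2:2
    route-target export 2:2
vrf context isolated
  address-family ipv4 unicast
    route-target export 9:9
route-map vlanA_to_vlanB permit 10
  set vrf vlanB
interface Vlan10
  vrf member vlanA
  ip policy route-map vlanA_to_vlanB
"""

def audit_vrf_leaks(config):
    """Return sorted (source_vrf, dest_vrf, mechanism) tuples found in config."""
    rts = defaultdict(lambda: {"import": set(), "export": set()})
    set_vrf, if_vrf, if_pbr = defaultdict(set), {}, {}
    section = name = None
    for raw in filter(str.strip, config.splitlines()):  # skips blank lines
        line = raw.strip()
        if not raw[0].isspace():  # an unindented line opens a new section
            m = re.match(r"(vrf context|route-map|interface)\s+(\S+)", line)
            section, name = m.groups() if m else (None, None)
        elif section == "vrf context":
            for kind, rt in re.findall(r"^route-target (import|export) (\S+)", line):
                rts[name][kind].add(rt)
        elif section == "route-map" and line.startswith("set vrf "):
            set_vrf[name].add(line.split()[2])
        elif section == "interface" and line.startswith("vrf member "):
            if_vrf[name] = line.split()[2]
        elif section == "interface" and line.startswith("ip policy route-map "):
            if_pbr[name] = line.split()[3]
    leaks = {(s, d, "route-target") for s in rts for d in rts
             if s != d and rts[s]["export"] & rts[d]["import"]}
    for ifc, rmap in if_pbr.items():
        src = if_vrf.get(ifc, "default")  # no "vrf member" means the default VRF
        leaks |= {(src, dst, "pbr set vrf") for dst in set_vrf[rmap] if dst != src}
    return sorted(leaks)
```

Calling `audit_vrf_leaks(SAMPLE)` reports the vpn-1/vpn-2 pair in both directions and the vlanA to vlanB policy route, while the `isolated` VRF, whose export target nobody imports, does not appear.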

New Member

Thanks!
