Cisco Support Community
Community Member

VRF-Lite, Route Leaking, ACL to control traffic between VRFs

Recently we implemented VRF-Lite in our structure.

In that job we also implemented route leaking between customer VRFs and our VRF (where we provide some services such as backup, monitoring, NFS/iSCSI, etc.).

We control that route leaking with route-maps (there are many examples in this forum).

It is working fine, and does not consume as much resource on our cores as we were expecting.

But what we would like to do is to filter the traffic passing from one VRF to another VRF.

Let's imagine that those VRFs were different physical routers.

There would be a common interface between them.

And it would be possible to apply ACLs on those interfaces.

What we want to do is something like that, but inside the same router, between the VRFs.

I tried to search for a solution to that (Google, Cisco, support forum), but I think that I'm not using the correct terms in the search.

I was looking at the possible commands related to that and I found:

Possibility A

  • This is the VRF of our customer, and my understanding of that command is that any traffic leaked from this VRF via BGP would be sourced from a specific loopback, and there we would apply the ACLs that we need. Am I right?

core-siteA(config)#ip vrf costumer-a


VPN Routing/Forwarding instance configuration commands:

  bgp              Commands pertaining to BGP

  default          Set a command to its defaults

  description      VRF specific description

  exit             Exit from VRF configuration mode

  export           VRF export

  import           VRF import

  inter-as-hybrid  Inter AS hybrid mode

  maximum          Set a limit

  mdt              Backbone Multicast Distribution Tree

  no               Negate a command or set its defaults

  protection       Configure local repair

  rd               Specify Route Distinguisher

  route-target     Specify Target VPN Extended Communities

  snmp             Modify snmp parameters

  vpn              Configure VPN ID as specified in rfc2685

core-siteA(config-vrf)#bgp ?

  next-hop  Next-hop for the routes of a VRF in the backbone

core-siteA(config-vrf)#bgp next-hop ?

  Loopback  Loopback interface

core-siteA(config-vrf)#bgp next-hop loopback ?

  <0-2147483647>  Loopback interface number

core-siteA(config-vrf)#bgp next-hop loopback 0 ?


Possibility B

  • This would be the route-map used on route leaking, and the idea in this case is to force the traffic that goes to the our-company VRF to pass through a specific loopback, and there we would apply the ACLs that we need. But my doubt is whether this SET can be used on a route-leaking route-map!?

core-siteA(config)#route-map VRF_COSTUMER-A_TO_OUR-COMPANY permit 10

core-siteA(config-route-map)#set ?

  as-path           Prepend string for a BGP AS-path attribute

  automatic-tag     Automatically compute TAG value

  clns              OSI summary address

  comm-list         set BGP community list (for deletion)

  community         BGP community attribute

  dampening         Set BGP route flap dampening parameters

  default           Set default information

  extcomm-list      Set BGP/VPN extended community list (for deletion)

  extcommunity      BGP extended community attribute

  global            Set to global routing table

  interface         Output interface

  ip                IP specific information

  ipv6              IPv6 specific information

  level             Where to import route

  local-preference  BGP local preference path attribute

  metric            Metric value for destination routing protocol

  metric-type       Type of metric for destination routing protocol

  mpls-label        Set MPLS label for prefix

  origin            BGP origin code

  tag               Tag value for destination routing protocol

  traffic-index     BGP traffic classification number for accounting

  vrf               Define VRF name

  weight            BGP weight for routing table

core-siteA(config-route-map)#set ip ?       

  address     Specify IP address

  default     Set default information

  df          Set DF bit

  global      global routing table

  next-hop    Next hop address

  precedence  Set precedence field

  qos-group   Set QOS Group ID

  tos         Set type of service field

  vrf         VRF name

core-siteA(config-route-map)#set ip vrf ?

  WORD  VRF name

core-siteA(config-route-map)#set ip vrf our-company ?

  next-hop  Next hop address

core-siteA(config-route-map)#set ip vrf our-company next-hop ?

  A.B.C.D  IP address of next hop


Could anyone make some corrections or suggestions?
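For reference, here is a configuration sketch of the way inter-VRF filtering is normally done in a VRF-Lite router: the ACL is applied on the interface where traffic enters each VRF, so packets are checked before the leaked route can forward them into the other VRF. This is an added example written for this thread, not configuration from the original post or from Cisco; the VRF names follow the post, while the interface names, addresses, RDs and the backup agent port are constructed values.

```cisco
! Added example, not from the original post. VRF names as in the post;
! addresses, interfaces, RDs and the backup port (10000) are constructed.
! Assumed addressing: customer A uses 10.20.0.0/16, our-company services 10.100.0.0/24.

ip vrf costumer-a
 rd 65000:10
!
ip vrf our-company
 rd 65000:100
!
! Traffic entering on the customer interface: only the leaked service hosts are
! reachable, and only on the ports those services use. Anything else aimed at
! the service VRF is dropped and logged before the leaked route is used.
ip access-list extended CUSTOMER-A-TO-SERVICES
 remark --- NFS (2049) and iSCSI (3260) to the storage host only
 permit tcp 10.20.0.0 0.0.255.255 host 10.100.0.10 eq 2049
 permit udp 10.20.0.0 0.0.255.255 host 10.100.0.10 eq 2049
 permit tcp 10.20.0.0 0.0.255.255 host 10.100.0.10 eq 3260
 remark --- backup agent (constructed port 10000) to the backup server only
 permit tcp 10.20.0.0 0.0.255.255 host 10.100.0.20 eq 10000
 remark --- replies to probes from the monitoring server
 permit icmp 10.20.0.0 0.0.255.255 host 10.100.0.30 echo-reply
 permit udp 10.20.0.0 0.0.255.255 host 10.100.0.30 eq snmp
 remark --- everything else toward the service VRF is denied; log hits for detection
 deny   ip any 10.100.0.0 0.0.0.255 log
 remark --- customer-internal and Internet traffic is not affected by the leak
 permit ip any any
!
! Traffic entering on the service interface: return flows for the sessions
! above, plus monitoring probes initiated from the monitoring server.
ip access-list extended SERVICES-TO-CUSTOMER-A
 permit tcp 10.100.0.0 0.0.0.255 10.20.0.0 0.0.255.255 established
 permit udp host 10.100.0.10 eq 2049 10.20.0.0 0.0.255.255
 permit icmp host 10.100.0.30 10.20.0.0 0.0.255.255 echo
 permit udp host 10.100.0.30 10.20.0.0 0.0.255.255 eq snmp
 deny   ip any 10.20.0.0 0.0.255.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description Customer A access (constructed)
 ip vrf forwarding costumer-a
 ip address 10.20.1.1 255.255.255.0
 ip access-group CUSTOMER-A-TO-SERVICES in
!
interface GigabitEthernet0/2
 description our-company services (constructed)
 ip vrf forwarding our-company
 ip address 10.100.0.1 255.255.255.0
 ip access-group SERVICES-TO-CUSTOMER-A in
```

Two notes on the design. The pair of ACLs is stateless, so the return direction has to be permitted explicitly (the `established` keyword only matches TCP flags, and UDP replies need their own line); a stateful alternative is zone-based firewall on platforms that support it per VRF. Hit counters from `show ip access-lists CUSTOMER-A-TO-SERVICES` and the logged denies are the quickest way to confirm the leak carries only the intended flows after a change. On IOS-XE routers, VASI interface pairs (`interface vasileft1` / `interface vasiright1`, each placed in one VRF) give the "common interface between two routers" model described in the post, with ACLs applied to those interfaces; which route-leaking method is in use does not change where the filtering is applied.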
