Leaking connected routes into VRF Routing table

Hi,

In my campus we have deployed VRF-Lite and it is working fine for a situation where we have to leak the routing table between a VRF and the global routing table on a switch where I had one arm in the VRF and the other in the global routing table.

I have another situation in which I have to leak the connected VLAN subnets of the global routing table into the VRF routing table. I tried it with static routes but it didn't seem to work.

Regards

Hitesh Vinzoda

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hitesh,

Can you perhaps post your configuration here, or at least the command you have tried that has failed? You are saying - 'it didn't seem to work'. Can you be more specific about that?

Best regards,

Peter

Re: Leaking connected routes into VRF Routing table

Hi Peter,

In the first case, where it happens to work, I had a switch in which one interface is configured in VRF RED and the other interface of the switch is connected to a firewall (which is in the global routing domain). What I have done is configure a static route for each VRF subnet in the VRF domain, and it results in routing entries for the VRF routes in the global routing table. Also I had the global routing prefixes configured via static routes in the VRF routing table, e.g.

Switch interfaces:

  10.0.56.5 255.255.255.252 (VRF RED) Gi1/0/1 (connected to the VRF interface on the core switch)
  10.0.56.129 255.255.255.128 Fa1/0/1 (connected to the firewall)

Routes configured on the switch are:

  ip route 10.0.56.4 255.255.255.252 gi1/0/1
  ip route vrf RED 10.0.56.128 255.255.255.128 fa1/0/1 10.0.56.130

This config works, as it seems that the switch is sitting in between the VRF and the global routing table and allows entering the next-hop IP address.

My problematic situation is, say for example, that the switch in the above case also has some connected VLAN interfaces in the global routing domain, and I enter the command as follows:

  ip route vrf RED 10.0.110.0 255.255.255.0 vlan 110 10.0.110.1

It doesn't ping, although it is present in VRF RED's routing table across the VRF domain via OSPF, and the reverse route entry in the global routing table is also present, configured via static routes.

Please let me know if you want further inputs.

I roamed around the forums and found that we can import the routes from the global routing table into a VRF via "BGP Support for IPv4 Prefix Import".

I can see the prefixes in the switch's VRF routing table as "B" via BGP and redistributed across the VRF OSPF domain.

But still it doesn't ping from the switch's global interface to the interface in the VRF.

Link for reference:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2273a/1

Regards

Hitesh Vinzoda

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hi Hitesh,

If 10.0.110.1 is the IP address of the switch itself, it's expected not to work.

You have two solutions:

- BGP import v4 route as described in your link reference. You first need to redistribute your VLAN into BGP

- VRF select: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Service%20Providers&topic=MPLS&topicID=.ee8558c&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd353fc

You are talking about switches, so I am not sure if those features are supported.

HTH

Laurent.

Re: Leaking connected routes into VRF Routing table

Hi Laurent,

Thanks for reply.

- BGP import v4 route as described in your link reference. You first need to redistribute your VLAN into BGP

I have done it as illustrated in the post for redistributing the VLAN into BGP and then into the OSPF instance of the VRF. The VLAN subnets are propagated down the VRF. But could you help me out with leaking the VRF routes into the global routing table? Shall I proceed with the static routes as illustrated above...?

I'm testing this setup on a 3750 with 12.2 IP Services; if successful it will be deployed on a 4507R with 12.2(50)SG1.

TIA

Hitesh Vinzoda

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hi,

VRF-select allows you to have an interface in a VRF in addition to the GRT.

So if it's supported, I would remove the BGP config and configure both VLAN interfaces with VRF select so both interfaces will be seen on the GRT and the VRF:

int VLAN 70
 ip vrf select source
 ip vrf receive vendor
!
int VLAN 10
 ip vrf select source
 ip vrf receive vendor
!

So there is no need for specific routes to reach the VLAN, only for the remote subnets.

HTH

Laurent.

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Laurent,

Wow. I did not know about this until you pointed it out. Thank you very much indeed!

Best regards,

Peter

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hitesh,

I gave it a few tries. The fact is that in a VRF, I can't define a static route pointing just to a global LAN interface because the IOS complains that it is not a point-to-point interface and therefore it needs a next-hop address. However, obviously, the BGP using the Prefix Import functionality is able to do it.

The solution with the BGP Prefix Import is probably the most clean here. However, you are saying that despite the routes being present in the VRF, you can not ping them.

I have configured three routers in a row called PC, R1 and R2. The network between PC and R1 is 192.168.12.0/24, the network between R1 and R2 is 10.0.23.0/24. This is a configuration that works for me:

On PC:

hostname PC
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2

R1:

hostname R1
!
ip vrf V1
 rd 1:1
 import ipv4 unicast map RM_Conn
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip vrf forwarding V1
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.0.23.2 255.255.255.0
 ip ospf 1 area 0
 no shutdown
!
router ospf 1
 redistribute static subnets
!
router bgp 64512
 redistribute connected
!
ip route 192.168.12.0 255.255.255.0 FastEthernet0/0
!
route-map RM_Conn permit 10

On R2:

hostname R2
!
interface Loopback0
 ip address 10.255.255.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 10.0.23.3 255.255.255.0
 ip ospf 1 area 0
 no shutdown

Note that on R1, I have a static route in global table pointing to the VRF network between PC and R1 and I redistribute it into OSPF so that R2 knows about it.

Now, from PC, observe these pings:

PC#ping 10.255.255.1 ! Pinging the lo0 on R1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

PC#ping 10.0.23.2 ! Pinging the Fa0/1 on R1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

PC#ping 10.0.23.3 ! Pinging the Fa0/1 on R2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

Here, I am pinging two directly connected interfaces on R1 - the lo0 and the Fa0/1. I am also pinging the Fa0/1 on R2 to test the reachability beyond R1. As you can see, the pings are successful.

PC#ping 10.255.255.2 ! Pinging the lo0 on R2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

The last ping does not work because on R1, the VRF V1 does not contain a route to lo0 on R2 - I have not imported nor defined it, so it is normal that it does not work.

Can you compare your configuration with this one?

Best regards,

Peter

Re: Leaking connected routes into VRF Routing table

Hi Peter,

I will give it a try with the config you just posted. Can you please tell me what we are matching under the route-map in R1's config?

route-map RM_Conn permit 10

Is it prefixes or interfaces..?

Regards

Hitesh Vinzoda

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hello,

That route-map is empty and works simply as "permit any" for the sake of simplicity here.

If you were to implement a selective route-map, you should use a prefix list or an ACL in the route-map. I am not sure if the route-map can refer to interfaces because it basically filters networks that are present in the BGP database. Give it a try :)

Best regards,

Peter

Re: Leaking connected routes into VRF Routing table

Hi Peter,

As I'm at home I don't have access to the lab equipment, but the config looks like this below, and attached is the topology for your reference:

ip vrf vendor
 import ipv4 unicast map GLOBAL
!
router bgp 1
 redistribute connected route-map CONNECTED_BGP
 address-family ipv4 vrf vendor
!
interface Vlan110
 ip address 10.0.110.1 255.255.255.0
!
ip prefix-list GLOBAL permit 10.0.110.0/24
!
route-map CONNECTED_BGP permit 10
 match interface Vlan110
!
route-map GLOBAL permit 10
 match ip address prefix-list GLOBAL
!
interface Vlan70
 ip vrf forwarding vendor
 ip address 10.0.70.4 255.255.255.0
!
router ospf 10 vrf vendor
 network 10.0.70.0 0.0.0.255 area 0
!
ip route 10.0.70.0 255.255.255.0 vlan 70
ip route 10.0.255.0 255.255.255.0 vlan 70
! (10.0.255.x is the interface down the VRF)

TIA

Hitesh Vinzoda

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hitesh,

Can you please also describe where are the PCs located when you are trying to do that ping, and what exact IP address are you trying to ping? I am trying to visualize the entire path from the PC to the destination IP and back to the PC.

Best regards,

Peter

Re: Leaking connected routes into VRF Routing table

I'm trying with an extended ping from source VLAN 110 on the VRF switch (ref. diagram) and destination address 10.0.255.2 (in the VRF).

Regards

Hitesh Vinzoda

Re: Leaking connected routes into VRF Routing table

Hi Peter and Laurent,

After comments from both of you, I was able to successfully ping the VRF interface from the GRT. The functional config is posted below.

Many thanks to both of you for helping me on this issue. One more question before we end this discussion. My VLAN 110 is in the GRT and is functional, and I'm going to change it as suggested by Laurent (ip vrf receive vrf-name). I think that it is not going to cause any connectivity issues for VLAN 110 in the GRT. Please advise.

Regards

Hitesh Vinzoda

Functional config
==================

ip routing
!
ip vrf SAS
 rd 100:1
!
vlan 70,109-110,200,251
!
interface GigabitEthernet1/0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan70
 ip vrf forwarding SAS
 ip address 10.4.70.4 255.255.255.0
!
interface Vlan110
 ip vrf select source
 ip vrf receive SAS
 ip address 10.4.110.1 255.255.255.0
!
router ospf 10 vrf SAS
 log-adjacency-changes
 redistribute connected subnets
 network 10.4.70.0 0.0.0.255 area 0

IDC-TEST#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.4.110.0 is directly connected, Vlan110

IDC-TEST#sh ip route vr
IDC-TEST#sh ip route vrf SAS

Routing Table: SAS
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.4.70.0/24 is directly connected, Vlan70
C       10.4.110.0/24 is directly connected, Vlan110
O       10.4.255.0/30 [110/2] via 10.4.70.2, 00:03:27, Vlan70

IDC-TEST#sh ip route sta
IDC-TEST#sh ip route static
IDC-TEST#

IDC-TEST#ping vrf SAS
Protocol [ip]:
Target IP address: 10.4.255.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.4.110.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.255.2, timeout is 2 seconds:
Packet sent with a source address of 10.4.110.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
IDC-TEST#

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hi Hitesh,

I am glad you got it working. If it works for you I would personally say that you can go with it, but as I do not have enough experience with the VRF Source Select feature I would like to ask Laurent to give his final opinion here.

Best regards,

Peter

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hi,

I'm not expecting any side effect with this command, but think of this configuration as a hack, as it's not really the purpose of VRF select:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/vrfselec.html#wp1042154

The idea of a VRF is to separate traffic. If you end up with a lot of traffic leaking between VRFs and the GRT, maybe the design should be changed to integrate this requirement; otherwise you have a complex configuration that is difficult to troubleshoot.

HTH

Laurent.

Re: Leaking connected routes into VRF Routing table

Hi Laurent,

Thanks for the response.

Why I want to do this is that I have an FWSM which sits in between my LAN and the server farm and another entity A. This means that to access anything behind the FWSM one has to come to the FWSM, get checked and then be forwarded.

We have entity XYZ whose network is hosted on a 4507 which is protected and sits behind the FWSM.

The devices which belong to this entity XYZ are in my LAN, to be connected via a different VLAN other than my LAN.

The layer 3 interface of this VLAN will be in a different VRF than the LAN.

A separate link to the 4507 behind the FWSM is connected to the switch hosting the VRF L3 interface; there is no FWSM in between the VRF and the 4507.

This means I have the whole of the entity in my campus connected directly to the 4507 behind the FWSM.

On the 4507, route leaking will be done for the connected interfaces and the VRF, so that all subnets on the 4507 and the VRF can talk to each other.

Anything which wants to communicate from entity XYZ on the 4507 to the LAN will come through the FWSM, checked with ACLs.

A default route will be injected into the OSPF of the VRF with next hop as the inside interface of the FWSM connected to the 4507.

So I think only the default route + connected routes on the 4507 will be leaked from the GRT to the VRF, and when someone wants to communicate to the LAN side they have to come through the FWSM with the default route injected in OSPF.

Do you think it is going to be an issue from a design basis and troubleshooting point of view? Do tell me if you want further inputs on the design.

Please advise

Thanks in advance

Hitesh Vinzoda

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hi Hitesh,

An L3 level drawing would be helpful here. From this drawing, tell me who needs to talk to whom and which path the communication should follow.

Thanks

Laurent.

Re: Leaking connected routes into VRF Routing table

Attached is the drawing with details.

Regards

Hitesh Vinzoda

Cisco Employee

Re: Leaking connected routes into VRF Routing table

Hi Hitesh,

Looks good to me. Another solution could be to terminate the VRF directly on the Cat 6 with the FWSM and use the FWSM to provide routing between the GRT and the VRF. I have to say I never tested such an implementation ;-)

HTH

Laurent.

Re: Leaking connected routes into VRF Routing table

Hi,

The things we tested were extended pings in the VRF. But the problem I faced today is that I have connected a host in the VLAN where we have configured vrf select source and vrf receive vrf-name. This host is not able to reach the subnets in the VRF table. It can only ping the default gateway, nothing else. All routes are showing up in the GRT and VRF as well.

As per previous posts, we successfully received the connected interfaces in the GRT and VRF table as well, but the hosts in the connected VLAN are not able to reach the subnets in the VRF table.

Please advise

Regards

Hitesh Vinzoda

Community Member

Re: Leaking connected routes into VRF Routing table

Hi,

I did not see the "vrf selection source" configuration in the config you provided?

vrf selection source vrf - to populate a single source IP address or a range of source IP addresses into a VRF Selection table.

Re: Leaking connected routes into VRF Routing table

Hi Amit,

I think when you use the "vrf receive" command, by default all traffic generated behind the interface is assigned to the VRF; there is no need to define the source IP addresses.

By the way, I had resolved the issue...

The problem was that when you use the vrf select source and vrf receive commands, it makes the interface show up in the GRT and VRF table, but hosts whose traffic originates within the connected VLAN or interface by default belong to the GRT, so we have to leak the routes from the VRF to the GRT to make the communication happen.

Regards

Hitesh Vinzoda
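An added example, not from the thread, that models Hitesh's final finding: a host's packets are looked up in the table its traffic is classified into and the replies in the other table, so both tables need a covering route. It parses constructed "show ip route" text modelled on the outputs posted above; the host address 10.4.110.50 and the leaked 10.4.255.0/30 entry in the GRT are assumptions.

```python
import ipaddress
import re

# Constructed sample text modelled on the thread's "sh ip route" / "sh ip route vrf SAS".
GRT_OUTPUT = """
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 1 subnets
C       10.4.110.0 is directly connected, Vlan110
"""
VRF_SAS_OUTPUT = """
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.4.70.0/24 is directly connected, Vlan70
C       10.4.110.0/24 is directly connected, Vlan110
O       10.4.255.0/30 [110/2] via 10.4.70.2, 00:03:27, Vlan70
"""

SUMMARY_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)/(\d+) is (?:variably )?subnetted")
ROUTE_RE = re.compile(r"^([A-Z*][A-Z0-9*]?(?: [A-Z][A-Z0-9])?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?")

def parse_routes(text):
    """Map IPv4Network -> route code. Entries printed without a mask (classful
    listing) take the mask from the preceding 'is subnetted' summary line."""
    routes, summary_len = {}, 32
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary_len = int(m.group(2))
            continue
        m = ROUTE_RE.match(line)
        if m:
            code, net, plen = m.groups()
            routes[ipaddress.ip_network(f"{net}/{plen or summary_len}")] = code
    return routes

def lookup(routes, dst):
    """Longest-prefix match: (network, code), or None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in routes if addr in n]
    if not hits:
        return None
    best = max(hits, key=lambda n: n.prefixlen)
    return best, routes[best]

def path_check(src, src_table, dst, dst_table):
    """Forward leg in the table the source's traffic is classified into,
    reply leg in the table the destination answers from; both must resolve."""
    if lookup(src_table, dst) is None:
        return False, f"no route to {dst} in the source's table"
    if lookup(dst_table, src) is None:
        return False, f"no return route to {src} in the destination's table"
    return True, "reachable both ways"

if __name__ == "__main__":
    grt, sas = parse_routes(GRT_OUTPUT), parse_routes(VRF_SAS_OUTPUT)
    print(path_check("10.4.110.1", sas, "10.4.255.2", sas))   # extended ping inside the VRF: works
    print(path_check("10.4.110.50", grt, "10.4.255.2", sas))  # assumed host, GRT lookup: fails
    grt[ipaddress.ip_network("10.4.255.0/30")] = "S"          # assumed VRF-to-GRT leak
    print(path_check("10.4.110.50", grt, "10.4.255.2", sas))  # now both legs resolve
```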
