

MPLS VRF Routes Leaking

I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.

Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).

The customer requires Internet access along with VPN services at all 2000+ locations.

What is the best solution that meets the requirements and also avoids security loopholes?


Re: MPLS VRF Routes Leaking

Hello Smiteshah,

The PE router can advertise a default route in the VRF because it has a default static route pointing to the FWSM interface in the VRF.

The FWSM routed context performs routing to/from the GRT (Global Routing Table), NAT for customer1 IP subnets in the VRF, and can implement stateful access control.

The customer can perform its own NAT to present agreed IP address blocks to your devices.

For redundancy you should use two PE nodes each with a FWSM that are a failover pair.

We are doing so to provide internet services to VRFs used for a part of the company.

Technically it is not a form of route leaking, but a third device, the FWSM routed context, interconnects the VRF and the GRT.

Hope to help


Re: MPLS VRF Routes Leaking

You could use one of the following ways to implement Internet access for L3 MPLS VPN:

1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface on the PE/PEs will need to be in the global routing table to have Internet access, and then you can inject that route into the VRF/VRFs.

2. Internet access using route leaking between the VRFs and the global routing table: with this method you will need to configure a static default route with a next hop of an Internet gateway (in your case the FWSM) reachable through the global routing table. This VRF default route needs to be injected/redistributed into the PE-CE routing (MP-BGP) to provide outbound Internet connectivity to your VRFs.

Inbound traffic from the Internet will require either a NATed VRF or static routes in the global routing table pointing to the VRF interface.

3. The other method is the use of a shared service: with this method you put the Internet-service FWSM in its own VRF, and then you can control the import and export between the Internet VRF and the other VRFs through the import/export of the VRF route-target values.

good luck

if helpful Rate
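The shared-service approach from method 3 above, as an added IOS configuration example that is not part of any post in this thread. The AS number, VRF names, RD/RT values, the Vlan10 interface toward the FWSM inside context and the RFC 5737 addresses are all assumed.

```cisco
! Assumed values: AS 65000, VRFs INTERNET/CUST1/CUST2, Vlan10 = FWSM inside leg
ip vrf INTERNET
 rd 65000:100
 route-target export 65000:100
 ! Import each customer VRF's RT so return traffic can be routed back
 route-target import 65000:1
 route-target import 65000:2
!
ip vrf CUST1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 ! Import only the Internet VRF's RT; CUST2's RT is deliberately not imported
 route-target import 65000:100
!
ip vrf CUST2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
 route-target import 65000:100
!
interface Vlan10
 description Inside leg of the FWSM routed context (NAT and stateful policy live on the FWSM)
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.0
!
! Default route in the Internet VRF points at the FWSM inside address. The FWSM
! outside leg sits in the global routing table, so the VRF and the GRT are joined
! only through the firewall, not by a route leak on the PE itself.
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.2
!
router bgp 65000
 address-family ipv4 vrf INTERNET
  ! Advertise only the default route into MP-BGP. Customer VRFs learn it via
  ! RT 65000:100 and never see each other's prefixes, because routes imported
  ! into INTERNET are not re-exported with INTERNET's export RT.
  redistribute static route-map STATIC-DEFAULT-ONLY
  default-information originate
 exit-address-family
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map STATIC-DEFAULT-ONLY permit 10
 match ip address prefix-list DEFAULT-ONLY
```

Verify the isolation with `show ip route vrf CUST1`: it should contain the 0.0.0.0/0 learned from INTERNET and no CUST2 prefixes, while `show ip route vrf INTERNET` shows both customers' prefixes for the return path.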

Re: MPLS VRF Routes Leaking

See this document; it might help you.

good luck