Redistribute from VRF to Global

v_michael_
Level 1

Is it possible to redistribute all routes from a VRF routing table to the global routing table?


swaroop.potdar
Level 7

Why do you want to do this? I mean, it kinda beats the purpose of putting a domain into a VRF in the first place, where we can simply have adjacency directly in the global table.

If you have anything specific, do mention it, so it's easy to get the whole picture.

Cheers,

Swaroop

I have a reason I would like to do this also, and can't really figure out a good way to do this.

We need to move our current global Internet routing table to a VRF. That is a big job and will take some time to do, moving every customer interface, BGP peer, etc. to a new Internet VRF and out of the global table.

To do this it would be nice to just make a new VRF and import all routes in and out of the global table and the new VRF until everyone is moved, then break the import/export.

To import, it's not too bad, but I can't find a really good way to export from the new VRF out to the global table, where the unmoved customers will still reside.

Maybe this will help give you an example of why someone would want to do this.

It would be nice if there was just a "route-target export global" or "route-target export null" command under the VRF config.

Hi,

Maybe for a VRF_Internet on IPv4 gateway?

See this:

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml

Some months ago it didn't work (6500 platform, sup720 3BXL); a cross-cable from interface in VRF to interface in global does the trick.

HTH

Andrea

This type of functionality may be desired, as pointed out in the posts, mainly for migration of customers and services onto MPLS from IPv4.

1) To import global routes into a VRF you can use the IPv4 prefix import into VRF.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00803b8db9.html

2) Now for route leak of VRF into the global table you need to use a simple static route for the subnets in a given VRF, pointing to the interface on the PE side which connects to the CE.

One more thing I would like all to note here is that we need to be careful what we are importing into the VRF from the global table, as we don't want two routes for the same destination.

This does a two-way route leak into VRF and global table. But such fixup solutions should be used only for a transitionary state, and it would be difficult to maintain the state as is.

Having said that, the solution we generally have adopted and recommended to customers for migration is different from what we are discussing.

HTH-Cheers,

Swaroop
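
The two leak mechanisms described in the post above (prefix import from the global table into the VRF, and a global static route pointing at the VRF-facing PE interface) are meant to be temporary, so it helps to be able to list them. The following Python audit is an added example, not part of the original post and not Cisco code; the sample configuration, its addresses and the route-map name are constructed.

```python
import re

# Constructed sample (not from the thread): a VRF with a global-table import
# map, one VRF interface, one global interface, and three global static routes.
SAMPLE_CONFIG = """\
ip vrf Internet
 rd 65001:100
 import ipv4 unicast map GLOBAL-TO-INTERNET
!
interface GigabitEthernet2/3
 ip vrf forwarding Internet
 ip address 192.168.168.1 255.255.255.252
!
interface GigabitEthernet2/4
 ip address 192.168.169.1 255.255.255.252
!
ip route 198.51.100.0 255.255.255.0 GigabitEthernet2/3 192.168.168.2
ip route 203.0.113.0 255.255.255.0 GigabitEthernet2/4 192.168.169.2
ip route 192.0.2.0 255.255.255.0 192.168.169.2
"""

def find_leaks(config):
    """Return (imports, statics): global->VRF import maps and VRF->global static leaks."""
    vrf_of_intf, imports, section = {}, [], None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level line: remember which stanza (VRF or interface) we entered.
            m = re.match(r"(ip vrf|interface) (\S+)", line)
            section = m.groups() if m else None
        elif section and section[0] == "ip vrf":
            m = re.match(r"import ipv4 unicast (?:\d+ )?map (\S+)", line.strip())
            if m:
                imports.append((section[1], m.group(1)))
        elif section and line.strip().startswith("ip vrf forwarding "):
            vrf_of_intf[section[1]] = line.split()[3]
    statics = []
    for line in config.splitlines():
        # A global static route (no "vrf" keyword) whose exit interface sits in a
        # VRF pulls that VRF's prefix into the global table.
        m = re.match(r"ip route (\d\S*) (\d\S*) ([A-Za-z]\S*)", line)
        if m and m.group(3) in vrf_of_intf:
            statics.append((m.group(1), m.group(2), m.group(3), vrf_of_intf[m.group(3)]))
    return imports, statics

if __name__ == "__main__":
    imports, statics = find_leaks(SAMPLE_CONFIG)
    for vrf, rmap in imports:
        print(f"global -> VRF {vrf}: import map {rmap}")
    for net, mask, intf, vrf in statics:
        print(f"VRF {vrf} -> global: static {net} {mask} via {intf}")
```

Every entry it reports is a point where the VRF and the global table exchange routes and should be removed once the migration is finished.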

Hi,

you could take an IP interface from "VRF internet" on PE1 to global IP routing table in PE2 and setup OSPF and iBGP through this link. Somewhat messy and error prone, but it will only be for a transition phase anyhow.

Regards, Martin

How about EBGP customers that currently sit in the global routing table and that I want to move to that new VRF? I can't add a static route for their address space, because it will remove their AS peering.

You run into the same issue if you use another routing protocol like OSPF to distribute the routes.

You said "Having said that, the solution we generally have adopted and recommended to customers for migration is different from what we are discussing."

Mind sharing that info?

For migration customers we generally adopt a two-pronged approach.

1) Migrate the Core for Label Switching.

2) Enable all services, including Internet and centrally hosted services like mail, telephony, etc., onto a dual-connected scenario. That is, each service will have two links, one for the VRF and the other into the global table.

3) Start migrating customers one at a time. When you put them in a VRF they access all the services as is through the VRF, and those who are left over access them through the global table.

This requires each VPN/customer to be migrated one at a time. Hope this method suits you, as it's very subjective.

HTH-Cheers,

Swaroop

OK, this is a service provider network, so I could do what you say here.

So I have 2 routing tables with full Internet routes. I have to have full Internet routes because some customers ask for them from us.

Now let's say I have services like mail, DNS, websites, news, stuff like that in both VRFs with 2 links.

What about customers getting to other customers? Maybe some kind of default route could be used between the VRFs that can cause some issues.

The Internet routes come in from my upstream providers, 4 of them.

Now I can easily get those routes into the new Internet VRF, but when I move the customers over to that VRF I need to get their routes back out to everyone else still in the global routing table.

This is a big issue when it comes to EBGP customers, since I can't use static routes or anything like that to get connections from the global table to them, since they need to be advertised upstream from my border routers from the global VRF, at least until I move those borders into the new VRF also.

Seems like if it was just as easy to export VRF routes from a VRF back to the global table as it is to export routes from a VRF to another VRF, then this would all be a lot easier for me.

I mean, to do that would the router not just have to export a copy of that route with no RD? Remove the RD.

Q- What about customers getting to other customers? Maybe some kind of default route could be used between the VRFs that can cause some issues.

A- //

Before migrating to a VPN structure an Internet ISP would not be providing any VPN service. If one customer has been talking to another customer then it has to be via the Internet, so when you provision, you provision with Internet service also for each customer who has availed of that service.

//

Q- The Internet routes come in from my upstream providers, 4 of them.

Now I can easily get those routes into the new Internet VRF, but when I move the customers over to that VRF I need to get their routes back out to everyone else still in the global routing table.

A- //

You are missing a major point here. When you create an Internet VRF, the VRF is not just holding the Internet routes; in fact it's your IBGP extended within a VRF for your customers to peer with, so the control lies with you to give full or default routes. Having said that, your customer is doing EBGP with you for this service, so he obviously can announce routes, which would be announced on the Internet via your border routers. Other customers who are not migrated would know of this migrated customer's routes via your border router.

//

Q- Seems like if it was just as easy to export VRF routes from a VRF back to the global table as it is to export routes from a VRF to another VRF, then this would all be a lot easier for me.

I mean, to do that would the router not just have to export a copy of that route with no RD? Remove the RD.

A- //

Think about this: if you export the route into the global table, how would the routing take place, as IPv4 won't know how the route originated? So the only method left is redistributing with a static route.

//

On a lighter note, having to work within available resources and constraints is where we scale :-))

I believe you should be good to go with this approach, if you don't have anything which is different in terms of setup than what I had described.

If you have any more specific queries regarding the same, do put them across.

HTH-Cheers,

Swaroop

On this topic

A- //

You are missing a major point here. When you create an Internet VRF, the VRF is not just holding the Internet routes; in fact it's your IBGP extended within a VRF for your customers to peer with, so the control lies with you to give full or default routes. Having said that, your customer is doing EBGP with you for this service, so he obviously can announce routes, which would be announced on the Internet via your border routers. Other customers who are not migrated would know of this migrated customer's routes via your border router.

//

I am still playing with some of this in our lab, with a 7609 router.

And you are right, I must be missing something major here.

On my current border routers, my upstreams only peer to the global table; to them there is no MPBGP (no address families).

So I can either, on that border router, import those global routes into the new Internet VRF with an import map under the "ip vrf Internet" area of the config, or I can do this out on the network somewhere on a PE router.

So out on a PE router I have a customer that is currently EBGP peering, and I move him to peer with VRF Internet (I am still working on how that is done cleanly). His routes are now only in VRF Internet and not in the global table, as far as I understand it.

How would I get those routes back out to the global table so that I can advertise that customer's EBGP routes to my customers in the global table and also to my Internet peers?

I mentioned above that I was still working on peering an EBGP peer to a VRF cleanly. When I say that, I mean so that the customer does not run MPBGP, and to him the peering looks the same as before I moved him into that VRF.

Currently the customers I have in VRFs are just static routed and don't do BGP with my AS.

When I move the customer's peering interface into the new VRF in the lab, BGP can no longer get to his peering IP to peer anymore; then I move the neighbor's IP peer to the Internet VRF under BGP, and the session only comes up on the customer's router.

Here is the config on the lab PE router.

address-family ipv4 vrf Internet
 redistribute connected
 redistribute static
 neighbor 192.168.168.2 remote-as 65000
 neighbor 192.168.168.2 activate
 neighbor 192.168.168.2 default-originate
 neighbor 192.168.168.2 prefix-list DEFAULT-ONLY out

Customer interface in the PE:

interface GigabitEthernet2/3
 description 7200 - BGP VRF TESTING
 ip vrf forwarding Internet
 ip address 192.168.168.1 255.255.255.252

On the customer's router (lab) it's like this, simple as I can keep it.

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.168.1 remote-as 3505

BTW any help is appreciated. I emailed my Cisco SE and haven't heard from him yet; that was a couple of days ago, he is slack!

The config should be like this.

PE connecting to customer router:

address-family ipv4 vrf Internet
 redistribute connected
 redistribute static
 neighbor 192.168.168.2 remote-as 65000
 neighbor 192.168.168.2 remove-private-as
 neighbor 192.168.168.2 activate
 neighbor 192.168.168.2 default-originate
 neighbor 192.168.168.2 prefix-list DEFAULT-ONLY out ! If you want to advertise the full routing table you can omit this statement.

PE router connecting to border router:

!
address-family ipv4 vrf Internet
 redistribute connected
 neighbor 192.168.168.100 remote-as xxx ! EBGP peering to your border router.
 neighbor 192.168.168.100 activate
!

This gets all your Internet routes into the VRF and also advertises the customer route learnt at the other PE to the border router or IGW. Since the border router now has your customer routes, non-migrated customers can reach this customer via the border router, which will in turn direct traffic via the Internet VRF towards the customer.

If you are using the same AS for MPLS service then you can use the local-as feature to propagate IBGP-learnt routes within your MPLS VPN.

HTH-Cheers,

Swaroop

Humm, that still does not work. Here is the current BGP config from the lab PE router.

router bgp 65001
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor RR-Clients peer-group
 neighbor RR-Clients remote-as 65001
 neighbor RR-Clients description Route Reflector Clients
 neighbor RR-Clients update-source Loopback0
 neighbor 192.168.X.X peer-group RR-Clients ! our route reflectors ips
 neighbor 192.168.X.X peer-group RR-Clients ! our route reflectors ips
 !
 ! NOTICE I DONT MENTION THE VRF NEIGHBOR ANYWHERE ABOVE
 !
 address-family ipv4
  redistribute connected
  redistribute static
  neighbor RR-Clients next-hop-self
  neighbor 192.168.X.X activate
  neighbor 192.168.X.X activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor RR-Clients send-community extended
  neighbor 192.168.X.X activate
  neighbor 192.168.X.X activate
 exit-address-family
 !
 address-family ipv4 vrf Internet
  redistribute connected
  redistribute static
  neighbor 192.168.168.2 remote-as 65000
  neighbor 192.168.168.2 activate
  neighbor 192.168.168.2 default-originate
  neighbor 192.168.168.2 remove-private-as
  neighbor 192.168.168.2 prefix-list DEFAULT-ONLY out
  no synchronization
 exit-address-family

Remember this is a lab, so I am using a private AS just for testing; it would be a real customer's AS, that would be a public ARIN-given AS number in a real scenario.

Also I have changed the IPs and AS number of our router even in the lab, just because!

Here is the problem, I guess: that neighbor does not even show up.

show ip bgp sum
BGP router identifier 192.168.X.X, local AS number 65001
BGP table version is 2496500, main routing table version 2496500
196854 network entries using 23031918 bytes of memory
393695 path entries using 20472140 bytes of memory
53824/35129 BGP path/bestpath attribute entries using 7535360 bytes of memory
23 BGP rrinfo entries using 552 bytes of memory
48481 BGP AS-PATH entries using 1234350 bytes of memory
4 BGP extended community entries using 96 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 52274416 total bytes of memory
BGP activity 308201/111251 prefixes, 726748/332871 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.X.X     4  3505  647559   16249  2496500    0    0 1w4d       196841
192.168.X.X     4  3505  570050   16249  2496500    0    0 1w4d       196841

show ip bgp neighbors 192.168.168.2
% No such neighbor

When I add the neighbor under the main BGP IPv4 area it shows up in the commands above.

But it still stays in idle. Thing is, I don't want the neighbor to peer in global or insert routes there.

You are using the wrong command to see the neighbor adjacency.

Use this:

"show ip bgp vpnv4 all summ"

"show ip bgp vpnv4 vrf Internet neighbor 192.168.168.2"

And most important is to verify the IP 192.168.168.2 is in the Internet VRF.

Till now we have discussed:

1) How to do the migration.

2) What is your Internet setup.

3) How to migrate Internet.

4) How to view VRF BGP neighbors :-)

I would recommend that you thoroughly read and practise the scenario before you go for the real migration.

If you have anything else, do let me know.

HTH-Cheers,

Swaroop
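
The "% No such neighbor" result above comes from asking the global BGP table about a peer that exists only under `address-family ipv4 vrf Internet`. The following Python helper is an added example, not part of the original posts: it maps each BGP neighbor in an IOS configuration to the address family it is defined under and returns the show command that will list it. The sample configuration is constructed, modelled on the lab PE config in the thread, and the route-reflector address 192.0.2.1 is a placeholder.

```python
import re

# Constructed config modelled on the lab PE in this thread; 192.0.2.1 stands in
# for the masked route-reflector address.
SAMPLE_BGP = """\
router bgp 65001
 neighbor RR-Clients peer-group
 neighbor RR-Clients remote-as 65001
 neighbor 192.0.2.1 peer-group RR-Clients
 !
 address-family ipv4
  neighbor 192.0.2.1 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.0.2.1 activate
 exit-address-family
 !
 address-family ipv4 vrf Internet
  neighbor 192.168.168.2 remote-as 65000
  neighbor 192.168.168.2 activate
 exit-address-family
"""

def neighbor_scopes(config):
    """Map each neighbor IP to the set of scopes (global or address family) it appears in."""
    scopes, current = {}, "global"
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"address-family (.+)", line)
        if m:
            current = m.group(1)
        elif line == "exit-address-family" or line.startswith("router bgp"):
            current = "global"
        m = re.match(r"neighbor (\d+\.\d+\.\d+\.\d+) ", line)
        if m:
            scopes.setdefault(m.group(1), set()).add(current)
    return scopes

def show_commands(config):
    """Return, per neighbor, the show command that lists it; VRF-only peers need the vpnv4 form."""
    cmds = {}
    for ip, afs in neighbor_scopes(config).items():
        vrfs = sorted(a.split()[-1] for a in afs if " vrf " in a)
        if vrfs and all(" vrf " in a for a in afs):
            cmds[ip] = f"show ip bgp vpnv4 vrf {vrfs[0]} neighbors {ip}"
        else:
            cmds[ip] = f"show ip bgp neighbors {ip}"
    return cmds

if __name__ == "__main__":
    for ip, cmd in show_commands(SAMPLE_BGP).items():
        print(f"{ip}: {cmd}")
```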

Thanks, I have not tried this yet, but yes, you have helped a lot.

Sorry, it seems as if I am asking about so many different things, but they are somewhat tied together.

And I have never set up the above scenario before.
