Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
533
Views
0
Helpful
2
Replies

route-maps + route-target imports across mutliple PE's

Go to solution
johnelliot
Level 1
Level 1

‎06-06-2006 06:55 PM

We have a client that has multiple VRF's (End points terminating on multiple PE's) - They are wanting to have one specific site in VRF_A, to have visibility into all there other VRF's(For support).

Just wondering the most secure way to do this?

If I do something like:

ip vrf VRF_A

route-target import 1:1

route-target export 1:1

route-target export 1:2

ip vrf VRF_B

route-target import 1:2

route-target export 1:1

route-target import 1:3

route-target export 1:3

ip vrf VRF_C

route-target import 1:2

route-target export 1:1

route-target import 1:4

route-target export 1:4

VRF_B + VRF_C would have full visibility into all networks in VRF_A, and all networks in VRF_A would have visibility into VRF_B + C - I want to restrict VRF_B +VRF_C's visibity to only 192.168.10.0/24 (Which then should also remove the rest of VRF_A's networks ability to see the networks in VRF_B+C.)

I'm guessing I would need some combination of export-maps + route-target import's for each VRF....which I'm pretty sure I can work out - The part I'm unsure of is:

If VRF_A's 192.168.10.0/24 is on PE_A, and export-maps are only affective for the routes locally originated on the PE - How will I tell VRF_B+C that are on other PE's about the 192.168.10.0/24 network?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
romccallum
Level 4
Level 4

‎06-07-2006 12:10 AM

use an import-map within the vrf config mode mate. That will do exactly what you want.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
romccallum
Level 4
Level 4

‎06-07-2006 12:10 AM

use an import-map within the vrf config mode mate. That will do exactly what you want.

0 Helpful

Go to solution
johnelliot
Level 1
Level 1
In response to romccallum

‎06-07-2006 06:15 PM

Champion!

Hopefully have done it correctly....but it is functioning as expected with simple test:

PE_A

ip vrf TEST200

rd 17766:200

route-target export 17766:200

route-target import 17766:200

route-target import 17766:199

maximum routes 256 75

address-family ipv4 vrf TEST200

redistribute connected

redistribute static

no auto-summary

no synchronization

exit-address-family

interface Loopback200

ip vrf forwarding TEST200

ip address 10.0.200.1 255.255.255.0

PE_B

ip vrf TEST199

rd 17766:199

import map IMPORT_TEST

route-target export 17766:199

route-target import 17766:199

route-target import 17766:200

maximum routes 256 75

access-list 45 permit 10.0.200.0 0.0.0.255

route-map IMPORT_TEST permit 10

match ip address 45

address-family ipv4 vrf TEST199

redistribute connected

redistribute static

default-information originate

no auto-summary

no synchronization

exit-address-family

interface Loopback99

ip vrf forwarding TEST199

ip address 10.0.199.1 255.255.255.255

show ip bgp vpnv4 all

Route Distinguisher: 17766:199 (default for vrf TEST199)

*> 10.0.199.1/32 0.0.0.0 0 32768 ?

*>i10.0.200.0/24 203.149.76.246 0 100 0 ?

Route Distinguisher: 17766:200

*>i10.0.200.0/24 203.149.76.246 0 100 0 ?

#ping vrf TEST199 10.0.200.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.200.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms

0 Helpful
Customers Also Viewed These Support Documents