New Member

route-maps + route-target imports across multiple PEs

We have a client that has multiple VRFs (endpoints terminating on multiple PEs). They want one specific site in VRF_A to have visibility into all their other VRFs (for support).

Just wondering the most secure way to do this?

If I do something like:

ip vrf VRF_A
 route-target import 1:1
 route-target export 1:1
 route-target export 1:2

ip vrf VRF_B
 route-target import 1:2
 route-target export 1:1
 route-target import 1:3
 route-target export 1:3

ip vrf VRF_C
 route-target import 1:2
 route-target export 1:1
 route-target import 1:4
 route-target export 1:4

VRF_B + VRF_C would have full visibility into all networks in VRF_A, and all networks in VRF_A would have visibility into VRF_B + C. I want to restrict VRF_B + VRF_C's visibility to only 192.168.10.0/24 (which then should also remove the rest of VRF_A's networks' ability to see the networks in VRF_B + C).

I'm guessing I would need some combination of export-maps + route-target imports for each VRF... which I'm pretty sure I can work out. The part I'm unsure of is:

If VRF_A's 192.168.10.0/24 is on PE_A, and export-maps are only effective for the routes locally originated on the PE, how will I tell VRF_B + C that are on other PEs about the 192.168.10.0/24 network?

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: route-maps + route-target imports across multiple PEs

Use an import-map within the vrf config mode, mate. That will do exactly what you want.

New Member

Re: route-maps + route-target imports across multiple PEs

Champion!

Hopefully I have done it correctly... but it is functioning as expected with a simple test:

PE_A

ip vrf TEST200
 rd 17766:200
 route-target export 17766:200
 route-target import 17766:200
 route-target import 17766:199
 maximum routes 256 75

address-family ipv4 vrf TEST200
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
exit-address-family

interface Loopback200
 ip vrf forwarding TEST200
 ip address 10.0.200.1 255.255.255.0

PE_B

ip vrf TEST199
 rd 17766:199
 import map IMPORT_TEST
 route-target export 17766:199
 route-target import 17766:199
 route-target import 17766:200
 maximum routes 256 75

access-list 45 permit 10.0.200.0 0.0.0.255

route-map IMPORT_TEST permit 10
 match ip address 45

address-family ipv4 vrf TEST199
 redistribute connected
 redistribute static
 default-information originate
 no auto-summary
 no synchronization
exit-address-family

interface Loopback99
 ip vrf forwarding TEST199
 ip address 10.0.199.1 255.255.255.255

show ip bgp vpnv4 all

Route Distinguisher: 17766:199 (default for vrf TEST199)
*> 10.0.199.1/32    0.0.0.0                  0         32768 ?
*>i10.0.200.0/24    203.149.76.246           0    100      0 ?
Route Distinguisher: 17766:200
*>i10.0.200.0/24    203.149.76.246           0    100      0 ?

#ping vrf TEST199 10.0.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms
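
The route-target imports from the first post and an import map shaped like IMPORT_TEST, modeled in Python as an added example (not code from the thread or from Cisco) to check which prefixes each VRF ends up installing. Assumptions: every prefix except 192.168.10.0/24, the second VRF_B site on PE_C, and the RT_AWARE map are made up, and the model treats the import map as applying to every route learned from another PE, including the VRF's own remote sites.

```python
from ipaddress import ip_network

# Constructed VPNv4 table: (vrf, pe, prefix, export route-targets).
# RTs follow the first post; every prefix except 192.168.10.0/24 is made up.
ROUTES = [
    ("VRF_A", "PE_A", "192.168.10.0/24", {"1:1", "1:2"}),
    ("VRF_A", "PE_A", "192.168.20.0/24", {"1:1", "1:2"}),
    ("VRF_B", "PE_B", "10.2.1.0/24", {"1:1", "1:3"}),
    ("VRF_B", "PE_C", "10.2.2.0/24", {"1:1", "1:3"}),
    ("VRF_C", "PE_C", "10.3.1.0/24", {"1:1", "1:4"}),
]
SUPPORT = ip_network("192.168.10.0/24")

def permits(import_map, prefix, rts):
    """Evaluate (action, match_rt, match_net) clauses in order; None = match any."""
    for action, match_rt, match_net in import_map:
        rt_ok = match_rt is None or match_rt in rts
        net_ok = match_net is None or ip_network(prefix).subnet_of(match_net)
        if rt_ok and net_ok:
            return action == "permit"
    return False  # implicit deny at the end of a route-map

def vrf_table(vrf, pe, import_rts, import_map=None):
    """Prefixes installed in `vrf` on `pe`.

    Local routes are always present. A route learned from elsewhere is
    imported only if it carries one of import_rts AND, when an import
    map is configured, the map permits it.
    """
    table = set()
    for r_vrf, r_pe, prefix, rts in ROUTES:
        local = (r_vrf, r_pe) == (vrf, pe)
        wanted = bool(rts & import_rts)
        allowed = import_map is None or permits(import_map, prefix, rts)
        if local or (wanted and allowed):
            table.add(prefix)
    return table

B_IMPORTS = {"1:2", "1:3"}
# Same shape as IMPORT_TEST in the thread: one clause, prefix match only.
PREFIX_ONLY = [("permit", None, SUPPORT)]
# Hypothetical variant: permit VRF_B's own RT first, then the support LAN.
RT_AWARE = [("permit", "1:3", None), ("permit", None, SUPPORT)]

if __name__ == "__main__":
    print("VRF_B, no import map:", sorted(vrf_table("VRF_B", "PE_B", B_IMPORTS)))
    print("VRF_B, prefix-only  :", sorted(vrf_table("VRF_B", "PE_B", B_IMPORTS, PREFIX_ONLY)))
    print("VRF_B, RT-aware     :", sorted(vrf_table("VRF_B", "PE_B", B_IMPORTS, RT_AWARE)))
    print("VRF_A, imports 1:1  :", sorted(vrf_table("VRF_A", "PE_A", {"1:1"})))
```

In this model the prefix-only map also drops VRF_B's own remote site, and VRF_A still installs the VRF_B prefixes, so the import map removes only the return route for the rest of VRF_A.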
