Cisco Support Community
Community Member

VRF Import/Export - how to filter routes

Hi,

Is there another way of filtering the routes you want to import into a vrf because the 'route-target export' and 'route-target import' imports ALL the routes tagged with the given 'asn:xx'. I wanted to have only selected routes imported from one vrf to another. Vrf 'import map' command does not work for me?

Does filtering make sense or is it practical at the vrf-vrf level? Where do you use the 'import map' command?

thanks

resti

16 REPLIES
Cisco Employee

Re: VRF Import/Export - how to filter routes

Resti,

The import and export maps are purposely designed to selectively import/export routes between VRFs.

Regards

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
Community Member

Re: VRF Import/Export - how to filter routes

Thanks Harold for your response.

Do you have an example of this, especially the complete route-map used, or a previous topic citing this example? Can't find a sample of this in Cisco docs.

thanks,

Cisco Employee

Re: VRF Import/Export - how to filter routes

Resti,

Here's a very simple scenario, where you only want 192.168.1.0/24 to be exported from VRF1 to VRF2 and 192.168.2.0/24 to be exported from VRF2 to VRF1.

ip vrf VRF1
 rd 1:1
 route-target both 1:1
 export map toVRF2
!
ip vrf VRF2
 rd 1:2
 route-target both 1:2
 export map toVRF1
!
route-map toVRF1 permit 10
 match ip address 2
 set extcommunity rt 1:1
!
route-map toVRF2 permit 10
 match ip address 1
 set extcommunity rt 1:2
!
access-list 1 permit 192.168.1.0
access-list 2 permit 192.168.2.0
!

Regards

Harold Ritter
Community Member

Re: VRF Import/Export - how to filter routes

Hi,

I tried it but it did not work for me. Anything I'm missing? Here's my config, and 'show ip bgp vpnv4 all', and IOS c7200-js-mz.124-16a.bin:

thanks,

!
ip vrf Customer_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
!
ip vrf Customer_B
 rd 100:120
 export map CE5_Export
 route-target export 100:2000
 route-target import 100:2000
!
!
access-list 99 permit 10.30.30.0 0.0.0.255
access-list 99 permit 10.40.40.0 0.0.0.255
!
route-map CE5_Export permit 10
 match ip address 99
 set extcommunity rt 100:1000
!

PE4#sh ip bgp vpnv4 all
BGP table version is 56, local router ID is 10.128.1.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:110 (default for vrf Customer_A)
*>i10.128.1.7/32    10.128.1.3               0    100      0 65100 i
*> 10.128.1.10/32   10.128.4.14              0             0 65400 i
*>i10.128.4.0/30    10.128.1.3               0    100      0 65100 i
r> 10.128.4.12/30   10.128.4.14              0             0 65400 i
*>i172.100.1.0/24   10.128.1.3               0    100      0 65100 i
*> 172.100.4.0/24   10.128.4.14              0             0 65400 i
*> 192.168.1.0      10.128.4.14              0             0 65400 i
*> 192.168.2.0      10.128.4.14              0             0 65400 i
*> 192.168.3.0      10.128.4.14              0             0 65400 i
Route Distinguisher: 100:120 (default for vrf Customer_B)
*> 10.30.30.0/24    10.128.5.14              0             0 65500 i
*> 10.40.40.0/24    10.128.5.14              0             0 65500 i
*> 10.128.1.11/32   10.128.5.14              0             0 65500 i
r> 10.128.5.12/30   10.128.5.14              0             0 65500 i
PE4#

Cisco Employee

Re: VRF Import/Export - how to filter routes

Can you please post the output of "sh ip bgp v a 10.30.30.0"

Regards

Harold Ritter
Community Member

Re: VRF Import/Export - how to filter routes

Hi,

Here's the output of that command:

PE4#sh ip bgp vpnv4 all 10.30.30.0
BGP routing table entry for 100:120:10.30.30.0/24, version 46
Paths: (1 available, best #1, table Customer_B)
  Advertised to update-groups:
     1
  65500
    10.128.5.14 from 10.128.5.14 (10.128.1.11)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Extended Community: RT:100:2000
      mpls labels in/out 32/nolabel
PE4#

brgds,

Re: VRF Import/Export - how to filter routes

Hello,

I would try to remove "route-target export 100:2000" from the following configuration:

ip vrf Customer_B
 rd 100:120
 export map CE5_Export
 route-target export 100:2000
 route-target import 100:2000

Also, I would add a further statement in the route-map for the remaining prefixes, such as:

route-map CE5_Export permit 20
 set extcommunity rt 100:2000

In all the examples I have seen, when they are using an "export map", they are not using it together with "route-target export" . I do not know why this is so. In your case, it seems that "route-target export" overrides the "export map". In the "export map" command documentation the expected behavior in such a situation is not defined. Interestingly, the "import map" command is required together with "route-target import" (for automatic route filtering to work I guess).

Kind Regards,

M.

Community Member

Re: VRF Import/Export - how to filter routes

Hi,

Thanks M for your reply. I did not have time to try your suggestion yet but I think I got one solution and it's consistently working for me.

I noticed that you have to clear the vrf's bgp session to make sure changes take effect, otherwise SOME changes, esp. export/import map under the 'ip vrf' section, do not take effect automatically.

Below is the command I used on the PE. With this my original configuration works.

#clear ip bgp vrf ipv4 unicast soft

e.g.

PE4# clear ip bgp vrf Customer_B ipv4 unicast 65500 soft

brgds,

Cisco Employee

Re: VRF Import/Export - how to filter routes

Resti,

I ran into a similar issue at initial configuration. The workaround was to remove the route-map and re-apply it. A reload also fixed this issue.

Regards

Harold Ritter
Community Member

Re: VRF Import/Export - how to filter routes

Yeah, I guess sometimes we have to live with these 'undocumented features'!

Thanks&brgds,

Cisco Employee

Re: VRF Import/Export - how to filter routes

Hi,

Please consider the command "set extcommunity rt additive" in the route-map. If you omit the "additive" keyword then only the value from the route-map will be taken, whereas with the "additive" also the regular export route-targets will be used.

Harold,

What might explain the observed behaviour: modification of the export route-map will NOT trigger a re-import into BGP. So a "clear ip route" or a "clear ip bgp vpnv4 vrf..." can be required.

I usually first configure the route-map and afterwards the export map command. Usually this assures proper marking with the desired values.

Regards,

Martin
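
A small Python model of the `additive` behaviour described in the reply above, added here as an illustration and not part of any post in the thread: it applies the Customer_B export map from earlier in the thread to the prefixes in the posted BGP table and reports which VRFs would import each prefix, with and without `additive`. The `Customer_B@PE-remote` VRF, the function names, and the rule that prefixes not matched by the map keep the regular export route targets are assumptions of the model.

```python
import ipaddress

def export_rts(vrf, prefix):
    """Route targets a VPNv4 route carries after being exported from `vrf`."""
    regular = set(vrf["rt_export"])
    net = ipaddress.ip_network(prefix)
    for seq in vrf.get("export_map", []):            # route-map entries, in order
        if any(net.subnet_of(ipaddress.ip_network(m)) for m in seq["match"]):
            chosen = set(seq["set_rt"])
            # additive keeps the regular export RTs; without it they are replaced
            return regular | chosen if seq["additive"] else chosen
    # Assumption of this model: unmatched prefixes keep the regular export RTs.
    return regular

def importers(rts, vrfs):
    """Names of VRFs that have at least one import RT among `rts`."""
    return sorted(n for n, v in vrfs.items() if rts & set(v["rt_import"]))

def leak_report(source, vrfs, additive):
    """Map each prefix of `source` to the other VRFs that would import it."""
    src = dict(vrfs[source])
    src["export_map"] = [dict(s, additive=additive) for s in src.get("export_map", [])]
    others = {n: v for n, v in vrfs.items() if n != source}
    return {p: importers(export_rts(src, p), others) for p in src["prefixes"]}

# RTs, map and prefixes taken from the config and BGP table posted in the thread.
VRFS = {
    "Customer_A": {"rt_export": ["100:1000"], "rt_import": ["100:1000"], "prefixes": []},
    "Customer_B": {
        "rt_export": ["100:2000"], "rt_import": ["100:2000"],
        "prefixes": ["10.30.30.0/24", "10.40.40.0/24",
                     "10.128.1.11/32", "10.128.5.12/30"],
        "export_map": [{"match": ["10.30.30.0/24", "10.40.40.0/24"],
                        "set_rt": ["100:1000"]}],
    },
    # Constructed: the same customer VRF on a second PE (not in the thread).
    "Customer_B@PE-remote": {"rt_export": ["100:2000"],
                             "rt_import": ["100:2000"], "prefixes": []},
}

if __name__ == "__main__":
    for additive in (False, True):
        label = "additive" if additive else "replace"
        for prefix, dest in leak_report("Customer_B", VRFS, additive).items():
            print(f"{label:9} {prefix:16} -> {dest}")
```

Running the report against the intended policy before and after a route-map change shows whether a prefix has started crossing a VRF boundary it should not, or has stopped reaching the customer's own sites.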

Cisco Employee

Re: VRF Import/Export - how to filter routes

Martin,

Excellent observation. It is always a good idea to configure the route-map before applying it.

Regards

Harold Ritter
Community Member

Re: VRF Import/Export - how to filter routes

Hi Martin,

Thanks for the tips. I tested it and understand the effect of having the keyword 'additive' in it. Definitely useful feature.

Best regards,

Community Member

Hi Harold, How does VRF export

Hi Harold,

How does VRF export work? Does it export the route regardless or does it have to be present? In your example when you export 192.168.1.0/24 from VRF1 to VRF2, what happens if the 192.168.1.0/24 route goes away from the routing table? Will the export remove that route from VRF2 automatically?

Thanks,

Sam

Cisco Employee

Hi Sam, The route has to be

Hi Sam,

The route has to be present. If 192.168.1.0/24 is removed from VRF1, it is automatically removed from VRF2 as well.

Regards,

Harold

Harold Ritter
Community Member

Thanks Harold, I will give it

Hi Harold,

Actually my needs are a little different. Instead of leaking between 2 VRFs, I need to leak to global. Have a default in my VRF that gets imported to global table.

Goals:
1. At hub and spoke both sites, let ISP connection run in a separate VRF. Gets a little extra security from internet.

2. When ISP connection is active, let each site route its traffic out to internet directly. However when the local ISP connection fails, remove the default route that points to ISP so that OSPF learned default from the hub site routes all traffic to hub and puts on internet.

What's working:
DMVPN tunnels work fine across INET VRF.

What's not working:
1. The IP SLA tracked route leak to global VRF is not working. Traffic doesn't go out to internet directly using local connection.

I followed the following example for this configuration.
http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/multiprotocol-label-switching-vpns-mpls-vpns/47807-routeleaking.html

Any suggestions? Is it possible or supported configuration?

Below is a diagram of my setup.

Below is my relevant config snapshot. 2.2.2.1 is actually my another FW in front in the lab that does all NAT and provides internet connection to this lab.


ip sla auto discovery
ip sla 1
 icmp-echo 8.8.8.8 source-ip 2.2.2.2
 vrf INET
ip sla schedule 1 life forever start-time now
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 2.2.2.1 track 1
ip route vrf INET 0.0.0.0 0.0.0.0 2.2.2.1

!

Lab-RTR#sh ip sla summary
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending

ID           Type        Destination       Stats       Return      Last
                                           (ms)        Code        Run
-----------------------------------------------------------------------
*1           icmp-echo   8.8.8.8           RTT=32      OK          4 seconds ago

!

Lab-RTR#sh ip route | in 0.0.0.0
Gateway of last resort is 10.254.2.99 to network 0.0.0.0
O*E1  0.0.0.0/0 [110/221] via 10.254.2.99, 00:00:59, Tunnel2

As you can see, it's learning default from Tunnel instead of taking the static default.
