VRF Leaking (bug??)

random_camden · ‎06-13-2007

I am trying to leak specific routes between two VRF's using the following config.

It filters one way, but doesn;t pass any routes the other. If I replace

export map customer-mgt-range

with

route-target import 39097:701

then all routes get learnt. If I then put the original line back in, it all works fine. Looks like a bug to me, but can't find a matching one on CCO.

ip vrf MGT

rd 39097:701

export map mgt-range

route-target import 39097:999

!

ip vrf TWR1

rd 39097:702

export map customer-mgt-range

route-target import 39097:701

access-list 31 permit 172.31.0.0 0.0.255.255

access-list 32 permit 195.60.197.0

!

route-map customer-mgt-range permit 10

match ip address 31

set extcommunity rt 39097:999

!

route-map mgt-range permit 10

match ip address 32

set extcommunity rt 39097:701

swaroop.potdar · ‎06-13-2007

This should work...you have these 2 VRF;s on the same router is that correct.

Also i was unable to understand the quote

"export map customer-mgt-range

with

route-target import 39097:701

"

You mean to say you replaced a export map with route-targe import and it works fine ??..

I am unable to understand as how can a Export funcion is replaced by an Import function.

Post all the relevant parts of the config to better understand.

HTH-Cheers,

Swaroop

random_camden · ‎06-13-2007

Sorry, my typo.

export map customer-mgt-range didn't work.

I replaced it with route-target export 39097:701 and it imported all.

Then I put back the original export map customer-mgt-range and it worked.

Here's the config...

ip vrf MGT

rd 39097:701

export map mgt-range

route-target import 39097:999

!

ip vrf TWR1

rd 39097:702

export map customer-mgt-range

route-target import 39097:701

!

router bgp 39097

no synchronization

bgp log-neighbor-changes

no auto-summary

!

address-family ipv4 vrf TWR1

neighbor 10.253.248.133 remote-as 39097

neighbor 10.253.248.133 activate

neighbor 10.253.248.133 route-reflector-client

neighbor 10.253.248.137 remote-as 39097

neighbor 10.253.248.137 activate

neighbor 10.253.248.137 route-reflector-client

neighbor 10.253.248.151 remote-as 39097

neighbor 10.253.248.151 activate

neighbor 10.253.248.171 remote-as 39097

neighbor 10.253.248.171 activate

maximum-paths 2

no auto-summary

no synchronization

network 172.31.99.2 mask 255.255.255.255

exit-address-family

!

address-family ipv4 vrf MGT

neighbor 10.253.0.133 remote-as 39097

neighbor 10.253.0.133 activate

neighbor 10.253.0.133 route-reflector-client

neighbor 10.253.0.137 remote-as 39097

neighbor 10.253.0.137 activate

neighbor 10.253.0.137 route-reflector-client

neighbor 10.253.0.151 remote-as 39097

neighbor 10.253.0.151 activate

neighbor 10.253.0.171 remote-as 39097

neighbor 10.253.0.171 activate

maximum-paths 2

no auto-summary

no synchronization

network 0.0.0.0

network 195.60.197.0

network 195.60.197.10 mask 255.255.255.255

exit-address-family

!

ip route 0.0.0.0 0.0.0.0 172.16.10.1

ip route vrf MGT 0.0.0.0 0.0.0.0 10.253.0.152

ip route vrf MGT 195.60.197.0 255.255.255.0 10.253.0.172

ip prefix-list mgt-range seq 6 permit 195.60.197.0/24 le 32

!

ip prefix-list customer-mgt-range seq 5 permit 172.31.0.0/16 le 32

access-list 31 permit 172.31.0.0 0.0.255.255

access-list 32 permit 195.60.197.0

!

route-map customer-mgt-range permit 10

match ip address 31

set extcommunity rt 39097:999

!

route-map mgt-range permit 10

match ip address 32

set extcommunity rt 39097:701

swaroop.potdar · ‎06-13-2007

Config looks clean....Bug is ruled out as on the same device, same IOS,if it works one way, then definately has to work the other way.

Are you able to recreate this, or this happened once and stopped.

I could think of only one possibility, before you removed the export-map the routes werent matching the ACL you were using, later when you put it back again, they matched.

So could you confirm any other changes were made as well in between the issue detection and resolution.

HTH-Cheers,

Swaroop