Sunday, January 18, 2015

Route leaking between different VRFs (using static routing)

I haven't used VRF with static routes before. All I used before was VRF with BGP/OSPF/EIGRP.

Here is the solution I found to leak traffic between different VRFs using static routes.

BGP on R1 does NOT require a BGP neighbor. Also, VRF RED and VRF BLUE on R1 do NOT need to import their own rd, which is the only difference compared to the solution provided here.
R2 uses normal routing with no VRF involved.




Configuration
R1(config)#
ip vrf RED
 rd 65535:3
 route-target export 3:3
 route-target import 4:4
!
ip vrf BLUE
 rd 65535:4
 route-target export 4:4
 route-target import 3:3
!
ip route vrf RED 192.168.3.0 255.255.255.0 192.168.1.2
ip route vrf BLUE 192.168.4.0 255.255.255.0 192.168.2.2
!
router bgp 65535
 address-family ipv4 vrf RED
  redistribute connected
  redistribute static
 !
 address-family ipv4 vrf BLUE
  redistribute connected
  redistribute static
 !

Verification
R1#sh ip bgp vpnv4 all
BGP table version is 13, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 3:3 (default for vrf RED)
*> 192.168.1.0      0.0.0.0                  0         32768 ?
*> 192.168.2.0      0.0.0.0                  0         32768 ?
*> 192.168.3.0      192.168.1.2              0         32768 i
*> 192.168.4.0      192.168.2.2              0         32768 ?
Route Distinguisher: 4:4 (default for vrf BLUE)
*> 192.168.1.0      0.0.0.0                  0         32768 ?
*> 192.168.2.0      0.0.0.0                  0         32768 ?
*> 192.168.3.0      192.168.1.2              0         32768 i
*> 192.168.4.0      192.168.2.2              0         32768 ?

R1#ping vrf RED 192.168.4.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/37/60 ms

R1#ping vrf BLUE 192.168.3.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/30/68 ms

*************************************************************************************
After doing more research, I found there is another way to force a VRF leak.

By default, VRF leaking with static routes is enabled; it is controlled by "ip route static inter-vrf".

For example, on R1, the complete configuration is:
Configuration
ip vrf RED
 rd 65535:3
!
ip route vrf RED 192.168.3.0 255.255.255.0 192.168.1.2
ip route vrf RED 192.168.4.0 255.255.255.0 f0/1 192.168.2.2 global
ip route 192.168.4.0 255.255.255.0 192.168.2.2
ip route 192.168.3.0 255.255.255.0 f0/0 192.168.1.2
!

Verification
R1#sh ip route vrf RED
Routing Table: RED
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set

C 192.168.1.0/24 is directly connected, FastEthernet0/0
S 192.168.3.0/24 [1/0] via 192.168.1.2
S 192.168.4.0/24 [1/0] via 192.168.2.2, FastEthernet0/1

R1#ping vrf RED 192.168.4.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/37/60 ms

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set

C 192.168.2.0/24 is directly connected, FastEthernet0/1
S 192.168.3.0/24 [1/0] via 192.168.1.2, FastEthernet0/0
S 192.168.4.0/24 [1/0] via 192.168.2.2

R1#ping 192.168.3.2 source 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/30/68 ms
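
Since a VRF is usually deployed as a segmentation boundary, it helps to be able to list which leak paths a configuration opens. The following is an added example, not part of the original post: a Python audit that reads IOS configuration text and reports both mechanisms shown above, a route target exported by one VRF and imported by another, and a VRF static route using the "global" keyword. The function name find_vrf_leaks and the merged sample text are assumptions; leaks through an egress interface that belongs to another VRF (the global route via f0/0 above) are not detected, because that needs the interface configuration, which the post does not show.

```python
import re
from collections import defaultdict

# Constructed sample: the R1 commands from both sections of this post, merged.
SAMPLE = """\
ip vrf RED
 rd 65535:3
 route-target export 3:3
 route-target import 4:4
!
ip vrf BLUE
 rd 65535:4
 route-target export 4:4
 route-target import 3:3
!
ip route vrf RED 192.168.3.0 255.255.255.0 192.168.1.2
ip route vrf RED 192.168.4.0 255.255.255.0 f0/1 192.168.2.2 global
ip route 192.168.4.0 255.255.255.0 192.168.2.2
"""

def find_vrf_leaks(config):
    """Return sorted (kind, routes_from, installed_in, detail) tuples."""
    exports, imports, leaks = defaultdict(set), defaultdict(set), set()
    vrf = None  # VRF stanza currently being read
    for line in config.splitlines():
        s = line.strip()
        if s == "!":
            vrf = None
        elif m := re.fullmatch(r"ip vrf (\S+)", s):
            vrf = m.group(1)
        elif vrf and (m := re.fullmatch(r"route-target (export|import|both) (\S+)", s)):
            if m.group(1) != "import":
                exports[vrf].add(m.group(2))
            if m.group(1) != "export":
                imports[vrf].add(m.group(2))
        elif m := re.match(r"ip route vrf (\S+) (\S+) (\S+) (.+)", s):
            # "global" resolves the next hop in the global table, not the VRF
            if "global" in m.group(4).split():
                leaks.add(("static-global", "global", m.group(1),
                           f"{m.group(2)} {m.group(3)}"))
    # A route target exported by one VRF and imported by another leaks routes
    for src, rts in exports.items():
        for dst, wanted in imports.items():
            if src != dst:
                leaks.update(("route-target", src, dst, rt) for rt in rts & wanted)
    return sorted(leaks)

if __name__ == "__main__":
    for leak in find_vrf_leaks(SAMPLE):
        print(leak)
```

An empty result for a configuration means neither of these two leak mechanisms is present in it.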
