Route-target imports - scalable

Hi,
at the moment i´m using the following config for route-target imports:
ip vrf NAME-0001
rd 65123:1
route-target import 65123:1
route-target import 65123:2
route-target import 65123:3
route-target import 65123:4
route-target import 65123:5
route-target import 65123:999
I would like the following:
ip vrf NAME-0001
rd 65123:1
import map ALL
route-map ALL permit 10
match "ROUTE-TARGET" 65123:*
But my config doesn´t work - even if i permit ANYTHING within the route-map ALL
What´s the way to do this?

The import map can be only used to further filter a prefix that has already been accepted by the "route-target import" statement.
In a point to multipoint scenario, you could include the RT of the hub VRF on the spokes VRFs, which would alleviate the need to add new "route-target import" on the hub PE every time you add a new PE.
In an any to any scenario, you could define a RT that is common to all PEs, which doesn't necessarily need to match the RD.
Hope this helps,

Similar Messages

Using "route-target import" only connected routes?

When using the route-target import, the only routes imported are ones directly connected on one of the other PE routers. How does one get the advertised routes and the connected routes imported?
PE1 -- PE2
|
|
PE3
Customer's remote site attaches to PE1 which peers to PE2. PE2 connects to Customer HQ.
Another VRF (100:110) provides a centralized service that will be used by several different customers. Some of the subnets for this shared service are directly connected to PE2 while other subnets are directly connected to PE3.
Since PE1 and PE2 were already peered, I thought all that was needed was an import statement to get the routes from the shared service vrf into the customer's vrf.
PE1:
ip vrf customer1
rd 100:105
route-target export 100:105
route-target import 100:105
route-target import 100:110
When I do a 'show ip route vrf Customer1' the only routes that appear are the ones directly connected to PE2. I then peered PE1 to PE3, creating a full mesh but no other routes appeared in the routing table.
PE1 -- PE2
\ |
\ |
\ PE3
I plan to use an export map and import map to filter the networks to the desired ones, but in this example, should not all routes be seen from the shared services VRF (100:110)?
Thanks!

Frank,
Performing the import on one PE doesn't cause that one PE to start advertising the imported prefixes to other member of the same VRF on other PEs.
If you want the prefixes from the shared services VRF to show up in the customer VRF on all PEs, you need to import RT 100:10 in VRF Customer1 on all PEs.
Hope this helps,

Changing default route after import route-target

Hi there,
Before I import route-target, the default route is set to 192.168.0.22 . After import the vrf, suddently it change to another PE, which is 192.168.0.19 . How do I force the default route to use 192.168.0.22 ?
before adding route-target import 4000:1
PE#sh ip route vrf customer 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 100", distance 200, metric 0, candidate default path,
type internal
Last update from 192.168.0.22 00:14:08 ago
Routing Descriptor Blocks:
* 192.168.0.22 (Default-IP-Routing-Table), from 192.168.0.3, 00:14:08 ago
Route metric is 0, traffic share count is 1
AS Hops 0
PE#sh ip bgp vpnv4 vrf customer 0.0.0.0
BGP routing table entry for 100:239:0.0.0.0/0, version 335256
Paths: (2 available, best #2, table customer)
Not advertised to any peer
Local
192.168.0.22 (metric 4) from 192.168.0.45 (192.168.0.45)
Origin incomplete, metric 0, localpref 100, valid, internal
Extended Community: RT:100:120
Originator: 192.168.0.50, Cluster list: 192.168.0.45
Local
192.168.0.22 (metric 4) from 192.168.0.3 (192.168.0.3)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Extended Community: RT:100:120
Originator: 192.168.0.50, Cluster list: 192.168.0.3
after adding route-target import 4000:1
PE#sh ip route vrf customer 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 100", distance 200, metric 0, candidate default path,
type internal
Last update from 192.168.0.19 00:00:09 ago
Routing Descriptor Blocks:
* 192.168.0.19 (Default-IP-Routing-Table), from 192.168.0.3, 00:00:09 ago
Route metric is 0, traffic share count is 1
AS Hops 0
PE#sh ip bgp vpnv4 vrf customer 0.0.0.0
BGP routing table entry for 100:239:0.0.0.0/0, version 335386
Paths: (3 available, best #1, table customer)
Flag: 0x1820
Not advertised to any peer
Local, imported path from 4000:1:0.0.0.0/0
192.168.0.19 (metric 2) from 192.168.0.3 (192.168.0.3)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Extended Community: RT:4000:1
Originator: 192.168.0.19, Cluster list: 192.168.0.3
Local
192.168.0.22 (metric 4) from 192.168.0.45 (192.168.0.45)
Origin incomplete, metric 0, localpref 100, valid, internal
Extended Community: RT:100:120
Originator: 192.168.0.50, Cluster list: 192.168.0.45
Local
192.168.0.22 (metric 4) from 192.168.0.3 (192.168.0.3)
Origin incomplete, metric 0, localpref 100, valid, internal
Extended Community: RT:100:120
Originator: 192.168.0.50, Cluster list: 192.168.0.3
thanks in advance.
maher

Maher,
Here's an example:
router bgp xx
address-family vpnv4
nei x.x.x.x route-map localpref in
ip extcommunity 1 permit rt 4000:1
route-map localpref permit 10
match extcommunity 1
set local-preference 110
route-map localpref permit 20
BTW: if the route with RT 4000:1 had a different RD both routes would get imported in the VRF and you could set the local-pref using an import map instead of an inbound route-map on the VPNv4 session.
Hope this helps,

Importing route targets

Dear friends,
Just to give an example, lets take vrf A (source vrf) and vrf B (destination vrf where we are saying route-target import) and let x:y be the export route-target used by vrf A.
When i say route-target import x:y in vrf B, then what exactly am i importing?
Am i importing only routes for directly connected networks on vrf A and static routes redistributed into vrf A?
What about routes that are exported from other vrf's but set with the extcommunity that matches this route-target x:y. Are they also imported?
What about the other route-targets imported into vrf A? Do they also land into vrf B?
Thanks a lot
Gautam

Hi Gautam,
When you configure route-target import x:y under a VRF, you actually import into the PE VPNv4 table all the VPNv4 prefixes which has one of their RT set to x:y.
To export a route, the PE needs first to add it into the VRF BGP table. So you need to redistribute those routes into the address-family ipv4 vrf sub-mode configuration. The way those routes are learned from the CE depends of the configuration: could be dynamic via BGP, OSPF,.. or static
An imported route is never exported back to the backbone.
HTH
Laurent.

Route-target propagation from PE up to CE

Hi,
Little question for expert please.
Is there a way to propagate RT extended community from PE to CE ? (ie : on an address family ipv4 eBGP neighbor)
During my tests, I activated "send extended community ebgp" from PE to CE and successfully verified that the RT was propagated on the CE side.
Unfortunately, the RT tag is not inserted in the BGP table and so are not usable for route-maps on the CE side.
Perhaps I'm missing a magical command to activate on the CE...
Thanks a lot for your opinion.
Regards.

Hi,
Yes we are.
After some tips by another way, I finally get the following information :
IOS-XR respect the section 7.4.d of RFC 4364 (http://tools.ietf.org/search/rfc4364#section-7)
Specifically the following point :
The CE may suggest a particular Route Target for each
route, from among the Route Targets that the PE is
authorized to attach to the route. The PE would then
attach only the suggested Route Target, rather than
the full set. This gives the CE administrator some
dynamic control of the distribution of routes from
the CE.
Even if this trick is given on the way CE to PE, I tried it on my use case and, if you export "every RT" on the CE side, it keeps only the RT matching the one sent by the PE
(a bit weird, but it's "working")
If you have another point a view, I'm interrested to ear it.
Thanks

Bgp default route-target filter

Hi folks,
how that command works, and why it don't need to be configured on an ASBR that is functioning as RR?
Thank you very much for your support
Regards
Andrea

By default, a cisco router will filter out prefixes that contain a route-target that is not use locally on that router.
This check is disabled when you configure a route-reflector-client, since the client may need one of those routes.
On an ASBR that IS already a RR, you don't need to mess with this command because the rt filter check is already turned off.
However, if your ASBR is not a RR ( or doesn't have a particular VPN configured locally) and you need to advertise VPN prefixes to another AS, then you need to turn this check off or the ASBR will filter out the prefixes when they are received from its internal peers, so it will not have them to advertise to another else. In this case, you would do a "no bgp default route-target filter" on the ASBR so the routes are accepted even though they will not be used locally.
HTH
-Rob

Import/export route targets from E-BGP ?

hi all,
a newbie question again,
can i import/export rte target in a vrf from/to ebgp session,
in all my readings i only see samples from import/export with iBGP peering
thanks for answer

Yes you can do it this way as well, without the MP-EBGP peering between the both AS's RR's. (You have missed the multi-hop neighbor statement)
This will achieve the RT exchange between the PE's, so next you will have to import that RT on the other side.
Once you have the RT with the routes exchanged you will have VPN labels as well populated for the routes on the remote side.
Now you will have to implement a method to assign an IGP label on top of the VPN label (this label should be for the PE's loopback of AS 100 who advertised this route to AS 200)
In your case, you can use the send-label command at the ASBR's for the IGP route of the PE;s in their AS' with a label. For this you can redistribute IGP into BGP and again BGP into IGP (with a route-map matching only PE's loopback in their AS and the remote AS).
So you will effectively have 2 labels to switch traffic between the AS's (IGP and the VPN label).
HTH-Cheers,
Swaroop

STMS Transport Route Administration - Import Targets not modifiable.

Hello. I'm trying to configure cCTS for use with CHARM. I have created my system clusters and defined a consolidation and delivery route for the clusters. Now when I double click on my clusters in edit mode and navigate to the Import Targets tab, I am not able to modify this tab. I have been following the cCTS for CHARM and QGM Configuration guide.

Thanks Jessica
I'm also working with OSS SAP Support now to try and resolve my issue.
In short I can some up the problem and testing completed so far.
To Start:
The Server group removed old QA server from our SAP Landscape, therefore STMS Transport Route required rebuilding.
Systems:
We have a very complex system setup with SAP R3, CRM and BW systems. Each system has it's own server (Dev = R3D, CRD & BWD, QA Testing is now = R3T, CRT & BWT, Production = R3P, CRP & BWP) The Original QA servers are now being removed (R3Q, CRQ & BWQ)
CRD is the Transport Domain Controller, with transport bins located on CRD for R3D & BWD, CRT for R3T & BWT and CRP for R3P & BWP. (Firewalls and Server locations are the root cause for the different Trans Directories)
Transport route:
Transport route for SAP R3 was: R3D -> R3Q -> R3T & R3P (in a delivery group). The new Transport Route needs to be R3D -> R3T -> R3P.
Main Problem now: With the Transport Route configured like R3D -> R3T -> R3P, any new transport requests created in R3D moves to the R3T Import Queue automatically when the transport is released. Once the transport is successfully imported into R3T, it should automatically be added to the R3P Import Queue, but does not.
Present work around: I've reconfigured the Transport route to R3D -> R3T & R3P. Any tranport request once released, is successfully added to both the R3T & R3P Import Queues.
I have checked all SAPService<sid> OS users and passwords, ensured that the TMSADM user was recreated and working on each of the systems, used telnet to log onto each of the servers from each of the other servers at the OS level (to ensure it's not a landscape firewall security issue), I've also checked all RFC connections in the same manner (to ensure each system can reach the others), recreated the route from R3T to R3P as both a Consolidation and a Delivery type of route,
I will post any resolution found later.
Thanks for the help anyway

Route Target Quantity limitation

anyone know how many(quantity) different RT's you can import into 1 central VRF. What the limitation is?

Hi,
import can be "any number", I myself tried more than 500 in a lab environment with no problem. RT export is different in that you may only have up to 128 extended communities in a single BGP update and additionally a maximum BGP update size of 4096 Bytes exists. Whichever limit you hit first will prevent you from announcing a VPNv4 prefix.
Hope this helps! Please rate all posts.
Regards, Martin

VRF Import/Export - how to filter routes

Hi,
Is there another way of filtering the routes you want to import into a vrf because the 'route-target export' and 'route-target import' imports ALL the routes tagged with the given 'asn:xx'. I wanted to have only selected routes imported from one vrf to another. Vrf 'import map' command does not work for me?
Does filtering makes sense or practical at vrf-vrf level? Where do you use 'import map' command?
thanks
resti

Hi Harold,
Actually my needs are a little different. Instead of leaking between 2 VRFs, I need to leak to global. Have a default in my VRF that gets imported to global table.
Goals:
1. At hub and spoke both sites, let ISP connection run in a separate VRF. Gets a little extra security from internet.
2. When ISP connection is active, let each site route its traffic out to internet directly. However when the local ISP connection fails, remove the default route that points to ISP so that OSPF learned default from the hub site routes all traffic to hub and puts on internet.
What's working:
DMVPN tunnels work fine across INET VRF.
What's not working:
1. The IP SLA tracked route leak to global VRF is not working. Traffic doesn't go out to internet directly using local connection.
I followed following example for this configuration.
http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/multiprotocol-label-switching-vpns-mpls-vpns/47807-routeleaking.html
Any suggestions? Is it possible or supported configuration?
Below is a diagram of my setup.
Below is my relevant config snapshot. 2.2.2.1 is actually my another FW in front in the lab that does all NAT and provides internet connection to this lab.
ip sla auto discovery
ip sla 1
icmp-echo 8.8.8.8 source-ip 2.2.2.2
vrf INET
ip sla schedule 1 life forever start-time now
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 2.2.2.1 track 1
ip route vrf INET 0.0.0.0 0.0.0.0 2.2.2.1
Lab-RTR#sh ip sla sumary
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending
ID           Type        Destination       Stats       Return      Last
                                           (ms)        Code        Run
*1           icmp-echo   8.8.8.8           RTT=32      OK          4 seconds ago
Lab-RTR#sh ip route | in 0.0.0.0
Gateway of last resort is 10.254.2.99 to network 0.0.0.0
O*E1 0.0.0.0/0 [110/221] via 10.254.2.99, 00:00:59, Tunnel2
As you can see, its learning default from Tunnel instead of taking the static default.

Trouble getting internet route table distributet in a VRF

Hi every one ..
I'm have some trouble getting distributed the internet routing table between PE routers ...
CE1 og PE1 works fine, BGP routes all internet routes are shown i en route table, but distributing between PE1 and PE2 is now working .. any one having a clue !!.
My gold is to move internet access into it's oven VRF, and away from the global routing table
In the MPLS core aim running the same AS number as our official AS, that we use for peering to the internet..
snap of configurations
***CE1***
router bgp 65534
neighbor 172.31.61.55 remote-as 65534
neighbor 172.31.61.55 description PE-1
neighbor 172.31.61.55 shutdown
neighbor 172.31.61.55 update-source Loopback0
neighbor 172.31.61.55 next-hop-self
***MPLS PE1***
ip vrf NET-INTERNET
rd 65534:10051
route-target export 65534:10051
route-target import 65534:10051
interface Port-channel1.35
encapsulation dot1Q 35
ip vrf forwarding NET-INTERNET
ip address 172.31.61.55 255.255.255.224
mpls label protocol ldp
tag-switching mtu 1546
tag-switching ip
router bgp 65534
neighbor 192.168.0.146 remote-as 65534
neighbor 192.168.0.146 description PE2
neighbor 192.168.0.146 update-source Loopback0
neighbor 192.168.0.146 version 4
neighbor 192.168.0.146 next-hop-self
address-family vpnv4
neighbor 192.168.0.146 activate
neighbor 192.168.0.146 send-community both
exit-address-family
address-family ipv4 vrf NET-INTERNET
neighbor 172.31.1.2 remote-as 65534
neighbor 172.31.1.2 activate
neighbor 172.31.1.2 description CE1
no auto-summary
no synchronization
exit-address-family
***MPLS PE2***
ip vrf NET-INTERNET
rd 65534:10051
route-target export 65534:10051
route-target import 65534:10051
interface Port-channel1.67
encapsulation dot1Q 67
ip vrf forwarding NET-INTERNET
ip address 172.31.254.1 255.255.255.252
mpls label protocol ldp
tag-switching mtu 1546
tag-switching ip
router bgp 65534
neighbor 192.168.0.132 remote-as 65534
neighbor 192.168.0.132 description PE1
neighbor 192.168.0.132 update-source Loopback0
neighbor 192.168.0.132 version 4
address-family ipv4 vrf NET-INTERNET
neighbor 172.31.254.2 remote-as 65534
neighbor 172.31.254.2 activate
Best regards
/Peter

For VPN routes to be exchanged between the two PEs, you first need to configure VPNv4 address family on each one of the PEs.
Carrying the full Internet routing table over VPNv4 will work but it is not very scalable since all PE routers have to hold the full Internet routing table in the VRF context in addition to potentially full Internet routing table in the global routing table. If you want to exchange full Internet routing table between the two CEs, it would be preferable to use something Carrier Supporting Carrier (CSC).
Please refer to the following URL for additional information on CSC:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s23/fscscl23.htm
Hope this helps,

Interface Vlan is not installed in routing table

Dear All,
Today I faced a strange problem and I want to share it with you to find what is the problem ?
we have a VRF for one customer and we use interface vlan to define customer's branch.
The customer interface is VLAN 422 and it is defined under customer VRF probably .
PE#sh running-config vrf V3056:RIYADHBANK
Building configuration...
Current configuration : 1321 bytes
ip vrf V3056:RIYADHBANK
rd 65000:3887
maximum routes 1400 80
route-target export 65000:5405
route-target import 65000:5405
route-target import 65000:5406
interface Vlan422
description By *****
ip vrf forwarding V3056:RIYADHBANK
ip address 172.29.12.97 255.255.255.252
service-policy input 2M_IN
PE#sh vlan id 422
VLAN Name Status Ports
422 422 active Gi3/0/11 efp_id 422
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
422 enet 100422 1500 - - - - - 0 0
Remote SPAN VLAN
Disabled
Primary Secondary Type Ports
PE#
we can see the interface vlan is up
PE-L3Agg-Khu-107-2#sh int vlan 422 description
Interface Status Protocol Description
Vl422 up up ****
PE#
and we can see the vlan 422 belongs to the correct VRF
PE#sh vrf V3056:RIYADHBANK
Name Default RD Protocols Interfaces
V3056:RIYADHBANK 65000:3887 ipv4 Vl627
Vl775
Vl422
PE#
when we tried to troubleshoot the customer routing we found :
PE-L3Agg-Khu-107-2#ping vrf V3056:RIYADHBANK 172.29.12.97
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.12.97, timeout is 2 seconds:
Success rate is 0 percent (0/5)
PE-#
we could not ping the ip address of interface vlan 422.
PE#sh ip route vrf V3056:RIYADHBANK 172.29.12.97
Routing Table: V3056:RIYADHBANK
% Subnet not in table
PE#
PE#show ip route vrf V3056:RIYADHBANK connected
Routing Table: V3056:RIYADHBANK
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.111.16 to network 0.0.0.0
172.29.0.0/16 is variably subnetted, 338 subnets, 2 masks
C 172.29.12.44/30 is directly connected, Vlan627
L 172.29.12.45/32 is directly connected, Vlan627
PE-L3Agg-Khu-107-2#
PE-L3Agg-Khu-107-2#
My question is: Why the interface vlan 422 is not installed in VRF Table as it is UP ??
thanks in advance!
Rashed Wardi.

what platform is this? can you please paste the output of show version and show run?
Also when you tested this was int Gi3/0/11 up/up?
Best Regards,
Bheem

Route Leaking between VRF:s (Shared services)

Hi,
I'm a bit confused by this setup that i'm trying to achieve.
The setup is classic though, I have one VRF for education (EDU), one for administrators (ADM) and then a shared VRF (GEM) like this:
ip vrf ADM
description *** ADMIN NET ***
rd 2:2
export map ADM-to-EDU
route-target export 2:2
route-target import 1:1
route-target import 2:2
ip vrf EDU
description *** ELEV NET ***
rd 3:3
route-target export 3:3
route-target import 1:1
route-target import 33:33
route-target import 3:3
ip vrf GEM
description *** GEMENSAM NET ***
rd 1:1
route-target export 1:1
route-target import 2:2
route-target import 3:3
route-target import 1:1
As you can see, i have also configured an export map for vrf ADM, which i'm then importing routes from.
the Map looks as follows:
access-list 1 permit 172.18.254.37
route-map ADM-to-EDU permit 10
match ip address 1
set extcommunity rt 33:33 additive
A relevant part of the ip setup is as follows:
interface Loopback3
ip vrf forwarding EDU
ip address 3.3.3.3 255.255.255.255
interface Loopback37
ip vrf forwarding ADM
ip address 172.18.254.37 255.255.255.255
I'm running BGP:
router bgp 65235
no synchronization
bgp log-neighbor-changes
no auto-summary
address-family ipv4 vrf GEM redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
address-family ipv4 vrf EDU
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
address-family ipv4 vrf ADM
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
Now, the thing is, the leaking is working, i can see the leaked route in the EDU routing table below,
Router#sh ip route vrf EDU
Routing Table: EDU
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.19.16.5 to network 0.0.0.0
 1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 is directly connected, 04:53:31, Loopback1
 3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback3
 172.19.0.0/32 is subnetted, 1 subnets
B 172.19.16.5 is directly connected, 02:27:51, Loopback0
 172.18.0.0/32 is subnetted, 1 subnets
B 172.18.254.37 is directly connected, 00:32:14, Loopback37
B* 0.0.0.0/0 [20/0] via 172.19.16.5 (GEM), 02:08:42
but i cannot reach it:
Router#ping vrf EDU 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
Success rate is 0 percent (0/5)
But if i run "debug ip packet" and the perform another ping, i get this result which i think is a bit weird? to me it seems as if it works.
Router#ping vrf EDU 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
*Mar 1 05:42:40.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:40.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:40.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:40.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:40.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:40.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:42.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:42.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:42.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:42.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:42.582: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:42.586: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:42.590: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:42.590: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:44.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:44.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:44.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:44.574: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:44.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:44.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:46.566: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:46.570: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:46.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:46.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:46.570: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:46.574: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
*Mar 1 05:42:48.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:48.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
*Mar 1 05:42:48.566: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
*Mar 1 05:42:48.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
*Mar 1 05:42:48.574: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:48.574: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
*Mar 1 05:42:48.582: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
*Mar 1 05:42:48.582: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
Success rate is 0 percent (0/5)
Router#
However, if i add leaking for 3.3.3.3 in ADM vrf like this:
access-list 2 permit 3.3.3.3
route-map EDU-to-ADM permit 10
match ip address 2
set extcommunity rt 22:22 additive
ip vrf ADM
description *** ADMIN NET ***
rd 2:2
export map ADM-to-EDU
route-target export 2:2
route-target import 1:1
route-target import 22:22 < - added line
route-target import 2:2
ip vrf EDU
description *** ELEV NET ***
rd 3:3
export map EDU-to-ADM < - added line
route-target export 3:3
route-target import 1:1
route-target import 33:33
route-target import 3:3
Then it will work:
Router#ping vrf EDU 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms
So actually, my big question is, am i doing this the right or wrong way? i'm a bit confused.
Sorry about the rant, maybe it will clarify some things for others who are confused, or maybe just make it worse!
Some additional thoughts:
Why can't i perform this ping, shouldnt this work?
Router#ping vrf GEM 172.18.254.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Router#
bgp info:
Router#sh ip bgp vpnv4 all
BGP table version is 79, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
 r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
 Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf GEM)
*> 0.0.0.0 172.19.16.5 0 32768 ?
*> 1.1.1.1/32 0.0.0.0 0 32768 ?
*> 2.2.2.2/32 0.0.0.0 0 32768 ?
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 172.18.254.37/32 0.0.0.0 0 32768 ?
*> 172.19.16.5/32 0.0.0.0 0 32768 ?
Route Distinguisher: 2:2 (default for vrf ADM)
*> 0.0.0.0 172.19.16.5 0 32768 ?
*> 1.1.1.1/32 0.0.0.0 0 32768 ?
*> 2.2.2.2/32 0.0.0.0 0 32768 ?
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 172.18.254.37/32 0.0.0.0 0 32768 ?
*> 172.19.16.5/32 0.0.0.0 0 32768 ?
Route Distinguisher: 3:3 (default for vrf EDU)
*> 0.0.0.0 172.19.16.5 0 32768 ?
*> 1.1.1.1/32 0.0.0.0 0 32768 ?
 Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 172.18.254.37/32 0.0.0.0 0 32768 ?
*> 172.19.16.5/32 0.0.0.0 0 32768 ?
Router#

Thank you for your answer Aravala.
Ok, so i think i'm beginning to understand this now after several hours..
Below is my setup now, and it works, but the thing is that it ONLY works from nets that are actually configured on interfaces.
What i mean by this is,
i want to reach ONLY the ip 172.18.254.37(ADM net) from ANY adress on 172.19.0.0/16 (EDU net)
so naturally i try and change the prefix list to:
ip prefix-list 1 seq 5 permit 172.18.254.37/32
ip prefix-list 2 seq 5 permit 172.19.0.0/16
But this doesnt work, i would be very grateful if someone could explain why and how to get around it..! i dont want to define every subnet on 172.19.0.0/16 and at the same time leave all of the 172.18.254.0/24 network open.
working setup:
ip vrf ADM
description *** ADMIN NET ***
rd 2:2
export map ADM-to-EDU
route-target export 2:2
route-target import 1:1
route-target import 22:22
route-target import 2:2
ip vrf EDU
description *** ELEV NET ***
rd 3:3
export map EDU-to-ADM
route-target export 3:3
route-target import 1:1
route-target import 33:33
route-target import 3:3
ip vrf GEM
description *** GEMENSAM NET ***
rd 1:1
route-target export 1:1
route-target import 2:2
route-target import 3:3
route-target import 1:1
ip prefix-list 1 seq 5 permit 172.18.254.0/24
ip prefix-list 2 seq 5 permit 172.19.64.0/21
route-map ADM-to-EDU permit 10
match ip address prefix-list 1
set extcommunity rt 33:33 additive
route-map EDU-to-ADM permit 10
match ip address prefix-list 2
set extcommunity rt 22:22 additive

CSR1000V VRF Route Leaking vs GNS

Hi folks,
working on 2 lab envronments. I have successfully configured VRF route leaking on GNS3, however can't get it working on CSR1000v with same config (only IP's and name's of VRF etc is different). Is there something on the CSR1000v that I have to do that's different from GNS? Is there a reason why the route in GNS is in both the OSPF database and the routing table yet in ESXi it's only in the database?
OSPF between neighbors
BGP to do route leaking
GNS - leaking route 220.0.0.0
GNS - Neighbor running OSPF has 220.0.0.0 in the database and the routing table for VRF 100
ESXi - leaking route 45.0.0.0
ESXi - Neighbor running OSPF has 45.0.0.0 in the database and is NOT in the routing table for VRF cavia
GNS - 3640's with c3640-js-mz.124-17
ESXi - CSR1000V with Cisco IOS XE Software, Version 03.12.00.S
On both labs using BGP to leak routes between VRF's.
GNS LAB
VRF's --------------------------------------------------
ip vrf 100
rd 100:100
route-target export 1:100
route-target import 1:300
ip vrf 200
rd 200:200
route-target export 1:200
route-target import 1:300
ip vrf 300
rd 300:300
route-target export 1:300
route-target import 1:100
route-target import 1:200
OSPF --------------------------------------------------------------
router ospf 100 vrf 100
router-id 4.4.4.4
log-adjacency-changes
redistribute bgp 10 subnets
network 100.0.0.0 0.0.0.3 area 0
network 0.0.0.0 255.255.255.255 area 0
router ospf 200 vrf 200
router-id 44.44.44.44
log-adjacency-changes
redistribute bgp 10 subnets
network 200.0.0.0 0.0.0.3 area 0
network 0.0.0.0 255.255.255.255 area 0
BGP -------------------------------------------------------------
router bgp 10
no synchronization
bgp log-neighbor-changes
no auto-summary
address-family ipv4 vrf 300
no synchronization
network 220.0.0.0 mask 255.255.255.252
exit-address-family
address-family ipv4 vrf 200
redistribute ospf 200 vrf 200
no synchronization
exit-address-family
address-family ipv4 vrf 100
redistribute ospf 100 vrf 100
no synchronization
exit-address-family
R4#sh ip bgp vpnv4 all
BGP table version is 17, local router ID is 44.44.44.44
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:100 (default for vrf 100)
*> 10.0.0.0/24 100.0.0.1 2 32768 ?
*> 100.0.0.0/30 0.0.0.0 0 32768 ?
*> 220.0.0.0/30 0.0.0.0 0 32768 i
Route Distinguisher: 200:200 (default for vrf 200)
*> 20.0.0.0/24 200.0.0.1 2 32768 ?
*> 200.0.0.0/30 0.0.0.0 0 32768 ?
*> 220.0.0.0/30 0.0.0.0 0 32768 i
Route Distinguisher: 300:300 (default for vrf 300)
*> 10.0.0.0/24 100.0.0.1 2 32768 ?
*> 20.0.0.0/24 200.0.0.1 2 32768 ?
*> 100.0.0.0/30 0.0.0.0 0 32768 ?
*> 200.0.0.0/30 0.0.0.0 0 32768 ?
*> 220.0.0.0/30 0.0.0.0 0 32768 i
-----------------------on neighbor R3 220.0.0.0 (in vrf 300) is in the routing table for vrf 100 as designed----------------------
R3#sh ip route vrf 100
220.0.0.0/30 is subnetted, 1 subnets
O E2 220.0.0.0 [110/1] via 100.0.0.2, 00:29:48, FastEthernet1/0.10
100.0.0.0/30 is subnetted, 1 subnets
C 100.0.0.0 is directly connected, FastEthernet1/0.10
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet0/0
----------------------OSPF Database on neighbor R3-------------------------------------------
R3#sh ip ospf data
OSPF Router with ID (33.33.33.33) (Process ID 200)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
33.33.33.33 33.33.33.33 521 0x80000006 0x005A0E 2
44.44.44.44 44.44.44.44 541 0x80000006 0x001C18 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
200.0.0.2 44.44.44.44 540 0x80000005 0x006820
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
220.0.0.0 44.44.44.44 540 0x80000005 0x009BAE 3489660938
OSPF Router with ID (3.3.3.3) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
3.3.3.3 3.3.3.3 722 0x80000006 0x008C9F 2
4.4.4.4 4.4.4.4 581 0x80000006 0x00F845 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
100.0.0.2 4.4.4.4 581 0x80000005 0x00FEA7
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
220.0.0.0 4.4.4.4 581 0x80000005 0x00509A 3489660938
ESXi LAB
VRF's----------------------------------------------------------
vrf definition cavia
rd 1:100
address-family ipv4
route-target export 1000:100
route-target import 1000:300
exit-address-family
vrf definition microsoft
rd 1:200
address-family ipv4
route-target export 1000:200
route-target import 1000:300
exit-address-family
vrf definition shared
rd 1:300
address-family ipv4
route-target export 1000:300
route-target import 1000:100
route-target import 1000:200
exit-address-family
OSPF ----------------------------------------------------------------
router ospf 100 vrf cavia
redistribute bgp 50 subnets
network 172.100.200.0 0.0.0.3 area 0
network 0.0.0.0 255.255.255.255 area 0
router ospf 200 vrf microsoft
redistribute bgp 50 subnets
network 172.200.200.0 0.0.0.3 area 0
network 0.0.0.0 255.255.255.255 area 0
BGP -----------------------------------------------------------------
router bgp 50
bgp log-neighbor-changes
address-family ipv4 vrf cavia
redistribute ospf 100
exit-address-family
address-family ipv4 vrf microsoft
redistribute ospf 200
exit-address-family
address-family ipv4 vrf shared
network 45.0.0.0 mask 255.255.255.252
exit-address-family
---------------45.0.0.0 is in the correct BGP VRF's----------------
R8#sh ip bgp vpnv4 all
BGP table version is 20, local router ID is 8.8.8.8
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf cavia)
*> 45.0.0.0/30 0.0.0.0 0 32768 i
*> 80.100.0.0/30 172.100.200.1 2 32768 ?
*> 172.100.100.0/30 172.100.200.1 2 32768 ?
*> 172.100.100.4/30 172.100.200.1 2 32768 ?
*> 172.100.200.0/30 0.0.0.0 0 32768 ?
Route Distinguisher: 1:200 (default for vrf microsoft)
*> 45.0.0.0/30 0.0.0.0 0 32768 i
*> 80.200.0.0/30 172.200.200.1 2 32768 ?
*> 172.200.100.0/30 172.200.200.1 2 32768 ?
*> 172.200.100.4/30 172.200.200.1 2 32768 ?
*> 172.200.200.0/30 0.0.0.0 0 32768 ?
Route Distinguisher: 1:300 (default for vrf shared)
*> 45.0.0.0/30 0.0.0.0 0 32768 i
*> 80.100.0.0/30 172.100.200.1 2 32768 ?
*> 80.200.0.0/30 172.200.200.1 2 32768 ?
*> 172.100.100.0/30 172.100.200.1 2 32768 ?
*> 172.100.100.4/30 172.100.200.1 2 32768 ?
*> 172.100.200.0/30 0.0.0.0 0 32768 ?
*> 172.200.100.0/30 172.200.200.1 2 32768 ?
Network Next Hop Metric LocPrf Weight Path
*> 172.200.100.4/30 172.200.200.1 2 32768 ?
*> 172.200.200.0/30 0.0.0.0 0 32768 ?
-----------------------on neighbor R1 45.0.0.0 (in vrf shared) is not in the routing table for vrf cavia----------------------
R1#sh ip route vrf cavia
Gateway of last resort is 172.100.200.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.100.200.2
80.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 80.100.0.0/30 is directly connected, GigabitEthernet1.1
L 80.100.0.1/32 is directly connected, GigabitEthernet1.1
B 80.100.0.4/30 [20/0] via 80.100.0.2, 03:52:22
172.100.0.0/16 is variably subnetted, 7 subnets, 2 masks
C 172.100.100.0/30 is directly connected, GigabitEthernet3.1
L 172.100.100.2/32 is directly connected, GigabitEthernet3.1
C 172.100.100.4/30 is directly connected, GigabitEthernet2.1
L 172.100.100.6/32 is directly connected, GigabitEthernet2.1
B 172.100.101.0/30 [20/0] via 80.100.0.2, 03:52:22
C 172.100.200.0/30 is directly connected, GigabitEthernet4.1
L 172.100.200.1/32 is directly connected, GigabitEthernet4.1
----------------------OSPF Database on neighbor R1 -------------------------------------------
R1#
R1#sh ip ospf data
OSPF Router with ID (172.100.200.1) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
172.100.200.1 172.100.200.1 668 0x8000000A 0x009F4E 4
172.100.200.2 172.100.200.2 681 0x80000007 0x005F5C 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.100.200.1 172.100.200.1 668 0x80000002 0x0012BD
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
45.0.0.0 172.100.200.2 441 0x80000002 0x0047E1 3489660978
80.100.0.4 172.100.200.1 1679 0x80000008 0x00A883 3489725929
172.100.101.0 172.100.200.1 1679 0x80000008 0x00C4A9 3489725929

BUMP

IP VRF to VRF Definition Import-Map behaviour changes

Have the import rules changed from IP VRF syntax (IPV4 only) to VRF Definitions (IPV4&6)?
The issue being we have a management VRF which is used for access, monitoring, archiving. which works well in the IP vrf sytnax example:
ip vrf A-IPVPN
rd 9282:1002
import map Customer-Mgmt-Infrastructure
route-target export 9282:1002
route-target import 9282:1002
route-target import 9282:1999
ip vrf Customer-Mgmt
rd 9282:1999
import map Import-Customer-Mgmt
route-target export 9282:1999
route-target import 9282:1999
route-target import 9282:2010
route-target import 9282:1002
route-target import 9282:2011
route-target import 9282:1005
route-map Import-Customer-Mgmt permit 10
match ip address prefix-list Customer-Mgmt-CPE
ip prefix-list Customer-Mgmt-CPE: 2 entries
seq 5 deny 169.254.254.0/24
seq 10 permit 169.254.0.0/16 le 32
This allows all PE's to learn Customers Routes and import and export management details, I believe I have followed best practice and the result is what I would expect, however since creating some new customers with the vrf definition syntax it appears that the Import-Customer-Mgmt now filters out BGP routes within the Local VRF PE-PE, however the the routes are visible via :
show ip bgp vpnv4 rd
but not imported into BGP table.
Vrf definition
rf definition S-C-IPVPN
rd 9282:1005
route-target export 9282:1005
route-target import 9282:1005
route-target import 9282:1999
address-family ipv4
import map Customer-Mgmt-Infrastructure
exit-address-family
After hitting my head against a wall for longer than I would like to admit, I removed the import map and routes in the RD are installed into the BGP Table?
My question is, is this now default behaviour or is it a bug in our particular version (asr1002x-universalk9.03.09.01.S.153-2.S1.SPA.bin)
I had been considering upgrading our syntax using the vrf upgrade-cli, glad i didnt as this would have caused a major outage as we use the a fair amount of import maps with our Internet transit circuits.
If this is normal behaviour what it the best way to match and permit Local vrf RD? baring in mind I would like ideally to reuse the same route-map.
I will continue to investigate, but if anyone has had experience of this behaviour I would appropriate there input
Regard Neil

The following route map has no impact:
route-map Customer-Mgmt-Infrastructure-2 permit, sequence 10
Match clauses:
    community (community-list filter): S-C-IPVPN
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Named Community expanded list S-C-IPVPN
    permit RT:9282:1005
Think i will need to lab up.
Neil

Route-target imports - scalable

Similar Messages

Maybe you are looking for