Inter-VRF routing on the same Router (VRF-lite route leak) – Cisco IOS

I was trying to implement inter-VRFs routing in a multi VRF-lite environment – there was a requirement to implement routing between two VRF domains on the same router. I couldn’t make this working through typical static routing or IGP. Later on I found Cisco recommendation – this has to be done through (i)route-target export/import and (ii)BGP.

“You can not configure two static routes to advertise each prefix between the VRFs, because this method is not supported—packets will not be routed by the router. To achieve route leaking between VRFs, you must use the import functionality of route-target and enable Border Gateway Protocol (BGP) on the router. No BGP neighbor is required. http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/multiprotocol-label-switching-vpns-mpls-vpns/47807-routeleaking.html

Here is my topology diagram–

inter-vrfs-BGP

Routing/connectivity requirements are –

Within “same router” inter-VRFs routing:

Source Network Destination Network Site Number
A-1-network-webserver A-1-network-appserver Site 1
A-2-network-webserver A-2-network-appserver Site 2

Inter site (site 1 & site 2) VRFs routing:

  1. Multiple site-1 sources to > multiple site-2 destinations;
Source Network Destination Network
A-1-network-webserver A-2-network-webserver
A-1-network-webserver A-2-network-appserver
A-1-network-appserver A-2-network-appserver
A-1-network-appserver A-2-network-webserver
  1. One site-1 source to > one site-2 destination;
Source Network Destination Network
A-1-network-iscsi A-2-network-scsi
B-1-network-appserver B-2-network-app

Based on above mentioned scenario –

  1. VRFs routing between Site 1 and Site 2 – static route or any dynamic routing protocol such as EIGRP, OSPF are suitable.
  2. VRFs routing within the same router at each site (routing for web & app on the same site) need to be done through multiprotocol BGP and route-target import – which is a recommendation by Cisco.

I will show here how to do inter VRFs routing within the same router using BGP and route-target export-import.

Following are configurations on SITE-1-Router-01,

(Step 1) Define VRFs and route-target export & import as following:

!
ip vrf a-1-webserver
rd 65111:101
route-target export 65111:101
route-target import 65111:101
route-target import 65111:102  ;import “a-1-network-appserver”
!
ip vrf a-1-appserver
rd 65111:102
route-target export 65111:102
route-target import 65111:102
route-target import 65111:101  ;import “a-1-network-webserver”
!
ip vrf a-1-iscsi
rd 65111:103      ;no network export-import here
!
ip vrf b-1-appserver
rd 65111:104      ;no network export-import here
!

(Step 2) Apply the VRFs to proper interfaces – assign IP address to interfaces as well.

(Step 3) Configure BGP without neighbour with the VPN instances name as following:

(we need routing between webserver & appserver on the same router)

!
router bgp 65111
bgp log-neighbor-changes
!
address-family ipv4 vrf a-1-webserver
redistribute connected
exit-address-family
!
address-family ipv4 vrf a-1-appserver
redistribute connected
exit-address-family
!

Once the BGP is done – do a “#show ip route vrf a-1-webserver”; it should display both a-1-appserver & a-1-webserver networks. Same result should display for “#show ip route vrf a-1-appserver”. At this stage a-1-webservers should be able to talk to a-1-appservers. Configure the same on SITE-2-Router-02 router.

####rest of the configuration are for inter site (site-1 & site-2) communication####

(Step 4) For routing between SITE-1 and SITE-2 following is an example with static routing:

In this example –

Site-1 (source) networks are-

-Customer A webserver network is – 192.168.101.0/24; default route is 192.168.101.254
-Customer A appserver network is – 192.168.102.0/24; default route is 192.168.102.254
-Customer A iscsi network is – 192.168.103.0/24
-Customer B appserver network is – 192.168.104/24

Site-2 (destination) networks are-

-Customer A webserver network is – 192.168.201.0/24
-Customer A appserver network is – 192.168.202.0/24
-Customer A iscsi network is – 192.168.203.0/24
-Customer B appserver network is – 192.168.204/24

SITE-1-ROUTER-01 inter site routing commands are following –

!
ip route vrf a-1-webserver 0.0.0.0 0.0.0.0 192.168.101.254
ip route vrf a-1-webserver 192.168.201.0 255.255.255.0 172.16.101.2; (A-1 web to A-2 web)
ip route vrf a-1-webserver 192.168.201.0 255.255.255.0 172.16.101.2; (A-1 web to A-2 app)
ip route vrf a-1-appserver 0.0.0.0 0.0.0.0 192.168.102.254
ip route vrf a-1-appserver 192.168.202.0 255.255.255.0 172.16.102.2; (A-1 app to A-2 web)
ip route vrf a-1-appserver 192.168.202.0 255.255.255.0 172.16.102.2; (A-1 app to A-2 app)
ip route vrf a-1-iscsi 192.168.203.0 255.255.255.0 172.16.103.2; (A-1 iscsi to A-2 iscsi)
ip route vrf b-1-iscsi 192.168.204.0 255.255.255.0 172.16.104.2; (B-1 app to B-2 app)
!

Configure the SITE-2-Router-02 same way (change the source and destination networks).

Do “#show ip vrf vrfname” to check your routes; also do ping test “#ping vrf vrfname ip ipAddr”.

2 thoughts on “Inter-VRF routing on the same Router (VRF-lite route leak) – Cisco IOS

  1. I think there’s a small typo near the end (missing the word “route”).
    [ Do “#show ip vrf vrfname” to check your routes ]
    ought to be
    #show ip route vrf vrfname
    Just running “show ip vrf vrfname” spits out the information (route distinguisher) for a particular VRF.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s