I was trying to implement inter-VRFs routing in a multi VRF-lite environment – there was a requirement to implement routing between two VRF domains on the same router. I couldn’t make this working through typical static routing or IGP. Later on I found Cisco recommendation – this has to be done through (i)route-target export/import and (ii)BGP.
“You can not configure two static routes to advertise each prefix between the VRFs, because this method is not supported—packets will not be routed by the router. To achieve route leaking between VRFs, you must use the import functionality of route-target and enable Border Gateway Protocol (BGP) on the router. No BGP neighbor is required. http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/multiprotocol-label-switching-vpns-mpls-vpns/47807-routeleaking.html”
Here is my topology diagram–
Routing/connectivity requirements are –
Within “same router” inter-VRFs routing:
|Source Network||Destination Network||Site Number|
Inter site (site 1 & site 2) VRFs routing:
- Multiple site-1 sources to > multiple site-2 destinations;
|Source Network||Destination Network|
- One site-1 source to > one site-2 destination;
|Source Network||Destination Network|
Based on above mentioned scenario –
- VRFs routing between Site 1 and Site 2 – static route or any dynamic routing protocol such as EIGRP, OSPF are suitable.
- VRFs routing within the same router at each site (routing for web & app on the same site) need to be done through multiprotocol BGP and route-target import – which is a recommendation by Cisco.
I will show here how to do inter VRFs routing within the same router using BGP and route-target export-import.
Following are configurations on SITE-1-Router-01,
(Step 1) Define VRFs and route-target export & import as following:
ip vrf a-1-webserver
route-target export 65111:101
route-target import 65111:101
route-target import 65111:102 ;import “a-1-network-appserver”
ip vrf a-1-appserver
route-target export 65111:102
route-target import 65111:102
route-target import 65111:101 ;import “a-1-network-webserver”
ip vrf a-1-iscsi
rd 65111:103 ;no network export-import here
ip vrf b-1-appserver
rd 65111:104 ;no network export-import here
(Step 2) Apply the VRFs to proper interfaces – assign IP address to interfaces as well.
(Step 3) Configure BGP without neighbour with the VPN instances name as following:
(we need routing between webserver & appserver on the same router)
router bgp 65111
address-family ipv4 vrf a-1-webserver
address-family ipv4 vrf a-1-appserver
Once the BGP is done – do a “#show ip route vrf a-1-webserver”; it should display both a-1-appserver & a-1-webserver networks. Same result should display for “#show ip route vrf a-1-appserver”. At this stage a-1-webservers should be able to talk to a-1-appservers. Configure the same on SITE-2-Router-02 router.
####rest of the configuration are for inter site (site-1 & site-2) communication####
(Step 4) For routing between SITE-1 and SITE-2 following is an example with static routing:
In this example –
Site-1 (source) networks are-
-Customer A webserver network is – 192.168.101.0/24; default route is 192.168.101.254
-Customer A appserver network is – 192.168.102.0/24; default route is 192.168.102.254
-Customer A iscsi network is – 192.168.103.0/24
-Customer B appserver network is – 192.168.104/24
Site-2 (destination) networks are-
-Customer A webserver network is – 192.168.201.0/24
-Customer A appserver network is – 192.168.202.0/24
-Customer A iscsi network is – 192.168.203.0/24
-Customer B appserver network is – 192.168.204/24
SITE-1-ROUTER-01 inter site routing commands are following –
ip route vrf a-1-webserver 0.0.0.0 0.0.0.0 192.168.101.254
ip route vrf a-1-webserver 192.168.201.0 255.255.255.0 172.16.101.2; (A-1 web to A-2 web)
ip route vrf a-1-webserver 192.168.201.0 255.255.255.0 172.16.101.2; (A-1 web to A-2 app)
ip route vrf a-1-appserver 0.0.0.0 0.0.0.0 192.168.102.254
ip route vrf a-1-appserver 192.168.202.0 255.255.255.0 172.16.102.2; (A-1 app to A-2 web)
ip route vrf a-1-appserver 192.168.202.0 255.255.255.0 172.16.102.2; (A-1 app to A-2 app)
ip route vrf a-1-iscsi 192.168.203.0 255.255.255.0 172.16.103.2; (A-1 iscsi to A-2 iscsi)
ip route vrf b-1-iscsi 192.168.204.0 255.255.255.0 172.16.104.2; (B-1 app to B-2 app)
Configure the SITE-2-Router-02 same way (change the source and destination networks).
Do “#show ip vrf vrfname” to check your routes; also do ping test “#ping vrf vrfname ip ipAddr”.