Inter-VRFs routing on the same router (VRF-lite route leak) with MP-BGP – HP 5820 (Comware5)

I was trying to implement inter-VRFs routing in a multi VRF-lite environment – there was a requirement to implement routing between two VRFs on the same router. This time the routers are HP 5820 series Layer-3 switches running the Comware5 network operating system (HP 5820 is a 24 port 10GB SFP+ Layer3 device). I have done the same on Cisco IOS (check my previous post on this).

I couldn’t find any specific recommendation in the HP documentation regarding inter-VRFs routing on the “same device”. Also, the HP docs say that when you configure BGP you need to specify a BGP neighbor (I was thinking the same – without a neighbor BGP is incomplete!).

However, Cisco already published a recommendation on this – so I took Cisco’s recommendation and configured BGP without a neighbor on Comware5 and found it’s working fine! Cisco’s recommendation specifies two items, (i) VRF route-target import and (ii) BGP redistribution, but no neighbor is required.

“You can not configure two static routes to advertise each prefix between the VRFs, because this method is not supported—packets will not be routed by the router. To achieve route leaking between VRFs, you must use the import functionality of route-target and enable Border Gateway Protocol (BGP) on the router. No BGP neighbor is required.” http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/multiprotocol-label-switching-vpns-mpls-vpns/47807-routeleaking.html

Here is the topology –

[Figure: inter-vrfs-BGP topology diagram]

Routing/connectivity requirements are –

Within same router inter-VRF routing:

Source Network   | Destination Network | Site Number
A-1-network-web  | A-1-network-app     | Site 1
A-2-network-web  | A-2-network-app     | Site 2

Inter-site VRFs routing:

1. Single source to > multiple destinations

Source Network   | Destination Network
A-1-network-web  | A-2-network-web
A-1-network-web  | A-2-network-app
A-1-network-app  | A-2-network-app
A-1-network-app  | A-2-network-web

2. Single source to > single destination

Source Network         | Destination Network
A-1-network-iscsi      | A-2-network-iscsi
B-1-network-appserver  | B-2-network-app

Based on above mentioned scenario –

  1. VRFs routing between Site 1 and Site 2 – static routes or any dynamic routing protocol such as EIGRP or OSPF are suitable.
  2. VRFs routing within the same router at each site (routing for web & app on the same site) needs to be done through multiprotocol BGP and route-target import – which is Cisco's recommendation.

In this example –

Site-1 (source) networks are-

-Customer A webserver network is – 192.168.101.0/24 (VLAN101); default route is 192.168.101.254

-Customer A appserver network is – 192.168.102.0/24 (VLAN102); default route is 192.168.102.254

-Customer A iscsi network is – 192.168.103.0/24 (VLAN103)

-Customer B appserver network is – 192.168.104.0/24 (VLAN104)

Site-2 (destination) networks are-

-Customer A webserver network is – 192.168.201.0/24 (VLAN201); default route is 192.168.201.254

-Customer A appserver network is – 192.168.202.0/24 (VLAN202); default route is 192.168.202.254

-Customer A iscsi network is – 192.168.203.0/24 (VLAN203)

-Customer B appserver network is – 192.168.204.0/24 (VLAN204)

Interconnect networks between Site-1 & Site-2 are (both sites are connected through dark fibre, which is Layer 2 connectivity)-

-“A-1-Web” to “A-2-Web” interconnect is 172.16.101.0/24 (VLAN 171)

-“A-1-App” to “A-2-App” interconnect is 172.16.102.0/24 (VLAN 172)

-“A-1-iSCSI” to “A-2-iSCSI” interconnect is 172.16.103.0/24 (VLAN 173)

-“B-1-App” to “B-2-App” interconnect is 172.16.104.0/24 (VLAN 174)

I will show here two things –

  1. Inter-VRFs routing on the same site through BGP and vpn-target export-import.
  2. SITE-1 and SITE-2 inter-VRFs routing through static routing (dynamic can be done as well).

The following are the configuration commands on SITE-1-Router-01:

1. Define VRFs and route-target export & import as follows. The web and app VRFs import each other's route target (a-1-webserver imports 65111:102 from “a-1-network-appserver”, a-1-appserver imports 65111:101 from “a-1-network-webserver”); the iscsi and b-1-appserver VRFs need no import/export:

#
ip vpn-instance a-1-webserver
 route-distinguisher 65111:101
 vpn-target 65111:101 export-extcommunity
 vpn-target 65111:101 65111:102 import-extcommunity
#
ip vpn-instance a-1-appserver
 route-distinguisher 65111:102
 vpn-target 65111:102 export-extcommunity
 vpn-target 65111:101 65111:102 import-extcommunity
#
ip vpn-instance a-1-iscsi
 route-distinguisher 65111:103
#
ip vpn-instance b-1-appserver
 route-distinguisher 65111:104
#

2. Bind the VRFs to the interfaces and configure the interface IP addresses:

#
interface Vlan-interface101
 description A-1-Web Servers
 ip binding vpn-instance a-1-webserver
 ip address 192.168.101.254 255.255.255.0
#
interface Vlan-interface102
 description A-1-App Servers
 ip binding vpn-instance a-1-appserver
 ip address 192.168.102.254 255.255.255.0
#
interface Vlan-interface103
 description A-1-iSCSI
 ip binding vpn-instance a-1-iscsi
 ip address 192.168.103.254 255.255.255.0
#
interface Vlan-interface701
 description A-1-web to A-2-web interconnect
 ip binding vpn-instance a-1-webserver
 ip address 172.16.101.254 255.255.255.0
#
interface Vlan-interface702
 description A-1-app to A-2-app interconnect
 ip binding vpn-instance a-1-appserver
 ip address 172.16.102.254 255.255.255.0
#
interface Vlan-interface703
 description A-1-iscsi to A-2-iscsi interconnect
 ip binding vpn-instance a-1-iscsi
 ip address 172.16.103.254 255.255.255.0
#
interface Vlan-interface704
 description B-1-app to B-2-App interconnect
 ip binding vpn-instance b-1-appserver
 ip address 172.16.104.254 255.255.255.0
#

3. Configure BGP without a neighbor, using the VPN instance names, as follows:

(we need routing between webserver & appserver on the same router)

#
bgp 65111
 router-id 1.1.1.1
 undo synchronization
 #
 ipv4-family vpn-instance a-1-webserver
  import-route direct
 #
 ipv4-family vpn-instance a-1-appserver
  import-route direct
#

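Once BGP is configured, you should be able to ping between the “a-1-webserver” and “a-1-appserver” networks. Note that import-route direct redistributes every directly connected network of each VRF, so the interconnect subnets bound to these VRFs are leaked along with the server subnets.

It's time to check the routing tables for the VRFs – you will find BGP is doing the routing between VRFs on the same switch.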

#display ip routing-table vpn-instance a-1-webserver
#display ip routing-table vpn-instance a-1-appserver
#display bgp vpnv4 vpn-instance a-1-webserver routing-table
#display bgp vpnv4 vpn-instance a-1-appserver routing-table
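
An offline cross-check of which VRFs actually exchange routes under this design, added here as an example (not code from the original post or from HP): it pairs every VRF that feeds routes into BGP with every VRF importing one of its export route targets. The function names `parse` and `leaks` and the reduced sample config are assumptions made for the example, and the model is simplified to the commands used on this page.

```python
import re

# Constructed input: steps 1 and 3 of the SITE-1 configuration, reduced to the
# lines this check reads (annotations, RDs and router-id removed).
CONFIG = """\
ip vpn-instance a-1-webserver
 vpn-target 65111:101 export-extcommunity
 vpn-target 65111:101 65111:102 import-extcommunity
#
ip vpn-instance a-1-appserver
 vpn-target 65111:102 export-extcommunity
 vpn-target 65111:101 65111:102 import-extcommunity
#
ip vpn-instance a-1-iscsi
#
ip vpn-instance b-1-appserver
#
bgp 65111
 ipv4-family vpn-instance a-1-webserver
  import-route direct
 #
 ipv4-family vpn-instance a-1-appserver
  import-route direct
#
"""

def parse(config):
    """Return ({vrf: {"export": set, "import": set}}, VRFs that feed routes into BGP)."""
    vrfs, feeders, vrf, family = {}, set(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#" or not raw.startswith(" "):
            vrf = family = None  # separator or top-level command ends the current view
        if m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            vrf = m.group(1)
            vrfs.setdefault(vrf, {"export": set(), "import": set()})
        elif m := re.fullmatch(r"ipv4-family vpn-instance (\S+)", line):
            family = m.group(1)
        elif vrf and (m := re.fullmatch(r"vpn-target (.+) (export|import)-extcommunity", line)):
            vrfs[vrf][m.group(2)].update(m.group(1).split())
        elif family and line.startswith("import-route "):
            feeders.add(family)
    return vrfs, feeders

def leaks(config):
    """Sorted (source, destination) pairs: destination imports an RT that source exports via BGP."""
    vrfs, feeders = parse(config)
    return sorted((src, dst) for src in feeders if src in vrfs for dst in vrfs
                  if src != dst and vrfs[src]["export"] & vrfs[dst]["import"])
```

Run against a saved copy of the running configuration, any pair involving a VRF that is meant to stay isolated (here a-1-iscsi and b-1-appserver) points to a vpn-target line that should not be there.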

####rest of the configurations are for inter site (site-1 & site-2) communication####

4. Routing between SITE-1 and SITE-2 VRFs via static routes:

(static routes to be added to SITE-1-Router-01; the text in parentheses after a route is a note, not part of the command)

#
ip route-static vpn-instance a-1-webserver 0.0.0.0 0.0.0.0 192.168.101.254
ip route-static vpn-instance a-1-webserver 192.168.201.0 255.255.255.0 172.16.101.2    (A-1 web to A-2 web)
ip route-static vpn-instance a-1-webserver 192.168.202.0 255.255.255.0 172.16.101.2    (A-1 web to A-2 app)
ip route-static vpn-instance a-1-appserver 0.0.0.0 0.0.0.0 192.168.102.254
ip route-static vpn-instance a-1-appserver 192.168.202.0 255.255.255.0 172.16.102.2    (A-1-app to A-2-app)
ip route-static vpn-instance a-1-appserver 192.168.201.0 255.255.255.0 172.16.102.2    (A-1-app to A-2-web)
ip route-static vpn-instance a-1-iscsi 192.168.203.0 255.255.255.0 172.16.103.2    (A-1 iscsi to A-2 iscsi)
ip route-static vpn-instance b-1-appserver 192.168.204.0 255.255.255.0 172.16.104.2    (B-1 app to B-2 app)
#

Configure SITE-2-Router-02 the same way (change the source and destination networks).

At this stage routing between the site-1 and site-2 VRFs should be working.

Check routing table for all the VRFs –
#display ip routing-table vpn-instance vrf_name

Do ping test as well; command is –
#ping -vpn-instance vrf_name IP_address
