Welcome to the Network Engineering Domain
Pape O. Fall's Blog

Route Leaking – Global & VRF Routing Table

What’s a blog called “RouteLeak” without a Route Leaking post. As the name implies, route leaking implies leaking routes or importing/exporting network prefixes between VRFs or between the global routing table and a VRF segment. I will show you different methods to get it configured as follow:

  1. Route Leaking between Global and VRF table: Static Route & Policy-Based Routing
  2. Route Leaking between VRFs: Static Routing
  3. Route Leaking between VRFs: GRE Tunnel
  4. Route Leaking between VRFs: MP-BGP

We will be working with the following setup.

Here, 10.2.2.0/30 is in a VRF called ROUTELEAK and 10.1.1.0/30 is in the main routing table. The goal here is to be able to ping R3 from R1.

Let me show you what the preliminary configuration looks like.

R1

R1#sh ip int br | exc una
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.1.1.2        YES manual up                    up      
Loopback0                  1.1.1.1         YES manual up                    up

R2

ip vrf ROUTELEAK
!         
!         
          
R2#sh ip int br | exc una
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.1.1.1        YES manual up                    up      
Ethernet0/1                10.2.2.1        YES manual up                    up      

R2#      
R2#sh run int eth0/1
Building configuration...

Current configuration : 95 bytes
!
interface Ethernet0/1
 ip vrf forwarding ROUTELEAK
 ip address 10.2.2.1 255.255.255.252

R3

R3#sh ip int br | exc una
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.2.2.2        YES manual up                    up      
Loopback0                  3.3.3.3         YES manual up                    up

You can see here that we’ve placed R2’s Eth0/1 in vrf ROUTELEAK. Let’s dive deep into the CLI and see how we can use static routes to achieve end to end reachability.

Global – VRF: Static Route & Policy-Based Routing

R2#sh ip route | b Gateway                
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/30 is directly connected, Ethernet0/0
L        10.1.1.1/32 is directly connected, Ethernet0/0
R2#
R2#sh ip route vrf ROUTELEAK | b Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.2.2.0/30 is directly connected, Ethernet0/1
L        10.2.2.1/32 is directly connected, Ethernet0/1

We can clearly see here that 10.2.2.0/30 is not in the main routing table but in the routing table referencing VRF ROUTELEAK. This is expected since we’ve placed Eth0/1 under the VRF.

Let’s first create a default route on R1 and R3 to point to R2.

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.1

Great, our next step is to run Policy-Based Routing on R2 and set our next-hop to be the far side of the ROUTELEAK VRF. We will also instruct Eth0/0 on R2 to receive prefixes from the VRF domain. Traffic is policy routed at that point.

Let me show you what it looks like.

R2#sh run int Ethernet0/0 
Building configuration...

Current configuration : 124 bytes
!
interface Ethernet0/0
 ip vrf receive ROUTELEAK
 ip address 10.1.1.1 255.255.255.252
 ip policy route-map LEAK-ROUTE
!
interface Ethernet0/1
 ip vrf forwarding ROUTELEAK
 ip address 10.2.2.1 255.255.255.252
!
route-map LEAK-ROUTE permit 10
 match ip address 100
 set ip vrf ROUTELEAK next-hop 10.2.2.2
!
!
access-list 100 permit ip host 10.1.1.2 host 10.2.2.2

Here, we’ve enabled PBR by creating a route-map and match on the interesting traffic (R1 to R3). We’ve then set the next hop to be the far side of the VRF domain. Also, note that that the “ip vrf receive” command is used in conjunction with an access list or an interface to define the source address or source interface criteria for accepting packets into the VRF.

Let’s now check if we can ping across.

R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Great ! Mission accomplished. Let’s move on to the next one !

VRF to VRF: Static Routing

We will be working with the below diagram in this section.

Here, we have 2 VRFs (ENG & ACCOUNTING). The idea is to be able now to get to the loopback addresses. Let me show you what the preliminary configuration looks like on R2. Everything else remains the same on R1 and R3.

hostname R2
!
!
ip vrf ACCOUNTING
!
ip vrf ENG
!         
interface Ethernet0/0
 ip vrf forwarding ENG
 ip address 10.1.1.1 255.255.255.252
!
interface Ethernet0/1
 ip vrf forwarding ACCOUNTING
 ip address 10.2.2.1 255.255.255.252

We now have Eth0/0 in VRF ENG and Eth0/1 in VRF ACCOUNTING. This means that the main routing table on R2 is empty. As of the day of this post, route leaking from VRF to VRF is not supported. In order to achieve end-to-end connectivity here, we will need to bounce into the global routing table before hoping to the far side VRF. Let me show you what the configuration looks like.

R2(config)#ip route vrf ENG 3.3.3.3 255.255.255.255 10.2.2.2 global
R2(config)#ip route vrf ACCOUNTING 1.1.1.1 255.255.255.255 10.1.1.2 global

Here we have 2 static routes:

  • In VRF ENG, we’re saying in order to get to 3.3.3.3 then your next hop is 10.2.2.2 in the global routing table
  • In VRF ACCOUNTING, we’re saying in order to get to 1.1.1.1 then your next hop is 10.1.1.2 in the global routing table

So basically, we’re routing from the VRFs to the main routing table. However, if you remember correctly there’s no routes in the main routing table. Let’s take a look.

R2#sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
a – application route
+ – replicated route, % – next hop override

Gateway of last resort is not set

R2#

As you can see, we’re pointing to the addresses that do not exist in the main routing table. In order for R2 to know how to get to 10.1.1.2 and 10.2.2.2, we need to add two more static routes and point them to their respective exit interface. Let’s do that.

R2(config)#ip route 10.1.1.2 255.255.255.255 Eth0/0
R2(config)#ip route 10.2.2.2 255.255.255.255 Eth0/1
R2(config)#
R2(config)#
R2(config)#do sh ip route | b Gateway              
Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 2 subnets
S        10.1.1.2 is directly connected, Ethernet0/0
S        10.2.2.2 is directly connected, Ethernet0/1
R2(config)#

This should be all we need. We can now see the next hop addresses in the main routing table. Let’s check our routing tables now for VRF ENG and VRF ACCOUNTING.

R2#sh ip route vrf ENG | b Gateway
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
S        3.3.3.3 [1/0] via 10.2.2.2
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/30 is directly connected, Ethernet0/0
L        10.1.1.1/32 is directly connected, Ethernet0/0
R2#
R2#
R2#sh ip route vrf ACCOUNTING | b Gateway
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
S        1.1.1.1 [1/0] via 10.1.1.2
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.2.2.0/30 is directly connected, Ethernet0/1
L        10.2.2.1/32 is directly connected, Ethernet0/1

Let’s now confirm whether or not we can ping from Loopback to Loopback.

R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3#ping 1.1.1.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Looks pretty good ! Let’s move on to the next method I want to show you.

VRF to VRF: GRE Tunnel

We will be working with the below setup. The use of GRE tunnels make more sense if R1 and R3 are in their own VRFs. Let’s do that.

Here, Eth0/0 on both R1 and R3 are in VRF ENG and VRF ACCOUNTING respectively. Let me show you what the configuration looks like.

R1

R1#sh ip vrf
  Name                             Default RD            Interfaces
  ENG                                           Et0/0
R1#
R1#sh run int eth0/0
Building configuration...

Current configuration : 89 bytes
!
interface Ethernet0/0
 ip vrf forwarding ENG
 ip address 10.1.1.2 255.255.255.252

R2

R2#sh ip vrf
R2#
R2#
R2#sh run int eth0/0
Building configuration...

Current configuration : 66 bytes
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.252
end

R2#sh run int eth0/1
Building configuration...

Current configuration : 66 bytes
!
interface Ethernet0/1
 ip address 10.2.2.1 255.255.255.252

R3

R3#sh ip vrf
  Name                             Default RD            Interfaces
  ACCOUNTING                                    Et0/0
R3#
R3#sh run int eth0/0
Building configuration...

Current configuration : 96 bytes
!
interface Ethernet0/0
 ip vrf forwarding ACCOUNTING
 ip address 10.2.2.2 255.255.255.252

Here, notice that the Eth0/0 interfaces on R1 and R3 are in their appropriate VRFs. Let’s create our tunnels.

R1

R1#sh run int tu100
Building configuration...

Current configuration : 136 bytes
!
interface Tunnel100
 ip address 172.16.1.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 10.2.2.2
 tunnel vrf ENG
end

R1#sh run | inc route
ip route vrf ENG 10.2.2.2 255.255.255.255 Ethernet0/0 10.1.1.1 global

R3

R3#sh run int tu100
Building configuration...

Current configuration : 143 bytes
!
interface Tunnel100
 ip address 172.16.1.2 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 10.1.1.2
 tunnel vrf ACCOUNTING
end

R3#sh run | inc route
ip route vrf ACCOUNTING 10.1.1.2 255.255.255.255 Ethernet0/0 10.2.2.1 global
R1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Fantastic. Here, we simply injected routes from the main table into the VRF routing tables in order to bring the tunnels up. In order to bring the GRE tunnel up, we have to be able to hit the destination address from the source address.

Let’s move on to the next on.

VRF to VRF: MP-BGP

Leveraging MP-BGP is also an efficient way to leak routes between VRFs. It involves RD (Route Distinguisher) which is essentially a 64 bit value used to distinguish routes from one another. This way, we can safely route traffic through a network with overlapping prefixes. We will also need RT (Route Target) which allow us to import/export routes into different domains. If you wish to learn a bit more about how it works, please read this post here.

We will be working with the following topology here.

 

Here, Eth0/0 and Eth0/1 are in VRF ENG and ACCOUNTING respectively. Let’s first create a default route on R1 and R3 that point to R2 so that they know how to get out.

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.1

Very well ! Our next step is to configure our VRFs and assign RD and RT under each VRFs.

  • VRF ENG RD: 65100:1
  • VRF ACCOUNTING RD: 65100:3

We will export routes from VRF ENG using RT 65100:1 and we will export routes from VRF ACCOUNTING using RD 65100:3.

Let me show you what it looks like.

R2(config)#ip vrf ENG
R2(config-vrf)#rd 65100:1
R2(config-vrf)#route-target export 65100:1
R2(config-vrf)#route-target import 65100:3
R2(config)#ip vrf ACCOUNTING
R2(config-vrf)#rd 65100:3
R2(config-vrf)#route-target export 65100:3
R2(config-vrf)#route-target import 65100:1

Let’s now map the appropriate interfaces into the VRFs.

R2#sh run int Ethernet0/0
Building configuration...

Current configuration : 89 bytes
!
interface Ethernet0/0
 ip vrf forwarding ENG
 ip address 10.1.1.1 255.255.255.252
end

R2#sh run int Ethernet0/1
Building configuration...

Current configuration : 96 bytes
!
interface Ethernet0/1
 ip vrf forwarding ACCOUNTING
 ip address 10.2.2.1 255.255.255.252

Good ! In order to be able to ping the far side loopback from the local loopback between R1 and R3, We have to have a way of injecting the loopback prefixes into the VRF domains. I will simply use static routes here to do that.

R2(config)#ip route vrf ENG 3.3.3.3 255.255.255.255 10.2.2.2
R2(config)#ip route vrf ACCOUNTING 1.1.1.1 255.255.255.255 10.1.1.2

Great ! We’re now ready to inject our routes in the VRF routing domains.

R2(config)#router bgp 65100
R2(config-router)# bgp router-id 2.2.2.2
R2(config-router)# bgp log-neighbor-changes
R2(config-router)# !
R2(config-router)# address-family ipv4 vrf ACCOUNTING
R2(config-router-af)#  redistribute connected
R2(config-router-af)#  redistribute static
R2(config-router-af)# exit-address-family
R2(config-router)# !
R2(config-router)# address-family ipv4 vrf ENG
R2(config-router-af)#  redistribute connected
R2(config-router-af)#  redistribute static
R2(config-router-af)# exit-address-family

Here, we’ve redistributed static because of the static routes referencing the loopback addresses we’ve configured earlier. We’ve also redistributed the connected routes because of the local exit interfaces pointing to the next hop address.

Both of our static and connected routes are now in MP-BGP. Let’s confirm.

R2#sh ip bgp vpnv4 all 
BGP table version is 9, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65100:1 (default for vrf ENG)
 *>  1.1.1.1/32       10.1.1.2                 0         32768 ?
 *>  3.3.3.3/32       10.2.2.2                 0         32768 ?
 *>  10.1.1.0/30      0.0.0.0                  0         32768 ?
 *>  10.2.2.0/30      0.0.0.0                  0         32768 ?
Route Distinguisher: 65100:3 (default for vrf ACCOUNTING)
 *>  1.1.1.1/32       10.1.1.2                 0         32768 ?
 *>  3.3.3.3/32       10.2.2.2                 0         32768 ?
 *>  10.1.1.0/30      0.0.0.0                  0         32768 ?
 *>  10.2.2.0/30      0.0.0.0                  0         32768 ?

Awesome, this proves that our routes are in MP-BGP. Let’s see if we have connectivity between R1 and R3.

R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/5 ms

Great ! This is what we expected. Note that here we do not have any BGP neighbor relationship. We only used the protocol to leverage MP-BGP and get our routes across.

That’s the end of this post. I’ll catch you later.

Classification: ADVANCED SERVICES
Posted On: 2019/03/02

Comments

  1. Said says:
    March 11, 2019 at 3:51 am

    Hello Papy, Nice post c’est Clair et Concis.
    A noter que sur les ASR100 et ISR 4K tu as aussi la possibilité de faire du leaking de vrf en s’appuyant sur la technologie Vasi (vrf aware software infrastructure), ça permet par exemple de pouvoir fournir des services partagés type « INTERNET: VRF INTERNET » à différents types de populations type « GUEST:VRF GUEST ».

  2. Pape says:
    March 11, 2019 at 8:16 am

    Hello Said. Tu as parfaitement raison; En effet, je prendrais le temps d’écrire un post là-dessus. Je pense que ce serait intéressant de mettre en évidence les différentiels vis-à-vis de IOS-XE.

  3. Joe says:
    April 2, 2021 at 6:15 pm

    Nice article. In scenario 1, how does R2 have a route for the ICMP reply from 10.2.2.2 in the route leak VRF to 10.1.1.1 in the default VRF?

  4. Joe says:
    April 2, 2021 at 6:25 pm

    OK, I figured out the question in my last comment. ip vrf receive actually adds the connected route of the interface the command is applied to, to the VRF specified. So, in this case, 10.1.1.0/24 is actually added to the ROUTELEAK VRF, which makes sense.

    I think you have a typo then in the explanation of that command. Thanks!

  5. Niru says:
    May 8, 2023 at 7:19 am

    Hello I realize this is a little dated but still very useful in my opinion. Need some clarification if you don’t mind. I don’t quite follow the first example. First, For traffic going from R1 to R3 why would you need to policy route anything if you have already leaked the routes into the Global routing table via the command ? Wouldn’t that mean that the ICMP traffic sourced from R1 10.1.1.2 and destined to 10.2.2.2 would find the route to 10.2.2.2 in R2’s Global Route table? Second, for ICMP traffic returning from 10.2.2.2 destined 10.1.1.2, how would R2 be able to route that to 10.1.1.2 if the interface between R2 and R3 is in a VRF? From the configuration it doesn’t look like we have done anything to address the return traffic from R3 destined to R1. I’m sure I am missing something. Thank you for any clarification.

  6. Pape says:
    June 18, 2023 at 2:00 pm

    Correct ! The “ip vrf receive” command is used in conjunction with an access list or an interface to define the source address or source interface criteria for accepting packets into the VRF.

  7. Pape says:
    June 18, 2023 at 2:44 pm

    Question 1: First, For traffic going from R1 to R3 why would you need to policy route anything if you have already leaked the routes into the Global routing table via the command ?
    Answer: From which command ? We have not leaked the routes here

    Question 2: Wouldn’t that mean that the ICMP traffic sourced from R1 10.1.1.2 and destined to 10.2.2.2 would find the route to 10.2.2.2 in R2’s Global Route table?
    Answer: On R2, you have 2 interfaces, 1 in the global routing table and the other in the ROUTELEAK vrf

    Question 3: For ICMP traffic returning from 10.2.2.2 destined 10.1.1.2, how would R2 be able to route that to 10.1.1.2 if the interface between R2 and R3 is in a VRF?
    Answer: On R2, I’m using the “ip vrf receive ROUTELEAK” command subsequently allowing the injection of R1 route into the VRF. This command is applied on the interface pointing to R1 from R2

Leave a Reply

Your email address will not be published. Required fields are marked *

A Little About Myself

Hello I'm Pape. My friends call me Pop. I'm CCIE #48357. I enjoy my field and love to share it with others. I love to write so I'm sharing my blog with you.

Sign up to receive notifications and updates whenever new topics or videos are uploaded!

RouteLeak Calendar

November 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
252627282930  
© Copyright 2024 @ RouteLeak