Vinit's Tech Blog

Life has meaning as long as you keep learning.

Inter-VRF Route Leaking using Route Replication

Route leaking is one of the most common challenges network engineers face in their day-to-day work. Routing tables for different entities or customers are segregated by Virtual Routing and Forwarding (VRF) instances. On IOS-XE, there were a few options available for route leaking:

  1. Route leaking using Route-Targets (RT import and export)
  2. Using static route
  3. Policy-Based routing

With RT-based route leaking, we take on a dependency on BGP, because an RT is a BGP extended community that gets attached to the prefix. Static routes and PBR, on the other hand, are a bit complex and cannot perform intra-box route leaking, i.e. the packet has to go out to the next hop and then return in order for a ping to work between two VRFs.

Newer versions of IOS/IOS-XE introduced the route replication feature. It was introduced with Easy Virtual Networks (EVN) on IOS-XE platforms. In an EVN environment, VRF route leaking is achieved using route replication. Route replication does not require any complex configuration or features to be enabled. In other words, you don't need BGP, RT/RD configuration, etc.

To understand how route replication works, examine the topology below:

R1 has VRFA facing CE1 and VRFB facing CE2, and runs OSPF towards each of the CE routers in a different VRF. Let's look at the routing tables before route replication is implemented:

VRFA
R1#sh ip route vrf VRFA
Routing Table: VRFA
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.1 [110/11] via 172.16.1.2, 00:01:08, Ethernet0/1

VRFB
R1#sh ip route vrf VRFB
Routing Table: VRFB
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.2.0/24 is directly connected, Ethernet0/2
L 172.16.2.1/32 is directly connected, Ethernet0/2
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.2 [110/11] via 172.16.2.2, 00:00:26, Ethernet0/2

In the above outputs, each VRF RIB contains one OSPF route, which is the loopback address learnt from the attached CE router. Note that at this point, the VRF configuration consists of just ip vrf vrf-name.

Now, in order to establish connectivity between the two VRFs, we configure the route-replicate CLI.

ip vrf VRFA
 route-replicate from vrf VRFB unicast connected
 route-replicate from vrf VRFB unicast ospf 2
!
router ospf 1 vrf VRFA
 default-information originate always
!
ip vrf VRFB
 route-replicate from vrf VRFA unicast connected
 route-replicate from vrf VRFA unicast ospf 1
!
router ospf 2 vrf VRFB
 default-information originate always
!

In the above configuration, we are replicating the connected and OSPF routes from VRFB into VRFA and vice versa. Let's now look at the routing tables on R1, CE1 and CE2:

R1
R1#show ip route vrf VRFA
Routing Table: VRFA
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1
C + 172.16.2.0/24 is directly connected, Ethernet0/2
L 172.16.2.1/32 is directly connected, Ethernet0/2
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.1 [110/11] via 172.16.1.2, 01:57:37, Ethernet0/1
192.168.2.0/32 is subnetted, 1 subnets
O + 192.168.2.2 [110/11] via 172.16.2.2 (VRFB), 01:56:52, Ethernet0/2

R1#show ip route vrf VRFB
Routing Table: VRFB
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C + 172.16.1.0/24 is directly connected, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1
C 172.16.2.0/24 is directly connected, Ethernet0/2
L 172.16.2.1/32 is directly connected, Ethernet0/2
192.168.1.0/32 is subnetted, 1 subnets
O + 192.168.1.1 [110/11] via 172.16.1.2 (VRFA), 01:57:55, Ethernet0/1
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.2 [110/11] via 172.16.2.2, 01:57:10, Ethernet0/2

CE1
CE1#sh ip route
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 172.16.1.1, 01:53:30, Ethernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Ethernet0/0
L 172.16.1.2/32 is directly connected, Ethernet0/0
192.168.1.0/32 is subnetted, 1 subnets
C 192.168.1.1 is directly connected, Loopback0

CE2
CE2#show ip route
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 172.16.2.1, 01:53:45, Ethernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.2.0/24 is directly connected, Ethernet0/0
L 172.16.2.2/32 is directly connected, Ethernet0/0
192.168.2.0/32 is subnetted, 1 subnets
C 192.168.2.2 is directly connected, Loopback0

Since the default-information originate always command is configured on R1, both CE1 and CE2 receive a default route. Note that the replicated routes on R1 are not advertised towards the CE routers. Thus, when a ping is sent from the CE1 loopback towards the CE2 loopback, the packet reaches R1, which performs a lookup in VRFA and then uses the replicated route reference to send the traffic towards CE2 in VRFB.

CE1#ping 192.168.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
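
An added example, not part of the original post: a Python parser that pulls the replicated (+) routes out of show ip route vrf output, so the prefixes crossing the VRF boundary on R1 can be checked against an approved list. The function names and the approved-prefix list are assumptions made for illustration; the sample input is R1's VRFA table from above with most of the code legend trimmed.

```python
import ipaddress
import re

# R1's VRFA table as shown above, with most of the code legend trimmed.
SAMPLE_VRFA = """\
Routing Table: VRFA
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1
C + 172.16.2.0/24 is directly connected, Ethernet0/2
L 172.16.2.1/32 is directly connected, Ethernet0/2
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.1 [110/11] via 172.16.1.2, 01:57:37, Ethernet0/1
192.168.2.0/32 is subnetted, 1 subnets
O + 192.168.2.2 [110/11] via 172.16.2.2 (VRFB), 01:56:52, Ethernet0/2
"""

IP = r"\d+(?:\.\d+){3}"
# Header such as "192.168.2.0/32 is subnetted": children print without a mask.
PARENT = re.compile(rf"^\s*{IP}/(\d+) is (variably )?subnetted")
# Route code, then the "+" replicated flag, then the prefix.
REPLICATED = re.compile(rf"^\s*[A-Za-z][A-Za-z0-9* ]{{0,5}}?\s*\+\s+({IP})(?:/(\d+))?\s+(.*)$")

def replicated_routes(show_output):
    """Return (prefix, source VRF or None, egress interface) for each '+' route."""
    inherited, found = None, []
    for line in show_output.splitlines():
        parent = PARENT.match(line)
        if parent:  # variably subnetted blocks carry a mask on every child
            inherited = None if parent.group(2) else parent.group(1)
            continue
        m = REPLICATED.match(line)
        if not m or not (m.group(2) or inherited):
            continue
        addr, plen, rest = m.groups()
        net = ipaddress.ip_network(f"{addr}/{plen or inherited}", strict=False)
        vrf = re.search(r"\(([^)\s]+)\)", rest)  # "(VRFB)" names the source VRF
        found.append((str(net), vrf.group(1) if vrf else None,
                      rest.rsplit(",", 1)[-1].strip()))
    return found

def unapproved(routes, approved_prefixes):
    """Replicated routes that fall outside every approved prefix."""
    nets = [ipaddress.ip_network(p) for p in approved_prefixes]
    return [r for r in routes
            if not any(ipaddress.ip_network(r[0]).subnet_of(n) for n in nets)]

print(replicated_routes(SAMPLE_VRFA))
```

Replicated connected routes carry no source-VRF annotation in this output, so the egress interface is the only hint of where they came from.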

Hope this post was useful.

 

 

 

Comments (2) -

  • Rahul

    7/17/2019 9:30:20 PM |

    Nice Blog. Any option of leaking specific routes from VRF A to B vice versa?

    • Vinit

      7/18/2019 10:53:34 AM |

      Hi Rahul
      Yes, you can use route-maps along with route-replicate configuration and filter the prefixes that you want to be replicated.
