Re: VRF TO GLOBAL PROBLEM

From: Damian Higgins <linnewbye_at_gmail.com>
Date: Fri, 7 Jan 2011 11:01:16 +0200

Hi Joseph,

I've read about using tunnels to bridge between global and VRF before
but I thought this is not a reliable solution for production because
of the performance impact. How much traffic do you actually bridge
between global and VRF and what routers do you use ? What about GRE
overhead and MTU ? I know the 6500's have a fixed MTU of 1514 on
loopbacks.

On Thu, Jan 6, 2011 at 10:47 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:
>> How about dynamic
>> leaking from VRFs to global ( no static routes in global ), is it
>> possible ?
>
> Yes, for that we do
>
> I'm sure you can figure out how this works (from a real large ISP backbone router, scales to hundreds of customers per router, IPs changed)
>
>
> ip vrf abc
>  rd 9999:100
>  route-target export 9999:100
>  route-target import 9999:100
>
> interface Tunnel100
>  description VRF_ABC_BRIDGE_TO_GLOBAL_ROUTING_TABLE
>  bandwidth 50000
>  ip vrf forwarding abc
>  ip address 172.23.254.254 255.255.255.252
>  load-interval 30
>  tunnel source Loopback0
>  tunnel destination 172.24.1.1
> !
> interface Tunnel200
>  description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_ABC
>  bandwidth 50000
>  ip address 172.23.254.253 255.255.255.252
>  ip virtual-reassembly
>  load-interval 30
>  tunnel source Loopback100
>  tunnel destination 96.110.188.105
>
>
> then...
>
> router ospf 100 vrf abc
>  router-id 172.24.254.254
>  log-adjacency-changes
>  redistribute static subnets route-map static-vrf-abc-redis-to-ospf-100
>  redistribute bgp 17303 subnets route-map redis-bgp-vrf-abc-to-ospf
>  network 96.110.188.153 0.0.0.0 area 1
>  network 96.110.188.185 0.0.0.0 area 1
>  network 96.110.188.245 0.0.0.0 area 1
>  default-information originate always
>
>
> router ospf 1
>  router-id 172.24.1.1
>  log-adjacency-changes
>  passive-interface default
>
>
> router bgp 9999
>
>  address-family ipv4 vrf abc
>   redistribute static route-map static-to-bgp-vrf-100
>   redistribute ospf 100 vrf abc route-map ospf-to-bgp-vrf-100
>   no synchronization
>  exit-address-family
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Carlos G Mendioroz
> Sent: Thursday, January 06, 2011 2:37 PM
> To: Damian Higgins
> Cc: Marko Milivojevic; Marcin Zgola; Cisco certification
> Subject: Re: VRF TO GLOBAL PROBLEM
>
> Does not seem to be doable for the time being.
> There are some hacks using tunnels, but nothing clean.
> This sure is the reason for your using all VRF and no global :)
>
> -Carlos
>
> Damian Higgins @ 06/01/2011 15:05 -0300 dixit:
>> I didn't read the article carefully, I just did a lab ( using
>> fastethernet interfaces ) and it does work :). How about dynamic
>> leaking from VRFs to global ( no static routes in global ), is it
>> possible ?
>>
>>
>> On Thu, Jan 6, 2011 at 5:57 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>>> Damian,
>>> I've just changed Marko's sample to leak R2-R4 (192.168.24.0/24, global)
>>> into vrf red and R2-R5 (10.0.25.0/24, vrf red) into global and it works.
>>>
>>> @ R2, just:
>>>
>>> ip prefix-list R4-Loopback0 seq 20 permit 192.168.24.0/24
>>>
>>> (should have changed the list name :)
>>> and red knows the R2-R4.
>>>
>>> ip route 10.0.25.0 255.255.255.0 Serial1/0.205
>>>
>>> and R2 knows R2-R5 at global.
>>>
>>> BTW, the sample uses point to point, so AFAIK there is no need to set next
>>> hops, no need for the global for vrf statics if used.
>>>
>>> I can ping from R5 to R2's serial w/o going through R4. That's what is being
>>> looked for, right ?
>>>
>>> Marcin,
>>> would you post relevant config ?
>>> -Carlos
>>>
>>> Damian Higgins @ 06/01/2011 07:22 -0300 dixit:
>>>> Hi Marko,
>>>>
>>>> That's because in your example you needed reachability only between
>>>> the router's loopbacks. Let's say that R2-R6 10.0.26.0/24 is in global
>>>> and R2-R5 10.0.25.0/24 is into a VRF and you need to have reachability
>>>> between these two subnets. Can you give an example routing between
>>>> these two without having to use R4 ?
>>>>
>>>> Regards.
>>>>
>>>> On Thu, Jan 6, 2011 at 11:06 AM, Marko Milivojevic <markom_at_ipexpert.com>
>>>> wrote:
>>>>> Please, re-read the article :-). It shows the example of leaking
>>>>> between global table and VRF using BGP - no next hops involved. I had
>>>>> to build to that point though.
>>>>>
>>>>> --
>>>>> Marko Milivojevic - CCIE #18427
>>>>> Senior Technical Instructor - IPexpert
>>>>>
>>>>> FREE CCIE training: http://bit.ly/vLecture
>>>>>
>>>>> Mailto: markom_at_ipexpert.com
>>>>> Telephone: +1.810.326.1444
>>>>> Web: http://www.ipexpert.com/
>>>>>
>>>>> On Thu, Jan 6, 2011 at 12:14, Damian Higgins <linnewbye_at_gmail.com> wrote:
>>>>>> I don't think your example will help Marcin, you used next-hops, so
>>>>>> you depend on the upstream router to route between global and VRFs.
>>>>>> You can have bidirectional route leaking without next-hops only
>>>>>> between VRFs ( using MP-BGP ) on the same box, but not between global
>>>>>> and a VRF. Although in global you can add directly connected routes (
>>>>>> using exit interface instead of next-hop ) into a VRF, the other way
>>>>>> around doesn't work since you need to specify a next-hop. This is a
>>>>>> very annoying limitation :(.
>>>>>>
>>>>>>
>>>>>> @Marcin, to avoid this limitation I'm using only VRFs for routing on
>>>>>> my 6500's, and I use the global table only for management in case
>>>>>> something goes wrong in the VRFs.
>>>>>>
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>>
>>>>>> On Thu, Jan 6, 2011 at 7:59 AM, Marko Milivojevic <markom_at_ipexpert.com>
>>>>>> wrote:
>>>>>>> Marcin,
>>>>>>>
>>>>>>> I wrote the blog on the subject of the route leaking between VRF and
>>>>>>> the main table sometime ago. I think you will find the solution there:
>>>>>>>
>>>>>>> http://blog.ipexpert.com/2010/12/01/vrf-route-leaking/
>>>>>>>
>>>>>>> Short answer to your last question: yes :-)
>>>>>>>
>>>>>>> --
>>>>>>> Marko Milivojevic - CCIE #18427
>>>>>>> Senior Technical Instructor - IPexpert
>>>>>>>
>>>>>>> FREE CCIE training: http://bit.ly/vLecture
>>>>>>>
>>>>>>> Mailto: markom_at_ipexpert.com
>>>>>>> Telephone: +1.810.326.1444
>>>>>>> Web: http://www.ipexpert.com/
>>>>>>>
>>>>>>> On Thu, Jan 6, 2011 at 06:03, Marcin Zgola <MZgola_at_netrixllc.com>
>>>>>>> wrote:
>>>>>>>> Problem, I want to be able to communicate between VRF and global on
>>>>>>>> the same router.
>>>>>>>>
>>>>>>>> I can leak routes but I need to specify next hop to be another router.
>>>>>>>>
>>>>>>>> Basically packet hits the router on VRF interface, and then it sends
>>>>>>>> it to upstream router, and upstream router sends it back.
>>>>>>>>
>>>>>>>> Can this be avoided?????
>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>
>>>>>>> _______________________________________________________________________
>>>>>>> Subscription information may be found at:
>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>> --
>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>>>
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>
>

Received on Fri Jan 07 2011 - 11:01:16 ART

This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART