Re: VRF TO GLOBAL PROBLEM

Cool.
I've read about this hack, and it has its ups and downs.
On the up side, it's "standard" config, works, and you have an interface
(or two) where you can actualy set a policy (ACL, QoS, you name it).
On the down side, you have MTU issues, and sounds like a waste of
switching for a missing control feature.

Has anybody tried to do the hack on the control plane ? It should be
doable with TCL, like a runner checking the vrf for a set (prefix list,
route map) of routes and setting statics, dynamically.

Thoughts ?
-Carlos

Joseph L. Brunner @ 07/01/2011 08:22 -0300 dixit:
> I get 80Mbps between those 2 with very low cpu overhead.
>
> -----Original Message-----
> From: Damian Higgins [mailto:linnewbye_at_gmail.com]
> Sent: Friday, January 07, 2011 4:01 AM
> To: Joseph L. Brunner
> Cc: Carlos G Mendioroz; Marko Milivojevic; Marcin Zgola; Cisco certification
> Subject: Re: VRF TO GLOBAL PROBLEM
>
> Hi Joseph,
>
> I've read about using tunnels to bridge between global and VRF before
> but I thought this is not a reliable solution for production because
> of the perfomance impact. How much traffic do you actually bridge
> between global and VRF and what routers do you use ? What about GRE
> overhead and MTU ? I know the 6500's have a fixed MTU of 1514 on
> loopbacks.
>
>
> On Thu, Jan 6, 2011 at 10:47 PM, Joseph L. Brunner
> <joe_at_affirmedsystems.com> wrote:
>> How about dynamic
>>> leaking from VRFs to global ( no static routes in global ), is it
>>> possible ?
>> Yes, for that we do
>>
>> I'm sure you can figure out how this works (from an real large ISP backbone router, scales to hundreds of customers per router, ip's changed)
>>
>>
>> ip vrf abc
>> rd 9999:100
>> route-target export 9999:100
>> route-target import 9999:100
>>
>> interface Tunnel100
>> description VRF_ABC_BRIDGE_TO_GLOBAL_ROUTING_TABLE
>> bandwidth 50000
>> ip vrf forwarding abc
>> ip address 172.23.254.254 255.255.255.252
>> load-interval 30
>> tunnel source Loopback0
>> tunnel destination 172.24.1.1
>> !
>> interface Tunnel200
>> description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_ABC
>> bandwidth 50000
>> ip address 172.23.254.253 255.255.255.252
>> ip virtual-reassembly
>> load-interval 30
>> tunnel source Loopback100
>> tunnel destination 96.110.188.105
>>
>>
>> then...
>>
>> router ospf 100 vrf abc
>> router-id 172.24.254.254
>> log-adjacency-changes
>> redistribute static subnets route-map static-vrf-abc-redis-to-ospf-100
>> redistribute bgp 17303 subnets route-map redis-bgp-vrf-abc-to-ospf
>> network 96.110.188.153 0.0.0.0 area 1
>> network 96.110.188.185 0.0.0.0 area 1
>> network 96.110.188.245 0.0.0.0 area 1
>> default-information originate always
>>
>>
>> router ospf 1
>> router-id 172.24.1.1
>> log-adjacency-changes
>> passive-interface default
>>
>>
>> router bgp 9999
>>
>> address-family ipv4 vrf abc
>> redistribute static route-map static-to-bgp-vrf-100
>> redistribute ospf 100 vrf abc route-map ospf-to-bgp-vrf-100
>> no synchronization
>> exit-address-family
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Carlos G Mendioroz
>> Sent: Thursday, January 06, 2011 2:37 PM
>> To: Damian Higgins
>> Cc: Marko Milivojevic; Marcin Zgola; Cisco certification
>> Subject: Re: VRF TO GLOBAL PROBLEM
>>
>> Does not seem to be doable for the time being.
>> There are some hacks using tunnels, but nothing clean.
>> This sure is the reason for your using all VRF and no global :)
>>
>> -Carlos
>>
>> Damian Higgins @ 06/01/2011 15:05 -0300 dixit:
>>> I didn't read the article carefully, I just did a lab ( using
>>> fastethernet interfaces ) and it does work :). How about dynamic
>>> leaking from VRFs to global ( no static routes in global ), is it
>>> possible ?
>>>
>>>
>>> On Thu, Jan 6, 2011 at 5:57 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>>>> Damian,
>>>> I've just changed Marko's sample to leak R2-R4 (192.168.24.0/24, global)
>>>> into vrf red and R2-R5 (10.0.25.0/24, vrf red) into global and it works.
>>>>
>>>> @ R2, just:
>>>>
>>>> ip prefix-list R4-Loopback0 seq 20 permit 192.168.24.0/24
>>>>
>>>> (should have changed the list name :)
>>>> and red knows the R2-R4.
>>>>
>>>> ip route 10.0.25.0 255.255.255.0 Serial1/0.205
>>>>
>>>> and R2 knows R2-R5 at global.
>>>>
>>>> BTW, the sample uses point to point, so AFAIK there is no need to set next
>>>> hops, no need for the global for vrf statics if used.
>>>>
>>>> I can ping from R5 to R2's serial w/o going through R4. That's what is being
>>>> looked for, right ?
>>>>
>>>> Marcin,
>>>> would you post relevant config ?
>>>> -Carlos
>>>>
>>>> Damian Higgins @ 06/01/2011 07:22 -0300 dixit:
>>>>> Hi Marko,
>>>>>
>>>>> That's because in your example you needed reachability only between
>>>>> the router's loopbacks. Let's say that R2-R6 10.0.26.0/24 is in global
>>>>> and R2-R5 10.0.25.0/24 is into a VRF and you need to have reachability
>>>>> between these two subnets. Can you give an example routing between
>>>>> these two without having to use R4 ?
>>>>>
>>>>> Regards.
>>>>>
>>>>> On Thu, Jan 6, 2011 at 11:06 AM, Marko Milivojevic <markom_at_ipexpert.com>
>>>>> wrote:
>>>>>> Please, re-read the article :-). It shows the example of leaking
>>>>>> between global table and VRF using BGP - no next hops involved. I had
>>>>>> to build to that point though.
>>>>>>
>>>>>> --
>>>>>> Marko Milivojevic - CCIE #18427
>>>>>> Senior Technical Instructor - IPexpert
>>>>>>
>>>>>> FREE CCIE training: http://bit.ly/vLecture
>>>>>>
>>>>>> Mailto: markom_at_ipexpert.com
>>>>>> Telephone: +1.810.326.1444
>>>>>> Web: http://www.ipexpert.com/
>>>>>>
>>>>>> On Thu, Jan 6, 2011 at 12:14, Damian Higgins <linnewbye_at_gmail.com> wrote:
>>>>>>> I don't think your example will help Marcin, you used next-hops, so
>>>>>>> you depend on the upstream router to route between global and VRFs.
>>>>>>> You can have bidirectional route leaking without next-hops only
>>>>>>> between VRFs ( using MP-BGP ) on the same box, but not between global
>>>>>>> and a VRF. Although in global you can add directly connected routes (
>>>>>>> using exit interface instead of next-hop ) into a VRF, the other way
>>>>>>> around doesn't work since you need to specify a next-hop. This is a
>>>>>>> very annoying limitation :(.
>>>>>>>
>>>>>>>
>>>>>>> @Marcin, to avoid this limitation I'm using only VRFs for routing on
>>>>>>> my 6500's, and I use the global table only for management in case
>>>>>>> something goes wrong in the VRFs.
>>>>>>>
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Jan 6, 2011 at 7:59 AM, Marko Milivojevic <markom_at_ipexpert.com>
>>>>>>> wrote:
>>>>>>>> Marcin,
>>>>>>>>
>>>>>>>> I wrote the blog on the subject of the route leaking between VRF and
>>>>>>>> the main table sometime ago. I think you will find the solution there:
>>>>>>>>
>>>>>>>> http://blog.ipexpert.com/2010/12/01/vrf-route-leaking/
>>>>>>>>
>>>>>>>> Short answer to your last question: yes :-)
>>>>>>>>
>>>>>>>> --
>>>>>>>> Marko Milivojevic - CCIE #18427
>>>>>>>> Senior Technical Instructor - IPexpert
>>>>>>>>
>>>>>>>> FREE CCIE training: http://bit.ly/vLecture
>>>>>>>>
>>>>>>>> Mailto: markom_at_ipexpert.com
>>>>>>>> Telephone: +1.810.326.1444
>>>>>>>> Web: http://www.ipexpert.com/
>>>>>>>>
>>>>>>>> On Thu, Jan 6, 2011 at 06:03, Marcin Zgola <MZgola_at_netrixllc.com>
>>>>>>>> wrote:
>>>>>>>>> Problem, I want to be able to communicate between VRF and global on
>>>>>>>>> the same router.
>>>>>>>>>
>>>>>>>>> I can leak routes but I need to specify next hop to be another router.
>>>>>>>>>
>>>>>>>>> Basically packet hits the router on VRF interface, and then it sends
>>>>>>>>> it to upstream router, and upstream router sends it back.
>>>>>>>>>
>>>>>>>>> Can this be avoided?????
>>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>>
>>>>>>>> _______________________________________________________________________
>>>>>>>> Subscription information may be found at:
>>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> --
>>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>>>>
>> --
>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Blogs and organic groups at http://www.ccie.net