Re: Vrf Export Map from Bilal Hansrod on 2011-06-13 (Ccielab archives 06/2011)

From: Bilal Hansrod <bilal.hansrod_at_gmail.com>
Date: Tue, 14 Jun 2011 10:48:23 +1000

Thanks once again- It has helped me reinforce my understanding about
import/export process. It was really easy explanantion that can be
understood quickly,

Bilal Hansrod

On Mon, Jun 13, 2011 at 11:39 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar>wrote:

> Bilal,
> yes, I would call the import process a filter, from vpnv4 into
> vrf table. But as mentioned, it has "side effects" on the vpnv4
> table as well.
> (In fact, by default, it filters even what gets accepted into vpnv4 as
> well)
>
> On the other hand, I would not call the export a filter, just a marking.
> It becomes a filter if you use an export map though.
>
> -Carlos
>
> Bilal Hansrod @ 13/06/2011 10:13 -0300 dixit:
>
>> Thanks Carlos for the quick reply- Is it correct to say that import
>> process filters route when it imports from VPNV4 table into vrf table and
>> export process filters before going into VPNV4 table from vrf?
>>
>> Bilal Hansrod
>>
>>
>>
>> On Mon, Jun 13, 2011 at 10:49 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar<mailto:
>> tron_at_huapi.ba.ar>> wrote:
>>
>> Bilal,
>> when you do a show ip bgp vpnv4 all, the show is *not* listing the
>> routes open by VRF, but the routes open by RD, corresponding to the
>> VRFs.
>>
>> When you receive a route coming from elsewhere (e.g. the
>> 192.168.6.0/24 <http://192.168.6.0/24>
>>
>> @ R5 which is originated from R6) it is in the vpnv4 table with its
>> original RD (100:2).
>>
>> But as you are importing it to VPN_B_at_R5, it gets also copied
>> with the associated RD, 100:1. That's why you see it with both RDs.
>> The import process assigns a new RD in the vpnv4 table.
>>
>> -Carlos
>>
>>
>> Bilal Hansrod @ 13/06/2011 07:35 -0300 dixit:
>>
>> Hello,
>>
>> I was configuring export map for vrf and saw results which I am
>> unable to
>> understand. I used export map to match particular prefix from
>> VPN_A (R5) and
>> imported on R6 router in VPN_B. I can see in VPN_B routing table
>> the prefix
>> from R5 and don't see same prefix in VPN_A vrf. It seems good,
>> but why do I
>> see matched prefix on R6 on both vrf when I run show ip bgp
>> vpnv4 all. It
>> seems it imported on R6 in both vrf, but only installed in vrf
>> VPN_B routing
>> table due to export map.
>>
>> Anyone can explain this behaviour.
>>
>> Feel free to read in detail with configuration and output if you
>> want to
>> understand the topology.
>>
>>
>> Thanks,
>>
>> Bilal Hansrod
>>
>>
>>
>>
>>
>> Topology:
>>
>> R6 connected to R4 via Ethernet and R4 is also connected to R5
>> via FR and
>> Serial
>>
>> R4 is BGP Route Reflector and R5 and R6 as clients
>>
>> R6 R4 R5
>>
>> |
>>
>> R5
>>
>> A loopback interface is configured on R5 VRF VPN_A
>> 172.16.5.5/24 <http://172.16.5.5/24>
>>
>> A loopback interface is configured on R6 VRF VPN_B
>> 192.168.6.6/24 <http://192.168.6.6/24>
>>
>>
>> Both VRF exist on R5 and R6.
>>
>> Task: R6 VPN_A doesn't see prefix-list 172.16.5.0/24
>> <http://172.16.5.0/24> and R5 does not see
>> the prefix 192.168.6.0/24 <http://192.168.6.0/24>
>>
>>
>> Solution Configuration:
>>
>> R5:
>>
>> ip vrf VPN_A
>>
>> rd 100:1
>>
>> export map R5
>>
>> route-target export 100:1
>>
>> route-target import 100:1
>>
>> route-target import 100:66
>>
>> !
>>
>> ip vrf VPN_B
>>
>> rd 100:2
>>
>> route-target export 100:2
>>
>> route-target import 100:2
>>
>>
>> ip prefix-list VPN_A seq 10 permit 172.16.5.0/24
>> <http://172.16.5.0/24>
>>
>>
>>
>> route-map R5 permit 10
>>
>> match ip address prefix-list VPN_A
>>
>> set extcommunity rt 100:55
>>
>> !
>>
>> route-map R5 permit 20
>>
>> set extcommunity rt 100:1
>>
>>
>> R6:
>>
>>
>> ip vrf VPN_A
>>
>> rd 100:1
>>
>> route-target export 100:1
>>
>> route-target import 100:1
>>
>> !
>>
>> ip vrf VPN_B
>>
>> rd 100:2
>>
>> export map R6
>>
>> route-target export 100:2
>>
>> route-target import 100:2
>>
>> route-target import 100:55
>>
>>
>> ip prefix-list VPN_B seq 10 permit 192.168.6.0/24
>> <http://192.168.6.0/24>
>>
>>
>>
>> route-map R6 permit 10
>>
>> match ip address prefix-list VPN_B
>>
>> set extcommunity rt 100:66
>>
>> !
>>
>> route-map R6 permit 20
>>
>> set extcommunity rt 100:2
>>
>>
>> Results: The below results ensure that R5 VPN_B does not see
>> 192.168.6.0
>> from R6 and R6 VPN_A does not see 172.16.5.0/24
>> <http://172.16.5.0/24> from R5.
>>
>>
>>
>> R5#show ip route vrf VPN_A 192.168.6.0
>>
>> Routing entry for 192.168.6.0/24 <http://192.168.6.0/24>
>>
>>
>> Known via "bgp 100", distance 200, metric 0, type internal
>>
>> Last update from 150.1.6.6 00:32:17 ago
>>
>> Routing Descriptor Blocks:
>>
>> * 150.1.6.6 (Default-IP-Routing-Table), from 150.1.4.4, 00:32:17
>> ago
>>
>> Route metric is 0, traffic share count is 1
>>
>> AS Hops 0
>>
>>
>> R5#show ip route vrf VPN_B 192.168.6.0
>>
>> % Network not in table
>>
>>
>> R6#show ip route vrf VPN_A 172.16.5.0
>>
>> % Subnet not in table
>>
>>
>> R6#show ip route vrf VPN_B 172.16.5.0
>>
>> Routing entry for 172.16.5.0/24 <http://172.16.5.0/24>
>>
>>
>> Known via "bgp 100", distance 200, metric 0, type internal
>>
>> Last update from 150.1.5.5 00:35:49 ago
>>
>> Routing Descriptor Blocks:
>>
>> * 150.1.5.5 (Default-IP-Routing-Table), from 150.1.4.4, 00:35:49
>> ago
>>
>> Route metric is 0, traffic share count is 1
>>
>> AS Hops 0
>>
>> Now when I run show ip bgp vpnv4 all on R5 and R6, I still see
>> routes in
>> both VPN tables.
>>
>> For instance, R sees 192.168.6.0 in vrf VPN_A and VPN_B. Can
>> anyone please
>> explain why I can't see in routing table of vrf but still see in
>> VPNV4
>> table.
>>
>> R5#show ip bgp vpnv4 all
>>
>> BGP table version is 37, local router ID is 150.1.5.5
>>
>> Status codes: s suppressed, d damped, h history, * valid, >
>> best, i -
>> internal,
>>
>> r RIB-failure, S Stale
>>
>> Origin codes: i - IGP, e - EGP, ? - incomplete
>>
>> Network Next Hop Metric LocPrf Weight Path
>>
>> Route Distinguisher: 100:1 (default for vrf VPN_A)
>>
>> *> 155.1.58.0/24 <http://155.1.58.0/24> 0.0.0.0 0 32768 ?
>>
>> *>i155.1.67.0/24 150.1.6.6 0 100 0 <tel:150.1.6.6%200%20100%200> ?
>>
>> *> 172.16.5.0/24 <http://172.16.5.0/24> 0.0.0.0 0 32768 ?
>>
>> *>i172.16.7.0/24 150.1.6.6 0 100 0 <tel:150.1.6.6%200%20100%200> ?
>>
>> *>i192.168.6.0 150.1.6.6 0 100 0 <tel:150.1.6.6%200%20100%200> ?
>>
>>
>> Route Distinguisher: 100:2 (default for vrf VPN_B)
>>
>> *> 155.1.5.0/24 <http://155.1.5.0/24> 0.0.0.0 0 32768 ?
>>
>> *>i155.1.76.0/24 150.1.6.6 0 100 0 <tel:150.1.6.6%200%20100%200> ?
>>
>> *>i192.168.6.0 150.1.6.6 0 100 0 <tel:150.1.6.6%200%20100%200> ?
>>
>> *>i192.168.7.0 150.1.6.6 0 100 0 <tel:150.1.6.6%200%20100%200> ?
>>
>>
>> Thanks,
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>> -- Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar
>> >>
>> LW7 EQI Argentina
>>
>>
>>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Blogs and organic groups at http://www.ccie.net
Received on Tue Jun 14 2011 - 10:48:23 ART

This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART