Versions Compared

Old Version 12

changes.mady.by.user Olga Ļ.

Saved on

compared with

New Version 13

changes.mady.by.user Olga Ļ.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note that this could be not the most typical setup, because routes are usually not exchanged between different customers. In contrast, by default it should not be possible to gain access from one VRF site to a different VRF site in another VPN. (This is the "Private" aspect of VPNs.) Separate routing is a way to provide privacy; and it is also required to solve the problem of overlapping IP network prefixes. Route exchange is in direct conflict with these two requirement but may sometimes be needed (e.g. temp. solution when two customers are migrating to single network infrastructure).

CE1 Router, cust-one

Code Block
languageros
/ip route add dst-address=10.4.4.0/24 gateway=10.1.1.2

...


CE2 Router, cust-one

 Code Block
languageros
/ip route add dst-address=10.4.4.0/24 gateway=10.3.3.3


CE1 Router,
...
cust-two
 Code Block
languageros
/ip address add address=10.4.4.5 interface=ether1
...
 /ip route add dst-address=10.1.1.0/24 gateway=10.3.3.3
...
 /ip route add dst-address=10.3.3.0/24 gateway=10.3.3.3
...

PE1 Router
 Code Block
languageros
# replace the old VRF with this:
/ip route vrf add disabled=no routing-mark=cust-one route-distinguisher=1.1.1.1:111 \

...
export-route-targets=1.1.1.1:111 import-route-targets=1.1.1.1:111,2.2.2.2:222 interfaces=ether1


PE2 Router (Cisco)
 Code Block
languageros
ip vrf cust-one 

...
rd 1.1.1.1:111 

...
route-target export 1.1.1.1:111 

...
route-target import 1.1.1.1:111 

...
route-target import 2.2.2.2:222 
exit 
...


ip vrf cust-two 

...
rd 2.2.2.2:222 

...
route-target export 2.2.2.2:222 

...
route-target import 1.1.1.1:111 

...
route-target import 2.2.2.2:222 
exit 
...


interface FastEthernet2/0 

...
ip vrf forwarding cust-two 

...
ip address 10.4.4.3 255.255.255.0 

router bgp 65000 

...
address-family ipv4 vrf cust-two 

...
redistribute connected 

...
exit-address-family
...

Variation: replace the Cisco with another MT
PE2 Mikrotik config

 Code Block
languageros
/interface bridge add name=lobridge
/ip address

...
add address=10.2.2.3/24 interface=ether1

...
add address=10.3.3.3/24 interface=ether2

...
add address=10.4.4.3/24 interface=ether3

...
add address=10.5.5.3/32 interface=lobridge
/ip route vrf

...
add disabled=no routing-mark=cust-one route-distinguisher=1.1.1.1:111 \

...
export-route-targets=1.1.1.1:111 import-route-targets=1.1.1.1:111,2.2.2.2:222 \

...
interfaces=ether2

...
add disabled=no routing-mark=cust-two route-distinguisher=2.2.2.2:222 \

...
export-route-targets=2.2.2.2:222 import-route-targets=1.1.1.1:111,2.2.2.2:222 \

...
interfaces=ether3
/mpls ldp set enabled=yes transport-address=10.5.5.3
/mpls ldp interface add interface=ether1
/routing bgp instance set default as=65000
/routing bgp instance vrf add instance=default routing-mark=cust-one redistribute-connected=yes
/routing bgp instance vrf add instance=default routing-mark=cust-two redistribute-connected=yes
/routing bgp peer add remote-address=10.5.5.2 remote-as=65000 address-families=vpnv4 \

...
update-source=lobridge

...
# add route to the remote BGP peer's loopback address
/ip route add dst-address=10.5.5.2/32 gateway=10.2.2.2


Results
The output of /ip route print now is interesting enough to deserve detailed observation.

 Code Block
languageros
[admin@PE2] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

...
# 
...
DST-ADDRESS 
...
PREF-SRC
...
 GATEWAY 
...
DISTANCE

...
0 ADb 
...
10.1.1.0/24 
...
10.5.5.2 recurs... 20

...
1 ADC
...
 10.3.3.0/24
...
 
...
10.3.3.3 
...
ether2 
...
0

...
2 ADb 
...
10.4.4.0/24 20
3 ADb 10.1.1.0/24 10.5.5.2 
...
recurs... 20
4 ADb 10.3.3.0/24 20
5 ADC 10.4.4.0/24
...
 
...
10.4.4.3 
...
ether3
...
 
...
0

...
6 ADC 
...
10.2.2.0/24
...
 10.2.2.3
...
 
...
ether1
...
 
...
0

...
7 A S 
...
10.5.5.2/32
...
 
...
10.2.2.2 reacha... 1

...
8 ADC 
...
10.5.5.3/32 
...
10.5.5.3
...
 
...
lobridge
...
 
...
0


The route 10.1.1.0/24 was received from remote BGP peer and is installed in both VRF routing tables.
The routes 10.3.3.0/24 and 10.4.4.0/24 are also installed in both VRF routing tables. Each is as connected route in one table and as BGP route in another table. This has nothing to do with their being advertised via BGP. They are simply being "advertised" to local VPNv4 route table and locally reimported after that. Import and export route-targets determine in which tables they will end up.
This can be deduced from its attributes - they don't have the usual BGP properties. (Route 10.4.4.0/24.).)

 Code Block
languageros
[admin@PE2] /ip route> print detail where routing-mark=cust-one
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

...
0 ADb
...
 dst-address=10.1.1.0/24 gateway=10.5.5.2 recursive via 10.2.2.2 ether1

...
distance=20 scope=40 target-scope=30 routing-mark=cust-one

...
bgp-local-pref=100 bgp-origin=incomplete

...
bgp-ext-communities="RT:1.1.1.1:111"


...
1 ADC 
...
dst-address=10.3.3.0/24 pref-src=10.3.3.3 gateway=ether2 distance=0 scope=10

...
routing-mark=cust-one


...
2 ADb 
...
dst-address=10.4.4.0/24 distance=20 scope=40 target-scope=10

...
routing-mark=cust-one bgp-ext-communities="RT:2.2.2.2:222"


Static inter-VRF routes
In general it is recommended that all routes between VRF should be exchanged using BGP local import and export functionality. If that is not enough, static routes can be used to achieve this so-called route leaking.
...
The first way is to explicitly specify routing table in gateway field when adding route. This is only possible when leaking a route and gateway from the "main" routing table to a different routing table (VRF). Example:
 Code Block
languageros
# add route to 5.5.5.0/24 in 'vrf1' routing table with gateway in the main routing table 
add dst-address=5.5.5.0/24 gateway=10.3.0.1@main routing-mark=vrf1
...

The second way is to explicitly specify interface in gateway field. The interface specified can belong to a VRF instance. Example:
 Code Block
languageros
# add route to 5.5.5.0/24 in the main routing table with gateway at 'ether2' VRF interface 
add dst-address=5.5.5.0/24 gateway=10.3.0.1%ether2 routing-mark=main 

...
# add route to 5.5.5.0/24 in the main routing table with 'ptp-link-1' VRF interface as gateway 
add dst-address=5.5.5.0/24 gateway=ptp-link-1 routing-mark=main
...

As can be observed, there are two variations possible - to specify gateway as ip_address%interface or to simply specify interface. The first should be used for broadcast interfaces in most cases. The second should be used for point-to-point interfaces, and also for broadcast interfaces, if the route is a connected route in some VRF. For example, if you have address 1.2.3.4/24 on interface ether2 that is put in a VRF, there will be connected route to 1.2.3.0/24 in that VRF's routing table. It is acceptable to add static route 1.2.3.0/24 in a different routing table with interface-only gateway, even though ether2 is a broadcast interface:

 Code Block
languageros
add dst-address=1.2.3.0/24 gateway=ether2 routing-mark=main


References
RFC 4364: BGP/MPLS IP Virtual Private Networks (VPNs)
...