3 Replies. Latest reply: Aug 29, 2019 7:38 AM by Haider Hani

    IOS XR / Leaking the routes between VRF and global RIB

    Anton Karneliuk, 2xCCIE #49412 (RS/SP)

      Hi all,

       

      I've found an interesting feature on the Cisco IOS XR platform that allows you to leak routes between the global routing table and a VRF. Actually, it can be used for a combination of MPLS VPN + Internet Access via VPN, if Internet is routed via the Global RIB.

      It looks like the configuration is pretty easy:

       

      RP/0/0/CPU0:R2#sh rpl route-policy IPv4_TO_DEF_VRF
      route-policy IPv4_TO_DEF_VRF
        if destination in (172.16.0.0/16 le 32) then
          done
        endif
      end-policy
      !
      RP/0/0/CPU0:R2#sh rpl route-policy IPV4_DEF_ONLY
      route-policy IPV4_DEF_ONLY
        if destination in (0.0.0.0/0) then
          done
        endif
      end-policy
      !
      RP/0/0/CPU0:R2#sh run vrf VPN_A
      vrf VPN_A
      address-family ipv4 unicast
        import from default-vrf route-policy IPV4_DEF_ONLY advertise-as-vpn
        import route-target
         10.255.255.4:1
        !
        export to default-vrf route-policy IPv4_TO_DEF_VRF
        export route-target
         10.255.255.2:1
        !
      !
      !

      Leaking routes must be in BGP RIB:

       

      RP/0/0/CPU0:R2#sh bgp vpnv4 uni vrf VPN_A
      Status codes: s suppressed, d damped, h history, * valid, > best
                    i - internal, r RIB-failure, S stale, N Nexthop-discard
      Origin codes: i - IGP, e - EGP, ? - incomplete
         Network            Next Hop            Metric LocPrf Weight Path
      Route Distinguisher: 10.255.255.2:1 (default for vrf VPN_A)
      *> 0.0.0.0/0          10.0.21.1                0         32768 i
      *> 10.0.12.0/24       0.0.0.0                  0         32768 ?
      *>i10.0.14.0/24       10.255.255.4             0    100      0 ?
      *> 10.0.111.0/32      0.0.0.0                  0         32768 ?
      *>i10.0.111.1/32      10.255.255.4             0    100      0 ?
      *> 172.16.0.0/16      0.0.0.0                            32768 i
      *> 172.16.1.0/24      10.0.12.1                0   1000      0 13 i
      *>i172.16.2.0/24      10.255.255.4             0   1000      0 13 i
      !
      RP/0/0/CPU0:R2#sh bgp ipv4 uni
      Status codes: s suppressed, d damped, h history, * valid, > best
                    i - internal, r RIB-failure, S stale, N Nexthop-discard
      Origin codes: i - IGP, e - EGP, ? - incomplete
         Network            Next Hop            Metric LocPrf Weight Path
      *> 0.0.0.0/0          10.0.21.1                0         32768 i
      *> 172.16.0.0/16      0.0.0.0                            32768 i
      *> 172.16.1.0/24      10.0.12.1                0   1000      0 13 i

      It looks cool, except for one point that I want to ask about. R2 is my PE, which is actually doing the route leaking. Above you can see the policies and the RIB outputs. The problem is that R2 redistributes to the default VRF only the prefix that is learned from the directly connected CE (172.16.1.0/24), whereas the prefix learned from another PE (172.16.2.0/24) isn't redistributed. I've tried to create an aggregate under the BGP vrf VPN_A configuration for a prefix that should cover all my more specific ones (172.16.0.0/16). You can see that this prefix is redistributed to the default VRF and even installed in the RIB.

      RP/0/0/CPU0:R2#sh route
      !
      Gateway of last resort is 10.0.21.1 to network 0.0.0.0
      !
      S*   0.0.0.0/0 [1/0] via 10.0.21.1, 01:25:33, GigabitEthernet0/0/0/0.21
      C    10.0.21.0/24 is directly connected, 01:26:32, GigabitEthernet0/0/0/0.21
      L    10.0.21.2/32 is directly connected, 01:26:32, GigabitEthernet0/0/0/0.21
      C    10.0.23.0/24 is directly connected, 03:12:48, GigabitEthernet0/0/0/0.23
      L    10.0.23.2/32 is directly connected, 03:12:48, GigabitEthernet0/0/0/0.23
      L    10.255.255.2/32 is directly connected, 03:12:48, Loopback0
      O    10.255.255.4/32 [110/2] via 10.0.23.3, 03:08:33, GigabitEthernet0/0/0/0.23
      B    172.16.0.0/16 [200/0] via 0.0.0.0 (nexthop in vrf VPN_A), 00:32:25, Loopback111
      B    172.16.1.0/24 [20/0] via 10.0.12.1 (nexthop in vrf VPN_A), 00:32:25

      Unfortunately, it doesn't help me. I still can't ping the host in the default RIB from another CE. My topology looks like this:

       

                Internet_HOST
                    |
      (CE) <--> (PE1 (R2)) <---> (PE2P) <---> (CE2)

       

      I'm using IOS XRv 5.3.2. Do you have any ideas why the routes that come from CE2 to PE2 and then to my actual PE are not redistributed to the default VRF?

      Thanks in advance.

       

      BR,

      Anton
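
An added example, not part of the original post: a Python check that applies the export policy's prefix match (172.16.0.0/16 le 32) to the VRF BGP rows shown in the post and lists which matching prefixes are present in, or absent from, the global BGP table. The function names are hypothetical and the table rows are copied from the post's output; the script only reports the difference between the two tables, which is the kind of audit you would run to confirm what actually crosses the VRF/global boundary.

```python
import ipaddress
import re

# Best-path rows copied from the "sh bgp" outputs in the post.
VRF_TABLE = """\
*> 0.0.0.0/0          10.0.21.1                0         32768 i
*> 10.0.12.0/24       0.0.0.0                  0         32768 ?
*>i10.0.14.0/24       10.255.255.4             0    100      0 ?
*> 10.0.111.0/32      0.0.0.0                  0         32768 ?
*>i10.0.111.1/32      10.255.255.4             0    100      0 ?
*> 172.16.0.0/16      0.0.0.0                            32768 i
*> 172.16.1.0/24      10.0.12.1                0   1000      0 13 i
*>i172.16.2.0/24      10.255.255.4             0   1000      0 13 i
"""
GLOBAL_TABLE = """\
*> 0.0.0.0/0          10.0.21.1                0         32768 i
*> 172.16.0.0/16      0.0.0.0                            32768 i
*> 172.16.1.0/24      10.0.12.1                0   1000      0 13 i
"""

# "*>" best path, optional "i" (internal), then network and next hop.
ROW = re.compile(r"^\*>(i?)\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+\.\d+\.\d+\.\d+)", re.M)

def parse(table):
    """Return {network: (is_ibgp, next_hop)} for each best-path row."""
    return {ipaddress.ip_network(p): (bool(i), nh) for i, p, nh in ROW.findall(table)}

def in_prefix_set(net, base, le):
    """RPL-style 'destination in (base le N)'; an exact match is le == base length."""
    return net.subnet_of(ipaddress.ip_network(base)) and net.prefixlen <= le

def leak_report(vrf, glob, base, le):
    """Split policy-matching VRF routes into leaked / not leaked into global."""
    matched = {n: v for n, v in vrf.items() if in_prefix_set(n, base, le)}
    leaked = sorted(str(n) for n in matched if n in glob)
    missing = sorted((str(n), nh, ibgp) for n, (ibgp, nh) in matched.items()
                     if n not in glob)
    return leaked, missing

if __name__ == "__main__":
    leaked, missing = leak_report(parse(VRF_TABLE), parse(GLOBAL_TABLE),
                                  "172.16.0.0/16", 32)
    print("leaked to global:", leaked)
    for prefix, next_hop, ibgp in missing:
        print(f"matches policy but not in global: {prefix} via {next_hop} (internal={ibgp})")
```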