By adding a unique route-distinguisher to each advertisement, and by adding that route-distinguisher to the start of the prefix, two VRFs can advertise the same prefix, and the receiving routers don’t override one prefix with the other. For example, instead of advertising just 192.168.10.0/24, a router might instead advertise something like “64512:900:192.168.10.0/24”. In this example, “64512:900” might be the route-distinguisher assigned to a particular customer.
What the route distinguisher does NOT do is tell the receiving router which VRF the prefix is a part of. That is exclusively the job of the route target.
Route Target - route targets are sent to other routers
vrf CustA
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
vrf CustB
 rd 65000:20
 route-target export 65000:20 = takes all routes in the VRF and adds the customer tag to them
 route-target import 65000:10 = received routes are imported into the correct VRF (incoming routes with tag 65000:10 are imported into vrf CustB)
 route-target import 65000:20
-----------------------------
- auto-summary (BGP)
- if enabled: BGP automatically summarizes routes to classful network boundaries
- route summarization is used to reduce the amount of routing information in routing tables
- Automatic summarization applies to connected, static, and redistributed routes.
- By default, automatic summarization is disabled and BGP accepts subnets redistributed from IGP
- To advertise and carry subnet routes in BGP when auto-summary is enabled, use an explicit network command to advertise the subnet.
- does not apply to routes injected into BGP via the network command or through iBGP or eBGP.
- no synchronization -- synchronization is an old loop prevention mechanism that is no longer used.
Basically, the sync logic is: do not consider an iBGP route in the BGP table best unless the exact prefix was learned via an IGP and is currently in the routing table.
- bgp redistribute-internal -- iBGP routes are not forwarded to an IGP by the 'redistribute' command alone; this command must be used as well.
VPN Routing/Forwarding instance information
Shows a summary of all VRFs present on the current router and their associated route-distinguishers and interface(s).
R7609# show ip vrf
  Name                             Default RD          Interfaces
  DNS                              9999:853            Po11.851
                                                       Po12.852
                                                       Vl853
  INTERNET                         9999:100            Po11.374
                                                       Po12.373
                                                       Vl224
https://learningnetwork.cisco.com/thread/97007
route-target export 1:1
route-target import 1:1
SITE1-vrfA 1:1:192.168.1.0/24    SP    SITE-3-vrfB 2:2:10.10.10.0/24
SITE2-vrfB 2:2:192.168.1.0/24          SITE-4-vrfA 1:1:172.16.1.0/24
Site 1 originates prefix 1:1:192.168.1.0/24
That prefix is sent (exported) with a RT (tag) of 1:1.
Site 4 is configured to install (import) all prefixes with a RT (tag) of 1:1
As the prefix 1:1:192.168.1.0/24 is sent across the SP network it carries the RT value with it.
Once the update arrives at Site-4, the router at Site-4 should install that prefix in the routing table.
A VRF is a Virtual Routing and Forwarding table.
VRF-lite is normally VRF without MPLS.
VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but a Layer 3 interface cannot belong to more than one VRF at any time.
Initial configuration
VRF 'UP' and 'DOWN' are configured on ISP router
UP-LEFT and UP-RIGHT will use EIGRP 1
DOWN-LEFT and DOWN-RIGHT will use OSPF 1
"ISP" router will use VRFs to separate RIBs for UP and DOWN networks.
UP-LEFT
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
!
router eigrp 1
 network 1.0.0.0
 network 10.0.0.0
 no auto-summary
 eigrp router-id 1.1.1.1
!
UP-RIGHT
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.2.2 255.255.255.0
!
router eigrp 1
 network 2.0.0.0
 network 10.0.0.0
 no auto-summary
 eigrp router-id 2.2.2.2
!
DOWN-LEFT
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.3.2 255.255.255.0
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.0 0.0.0.255 area 0
 network 10.0.0.0 0.255.255.255 area 0
!
DOWN-RIGHT
!
interface Loopback1
 ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.4.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.0 0.0.0.255 area 0
 network 10.0.0.0 0.255.255.255 area 0
!
ISP
1) Create and define VRFs
- The VRF name and RD are locally significant.
BGP/MPLS IP VPNs - http://tools.ietf.org/html/rfc4364
Route Distinguisher
- An RD is the most basic requirement to activate the VRF and create the VRF tables.
- Route Distinguisher (RD) - is simply a number, and it does not contain any inherent information; it does not identify the origin of the route or the set of VPNs to which the route is to be distributed.
- A VPN-IPv4 address is a 12-byte quantity, beginning with an 8-byte (64-bit) Route Distinguisher (RD) and ending with a 4-byte (32-bit) IPv4 address.
- An RD identifier is prepended to an IPv4 address, which turns a non-unique IPv4 prefix into a unique 96-bit VPNv4 prefix.
ISP(config-vrf)#rd ?
ASN:nn or IP-address:nn VPN Route Distinguisher
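The 12-byte VPN-IPv4 layout described above, as an added example that is not part of the original page: it encodes the two RD forms the `rd ?` help lists (type 0 `ASN:nn` and type 1 `IP-address:nn`, per RFC 4364; the 4-byte-ASN type 2 is left out) and flags VRFs whose routes collapse to the same VPN-IPv4 address. The function names are illustrative, and the route list is constructed from the site example on this page plus one hypothetical VRF that reuses an RD.

```python
import ipaddress
import struct

def encode_rd(rd):
    """Encode 'ASN:nn' (type 0) or 'IP-address:nn' (type 1) as an 8-byte RD (RFC 4364)."""
    admin, _, assigned = rd.rpartition(":")
    number = int(assigned)
    if "." in admin:
        # Type 1: 2-byte type, 4-byte IPv4 administrator, 2-byte assigned number.
        if not 0 <= number <= 0xFFFF:
            raise ValueError("type 1 assigned number must fit in 16 bits")
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    # Type 0: 2-byte type, 2-byte ASN administrator, 4-byte assigned number.
    asn = int(admin)
    if not (0 <= asn <= 0xFFFF and 0 <= number <= 0xFFFFFFFF):
        raise ValueError("type 0 needs a 16-bit ASN and a 32-bit assigned number")
    return struct.pack("!HHI", 0, asn, number)

def vpnv4_address(rd, ipv4):
    """8-byte RD followed by the 4-byte IPv4 address (prefix length is carried separately)."""
    return encode_rd(rd) + ipaddress.IPv4Address(ipv4).packed

def rd_collisions(routes):
    """Group VRFs whose (rd, ipv4) pairs encode to the same VPN-IPv4 address."""
    seen = {}
    for vrf, rd, ipv4 in routes:
        seen.setdefault(vpnv4_address(rd, ipv4), set()).add(vrf)
    return sorted(sorted(vrfs) for vrfs in seen.values() if len(vrfs) > 1)

# Constructed input: the two overlapping site prefixes from this page, plus a
# hypothetical VRF "vrfC" that was mistakenly given SITE1-vrfA's RD.
ROUTES = [
    ("SITE1-vrfA", "1:1", "192.168.1.0"),
    ("SITE2-vrfB", "2:2", "192.168.1.0"),
    ("vrfC", "1:1", "192.168.1.0"),
]

if __name__ == "__main__":
    for vrf, rd, ipv4 in ROUTES:
        print(f"{vrf:12} {rd}:{ipv4:14} -> {vpnv4_address(rd, ipv4).hex()}")
    print("same VPN-IPv4 address:", rd_collisions(ROUTES))
```

With distinct RDs the two 192.168.1.0 routes stay separate; the reused RD is the case where one advertisement would override the other.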
Route Target
- What counts is what you import and export. Importing and exporting route targets use the same syntax as the RD, which is ASN:NN, as shown by the example below.
- An RT or route-target, on the other hand, is a BGP extended community which gets attached when a prefix is exported from the VRF RIB table into the VRF-aware BGP table to identify VPN membership. The confusing part is that the RT import/export function in Cisco IOS is defined under the VRF configuration section and not under the BGP section. Thus, to use RTs, BGP is required. This means without BGP enabled on Router1, the RT import/export would yield no result.
- By definition, the routes that you "export" are only the routes you advertise on the vrf address family in BGP.
- The BGP process is required for the creation of the VRF-aware BGP tables.
- BGP neighbors are not necessary.
- Lastly, since BGP is used, the BGP next-hop must be reachable, else the imported routes will not be considered for route-selection.
ISP(config-vrf)#route-target ?
  ASN:nn or IP-address:nn  Target VPN Extended Community
  both                     Both import and export Target-VPN community
  export                   Export Target-VPN community
  import                   Import Target-VPN community
route-target export = redistribute from VRF RIB to VRF BGP.
(Exported route is now a VPNv4 route in MP-BGP and the RT is included as an extended BGP community.)
route-target import = redistribute from another VRF BGP to current (selected) VRF BGP.
!
ip vrf UP
 rd 123:1
 route-target export 123:1
 route-target import 123:99
!
ip vrf DOWN
 rd 123:2
 route-target export 123:2    <- export routes from VRF DOWN's RIB to BGP-VRF-DOWN
 route-target import 123:99   <- import routes from VRF-ALL's RIB to this VRF
!
ip vrf ALL
 rd 123:99
 route-target export 123:99
 route-target import 123:1
 route-target import 123:2
!
2) Set IP on interfaces according to VRF
interface Loopback99
 ip vrf forwarding ALL
 ip address 99.99.99.99 255.255.255.0
!
interface FastEthernet0/0
 ip vrf forwarding UP
 ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip vrf forwarding DOWN
 ip address 10.0.3.1 255.255.255.0
!
interface FastEthernet1/0
 ip vrf forwarding UP
 ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet1/1
 ip vrf forwarding DOWN
 ip address 10.0.4.1 255.255.255.0
!
3) Configure routing protocols in specific VRFs
router eigrp 1
 auto-summary
 !
 address-family ipv4 vrf UP
  network 10.0.0.0
  network 99.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!
router ospf 1 vrf DOWN
 router-id 5.5.5.5
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 10.0.0.0 0.255.255.255 area 0
 network 99.99.99.0 0.0.0.255 area 0
!
4) Configure BGP to make the VRF import/export process work
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 bgp redistribute-internal    <-- iBGP routes are not forwarded to an IGP with the 'redistribute' command
 no auto-summary
 !
 address-family ipv4 vrf UP
  redistribute connected
  redistribute eigrp 1 metric 99
  no synchronization
  bgp redistribute-internal
 exit-address-family
 !
 address-family ipv4 vrf DOWN
  redistribute connected
  redistribute ospf 1 vrf DOWN metric 110
  no synchronization
  bgp redistribute-internal
 exit-address-family
 !
 address-family ipv4 vrf ALL
  redistribute connected
  no synchronization
  bgp redistribute-internal
 exit-address-family
!
5) Verification
UP-LEFT#sh ip route | be Gatewa
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback1
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/158720] via 10.0.1.1, 2d21h, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
D 10.0.2.0 [90/30720] via 10.0.1.1, 2d21h, FastEthernet0/0
C 10.0.1.0 is directly connected, FastEthernet0/0
UP-LEFT#
DOWN-LEFT#sh ip route | be Gatewa
Gateway of last resort is not set
3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, Loopback1
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/3] via 10.0.3.1, 2d21h, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.3.0 is directly connected, FastEthernet0/0
O 10.0.4.0 [110/2] via 10.0.3.1, 2d21h, FastEthernet0/0
DOWN-LEFT#
ISP# sh ip route | beg Gate
Gateway of last resort is not set
ISP#
ISP# sh ip route vrf UP | b Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/156160] via 10.0.1.2, 2d21h, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/156160] via 10.0.2.2, 2d21h, FastEthernet1/0
99.0.0.0/24 is subnetted, 1 subnets
B 99.99.99.0 is directly connected, 2d21h, Loopback99
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.2.0 is directly connected, FastEthernet1/0
C 10.0.1.0 is directly connected, FastEthernet0/0
ISP#
ISP# sh ip route vrf DOWN | b Gate
Gateway of last resort is not set
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/2] via 10.0.3.2, 2d21h, FastEthernet0/1
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/2] via 10.0.4.2, 2d21h, FastEthernet1/1
99.0.0.0/24 is subnetted, 1 subnets
B 99.99.99.0 is directly connected, 2d21h, Loopback99
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.3.0 is directly connected, FastEthernet0/1
C 10.0.4.0 is directly connected, FastEthernet1/1
ISP#
ISP# sh ip route vrf ALL | b Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets <-imported from VRF 'UP'
B 1.1.1.0 [20/99] via 10.0.1.2 (UP), 2d21h, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
B 2.2.2.0 [20/99] via 10.0.2.2 (UP), 2d21h, FastEthernet1/0
3.0.0.0/32 is subnetted, 1 subnets <-imported from VRF 'DOWN'
B 3.3.3.3 [20/110] via 10.0.3.2 (DOWN), 2d21h, FastEthernet0/1
4.0.0.0/32 is subnetted, 1 subnets
B 4.4.4.4 [20/110] via 10.0.4.2 (DOWN), 2d21h, FastEthernet1/1
99.0.0.0/24 is subnetted, 1 subnets
C 99.99.99.0 is directly connected, Loopback99
10.0.0.0/24 is subnetted, 4 subnets
B 10.0.2.0 is directly connected, 2d21h, FastEthernet1/0
B 10.0.3.0 is directly connected, 2d21h, FastEthernet0/1
B 10.0.1.0 is directly connected, 2d21h, FastEthernet0/0
B 10.0.4.0 is directly connected, 2d21h, FastEthernet1/1
ISP#
ISP#show ip bgp vpnv4 all
% BGP cannot run because the router-id is not configured
BGP table version is 34, local router ID is 0.0.0.0
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 123:1 (default for vrf UP)
*> 1.1.1.0/24 10.0.1.2 99 32768 ?
*> 2.2.2.0/24 10.0.2.2 99 32768 ?
*> 10.0.1.0/24 0.0.0.0 0 32768 ?
*> 10.0.2.0/24 0.0.0.0 0 32768 ?
*> 99.99.99.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 123:2 (default for vrf DOWN)
*> 3.3.3.3/32 10.0.3.2 110 32768 ?
*> 4.4.4.4/32 10.0.4.2 110 32768 ?
*> 10.0.3.0/24 0.0.0.0 0 32768 ?
*> 10.0.4.0/24 0.0.0.0 0 32768 ?
*> 99.99.99.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 123:99 (default for vrf ALL)
*> 1.1.1.0/24 10.0.1.2 99 32768 ?
*> 2.2.2.0/24 10.0.2.2 99 32768 ?
*> 3.3.3.3/32 10.0.3.2 110 32768 ?
Network Next Hop Metric LocPrf Weight Path
*> 4.4.4.4/32 10.0.4.2 110 32768 ?
*> 10.0.1.0/24 0.0.0.0 0 32768 ?
*> 10.0.2.0/24 0.0.0.0 0 32768 ?
*> 10.0.3.0/24 0.0.0.0 0 32768 ?
*> 10.0.4.0/24 0.0.0.0 0 32768 ?
*> 99.99.99.0/24 0.0.0.0 0 32768 ?
ISP#
ISP#show ip bgp vpnv4 vrf UP 1.1.1.0
% BGP cannot run because the router-id is not configured
BGP routing table entry for 123:1:1.1.1.0/24, version 10
Paths: (1 available, best #1, table UP)
Not advertised to any peer
Local
10.0.1.2 from 0.0.0.0 (0.0.0.0)
Origin incomplete, metric 99, localpref 100, weight 32768, valid, sourced, best
Extended Community: RT:123:1 Cost:pre-bestpath:128:156160
0x8800:32768:0 0x8801:1:130560 0x8802:65281:25600 0x8803:65281:1500
mpls labels in/out 18/nolabel
ISP#
ISP# ping vrf ALL 4.4.4.4 source loopback 99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 99.99.99.99
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms
ISP#
Ping from ISP vrf ALL to UP-LEFT's lo1 (vrf UP) failed
ISP# ping vrf ALL 1.1.1.1 source loopback 99
Packet sent with a source address of 99.99.99.99
.....
Success rate is 0 percent (0/5)
Route 99.99.99.0/24 is present in the VRF UP RIB (as a BGP route) but not in the EIGRP topology, so UP-LEFT never learns a return route to 99.99.99.99
ISP#sh ip route vrf UP
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/156160] via 10.0.1.2, 2d22h, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/156160] via 10.0.2.2, 2d22h, FastEthernet1/0
99.0.0.0/24 is subnetted, 1 subnets
B 99.99.99.0 is directly connected, 00:06:46, Loopback99
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.2.0 is directly connected, FastEthernet1/0
C 10.0.1.0 is directly connected, FastEthernet0/0
ISP#
Redistribute this network
ISP(config)#router eigrp 1
ISP(config-router)#address-family ipv4 vrf UP
ISP(config-router-af)#redistribute bgp 1 metric 1 1 1 1 1500
Check again
ISP# ping vrf ALL 1.1.1.1 source loopback 99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 99.99.99.99
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/18/24 ms
ISP#
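The route-target statements in the CustA/CustB snippet and in the UP/DOWN/ALL lab above decide which VRFs see each other's routes. The following added example (not part of the original page) parses those stanzas and lists the resulting route flows, so an unintended import between tenants shows up as a failed isolation check. Function names are illustrative, and only direct imports are modelled, which matches the lab output where UP's routes never appear in VRF DOWN.

```python
import re

# Constructed input: VRF stanzas copied from this page (lab VRFs, then CustA/CustB).
LAB = """
ip vrf UP
 rd 123:1
 route-target export 123:1
 route-target import 123:99
!
ip vrf DOWN
 rd 123:2
 route-target export 123:2
 route-target import 123:99
!
ip vrf ALL
 rd 123:99
 route-target export 123:99
 route-target import 123:1
 route-target import 123:2
"""
CUSTOMERS = """
vrf CustA
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
vrf CustB
 rd 65000:20
 route-target export 65000:20
 route-target import 65000:10
 route-target import 65000:20
"""

def parse_vrfs(config):
    """Return {vrf_name: {"export": set of RTs, "import": set of RTs}}."""
    vrfs, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"(?:ip )?vrf (\S+)$", line):
            cur = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        elif cur is None or line == "!":
            cur = None  # outside a VRF stanza: skip interface/router lines
        elif m := re.match(r"route-target (export|import|both) (\S+)$", line):
            for side in (("export", "import") if m.group(1) == "both" else (m.group(1),)):
                cur[side].add(m.group(2))
    return vrfs

def route_flows(vrfs):
    """(src, dst) pairs where dst imports an RT that src exports (direct import only)."""
    return {(s, d) for s in vrfs for d in vrfs
            if s != d and vrfs[s]["export"] & vrfs[d]["import"]}

def isolation_violations(vrfs, isolated_pairs):
    """Pairs that policy says must stay separate but exchange routes in either direction."""
    flows = route_flows(vrfs)
    return sorted(p for p in isolated_pairs if p in flows or p[::-1] in flows)
```

For the lab, `route_flows` shows routes moving only between ALL and each of UP and DOWN; for the CustA/CustB snippet it shows CustA's routes flowing one way into CustB.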