
Route leaking between vpn-instance and the global route table

 
MartiBarber
Occasional Contributor


Hi, 

 

Anyone know if it is possible to route-leak between a vpn-instance and the global route table? This seems to be possible on Cisco equipment using an import map... but I can't find the equivalent configuration in Comware...

 

There doesn't seem to be a way to reference the global route table in a vpn-target (I guess it is not a VPN by definition).

 

Any ideas?

 

Thanks,

-marti-

11 REPLIES 11
Peter_Debruyne
Honored Contributor
Solution

Re: Route leaking between vpn-instance and the global route table

Hi,

 

Yes, this is possible, either static or dynamic (using local MBGP).

static example:

ip vpn-instance customerA
 route-distinguisher 65000:1

# create static route inside VRF, pointing to a nexthop in the public routing table
ip route-static vpn-instance customerA 0.0.0.0 0 192.168.1.1 public

# create static route inside public routing table, pointing to a nexthop in a VRF
ip route-static 10.1.0.0 16 vpn-instance customerA 10.1.1.1

Above CLI is based on a cmw7 device; cmw5 may be slightly different (but the concept should be the same).

 

I do not have a ready example for the dynamic exchange using route targets, but I have done this some years ago and it worked.

 

Best regards, Peter.

MartiBarber
Occasional Contributor

Re: Route leaking between vpn-instance and the global route table

Thanks Peter, what I was missing was the "public" keyword on the first route.

 

 

Juseq
Occasional Visitor

Re: Route leaking between vpn-instance and the global route table

Hi!

Sorry to bump an old thread, but this is quite relevant to the topic. Has someone configured this statically with CMW5? Trying to leak routes inside an A-MSR930.

First route is applied successfully:

 ip route-static vpn-instance TEST1 0.0.0.0 0.0.0.0 10.220.1.5 public

Appears normally in the routing table:

 0.0.0.0/0           Static 60   0            10.220.1.5      GE0/0

 

While trying to route from public to vpn-instance:

[MSR930_VRFTEST]ip route-static 10.201.1.0 24 vpn-instance TEST1 10.201.1.1
Error: Invalid Nexthop Address

I haven't had the chance to test this on a CMW7 device yet to determine if my design is feasible. Maybe the problem here is that the public routing table doesn't know about the 10.201.1.1 - network. But shouldn't this be achieved through route leaking?

Mike_ES
Valued Contributor

Re: Route leaking between vpn-instance and the global route table

Hi,

Your entry:

ip route-static 10.201.1.0 24 vpn-instance TEST1 10.201.1.1

is not correct.

You are trying to add a route to the network which is the same as your VPN-INSTANCE TEST1 next-hop scope.

Br,

Mike

Juseq
Occasional Visitor

Re: Route leaking between vpn-instance and the global route table

Hi,

Not sure if I understood your comment as you meant it. The next hop address is indeed in the TEST1 vrf. The address 10.201.1.1 is in a loopback-interface that is bound to the vpn-instance TEST1 that I'd like to use for management. Other VRFs I'm using I have bound to various VLAN-interfaces.

I'd like to get a route to these networks in the public routing table.

I'll try to post tomorrow a topology pic and my test config but I'll explain the matter beforehand. Some of the VRFs should be routed to our firewall (separate clients/restricted networks) and others to our core routers (internal networks). I'm trying to get all of the VRF-subnets to the public routing table, thus the next hop in the TEST1 vrf.

The 10.220.0.0 - network is used here between routers and on the firewall. The 0-routes inside the VRFs would point either to the firewall or the core in the 10.220.0.0-network depending on the role of the network.

Should this be possible? I think this could be achieved also through PBR by altering the next-hop address by the source address. The limitation in this scenario is that the core doesn't support VRFing, being a Procurve device. Otherwise I presume it would be sensible to implement a full MPLS solution instead of VRF-lite.

Thank you for your input.

Juseq
Occasional Visitor

Re: Route leaking between vpn-instance and the global route table

Replying to myself and if someone else stumbles across this;

In my scenario I did this by using MBGP and route-policies to filter the BGP routes.

Cisco had a document stating that Inter-VRF static routing isn't supported (though there are ways to bypass and make it work). Don't know if this is the case with Comware-devices, but CMW5 didn't seem to accept the routing as I'd assume from the examples. Still haven't had a chance to try this on a CMW7 device.

drolfe
Valued Contributor

Re: Route leaking between vpn-instance and the global route table

Hi,

I've tried this on an HP 5900AF Comware7 switch.

I can't get the client nets vlan to ping no matter what I try.

Can anyone see the issue?

[HP-5900-Stack-vpn-instance-Client-Nets]dis this
#
ip vpn-instance Client-Nets
route-distinguisher 100:1
#
return
[HP-5900-Stack-vpn-instance-Client-Nets]

ip route-static 10.10.10.0 24 vpn-instance Client-Nets 10.10.10.1
ip route-static vpn-instance Client-Nets 0.0.0.0 0 192.168.10.1 public
[HP-5900-Stack]dis cur int vlan 100
#
interface Vlan-interface100
ip binding vpn-instance Client-Nets
ip address 10.10.10.1 255.255.255.0
#
return
[HP-5900-Stack]
[HP-5900-Stack]dis int vlan 100
Vlan-interface100
Current state: UP
Line protocol state: UP
Description: Vlan-interface100 Interface
Bandwidth: 10000000kbps
Maximum Transmit Unit: 1500
Internet Address is 10.10.10.1/24 Primary
Krasimir_Ivanov
Regular Visitor

Re: Route leaking between vpn-instance and the global route table

Hi,

The problem is that the next hop IP address for the 10.10.10.0/24 subnet is a local IP address. The static route should point to a neighbouring device instead of to the same box itself. In your scenario, to have proper route leaking you should configure that on the upstream device which has an L3 interface in the VLAN 100 broadcast domain.

You can try this on Comware7 simulator:


SVI 100             .2                      .1        Lo 0
10.10.10.1/24 --SW1 ----- 192.168.0.0/24 ----- SW2 -- 1.1.1.1/32
                 |                             route 10.10.10.0/24 to 192.168.0.2
                 |
          Access Vlan100
                 |
                SW3
                 |
          10.10.10.30/24
   route 0.0.0.0/0 to 10.10.10.1


[SW1]display current-configuration | i static
ip route-static 10.10.10.0 24 vpn-instance Client-Nets 10.10.10.1
ip route-static vpn-instance Client-Nets 0.0.0.0 0 192.168.10.1 public

 

[SW1]display ip routing-table 10.10.10.0 24 

###--- No entry in the RIB ---###

 

[SW1]undo ip route-static 10.10.10.0 24
[SW1]ip route-static 10.10.10.0 24 vpn-instance Client-Nets 10.10.10.30

 


[SW1]display current-configuration | i static
ip route-static 10.10.10.0 24 vpn-instance Client-Nets 10.10.10.30
ip route-static vpn-instance Client-Nets 0.0.0.0 0 192.168.10.1 public

 

[SW1]display ip routing-table 10.10.10.0 24

Summary Count : 1

Destination/Mask   Proto   Pre Cost        NextHop         Interface
10.10.10.0/24      Static  60  0           10.10.10.30     Vlan100

 


[SW1]display fib 10.10.10.0 24

Destination count: 1 FIB entry count: 1

Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay F:FRR

Destination/Mask   Nexthop         Flag     OutInterface/Token       Label
10.10.10.0/24      10.10.10.30     USGR     Vlan100                  Null

 

<SW3>ping 1.1.1.1
Ping 1.1.1.1 (1.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 1.1.1.1: icmp_seq=0 ttl=254 time=7.464 ms
56 bytes from 1.1.1.1: icmp_seq=1 ttl=254 time=2.721 ms
56 bytes from 1.1.1.1: icmp_seq=2 ttl=254 time=4.410 ms
56 bytes from 1.1.1.1: icmp_seq=3 ttl=254 time=2.739 ms
56 bytes from 1.1.1.1: icmp_seq=4 ttl=254 time=2.863 ms
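
An added example, not part of the thread and not HPE code: a Python audit that lists every static route in a Comware configuration whose next hop is resolved in a different table than the route itself, i.e. each point where a vpn-instance boundary is crossed, and marks the local-next-hop case described in the post above. The sample input is the configuration posted earlier in the thread; the function names are hypothetical and only the two `ip route-static` forms shown on this page are parsed.

```python
import ipaddress
import re

# Constructed sample: the configuration drolfe posted in the thread above.
SAMPLE_CONFIG = """\
interface Vlan-interface100
 ip binding vpn-instance Client-Nets
 ip address 10.10.10.1 255.255.255.0
#
ip route-static 10.10.10.0 24 vpn-instance Client-Nets 10.10.10.1
ip route-static vpn-instance Client-Nets 0.0.0.0 0 192.168.10.1 public
"""

# Only the two ip route-static forms shown in this thread are recognised (assumption).
ROUTE_RE = re.compile(
    r"^ip route-static(?: vpn-instance (?P<src>\S+))? (?P<dest>\S+) (?P<mask>\S+)"
    r"(?: vpn-instance (?P<nh_vrf>\S+))? (?P<nh>\d+\.\d+\.\d+\.\d+)(?P<public> public)?$")

def local_addresses(config):
    """Map each interface IP to its bound vpn-instance (None = public table)."""
    addrs, vrf = {}, None
    for line in map(str.strip, config.splitlines()):
        if line == "#" or line.startswith("interface "):
            vrf = None
        elif line.startswith("ip binding vpn-instance "):
            vrf = line.split()[-1]
        elif m := re.match(r"ip address (\S+) \S+", line):
            addrs[m.group(1)] = vrf
    return addrs

def audit_leaks(config):
    """List (route table, prefix, next-hop table, next hop, note) for each leak."""
    local, findings = local_addresses(config), []
    for line in map(str.strip, config.splitlines()):
        m = ROUTE_RE.match(line)
        if not m:
            continue
        src = m["src"] or "public"
        nh_table = "public" if m["public"] else (m["nh_vrf"] or src)
        if nh_table == src:
            continue  # next hop resolved in the route's own table: no leak
        prefix = ipaddress.ip_network(f"{m['dest']}/{m['mask']}", strict=False)
        note = "local next hop" if m["nh"] in local else "remote next hop"
        findings.append((src, str(prefix), nh_table, m["nh"], note))
    return findings

if __name__ == "__main__":
    for finding in audit_leaks(SAMPLE_CONFIG):
        print(finding)
```

Every row it returns is a deliberate hole in the separation between routing tables, so the list is worth comparing against the leaks that were actually intended, such as the firewall-bound default routes discussed earlier in the thread.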

 

 

 

 

Krasimir_Ivanov
Regular Visitor

Re: Route leaking between vpn-instance and the global route table


@Juseq wrote:

Replying to myself and if someone else stumbles across this;

In my scenario I did this by using MBGP and route-policies to filter the BGP routes.

Cisco had a document stating that Inter-VRF static routing isn't supported (though there are ways to bypass and make it work). Don't know if this is the case with Comware-devices, but CMW5 didn't seem to accept the routing as I'd assume from the examples. Still haven't had a chance to try this on a CMW7 device.


Route leaking should be configured on a transit device. Just one remark. Haven't tried on Comware5 but it has to work like on Comware7. You can check an example above.

BTW, Cisco CLI looks like this:

!--- Static route in the VRF instance. Next hop is a neighbour device ---
ip route vrf <vrf name> <destination subnet> <mask> <next hop IP address> global

!--- And reverse static route in the global routing table ---
ip route <destination subnet> <mask> <interface name> <next hop IP address>

!--- Interface name is the interface belonging to the corresponding VRF you are routing to ---