Inter-VRF Local Route Leaking using VRF-leak Agent


Introduction

The use of Virtual Routing and Forwarding (VRF) instances to segment a network is common practice. For traffic to pass between VRFs, a firewall is generally part of the design. However, there are situations where it is not desirable to place the traffic load between two VRFs on the firewall. This article provides a basic configuration that leaks routes from one VRF to another so that selected subnets can communicate directly, bypassing the firewall for those subnets only.

Platforms

EOS 4.22.0F and above

Description

The Inter-VRF local route leaking feature leaks routes from one VRF to another using a route map as the VRF-leak policy. For each destination VRF, one leak policy is configured per source VRF, and only routes permitted by that policy are leaked.

Use the router general command to configure the route maps that leak routes from one VRF to another. In the example below, routes in VRF “blue” that match route map “RM-ALL-ROUTES” are considered for leaking into VRF “red”, and routes in the default VRF that match route map “RM-DEFAULT-ROUTE-ONLY” are considered for leaking into VRF “red”. If two or more policies leak the same prefix into the same destination VRF, the route with the better (post-set-clause) distance and preference is chosen.

 

Configuration

Note: This feature is supported only in the multi-agent routing protocol model, so the following command must be configured. Changing the routing protocol model requires a device reboot to take effect.

switch(config)#service routing protocols model multi-agent

CLI configuration to build the layer 2 VLANs 60 and 70:

switch(config)#vlan 60,70
switch(config)#
switch(config)#show vlan id 60,70
VLAN  Name                             Status    Ports
----- -------------------------------- --------- -------------------------------
60    VLAN0060                         active    Po999
70    VLAN0070                         active    Po999

CLI configuration to build the VRF instances red and blue:

switch(config)#vrf instance blue
switch(config)#vrf instance red

CLI configuration to build the layer 3 VLAN interfaces (SVIs) for VLANs 60 and 70 and assign each to its VRF:

switch(config)#interface Vlan60
switch(config)#no autostate
switch(config)#vrf blue
switch(config)#ip address 60.60.60.2/24
switch(config)#
switch(config)#interface Vlan70
switch(config)#no autostate
switch(config)#vrf red
switch(config)#ip address 70.70.70.2/24
switch(config)#
switch(config)#show vrf
Maximum number of vrfs allowed: 14
  VRF         RD            Protocols     State                     Interfaces
----------- ------------- ------------- --------------------------- ---------------------------
  blue        <not set>     ipv4          v4:no routing,            Vlan60
                                          v6:no routing

  default     <not set>     ipv4,ipv6     v4:routing; multicast,    Ethernet49, Ethernet50,
                                          v6:no routing             Loopback0, Vlan10, Vlan4094

  red         <not set>     ipv4          v4:no routing,            Vlan70
                                          v6:no routing

CLI configuration to enable routing in VRF red and blue:

switch(config)#ip routing vrf red
switch(config)#ip routing vrf blue

CLI configuration to add a static default route in the default VRF:

switch(config)#ip route 0.0.0.0/0 10.10.10.1

CLI configuration to build a route-map to include all routes:

switch(config)#route-map RM-ALL-ROUTES permit 10

CLI configuration to build a route-map to include the default route:

switch(config)#ip prefix-list DEFAULT-ROUTE-ONLY seq 20 permit 0.0.0.0/0
switch(config)#
switch(config)#route-map RM-DEFAULT-ROUTE-ONLY permit 10
switch(config)#match ip address prefix-list DEFAULT-ROUTE-ONLY

CLI configuration to configure the route leak policy under the router general leak agent that will leak the default route from the default VRF and all routes from VRF “blue” into VRF “red”:

switch(config)#router general
switch(config)#vrf red
switch(config)#leak routes source-vrf default subscribe-policy RM-DEFAULT-ROUTE-ONLY
switch(config)#leak routes source-vrf blue subscribe-policy RM-ALL-ROUTES

Example of Complete Configuration

service routing protocols model multi-agent
!
vlan 60,70
!
vrf instance blue
!
vrf instance red
!
interface Vlan60
   no autostate
   vrf blue
   ip address 60.60.60.2/24
!
interface Vlan70
   no autostate
   vrf red
   ip address 70.70.70.2/24
!
ip routing vrf blue
ip routing vrf red
!
ip route 0.0.0.0/0 10.10.10.1
!
route-map RM-ALL-ROUTES permit 10
!
ip prefix-list DEFAULT-ROUTE-ONLY seq 20 permit 0.0.0.0/0
!
route-map RM-DEFAULT-ROUTE-ONLY permit 10
   match ip address prefix-list DEFAULT-ROUTE-ONLY
!
router general
   vrf red
      leak routes source-vrf default subscribe-policy RM-DEFAULT-ROUTE-ONLY
      leak routes source-vrf blue subscribe-policy RM-ALL-ROUTES

Verification

The output of show ip route vrf all confirms that the default route from the default VRF and the “C – connected” route 60.60.60.0/24 from VRF “blue” were installed in VRF “red” with the “L – VRF Leaked” flag. Each leaked entry is tagged with the VRF it was leaked from (source VRF) and the VRF used to forward the traffic (egress VRF).

switch#show ip route vrf all
VRF: default
Codes: C - connected, S - static, K - kernel,
       O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
       E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type2, B - BGP, B I - iBGP, B E - eBGP,
       R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
       O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
       NG - Nexthop Group Static Route, V - VXLAN Control Service,
       DH - DHCP client installed default route, M - Martian,
       DP - Dynamic Policy Route, L - VRF Leaked

Gateway of last resort:
 S        0.0.0.0/0 [1/0] via 10.10.10.1, Ethernet49

 C        1.1.1.1/32 is directly connected, Loopback1
 C        10.10.10.0/30 is directly connected, Ethernet49
 C        10.100.10.3/32 is directly connected, Loopback0
 C        10.225.10.0/24 is directly connected, Vlan10
 O        70.70.70.0/30 [110/20] via 10.10.10.1, Ethernet49


VRF: blue
Codes: C - connected, S - static, K - kernel,
       O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
       E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type2, B - BGP, B I - iBGP, B E - eBGP,
       R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
       O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
       NG - Nexthop Group Static Route, V - VXLAN Control Service,
       DH - DHCP client installed default route, M - Martian,
       DP - Dynamic Policy Route, L - VRF Leaked

Gateway of last resort is not set
 C        60.60.60.0/24 is directly connected, Vlan60


VRF: red
Codes: C - connected, S - static, K - kernel,
       O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
       E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type2, B - BGP, B I - iBGP, B E - eBGP,
       R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
       O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
       NG - Nexthop Group Static Route, V - VXLAN Control Service,
       DH - DHCP client installed default route, M - Martian,
       DP - Dynamic Policy Route, L - VRF Leaked

Gateway of last resort:
 S L      0.0.0.0/0 [1/0] (source VRF default) via 10.10.10.1, Ethernet49 (egress VRF default)
 C L      60.60.60.0/24 is directly connected (source VRF blue), Vlan60 (egress VRF blue)
 C        70.70.70.0/24 is directly connected, Vlan70
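The check below is an added example and is not part of the original article or Arista's own tooling. It parses the show ip route vrf all output from the Verification section into per-VRF route records, keeps the (source VRF …) and (egress VRF …) tags that EOS prints on leaked entries, and flags any leaked prefix that is not on an explicit allow-list of (destination VRF, source VRF, prefix). The same allow-list is then rendered as a scoped leak policy, one prefix-list and route map per source VRF, in place of the match-less RM-ALL-ROUTES policy from the Configuration section. The sample output and the allow-list are constructed from the article; the PL-LEAK-*/RM-LEAK-* names are this example's own convention.

```python
"""Audit Arista EOS VRF route leaks (added example, not from the article).

parse_routes() reads 'show ip route vrf all' text into Route records,
audit_leaks() flags leaked routes missing from an allow-list, and
render_leak_policy() turns that allow-list into a scoped leak policy.
"""
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the article's verification output.
SAMPLE_OUTPUT = """\
VRF: default
Codes: C - connected, S - static, K - kernel,
       DP - Dynamic Policy Route, L - VRF Leaked

Gateway of last resort:
 S        0.0.0.0/0 [1/0] via 10.10.10.1, Ethernet49

 C        10.10.10.0/30 is directly connected, Ethernet49
 C        10.225.10.0/24 is directly connected, Vlan10


VRF: blue
Gateway of last resort is not set
 C        60.60.60.0/24 is directly connected, Vlan60


VRF: red
Gateway of last resort:
 S L      0.0.0.0/0 [1/0] (source VRF default) via 10.10.10.1, Ethernet49 (egress VRF default)
 C L      60.60.60.0/24 is directly connected (source VRF blue), Vlan60 (egress VRF blue)
 C        70.70.70.0/24 is directly connected, Vlan70
"""

# Intended policy: (destination VRF, source VRF, prefix). Anything leaked
# outside this set is a segmentation hole that bypasses the inter-VRF firewall.
ALLOWED_LEAKS = {
    ("red", "default", "0.0.0.0/0"),
    ("red", "blue", "60.60.60.0/24"),
}

VRF_RE = re.compile(r"^VRF:\s+(\S+)\s*$")
# Route code column ('C', 'S L', 'B I', ...) followed by an IPv4 prefix.
ROUTE_RE = re.compile(
    r"^\s*(?P<codes>[A-Z][A-Z0-9 ]*?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Route:
    vrf: str          # VRF whose table the route was printed in
    codes: tuple      # route code flags, e.g. ('S', 'L')
    prefix: str
    source_vrf: str   # VRF the route was leaked from (== vrf if not leaked)
    egress_vrf: str   # VRF used for forwarding (== vrf if not leaked)

    @property
    def leaked(self) -> bool:
        return "L" in self.codes


def parse_routes(text: str) -> list:
    """Parse 'show ip route vrf all' output into Route records."""
    routes, vrf = [], None
    for line in text.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf = m.group(1)
            continue
        m = ROUTE_RE.match(line)
        if not m or vrf is None:   # skips 'Codes:' and 'Gateway' lines
            continue
        rest = m.group("rest")
        src = re.search(r"\(source VRF (\S+)\)", rest)
        egr = re.search(r"\(egress VRF (\S+)\)", rest)
        routes.append(Route(vrf=vrf, codes=tuple(m.group("codes").split()),
                            prefix=m.group("prefix"),
                            source_vrf=src.group(1) if src else vrf,
                            egress_vrf=egr.group(1) if egr else vrf))
    return routes


def audit_leaks(routes: list, allowed: set) -> list:
    """Return leaked routes whose (vrf, source_vrf, prefix) is not allow-listed."""
    return [r for r in routes
            if r.leaked and (r.vrf, r.source_vrf, r.prefix) not in allowed]


def render_leak_policy(dest_vrf: str, allowed: set) -> str:
    """Render EOS config that leaks only the allow-listed prefixes into dest_vrf.

    Prefix-list entries are exact-length matches, so '0.0.0.0/0' admits the
    default route only, as in the article's DEFAULT-ROUTE-ONLY list.
    """
    by_source = {}
    for vrf, src, prefix in sorted(allowed):
        if vrf == dest_vrf:
            by_source.setdefault(src, []).append(prefix)
    lines = []
    for src, prefixes in by_source.items():
        tag = f"{src.upper()}-TO-{dest_vrf.upper()}"
        for seq, prefix in enumerate(prefixes, start=1):
            lines.append(f"ip prefix-list PL-LEAK-{tag} seq {seq * 10} permit {prefix}")
        lines += [f"route-map RM-LEAK-{tag} permit 10",
                  f"   match ip address prefix-list PL-LEAK-{tag}", "!"]
    lines += ["router general", f"   vrf {dest_vrf}"]
    for src in by_source:
        tag = f"{src.upper()}-TO-{dest_vrf.upper()}"
        lines.append(f"      leak routes source-vrf {src} subscribe-policy RM-LEAK-{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_OUTPUT)
    for r in audit_leaks(routes, ALLOWED_LEAKS):
        print(f"UNEXPECTED LEAK: {r.prefix} from {r.source_vrf} into {r.vrf}")
    print(render_leak_policy("red", ALLOWED_LEAKS))
```

Running the script against the article's output reports no unexpected leaks, because both leaked entries are on the allow-list; shrinking ALLOWED_LEAKS to the default route alone makes it report 60.60.60.0/24 from blue, which is exactly the kind of drift a match-less route map invites when new subnets are added to the source VRF.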

Important Notes

  • Additional route leak policies under the router general leak agent can be created to leak routes from VRF “red” into VRF “blue” and/or the default VRF.
  • Prefixes that are leaked are not re-exported to the leak agent from the target VRF.
  • A minimum of EOS 4.22.0F is recommended for this feature.
  • Leaking is one-directional. With the configuration above, VRF “red” has a route to 60.60.60.0/24, but the table for VRF “blue” contains only its connected 60.60.60.0/24, so return traffic from blue to 70.70.70.0/24 is dropped until a matching policy leaking from “red” into “blue” is added.
  • Every leaked prefix bypasses whatever inspection the inter-VRF firewall provides. Scope each subscribe-policy with a prefix-list (as RM-DEFAULT-ROUTE-ONLY does) rather than a match-less route map such as RM-ALL-ROUTES, unless every current and future prefix in the source VRF is meant to be reachable from the target VRF, and confirm the result with show ip route vrf all after each change.

Additional Resource

The linked EOS article provides information on inter-VRF route leaking locally from one VRF into another on the same device by exporting routes from a VRF to the local VPN table using Route Target extended community list and then importing those Route Target extended community lists from the local VPN table in the target VRF. https://eos.arista.com/eos-4-21-3f/inter-vrf-local-route-leaking/
