Configure Route Leak Between Global and VRF Routing Table without Next-Hop

Introduction

This document describes how to generate a route leak between Global Routing (GRT) and Virtual Routing Forwarding (VRF) without the use of Next-hop.

Prerequisites

Requirements

Cisco recommends knowledge of these topics:

• Basic IP routing
• Open Shortest Path First (OSPF) routing protocol concepts and terms

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Route leaking between Global Routing Table (GRT) and Virtual Routing and Forwarding (VRF) table is facilitated with the use of static routes. Either method provides the next-hop IP address (for multi-access segment) or points the route out of an interface (point-to-point interface). However, a static route cannot be used in the absence of a next-hop IP address on a multi-access segment.

Network Diagram

This article refers to this network diagram throughout this process.

BGP Support for IP Prefix Import

Global IPv4 unicast or multicast prefixes are defined as matched criteria for the import route map by the standard Cisco mechanisms like an IP access-list or an IP prefix-list:

access-list 50 permit 10.10.1.0 0.0.0.255
or
ip prefix-list GLOBAL permit 10.10.1.0/24

The IP prefixes that are defined for import and then are processed through a match clause in a route map. IP prefixes that pass through the route map are imported into the VRF:

route-map GLOBAL_TO_VRF permit 10 
 match ip address 50
 or
 match ip address prefix-list GLOBAL
!
ip vrf RED
 rd 1:1
 import ipv4 unicast mapGLOBAL_TO_VRF 
!
ip route 10.10.3.0 255.255.255.0 Vlan900

This method requires you use Border Gateway Protocol (BGP) with VRF lite. This method does not work for all scenarios.

Policy Based Routing (PBR)

PBR can be used to leak routes between GRT and VRF. This is a sample configuration where a route leaking from global routing table to VRF is shown:

ip vrf RED
 rd 1:1
!
interface Vlan100
 description GLOBAL_INTERFACE
 ip address 10.10.1.254 255.255.255.0
!
access-list 101 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
!
route-map VRF_TO_GLOBAL permit 10
 match ip address 101
set global
!
interface Vlan900
 description VRF_RED
 ip vrf forwarding RED
 ip address 10.10.3.254 255.255.255.0
ip policy route-map VRF_TO_GLOBAL

This works well for high-end devices like the 6500 switch, but it is not supported for devices like 3750. It is a platform limitation as in the error message like:

3750X(config)#int vlan 900
3750X(config-if)#ip policy route-map VRF_TO_GLOBAL
3750X(config-if)#
Mar 30 02:02:48.758: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map VRF_TO_GLOBAL not supported for Policy-Based Routing

VRF Receive

You can use VRF Receive feature to insert the connected GRT subnet as a connected route entry in the VRF routing table:

ip vrf RED
 rd 1:1
!
interface Vlan100
 description GLOBAL_INTERFACE
ip vrf select source
ip vrf receive RED
 ip address 10.10.1.254 255.255.255.0
end
!
interface Vlan900
 description VRF_RED
 ip vrf forwarding RED
 ip address 10.10.3.254 255.255.255.0
end
!
ip route 10.10.3.0 255.255.255.0 Vlan900

 

3750X#show ip route vrf RED

Routing Table: RED

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.10.3.0/24 is directly connected, Vlan900
L        10.10.3.254/32 is directly connected, Vlan900
C        10.10.1.0/24 is directly connected, Vlan100
L        10.10.1.254/32 is directly connected, Vlan100

3750X#ping 10.10.3.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

3750X#show ip arp vrf RED vlan 900
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.3.254             -   d072.dc36.7fc2  ARPA   Vlan900
Internet  10.10.3.1               0   c84c.751f.26f0  ARPA   Vlan900

Note: There is no procedure with this configuration for verification or to troubleshoot possible issues.