PDF(152.2 KB) View with Adobe Reader on a variety of devices
ePub(102.9 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(91.3 KB) View on Kindle device or Kindle app on multiple devices
Updated:July 13, 2022
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to generate a route leak without the use of Next-hop between Global Routing (GRT) and Virtual Routing Forwarding (VRF).
Cisco recommends knowledge of these topics:
Basic IP routing
Open Shortest Path First (OSPF) routing protocol concepts and terms
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Route leaking between Global Routing Table (GRT) and Virtual Routing and Forwarding (VRF) table is facilitated with the use of static routes. Either method provides the next-hop IP address (for multi-access segment) or points the route out of an interface (point-to-point interface). However, a static route cannot be used in the absence of a next-hop IP address on a multi-access segment.
This article refers to this network diagram throughout this process.
BGP Support for IP Prefix Import
Global IPv4 unicast or multicast prefixes are defined as matched criteria for the import route map by the standard Cisco mechanisms like an IP access-list or an IP prefix-list:
access-list 50 permit 10.10.1.0 0.0.0.255 or ip prefix-list GLOBAL permit 10.10.1.0/24
The IP prefixes that are defined for import and then are processed through a match clause in a route map. IP prefixes that pass through the route map are imported into the VRF:
route-mapGLOBAL_TO_VRFpermit 10 matchipaddress50 or match ip address prefix-list GLOBAL ! ip vrf RED rd 1:1 importipv4unicast mapGLOBAL_TO_VRF ! ip route 10.10.3.0 255.255.255.0 Vlan900
This method requires you use Border Gateway Protocol (BGP) with VRF lite. This method does not work for all scenarios.
Policy Based Routing (PBR)
PBR can be used to leak routes between GRT and VRF. This is a sample configuration where a route leaking from global routing table to VRF is shown:
ip vrf RED rd 1:1 ! interface Vlan100 description GLOBAL_INTERFACE ip address 10.10.1.254 255.255.255.0 ! access-list 101 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 ! route-map VRF_TO_GLOBAL permit 10 match ip address 101 set global ! interface Vlan900 description VRF_RED ip vrf forwarding RED ip address 10.10.3.254 255.255.255.0 ip policy route-map VRF_TO_GLOBAL
This works well for high end devices like the 6500 switch, but it is not supported for devices like 3750. It is a platform limitation as in the error message like:
3750X(config)#int vlan 900 3750X(config-if)#ip policy route-map VRF_TO_GLOBAL 3750X(config-if)# Mar 30 02:02:48.758: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map VRF_TO_GLOBAL not supported for Policy-Based Routing
You can use VRF Receive feature to insert the connected GRT subnet as a connected route entry in the VRF routing table:
ip vrf RED rd 1:1 ! interface Vlan100 description GLOBAL_INTERFACE ip vrf select source ip vrf receive RED ip address 10.10.1.254 255.255.255.0 end ! interface Vlan900 description VRF_RED ip vrf forwarding RED ip address 10.10.3.254 255.255.255.0 end ! ip route 10.10.3.0 255.255.255.0 Vlan900
3750X#show ip route vrf RED
Routing Table: RED
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks C 10.10.3.0/24 is directly connected, Vlan900 L 10.10.3.254/32 is directly connected, Vlan900 C 10.10.1.0/24 is directly connected, Vlan100 L 10.10.1.254/32 is directly connected, Vlan100
3750X#ping 10.10.3.1 source vlan 100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.1, timeout is 2 seconds: Packet sent with a source address of 10.10.1.254 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
3750X#show ip arp vrf RED vlan 900 Protocol Address Age (min) Hardware Addr Type Interface Internet 10.10.3.254 - d072.dc36.7fc2 ARPA Vlan900 Internet 10.10.3.1 0 c84c.751f.26f0 ARPA Vlan900
Note: There is no procedure with this configuration for verification or to troubleshoot possible issues.