Route Leaks in MPLS (VPN) Networks

Let's have a look on two configuration examples:

Route Leaking from a Global Routing Table into a VRF and Route Leaking from a VRF into a Global Routing Table

This configuration describes route leaking from a global routing table into a VRF and route leaking from a VRF into a global routing table:

BGP leaks

In this example, a Network Management System (NMS) station located in a VRF is accessed from the global routing table. The provider edge (PE) routers and provider (P) routers have to export the netflow information to an NMS station (10.0.2.2) in a VRF. 10.0.2.2 is reachable via a VRF interface on PE-4.

To access 10.0.2.0/30 from the global table, a static route to 10.0.2.0/30 that points out of the VRF interface is introduced on the PE-4. This static route is then redistributed via Interior Gateway Protocol (IGP) to all PE and P routers. This ensures that all PE and P routers can reach 10.0.2.0/30 via PE-4.

A static VRF route is also added. The static VRF route points to the subnet in the global network that sends the traffic to this NMS station. Without this addition, the PE-4 drops traffic, from the NMS station, that is received on the VRF interface; and the PE-4 sends the ICMP: host unreachable rcv message to the NMS station.

This section uses this configuration:

PE-4
!
ip cef
!
ip vrf vpn2
rd 200:1
route-target export 200:1
route-target import 200:1
!
interface Serial1/0
ip address 10.1.2.5 255.255.255.252
no ip directed-broadcast
!
interface Serial2/0
ip vrf forwarding vpn2
ip address 10.0.2.1 255.255.255.0
no ip directed-broadcast
!
ip classless
ip route 10.0.2.0 255.255.255.252 Serial2/0
ip route vrf vpn2 10.1.2.4 255.255.255.252 Serial1/0
!

The static routes can now be redistributed into any IGP to be announced network-wide. The same applies if the VRF interface is a LAN interface (for example, Ethernet). The exact configuration command for that is:

ip route 10.0.2.0 255.255.255.252 Ethernet2/0 10.0.2.2

Note: The IP address configured after the interface name is only used by Address Resolution Protocol (ARP), to know what address to resolve.

Note: For 4500 series switches, you must configure static ARP entries in the VRF tables for the respective next hop addresses.

Note: By default, Cisco IOS® software accepts static VRF routes as configured. This might compromise security because it might introduce route leaking between different VRFs. You can use the no ip route static inter-vrf command to prevent the installation of such static VRF routes.

Verify

This section provides information to confirm that your configuration is working properly.

Certain show commands allows you to view an analysis of show command output.

  • show ip route 10.0.2.0—Displays a specified IP address routing entry.

  • show ip route vrf vpn2 10.1.2.4—Displays a specified IP address VRF routing entry.

PE-4# show ip route 10.0.2.0

Routing entry for 10.0.2.0/30
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Serial2/0
Route metric is 0, traffic share count is 1

PE-4# show ip route vrf vpn2 10.1.2.4

Routing entry for 10.1.2.4/30
Known via "static", distance 1, metric 0 (connected)
Redistributing via bgp 1
Advertised by bgp 1
Routing Descriptor Blocks:
* directly connected, via Serial1/0
Route metric is 0, traffic share count is 1

Route Leaking Between Different VRFs

This configuration describes route leaking between different VRFs:

BGP hijacking

You can not configure two static routes to advertise each prefix between the VRFs, because this method is not supported—packets will not be routed by the router. To achieve route leaking between VRFs, you must use the import functionality of route-target and enable Border Gateway Protocol (BGP) on the router. No BGP neighbor is required.
PE-4
!
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 route-target import 200:1
!
ip vrf vpn2
 rd 200:1
 route-target export 200:1
 route-target import 200:1
 route-target import 100:1
!
interface Serial1/0
 ip vrf forwarding vpn1
 ip address 10.1.2.5 255.255.255.252
 no ip directed-broadcast
!
interface Serial2/0
 ip vrf forwarding vpn2
 ip address 10.0.2.1 255.255.255.0
 no ip directed-broadcast
router bgp 1
!
address-family ipv4 vrf vpn2
 redistribute connected
 !
address-family ipv4 vrf vpn1
 redistribute connected
!

Verify

This section provides information to troubleshoot your configuration.

Certain show commands allows you to view an analysis of show command output.

  • show ip bgp vpnv4 all—Displays all VPNv4 prefixes that are learned via BGP.

PE-4# show ip bgp vpnv4 all

BGP table version is 13, local router ID is 7.0.0.4
Status codes: s suppressed, d damped, h history, * valid,
> best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf vpn1)
*> 10.0.2.0/24 0.0.0.0 0 32768 ?
*> 10.1.2.4/30 0.0.0.0 0 32768 ?
Route Distinguisher: 200:1 (default for vrf vpn2)
*> 10.0.2.0/24 0.0.0.0 0 32768 ?
*> 10.1.2.4/30 0.0.0.0 0 32768 ?

Note: The other way of leaking routes between VRFs is to connect together two Ethernet interfaces on the PE-4 router and associate each Ethernet interface with one of the VRFs. You also must configure static ARP entries in the VRF tables for the respective next hop addresses. However, this is not a recommended solution for route leaking between VRFs; the previously described BGP technique is the recommended solution.

Troubleshooting IP Routing

There is currently no specific troubleshooting information available for this configuration.