Moving routes between a VRF and the global (default) RIB – Part 1 – Cisco IOS

Part 1 – Cisco IOS
Part 2 – Brocade Netiron
Part 3 – Juniper Junos

I don’t think there is a standard name for the initial route-table on a router. Junos calls it inet.0, Netiron has no name, and it’s also the no-name VRF in IOS. I’ll simply be calling it the ‘global’ table for these and all future posts.

It’s easy to share routes between VRFs by manipulating route-targets. It’s not so easy when you try to do this with the global table as there are no route-targets associated with the global RIB. While there is a standard for moving routes between named VRFs, there is no such standard for moving routes in and out of the global table in this way.

As there is no standard, all three vendors take different approaches to doing this.

You can do this via static routes, but this is less than ideal. What happens if the CE device is multihomed to two different PE devices? I want to be able to import/export dynamic routes.

Let’s take the following diagram as an example:

R6 is a CE device. It is multihomed to two PE routers, R4 and R5. R1 is acting as a server connected to R2. This server is not in a VRF, i.e. all routers in the core are able to get to R1 as it’s simply an address in the global IGP table.

This particular server is running a service that the customer needs to get to. They should only be able to get to R1 via 6.6.6.6, its loopback address. Essentially we need the PEs to leak the dynamically learned 6.6.6.6/32 from the VRF into the global table. At the same time we need to leak R1’s address into the VRF.

Copying global routes to VRF

First, let’s check the VRF route-table on R4 to make sure we don’t have any global routes in the vrf yet. R1’s address is 10.0.12.1/24:

R4#sh ip route vrf CUS1 | beg Gate
Gateway of last resort is not set

      6.0.0.0/32 is subnetted, 1 subnets
B        6.6.6.6 [20/0] via 10.0.46.6, 00:00:31
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.46.0/24 is directly connected, FastEthernet1/1
L        10.0.46.4/32 is directly connected, FastEthernet1/1

You’ve been able to do this on IOS for some time. Under the ipv4 address family of your vrf definition, use import ipv4 unicast map followed by the route-map name:

ip prefix-list ISP_SERVER seq 5 permit 10.0.12.0/24
!
route-map MAP_ISP_SERVER permit 10
 match ip address prefix-list ISP_SERVER
!
vrf definition CUS1
 !
 address-family ipv4
  import ipv4 unicast map MAP_ISP_SERVER

Do we see the routes in the VRF?

R4#sh ip route vrf CUS1 10.0.12.0

Routing Table: CUS1
% Subnet not in table

No. Why not? If you read the command reference, the import command belongs to the ‘BGP Support for IP Prefix Import from Global Table into a VRF Table’ feature. R1’s address is not currently a BGP route, it’s an internal IGP route. We need to ensure the PEs see this route as a BGP route. Note that the BGP route itself doesn’t need to be active, it just needs to be in the BGP table and valid. On R2 I’m running regular ipv4 unicast BGP and will advertise that subnet into BGP:

R2#sh run | sec router bgp
router bgp 100
!
 address-family ipv4
  network 10.0.12.0 mask 255.255.255.0

That global route should now be imported into the vrf:

R4#sh ip route vrf CUS1 10.0.12.0

Routing Table: CUS1
Routing entry for 10.0.12.0/24
  Known via "bgp 100", distance 200, metric 0, type internal
  Last update from 2.2.2.2 00:00:35 ago
  Routing Descriptor Blocks:
  * 2.2.2.2 (default), from 2.2.2.2, 00:00:35 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none

Note that this command has been with us since IOS release 12.0(5)T.

Copying VRF routes to global

Copying routes this way was a LOT more tricky, until very recently. Cisco has finally given us the export ipv4 unicast map command. This command has only existed from IOS release 15.2(4)S, a very recent release. Odd since the import command has existed for many years.

The use of this command is very similar to the import. Let’s match R6’s loopback via a prefix-list, match that in a route-map, and export from the vrf to the global through the vrf definition:

ip prefix-list CUS1_PREFIX seq 5 permit 6.6.6.6/32
!
route-map MAP_CUS1_PREFIX permit 10
 match ip address prefix-list CUS1_PREFIX
!
vrf definition CUS1
 !
 address-family ipv4
  export ipv4 unicast map MAP_CUS1_PREFIX

Just like the import command, this command exports the route into the global BGP table. This means I could either redistribute the BGP route into my IGP, or use the existing BGP session I have with R2. Let’s check on R2 to see if I have R6’s loopback:

R2#sh ip route 6.6.6.6
% Network not in table

It’s not there. But is it in my BGP table?

R2#show ip bgp 6.6.6.6
BGP routing table entry for 6.6.6.6/32, version 6
Paths: (1 available, no best path)
  Not advertised to any peer
  Refresh Epoch 1
  6
    10.0.46.6 (inaccessible) from 4.4.4.4 (4.4.4.4)
      Origin IGP, metric 0, localpref 100, valid, internal
      rx pathid: 0, tx pathid: 0

It’s there, but the next-hop is inaccessible. R4 is treating this as a regular eBGP update and so does not change the next-hop to itself as it would with a VPNv4 route. This can be easily fixed:

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#router bgp 100
R4(config-router)#address-family ipv4 unicast
R4(config-router-af)#neighbor 2.2.2.2 next-hop-self

We should now see the valid route on R2:

R2#show ip bgp 6.6.6.6
BGP routing table entry for 6.6.6.6/32, version 7
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  6
    4.4.4.4 (metric 3) from 4.4.4.4 (4.4.4.4)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      rx pathid: 0, tx pathid: 0x0

Verification

So at the end of all of this, R6 should be able to ping R1’s interface, but only if it sources the ping from 6.6.6.6. Let’s confirm this:

CUSTOMER#ping 10.0.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CUSTOMER#ping 10.0.12.1 source 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.1, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/93/112 ms

Which is exactly what we see.

Final Notes

With IOS, in order to move routes between the global and vrf tables, you need to invoke the import [ipv6|ipv4] unicast command. There is another import map command under the vrf, but that command does NOT move routes between the vrf and global. That command is there to have finer control of which vrf routes are imported/exported between MP-BGP and the vrf.

The export ipv4/ipv6 unicast command is only a very recent command, but at least supports both address families. The import command has been around for years, yet oddly does not support ipv6:

R4#sh ver | include IOS
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S2, RELEASE SOFTWARE

R4(config-vrf)#address-family ipv4

R4(config-vrf-af)#export ?
  ipv4  Address family based VRF export
  map   Route-map based VRF export

R4(config-vrf-af)#import ?
  ipv4  Address family based VRF import
  map   Route-map based VRF import


R4(config-vrf-af)#address-family ipv6
R4(config-vrf-af)#export ?
  ipv6  Address family based VRF export
  map   Route-map based VRF export

R4(config-vrf-af)#import ?
  map  Route-map based VRF import
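
The leak statements above open a path between the customer VRF and the global table, so every route-map they reference should be tightly scoped. The following is an added example, not part of the original post or any Cisco tooling: a small Python audit that finds import/export ipv4 unicast map lines in a saved configuration, skips the plain import/export map commands described in the final notes, and flags undefined or broad policies. The LAB VRF, the ANY, MAP_ANY and MAP_MISSING names and the min_len threshold are assumptions made up for the illustration.

```python
import ipaddress
import re

# Constructed sample: the article's CUS1 config plus a hypothetical, too-broad VRF "LAB".
SAMPLE = """\
ip prefix-list ISP_SERVER seq 5 permit 10.0.12.0/24
ip prefix-list CUS1_PREFIX seq 5 permit 6.6.6.6/32
ip prefix-list ANY seq 5 permit 0.0.0.0/0 le 32
route-map MAP_ISP_SERVER permit 10
 match ip address prefix-list ISP_SERVER
route-map MAP_CUS1_PREFIX permit 10
 match ip address prefix-list CUS1_PREFIX
route-map MAP_ANY permit 10
 match ip address prefix-list ANY
vrf definition CUS1
 address-family ipv4
  import ipv4 unicast map MAP_ISP_SERVER
  export ipv4 unicast map MAP_CUS1_PREFIX
  export map MAP_ANY
vrf definition LAB
 address-family ipv4
  import ipv4 unicast map MAP_ANY
  export ipv4 unicast map MAP_MISSING
"""

def verdict(names, plists, min_len):
    if names is None:
        return "route-map not defined"
    for name in names:
        if name not in plists:
            return f"prefix-list {name} not defined"
        for net, opts in plists[name]:
            if net.prefixlen < min_len or re.search(r"\b(le|ge)\b", opts):
                return f"broad entry {net}{opts} in {name}"
    return "ok"

def audit_leaks(config, min_len=24):  # -> [(vrf, direction, route_map, verdict)]
    plists, rmaps, leaks, vrf, cur = {}, {}, [], None, []
    for s in map(str.strip, config.splitlines()):
        if m := re.match(r"ip prefix-list (\S+) seq \d+ permit (\S+)(.*)", s):
            plists.setdefault(m[1], []).append((ipaddress.ip_network(m[2], strict=False), m[3]))
        elif m := re.match(r"route-map (\S+) permit \d+", s):
            cur = rmaps.setdefault(m[1], [])   # prefix-lists this map matches on
        elif m := re.match(r"match ip address prefix-list (.+)", s):
            cur.extend(m[1].split())
        elif m := re.match(r"vrf definition (\S+)", s):
            vrf = m[1]
        elif m := re.match(r"(import|export) ipv4 unicast (?:\d+ )?map (\S+)", s):
            leaks.append((vrf, m[1], m[2]))    # plain "import/export map" is MP-BGP only
    return [(v, d, rm, verdict(rmaps.get(rm), plists, min_len)) for v, d, rm in leaks]
```

Only permit entries are parsed, so deny sequences and deny prefix-list lines are not taken into account. Calling audit_leaks(SAMPLE) reports the two CUS1 leaks as ok and flags both LAB leaks.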

18 Replies to “Moving routes between a VRF and the global (default) RIB – Part 1 – Cisco IOS”

  1. Hi,

    I tried the same in Cisco 3745, Version 12.4(15)T13. But the router doesn’t support vrf definition so I configured it under the ip vrf command.

    ip vrf A
    import ipv4 unicast map please

    R1#show route-map please
    route-map please, permit, sequence 10
    Match clauses:
    ip address prefix-lists: server
    Set clauses:
    Policy routing matches: 0 packets, 0 bytes

    R1#sh ip prefix-list server
    ip prefix-list server: 1 entries
    seq 5 permit 40.40.40.40/32

    R1#sh ip bgp
    BGP table version is 2, local router ID is 14.14.14.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
    r RIB-failure, S Stale
    Origin codes: i – IGP, e – EGP, ? – incomplete

    Network Next Hop Metric LocPrf Weight Path
    *>i40.40.40.40/32 14.14.14.2 0 100 0 i

    However the route doesn’t get imported

    R1#sh ip route vrf A

    Routing Table: A
    Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
    D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
    N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
    E1 – OSPF external type 1, E2 – OSPF external type 2
    i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
    ia – IS-IS inter area, * – candidate default, U – per-user static route
    o – ODR, P – periodic downloaded static route

    Gateway of last resort is not set

    12.0.0.0/24 is subnetted, 1 subnets
    C 12.12.12.0 is directly connected, FastEthernet0/1

    Can you please suggest why?

  2. What is the older more difficult way to export routes from VRFs to the global table? I’ve only seen how to export to other VRFs. Cisco’s Feature Navigator says that IOS only supports this new command for 3900 platform and I’m trying to accomplish this on a 1900.

  3. Greg. 1900 and 3900 use the same code so I would be surprised if it doesn’t work on both. Features are usually software specific. Exactly what model have you got?

  4. I have the export issue because I am running an older IOS version: (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRE8

    PE1(config)#ip prefix-list solar_to_global_export seq 5 permit 10.200.200.0/24
    PE1(config)#route-map solar_export_global
    PE1(config-route-map)#match ip address prefix-list solar_to_global_export
    PE1(config-route-map)#end
    PE1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    PE1(config)#ip vrf solar
    PE1(config-vrf)#export ipv4 unicast map solar_export_global
    ^
    % Invalid input detected at ‘^’ marker.

    PE1(config-vrf)#export ?
    map Route-map based VRF export

    Is there another way I can export routes from vrf to grt?

    Import works fine using ipv4 unicast map command.

    Any help would be appreciated.

  5. I am wondering why I am still not importing the default route I am receiving, despite all the prerequisites. May I please ask your help, Darren?

    !Cisco IOS is 15.2(4)+
    R2(config)#do sho ver | i IOS
    Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)M9, RELEASE SOFTWARE (fc2)

    !We have a valid/best 0.0.0.0 route from the VRF
    R2(config-router-af)#do sho ip bgp vpnv4 vrf VRF-X 0.0.0.0
    BGP routing table entry for 65432:1:0.0.0.0/0, version 7
    Paths: (2 available, best #1, table VRF-X)
    Multipath: eiBGP
    Advertised to update-groups:
    1
    Refresh Epoch 2
    65000
    152.169.32.73 from 152.169.32.73 (1.1.1.1)
    Origin IGP, localpref 100, valid, external, multipath, best
    Extended Community: RT:65432:1
    Refresh Epoch 1
    65000
    68.139.25.25 from 10.1.0.1 (192.168.0.2)
    Origin IGP, metric 0, localpref 100, valid, internal, multipath(oldest)
    Extended Community: RT:65432:1

    !VRF export to Global configured:
    R2(config-router-af)#do sho run | s vrf def
    vrf definition VRF-X
    rd 65432:1
    !
    address-family ipv4
    export map DEFAULT-TO-GLOBAL
    route-target export 65432:1
    route-target import 65432:1
    exit-address-family

    !Route-maps and Prefix-Lists are in-tact.
    R2(config-router-af)#do sho route-map DEFAULT-TO-GLOBAL
    route-map DEFAULT-TO-GLOBAL, permit, sequence 10
    Match clauses:
    ip address prefix-lists: DEFAULT
    Set clauses:
    Policy routing matches: 0 packets, 0 bytes

    R2(config-router-af)#do sho ip prefix-list DEFAULT
    ip prefix-list DEFAULT: 1 entries
    seq 5 permit 0.0.0.0/0

    I am lost. Please help give me a guiding light.

  6. John,
    Welcome to my world – Schmisco at their finest “Undocumented caveats”. The answer for me is that you need to specify a matching IPv4 Address Family “container”, so that the “export ipv4 unicast map” kicks in and does its magic to port the “bgp -> ipv4 address family XYZ” over to the Global Routing Table “bgp” configuration.

    So I’d suggest you need to add the following to your BGP config:

    conf t
    router bgp 65432
    address-family ipv4 vrf VRF-X
    network 0.0.0.0
    exit-address-family
    end

    That fixed it for me trying to do an export (VRF -> Global Routing Table) at any rate. Prior to that, I was pulling my hair out trying to work out why my prefix-list had no matches (sh ip prefix-list det) and the VRF route wasn’t being installed in the Global Routing Table.

    This blog helped: https://rekrowten.wordpress.com/2014/02/21/route-leak-between-global-ipv4-table-and-vrf/

  7. Do you recall what the route looked like on R2 in the global or bgp tables? I’m trying to accomplish something similar but on the same device without using a static route to get the VRF route in the global table. My import of the dynamic default route is working but exporting the prefix out of the VRF doesn’t seem to work at least on the version of IOS I’m on.

  8. Hi;

    I was wondering if you can provide some documentation on how to route over a WAN link from a site that has no VRF configuration to another site that is configured with VRF.

    We are in the process of moving our datacenter to a cloud, the data center in the cloud will be configured with VRFs to segregate the traffic, the remote sites will have a small core to provide connectivity to remote users and servers, but no VRF will be configured but there will be some users from the same branch accessing different VRFs at the cloud.

    Any information or documentation that you may provide will be greatly appreciated.

    Thanks;

    Juan

  9. I found I also needed “route-target export 1:1” to get my routes exporting from the VRF.
    Here’s my vrf config:
    !
    vrf definition MPLS
    rd 1:1
    !
    address-family ipv4
    import ipv4 unicast map LEAK_GLOBAL_TO_MPLS
    export ipv4 unicast map LEAK_MPLS_TO_GLOBAL
    route-target export 1:1
    exit-address-family
    !
    Another thing I noticed was you must use “vrf definition MPLS” and not “ip vrf MPLS”. I guess because “vrf definition MPLS” is address-family aware.

    Thx,
    Vin
    CCIE 26989

  10. Vin, your comment regarding “route-target export” was very valuable. I was missing that part in my vrf to global export.

    Thanks!
