Traffic Leaking from VPRN to GRT

This chapter provides information about Traffic Leaking from VPRN to GRT.

Applicability

The information and configuration in this chapter were originally based on SR OS Release 14.0 R4. The CLI in the current edition corresponds to SR OS Release 22.2.R2.

Overview

RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs), describes a method of distributing routing information using BGP and MPLS forwarding data to provide a Layer 3 VPN service to end users. Each Virtual Private Routed Network (VPRN) consists of a set of customer sites connected to one or more PE routers. Each associated PE router maintains a separate IP forwarding table for each VPRN. Additionally, the PE routers exchange the routing information configured or learned from all customer sites via Multi-Protocol Border Gateway Protocol (MP-BGP) peering. Each route exchanged via the MP-BGP protocol includes a route distinguisher (RD), which identifies the VPRN association and resolves any IP address overlap.

It has always been possible to exchange traffic from one VPRN to another, using scenarios such as "extranet", "hub and spoke" and so on, using the vrf-import and vrf-export policies for BGP VPN-IPv4 route distribution.

Traffic leaking to the Global Route Table (GRT) allows service providers to offer VPRN and Internet services over a single Virtual Routing and Forwarding (VRF) interface. Packets entering a VRF interface can have route processing results derived from the VRF or the GRT. The leaking and preferred lookup settings are configured on a per-VPRN basis.

To allow data flowing from a VPRN to the base router, routing information from the base router must be made available for lookup by the VPRN. The GRT lookup can be general (for example, any lookup miss in the Virtual Routing and Forwarding (VRF) table can be resolved in the GRT), or specific (for example, specific routes should only be searched for in the GRT and ignored by the VPRN).

To enable the GRT lookup from the VPRN, the enable-grt command is used. This only provides part of the solution, because packets can now be forwarded from the VPRN to the GRT, but not in the opposite direction. The GRT needs to learn specific destination prefixes from the VPRN and this is achieved by route leaking from the VPRN to the GRT, using policies (export-grt command). The maximum number of routes leaked from a VPRN to the GRT is five by default, but this maximum can be modified or even removed. Prefixes should be globally unique within the service provider network and if these are propagated outside the provider's network, they must be from the public IP space and globally unique.

Figure 1. VPRN to GRT leak process

The method described in this chapter allows the network administrator to leak specific or all routes that are inside a VPRN to the GRT. Route leaking from VPRN to GRT is protocol-independent and can be applied for BGP, OSPF(v3), IS-IS, static, local routes, and so on. For BGP routes, there is an improved route leaking mechanism that allows leaking routes preserving all BGP attributes; see chapter BGP Route Leaking.

Configuration

Example topology with IPv4 addresses shows the example topology used in this chapter, including the IPv4 addresses. The interfaces also have IPv6 addresses, which will be shown in Example topology with IPv6 addresses.

Figure 2. Example topology with IPv4 addresses

Initial configuration

The nodes in the example topology have the following initial configuration:

  • Cards, MDAs, ports

  • Router interfaces

  • IGP (IS-IS or OSPF) between the PEs

  • LDP between the PEs

  • VPRN "VPRN 1" on PE-1

  • BGP (IBGP between the PEs; EBGP between PE-1 and CE-11)

    • On PE-1, BGP is configured in the base router and in VPRN 1.

  • Loopback addresses on CE-11, such as 192.168.110.2/32.

  • Export policies on CE-11 to export routes from direct with certain prefixes.

Protocol-independent IPv4 route leaking from VPRN to GRT

IPv4 VPRN to GRT route leaking for IS-IS shows the topology with the IP addresses for this example. Route leaking from VPRN to GRT is protocol independent and in this example, VPRN "VPRN 1" on PE-1 will leak local routes, static routes, and imported BGP routes to the GRT. IS-IS or OSPF routes can also be leaked, but that is not shown here.

Figure 3. IPv4 VPRN to GRT route leaking for IS-IS

GRT-leak is by default disabled. The routing table for VPRN 1 on PE-1 contains local routes, static routes, and BGP routes that are learned from CE-11, as follows:

*A:PE-1# show router 1 route-table
 
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
172.16.1.1/32                                 Local   Local     00h01m14s  0
       system                                                       0
172.16.111.0/30                               Local   Local     00h01m14s  0
       int-PE-1-CE-11                                               0
192.168.110.2/32                              Remote  BGP       00h00m12s  170
       172.16.111.2                                                 0
192.168.110.3/32                              Remote  BGP       00h00m12s  170
       172.16.111.2                                                 0
192.168.110.4/32                              Remote  BGP       00h00m12s  170
       172.16.111.2                                                 0
192.168.120.0/24                              Remote  Static    00h01m14s  5
       172.16.111.2                                                 1
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

By default, the GRT is not learning the VPRN routes, as follows:

*A:PE-1# show router route-table
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
192.0.2.1/32                                  Local   Local     00h01m14s  0
       system                                                       0
192.0.2.2/32                                  Remote  ISIS      00h01m03s  15
       192.168.12.2                                                 10
192.0.2.3/32                                  Remote  ISIS      00h00m51s  15
       192.168.13.2                                                 10
192.168.12.0/30                               Local   Local     00h01m14s  0
       int-PE-1-PE-2                                                0
192.168.13.0/30                               Local   Local     00h01m14s  0
       int-PE-1-P-3                                                 0
192.168.23.0/30                               Remote  ISIS      00h01m03s  15
       192.168.12.2                                                 20
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

To enable VPRN to GRT leaking, the following route policy is configured on PE-1 and applied in VPRN 1:

# on PE-1:
configure
    router Base 
        policy-options
            begin
            policy-statement "LeakVPRNtoGRT_pref8"
                entry 10
                    action accept
                        preference 8
                    exit
                exit
            exit
            commit
        exit
    exit
    service 
        vprn "VPRN 1" 
            grt-lookup
                enable-grt
                exit
                export-grt "LeakVPRNtoGRT_pref8"
            exit
        exit

This policy allows leaking all routes from a VPRN to the base router, without any match criteria. However, when routes are leaked from VPRNs to the GRT, they need to be unique and only routes that need to be known in the GRT should be leaked. By default, the preference for a leaked route is 180. The preference can be manually configured to a lower value, such as 8, to avoid network inconsistencies between the IGP and the RT on the router where the routes are leaked.

When enable-grt is configured, any lookup miss in the VRF table will be resolved in the GRT, if available. This only works from VPRN to GRT and does not require route leaking. However, the base router needs to be able to route packets back to the VPRN and it cannot perform a lookup in the routing table of the VPRN. Therefore, route leaking from VPRN to GRT is required, and export-grt is configured. Prefixes in the VPRN must be leaked to the GRT through a policy. Prefixes leaked from any VPRN should never conflict with prefixes leaked from any other VPRN or existing prefixes in the GRT.

This configuration is protocol-independent. Route leaking from VPRN to GRT is applicable for all kinds of learned routes, such as static routes, local routes, IS-IS, OSPF, BGP, and so on.

After routes are leaked from the VPRN to the GRT, the routing table of the base router includes the leaked routes, with protocol "VPN Leak". For PE-1, the routing table contains the following routes:

*A:PE-1# show router route-table
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
172.16.1.1/32                                 Remote  VPN Leak  00h00m20s  8
       system                                                       0
172.16.111.0/30                               Remote  VPN Leak  00h00m20s  8
       int-PE-1-CE-11                                               0
192.0.2.1/32                                  Local   Local     00h03m06s  0
       system                                                       0
192.0.2.2/32                                  Remote  ISIS      00h02m49s  15
       192.168.12.2                                                 10
192.0.2.3/32                                  Remote  ISIS      00h02m41s  15
       192.168.13.2                                                 10
192.168.12.0/30                               Local   Local     00h03m06s  0
       int-PE-1-PE-2                                                0
192.168.13.0/30                               Local   Local     00h03m06s  0
       int-PE-1-P-3                                                 0
192.168.23.0/30                               Remote  ISIS      00h02m49s  15
       192.168.12.2                                                 20
192.168.110.3/32                              Remote  VPN Leak  00h00m20s  8
       172.16.111.2                                                 0
192.168.110.4/32                              Remote  VPN Leak  00h00m20s  8
       172.16.111.2                                                 0
192.168.120.0/24                              Remote  VPN Leak  00h00m20s  8
       172.16.111.2                                                 0
-------------------------------------------------------------------------------
No. of Routes: 11
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

Regardless of the preference of the original routes in VPRN 1, all the leaked routes in the GRT have preference 8, as configured. By default, a maximum of five routes are leaked. This export limit can be overruled, as follows:

# on PE-1:
configure
    service
        vprn "VPRN 1" 
            grt-lookup
                export-limit 10

The following command shows only the routes leaked from any VPRN to GRT on PE-1:

*A:PE-1# show router route-table protocol vpn-leak all
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                         Active     Metric
-------------------------------------------------------------------------------
172.16.1.1/32                                 Remote  VPN Leak  00h00m05s  8
       system                                          Y            0
172.16.111.0/30                               Remote  VPN Leak  00h00m05s  8
       int-PE-1-CE-11                                  Y            0
192.168.110.2/32                              Remote  VPN Leak  00h00m05s  8
       172.16.111.2                                    Y            0
192.168.110.3/32                              Remote  VPN Leak  00h00m05s  8
       172.16.111.2                                    Y            0
192.168.110.4/32                              Remote  VPN Leak  00h00m05s  8
       172.16.111.2                                    Y            0
192.168.120.0/24                              Remote  VPN Leak  00h00m05s  8
       172.16.111.2                                    Y            0
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
       E = Inactive best-external BGP route
===============================================================================

Different types of routes are leaked to the GRT with protocol type "VPN Leak" and all of them get the same preference, configured or default. The detailed output for any leaked route in the preceding list for PE-1 shows protocol VPN_LEAK and preference 8, as follows:

*A:PE-1# show router route-table protocol vpn-leak 192.168.110.2/32 extensive
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix             : 192.168.110.2/32
  Protocol              : VPN_LEAK
  Age                   : 00h00m24s
  Preference            : 8
  Next-Hop              : 172.16.111.2
    Interface           : int-PE-1-CE-11 (VPRN 1)
    QoS                 : Priority=n/c, FC=n/c
    Source-Class        : 0
    Dest-Class          : 0
    Metric              : 0
    ECMP-Weight         : N/A
-------------------------------------------------------------------------------
No. of Destinations: 1
===============================================================================

Export IPv4 VPN-leak routes to routing protocols

Until now, the VPN-leak routes are leaked locally to the GRT, but they are not advertised in IS-IS, OSPF, or BGP. Router P-3 has not learned any of the leaked routes, as follows:

*A:P-3# show router route-table
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
192.0.2.1/32                                  Remote  ISIS      00h03m44s  15
       192.168.13.1                                                 10
192.0.2.2/32                                  Remote  ISIS      00h03m44s  15
       192.168.23.1                                                 10
192.0.2.3/32                                  Local   Local     00h03m51s  0
       system                                                       0
192.168.12.0/30                               Remote  ISIS      00h03m44s  15
       192.168.13.1                                                 20
192.168.13.0/30                               Local   Local     00h03m51s  0
       int-P-3-PE-1                                                 0
192.168.23.0/30                               Local   Local     00h03m51s  0
       int-P-3-PE-2                                                 0
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

To reduce the number of routes to be exported on PE-1, a match criterion is added for the routes to be leaked, as follows:

# on PE-1:
configure
    router Base 
        policy-options
            begin
            prefix-list "192.168.110.0"
                prefix 192.168.110.0/24 longer
            exit
            policy-statement "LeakVPRNtoGRT_pref8_110"
                entry 10
                    from
                        prefix-list "192.168.110.0"
                    exit
                    action accept
                        preference 8
                    exit
                exit
            exit
            commit
        exit
    exit 
    service 
        vprn "VPRN 1" 
            grt-lookup 
                enable-grt
                exit
                export-grt "LeakVPRNtoGRT_pref8_110"
            exit
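
The constraints described in this chapter (leaked prefixes must not conflict with prefixes already in the GRT, the export limit, and a prefix list that restricts what is leaked) can be checked against route-table output before and after export-grt is applied. The following Python script is an added example, not part of the original chapter or of SR OS; the function names are hypothetical, the GRT samples are short excerpts, and the IS-IS row for 192.168.110.4/32 is constructed to show a conflict.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix type proto pref next_hop")

# VPRN 1 route table on PE-1, rows copied from the output in this chapter.
VPRN_TABLE = """\
Dest Prefix[Flags]                            Type    Proto     Age        Pref
172.16.1.1/32                                 Local   Local     00h01m14s  0
       system                                                       0
172.16.111.0/30                               Local   Local     00h01m14s  0
       int-PE-1-CE-11                                               0
192.168.110.2/32                              Remote  BGP       00h00m12s  170
       172.16.111.2                                                 0
192.168.110.3/32                              Remote  BGP       00h00m12s  170
       172.16.111.2                                                 0
192.168.110.4/32                              Remote  BGP       00h00m12s  170
       172.16.111.2                                                 0
192.168.120.0/24                              Remote  Static    00h01m14s  5
       172.16.111.2                                                 1
No. of Routes: 6
"""
# GRT before leaking: two rows from this chapter plus one CONSTRUCTED IS-IS row
# (192.168.110.4/32) that collides with a VPRN prefix.
GRT_BEFORE = """\
192.0.2.1/32                                  Local   Local     00h01m14s  0
       system                                                       0
192.168.12.0/30                               Local   Local     00h01m14s  0
       int-PE-1-PE-2                                                0
192.168.110.4/32                              Remote  ISIS      00h01m03s  15
       192.168.12.2                                                 10
"""
# GRT after leaking with the unfiltered policy: excerpt of the output in this chapter.
GRT_AFTER = """\
172.16.1.1/32                                 Remote  VPN Leak  00h00m20s  8
       system                                                       0
192.0.2.2/32                                  Remote  ISIS      00h02m49s  15
       192.168.12.2                                                 10
192.168.110.3/32                              Remote  VPN Leak  00h00m20s  8
       172.16.111.2                                                 0
192.168.120.0/24                              Remote  VPN Leak  00h00m20s  8
       172.16.111.2                                                 0
"""
# Intended scope, equivalent to: prefix 192.168.110.0/24 longer
ALLOWED = [ipaddress.ip_network("192.168.110.0/24")]


def parse_route_table(text):
    """Parse 'show router route-table' rows (a prefix row followed by a next-hop row)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if line[0].isspace():  # indented row: next hop of the preceding route
            if routes and routes[-1].next_hop is None:
                routes[-1] = routes[-1]._replace(next_hop=tok[0])
            continue
        if len(tok) < 5 or "/" not in tok[0]:
            continue  # banner, column header, route count or flag legend
        try:
            net = ipaddress.ip_network(tok[0].split("[")[0], strict=False)
            pref = int(tok[-1])
        except ValueError:
            continue
        # Proto can be two words ("VPN Leak"): everything between Type and Age.
        routes.append(Route(net, tok[1], " ".join(tok[2:-2]), pref, None))
    return routes


def in_prefix_list(net, prefix_list):
    """'prefix X longer' semantics: X itself or any more-specific prefix inside X."""
    return any(net.version == p.version and net.subnet_of(p) for p in prefix_list)


def audit_export(vprn_routes, grt_routes, prefix_list=None, export_limit=5):
    """Predict what an export-grt policy selects and what it collides with in the GRT."""
    selected = [r for r in vprn_routes
                if prefix_list is None or in_prefix_list(r.prefix, prefix_list)]
    existing = [g for g in grt_routes if g.proto != "VPN Leak"]
    conflicts = [(str(r.prefix), str(g.prefix), g.proto)
                 for r in selected for g in existing
                 if r.prefix.version == g.prefix.version and r.prefix.overlaps(g.prefix)]
    # A limit of 0 means no limit, as with 'export-v6-limit 0' in this chapter.
    not_leaked = max(0, len(selected) - export_limit) if export_limit else 0
    return {"selected": selected, "conflicts": conflicts, "not_leaked": not_leaked}


def unexpected_leaks(grt_routes, prefix_list):
    """VPN Leak routes in the GRT that the intended prefix list does not cover."""
    return [r for r in grt_routes
            if r.proto == "VPN Leak" and not in_prefix_list(r.prefix, prefix_list)]


if __name__ == "__main__":
    vprn, before, after = map(parse_route_table, (VPRN_TABLE, GRT_BEFORE, GRT_AFTER))
    for label, plist in (("no match criteria", None), ("prefix list", ALLOWED)):
        res = audit_export(vprn, before, plist)
        print(label, "->", len(res["selected"]), "selected,",
              res["not_leaked"], "over the limit, conflicts:", res["conflicts"])
    print("outside prefix list:", [str(r.prefix) for r in unexpected_leaks(after, ALLOWED)])
```

Run against the samples, the unfiltered policy selects six routes (one more than the default limit of five), the prefix list narrows that to three, and both runs flag the constructed IS-IS route as a conflict.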

VPN-leak routes can be exported to any routing protocol. Prefix lists can be used to filter routes, but that is not configured in this example. The following export policy is configured on PE-1 to export the VPN-leak routes:

# on PE-1:
configure
    router Base
        policy-options
            begin
            policy-statement "export-vpn-leak"
                entry 10
                    from
                        protocol vpn-leak
                    exit
                    action accept
                    exit
                exit
            exit
            commit

The same export policy will be used for export to IS-IS, OSPF, and BGP.

Export IPv4 VPN-leak routes to IS-IS

The export policy is applied in the IS-IS context on PE-1, as follows:

# on PE-1:
configure
    router Base
        isis 0
            export "export-vpn-leak"
        exit

The leaked routes are now advertised via IS-IS and appear as IS-IS routes with default preference for IS-IS routes on PE-2 and P-3. The route table on P-3 looks as follows:

*A:P-3# show router route-table
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
192.0.2.1/32                                  Remote  ISIS      00h04m39s  15
       192.168.13.1                                                 10
192.0.2.2/32                                  Remote  ISIS      00h04m39s  15
       192.168.23.1                                                 10
192.0.2.3/32                                  Local   Local     00h04m46s  0
       system                                                       0
192.168.12.0/30                               Remote  ISIS      00h04m39s  15
       192.168.13.1                                                 20
192.168.13.0/30                               Local   Local     00h04m46s  0
       int-P-3-PE-1                                                 0
192.168.23.0/30                               Local   Local     00h04m46s  0
       int-P-3-PE-2                                                 0
192.168.110.2/32                              Remote  ISIS      00h00m21s  15
       192.168.13.1                                                 10
192.168.110.3/32                              Remote  ISIS      00h00m21s  15
       192.168.13.1                                                 10
192.168.110.4/32                              Remote  ISIS      00h00m21s  15
       192.168.13.1                                                 10
-------------------------------------------------------------------------------
No. of Routes: 9
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

The export policy is removed from the IS-IS context on PE-1, as follows:

# on PE-1:
configure
    router Base
        isis 0
            no export

Export IPv4 VPN-leak routes to OSPF

When OSPF is used instead of IS-IS, the behavior is similar. The export policy is applied in the OSPF context on PE-1, as follows:

# on PE-1:
configure
    router Base
        ospf 0
            export "export-vpn-leak"

To export routes into OSPF using a policy, the router must be configured as ASBR, as follows:

# on PE-1:
configure
    router Base
        ospf 0
            asbr

The routes with protocol VPN-leak on PE-1 are now exported in OSPF to PE-2 and P-3. The default preference for external OSPF routes is 150. On P-3, the routing table contains the following OSPF routes:

*A:P-3# show router route-table protocol ospf
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
192.0.2.1/32                                  Remote  OSPF      00h00m44s  10
       192.168.13.1                                                 10
192.0.2.2/32                                  Remote  OSPF      00h00m44s  10
       192.168.23.1                                                 10
192.168.12.0/30                               Remote  OSPF      00h00m44s  10
       192.168.13.1                                                 20
192.168.110.2/32                              Remote  OSPF      00h00m14s  150
       192.168.13.1                                                 1
192.168.110.3/32                              Remote  OSPF      00h00m14s  150
       192.168.13.1                                                 1
192.168.110.4/32                              Remote  OSPF      00h00m14s  150
       192.168.13.1                                                 1
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

The export policy is removed from the OSPF context on PE-1 as follows:

# on PE-1:
configure
    router Base
        ospf
            no export

Export IPv4 VPN-leak routes to BGP

The export policy is applied in the general bgp context of PE-1, as follows:

# on PE-1:
configure
    router Base 
        bgp
            export "export-vpn-leak"

The VPN-leak routes from PE-1 will be advertised as BGP routes to BGP neighbors PE-2 and P-3, and the routing tables will contain BGP routes with preference 170. P-3 has the following BGP routes:

*A:P-3# show router route-table protocol bgp
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
192.168.110.2/32                              Remote  BGP       00h00m16s  170
       192.168.13.1                                                 10
192.168.110.3/32                              Remote  BGP       00h00m16s  170
       192.168.13.1                                                 10
192.168.110.4/32                              Remote  BGP       00h00m16s  170
       192.168.13.1                                                 10
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

Note: If it is required to preserve the BGP path attributes in the leaking process, you must use the BGP Route Leaking process described in chapter BGP Route Leaking. However, with this protocol-independent route leaking mechanism, it is possible to leak non-BGP routes to the GRT that will be advertised as BGP routes.

The export policy is removed from the bgp context, as follows:

# on PE-1:
configure 
    router Base
        bgp 
            no export

Protocol-independent IPv6 route leaking from VPRN to GRT

Example topology with IPv6 addresses shows the topology and the IP addresses used for IPv6. CE-11 exports routes such as 2001:db8:110::2/128 to VPRN 1 on PE-1. On PE-1, local routes, static routes, and BGP routes will be leaked to the GRT.

Figure 4. Example topology with IPv6 addresses

The IPv6 routing table for VPRN 1 on PE-1 includes local addresses, a static route, and three BGP routes exported by CE-11, as follows:

*A:PE-1# show router 1 route-table ipv6
 
===============================================================================
IPv6 Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
2001:db8::1:1/128                             Local   Local     00h08m49s  0
       system                                                       0
2001:db8:110::2/128                           Remote  BGP       00h07m49s  170
       2001:db8:111::1                                              0
2001:db8:110::3/128                           Remote  BGP       00h07m49s  170
       2001:db8:111::1                                              0
2001:db8:110::4/128                           Remote  BGP       00h07m49s  170
       2001:db8:111::1                                              0
2001:db8:111::/127                            Local   Local     00h08m48s  0
       int-PE-1-CE-11                                               0
2001:db8:120::/120                            Remote  Static    00h08m48s  5
       2001:db8:111::1                                              1
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

By default, route leaking is disabled and the IPv6 GRT on PE-1 does not contain any of the IPv6 routes in VPRN 1, as follows:

*A:PE-1# show router route-table ipv6
 
===============================================================================
IPv6 Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
2001:db8::1/128                               Local   Local     00h08m50s  0
       system                                                       0
2001:db8::2/128                               Remote  OSPF3     00h08m38s  10
       fe80::14:1ff:fe01:1-"int-PE-1-PE-2"                          10
2001:db8::3/128                               Remote  OSPF3     00h08m26s  10
       fe80::18:1ff:fe01:2-"int-PE-1-P-3"                           10
2001:db8:12::/126                             Local   Local     00h08m49s  0
       int-PE-1-PE-2                                                0
2001:db8:13::/126                             Local   Local     00h08m49s  0
       int-PE-1-P-3                                                 0
2001:db8:23::/126                             Remote  OSPF3     00h08m22s  10
       fe80::18:1ff:fe01:2-"int-PE-1-P-3"                           20
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

The VPN-leak route policy is the same as for IPv4 routes, and is applied in the vprn context in the same way as for IPv4 routes, as follows:

# on PE-1:
configure
    router Base 
        policy-options
            begin
            policy-statement "LeakVPRNtoGRT_pref8"
                entry 10
                    action accept
                        preference 8
                    exit
                exit
            exit
            commit
        exit
    exit
    service 
        vprn "VPRN 1"
            grt-lookup
                enable-grt
                exit
                export-grt "LeakVPRNtoGRT_pref8"
            exit

On PE-1, the IPv6 routing table for VPRN 1 contains six routes, but by default, a maximum of five routes are leaked, as follows:

*A:PE-1# show router route-table ipv6 protocol vpn-leak all
 
===============================================================================
IPv6 Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                         Active     Metric
-------------------------------------------------------------------------------
2001:db8::1:1/128                             Remote  VPN Leak  00h00m12s  8
       system                                          Y            0
2001:db8:110::2/128                           Remote  VPN Leak  00h00m12s  8
       2001:db8:111::1                                 Y            0
2001:db8:110::4/128                           Remote  VPN Leak  00h00m12s  8
       2001:db8:111::1                                 Y            0
2001:db8:111::/127                            Remote  VPN Leak  00h00m12s  8
       int-PE-1-CE-11                                  Y            0
2001:db8:120::/120                            Remote  VPN Leak  00h00m12s  8
       2001:db8:111::1                                 Y            0
-------------------------------------------------------------------------------
No. of Routes: 5
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
       E = Inactive best-external BGP route
===============================================================================

The export limit for IPv6 routes is removed, as follows:

# on PE-1:
configure 
    service 
        vprn "VPRN 1"
            grt-lookup 
                export-v6-limit 0

As a result, there is no limit to the number of leaked IPv6 routes, and all six IPv6 routes are leaked from VPRN 1 to the GRT with the configured preference 8, as follows:

*A:PE-1# show router route-table ipv6 protocol vpn-leak all
 
===============================================================================
IPv6 Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                         Active     Metric
-------------------------------------------------------------------------------
2001:db8::1:1/128                             Remote  VPN Leak  00h00m05s  8
       system                                          Y            0
2001:db8:110::2/128                           Remote  VPN Leak  00h00m05s  8
       2001:db8:111::1                                 Y            0
2001:db8:110::3/128                           Remote  VPN Leak  00h00m05s  8
       2001:db8:111::1                                 Y            0
2001:db8:110::4/128                           Remote  VPN Leak  00h00m05s  8
       2001:db8:111::1                                 Y            0
2001:db8:111::/127                            Remote  VPN Leak  00h00m05s  8
       int-PE-1-CE-11                                  Y            0
2001:db8:120::/120                            Remote  VPN Leak  00h00m05s  8
       2001:db8:111::1                                 Y            0
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
       E = Inactive best-external BGP route
===============================================================================

The details for any of the routes show that the protocol is VPN-leak and the preference is 8, as follows:

*A:PE-1# show router route-table protocol vpn-leak 2001:db8:110::2/128 extensive
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix             : 2001:db8:110::2/128
  Protocol              : VPN_LEAK
  Age                   : 00h00m26s
  Preference            : 8
  Next-Hop              : 2001:db8:111::1
    Interface           : int-PE-1-CE-11 (VPRN 1)
    QoS                 : Priority=n/c, FC=n/c
    Source-Class        : 0
    Dest-Class          : 0
    Metric              : 0
    ECMP-Weight         : N/A
-------------------------------------------------------------------------------
No. of Destinations: 1
===============================================================================

Export IPv6 VPN-leak routes to routing protocols

So far, the IPv6 VPN-leak routes have been leaked locally to the GRT, but they are not advertised in IS-IS, OSPFv3, or BGP. Router P-3 has not learned any of the leaked IPv6 routes, as follows:

*A:P-3# show router route-table ipv6
 
===============================================================================
IPv6 Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
2001:db8::1/128                               Remote  OSPF3     00h10m51s  10
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           10
2001:db8::2/128                               Remote  OSPF3     00h10m46s  10
       fe80::14:1ff:fe01:2-"int-P-3-PE-2"                           10
2001:db8::3/128                               Local   Local     00h10m52s  0
       system                                                       0
2001:db8:12::/126                             Remote  OSPF3     00h10m51s  10
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           20
2001:db8:13::/126                             Local   Local     00h10m51s  0
       int-P-3-PE-1                                                 0
2001:db8:23::/126                             Local   Local     00h10m51s  0
       int-P-3-PE-2                                                 0
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

To reduce the number of VPN-leak routes, a match criterion is added to the route policy on PE-1, as follows:

# on PE-1:
configure
    router Base 
        policy-options
            begin
            prefix-list "2001:db8:110::"
                prefix 2001:db8:110::/125 longer
            exit
            policy-statement "LeakVPRNtoGRT_pref8_110"
                entry 20
                    from
                        prefix-list "2001:db8:110::"
                    exit
                    action accept
                        preference 8
                    exit
                exit
            exit
            commit
        exit
    exit 
    service 
        vprn "VPRN 1"
            grt-lookup
                enable-grt
                exit
                export-grt "LeakVPRNtoGRT_pref8_110"
            exit

The following IPv6 routes are leaked from VPRN 1 to GRT on PE-1:

*A:PE-1# show router route-table ipv6 protocol vpn-leak 
 
===============================================================================
IPv6 Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric   
-------------------------------------------------------------------------------
2001:db8:110::2/128                           Remote  VPN Leak  00h00m21s  8
       2001:db8:111::1                                              0
2001:db8:110::3/128                           Remote  VPN Leak  00h00m21s  8
       2001:db8:111::1                                              0
2001:db8:110::4/128                           Remote  VPN Leak  00h00m21s  8
       2001:db8:111::1                                              0
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================
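
The following check is an added example, not part of the original chapter or of SR OS: it parses the six-route VPN-leak output from PE-1 shown earlier and flags every leaked route that falls outside the prefix-list range or does not carry preference 8. The function names are hypothetical, and the "longer" keyword is modeled here as "inside 2001:db8:110::/125 with a longer prefix length".

```python
import ipaddress
import re

# Constructed sample: route lines copied from the six-route PE-1 output above.
SHOW_OUTPUT = """\
2001:db8::1:1/128                             Remote  VPN Leak  00h00m05s  8
       system                                          Y            0
2001:db8:110::2/128                           Remote  VPN Leak  00h00m05s  8
       2001:db8:111::1                                 Y            0
2001:db8:110::3/128                           Remote  VPN Leak  00h00m05s  8
       2001:db8:111::1                                 Y            0
2001:db8:110::4/128                           Remote  VPN Leak  00h00m05s  8
       2001:db8:111::1                                 Y            0
2001:db8:111::/127                            Remote  VPN Leak  00h00m05s  8
       int-PE-1-CE-11                                  Y            0
2001:db8:120::/120                            Remote  VPN Leak  00h00m05s  8
       2001:db8:111::1                                 Y            0
"""

# Prefix line: <prefix/len> <type> <proto> <age> <pref>; next-hop lines are indented.
ROUTE_LINE = re.compile(r"^(\S+/\d{1,3})\s+(\S+)\s+(.+?)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, protocol, preference) for every prefix line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue  # header, separator, next-hop or footer line
        try:
            net = ipaddress.ip_network(m.group(1))
        except ValueError:
            continue  # looked like a prefix but is not a valid one
        routes.append((net, m.group(3), int(m.group(5))))
    return routes

def matches_longer(net, base):
    """Model of 'prefix <base> longer': inside base, with a longer mask."""
    return (net.version == base.version
            and net.prefixlen > base.prefixlen
            and net.subnet_of(base))

def audit_leaks(text, approved, expected_pref):
    """Split leaked routes into (allowed, unexpected) lists of prefix strings."""
    allowed, unexpected = [], []
    for net, proto, pref in parse_routes(text):
        ok = (proto == "VPN Leak" and pref == expected_pref
              and any(matches_longer(net, b) for b in approved))
        (allowed if ok else unexpected).append(str(net))
    return allowed, unexpected

# Approved range taken from the prefix-list "2001:db8:110::" configured above.
APPROVED = [ipaddress.ip_network("2001:db8:110::/125")]
```

Calling audit_leaks(SHOW_OUTPUT, APPROVED, 8) on the output taken with the match-all policy reports three routes as unexpected; on output taken after the prefix-list policy is applied, the unexpected list is empty.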

IPv6 VPN-leak routes can be exported to routing protocols IS-IS, OSPFv3, and BGP.

The export policy on PE-1 is the same as in all the preceding examples for IPv4, as follows:

# on PE-1:
configure
    router Base
        policy-options
            begin
            policy-statement "export-vpn-leak"
                entry 10
                    from
                        protocol vpn-leak
                    exit
                    action accept
                    exit
                exit
            exit
            commit

Export IPv6 VPN-leak routes to IS-IS

The export policy for IPv6 routes of protocol VPN-leak is applied for IS-IS, as follows:

# on PE-1:
configure
    router Base
        isis 0
            export "export-vpn-leak"

The three IPv6 VPN-leak routes from PE-1 are now advertised by IS-IS to PE-2 and P-3. The routing table on P-3 contains the following IPv6 IS-IS routes:

*A:P-3# show router route-table ipv6 protocol isis
 
===============================================================================
IPv6 Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
2001:db8::1/128                               Remote  ISIS      00h11m54s  15
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           10
2001:db8::2/128                               Remote  ISIS      00h11m54s  15
       fe80::14:1ff:fe01:2-"int-P-3-PE-2"                           10
2001:db8:12::/126                             Remote  ISIS      00h11m54s  15
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           20
2001:db8:110::2/128                           Remote  ISIS      00h00m15s  15
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           10
2001:db8:110::3/128                           Remote  ISIS      00h00m15s  15
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           10
2001:db8:110::4/128                           Remote  ISIS      00h00m15s  15
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           10
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

The export policy is removed for IS-IS, as follows:

# on PE-1:
configure
    router Base
        isis 0
            no export

Export IPv6 VPN-leak routes to OSPFv3

The export policy for IPv6 routes of protocol VPN-leak is applied for OSPFv3, as follows:

# on PE-1:
configure
    router Base
        ospf3
            export "export-vpn-leak"

Routes can only be exported to OSPFv3 if the router is configured as an ASBR, as follows:

# on PE-1:
configure
    router Base
        ospf3 
            asbr

The IPv6 VPN-leak routes from PE-1 are now advertised by OSPFv3 to PE-2 and P-3. The preference for remote OSPFv3 routes is by default 150. The routing table on P-3 contains the following IPv6 OSPFv3 routes:

*A:P-3# show router route-table ipv6 protocol ospf3
 
===============================================================================
IPv6 Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
2001:db8::1/128                               Remote  OSPF3     00h00m48s  10
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           10
2001:db8::2/128                               Remote  OSPF3     00h00m48s  10
       fe80::14:1ff:fe01:2-"int-P-3-PE-2"                           10
2001:db8:12::/126                             Remote  OSPF3     00h00m48s  10
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           20
2001:db8:110::2/128                           Remote  OSPF3     00h00m22s  150
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           1
2001:db8:110::3/128                           Remote  OSPF3     00h00m22s  150
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           1
2001:db8:110::4/128                           Remote  OSPF3     00h00m22s  150
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           1
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

The export policy is removed for OSPFv3, as follows:

# on PE-1:
configure
    router Base
        ospf3
            no export

Export IPv6 VPN-leak routes to BGP

The export policy for IPv6 routes of protocol VPN-leak is applied for BGP, as follows:

# on PE-1:
configure
    router Base
        bgp
            export "export-vpn-leak"

The three IPv6 VPN-leak routes from PE-1 are now advertised by BGP to PE-2 and P-3. The routing table on P-3 contains the following IPv6 BGP routes:

*A:P-3# show router route-table ipv6 protocol bgp
 
===============================================================================
IPv6 Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
2001:db8:110::2/128                           Remote  BGP       00h00m15s  170
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           10
2001:db8:110::3/128                           Remote  BGP       00h00m15s  170
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           10
2001:db8:110::4/128                           Remote  BGP       00h00m15s  170
       fe80::10:1ff:fe01:1-"int-P-3-PE-1"                           10
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

The export policy is removed for BGP, as follows:

# on PE-1:
configure
    router Base
        bgp
            no export

In this example, BGP leaked IPv6 routes are advertised by BGP. For scenarios with only BGP routes, a dedicated BGP route leaking mechanism that preserves all attributes is preferred, as described in the BGP Route Leaking chapter. However, with the same configuration as in this chapter, it is possible to leak non-BGP routes and advertise them using BGP.

Conclusion

Routes learned in a VPRN can be leaked to the base router and advertised using routing protocols. The mechanism described in this chapter is protocol-independent; all kinds of routes can be leaked from a VRF to the GRT: local, static, IS-IS, OSPF, BGP routes, and so on. In some cases, it might be useful to leak the routes from a VPRN to the entire network using the routing protocol, in order to access the resources defined inside the VRF. Routes that are leaked from VPRNs to the GRT must be unique in the network where they will be advertised.

For BGP routes, the protocol-independent route leaking mechanism described here does not preserve the attributes, unlike the dedicated BGP route leaking feature.