VRF Import and Export Maps Filter MPLS VPN Shared Services
Table of Contents
- What is a shared service in MPLS L3VPN?
- Configuring Route Target VRF import-map
- Configuring Route Target VRF export-map
- Packet capture BGP VPNv4 with two RT values
- Download section
Configuring Route Target VRF import-map
In the following example topology, Site 1 and Site 2 use VRF Gold and connect to an MPLS Layer-3 VPN Service Provider. The two sites belong to the same customer and have access to shared service resources located in the Datacenter. The servers located in the Datacenter are shared between numerous customers configured with different VRFs.
Route Target import/export rules configured on PE R2, PE R5 and PE R10 allow VRF Gold to access the shared services. Access is restricted to specific shared resources by configuring a VRF import map on PE R2. A prefix-list selects the particular routes that are permitted into VRF Gold on PE R2. As a result, Site 1 only has access to Site 2 and to Server1 in the Datacenter. Site 1 cannot access Server2 or Server3.
Configuration:
R2 (PE)
R2#show run all | sec ^mpls ip__
mpls ip

R2#show run | sec ^mpls
mpls label range 200 299
mpls ldp router-id Loopback10 force

R2#show run int Lo10 | sec int
interface Loopback10
 ip address 2.2.2.2 255.255.255.255

R2#show run | sec ^vrf
vrf definition Gold
 rd 65010:1
 !
 address-family ipv4
  import map RM-IMPORT-MAP
  route-target export 65010:1
  route-target import 65010:2
  route-target import 65010:3
 exit-address-family

R2#show run | sec ^route-map
route-map RM-IMPORT-MAP permit 10
 match ip address prefix-list PL-IMPORT-MAP
route-map RM-IMPORT-MAP deny 20

R2#show run | sec ^ip prefix
ip prefix-list PL-IMPORT-MAP seq 5 permit 172.16.1.0/24
ip prefix-list PL-IMPORT-MAP seq 10 permit 192.168.2.0/24
ip prefix-list PL-IMPORT-MAP seq 15 deny 0.0.0.0/0 le 32

R2#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R1 **
 no ip address
 duplex auto
 speed auto
 media-type rj45

R2#show run int Gi0/0.10 | sec int
interface GigabitEthernet0/0.10
 description ** to CE R1 in VRF Gold **
 encapsulation dot1Q 10
 vrf forwarding Gold
 ip address 10.0.1.1 255.255.255.252

R2#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R3 **
 ip address 10.1.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point

R2#show run | sec ^router
router isis
 net 49.0010.0000.0000.0002.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 bgp scan-time 5
 neighbor 8.8.8.8 remote-as 65010
 neighbor 8.8.8.8 update-source Loopback10
 !
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Gold
  network 10.0.1.0 mask 255.255.255.252
  neighbor 10.0.1.2 remote-as 65001
  neighbor 10.0.1.2 activate
 exit-address-family
R5 (PE)
R5#show run all | sec ^mpls ip__
mpls ip

R5#show run | sec ^mpls
mpls label range 500 599
mpls ldp router-id Loopback10 force

R5#show run int Lo10 | sec int
interface Loopback10
 ip address 5.5.5.5 255.255.255.255

R5#show run | sec ^vrf
vrf definition Gold
 rd 65010:2
 !
 address-family ipv4
  route-target export 65010:2
  route-target import 65010:1
  route-target import 65010:3
 exit-address-family

R5#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R6 **
 no ip address
 duplex auto
 speed auto
 media-type rj45

R5#show run int Gi0/0.10 | sec int
interface GigabitEthernet0/0.10
 description ** to CE R6 in VRF Gold **
 encapsulation dot1Q 10
 vrf forwarding Gold
 ip address 10.0.2.1 255.255.255.252

R5#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R4 **
 ip address 10.3.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point

R5#show run | sec ^router
router isis
 net 49.0010.0000.0000.0005.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 5.5.5.5
 bgp log-neighbor-changes
 neighbor 8.8.8.8 remote-as 65010
 neighbor 8.8.8.8 update-source Loopback10
 !
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Gold
  network 10.0.2.0 mask 255.255.255.252
  neighbor 10.0.2.2 remote-as 65002
  neighbor 10.0.2.2 activate
 exit-address-family
R10 (PE)
R10#show run all | sec ^mpls ip__
mpls ip

R10#show run | sec ^mpls
mpls label range 1000 1099
mpls ldp router-id Loopback10 force

R10#show run int Lo10 | sec int
interface Loopback10
 ip address 10.10.10.10 255.255.255.255

R10#show run | sec ^vrf
vrf definition SharedService
 rd 65010:3
 !
 address-family ipv4
  route-target export 65010:3
  route-target import 65010:1
  route-target import 65010:2
 exit-address-family

R10#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R11 (Shared Service) **
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45

R10#show run int Gi0/0.10 | sec int
interface GigabitEthernet0/0.10
 description ** to CE R11 in VRF SharedService **
 encapsulation dot1Q 10
 vrf forwarding SharedService
 ip address 10.0.3.1 255.255.255.252

R10#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R9 **
 ip address 10.7.0.1 255.255.255.252
 ip router isis
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point

R10#show run | sec ^router
router isis
 net 49.0010.0000.0000.0010.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 10.10.10.10
 bgp log-neighbor-changes
 neighbor 8.8.8.8 remote-as 65010
 neighbor 8.8.8.8 update-source Loopback10
 !
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf SharedService
  network 10.0.3.0 mask 255.255.255.252
  neighbor 10.0.3.2 remote-as 65003
  neighbor 10.0.3.2 activate
 exit-address-family
R1 (CE)
R1#show run | sec ^vrf
vrf definition Gold
 rd 1:1
 !
 address-family ipv4
 exit-address-family

R1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host1 **
 no ip address
 duplex auto
 speed auto
 media-type rj45

R1#show run int Gi0/0.1 | sec int
interface GigabitEthernet0/0.1
 description ** to Host1 in VRF Gold (VLAN 1) **
 encapsulation dot1Q 1 native
 vrf forwarding Gold
 ip address 192.168.1.2 255.255.255.0

R1#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to PE R2 **
 no ip address
 duplex auto
 speed auto
 media-type rj45

R1#show run int Gi0/1.10 | sec int
interface GigabitEthernet0/1.10
 description ** to PE R2 in VRF Gold **
 encapsulation dot1Q 10
 vrf forwarding Gold
 ip address 10.0.1.2 255.255.255.252

R1#show run | sec ^router
router bgp 65001
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf Gold
  network 192.168.1.0
  neighbor 10.0.1.1 remote-as 65010
  neighbor 10.0.1.1 activate
 exit-address-family
R6 (CE)
R6#show run | sec ^vrf
vrf definition Gold
 rd 1:1
 !
 address-family ipv4
 exit-address-family

R6#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host2 **
 no ip address
 duplex auto
 speed auto
 media-type rj45

R6#show run int Gi0/0.1 | sec int
interface GigabitEthernet0/0.1
 description ** to Host2 in VRF Gold (VLAN 1) **
 encapsulation dot1Q 1 native
 vrf forwarding Gold
 ip address 192.168.2.2 255.255.255.0

R6#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to PE R5 **
 no ip address
 duplex auto
 speed auto
 media-type rj45

R6#show run int Gi0/1.10 | sec int
interface GigabitEthernet0/1.10
 description ** to PE R5 in VRF Gold **
 encapsulation dot1Q 10
 vrf forwarding Gold
 ip address 10.0.2.2 255.255.255.252

R6#show run | sec ^router
router bgp 65002
 bgp router-id 6.6.6.6
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf Gold
  network 192.168.2.0
  neighbor 10.0.2.1 remote-as 65010
  neighbor 10.0.2.1 activate
 exit-address-family
R11 (CE)
R11#show run | sec ^vrf
vrf definition SharedService
 rd 1:1
 !
 address-family ipv4
 exit-address-family

R11#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to PE R10 **
 no ip address
 duplex auto
 speed auto
 media-type rj45

R11#show run int Gi0/0.10 | sec int
interface GigabitEthernet0/0.10
 description ** to PE R10 in VRF SharedService **
 encapsulation dot1Q 10
 vrf forwarding SharedService
 ip address 10.0.3.2 255.255.255.252

R11#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to Server1 **
 vrf forwarding SharedService
 ip address 172.16.1.2 255.255.255.0
 duplex auto
 speed auto

R11#show run int Gi0/2 | sec int
interface GigabitEthernet0/2
 description ** to Server2 **
 vrf forwarding SharedService
 ip address 172.16.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

R11#show run int Gi0/3 | sec int
interface GigabitEthernet0/3
 description ** to Server3 **
 vrf forwarding SharedService
 ip address 172.16.3.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

R11#show run | sec ^router
router bgp 65003
 bgp router-id 10.1.1.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf SharedService
  network 172.16.1.0 mask 255.255.255.0
  network 172.16.2.0 mask 255.255.255.0
  network 172.16.3.0 mask 255.255.255.0
  neighbor 10.0.3.1 remote-as 65010
  neighbor 10.0.3.1 activate
 exit-address-family
R8 (BGP RR)
R8#show run int Lo10 | sec int
interface Loopback10
 ip address 8.8.8.8 255.255.255.255

R8#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to R7 **
 ip address 10.5.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point

R8#show run | sec ^router
router isis
 net 49.0010.0000.0000.0008.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 8.8.8.8
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 65010
 neighbor 2.2.2.2 update-source Loopback10
 neighbor 5.5.5.5 remote-as 65010
 neighbor 5.5.5.5 update-source Loopback10
 neighbor 10.10.10.10 remote-as 65010
 neighbor 10.10.10.10 update-source Loopback10
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 2.2.2.2 route-reflector-client
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
  neighbor 5.5.5.5 route-reflector-client
  neighbor 10.10.10.10 activate
  neighbor 10.10.10.10 send-community extended
  neighbor 10.10.10.10 route-reflector-client
 exit-address-family
R7
R7#show run all | sec ^mpls ip__
mpls ip

R7#show run | sec ^mpls
mpls label range 700 799
mpls ldp router-id Loopback10 force

R7#show run int Lo10 | sec int
interface Loopback10
 ip address 7.7.7.7 255.255.255.255

R7#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to RR R8 **
 ip address 10.5.0.2 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point

R7#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R4 **
 ip address 10.4.0.2 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point

R7#show run int Gi0/2 | sec int
interface GigabitEthernet0/2
 description ** to R9 **
 ip address 10.6.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point

R7#show run | sec ^router
router isis
 net 49.0010.0000.0000.0007.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
Host1
Host1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R1 **
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

Host1#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
Server1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

Server1#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 172.16.1.2

R2#show ip bgp vpnv4 vrf Gold | beg Ne
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65010:1 (default for vrf Gold)
 *>  10.0.1.0/30      0.0.0.0                  0         32768 i
 *>i 172.16.1.0/24    10.10.10.10              2    100      0 65003 ?  « PE R2 VRF Gold receives Server1 IP address
 *>  192.168.1.0      10.0.1.2                 0             0 65001 i
 *>i 192.168.2.0      5.5.5.5                  0    100      0 65002 i  « PE R2 VRF Gold receives Site 2 IP address

R1#show ip route vrf Gold bgp | beg Ga
Gateway of last resort is not set

      172.16.0.0/24 is subnetted, 1 subnets
B        172.16.1.0 [20/0] via 10.0.1.1, 01:57:18  « The CE router R1 receives routes from PE R2 based on import map
B     192.168.2.0/24 [20/0] via 10.0.1.1, 01:57:18

Host1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/50/50 ms  « Host1 can reach Host2 in Site 2

Host1#trace 192.168.2.1 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.2 1 msec
  2 10.0.1.1 23 msec
  3 10.1.0.2 [MPLS: Labels 307/509 Exp 0] 47 msec
  4 10.2.0.2 [MPLS: Labels 408/509 Exp 0] 46 msec
  5 10.0.2.1 [MPLS: Label 509 Exp 0] 27 msec  « PE R5 assigns VPN Service Label 509
  6 10.0.2.2 48 msec
  7 192.168.2.1 49 msec

Host1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 51/53/56 ms  « Host1 can reach Server1 in the Datacenter

Host1#trace 172.16.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 172.16.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.2 1 msec
  2 10.0.1.1 23 msec
  3 10.1.0.2 [MPLS: Labels 305/1008 Exp 0] 48 msec
  4 10.2.0.2 [MPLS: Labels 405/1008 Exp 0] 50 msec
  5 10.4.0.2 [MPLS: Labels 705/1008 Exp 0] 49 msec
  6 10.6.0.2 [MPLS: Labels 904/1008 Exp 0] 50 msec
  7 10.0.3.1 [MPLS: Label 1008 Exp 0] 28 msec  « PE R10 assigns VPN Service Label 1008
  8 10.0.3.2 50 msec
  9 172.16.0.2 52 msec
 10 172.16.1.1 58 msec

Host1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)  « Host1 cannot reach Server2

Host1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)  « Host1 cannot reach Server3
Note that the import map is configured only on PE R2; PE R5 has no such restrictions. The following output is taken from PE router R5 and CE R6 to show the prefixes received without the VRF import map filtering.
R5#show ip bgp vpnv4 vrf Gold | beg Ne
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65010:2 (default for vrf Gold)
 *>i 10.0.1.0/30      2.2.2.2                  0    100      0 i
 *>  10.0.2.0/30      0.0.0.0                  0         32768 i
 *>i 10.0.3.0/30      10.10.10.10              0    100      0 i
 *>i 172.16.1.0/24    10.10.10.10              2    100      0 65003 ?  « Server1
 *>i 172.16.2.0/24    10.10.10.10              2    100      0 65003 ?  « Server2
 *>i 172.16.3.0/24    10.10.10.10              2    100      0 65003 ?  « Server3
 *>i 192.168.1.0      2.2.2.2                  0    100      0 65001 i
 *>  192.168.2.0      10.0.2.2                 0             0 65002 i

R6#show ip route vrf Gold bgp | beg Ga
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B        10.0.1.0/30 [20/0] via 10.0.2.1, 02:05:01
B        10.0.3.0/30 [20/0] via 10.0.2.1, 02:05:01
      172.16.0.0/24 is subnetted, 3 subnets
B        172.16.1.0 [20/0] via 10.0.2.1, 02:05:01
B        172.16.2.0 [20/0] via 10.0.2.1, 02:05:01
B        172.16.3.0 [20/0] via 10.0.2.1, 02:05:01
B     192.168.1.0/24 [20/0] via 10.0.2.1, 02:04:54
Configuring Route Target VRF export-map
In the following example topology, PE router R10 uses a VRF export map to add an extra Route Target value to the IP subnet address of Server1 (172.16.1.0/24). This means that PE R10 advertises the prefix 172.16.1.0/24 with two Route Target values. The PE router R2 receives both values but only imports the Route Target 65010:300. As a result, only the IP subnet of Server1 is imported into VRF Gold on PE R2.
Host1 can now only access Server1 in the Datacenter shared service, and Host1 cannot access Server2 or Server3. Note that the route-map on PE R10 is configured with the command set extcommunity rt 65010:300 additive. The "additive" keyword is important because it ensures that the RT 65010:3 is not replaced with 65010:300, but instead the two RT communities are both attached to the VPNv4 prefix.
Configuration:
R10 (PE)
R10#show run all | sec ^mpls ip__
mpls ip

R10#show run | sec ^mpls
mpls label range 1000 1099
mpls ldp router-id Loopback10 force

R10#show run int Lo10 | sec int
interface Loopback10
 ip address 10.10.10.10 255.255.255.255

R10#show run | sec ^vrf
vrf definition SharedService
 rd 65010:3
 !
 address-family ipv4
  export map RM-EXPORT-MAP
  route-target export 65010:3
  route-target import 65010:1
  route-target import 65010:2
 exit-address-family

R10#show run | sec ^route-map
route-map RM-EXPORT-MAP permit 10
 match ip address prefix-list PL-EXPORT-MAP
 set extcommunity rt 65010:300 additive

R10#show run | sec ^ip prefix
ip prefix-list PL-EXPORT-MAP seq 5 permit 172.16.1.0/24
ip prefix-list PL-EXPORT-MAP seq 10 deny 0.0.0.0/0 le 32

R10#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R11 (Shared Service) **
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45

R10#show run int Gi0/0.10 | sec int
interface GigabitEthernet0/0.10
 description ** to CE R11 in VRF SharedService **
 encapsulation dot1Q 10
 vrf forwarding SharedService
 ip address 10.0.3.1 255.255.255.252

R10#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R9 **
 ip address 10.7.0.1 255.255.255.252
 ip router isis
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point

R10#show run | sec ^router
router isis
 net 49.0010.0000.0000.0010.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 10.10.10.10
 bgp log-neighbor-changes
 neighbor 8.8.8.8 remote-as 65010
 neighbor 8.8.8.8 update-source Loopback10
 !
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf SharedService
  network 10.0.3.0 mask 255.255.255.252
  neighbor 10.0.3.2 remote-as 65003
  neighbor 10.0.3.2 activate
 exit-address-family
R2 (PE)
R2#show run all | sec ^mpls ip__
mpls ip

R2#show run | sec ^mpls
mpls label range 200 299
mpls ldp router-id Loopback10 force

R2#show run int Lo10 | sec int
interface Loopback10
 ip address 2.2.2.2 255.255.255.255

R2#show run | sec ^vrf
vrf definition Gold
 rd 65010:1
 !
 address-family ipv4
  route-target export 65010:1
  route-target import 65010:2
  route-target import 65010:300
 exit-address-family

R2#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R1 **
 no ip address
 duplex auto
 speed auto
 media-type rj45

R2#show run int Gi0/0.10 | sec int
interface GigabitEthernet0/0.10
 description ** to CE R1 in VRF Gold **
 encapsulation dot1Q 10
 vrf forwarding Gold
 ip address 10.0.1.1 255.255.255.252

R2#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R3 **
 ip address 10.1.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point

R2#show run | sec ^router
router isis
 net 49.0010.0000.0000.0002.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 bgp scan-time 5
 neighbor 8.8.8.8 remote-as 65010
 neighbor 8.8.8.8 update-source Loopback10
 !
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Gold
  network 10.0.1.0 mask 255.255.255.252
  neighbor 10.0.1.2 remote-as 65001
  neighbor 10.0.1.2 activate
 exit-address-family
R5 (PE)
R5#show run all | sec ^mpls ip__
mpls ip

R5#show run | sec ^mpls
mpls label range 500 599
mpls ldp router-id Loopback10 force

R5#show run int Lo10 | sec int
interface Loopback10
 ip address 5.5.5.5 255.255.255.255

R5#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R6 **
 no ip address
 duplex auto
 speed auto
 media-type rj45

R5#show run int Gi0/0.10 | sec int
interface GigabitEthernet0/0.10
 description ** to CE R6 in VRF Gold **
 encapsulation dot1Q 10
 vrf forwarding Gold
 ip address 10.0.2.1 255.255.255.252

R5#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R4 **
 ip address 10.3.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point

R5#show run | sec ^router
router isis
 net 49.0010.0000.0000.0005.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 5.5.5.5
 bgp log-neighbor-changes
 neighbor 8.8.8.8 remote-as 65010
 neighbor 8.8.8.8 update-source Loopback10
 !
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Gold
  network 10.0.2.0 mask 255.255.255.252
  neighbor 10.0.2.2 remote-as 65002
  neighbor 10.0.2.2 activate
 exit-address-family

R2#show ip bgp vpnv4 vrf Gold | beg Ne
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65010:1 (default for vrf Gold)
 *>  10.0.1.0/30      0.0.0.0                  0         32768 i
 *>i 10.0.2.0/30      5.5.5.5                  0    100      0 i
 *>i 172.16.1.0/24    10.10.10.10              2    100      0 65003 ?  « Only Server1 IP address is installed in VRF Gold on PE R2
 *>  192.168.1.0      10.0.1.2                 0             0 65001 i
 *>i 192.168.2.0      5.5.5.5                  0    100      0 65002 i

R2#show ip bgp vpnv4 rd 65010:3 172.16.1.0
BGP routing table entry for 65010:3:172.16.1.0/24, version 24  « Server1 VPNv4 prefix received on PE R2
Paths: (1 available, best #1, no table)
  Not advertised to any peer
  Refresh Epoch 4
  65003
    10.10.10.10 (metric 50) (via default) from 8.8.8.8 (8.8.8.8)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:65010:3 RT:65010:300  « Two Route Target values are attached
      Originator: 10.10.10.10, Cluster list: 8.8.8.8
      mpls labels in/out nolabel/1012
      rx pathid: 0, tx pathid: 0x0

R1#show ip route vrf Gold bgp | beg Ga
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        10.0.2.0/30 [20/0] via 10.0.1.1, 00:55:20
      172.16.0.0/24 is subnetted, 1 subnets
B        172.16.1.0 [20/0] via 10.0.1.1, 00:33:38  « CE R1 only receives Server1 IP address from PE R2
B     192.168.2.0/24 [20/0] via 10.0.1.1, 03:03:36

Host1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 53/54/57 ms  « Host1 can reach Server1 in Datacenter

Host1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)  « Host1 cannot reach Server2

Host1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)  « Host1 cannot reach Server3
Packet capture BGP VPNv4 with two RT values
The following packet capture shows a BGP VPNv4 Update message sent by PE router R10 to the BGP Route Reflector R8. The Update message carries a VPNv4 prefix with two Route Target values attached. Any PE router that receives this Update can decide which RT value it would like to match and import into the local VRF routing table. In this example scenario, the RT 65010:3 represents all three servers in the shared service Datacenter. However, the RT 65010:300 represents only Server1.
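The import decision that the import-map and export-map sections configure can be checked offline with a small model. The following Python is an added example, not code from the original page and not IOS behaviour in full: it uses the page's prefixes, prefix-lists and RT values, assumes that prefixes not matched by the export map keep the configured export RT, and assumes R5 still imports RT 65010:3 in the export-map scenario (its VRF section is not shown there). It also shows what the "additive" keyword protects against: without it, Server1 would carry only RT 65010:300 and drop out of any VRF that imports 65010:3.

```python
from ipaddress import ip_network

# Constructed from the page's configurations: (action, network, le) entries.
PL_IMPORT_MAP = [("permit", "172.16.1.0/24", None),
                 ("permit", "192.168.2.0/24", None),
                 ("deny", "0.0.0.0/0", 32)]
PL_EXPORT_MAP = [("permit", "172.16.1.0/24", None),
                 ("deny", "0.0.0.0/0", 32)]
# Prefixes each remote PE originates, as seen in the page's BGP tables.
R10_PREFIXES = ["10.0.3.0/30", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
R5_PREFIXES = ["10.0.2.0/30", "192.168.2.0/24"]


def prefix_list_permits(plist, prefix):
    """First-match evaluation; without 'le' the length must match exactly."""
    net = ip_network(prefix)
    for action, entry, le in plist:
        ent = ip_network(entry)
        max_len = ent.prefixlen if le is None else le
        if net.subnet_of(ent) and ent.prefixlen <= net.prefixlen <= max_len:
            return action == "permit"
    return False  # implicit deny at the end of every prefix-list


def export_routes(prefixes, export_rts, export_plist=None, set_rt=None, additive=True):
    """Return {prefix: set of RTs} as the exporting PE would advertise them.

    Assumption: prefixes the export map does not match keep the configured
    export RTs; matched prefixes get set_rt added (additive) or substituted.
    """
    out = {}
    for p in prefixes:
        rts = set(export_rts)
        if export_plist and prefix_list_permits(export_plist, p):
            rts = rts | {set_rt} if additive else {set_rt}
        out[p] = rts
    return out


def vrf_import(routes, import_rts, import_plist=None):
    """Prefixes installed in a VRF: an RT must match, then the import map must permit."""
    return sorted(p for p, rts in routes.items()
                  if rts & set(import_rts)
                  and (import_plist is None or prefix_list_permits(import_plist, p)))


def scenario_import_map():
    """First configuration: R2 imports 65010:2 and 65010:3 through RM-IMPORT-MAP."""
    routes = {**export_routes(R10_PREFIXES, ["65010:3"]),
              **export_routes(R5_PREFIXES, ["65010:2"])}
    return vrf_import(routes, ["65010:2", "65010:3"], PL_IMPORT_MAP)


def scenario_export_map(additive):
    """Second configuration: R10 tags Server1 with 65010:300, R2 imports 65010:300."""
    r10 = export_routes(R10_PREFIXES, ["65010:3"], PL_EXPORT_MAP, "65010:300", additive)
    r5 = export_routes(R5_PREFIXES, ["65010:2"])
    r2_gold = vrf_import({**r10, **r5}, ["65010:2", "65010:300"])
    # Assumption: R5 keeps "route-target import 65010:3" from the first configuration.
    r5_gold = vrf_import(r10, ["65010:3"])
    return r2_gold, r5_gold


if __name__ == "__main__":
    print("import map, R2 Gold:", scenario_import_map())
    for additive in (True, False):
        r2_gold, r5_gold = scenario_export_map(additive)
        print(f"additive={additive}: R2 Gold {r2_gold}; R5 sees from R10 {r5_gold}")
```

The two designs give R2 the same view of the Datacenter (Server1 only), but the import map also drops 10.0.2.0/30, which matches the difference between the two R2 BGP tables above.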