VRF to Global Internet Access (IOS-XR)
Load vpnv4.inet.access.init.cfg
#IOS-XE
config replace flash:vpnv4.inet.access.init.cfg
#IOS-XR
configure
load bootflash:vpnv4.inet.access.init.cfg
commit replace
y

L3VPN is fully set up. BGP is established with R1 and XR2 in the default table.
Allow R7 and R8 to have access to the internet via XR1.
They should both be able to ping 20.20.20.20.
Do not use NAT to accomplish this.
Answer
#R3
router bgp 100
 address-family vpnv4
  neighbor 19.19.19.19 activate
  neighbor 19.19.19.19 inherit peer-policy IBGP
#XR1
route-policy VPN_LOOPBACKS
  if destination in (7.7.7.7/32, 8.8.8.8/32) then
    pass
  endif
end-policy
!
vrf VPN_A
 address-family ipv4 unicast
  import from default-vrf route-policy PASS
  import route-target
   100:1
  !
  export to default-vrf route-policy VPN_LOOPBACKS
  export route-target
   100:1
!
router static
 vrf VPN_A
  address-family ipv4 unicast
   0.0.0.0/0 null0
!
router bgp 100
 address-family vpnv4 unicast
 !
 neighbor 3.3.3.3
  address-family vpnv4 unicast
 !
 vrf VPN_A
  rd 100:1
  address-family ipv4 unicast
   network 0.0.0.0/0
Explanation
Route leaking between a VRF and the global table is done under the VRF config using the “import from default-vrf” and “export to default-vrf” statements.
My first thought was to try to use a static route between the global table and VRF table to leak routes, but this didn’t work. There is no “global” keyword for VRF static routes on IOS-XR like we have on IOS-XE.
Instead, we leak routes under the VRF config itself. The configuration leaks the VPN loopbacks (7.7.7.7/32 and 8.8.8.8/32) into the default/global table, and leaks all routes (PASS policy) into the VRF.
route-policy VPN_LOOPBACKS
  if destination in (7.7.7.7/32, 8.8.8.8/32) then
    pass
  endif
end-policy
!
vrf VPN_A
 address-family ipv4 unicast
  import from default-vrf route-policy PASS
  import route-target
   100:1
  !
  export to default-vrf route-policy VPN_LOOPBACKS
  export route-target
   100:1
The global table now has the CE loopbacks. The route contains the service label from the VPN route.

The VRF table also has the individual routes of the global table:

Now XR1 just needs to originate a default route into the VRF in order to draw internet traffic:
router static
 vrf VPN_A
  address-family ipv4 unicast
   0.0.0.0/0 null0
!
router bgp 100
 vrf VPN_A
  rd 100:1
  address-family ipv4 unicast
   network 0.0.0.0/0
CE7 and CE8 can ping 20.20.20.20:

Note that for this to work, XR1 must run BGP for the default and VRF tables. The import and export policies work by exporting BGP routes between the tables. Therefore, at a minimum, you need to run BGP and advertise the routes even if you have no BGP neighbors.
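The leak statements decide exactly which prefixes cross the VRF/global boundary, so they are worth re-checking whenever the config changes. The Python audit below is an added example, not part of the original lab: it resolves each "import from default-vrf" / "export to default-vrf" statement to its route-policy and reports what that policy lets through. The sample config is constructed from this page, the body of PASS is an assumption (the page references it without showing it), and the function names are hypothetical.

```python
import re

# Constructed sample of XR1's leak config; the PASS body is assumed (the page never shows it).
SAMPLE_CONFIG = """\
route-policy PASS
  pass
end-policy
route-policy VPN_LOOPBACKS
  if destination in (7.7.7.7/32, 8.8.8.8/32) then
    pass
  endif
end-policy
!
vrf VPN_A
 address-family ipv4 unicast
  import from default-vrf route-policy PASS
  export to default-vrf route-policy VPN_LOOPBACKS
"""

LEAK = re.compile(r"(import from|export to) default-vrf route-policy (\S+)")
DIRECTION = {"import from": "global->vrf", "export to": "vrf->global"}

def parse_policies(config):
    """Map each route-policy name to its stripped, non-empty body lines."""
    found = re.findall(r"^route-policy (\S+)\n(.*?)^end-policy", config, re.M | re.S)
    return {name: [l.strip() for l in body.splitlines() if l.strip()] for name, body in found}

def policy_scope(body):
    """Prefixes the policy matches, 'ALL' for a bare pass, else UNDEFINED or UNKNOWN."""
    if body is None:
        return "UNDEFINED"
    sets = re.findall(r"destination in \(([^)]*)\)", " ".join(body))
    if sets:
        return [p.strip() for s in sets for p in s.split(",")]
    return "ALL" if body == ["pass"] else "UNKNOWN"

def audit_leaks(config):
    """List (vrf, direction, policy, scope) for every VRF/global leak statement."""
    policies, vrf, findings = parse_policies(config), None, []
    for line in config.splitlines():
        if line[:1].strip() and line != "!":      # unindented line opens a new stanza
            top = re.match(r"vrf (\S+)$", line)   # only the top-level vrf stanza counts
            vrf = top.group(1) if top else None
        if vrf and (m := LEAK.search(line)):
            kind, name = m.groups()
            findings.append((vrf, DIRECTION[kind], name, policy_scope(policies.get(name))))
    return findings

print(audit_leaks(SAMPLE_CONFIG))
```

A scope of ALL in the vrf->global direction would mean every route in the VRF is exported into the global table, which is what the VPN_LOOPBACKS policy on this page prevents.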