# VRF to Global Internet Access (IOS-XR) Load **vpnv4.inet.access.init.cfg** ``` #IOS-XE config replace flash:vpnv4.inet.access.init.cfg #IOS-XR configure load bootflash:vpnv4.inet.access.init.cfg commit replace y ```

L3VPN is fully setup. BGP is established with R1 and XR2 in the default table. Allow R7 and R8 to have access to the internet via XR1. * They should both be able to ping 20.20.20.20. * Do not use NAT to accomplish this. ## Answer ``` #R3 router bgp 100 add vpnv4 neighbor 19.19.19.19 activate neighbor 19.19.19.19 inherit peer-policy IBGP #XR1 route-policy VPN_LOOPBACKS if destination in (7.7.7.7/32, 8.8.8.8/32) then pass endif end-policy ! vrf VPN_A address-family ipv4 unicast import from default-vrf route-policy PASS import route-target 100:1 ! export to default-vrf route-policy VPN_LOOPBACKS export route-target 100:1 ! router static vrf VPN_A address-family ipv4 unicast 0.0.0.0/0 null0 ! router bgp 100 address-family vpnv4 unicast ! neighbor 3.3.3.3 address-family vpnv4 unicast ! vrf VPN_A rd 100:1 address-family ipv4 unicast network 0.0.0.0/0 ``` ## Explanation Route leaking between a VRF and the global table is done under the VRF config using the “import/export to” statement. My first thought was to try to use a static route between the global table and VRF table to leak routes, but this didn’t work. There is no “global” keyword for VRF static routes on IOS-XR like we have on IOS-XE. Instead, we leak routes under the VRF config itself. The configuration leaks the VPN loopbacks (7.7.7.7/32 and 8.8.8.8/32) into the default/global table, and leaks all routes (PASS policy) into the VRF. ``` route-policy VPN_LOOPBACKS if destination in (7.7.7.7/32, 8.8.8.8/32) then pass endif end-policy ! vrf VPN_A address-family ipv4 unicast import from default-vrf route-policy PASS import route-target 100:1 ! export to default-vrf route-policy VPN_LOOPBACKS export route-target 100:1 ``` The global table now has the CE loopbacks. The route contains the service label from the VPN route.

The VRF table also has the individual routes of the global table:

Now XR1 just needs to originate a default route into the VRF in order to draw internet traffic: ``` router static vrf VPN_A address-family ipv4 unicast 0.0.0.0/0 null0 ! router bgp 100 vrf VPN_A rd 100:1 address-family ipv4 unicast network 0.0.0.0/0 ``` CE7 and CE8 can ping 20.20.20.20:

Note that for this to work, XR1 must run BGP for the default and VRF tables. The import and export policies work by exporting BGP routes between the tables. Therefore, at a minimum, you need to run BGP and advertise the routes even if you have no BGP neighbors. ## Further Reading --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ccie-sp.gitbook.io/ccie-spv5.1-labs/labs/intra-as-l3vpn/vrf-to-global-internet-access-ios-xr.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.