Inter-VRF static routes

Swapnendu was trying to implement inter-VRF route leaking in a multi-VRF environment without using route targets. He decided to use inter-VRF static routes, but got concerned after reading the following paragraph from Cisco’s documentation:

You can not configure two static routes to advertise each prefix between the VRFs, because this method is not supported. Packets will not be routed by the router. To achieve route leaking between VRFs, you must use the import functionality of route-target and enable Border Gateway Protocol (BGP) on the router. No BGP neighbor is required.

There is no reason why inter-VRF static routes on point-to-point interfaces would not work. However … if Cisco's documentation states something is not supported, that's exactly what it is: not supported. It might work for you, it might not work on specific platforms and it might be broken in a future software release (like MPLS VPN on 1800 routers). You're using it at your own risk and if it stops working you can't even complain to the TAC (because they'll tell you it's unsupported).
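
Because these routes are unsupported, it helps to know exactly where a configuration relies on them. The following Python audit is an added example, not code from the original post: it flags `ip route vrf` statements whose outgoing interface sits in a different VRF (or in the global table). It assumes running-config style input with full interface names, and the sample configuration is constructed.

```python
import re

# Constructed sample running-config; names and addresses are illustrative only.
SAMPLE_CONFIG = """\
interface Serial0/0
 ip vrf forwarding VRF2
!
interface Vlan400
 ip vrf forwarding VRF2
!
interface Vlan10
 ip vrf forwarding VRF1
!
ip route vrf VRF1 10.2.0.0 255.255.0.0 Serial0/0
ip route vrf VRF1 192.168.0.0 255.255.255.0 Vlan400 192.168.0.252
ip route vrf VRF1 10.9.0.0 255.255.0.0 Vlan10 172.24.193.10
ip route vrf VRF1 10.8.0.0 255.255.0.0 172.24.193.10
"""

IFACE = re.compile(r"^interface (\S+)")
VRF_FWD = re.compile(r"^\s+(?:ip )?vrf forwarding (\S+)")
# Only routes that name an outgoing interface are considered; next hop is optional.
ROUTE = re.compile(
    r"^ip route vrf (\S+) (\S+) (\S+) ([A-Za-z]\S*)(?: (\d+\.\d+\.\d+\.\d+))?")


def find_inter_vrf_static_routes(config):
    """Return static routes whose outgoing interface is in a different VRF."""
    lines = config.splitlines()
    iface_vrf, current = {}, None
    for line in lines:
        if not line.startswith(" "):          # top-level line starts a new stanza
            m = IFACE.match(line)
            current = m.group(1) if m else None
            if current:
                iface_vrf[current] = "global"  # until a vrf forwarding line is seen
        elif current and (m := VRF_FWD.match(line)):
            iface_vrf[current] = m.group(1)

    findings = []
    for line in lines:
        m = ROUTE.match(line)
        if not m:
            continue
        src_vrf, prefix, mask, iface, next_hop = m.groups()
        dst_vrf = iface_vrf.get(iface)         # None: interface not in this config
        if dst_vrf is not None and dst_vrf != src_vrf:
            findings.append((src_vrf, prefix, mask, iface, dst_vrf, next_hop))
    return findings
```

A finding with no next hop is an interface-only route; one with a next hop names both the interface and an address reachable through it.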

8 comments:

  1. thanks for sharing this with everyone..

    In summary I can say the following -

    Routing between two VRFs on the same router is not allowed officially (though method exists to bypass this) using any static route combination for Ethernet/SVI/other multipoint interface types. MP-BGP must be used to achieve this. MP-BGP can be used without any neighbors, just redistribute connected routes into MP-BGP and set the route-targets correctly.

    To bypass this restriction on P2P links :
    If VPN1 and VPN2 are connected via a point-to-point interface e.g. serial link, static routes can be used to communicate between the VRFs *WITHOUT* using MPBGP. This doesn’t work for multiaccess interfaces like VLAN or Ethernet interface.

    ip route vrf VRF1 destination-other-VRF2-subnet mask other-VRF2-local-interface-P2P

    If added on an interface like Ethernet or SVI – error
    % For VPN routes, must specify a next hop IP address if not a point-to-point interface

    cheers
    Swapnendu
    CCIE#19804 :)

    finally the comments worked!

  2. Ivan Pepelnjak, 21 July, 2009 16:04

    You can also use static routes over multiaccess interfaces, but you have to specify the next-hop address in the other VRF.

    Inter-VRF static route pointing to a multiaccess interface has never been allowed (this limitation goes back to 12.0T).

  3. Quick question. When using MP-BGP why must one import yourself in order to perform route leaking?

    ip vrf test1
    rd 100:1
    route-target import 100:1
    route-target export 100:1
    route-target import 200:1

    ip vrf test2
    rd 200:1
    route-target import 200:1
    route-target export 200:1
    route-target import 100:1

  4. Ivan Pepelnjak, 27 March, 2010 07:08

    I haven't tested this for years, but a while ago you had to import your own routes due to a bug (well, implementation detail :) ) in Cisco IOS.

  5. Thanks Ivan. I have tested that it isn't necessary on recent code. Appreciate your response.

  6. 8-) :( =-X :-P

  7. Hello

    > You can also use static routes over multiaccess interfaces, but you have to specify the next-hop address in the other VRF.

    I tried static inter-vrf routing with vlan and nexthop address on a 6500 VSS with 12.2(33)SXI6 but it does not work! But I heard it worked on older releases (12.2.17SXB???).

    CEF Debug:
    18:13:58 10.1.1.1 18322: *Jun 6 16:09:58.294: CEF-Drop: Packet from 172.24.193.10 (Vl400) to 192.168.0.252, Neighbor resolution req

    Any hints?
    Thanks!

  8. Ivan Pepelnjak, 06 June, 2011 18:18

    Inter-VRF static routes definitely work (I guess we also used them on a 6500). If there's nothing obviously wrong with your setup (make sure the next hop does belong to the IP subnet of the target interface), it's probably best to open a case with TAC.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.