An In-Depth Look at RD and RT, Pt. 4

In this final part, we will use RTs to provide shared services to multiple customer VPNs.

By importing and exporting multiple RTs into a VRF, we can share routes between VRFs to easily provide the same routes to multiple customer VPNS. This exercise will help you understand exactly how import and export RTs work.

In this lab, we will provide internet access to the CUSTOMER_A and CUSTOMER_B VRFs by importing a 0/0 route from our INTERNET VRF into the customer VPNs. The customers will need to source NAT their own traffic from a public /32 IP that we give them, and we’ll need to import their public /32s into the internet VRF.

Lab

We’ll re-use the existing topology from part 3, but now PE4 connects to an internet transit peer. 20.20.20.0/30 is used for BGP peering, and there is a loopback, 8.8.8.8 on the peer which we will use to verify internet connectivity. PE4 advertises 100.1.1.0/24 to the peer, which is the service provider’s own address space which it will hand out to customers.

The CUSTOMER_A and CUSTOMER_B VRFs use the same RD and RTs values of 123:100 and 123:200, respectively, as in the previous lab.

Here’s the PE4 and Internet peer configuration:

#PE4
vrf INTERNET
 address-family ipv4 unicast
  import route-target 123:1000
  export route-target 123:1000
!
int gi0/0/0/1
 vrf INTERNET
 ip address 20.20.20.2/30
!
router bgp 123
 vrf INTERNET
  rd 123:1000
  address-family ipv4 unicast
    network 100.1.1.0/24
  neighbor 20.20.20.1
   remote-as 456
   address-family ipv4 unicast
    route-policy DEFAULT_ROUTE in
    route-policy PEERING_OUTBOUND out
!
route-policy DEFAULT_ROUTE
 if destination in ( 0.0.0.0/0 ) then
  pass
 endif
end-policy
!
prefix-set INTERNET_PREFIXES
 100.1.1.0/24
 end-set
!
route-policy PEERING_OUTBOUND
 if destination in INTERNET_PREFIXES then
  pass
 endif
!
router static vrf INTERNET address-family ipv4 unicast
 100.1.1.0/24 null0
end-policy

#Internet_peer
int Gi1
 ip address 20.20.20.1 255.255.255.252
!
int lo0
 ip address 8.8.8.8 255.255.255.255
!
router bgp 456
 neighbor 20.20.20.2 remote-as 123
 neighbor 20.20.20.2 default-originate

As you can see, we’re running the internet routing table as a VRF. This allows us to easily import/export routes to and from this INTERNET VRF into customer VRFs.

We’ll allocate public IP address for the CEs as follows:

CE Number	Public IP
CE1	100.1.1.1/32
CE2	100.1.1.2/32
CE3	100.1.1.3/32
CE4	100.1.1.4/32

IOS-XR

The public IPs will be added as a loopback (Lo100) on the CEs. On PE2 we’ll add static routes with a next-hop-vrf of the Customer VRF, with the next-hop-address as the MPLS transit IP for that CE.

#CE3
int lo100
 ip address 100.1.1.3 255.255.255.255

#CE4
int lo100
 ip address 100.1.1.4 255.255.255.255

#PE2
vrf INTERNET
 address-family ipv4 unicast
  import route-target 123:1000
  export route-target 123:1000
!
router bgp 123 vrf INTERNET
 rd 123:1000
 address-family ipv4 unicast
  redistribute static
!
router static vrf INTERNET address-family ipv4 unicast
 100.1.1.3/32 vrf CUSTOMER_A 100.64.1.6
 100.1.1.4/32 vrf CUSTOMER_B 100.64.2.6
!

Because PE2 redistributes those statics into the BGP table for the INTERNET VRF, PE4 has learned the routes to 100.1.1.3 and 100.1.1.4. But CE3 and CE4 do not have a default route to the internet yet.

RP/0/0/CPU0:PE4#show route vrf INTERNET | beg Gateway
Sat Jul 23 18:26:00.926 UTC
Gateway of last resort is 20.20.20.1 to network 0.0.0.0

B*   0.0.0.0/0 [20/0] via 20.20.20.1, 14:20:18
C    20.20.20.0/30 is directly connected, 14:23:28, GigabitEthernet0/0/0/1
L    20.20.20.2/32 is directly connected, 14:23:28, GigabitEthernet0/0/0/1
S    100.1.1.0/24 is directly connected, 03:17:56, Null0
B    100.1.1.3/32 [200/0] via 2.2.2.2 (nexthop in vrf default), 03:20:41
B    100.1.1.4/32 [200/0] via 2.2.2.2 (nexthop in vrf default), 00:00:07


CE3#show bgp ipv4 uni | beg Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.0.0.0/24      100.64.1.5                             0 123 65000 i
 *>   10.0.1.0/24      0.0.0.0                  0         32768 i
 *>   10.10.10.0/24    100.64.1.5                             0 123 65000 i
 *>   10.20.0.0/16     100.64.1.5                             0 123 65000 i

CE4#show bgp ipv4 uni | beg Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.0.0.0/24      100.64.2.5                             0 123 65000 i
 *>   10.0.1.0/24      0.0.0.0                  0         32768 i
 *>   10.10.10.0/24    0.0.0.0                  0         32768 i

In order to inject the 0/0 route from the INTERNET VRF, we’ll simply import the route-target that the INTERNET VRF exports, which is 123:1000. We cannot just advertise a default route to the customers under BGP in the Customer VRFs (such as default-originate). This is because we need the default route to actually be from the INTERNET VRF, and to point to PE4 in the INTERNET VRF.

vrf CUSTOMER_A
 address-family ipv4 unicast
  import route-target 123:1000
!
vrf CUSTOMER_B
 address-family ipv4 unicast
  import route-target 123:1000

We’re getting the full INTERNET VRF routing table on the CEs now, which is not what we want. We want just a default route to be injected from the INTERNET VRF into the Customer VRFs.

CE3#show bgp ipv4 uni | beg Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>   0.0.0.0          100.64.1.5                             0 123 456 i
 *>   10.0.0.0/24      100.64.1.5                             0 123 65000 i
 *>   10.0.1.0/24      0.0.0.0                  0         32768 i
 *>   10.10.10.0/24    100.64.1.5                             0 123 65000 i
 *>   10.20.0.0/16     100.64.1.5                             0 123 65000 i
 *>   100.1.1.0/24     100.64.1.5                             0 123 i
 r>   100.1.1.3/32     100.64.1.5                             0 123 ?
 *>   100.1.1.4/32     100.64.1.5                             0 123 ?

We’ll add a route-policy to the import of all routes into the VRF in order to control which routes we are actually importing into the Customer VRFs. This will let us block everything except for the 0/0 coming from the INTERNET VRF.

#PE2
route-policy DEFAULT_ROUTE
 if destination in ( 0.0.0.0/0 ) then
  pass
 endif
end-policy
!
vrf CUSTOMER_A
 address-family ipv4 unicast
  import route-policy DEFAULT_ROUTE
!
vrf CUSTOMER_B
 address-family ipv4 unicast
  import route-policy DEFAULT_ROUTE

Oops, we have just our 0/0 from the INTERNET VRF now, but we lost all of our customer routes on the CEs as well!

CE3#show bgp ipv4 uni | beg Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>   0.0.0.0          100.64.1.5                             0 123 456 i
 *>   10.0.1.0/24      0.0.0.0                  0         32768 i

We’ll need to change our route-policy to pass along any RFC1918 prefixes. Feel free to try alternative methods, such as matching the RT value and filtering traffic based on that.

#PE2
prefix-set RFC1918
 10.0.0.0/8 le 32, 172.16.0.0/12 le 32, 192.168.0.0/16 le 32
end-set
!
route-policy DEFAULT_PLUS_RFC1918
 if destination in RFC1918 then
  pass
 endif
 if destination in ( 0.0.0.0/0 ) then
  pass
 endif
end-policy
!
vrf CUSTOMER_A
 address-family ipv4 unicast
  import route-policy DEFAULT_PLUS_RFC1918
!
vrf CUSTOMER_B
 address-family ipv4 unicast
  import route-policy DEFAULT_PLUS_RFC1918

Perfect, we now have our customer routes plus the 0/0 from the INTERNET VRF.

CE3#show bgp ipv4 uni | beg Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>   0.0.0.0          100.64.1.5                             0 123 456 i
 *>   10.0.0.0/24      100.64.1.5                             0 123 65000 i
 *>   10.0.1.0/24      0.0.0.0                  0         32768 i
 *>   10.10.10.0/24    100.64.1.5                             0 123 65000 i
 *>   10.20.0.0/16     100.64.1.5                             0 123 65000 i

The CEs see the 0/0 route as just another prefix advertised by the PE. The CEs have no idea that this actually came from another VRF.

On PE2, the 0/0 route in the Customer VRFs points to PE4. PE2 will put the VPN label on traffic matching this route before forwarding it to PE4, just as if the 0/0 route was another route in the customer VRF itself. Once you import the prefix into the customer VRF, there is really no difference between routes imported from the same VRF on another PE, or a different VRF. Meaning, on PE2, it doesn’t have the nexthop in the INTERNET VRF, and then that nexthop in the default VRF. Looking at the RIB, you have no idea which routes came from RT 123:100 and which from RT 123:1000. The PE simply matches prefixes with RT vales that match the import statement and puts those into the VRF.

RP/0/0/CPU0:PE2#show route vrf CUSTOMER_A | beg Gateway
Sat Jul 23 18:41:09.071 UTC
Gateway of last resort is 4.4.4.4 to network 0.0.0.0

B*   0.0.0.0/0 [200/0] via 4.4.4.4 (nexthop in vrf default), 00:12:08
B    10.0.0.0/24 [200/0] via 1.1.1.1 (nexthop in vrf default), 00:02:13
B    10.0.1.0/24 [20/0] via 100.64.1.6, 1d12h
B    10.10.10.0/24 [200/0] via 1.1.1.1 (nexthop in vrf default), 00:02:13
B    10.20.0.0/16 [200/0] via 1.1.1.1 (nexthop in vrf default), 00:02:13
C    100.64.1.4/30 is directly connected, 5d18h, GigabitEthernet0/0/0/1
L    100.64.1.5/32 is directly connected, 5d18h, GigabitEthernet0/0/0/1

Success! CE3 and CE4 can ping 8.8.8.8 from Lo100.

CE3#ping 8.8.8.8 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 100.1.1.3 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/11 ms


CE4#ping 8.8.8.8 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 100.1.1.4 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/11 ms

Remember that PE2 is redistributing the static routes into BGP in the INTERNET VRF. This is how PE4 has a route back to Lo100 of CE3 and CE4.

RP/0/0/CPU0:PE4#show bgp vrf INTERNET ipv4 uni | beg Network
Sat Jul 23 18:43:42.573 UTC
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 123:1000 (default for vrf INTERNET)
*> 0.0.0.0/0          20.20.20.1                             0 456 i
*> 100.1.1.0/24       0.0.0.0                  0         32768 i
*>i100.1.1.3/32       2.2.2.2                  0    100      0 ?
*>i100.1.1.4/32       2.2.2.2                  0    100      0 ?

IOS-XE

On IOS-XE there is not a one-line command to set a static route in a VRF to use a next-hop in another VRF. Instead, the CE1 and CE2 will advertise their Lo100 to the PE, and PE4 will import these routes into the INTERNET VRF.

We’ll use an import map which is the IOS-XE version of the import route-policy we used on PE2. This will filter routes from the INTERNET VRF so that we only get a 0/0 from the INTERNET VRF plus the RFC1918 prefixes from the customer VRFs.

#PE1
vrf definition INTERNET
 rd 123:1000
 address-family ipv4 unicast
  route-target import 123:1000
  route-target export 123:1000
!
vrf definition CUSTOMER_A
 route-target import 123:1000
 address-family ipv4 unicast
  import map DEFAULT_PLUS_RFC1918
  
!
vrf definition CUSTOMER_B
 route-target import 123:1000
 address-family ipv4 unicast
  import map DEFAULT_PLUS_RFC1918
!
ip prefix-list RFC1918 permit 10.0.0.0/8 le 32
ip prefix-list RFC1918 permit 172.16.0.0/12 le 32
ip prefix-list RFC1918 permit 192.168.0.0/16 le 32
!
ip prefix-list DEFAULT permit 0.0.0.0/0
!
route-map DEFAULT_PLUS_RFC1918 permit 10
 match ip address prefix-list RFC1918 DEFAULT

#CE1
int lo100
 ip address 100.1.1.1 255.255.255.255
!
router bgp 65000
 network 100.1.1.1 mask 255.255.255.255

#CE2
int lo100
 ip address 100.1.1.2 255.255.255.255
!
router bgp 65000
 network 100.1.1.2 mask 255.255.255.255

PE4 does not have the two Customer VRFs defined, so it is automatically filtering out the vpnv4 routes from the CUSTOMER_A and CUSTOMER_B VRF.

RP/0/0/CPU0:PE4#show bgp vpnv4 uni | beg Network
Sat Jul 23 19:16:27.579 UTC
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 123:1000 (default for vrf INTERNET)
*> 0.0.0.0/0          20.20.20.1                             0 456 i
*> 100.1.1.0/24       0.0.0.0                  0         32768 i
*>i100.1.1.3/32       2.2.2.2                  0    100      0 ?
*>i100.1.1.4/32       2.2.2.2                  0    100      0 ?

However, when we import the RTs that these Customer VRFs are exporting into the INTERNET VRF, PE4 will stop filtering those prefixes automatically.

#PE4
vrf INTERNET
 address-family ipv4 unicast
  import route-target 123:100
  import route-target 123:200
  import route-policy INTERNET_PREFIXES_ONLY
!
route-policy INTERNET_PREFIXES_ONLY
 if destination in ( 100.1.1.0/24 le 32 ) then pass endif
end-policy

We now have the public IPs of CE1 and CE2 in the RIB

RP/0/0/CPU0:PE4(config)#do sho route vrf INTERNET | beg Gateway
Sat Jul 23 19:20:31.902 UTC
Gateway of last resort is 20.20.20.1 to network 0.0.0.0

B*   0.0.0.0/0 [20/0] via 20.20.20.1, 15:14:49
C    20.20.20.0/30 is directly connected, 15:17:59, GigabitEthernet0/0/0/1
L    20.20.20.2/32 is directly connected, 15:17:59, GigabitEthernet0/0/0/1
S    100.1.1.0/24 is directly connected, 04:12:27, Null0
B    100.1.1.1/32 [200/0] via 1.1.1.1 (nexthop in vrf default), 00:00:29
B    100.1.1.2/32 [200/0] via 1.1.1.1 (nexthop in vrf default), 00:00:29
B    100.1.1.3/32 [200/0] via 2.2.2.2 (nexthop in vrf default), 00:00:29
B    100.1.1.4/32 [200/0] via 2.2.2.2 (nexthop in vrf default), 00:00:29

Success! Both CE1 and CE2 can ping 8.8.8.8

CE1#ping 8.8.8.8 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 100.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/12/34 ms

CE2#ping 8.8.8.8 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 100.1.1.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms

The CEs can also ping each other.

CE2#ping 100.1.1.1 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 100.1.1.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/11/13 ms

CE2#ping 100.1.1.3 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 100.1.1.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/14/15 ms

Conclusion

The purpose of this article was to give you a real-world example of importing and exporting multiple RT values in order to offer shared services to customer VPNs. In order to accomplish this we had to rely on quite a few extra features, such as the import map and static routes using a different next-hop VRF. Along the way we defined prefix-sets and route-policies which, while taking away some attention from the overall goal of this article, is still great practice in terms of learning the exam topics.

I hope that you feel extremely confident with RDs and RTs now.

To sum it up, RDs distinguish routes to make them unique in the global vpnv4 (or vpnv6) table. You can use the same RD for the same VRF among multiple PEs, or you can use a unique RD per PE for the same VRF. As we saw in part 3, this technique can be used to facilitate multipathing.

RTs are used to import prefixes into a VRF. A VRF can have multiple import RTs and/or multiple export RTs. Normally you will see a single import RT and export RT on a VRF, and this will often be the same value as the RD. But now you’ve seen how you can import/export multiple RT values in order to provide shared services to multiple customer VPNs, as we did in this article (part 4).