Leaking Global Routes to VRF and vice versa

So today I was doing some crypto map configuration and noticed that the IKEv2 session would not come up if the proxy ACL address was in the global table while the physical interface towards the peer was in a VRF. I will provide further documentation related to my testing in upcoming posts.

For now, I just want to describe what’s needed in order to get the leaking to work.

interface Loopback0
 description Simulated Internal Networks
 ip address 10.103.0.1 255.255.0.0
end

interface GigabitEthernet1
 vrf forwarding INTERNET
 ip address 203.0.113.130 255.255.255.192
 negotiation auto
 crypto map CM2
end

First, we create a prefix-list for each set of networks we wish to leak. Anything these lists match becomes reachable from the other table, so keep them as tight as the design allows; here the VRF side is the whole default route only because that VRF faces the internet.

! Define prefix-list for VRF routes (in this case, everything since it's facing the internet)
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0

! Define prefix-list for global routes.
ip prefix-list LOOPBACK0 seq 5 permit 10.103.0.0/16

Next, we need route-maps that match these prefix-lists, so we can reference them later in the VRF's import and export maps.

! Create route-map to match on VRF routes
route-map VRF_TO_GLOBAL permit 10
 match ip address prefix-list DEFAULT
 
! Create route-map to match on global routes  
route-map IMPORT_TO_VRF permit 10
 match ip address prefix-list LOOPBACK0

VRF import and export maps only act on routes that are in the BGP table, so we need a BGP process even though it has no neighbor: the network statements below put the connected 10.103.0.0/16 (global) and the static default (VRF) into BGP. A network statement only takes effect when the exact prefix already exists in that table's RIB, so the default route must already be present in the INTERNET VRF before BGP will pick it up.

router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 10.103.0.0 mask 255.255.0.0
 exit-address-family
 !
 address-family ipv4 vrf INTERNET
  network 0.0.0.0
 exit-address-family

Finally, we add the import and export maps to the VRF we wish to leak to/from. The import map pulls the matching global routes into the VRF, the export map pushes the matching VRF routes into the global table. Keep in mind that importing 10.103.0.0/16 into the internet-facing VRF makes that network a forwarding destination for traffic arriving on GigabitEthernet1, so an inbound ACL on that interface (allowing only the IKE and ESP traffic from the peer) is still needed.

! Add the import and export maps under the VRF
vrf definition INTERNET
 rd 100:100
 route-target export 100:100
 route-target import 100:100
 !
 address-family ipv4
  import ipv4 unicast map IMPORT_TO_VRF
  export ipv4 unicast map VRF_TO_GLOBAL
 exit-address-family
 !
 address-family ipv6
 exit-address-family

Now we can verify that everything works. The leaked prefixes should show up as BGP routes in the receiving table: the VRF's default route in the global table, and Loopback0's network in the INTERNET VRF. If one is missing, check the BGP side first with show ip bgp and show ip bgp vpnv4 vrf INTERNET, since a prefix that never made it into BGP cannot be imported or exported regardless of the route-map.

BR3-CSR#sh run int lo0

interface Loopback0
 ip address 10.103.0.1 255.255.0.0
end

BR3-CSR#sh run int gig1

interface GigabitEthernet1
 vrf forwarding INTERNET
 ip address 203.0.113.130 255.255.255.192
 negotiation auto
 crypto map CM2
end

BR3-CSR#sh ip route     
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 203.0.113.129 to network 0.0.0.0

B*    0.0.0.0/0 [20/0] via 203.0.113.129, 00:05:35
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.103.0.0/16 is directly connected, Loopback0
L        10.103.0.1/32 is directly connected, Loopback0
BR3-CSR#sh ip ro vrf INTERNET

Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 203.0.113.129 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.129
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B        10.103.0.0/16 is directly connected, 00:09:21, Loopback0
L        10.103.0.1/32 is directly connected, Loopback0
      203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C        203.0.113.128/26 is directly connected, GigabitEthernet1
L        203.0.113.130/32 is directly connected, GigabitEthernet1 
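As an added check for the verification above (my own example, not the post's tooling): a small Python script that parses show ip route output and confirms that exactly the intended prefixes were leaked in each direction, flagging any extra BGP route that would point at an over-broad prefix-list. The sample tables embedded in it are the two routing tables shown above; pulling live output from the router (for example with netmiko) is assumed and not shown.

```python
# Added example (not the post's tooling): parse `show ip route` output and
# check that exactly the intended prefixes were leaked in each direction.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Route:
    prefix: str
    codes: str                       # leading code column, e.g. "B*", "C", "O IA"
    ad: Optional[int] = None         # from "[AD/metric]"
    metric: Optional[int] = None
    next_hop: Optional[str] = None   # address after "via"
    interface: Optional[str] = None  # trailing ", <interface>"


# A route line has the code column in column 0, then the prefix, then the rest.
_ROUTE_RE = re.compile(
    r"^(?P<codes>[A-Za-z][A-Za-z0-9*+% ]*?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$"
)
_AD_RE = re.compile(r"\[(\d+)/(\d+)\]")
_VIA_RE = re.compile(r"\bvia (\d{1,3}(?:\.\d{1,3}){3})")
_INTF_RE = re.compile(r",\s*([A-Za-z][\w./-]*)\s*$")


def parse_show_ip_route(text: str) -> Dict[str, Route]:
    """Return {prefix: Route}. The legend, "Gateway of last resort", the indented
    "is variably subnetted" summaries and ECMP continuation lines have no code
    column and are skipped; the first entry wins for a repeated prefix."""
    routes: Dict[str, Route] = {}
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        ad, via, intf = _AD_RE.search(rest), _VIA_RE.search(rest), _INTF_RE.search(rest)
        route = Route(m.group("prefix"), m.group("codes").strip(),
                      int(ad.group(1)) if ad else None, int(ad.group(2)) if ad else None,
                      via.group(1) if via else None, intf.group(1) if intf else None)
        routes.setdefault(route.prefix, route)
    return routes


def verify_leak(global_text: str, vrf_text: str, expect_in_global: Set[str],
                expect_in_vrf: Set[str], flag_other_bgp: bool = True) -> List[str]:
    """Return the list of problems found (empty means the leak looks right).
    A leaked prefix appears in the receiving table as a BGP route ("B" code), so
    each expected prefix must be present and BGP-learned. With flag_other_bgp,
    any other BGP route is reported as an unexpected leak, which is what an
    over-broad prefix-list looks like; turn it off on a router that also has
    real BGP neighbors."""
    problems: List[str] = []
    for name, table, expected in (("global", parse_show_ip_route(global_text), expect_in_global),
                                  ("vrf", parse_show_ip_route(vrf_text), expect_in_vrf)):
        for prefix in sorted(expected):
            route = table.get(prefix)
            if route is None:
                problems.append(f"{name}: {prefix} missing")
            elif not route.codes.startswith("B"):
                problems.append(f"{name}: {prefix} present but not via BGP ({route.codes})")
        if flag_other_bgp:
            for prefix, route in table.items():
                if route.codes.startswith("B") and prefix not in expected:
                    problems.append(f"{name}: unexpected BGP route {prefix}")
    return problems


# Sample input: the two routing tables shown in this post, legend trimmed.
GLOBAL_TABLE = """\
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 203.0.113.129 to network 0.0.0.0

B*    0.0.0.0/0 [20/0] via 203.0.113.129, 00:05:35
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.103.0.0/16 is directly connected, Loopback0
L        10.103.0.1/32 is directly connected, Loopback0
"""
VRF_TABLE = """\
Routing Table: INTERNET
Gateway of last resort is 203.0.113.129 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.129
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B        10.103.0.0/16 is directly connected, 00:09:21, Loopback0
L        10.103.0.1/32 is directly connected, Loopback0
      203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C        203.0.113.128/26 is directly connected, GigabitEthernet1
L        203.0.113.130/32 is directly connected, GigabitEthernet1
"""

if __name__ == "__main__":
    issues = verify_leak(GLOBAL_TABLE, VRF_TABLE, {"0.0.0.0/0"}, {"10.103.0.0/16"})
    print("leak OK" if not issues else "\n".join(issues))
```

Run it as-is against the post's tables and it prints "leak OK"; drop 10.103.0.0/16 from the expected VRF set and it reports that prefix as an unexpected BGP route, which is the kind of surprise a too-broad prefix-list would produce on a real box.
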
As expected, our crypto map now works without issues.

BR3-CSR#sh cry ikev2 sa detail
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
2         203.0.113.130/500     198.51.100.2/500      INTERNET/INTERNET    READY  
      Encr: AES-CBC, keysize: 192, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/811 sec
      CE id: 1009, Session-id: 4
      Status Description: Negotiation done
      Local spi: 3296DBAB3A580B65       Remote spi: B8A4CE2723A46438
      Local id: 203.0.113.130
      Remote id: 198.51.100.2
      Local req msg id:  0              Remote req msg id:  2         
      Local next msg id: 0              Remote next msg id: 2         
      Local req queued:  0              Remote req queued:  2         
      Local window:      5              Remote window:      5         
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA 

Hope this helps someone other than myself. I will update the post soon to make it pretty.

This entry was posted in Crypto, CSR1000V, Security.