Route map configuration

Started by ScottF, June 28, 2016, 10:02:23 AM


ScottF

Hi,

Hoping someone can shed some light on a problem we are facing.

We are building a new network that consists of a number of VRFs. There are some imports/exports between the VRFs.

Each of these VRFs has a BGP peering with our firewall, and the firewall is propagating a default down to the VRFs. (Note: the firewall has no concept of these VRFs, just a peering with different linknets.)

The problem we are facing is that, due to the import/export, the default from other VRFs is being sent around the VRFs, and some are preferring a default from another VRF over the one they are being sent from the firewall.

We have been looking into route maps / prefix lists to deny default and permit other routes, but when we implement these it seems to just stop all routes being imported. Has anyone had to do something similar to this?

Thanks in advance. 

dlots

What kind of firewall?

IMO your best option would be a transparent FW.

You could also do multiple contexts if it's a small enough number of VRFs

The closest I have come to dealing with this issue was an ASA that you VPNed into multiple contexts; we tied the VPN to the sub-interface that was attached to the VRF in question. We then had static routes tied to the interface. (The syntax here will suck as I have no way to check it currently.)

! static route per VRF: "ip route vrf <name> <prefix> <mask> <next-hop>"
! (the "vrf" keyword is required in IOS; VRF names and addresses as posted)
ip route vrf vrf-3000 10.128.0.0 255.255.0.0 192.168.0.1
ip route vrf vrf-3001 10.128.0.0 255.255.0.0 192.168.0.2

routerdork

"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

ScottF

It's a Juniper SRX3600.

Config below for two of the VRFs:

vrf definition hpc
 rd 65000:50
 route-target export 65000:50
 route-target import 65000:50
 route-target import 65000:70
 ! address-family stanzas shown for completeness: with "vrf definition"
 ! each address family must be enabled before an interface can use the VRF
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
!
vrf definition services
 rd 65000:70
 route-target export 65000:70
 route-target import 65000:70
 route-target import 65000:50
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
!
interface Vlan405
 description HPC-VRF-Link
 vrf forwarding hpc
 ip address 10.254.253.26 255.255.255.252
 ipv6 address 2001:630:A5:FFFE::1B/126
!
interface Vlan407
 description Services-VRF-Link
 vrf forwarding services
 ip address 10.254.253.34 255.255.255.252
 ipv6 address 2001:630:A5:FFFE::22/126
!
router bgp 65000
 ! local ASN assumed from the RD/RT values; the original post omits this line
 address-family ipv4 vrf hpc
  redistribute connected
  redistribute static
  neighbor 10.254.253.25 remote-as 64561
  neighbor 10.254.253.25 activate
 exit-address-family
 !
 address-family ipv4 vrf services
  redistribute connected
  redistribute static
  neighbor 10.254.253.33 remote-as 64561
  neighbor 10.254.253.33 activate
 exit-address-family

So from what I understand, the two VRF definitions are allowing the import/export of routes into each other. We then have two interface VLANs that are used for the BGP peering between the firewall and the switch, and the bottom two sections are the BGP neighbours.

The problem we have is that, through the peerings, the firewall sends a default to each VRF, and then these VRFs import/export routes with each other, which means you get a default route via VRF 'hpc' in the VRF 'services' table and vice versa.

I have seen that link and I believe that was tested and it works; however, what we are trying to do is deny default, and when we use a prefix list to deny 0.0.0.0 from being imported, it seems to stop importing any routes from the VRF.

Thanks
Scott

wintermute000

Post your filtering config. Did you misconfigure your prefix list? (e.g. 0.0.0.0/0 le 32 vs 0.0.0.0/0)

ScottF

Hi,

I managed to get this working with a standard ACL. I had been thinking I would have to use a prefix list, and when trying it I probably messed up the logic, but this works, so it's all good.

Thanks


ip vrf vrf2
 rd 20:20
 ! the import map is applied to routes arriving via route-target import
 ! (10:10 here), so the other VRF's default is dropped before it enters vrf2
 import map DD
 route-target export 20:20
 route-target import 20:20
 route-target import 10:10
!
! standard ACL 99: "deny 0.0.0.0" with the implicit 0.0.0.0 wildcard matches
! only the network address 0.0.0.0, i.e. the default route; all else permitted
access-list 99 deny   0.0.0.0
access-list 99 permit any
!
! routes that fail the match fall off the end of the route map and are denied
route-map DD permit 10
 match ip address 99
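The import-map behaviour this thread ends on, as an added example that is not part of the original thread: a small Python model of the IOS prefix-list and standard-ACL match semantics, applied to a constructed set of routes exported by a neighbouring VRF. It shows why a prefix list written as `deny 0.0.0.0/0 le 32` (the mistake wintermute000 points at) blocks every route, while `deny 0.0.0.0/0` followed by `permit 0.0.0.0/0 le 32`, or access-list 99 from the post above, drops only the default. The route table, the list contents and the import-map simulation are assumptions for the example, not the poster's configuration.

```python
import ipaddress

# Constructed sample: prefixes the neighbouring VRF exports, including the
# default it learnt from its own firewall peering.  Not taken from the thread.
EXPORTED_ROUTES = [
    "0.0.0.0/0",          # firewall default, re-exported by the other VRF
    "10.128.0.0/16",
    "10.254.253.24/30",   # linknet of the other VRF
    "192.0.2.0/24",
]


def prefix_list_entry_matches(route, entry_prefix, ge=None, le=None):
    """IOS prefix-list line semantics for one route.

    The route must lie inside entry_prefix and its length must equal the
    entry's length, unless ge/le widen the range: ge alone implies le 32,
    le alone keeps ge at the entry length.  Hence "0.0.0.0/0 le 32" matches
    every IPv4 route, while a bare "0.0.0.0/0" matches only the default.
    """
    route = ipaddress.ip_network(route)
    entry = ipaddress.ip_network(entry_prefix)
    low = ge if ge is not None else entry.prefixlen
    high = le if le is not None else (32 if ge is not None else entry.prefixlen)
    return route.subnet_of(entry) and low <= route.prefixlen <= high


def prefix_list_permits(plist, route):
    """Evaluate an ordered prefix list of (action, prefix, ge, le); implicit deny."""
    for action, prefix, ge, le in plist:
        if prefix_list_entry_matches(route, prefix, ge, le):
            return action == "permit"
    return False


def acl_permits(acl, route):
    """Standard ACL of (action, address, wildcard) matched against the route's
    network address, as "match ip address <acl>" does in a route map."""
    net = int(ipaddress.ip_network(route).network_address)
    for action, address, wildcard in acl:
        addr = int(ipaddress.ip_address(address))
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # bits that must match
        if net & care == addr & care:
            return action == "permit"
    return False


def apply_import_map(clauses, routes):
    """First matching route-map clause decides; unmatched routes are denied."""
    imported = []
    for route in routes:
        for action, match in clauses:
            if match(route):
                if action == "permit":
                    imported.append(route)
                break
    return imported


# Likely mistake: "le 32" on the deny line makes it match every route.
BROKEN_PLIST = [("deny", "0.0.0.0/0", None, 32), ("permit", "0.0.0.0/0", None, 32)]
# Correct form: exact-match deny of the default, then permit everything else.
FIXED_PLIST = [("deny", "0.0.0.0/0", None, None), ("permit", "0.0.0.0/0", None, 32)]
# access-list 99 from the post: "deny 0.0.0.0" (implicit 0.0.0.0 wildcard), "permit any".
ACL_99 = [("deny", "0.0.0.0", "0.0.0.0"), ("permit", "0.0.0.0", "255.255.255.255")]


def import_with_prefix_list(plist):
    """Simulate "import map" with a single permit clause matching the prefix list."""
    return apply_import_map([("permit", lambda r: prefix_list_permits(plist, r))],
                            EXPORTED_ROUTES)


def import_with_acl(acl):
    """Simulate "import map DD" with "match ip address <acl>"."""
    return apply_import_map([("permit", lambda r: acl_permits(acl, r))],
                            EXPORTED_ROUTES)


if __name__ == "__main__":
    print("broken prefix list:", import_with_prefix_list(BROKEN_PLIST))  # []
    print("fixed prefix list: ", import_with_prefix_list(FIXED_PLIST))
    print("access-list 99:    ", import_with_acl(ACL_99))
```

The equivalent IOS lines for the working prefix-list variant would be `ip prefix-list NO-DEFAULT seq 5 deny 0.0.0.0/0` followed by `ip prefix-list NO-DEFAULT seq 10 permit 0.0.0.0/0 le 32`, referenced with `match ip address prefix-list NO-DEFAULT` in the import map (the list name is an assumption). Either filter only touches routes arriving through route-target import; the default each VRF learns from its own firewall peering is not subject to the import map, which is the intended outcome.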