Leak routes between a VRF and the global routing table...
Typically, a VRF is used to isolate traffic and keep it out of the global routing table or other VRF routing tables. In this scenario, we are going to assume:
1) We have a "Guest" VRF used to isolate guest traffic from the private side of the network.
2) This "Guest" VRF / Network has it's own internet connection, separate from the private network.
3) The Guest network needs to be completely isolated, but does require access to a couple of internal resources (say it needs to get to a DHCP server and AD for authentication).
Here are the details:
On router R3 we need to define the GUEST VRF, assign fa 0/0 and f2/0 to that VRF, and then re-apply the IP addresses to those interfaces. Also be sure to remove the advertisements in OSPF for interfaces fa0/0 and fa 2/0 if they are already in there.
R3(config)#ip vrf GUEST
R3(config-vrf)# rd 12345:678
!
R3(config-vrf)#interface FastEthernet0/0
R3(config-if)# ip vrf forwarding GUEST
R3(config-if)# ip address 192.168.23.3 255.255.255.0
!
R3(config-vrf)#interface FastEthernet2/0
R3(config-if)# ip vrf forwarding GUEST
R3(config-if)# ip address 192.168.36.3 255.255.255.0
Next on R3 we are going to create an ospf routing process under the VRF "GUEST", establish an adjacency with R2, and advertise a default route:
R3(config)#router ospf 2 vrf GUEST
R3(config-router)# network 192.168.23.0 0.0.0.255 area 0
R3(config-router)# default-information originate
R3(config)# ip route vrf GUEST 0.0.0.0 0.0.0.0 192.168.36.6 <-- (this is because there is no OSPF between R3 and ISP 2 router)
!
R3#sh ip ospf 2 neighbor
Neighbor ID Pri State Dead Time Address Interface
22.22.22.22 1 FULL/DR 00:00:31 192.168.23.2 FastEthernet0/0
Now comes the "leaking" part... On R3 you need a way to tell the global routing table to allow routes from the VRF "GUEST" into the global routing table... To do this you need to add the command "ip vrf receive GUEST" to inter fa 1/0, but it also requires some PBR to be configured first.
R3(config-if)#ip vrf receive GUEST
% Need to enable Policy Based Routing on the interface first
So, with the above error message being displayed we create a simple route map, and add PBR to the interface first, then add the "ip vrf receive GUEST command"
(Note: I found in my lab that the route map may not need to actually be configured, you just need the PBR statement on the interface, but we're going to configure it correctly anyway)
R3(config)#route-map LEAK permit 10
R3(config-route-map)#set global
!
R3(config)#inter fas 1/0
R3(config-if)#ip policy route-map LEAK
R3(config-if)#ip vrf receive GUEST
Now we just need to add a few statics between the 2 VRF's and interfaces.
These 2 routes create a path from the global (default) VRF to R2's Lo 2 - 2.2.2.2, and R2's Fa 0/0 - 192.168.23.2
R3(config)#ip route 2.2.2.0 255.255.255.0 FastEthernet0/0
R3(config)#ip route 192.168.23.0 255.255.255.0 FastEthernet0/0
These 2 routes create a path from the GUEST VRF to the DHCP server and the AD server on the private network (7.7.7.7 and 77.77.77.77)
R3(config)#ip route vrf GUEST 7.7.7.0 255.255.255.0 10.10.34.4
R3(config)#ip route vrf GUEST 77.77.77.0 255.255.255.0 10.10.34.4
Now look at the routing tables for both the VRF's...
The global (default) VRF shows static routes to the 2.2.2.2 network and the next-hop network 192.168.23.0. You'll also notice that the default-route still points to R5 (as it should), and there is no route to 22.22.22.22 because we never added it, but could if we wanted to.
R3#sh ip route
Gateway of last resort is 10.10.34.4 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.10.34.4, 01:42:34, FastEthernet1/0
2.0.0.0/24 is subnetted, 1 subnets
S 2.2.2.0 is directly connected, FastEthernet0/0
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 3.3.3.0/24 is directly connected, Loopback3
L 3.3.3.3/32 is directly connected, Loopback3
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/2] via 10.10.34.4, 01:42:34, FastEthernet1/0
7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/3] via 10.10.34.4, 01:42:34, FastEthernet1/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.34.0/24 is directly connected, FastEthernet1/0
L 10.10.34.3/32 is directly connected, FastEthernet1/0
O 10.10.45.0/24 [110/2] via 10.10.34.4, 01:42:34, FastEthernet1/0
O 10.10.47.0/24 [110/2] via 10.10.34.4, 01:42:34, FastEthernet1/0
33.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 33.33.33.0/24 is directly connected, Loopback33
L 33.33.33.33/32 is directly connected, Loopback33
44.0.0.0/32 is subnetted, 1 subnets
O 44.44.44.44 [110/2] via 10.10.34.4, 01:42:34, FastEthernet1/0
77.0.0.0/32 is subnetted, 1 subnets
O 77.77.77.77 [110/3] via 10.10.34.4, 01:42:34, FastEthernet1/0
S 192.168.23.0/24 is directly connected, FastEthernet0/0
R3#
The GUEST VRF shows routes to 7.7.7.7 and 77.77.77.77. It also still has it's default route to the Inter net via R6, and does not have any routes to anything in the 10.10.x.x network except for 10.10.34.3 which was necessary in order to get the route leaking.
R3#sh ip route vrf GUEST
Routing Table: GUEST
Gateway of last resort is 192.168.36.6 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.36.6
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 192.168.23.2, 01:41:03, FastEthernet0/0
7.0.0.0/24 is subnetted, 1 subnets
S 7.7.7.0 [1/0] via 10.10.34.4
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.34.0/24 is directly connected, FastEthernet1/0
L 10.10.34.3/32 is directly connected, FastEthernet1/0
22.0.0.0/32 is subnetted, 1 subnets
O 22.22.22.22 [110/2] via 192.168.23.2, 01:40:53, FastEthernet0/0
77.0.0.0/24 is subnetted, 1 subnets
S 77.77.77.0 [1/0] via 10.10.34.4
192.168.23.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.23.0/24 is directly connected, FastEthernet0/0
L 192.168.23.3/32 is directly connected, FastEthernet0/0
192.168.36.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.36.0/24 is directly connected, FastEthernet2/0
L 192.168.36.3/32 is directly connected, FastEthernet2/0
R3#
Now check connectivity by pinging from R2 to R7
R2#ping 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/95/148 ms
R2#ping 77.77.77.77
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 77.77.77.77, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/105/140 ms
R2#
And connectivity from R7 to R2
Remember 22.22.22.22 was never added to the route leaking
R7#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/104/148 ms
R7#ping 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
Last, but not least, add an ACL on R3 to permit only the traffic from 2.2.2.2 to 7.7.7.7 and 77.77.77.77 and deny everything else.
R3(config)#access-list 101 permit ip host 2.2.2.2 host 7.7.7.7
R3(config)#access-list 101 permit ip host 2.2.2.2 host 77.77.77.77
R3(config)#inter fas 1/0
R3(config-if)#ip access-group 101 out
!
R3(config)#access-list 102 permit ip host 7.7.7.7 host 2.2.2.2
R3(config)#access-list 102 permit ip host 77.77.77.77 host 2.2.2.2
R3(config)#access-list 102 deny ip any host 2.2.2.2
R3(config)#access-list 102 deny ip any 192.168.0.0 0.0.255.255
R3(config)#access-list 102 permit ip any any
R3(config)#inter fas 1/0
R3(config-if)#ip access-group 102 in
Check from R2
R2#ping 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
R2#ping 10.10.47.7 sou lo 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.47.7, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)
R2#ping 7.7.7.7 source lo 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/86/100 ms
R2#ping 7.7.7.8 source lo 2 <-- Secondary IP on R7 Lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.8, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
UUUUU
Success rate is 0 percent (0/5)
R2#ping 7.7.7.9 source lo 2 <-- Another Secondary IP on R7 Lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.9, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
UUUUU
Success rate is 0 percent (0/5)
R2#
Check from R7
R7#ping 2.2.2.2 <-- sourced from it's Fa interface
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
R7#ping 2.2.2.2 sou lo 7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/81/100 ms
R7#ping 2.2.2.2 sou lo 77
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 77.77.77.77
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/89/124 ms
R7#
- R2 is in the "Guest" VRF and will access the Internet via R3 & R6.
- R2 needs connectivity to (and from) the DHCP server at 7.7.7.7 and to the AD server at 77.77.77.77, but no other access to the private network is permitted.
- Only R3 is going to be VRF "aware" in this scenario, with fa 0/0 and fa 2/0 in VRF GUEST, and fa 1/0 left in the regular global (default) VRF.
- IP addressing is as shown.
- OSPF will be our routing protocol and all interfaces will be advertised, except for those connecting to ISP 1 and ISP 2.
- OSPF command "default-information originate" will be used on R3 and R4 to propagate the statically assigned default route from those routers.
- ISP 1 (R5) and ISP 2 (R6) are not participating on OSPF and only have static routes pointing pointing back into the network.
On router R3 we need to define the GUEST VRF, assign fa 0/0 and f2/0 to that VRF, and then re-apply the IP addresses to those interfaces. Also be sure to remove the advertisements in OSPF for interfaces fa0/0 and fa 2/0 if they are already in there.
R3(config)#ip vrf GUEST
R3(config-vrf)# rd 12345:678
!
R3(config-vrf)#interface FastEthernet0/0
R3(config-if)# ip vrf forwarding GUEST
R3(config-if)# ip address 192.168.23.3 255.255.255.0
!
R3(config-vrf)#interface FastEthernet2/0
R3(config-if)# ip vrf forwarding GUEST
R3(config-if)# ip address 192.168.36.3 255.255.255.0
Next on R3 we are going to create an ospf routing process under the VRF "GUEST", establish an adjacency with R2, and advertise a default route:
R3(config)#router ospf 2 vrf GUEST
R3(config-router)# network 192.168.23.0 0.0.0.255 area 0
R3(config-router)# default-information originate
R3(config)# ip route vrf GUEST 0.0.0.0 0.0.0.0 192.168.36.6 <-- (this is because there is no OSPF between R3 and ISP 2 router)
!
R3#sh ip ospf 2 neighbor
Neighbor ID Pri State Dead Time Address Interface
22.22.22.22 1 FULL/DR 00:00:31 192.168.23.2 FastEthernet0/0
Now comes the "leaking" part... On R3 you need a way to tell the global routing table to allow routes from the VRF "GUEST" into the global routing table... To do this you need to add the command "ip vrf receive GUEST" to inter fa 1/0, but it also requires some PBR to be configured first.
R3(config-if)#ip vrf receive GUEST
% Need to enable Policy Based Routing on the interface first
So, with the above error message being displayed we create a simple route map, and add PBR to the interface first, then add the "ip vrf receive GUEST command"
(Note: I found in my lab that the route map may not need to actually be configured, you just need the PBR statement on the interface, but we're going to configure it correctly anyway)
R3(config)#route-map LEAK permit 10
R3(config-route-map)#set global
!
R3(config)#inter fas 1/0
R3(config-if)#ip policy route-map LEAK
R3(config-if)#ip vrf receive GUEST
Now we just need to add a few statics between the 2 VRF's and interfaces.
These 2 routes create a path from the global (default) VRF to R2's Lo 2 - 2.2.2.2, and R2's Fa 0/0 - 192.168.23.2
R3(config)#ip route 2.2.2.0 255.255.255.0 FastEthernet0/0
R3(config)#ip route 192.168.23.0 255.255.255.0 FastEthernet0/0
These 2 routes create a path from the GUEST VRF to the DHCP server and the AD server on the private network (7.7.7.7 and 77.77.77.77)
R3(config)#ip route vrf GUEST 7.7.7.0 255.255.255.0 10.10.34.4
R3(config)#ip route vrf GUEST 77.77.77.0 255.255.255.0 10.10.34.4
Now look at the routing tables for both the VRF's...
The global (default) VRF shows static routes to the 2.2.2.2 network and the next-hop network 192.168.23.0. You'll also notice that the default-route still points to R5 (as it should), and there is no route to 22.22.22.22 because we never added it, but could if we wanted to.
R3#sh ip route
Gateway of last resort is 10.10.34.4 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.10.34.4, 01:42:34, FastEthernet1/0
2.0.0.0/24 is subnetted, 1 subnets
S 2.2.2.0 is directly connected, FastEthernet0/0
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 3.3.3.0/24 is directly connected, Loopback3
L 3.3.3.3/32 is directly connected, Loopback3
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/2] via 10.10.34.4, 01:42:34, FastEthernet1/0
7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/3] via 10.10.34.4, 01:42:34, FastEthernet1/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.34.0/24 is directly connected, FastEthernet1/0
L 10.10.34.3/32 is directly connected, FastEthernet1/0
O 10.10.45.0/24 [110/2] via 10.10.34.4, 01:42:34, FastEthernet1/0
O 10.10.47.0/24 [110/2] via 10.10.34.4, 01:42:34, FastEthernet1/0
33.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 33.33.33.0/24 is directly connected, Loopback33
L 33.33.33.33/32 is directly connected, Loopback33
44.0.0.0/32 is subnetted, 1 subnets
O 44.44.44.44 [110/2] via 10.10.34.4, 01:42:34, FastEthernet1/0
77.0.0.0/32 is subnetted, 1 subnets
O 77.77.77.77 [110/3] via 10.10.34.4, 01:42:34, FastEthernet1/0
S 192.168.23.0/24 is directly connected, FastEthernet0/0
R3#
The GUEST VRF shows routes to 7.7.7.7 and 77.77.77.77. It also still has it's default route to the Inter net via R6, and does not have any routes to anything in the 10.10.x.x network except for 10.10.34.3 which was necessary in order to get the route leaking.
R3#sh ip route vrf GUEST
Routing Table: GUEST
Gateway of last resort is 192.168.36.6 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.36.6
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 192.168.23.2, 01:41:03, FastEthernet0/0
7.0.0.0/24 is subnetted, 1 subnets
S 7.7.7.0 [1/0] via 10.10.34.4
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.34.0/24 is directly connected, FastEthernet1/0
L 10.10.34.3/32 is directly connected, FastEthernet1/0
22.0.0.0/32 is subnetted, 1 subnets
O 22.22.22.22 [110/2] via 192.168.23.2, 01:40:53, FastEthernet0/0
77.0.0.0/24 is subnetted, 1 subnets
S 77.77.77.0 [1/0] via 10.10.34.4
192.168.23.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.23.0/24 is directly connected, FastEthernet0/0
L 192.168.23.3/32 is directly connected, FastEthernet0/0
192.168.36.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.36.0/24 is directly connected, FastEthernet2/0
L 192.168.36.3/32 is directly connected, FastEthernet2/0
R3#
Now check connectivity by pinging from R2 to R7
R2#ping 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/95/148 ms
R2#ping 77.77.77.77
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 77.77.77.77, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/105/140 ms
R2#
And connectivity from R7 to R2
Remember 22.22.22.22 was never added to the route leaking
R7#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/104/148 ms
R7#ping 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
Last, but not least, add an ACL on R3 to permit only the traffic from 2.2.2.2 to 7.7.7.7 and 77.77.77.77 and deny everything else.
R3(config)#access-list 101 permit ip host 2.2.2.2 host 7.7.7.7
R3(config)#access-list 101 permit ip host 2.2.2.2 host 77.77.77.77
R3(config)#inter fas 1/0
R3(config-if)#ip access-group 101 out
!
R3(config)#access-list 102 permit ip host 7.7.7.7 host 2.2.2.2
R3(config)#access-list 102 permit ip host 77.77.77.77 host 2.2.2.2
R3(config)#access-list 102 deny ip any host 2.2.2.2
R3(config)#access-list 102 deny ip any 192.168.0.0 0.0.255.255
R3(config)#access-list 102 permit ip any any
R3(config)#inter fas 1/0
R3(config-if)#ip access-group 102 in
Check from R2
R2#ping 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
R2#ping 10.10.47.7 sou lo 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.47.7, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)
R2#ping 7.7.7.7 source lo 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/86/100 ms
R2#ping 7.7.7.8 source lo 2 <-- Secondary IP on R7 Lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.8, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
UUUUU
Success rate is 0 percent (0/5)
R2#ping 7.7.7.9 source lo 2 <-- Another Secondary IP on R7 Lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.9, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
UUUUU
Success rate is 0 percent (0/5)
R2#
Check from R7
R7#ping 2.2.2.2 <-- sourced from it's Fa interface
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
R7#ping 2.2.2.2 sou lo 7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/81/100 ms
R7#ping 2.2.2.2 sou lo 77
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 77.77.77.77
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/89/124 ms
R7#