VRF Route Target

MPLS VPN implementation requires VRF and also exporting and importing routes for that VRF. I mentioned on my previous posts about VRF that the VRF name is locally significant and even the RD number. What counts is what you import and export. Importing and exporting route targets use the same syntax as the RD and it is ASN:NN as shown by the example below.


!
ip vrf ALL-VRF
rd 123:4
route-target export 123:4
route-target import 123:1
route-target import 123:2
route-target import 123:3

By definition the routes that you "export" are only the routes you advertise on the vrf address family in BGP. The routes that you import are the cummulative routes with the same label that were exported from the other routers participating in the MPLS VPN. Remember that you don't export what you have learned through importation. Check the diagram below and the scenario we need to accomplish in this lab.


Scenario Conditions:

1. EMEA should have full ip reachability to APAC and AMERICAS but APAC and AMERICAS should not see each other.
2. RR should only see the all the routes but will not be seen by the routers.

I have setup everything and configured MPLS as well. I have configured the clients on the RR on both ipv4 and vpnv4 address-families. The command "show ip bgp vpnv4 all sum" on the RR should show that its learning prefixes from the clients.

RR#sh ip bgp vpnv4 all sum
BGP router identifier 123.123.123.4, local AS number 123
BGP table version is 13, main routing table version 13
12 network entries using 1644 bytes of memory
12 path entries using 816 bytes of memory
4/3 BGP path/bestpath attribute entries using 496 bytes of memory
3 BGP extended community entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3028 total bytes of memory
BGP activity 12/0 prefixes, 12/0 paths, scan interval 15 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
123.123.123.1 4 123 52 57 13 0 0 00:40:41 2
123.123.123.2 4 123 53 61 13 0 0 00:41:26 2
123.123.123.3 4 123 43 44 13 0 0 00:36:44 2

We can clearly see that its learning prefixes in the vpnv4 but will not put those routes in the routing table until it has been imported in one of the VRF's. In our case, I have configured vrf ALL-VRF in RR and imported all the route-targets 123:1, 123:2 and 123:4. In a VRF you can export and import as many route-targets as needed. Lets see if RR can see the routes now

RR

!
ip vrf ALL-VRF
rd 123:4
route-target export 123:4
route-target import 123:1
route-target import 123:2
route-target import 123:3

RR#sh ip route vrf ALL-VRF

Routing Table: ALL-VRF
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [200/0] via 123.123.123.1, 00:46:26
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [200/0] via 123.123.123.2, 00:46:26
33.0.0.0/32 is subnetted, 1 subnets
B 33.33.33.33 [200/0] via 123.123.123.3, 00:46:26
3.0.0.0/32 is subnetted, 1 subnets
B 3.3.3.3 [200/0] via 123.123.123.3, 00:46:26
22.0.0.0/32 is subnetted, 1 subnets
B 22.22.22.22 [200/0] via 123.123.123.2, 00:46:26
11.0.0.0/32 is subnetted, 1 subnets
B 11.11.11.11 [200/0] via 123.123.123.1, 00:46:28
123.0.0.0/32 is subnetted, 1 subnets
C 123.123.123.14 is directly connected, Loopback40

Ok, we have meet the first condition. RR is now able to see the routes exported by the RR clients. They won't see the route advertised in RR because the clients are not even importing that route. Full reachability in MPLS VPN requires that one router's exported route-target should be imported by another and vice-versa, otherwise you can only see the route but you won't be able to reach it. The networks should be in the corresponding VRF routing table of the routers.

To illustrate this point, let's configure the second scenario. Below are the VRF configurations on the 3 clients.

APAC#

!
ip vrf APAC
rd 123:1
route-target export 123:1
route-target import 123:3

AMERICAS#

!
ip vrf AMERICAS
rd 123:2
route-target export 123:2
route-target import 123:2

EMEA#
!
ip vrf EMEA
rd 123:3
route-target export 123:3
route-target export 123:2
route-target import 123:1
route-target import 123:2

APAC is exporting route-target 123:1 and its importing 123:3 which is exported by EMEA. EMEA on the other hand is importing 123:1 and exporting 123:3. There should be full ip reachability between the two. By the way the route-target ID doesn't necessarily match with the RD. Normally for networks that should see each other in MPLS VPN both the export and import route target ID's are the same. It will get rid of any unnecessary confusion created by using different RT ID's. Take into consideration AMERICAS and EMEA routers. As you can see on the config above, AMERICAS is importing and exporting 123:2. One command can generate the both export and import and that is "route-target both 123:2". EMEA is importing and exporting also 123:2 which means they will reach each other. Let's test if we have accomplished the condition, we will show the routing table in APAC and AMERICAS and let's ping the networks in EMEA. The ping should be sourced on the loopback interfaces where we configured the VRF's.

APAC#sh ip route vrf APAC

Routing Table: APAC
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
33.0.0.0/32 is subnetted, 1 subnets
B 33.33.33.33 [200/0] via 123.123.123.3, 01:04:51
3.0.0.0/32 is subnetted, 1 subnets
B 3.3.3.3 [200/0] via 123.123.123.3, 01:04:51
11.0.0.0/32 is subnetted, 1 subnets
C 11.11.11.11 is directly connected, Loopback10

APAC#ping vrf APAC 3.3.3.3 source lo0


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 248/346/436 ms


AMERICAS#sh ip route vrf AMERICAS

Routing Table: AMERICAS
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
33.0.0.0/32 is subnetted, 1 subnets
B 33.33.33.33 [200/0] via 123.123.123.3, 00:56:20
3.0.0.0/32 is subnetted, 1 subnets
B 3.3.3.3 [200/0] via 123.123.123.3, 00:56:20
22.0.0.0/32 is subnetted, 1 subnets
C 22.22.22.22 is directly connected, Loopback10

AMERICAS#ping vrf AMERICAS 3.3.3.3 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/593/1020 ms


EMEA#sh ip route vrf EMEA

Routing Table: EMEA
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [200/0] via 123.123.123.1, 00:00:00
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [200/0] via 123.123.123.2, 01:07:06
33.0.0.0/32 is subnetted, 1 subnets
C 33.33.33.33 is directly connected, Loopback10
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
22.0.0.0/32 is subnetted, 1 subnets
B 22.22.22.22 [200/0] via 123.123.123.2, 01:07:06
11.0.0.0/32 is subnetted, 1 subnets
B 11.11.11.11 [200/0] via 123.123.123.1, 00:00:03

It will take a while to get used to VRF Route-target if you are just learning it but this should be pretty easy. Remember, you can't reach a network that you have imported unless it exported your network. In MPLS VRF, entries in your VRF routing table doesn't assure reachability, the router in the destination network should also have your network in its VRF routing table. Ok, we are done! :)

Comments

30 Responses to "VRF Route Target"

Anonymous said... August 16, 2009 at 9:33 PM

Very nice pete..... Thanks / BR...

Venkat said... March 14, 2010 at 4:36 AM

Nice one.. Thx.

Bileesh said... May 31, 2010 at 1:26 PM

Great pare..

Lee said... July 1, 2010 at 7:06 PM

Pardon my ignorance, but i can't make sense of the RT copnfigurations of the clients shown and explanation?

Pete said... July 1, 2010 at 8:02 PM

RT configurations will make sense if you try to do this on a lab exercise. Simply announce all loopbacks in BGP and configure IGP like OSPF for the serial links reachability.

Anonymous said... October 22, 2010 at 10:27 PM

Excellent explanation..Thanks...

Anonymous said... November 23, 2010 at 9:06 AM

Great tips. Can you post your full configurations? THANKS!

Anonymous said... January 10, 2011 at 11:42 PM

Thanks man. Clear and simple.

Anonymous said... January 31, 2011 at 8:56 PM

Hi, i'm agree with Lee comment. Can you review your configuration is in concordance with the explanation !

Many Thanks for your article !

Anonymous said... March 26, 2011 at 4:04 AM

thanks a lot! great job

Anonymous said... April 20, 2011 at 6:35 PM

at EMEA : is there a mistake of import 123:4, i cannot seem to trace that, is it supposed to be 123:1 instead?

APAC: should be import 123:3 rather than 123:2?
i am confused...

Pete said... April 25, 2011 at 1:38 PM

Made changes on the typos I had. Apparently this was only part of the self made lab I did and there were some configurations changed which is why we had 123:4 in there and some typos.

Anonymous said... May 5, 2011 at 6:01 PM

Thanks :)

Anonymous said... June 16, 2011 at 12:27 AM

Thank you for this GREAT artical !!
9/10

;)

Anonymous said... August 18, 2011 at 9:52 PM

First person that I found that could explain this in a way that everyone understood it.. Thanks

Anonymous said... November 17, 2011 at 5:06 PM

really gud explanation !!!

Anonymous said... January 12, 2012 at 5:50 PM

peter.. can you explain more what happened in router americas. Thanks

Anonymous said... March 1, 2012 at 4:24 AM

Good One Thanks

Anonymous said... April 9, 2012 at 11:54 AM

Thank You. Clearing the mist of route target - route distinguisher of what they really are and how they work.

Anonymous said... May 10, 2012 at 1:33 AM

all info about vrf is so clear thanks for explain us all this

Anonymous said... June 14, 2012 at 4:28 AM

OK, here's the part I'm confused by in the above configuration. Hopefully you're still watching and can help explain it to me.

Scenario 2 - RR can see everyone but not be seen by anyone. That makes sense because it imports RTs 123:1, 123:2, and 123:3. It exports 123:4, but since nobody is importing 123:4, nobody else can see what RR knows.

So far, so good.

Scenario 1 - Part of this doesn't make sense to me.

EMEA and APAC's relationship makes sense, because we're looking at the same setup as above, a pairing of import/exports of 123:1 and 123:3. Ok, so this one is good.

The EMEA and AMERICAS, however, I don't get. Looking at them, EMA is exporting 123:2 and importing 123:2. AMERICAS is exporting 123:2 and importing 123:2. Is this a matter of "a design that works but is confusing but I want you to see that it can work because RD and RT are locally significant?" Or am I missing something else?

Khiem Pham said... June 16, 2012 at 11:34 AM

Can you consider my following config? Is it the same as yours?

APAC#

!
ip vrf APAC
rd 123:1
route-target export 123:1
route-target import 123:3

AMERICAS#

!
ip vrf AMERICAS
rd 123:2
route-target export 123:2
route-target import 123:3

EMEA#
!
ip vrf EMEA
rd 123:3
route-target export 123:3
route-target import 123:1
route-target import 123:2

Anonymous said... July 25, 2012 at 1:58 AM

Sorry, but i'm confused...
Why does AMERICAS# import itself, and why does EMEA# export AMERICAS# rd?

Dev Hattikar said... November 20, 2012 at 8:47 PM

EMEA#
!
ip vrf EMEA
rd 123:3
route-target export 123:3
route-target export 123:2
route-target import 123:1
route-target import 123:2

1. EMEA should have full ip reachability to APAC and AMERICAS but APAC and AMERICAS should not see each other.
In the above scenario we couldn’t see route-target export 123:1 will EMEA and APAC have full reach ability?

Anonymous said... December 17, 2012 at 1:33 PM

Thanks Dude ... It was very well explained

Anonymous said... March 27, 2013 at 12:35 PM

Hi Peter, Hope you have completed your CCIE and Congrats for the same, I am reading your blog and VRF first time, i could understand EMEA and ASIAPAC, but believe between America and EMEA import & export should be export 2 Import 3 and Vice versa ( thinking logicaly) will try the config today on GNS 3 and check, Shree Ammu :-)

Anonymous said... August 12, 2013 at 11:09 AM

Excelent Post !!! Thank you

AAIYAASH BABA said... March 5, 2014 at 2:26 PM

sr , tel me commnd 4 find total user in own bng.. plz

Atif Siddiqui said... April 15, 2014 at 2:18 PM

nice one. i was trying to understand RD and RT and difference between them since last night. brain went pear shaped after reading some explanation. But, this article really helped. keep posting good stuff. May God reward you for this good work

David said... September 3, 2014 at 6:42 PM

Hi,

can you post the interface configuration?? With OSPF is the same config?? Thanks!!

Post a Comment

Certifications

Certifications

The Dreamer

A fun loving person who enjoys learning new things. Currently working as a Network Engineer supporting the global network of a Fortune 500 company. This blog serves as my notes for the labs I created for my CCIE journey. I can guarantee there are errors in my posts. If you spot them, please let me know.

Join my Facebook Page I WANT TO BE A CCIE

Donate to the Cause

My aim is to create materials for free and possibly a free lab. If you wish to help out, please send any amount. Thanks.

Join my Bandwagon

Blogs that I Read