VRF-lite route leaking

September 13, 2010

The purpose of VRF-lite is to extend the logical separation of two different networks from a MPLS network down to a single CE router, connected to both these networks. It’s called VRF-lite because it is done without running MPLS (LDP/TDP) or MP-BGP between the PE and CE. Traffic is mapped to the VRF assigned to the ingress interface on the CE router.

But VRF-lite could be used without connecting to a MPLS network entirely! Consider what a VRF is?

A VRF is a mechanism used to provide logical separation between routing tables on the same router. It is locally significant to the router. Each interface on a router can only be assigned to one VRF, but a VRF can have multiple interfaces.

So VRF-lite could be used to separate multiple networks using the same equipment. (Not exactly something you should ever plan in a design, but it could be useful to know)

Once you have the separation you needed, you might need a way to selectively bridge that separation to allow communication between the VRF’s.

Assume the following scenario:

Router1 runs VRF-lite with two interfaces, one connecting to VPN5 and the other to VPN7. The is a CE device connected in VPN5 with an IP address of, and another CE device in VPN7 with an IP address of

Originally the intent might have been to keep the two networks entirely separate. But lets assume the need arises to allow routing between VPN5 and VPN7 but only between the ranges and Not the rest! How can it be done?

As always there are options! Make use of Route-Targets (RTs), or Take the lazy approach with static routes. Direct redistribution between VRF-aware IGP’s on the same router, does not work as you would expect. On most the IOS codes that I have seen, IOS does not allow this.

Option 1 – Using RTs

The technique that might jump to mind is route-target import/export. But what is a route-target and its purpose?

A RD is a 64-bit identifier prepended to a 32-bit IPv4 address which turns a non-unique IPv4 prefix  into a unique 96-bit VPNv4 prefix. A RD is the most basic requirement to activate the VRF and create the VRF tables.

A RT or route-target  on the other hand is a BGP extended community which gets attached when a prefix is exported from the VRF RIB table into the VRF-aware BGP table to identify VPN membership. The confusing part is that the RT import/export function in Cisco IOS is defined under the VRF configuration section and not under the BGP section. Thus to use RTs BGP is required. This means without BGP enabled on Router1, the RT import/export would yield no result.

So for this option to work the following must be considered: The BGP process is required for the creation of the VRF-aware BGP tables. BGP neighbors are not necessary. From the source VRF the required range must be redistributed into the VRF specific BGP table where the export RT is attached. The destination VRF should then import this exported range, based on the attached RT. And vice versa for bidirectional communication.Lastly since BGP is used the BGP next-hop must be reachable, else the imported routes will not be considered for route-selection. Here is the config to complete the first option:

ip vrf VPN5
 rd 100:5
 import map V5-MAP
 route-target export 1:5
 route-target import 1:5
 route-target import 1:7
ip vrf VPN7
 rd 100:7
 import map V7-MAP
 route-target export 1:7
 route-target import 1:7
 route-target import 1:5
ip extcommunity-list standard V5 permit rt 1:5
ip extcommunity-list standard V7 permit rt 1:7
ip prefix-list IMPORT-5 seq 5 permit
ip prefix-list IMPORT-5 seq 15 permit
ip prefix-list IMPORT-7 seq 5 permit
ip prefix-list IMPORT-7 seq 15 permit
route-map V5-MAP permit 10
 match ip address prefix-list IMPORT-5
route-map V5-MAP permit 20
 match extcommunity V5
route-map V7-MAP permit 10
 match ip address prefix-list IMPORT-7
route-map V7-MAP permit 20
 match extcommunity V7
router eigrp 1
 address-family ipv4 vrf VPN7
  redistribute bgp 1 metric 1500 10 255 2 1500
  autonomous-system 7
 address-family ipv4 vrf VPN5
  redistribute bgp 1 metric 1500 10 255 2 1500
  autonomous-system 5
router bgp 1
 address-family ipv4 vrf VPN7
  redistribute connected
  redistribute eigrp 7
 address-family ipv4 vrf VPN5
  redistribute connected
  redistribute eigrp 5

The output should yield the following:

Option 2 – Static Routes

Another, perhaps easier option would be to use static routes within each VRF and in the global VRF. This method will route traffic out the source VRF to the global table and back in the destination VRF. The obvious other bonus is that this method does not need the BGP process to be enabled.

So to test should be allowed to ping but no other 55.5 range.

This is done by using the command “ip route vrf NAME x.x.x.x s.s.s.s nh.nh.nh.nh global”.
The global keyword specifies that the next-hop is reachable via the global routing table instead of the VRF table.

The global table would obviously need a route to each required next-hop in each VRF. For this two routes are needed in the global RIB for the next-hop IPs of VPN5 and VPN7:

interface FastEthernet0/0
 ip vrf forwarding VPN5
 ip address
interface FastEthernet0/1
 ip vrf forwarding VPN7
 ip address
ip route FastEthernet0/0
ip route FastEthernet0/1

Then to add the static routes within the respective VRFs are the easy part:

ip route vrf VPN5 global
ip route vrf VPN7 global

Let me explain, the first line says: For VPN5 to reach the destination (in VPN7) go to the next-hop of which is in the global table. The global table will route traffic to that next-hop into the VPN7 table, as per the first set of static routes.
The second line takes care of the return traffic.

Here is the test to confirm:


  1. Option3 – Multi-VRF Selection Using Policy Based Routing (PBR)


    • The only problem is VRF Select is supported only in Service Provider (-p-) images.
      This might not always be a option on site routers, but very good solution :)

      • Very useful and concise overview for me coming from an enterprise R&S background. Thank you.
        Would you be able to add the VRF select option to satisfy my curiosity :-) ?

  2. Great work, I wanted to implement route leak (static route) on one router. I hope this solution will work.


    Bilal Hansrod

  3. which interface/router / is assigned to?

    • Those would next-hop interface IP on the CE type devices connected downstream .
      I.e. would be connected downstream to FastEthernet0/0 etc…

      hth :)

      • The page format has somehow lost half of the post.
        I’ll correct that shortly :(

    • Oh the post is displaying all info now.. :)

  4. I guess there is one or two options more to consider …
    1- VRF selection source.
    2- Policy routing.

  5. In the RT approach above,

    Why are you importing the same RT that you are exporting? Is this needed?
    You have the following consecutive lines:
    Route-target export 1:5
    Route-target import 1:5

    I would have thought export is enough since all other prefixes must anyway be in the VRF with rd 100:5

    • Ick,

      This is because of an old bug, it is not necessary to do this nowdays.

      BR Tommy

  6. Can the same be done with Rip v2 instead of eigrp

  7. Hi,
    Shouldn’t you be matching extcommunity list V7 in the below line

    route-map V5-MAP permit 20
    match extcommunity V5

    And V5 in the Below line…
    route-map V7-MAP permit 20
    match extcommunity V7

    I am asking because import-map V5-MAP is importing RT 1:7 and V7-Map is importing RT 1:5

Please leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 1,587 other followers

%d bloggers like this: