Not entirely sure why you would want to do this unless you wanted traffic
to loop through the firewall, route-targets might do it anyway.  However,
what you want to do does work.

I tried it with two routers back-to-back, with R2 simulating the
"firewall".  Using OSPF so the peers can see each other.

R2:

!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 10.2.2.0 0.0.0.255 area 0
!


Now for R1:

First set up your VRFs.  RTs not strictly necessary, perhaps:

!
ip vrf BLUE
 rd 2:1
 route-target export 2:1
 route-target import 2:1
!
ip vrf RED
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!

A pair of loopbacks for router-ids and the interfaces placed inside the
VRFs:

!
interface Loopback1
 ip vrf forwarding RED
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
 ip vrf forwarding BLUE
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding RED
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip vrf forwarding BLUE
 ip address 10.2.2.1 255.255.255.0
 duplex auto
 speed auto
!

Set up OSPF for each VRF so they can see the peering BGP interfaces.  I am
peering with the physical interfaces, but you could use the loopbacks too.
Just watch the ebgp-multihop TTL.

!
router ospf 1 vrf RED
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
!
router ospf 2 vrf BLUE
 log-adjacency-changes
 network 10.2.2.0 0.0.0.255 area 0
!

Now for the BGP.  As there is no loopback outside the VRFs, you will need
to input a bogus router-id under the process or have a loopback not in a
VRF.  The next important part is to use the "bgp router-id vrf" command.  I
used the auto-assign keyword so each would pick their own loopback.  The
BGP AS is 1, but I am going to assign each family its own "fake" AS.  This
command is only in the 12.4 T and Service Provider trains, not mainline
12.4.  Not sure if it is in 15.x.  Without this command, you can't assign
unique RIDs for the VRFs, and they would see duplicate RIDs and not peer.

router bgp 1
 bgp router-id 1.0.0.1
 bgp router-id vrf auto-assign
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 !

Now for the address-families.  VRF RED is going to be AS3, BLUE AS2, both
"fake".  If you want to exchange routes, you will need to use the
"no-prepend replace-as" keywords.  no-prepend will drop the local AS being
sent and replace-as will replace the overall BGP AS with the local-as.  This
is important if you want to exchange routes between them, otherwise each
VRF will see its own AS in the path and drop the prefix.

 address-family ipv4 vrf RED
  neighbor 10.2.2.1 remote-as 2
  neighbor 10.2.2.1 local-as 3 no-prepend replace-as
  neighbor 10.2.2.1 ebgp-multihop 3
  neighbor 10.2.2.1 activate
  no synchronization
  network 1.1.1.1 mask 255.255.255.255
 exit-address-family
 !
 address-family ipv4 vrf BLUE
  neighbor 10.1.1.1 remote-as 3
  neighbor 10.1.1.1 local-as 2 no-prepend replace-as
  neighbor 10.1.1.1 ebgp-multihop 3
  neighbor 10.1.1.1 activate
  no synchronization
  network 2.2.2.2 mask 255.255.255.255
 exit-address-family

Et voila.  You will see the peering:

R1# sho ip bgp vpnv4 vrf RED summary
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 10, main routing table version 10
2 network entries using 312 bytes of memory
2 path entries using 136 bytes of memory
7/4 BGP path/bestpath attribute entries using 1176 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 2) using 64 bytes of memory
BGP using 1784 total bytes of memory
BGP activity 4/0 prefixes, 5/1 paths, scan interval 15 secs

Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.2.2.1        4          2      39      46       10    0    0 00:18:02        1

R1# sho ip bgp vpnv4 vrf BLUE summ
BGP router identifier 2.2.2.2, local AS number 1
BGP table version is 10, main routing table version 10
2 network entries using 312 bytes of memory
2 path entries using 136 bytes of memory
7/4 BGP path/bestpath attribute entries using 1176 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 2) using 64 bytes of memory
BGP using 1784 total bytes of memory
BGP activity 4/0 prefixes, 5/1 paths, scan interval 15 secs

Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.1        4          3      43      43       10    0    0 00:18:31        1

And in this case, you can see that each VRF sees the routes I am injecting
in their own tables with the correct path:

R1#sho ip bgp vpnv4 all
BGP table version is 10, local router ID is 1.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf RED) VRF Router ID 1.1.1.1
*> 1.1.1.1/32       0.0.0.0                  0         32768 i
*> 2.2.2.2/32       10.2.2.1                 0             0 2 i
Route Distinguisher: 2:1 (default for vrf BLUE) VRF Router ID 2.2.2.2
*> 1.1.1.1/32       10.1.1.1                 0             0 3 i
*> 2.2.2.2/32       0.0.0.0                  0         32768 i

and in the route table

R1#sho ip route vrf RED

Routing Table: RED
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       <snip>
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     2.0.0.0/32 is subnetted, 1 subnets
B       2.2.2.2 [20/0] via 10.2.2.1, 00:18:28
     10.0.0.0/24 is subnetted, 2 subnets
O       10.2.2.0 [110/2] via 10.1.1.2, 00:28:00, FastEthernet0/0
C       10.1.1.0 is directly connected, FastEthernet0/0
R1#sho ip route vrf BLUE

Routing Table: BLUE
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       <snip>
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 [20/0] via 10.1.1.1, 00:20:42
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     10.0.0.0/24 is subnetted, 2 subnets
C       10.2.2.0 is directly connected, FastEthernet0/1
O       10.1.1.0 [110/2] via 10.2.2.2, 00:28:46, FastEthernet0/1


Pings won't work yet as R2 has no visibility of the routes I am injecting,
but that I am leaving as an exercise for the reader.  Too tired now.

Of course, if you now start exporting via route-targets it might get
complicated.... :)

Let me know if this is useful.  I was intrigued by the concept, and it was
a learning experience.

M.







On Fri, Nov 25, 2011 at 2:56 PM, Amir Khalili <[email protected]> wrote:

> Thanks for your responses - however this is what I am trying to achieve:
>
> using a single router - single BGP process - peering the vrfs using in vrf
> bgp router id feature.  This is possible when you use  ibgp
>
> however, in some cases, you will need to use ebgp -
>
> ip vrf red
> rd 1:1
>
> ip vrf blue
> rd 1:2
>
> int l1
> ip vrf forw red
> ip address 1.1.1.1 255.255.255.255
>
> int l2
> ip vrf forw blue
> ip address 2.2.2.2 255.255.255.255
>
> router bgp 1.
>
> address-f ipv4 vrf red
> bgp router-id 1.1.1.1
> neib 2.2.2.2 remote-as 2
>
> address-f ipv4 vrf blue
> bgp router-id 2.2.2.2
> neib 1.1.1.1 remote-as 3
>
> in the above you will need to fake the as and send it to the peer!!   is
> it possible in cisco?
>
> Cheers
> Amir
>
>
>
>
>
>
>
> On Thu, Nov 24, 2011 at 4:57 PM, Matthew Mengel <[email protected]> wrote:
>
>> Assuming that the attached image is what you are trying to do, sure.
>>
>> R1:
>>
>> ip vrf BLUE
>>  rd 1:1
>> !
>> ip vrf RED
>>  rd 101:1
>> !
>> !
>> interface Loopback0
>>  ip address 1.1.1.1 255.255.255.0
>> !
>> interface FastEthernet0/0
>>  ip vrf forwarding BLUE
>>  ip address 10.2.2.1 255.255.255.0
>> !
>> interface FastEthernet0/1
>>  ip vrf forwarding RED
>>  ip address 10.3.3.1 255.255.255.0
>> !
>> !
>> router bgp 1
>>  no bgp default ipv4-unicast
>>  bgp log-neighbor-changes
>>  !
>>  address-family ipv4 vrf RED
>>   neighbor 10.3.3.3 remote-as 3
>>   neighbor 10.3.3.3 local-as 101
>>   neighbor 10.3.3.3 activate
>>   no synchronization
>>  exit-address-family
>>  !
>>  address-family ipv4 vrf BLUE
>>   neighbor 10.2.2.2 remote-as 2
>>   neighbor 10.2.2.2 activate
>>   no synchronization
>>  exit-address-family
>> !
>>
>> R2:
>>
>> !
>> interface Loopback0
>>  ip address 2.2.2.2 255.255.255.255
>> !
>> interface FastEthernet0/0
>>  ip address 10.2.2.2 255.255.255.0
>>
>> !
>> router bgp 2
>>  no synchronization
>>  bgp log-neighbor-changes
>>  network 2.2.2.2 mask 255.255.255.255
>>  neighbor 10.2.2.1 remote-as 1
>>  no auto-summary
>> !
>>
>>
>> R3:
>>
>> !
>> interface Loopback0
>>  ip address 3.3.3.3 255.255.255.255
>> !
>> interface FastEthernet0/1
>>  ip address 10.3.3.3 255.255.255.0
>> !
>> router bgp 3
>>  no synchronization
>>  bgp log-neighbor-changes
>>  network 3.3.3.3 mask 255.255.255.255
>>  neighbor 10.3.3.1 remote-as 101
>>  no auto-summary
>> !
>>
>> You see the routes in the VRFs and in the VPNv4 address-family:
>>
>> R1#sho ip bgp vpnv4 all
>> BGP table version is 5, local router ID is 1.1.1.1
>> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>>               r RIB-failure, S Stale
>> Origin codes: i - IGP, e - EGP, ? - incomplete
>>
>>    Network          Next Hop            Metric LocPrf Weight Path
>> Route Distinguisher: 1:1 (default for vrf BLUE)
>> *> 2.2.2.2/32       10.2.2.2                 0             0 2 i
>> Route Distinguisher: 101:1 (default for vrf RED)
>> *> 3.3.3.3/32       10.3.3.3                 0             0 101 3 i
>>
>>
>> Note that the route in the RED VRF includes the AS for the local-as in
>> the path.
>>
>> Matthew
>>
>>
>>
>>
>>
>>
>> On Fri, Nov 25, 2011 at 10:08 AM, Amir Khalili <[email protected]> wrote:
>>
>>> Thanks guys.  I am using address family under the same process.
>>> Trying to peer using a diff AS number.   Kind of eBGP approach.  Would
>>> local AS serve the purpose?
>>>
>>> On 11/24/11, Matthew Mengel <[email protected]> wrote:
>>> > Not sure if the firewall or the VRF are really important (just as to
>>> > whether you are needing to use address-family or not).
>>> >
>>> > Also, not exactly sure what you mean by "fake" an AS.  However, if what you
>>> > mean is that you have a situation where RouterB is expecting to peer with
>>> > AS 5, but you are running AS 1:
>>> >
>>> > RouterB#sho run | sec bgp
>>> > router bgp 2
>>> >  no synchronization
>>> >  bgp log-neighbor-changes
>>> >  neighbor 10.0.0.1 remote-as 5
>>> >  no auto-summary
>>> >
>>> > You can masquerade as AS 5 while remaining configured as AS 1 using the
>>> > "local-as" command:
>>> >
>>> > RouterA#sho run | sec bgp
>>> > router bgp 1
>>> >  no synchronization
>>> >  bgp log-neighbor-changes
>>> >  neighbor 10.0.0.2 remote-as 2
>>> >  neighbor 10.0.0.2 local-as 5
>>> >  no auto-summary
>>> >
>>> > If, however, you mean that you have two VRFs on the same router, hairpinned
>>> > through a firewall, then I think you are sunk, as this uses
>>> > address-families under the bgp process, and unless I am mistaken, it is one
>>> > process with one AS per router.
>>> >
>>> > M.
>>> >
>>> >
>>> >
>>> > On Fri, Nov 25, 2011 at 8:09 AM, Amir Khalili <[email protected]> wrote:
>>> >
>>> >> Hello
>>> >>
>>> >> How can we fake AS #  for a bgp neighbor to make ebgp peer?  This is using
>>> >> in vrf bgp router id in a vrf.
>>> >>
>>> >> BGP vrf A  -> FW ->  BGP vrf B  ( ebg peer )
>>> >>
>>> >> Cheers
>>> >> Amir
>>> >> _______________________________________________
>>> >> For more information regarding industry leading CCIE Lab training,
>>> please
>>> >> visit www.ipexpert.com
>>> >>
>>> >> Are you a CCNP or CCIE and looking for a job? Check out
>>> >> www.PlatinumPlacement.com
>>> >>
>>> >> To Unsubscribe from this list please visit the following link and
>>> follow
>>> >> the directions to unsubscribe.
>>> >> http://onlinestudylist.com/mailman/listinfo/ccie_rs
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > Matthew Mengel
>>> > [email protected]
>>> >
>>>
>>> --
>>> Sent from my mobile device
>>>
>>
>>
>>
>> --
>> Matthew Mengel
>> [email protected]
>>
>>
>>
>>
>


-- 
Matthew Mengel
[email protected]
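
Why `replace-as` decides whether the two VRFs accept each other's prefixes, as an added example that is not part of the thread: a simplified Python model of the AS_PATH loop check for the RED/BLUE hairpin. It assumes Cisco's documented `local-as` behaviour (the real AS follows the local-as in sent updates unless `replace-as` is set; the local-as is prepended to received routes unless `no-prepend` is set), and all function names are hypothetical.

```python
# Simplified model of Cisco "neighbor ... local-as" AS_PATH handling.
# Assumed semantics (see lead-in); function names are hypothetical.

REAL_AS = 1  # "router bgp 1" on R1, shared by both VRFs


def advertise(path, real_as, local_as, replace_as):
    """AS_PATH placed in an eBGP UPDATE sent over a local-as session."""
    if replace_as:
        return [local_as] + path           # real AS is hidden from the peer
    return [local_as, real_as] + path      # both ASes are visible to the peer


def receive(path, real_as, local_as, no_prepend):
    """Return the path as installed, or None if loop detection drops it."""
    if real_as in path:
        return None                        # own AS seen in AS_PATH: drop
    if no_prepend:
        return path
    return [local_as] + path               # local-as prepended on receipt


def red_to_blue(replace_as, no_prepend):
    """1.1.1.1/32 from VRF RED (local-as 3) as learned by VRF BLUE (local-as 2)."""
    sent = advertise([], REAL_AS, local_as=3, replace_as=replace_as)
    return receive(sent, REAL_AS, local_as=2, no_prepend=no_prepend)


def matrix():
    """Result for every combination of the two keywords."""
    return {(r, n): red_to_blue(r, n) for r in (False, True) for n in (False, True)}


if __name__ == "__main__":
    for (replace_as, no_prepend), path in matrix().items():
        shown = "dropped (AS 1 in path)" if path is None else " ".join(map(str, path))
        print(f"replace-as={replace_as!s:5} no-prepend={no_prepend!s:5} -> {shown}")
```

The `3` result for both keywords set matches the `3 i` path shown for 1.1.1.1/32 under VRF BLUE in the `sho ip bgp vpnv4 all` output, and the `2 3` result mirrors the `101 3` path in the earlier quoted reply where `local-as` was used without `no-prepend`.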