task 14.5 - sense of the question?

Hi guys!

I am working on 14.5.

I get the idea of the challenge itself I think:

- make both loopbacks of R6 and R5 (each in a different vrf) talk to each other (right?)

- I get the idea that one route-leaks those two routes between the vrfs with a different route-target than the default route-target, because if one would do so then ALL routes between the vrfs are leaked. (right?).

 

So far so good but when I get bidirectional reachability between those two loopbacks in my eyes they have to be in the routing table of the vrfs right? I mean the SG says that the routes are imported?!

 

I don't get that... does anyone have an idea?

 

TIA!

Regards!

Markus

Comments

  • Argh...posted it...thought about it again...and I think I got it :).

    It's because the routes are also leaked on the same router between the routing tables...right?

     

    Regards!

    Markus

  • I sat here and analyzed this as well, and after labbing it up twice, I think I understand what's happening... It's not because the routes are leaked on the same router between the routing tables. It's because you are telling the vrf VPN_A on R5 and vrf VPN_B on R6 what routes you want to be imported/received from the other side via the import commands under the vrf process.

    If you look at the solution, on R5 under vrf VPN_A, you are telling it to import aka "allow in the routes" with a route target of 100:1 (as it was originally set up to do) AND any routes with a route-target of 100:66 attached (which is the Lo102 network from R6). The same is done on R6 with the added import 100:55 command, which is telling R6 to import aka "allow in" routes with a route-target of 100:1 (which it was originally set up to do) AND routes with the route-target of 100:55 attached (which is the Lo1 network from R5).

    Because of the importing of 100:66 inside VPN_A and 100:55 inside VPN_B, this allows VPN_A to have reachability to Lo102 inside VPN_B and VPN_B to have reachability to Lo101 which is in VPN_A.

    That's just what I got from it. I hope that helps...

  • for what it is worth -

    I think the key to understand the filtering and reachability of this particular task is the third bullet

    - Configure the network to provide bi-directional connectivity between the two new subnets

    The first read through, many months ago, it just didn't make for very good reading. This is much more than a filtering task, it also includes extended community manipulation, and leaking between VRFs.

    I just read through this today, and while it still reads the same - you sort of have to expand your definition of filtering in the sense of "what can I do with a route-map when I filter on a prefix".  In this case I can change the natural RT of the task, and make it unique on the opposite end - allowing for greater control of the selected prefix.  

    The fourth bullet on the first read did not seem to imply changing the RT or leaking between VRFs - but combined, bullets 3 and 4 sure do.

    For context I am pasting the task as it read today in the event the task changes in the future:

    • Create a new Loopback 101 interface in R5’s VRF VPN_A with the IP address of 172.16.5.5/24.
    • Create a new Loopback 102 interface in R6’s VRF VPN_B with the IP address of 192.168.6.6/24.
    • Configure the network to provide bi-directional connectivity between the two new subnets.
    • Make sure R6’s VPN_A does not see the prefix 172.16.5.0/24 and R5’s VPN_B does not see the prefix 192.168.6.0/24.
    Solution:

     R5:

    interface Loopback101
     ip vrf forwarding VPN_A
     ip address 172.16.5.5 255.255.255.0
    !
    ip prefix-list LO101 permit 172.16.5.0/24
    !
    route-map VPN_A_EXPORT permit 10
     match ip address prefix-list LO101
     set extcommunity rt 100:55
    !
    route-map VPN_A_EXPORT permit 20
     set extcommunity rt 100:1
    !
    ip vrf VPN_A
     export map VPN_A_EXPORT
     route-target import 100:66

     R6:

    interface Loopback102
     ip vrf forwarding VPN_B
     ip address 192.168.6.6 255.255.255.0
    !
    ip prefix-list LO102 permit 192.168.6.0/24
    !
    route-map VPN_B_EXPORT permit 10
     match ip address prefix-list LO102
     set extcommunity rt 100:66
    !
    route-map VPN_B_EXPORT permit 20
     set extcommunity rt 100:2
    !
    ip vrf VPN_B
     export map VPN_B_EXPORT
     route-target import 100:55



    r/w
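Added example (not part of any post above, and not the workbook's code): a small Python model of the route-target export/import logic in the pasted solution, showing which VRF table ends up with which prefix. The baseline RTs (VPN_A = 100:1 and VPN_B = 100:2 on both routers) and the 10.x prefixes are assumptions made for illustration.

```python
from ipaddress import ip_network

# Export maps from the posted solution: (matched prefix or None for match-all, RT set).
# "set extcommunity rt" without "additive" replaces the RT, so each route carries one RT.
EXPORT_MAPS = {
    ("R5", "VPN_A"): [("172.16.5.0/24", "100:55"), (None, "100:1")],
    ("R6", "VPN_B"): [("192.168.6.0/24", "100:66"), (None, "100:2")],
}
# Assumed baseline (not shown on the page): VPN_A uses 100:1, VPN_B uses 100:2.
DEFAULT_EXPORT = {"VPN_A": "100:1", "VPN_B": "100:2"}
IMPORTS = {
    ("R5", "VPN_A"): {"100:1", "100:66"},
    ("R5", "VPN_B"): {"100:2"},
    ("R6", "VPN_A"): {"100:1"},
    ("R6", "VPN_B"): {"100:2", "100:55"},
}
# Locally originated prefixes; the 10.x entries are constructed sample routes.
LOCAL = {
    ("R5", "VPN_A"): ["172.16.5.0/24", "10.5.1.0/24"],
    ("R6", "VPN_B"): ["192.168.6.0/24", "10.6.2.0/24"],
}

def export_rt(vrf_key, prefix):
    """First matching route-map entry wins; fall back to the VRF's default RT."""
    for match, rt in EXPORT_MAPS.get(vrf_key, []):
        if match is None or ip_network(match) == ip_network(prefix):
            return rt
    return DEFAULT_EXPORT[vrf_key[1]]

def vrf_tables():
    """Return {(router, vrf): set of prefixes} after export and import."""
    tables = {key: set(LOCAL.get(key, [])) for key in IMPORTS}
    for src, prefixes in LOCAL.items():
        for prefix in prefixes:
            rt = export_rt(src, prefix)
            for dst, wanted in IMPORTS.items():
                if rt in wanted:
                    tables[dst].add(prefix)
    return tables

if __name__ == "__main__":
    for key, prefixes in sorted(vrf_tables().items()):
        print(key, sorted(prefixes))
```
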

     

     
