task 14.5 - sense of the question?

Hi guys!

I am working on 14.5.

I get the idea of the challenge itself I think:

- make the both loopbacks of R6 and R5 (each in a different vrf) talk to each other (right?)

- I get the idea that one route-leaks those two router between the vrfs with a different route-target than the default route-target, because if one would do so then ALL routes between the vrfs are leaked. (right?).


So far so good but when I get bidirectional reachability between those two loopbacks in my eyes they have to be in the routing table of the vrfs right? I mean the SG says that the routes are imported?!


I dont get that....anyone has an idea?






  • Argh...posted it...thought about it again...and I think I got it :).

    Its because the routes are also leaked on the same router between the routing tables...right?




  • I sat here analyzed this as well and after labbing it up twice, i think I understand what's happening... It' not because the routes are leaked on the same router between the routing tables. It's because you are telling the vrf VPN_A on R5 and vrf VPN_B on R6 what routes you want to be imported /recieved from the other side via the import commands under the vrf process.

    If you look at the solution, on R5 under vrf VPN_A, you are telling it to import aka "allow in the routes" with a route target of 100:1 (as it was originally setup to do) AND any routes with a route-target of 100:66 attached (which is the Lo102 network from R6). The same is done on R6 with the added import 100:55 command, which is telling R6 to import aka "allow in" routes with a route-target of 100:1 (which is was origianlly setup to do) AND routes with the route-targte of 100:55 attached (which is the Lo1 network from R5).

    Because of the importing of 100:66 inside VPN_A and 100:55 inside VPN_B, this allows VPN_A to have reachability to Lo102 inside VPN_B and VPN_B to have reachability to Lo101 which is in VPN_A.

    That's just what i got from it. I hope that helps...

  • for what it is worth -

    I think the key to understand the filtering and reachability of this particular task is the third bullet

    - Configure the network to provide bi-directional connectivity between the two new subnets

    The first read through, many months ago it just didnt make for very good reading. This is much more than a filtering task, it also includes extended community manipulation, and leaking between VRF's.

    I just read through this today, and while it still reads the same - you sort of have to expand your definition of filtering in the sense of "what can I do with a route-map when I filter on a prefix".  In this case I can change the natural RT of the task, and make it unique on the opposite end - allowing for greater control of the selected prefix.  

    The fouth bullet on the first read did not seem to imply chaning the RT or leaking between VRF's - but combined, bullets 3 and 4 sure do.  

    For context I am pasting the tasks as it read today in the event the tasks change in the future:

    • Create a new Loopback 101 interface in R5’s VRF VPN_A with the IP address of
    • Create a new Loopback 102 interface in R6’s VRF VPN_B with the IP address of
    • Configure the network to provide bi-directional connectivity between the two new subnets.
    • Make sure R6’s VPN_A does not see the prefix and R5’s VPN_B does not see the prefix


    interface Loopback101

    ip vrf forwarding VPN_A

    ip address


    ip prefix-list LO101 permit


    route-map VPN_A_EXPORT permit 10

    match ip address prefix-list LO101

    set extcommunity rt 100:55


    route-map VPN_A_EXPORT permit 20

    set extcommunity rt 100:1


    ip vrf VPN_A

    export map VPN_A_EXPORT

    route-target import 100:66


    interface Loopback102

    ip vrf forwarding VPN_B

    ip address


    ip prefix-list LO102 permit


    route-map VPN_B_EXPORT permit 10

    match ip address prefix-list LO102

    set extcommunity rt 100:66


    route-map VPN_B_EXPORT permit 20

    set extcommunity rt 100:2


    ip vrf VPN_B

    export map VPN_B_EXPORT

    route-target import 100:55




Sign In or Register to comment.