VPN import map & export map

TASK

  • Understand import map and export map

DIAGRAM

 

 

IMPORT MAP

CONFIG

R4#sh run | sec route-map
route-map IMPORT-MAP permit 10
 match ip address LAN-ROUTE
R4#
R4#sh run | sec access-list
ip access-list standard LAN-ROUTE
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
R4#
R4#sh run | sec vrf
vrf definition VPN-USER-X
 rd 65000:500
 route-target export 65000:500
 route-target import 65000:500
 route-target import 65000:100
 route-target import 65000:200
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
 vrf forwarding VPN-USER-X
 address-family ipv4 vrf VPN-USER-X
  redistribute connected
  neighbor 10.4.5.5 remote-as 65500
  neighbor 10.4.5.5 activate
R4#

VERIFY

  • Since the configuration above only specifies route-targets with import, all routes are imported
R4#
R4#sh bgp vpnv4 uni all
BGP table version is 14, local router ID is 10.0.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:100
 *>i 10.0.0.1/32      10.0.0.3                 0    100      0 65100 i
 *>i 10.1.3.0/24      10.0.0.3                 0    100      0 ?
 *>i 192.168.1.0      10.0.0.3                 0    100      0 65100 i
Route Distinguisher: 65000:200
 *>i 10.0.0.2/32      10.0.0.3                 0    100      0 65200 i
 *>i 10.2.3.0/24      10.0.0.3                 0    100      0 ?
 *>i 192.168.2.0      10.0.0.3                 0    100      0 65200 i
Route Distinguisher: 65000:500 (default for vrf VPN-USER-X)
 *>i 10.0.0.1/32      10.0.0.3                 0    100      0 65100 i
 *>i 10.0.0.2/32      10.0.0.3                 0    100      0 65200 i
 *>i 10.1.3.0/24      10.0.0.3                 0    100      0 ?
 *>i 10.2.3.0/24      10.0.0.3                 0    100      0 ?
 *>  10.4.5.0/24      0.0.0.0                  0         32768 ?
     Network          Next Hop            Metric LocPrf Weight Path
 *>i 192.168.1.0      10.0.0.3                 0    100      0 65100 i
 *>i 192.168.2.0      10.0.0.3                 0    100      0 65200 i
R4#

 

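  • Specifying the routes under the VRF's ipv4 address family makes it possible to import only specific routes out of those carrying the RTs specified with route-target import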
R4#
R4#conf t
R4(config)#vrf def VPN-USER-X
R4(config-vrf)#add ipv4
R4(config-vrf-af)#import map IMPORT-MAP
R4(config-vrf-af)#end
R4#
R4#
R4#sh bgp vpnv4 uni all
BGP table version is 18, local router ID is 10.0.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:100
 *>i 10.0.0.1/32      10.0.0.3                 0    100      0 65100 i
 *>i 10.1.3.0/24      10.0.0.3                 0    100      0 ?
 *>i 192.168.1.0      10.0.0.3                 0    100      0 65100 i
Route Distinguisher: 65000:200
 *>i 10.0.0.2/32      10.0.0.3                 0    100      0 65200 i
 *>i 10.2.3.0/24      10.0.0.3                 0    100      0 ?
 *>i 192.168.2.0      10.0.0.3                 0    100      0 65200 i
Route Distinguisher: 65000:500 (default for vrf VPN-USER-X)
 *>  10.4.5.0/24      0.0.0.0                  0         32768 ?
 *>i 192.168.1.0      10.0.0.3                 0    100      0 65100 i
 *>i 192.168.2.0      10.0.0.3                 0    100      0 65200 i
R4#

EXPORT MAP

CONFIG

  • As with the import map, this is configured under the VRF's IPv4 address family. An export map can specify a route-target, so it is attached with set.
R3#conf t
R3(config)#ip access-list stand LAN-ROUTE
R3(config-std-nacl)#permit 192.168.1.0 0.0.0.255
R3(config-std-nacl)#exit
R3(config)#
R3(config)#route-map EXPORT-MAP
R3(config-route-map)#match ip add LAN-ROUTE
R3(config-route-map)#set extcommunity rt 65000:200
R3(config-route-map)#exit
R3(config)#
R3(config)#vrf def VPN-USER-A
R3(config-vrf)#add ipv4
R3(config-vrf-af)#export map EXPORT-MAP
R3(config-vrf-af)#
R3(config-vrf-af)#end

VERIFY

  • 192.168.1.0/24, which carries route-target 65000:100, has had its route-target
    changed to 65000:200 by the export map, so it is imported into VRF VPN-USER-B,
    which only has import 65000:200.
R3#sh run | sec vrf definition VPN-USER-B
vrf definition VPN-USER-B
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
R3#
R3#
R3#sh bgp vpnv4 uni all
BGP table version is 13, local router ID is 10.0.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:100 (default for vrf VPN-USER-A)
 *>  10.0.0.1/32      10.1.3.1                 0             0 65100 i
 *>  10.1.3.0/24      0.0.0.0                  0         32768 ?
 *>  192.168.1.0      10.1.3.1                 0             0 65100 i
Route Distinguisher: 65000:200 (default for vrf VPN-USER-B)
 *>  10.0.0.2/32      10.2.3.2                 0             0 65200 i
 *>  10.2.3.0/24      0.0.0.0                  0         32768 ?
 *>  192.168.1.0      10.1.3.1                 0             0 65100 i
 *>  192.168.2.0      10.2.3.2                 0             0 65200 i
R3#
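
The import map and export map results above can be reproduced offline with a small model, which helps when checking which prefixes cross VRF boundaries before a PE change. This is an added example, not part of the original lab; the dict layout, the function names and VPN-USER-A's import RT (not shown on the page) are assumptions.

```python
import ipaddress

def acl_permits(acl, prefix):
    """Standard ACL match on the network address; no match means implicit deny."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.ip_address(base)) & care):
            return True
    return False

def exported_rts(vrf, prefix):
    """RTs a route carries when it leaves its VRF."""
    emap = vrf.get("export_map")
    if emap and acl_permits(emap["acl"], prefix):
        return set(emap["set_rt"])  # set extcommunity rt without additive replaces
    return set(vrf["export"])       # modelling assumption: unmatched routes keep export RTs

def leaked_routes(vrfs):
    """Map each VRF to the prefixes it imports from other VRFs."""
    result = {name: [] for name in vrfs}
    for src_name, src in vrfs.items():
        for prefix in src["routes"]:
            rts = exported_rts(src, prefix)
            for dst_name, dst in vrfs.items():
                if dst_name == src_name or not rts & set(dst["import"]):
                    continue  # the route-target import check comes first
                imap = dst.get("import_map")
                if imap is None or acl_permits(imap, prefix):
                    result[dst_name].append(prefix)
    return {name: sorted(found) for name, found in result.items()}

LAN_ROUTE_R4 = [("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")]
LAN_ROUTE_R3 = [("192.168.1.0", "0.0.0.255")]

def lab(import_map=None, export_map=None):
    """The page's three VRFs; VPN-USER-A's import RT is assumed (not shown on the page)."""
    return {
        "VPN-USER-A": {"export": ["65000:100"], "import": ["65000:100"],
                       "routes": ["10.0.0.1/32", "10.1.3.0/24", "192.168.1.0/24"],
                       "export_map": export_map},
        "VPN-USER-B": {"export": ["65000:200"], "import": ["65000:200"],
                       "routes": ["10.0.0.2/32", "10.2.3.0/24", "192.168.2.0/24"]},
        "VPN-USER-X": {"export": ["65000:500"], "import": ["65000:500", "65000:100", "65000:200"],
                       "routes": ["10.4.5.0/24"], "import_map": import_map},
    }

if __name__ == "__main__":
    print(leaked_routes(lab(import_map=LAN_ROUTE_R4)))
```

Passing `{"acl": LAN_ROUTE_R3, "set_rt": ["65000:200"]}` as `export_map` reproduces the R3 result, with 192.168.1.0/24 appearing in VPN-USER-B.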
