BGP Support for IP Prefix Import from Global Table into a VRF Table

Last Updated: April 13, 2012

The BGP Support for IP Prefix Import from Global Table into a VRF Table feature introduces the capability to import IPv4 unicast prefixes from the global routing table into a Virtual Private Network (VPN) routing/forwarding (VRF) instance table using an import route map.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for BGP Support for IP Prefix Import from Global Table into a VRF Table

  • Border Gateway Protocol (BGP) peering sessions are established.
  • CEF or dCEF (for distributed platforms) is enabled on all participating routers.

Restrictions for BGP Support for IP Prefix Import from Global Table into a VRF Table

  • Only IPv4 unicast and multicast prefixes can be imported into a VRF with this feature.
  • A maximum of five VRF instances per router can be created to import IPv4 prefixes from the global routing table.
  • IPv4 prefixes imported into a VRF using this feature cannot be imported into a VPNv4 VRF.

Information About BGP Support for IP Prefix Import from Global Table into a VRF Table

Importing IPv4 Prefixes into a VRF

The BGP Support for IP Prefix Import from Global Table into a VRF Table feature introduces the capability to import IPv4 unicast prefixes from the global routing table into a Virtual Private Network (VPN) routing/forwarding instance (VRF) table using an import route map. This feature extends the functionality of VRF import-map configuration to allow IPv4 prefixes to be imported into a VRF based on a standard community. Both IPv4 unicast and multicast prefixes are supported. No Multiprotocol Label Switching (MPLS) or route target (import/export) configuration is required.

IP prefixes are defined as match criteria for the import map through standard Cisco filtering mechanisms. For example, an IP access-list, an IP prefix-list, or an IP as-path filter is created to define an IP prefix or IP prefix range, and then the prefix or prefixes are processed through a match clause in a route map. Prefixes that pass through the route map are imported into the specified VRF per the import map configuration.

Black Hole Routing

The BGP Support for IP Prefix Import from Global Table into a VRF Table feature can be configured to support Black Hole Routing (BHR). BHR is a method that allows the administrator to block undesirable traffic, such as traffic from illegal sources or traffic generated by a Denial of Service (DoS) attack, by dynamically routing the traffic to a dead interface or to a host designed to collect information for investigation, mitigating the impact of the attack on the network. Prefixes are looked up, and packets that come from unauthorized sources are blackholed by the ASIC at line rate.

Classifying Global Traffic

The BGP Support for IP Prefix Import from Global Table into a VRF Table feature can be used to classify global IP traffic based on physical location or class of service. Traffic is classified based on administration policy and then imported into different VRFs. On a college campus, for example, network traffic could be divided into an academic network and residence network traffic, a student network and faculty network, or a dedicated network for multicast traffic. After the traffic is divided along administration policy, routing decisions can be configured with the MPLS VPN--VRF Selection Using Policy Based Routing feature or the MPLS VPN--VRF Selection Based on Source IP Address feature.

Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding (Unicast RPF) can be optionally configured with the BGP Support for IP Prefix Import from Global Table into a VRF Table feature. Unicast RPF is used to verify that the source address is in the Forwarding Information Base (FIB). The ip verify unicast vrf command is configured in interface configuration mode and is enabled for each VRF. This command has permit and denykeywords that are used to determine if the traffic is forwarded or dropped after Unicast RPF verification.

How to Import IP Prefixes from Global Table into a VRF Table

Defining IPv4 IP Prefixes to Import

IPv4 unicast or multicast prefixes are defined as match criteria for the import route map using standard Cisco filtering mechanisms. This task uses an IP access-list and an IP prefix-list.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    access-list access-list-number {deny | permit} source [source-wildcard] [log]

4.    ip prefix-list prefix-list-name [seq seq-value] {deny network / length | permit network / length} [ge ge-value] [le le-value]


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
access-list access-list-number {deny | permit} source [source-wildcard] [log]


Example:

Router(config)# access-list 50 permit 10.1.1.0 0.0.0.255

 

Creates an access list and defines a range of IP prefixes to import into the VRF table.

  • The example creates a standard access list numbered 50. This filter will permit traffic from any host with an IP address in the 10.1.1.0/24 subnet.
 
Step 4
ip prefix-list prefix-list-name [seq seq-value] {deny network / length | permit network / length} [ge ge-value] [le le-value]


Example:

Router(config)# ip prefix-list COLORADO permit 10.24.240.0/22

 

Creates a prefix list and defines a range of IP prefixes to import into the VRF table.

  • The example creates an IP prefix list named COLORADO. This filter will permit traffic from any host with an IP address in the 10.24.240.0/22 subnet.
 

Creating the VRF and the Import Route Map

The IP prefixes that are defined for import are then processed through a match clause in a route map. IP prefixes that pass through the route map are imported into the VRF. A maximum of 5 VRFs per router can be configured to import IPv4 prefixes from the global routing table. 1000 prefixes per VRF are imported by default. You can manually configure from 1 to 2,147,483,647 prefixes for each VRF. We recommend that you use caution if you manually configure the prefix import limit. Configuring the router to import too many prefixes can interrupt normal router operation.

No MPLS or route target (import/export) configuration is required.

Import actions are triggered when a new routing update is received or when routes are withdrawn. During the initial BGP update period, the import action is postponed to allow BGP to convergence more quickly. Once BGP converges, incremental BGP updates are evaluated immediately and qualified prefixes are imported as they are received.

The following syslog message is introduced by the BGP Support for IP Prefix Import from Global Table into a VRF Table feature. It will be displayed when more prefixes are available for import than the user-defined limit:

00:00:33: %BGP-3-AFIMPORT_EXCEED: IPv4 Multicast prefixes imported to multicast vrf exceed the limit 2

You can either increase the prefix limit or fine-tune the import route map filter to reduce the number of candidate routes.


Note


  • Only IPv4 unicast and multicast prefixes can be imported into a VRF with this feature.
  • A maximum of five VRF instances per router can be created to import IPv4 prefixes from the global routing table.
  • IPv4 prefixes imported into a VRF using this feature cannot be imported into a VPNv4 VRF.
>
SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip vrf vrf-name

4.    rd route-distinguisher

5.    import ipv4 {unicast | multicast} [prefix-limit] map route-map

6.    exit

7.    route-map map-tag [permit | deny] [sequence-number]

8.    match ip address {acl-number [acl-number | acl-name] | acl-name [acl-name | acl-number] | prefix-list prefix-list-name [prefix-list-name]}

9.    end


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
ip vrf vrf-name


Example:

Router(config)# ip vrf GREEN

 

Creates a VRF routing table and specifies the VRF name (or tag).

  • The ip vrf vrf-name command creates a VRF routing table and a CEF table, and both are named using the vrf-name argument. Associated with these tables is the default route distinguisher value.
 
Step 4
rd route-distinguisher


Example:

Router(config-vrf)# rd 100:10

 

Creates routing and forwarding tables for the VRF instance.

  • There are two formats for configuring the route distinguisher argument. It can be configured in the as-number:network number (ASN:nn) format, as shown in the example, or it can be configured in the IP address:network number format (IP-address:nn).
 
Step 5
import ipv4 {unicast | multicast} [prefix-limit] map route-map


Example:

Router(config-vrf)# import ipv4 unicast 1000 map UNICAST

 

Creates an import map to import IPv4 prefixes from the global routing table to a VRF table.

  • Unicast or multicast prefixes are specified.
  • Up to a 1000 prefixes will be imported by default. The prefix-limit argument is used to specify a limit from 1 to 2,147,483,647 prefixes.
  • The route-map that defines the prefixes to import is specified after the map keyword is entered.
  • The example creates an import map that will import up to 1000 unicast prefixes that pass through the route map named UNICAST.
 
Step 6
exit


Example:

Router(config-vrf)# exit

 

Exits VRF configuration mode and enters global configuration mode.

 
Step 7
route-map map-tag [permit | deny] [sequence-number]


Example:

Router(config)# route-map UNICAST permit 10

 

Defines the conditions for redistributing routes from one routing protocol into another, or enables policy routing.

  • The route map name must match the route map specified in Step 5.
  • The example creates a route map named UNICAST.
 
Step 8
match ip address {acl-number [acl-number | acl-name] | acl-name [acl-name | acl-number] | prefix-list prefix-list-name [prefix-list-name]}


Example:

Router(config-route-map)# match ip address 50

 

Distributes any routes that have a destination network number address that is permitted by a standard or extended access list, and performs policy routing on matched packets.

  • Both IP access lists and IP prefix lists are supported.
  • The example configures the route map to use standard access list 50 to define match criteria.
 
Step 9
end


Example:

Router(config-route-map)# end

 

Exits route-map configuration mode and returns to privileged EXEC mode.

 

Filtering on the Ingress Interface

The BGP Support for IP Prefix Import from Global Table into a VRF Table feature can be configured globally or on a per-interface basis. We recommend that you apply it to ingress interfaces to maximize performance.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    interface type number [name-tag]

4.    ip policy route-map map-tag

5.    ip verify unicast vrf vrf-name {deny | permit}

6.    end


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
interface type number [name-tag]


Example:

Router(config)# interface Ethernet0/0

 

Configures an interface and enters interface configuration mode.

 
Step 4
ip policy route-map map-tag


Example:

Router(config-if)# ip policy route-map UNICAST

 

Identifies a route map to use for policy routing on an interface.

  • The example attaches the route map named UNICAST to the interface.
 
Step 5
ip verify unicast vrf vrf-name {deny | permit}


Example:

Router(config-if)# ip verify unicast vrf GREEN permit

 

(Optional) Enables Unicast Reverse Path Forwarding verification for the specified VRF.

  • The example enables verification for the VRF named GREEN. Traffic that passes verification will be forwarded.
 
Step 6
end


Example:

Router(config-if)# end

 

Exits interface configuration mode and returns to privileged EXEC mode.

 

Verifying Global IP Prefix Import

Perform the steps in this task to display information about the VRFs that are configured with the BGP Support for IP Prefix Import from Global Table into a VRF Table feature and to verify that global IP prefixes are imported into the specified VRF table.

SUMMARY STEPS

1.    enable

2.    show ip bgp vpnv4 {all | rd route-distinguisher | vrf vrf-name}

3.    show ip vrf [brief | detail | interfaces | id] [vrf-name]


DETAILED STEPS
Step 1   enable

Enables privileged EXEC mode. Enter your password if prompted.



Example:
Router# enable
Step 2   show ip bgp vpnv4 {all | rd route-distinguisher | vrf vrf-name}

Displays VPN address information from the BGP table. The output displays the import route map, the traffic type (unicast or multicast), the default or user-defined prefix import limit, the actual number of prefixes that are imported, and individual import prefix entries.



Example:
Router# show ip bgp vpnv4 all
BGP table version is 15, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf academic)
Import Map: ACADEMIC, Address-Family: IPv4 Unicast, Pfx Count/Limit: 6/1000
*> 10.50.1.0/24     172.17.2.2                             0 2 3 ?
*> 10.50.2.0/24     172.17.2.2                             0 2 3 ?
*> 10.50.3.0/24     172.17.2.2                             0 2 3 ?
*> 10.60.1.0/24     172.17.2.2                             0 2 3 ?
*> 10.60.2.0/24     172.17.2.2                             0 2 3 ?
*> 10.60.3.0/24     172.17.2.2                             0 2 3 ?
Route Distinguisher: 200:1 (default for vrf residence)
Import Map: RESIDENCE, Address-Family: IPv4 Unicast, Pfx Count/Limit: 3/1000
*> 10.30.1.0/24     172.17.2.2                  0          0 2 i
*> 10.30.2.0/24     172.17.2.2                  0          0 2 i
*> 10.30.3.0/24     172.17.2.2                  0          0 2 i
Route Distinguisher: 300:1 (default for vrf BLACKHOLE)
Import Map: BLACKHOLE, Address-Family: IPv4 Unicast, Pfx Count/Limit: 3/1000
*> 10.40.1.0/24     172.17.2.2                  0          0 2 i
*> 10.40.2.0/24     172.17.2.2                  0          0 2 i
*> 10.40.3.0/24     172.17.2.2                  0          0 2 i
Route Distinguisher: 400:1 (default for vrf multicast)
Import Map: MCAST, Address-Family: IPv4 Multicast, Pfx Count/Limit: 2/2
*> 10.70.1.0/24     172.17.2.2                  0          0 2 i
*> 10.70.2.0/24     172.17.2.2                  0          0 2 i
Step 3   show ip vrf [brief | detail | interfaces | id] [vrf-name]

Displays defined VRFs and their associated interfaces. The output displays the import route map, the traffic type (unicast or multicast), and the default or user-defined prefix import limit. The following example output shows that the import route map named UNICAST is importing IPv4 unicast prefixes and that the prefix import limit is 1000.



Example:
Router# show ip vrf detail
VRF academic; default RD 100:10; default VPNID <not set>
VRF Table ID = 1
  No interfaces
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:100:10 
  Import VPN route-target communities
    RT:100:10 
  Import route-map for ipv4 unicast: UNICAST (prefix limit: 1000)
  No export route-map

Configuration Examples for BGP Support for IP Prefix Import from Global Table into a VRF Table

Configuring Global IP Prefix Import Example

The following example imports unicast prefixes into the VRF named green using an IP prefix list and a route map:

This example starts in global configuration mode:

!
ip prefix-list COLORADO seq 5 permit 10.131.64.0/19
ip prefix-list COLORADO seq 10 permit 172.31.2.0/30
ip prefix-list COLORADO seq 15 permit 172.31.1.1/32
!
ip vrf green
 rd 200:1
 import ipv4 unicast map UNICAST
 route-target export 200:10
 route-target import 200:10
!
 exit
!
route-map UNICAST permit 10
 match ip address prefix-list COLORADO
!
 exit

Verifying Global IP Prefix Import Example

The show ip vrfcommand or the show ip bgp vpnv4 command can be used to verify that prefixes are imported from the global routing table to the VRF table.

The following example from the show ip vrf command shows the import route map named UNICAST is importing IPv4 unicast prefixes and the prefix import limit is 1000:

Router# show ip vrf detail
VRF green; default RD 200:1; default VPNID <not set>
  Interfaces:
    Se2/0                   
VRF Table ID = 1
  Export VPN route-target communities
    RT:200:10               
  Import VPN route-target communities
    RT:200:10               
  Import route-map for ipv4 unicast: UNICAST (prefix limit: 1000)
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
VRF red; default RD 200:2; default VPNID <not set>
  Interfaces:
    Se3/0                   
VRF Table ID = 2
  Export VPN route-target communities
    RT:200:20               
  Import VPN route-target communities
    RT:200:20               
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

The following example from the show ip bgp vpnv4command shows the import route map names, the prefix import limit and the actual number of imported prefixes, and the individual import entries:

Router# show ip bgp vpnv4 all
 
BGP table version is 18, local router ID is 10.131.127.252
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 200:1 (default for vrf green)
Import Map: UNICAST, Address-Family: IPv4 Unicast, Pfx Count/Limit: 1/1000
*>i10.131.64.0/19   10.131.95.252            0    100      0 i
*> 172.16.1.1/32    172.16.2.1               0         32768 i
*> 172.16.2.0/30    0.0.0.0                  0         32768 i
*>i172.31.1.1/32    10.131.95.252            0    100      0 i
*>i172.31.2.0/30    10.131.95.252            0    100      0 i
Route Distinguisher: 200:2 (default for vrf red)
*> 172.16.1.1/32    172.16.2.1               0         32768 i
*> 172.16.2.0/30    0.0.0.0                  0         32768 i
*>i172.31.1.1/32    10.131.95.252            0    100      0 i
*>i172.31.2.0/30    10.131.95.252            0    100      0 i

Additional References

Related Documents

Related Topic

Document Title

BGP commands: complete command syntax, defaults, command mode, command history, usage guidelines, and examples

Cisco IOS IP Routing: BGP Command Reference

MPLS Layer 3 VPN configuration tasks

"Configuring MPLS Layer 3 VPNs"

VRF selection using policy based routing

"Directing MPLS VPN Traffic Using Policy-Based Routing"

VRF selection based on source IP address

"MPLS VPN-- VRF Selection Based on Source IP Address"

Standards

Standard

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

--

MIBs

MIB

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

--

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for BGP Support for IP Prefix Import from Global Table into a VRF Table

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for BGP Support for IP Prefix Import from Global Table into a VRF Table

Feature Name

Releases

Feature Information

BGP Support for IP Prefix Import from Global Table into a VRF Table

12.0(29)S 12.2(25)S 12.2(27)SBC 12.2(33)SRA 12.2(33)SXH 12.3(14)T 15.0(1)S

The BGP Support for IP Prefix Import from Global Table into a VRF Table feature introduces the capability to import IPv4 unicast prefixes from the global routing table into a Virtual Private Network (VPN) routing/forwarding (VRF) instance table using an import route map.

The following commands were introduced or modified by this feature: debug ip bgp import, import ipv4, ip verify unicast vrf.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.