MPLS VPN VRF Import Map


With the route-target command for VRFs, the RT (Route Target) is added for all VPN routes. If you don’t want this, you can select which routes you want to import or export using a route-map. In the MPLS VPN VRF export map lesson, I explained how the export map works. This time we’ll take a look at the import map.

Let’s take a look at the following topology:

[Figure: MPLS VPN PE-CE topology, two loopbacks]

This is a standard MPLS VPN PE CE topology with a customer that uses OSPF on two sites. Each CE router has two loopback interfaces. Here is the VRF configuration from PE1 and PE2:

PE1#show running-config | begin ip vrf
ip vrf CUSTOMER
 rd 1:1
 route-target export 1:1
 route-target import 2:2

PE2#show running-config | begin ip vrf
ip vrf CUSTOMER
 rd 1:1
 route-target export 2:2
 route-target import 1:1

VPN routes on PE1 are exported with RT 1:1 and PE2 exports its VPN routes with RT 2:2.

With the route-target export command, all VPN routes are exported. There is no way to filter anything. This means that CE1 and CE2 learn all of the routes that the other site advertises:

CE1#show ip route ospf

      5.0.0.0/32 is subnetted, 1 subnets
O IA     5.5.5.5 [110/3] via 192.168.12.2, 00:02:26, GigabitEthernet0/1
      55.0.0.0/32 is subnetted, 1 subnets
O IA     55.55.55.55 [110/3] via 192.168.12.2, 00:02:26, GigabitEthernet0/1
O IA  192.168.45.0/24 [110/2] via 192.168.12.2, 00:02:26, GigabitEthernet0/1

CE2#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/3] via 192.168.45.4, 00:02:46, GigabitEthernet0/1
      11.0.0.0/32 is subnetted, 1 subnets
O IA     11.11.11.11 [110/3] via 192.168.45.4, 00:02:46, GigabitEthernet0/1
O IA  192.168.12.0/24 [110/2] via 192.168.45.4, 00:02:46, GigabitEthernet0/1

Let’s take a closer look at PE2, and see which VPN routes it has received from PE1:

PE2#show ip bgp vpnv4 all 1.1.1.1/32 | include Extended
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200 
PE2#show ip bgp vpnv4 all 11.11.11.11/32 | include Extended
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200 
PE2#show ip bgp vpnv4 all 192.168.12.0/24 | include Extended 
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200 

These VPN routes are installed in the VRF of our customer:

PE2#show ip route vrf CUSTOMER bgp

      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.1 [200/2] via 2.2.2.2, 00:02:39
      11.0.0.0/32 is subnetted, 1 subnets
B        11.11.11.11 [200/2] via 2.2.2.2, 00:00:26
B     192.168.12.0/24 [200/0] via 2.2.2.2, 00:00:26

If you want to restrict the routes that PE2 installs in the VRF then you could use an export-map on PE1. However, what if I want to control this from PE2?

That’s when the import map becomes useful…

Configuration

I’ll use the topology that I just showed you.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

CE1

hostname CE1
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 11.11.11.11 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 0
!
end

CE2

hostname CE2
!
ip cef
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Loopback1
 ip address 55.55.55.55 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.45.5 255.255.255.0
!
router ospf 1
 network 5.5.5.5 0.0.0.0 area 0
 network 55.55.55.55 0.0.0.0 area 0
 network 192.168.45.0 0.0.0.255 area 0
!
end

P

hostname P
!
ip cef
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.23.3 255.255.255.0
 mpls ip
!
interface GigabitEthernet0/2
 ip address 192.168.34.3 255.255.255.0
 mpls ip
!
router ospf 1
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.0 0.0.0.255 area 0
 network 192.168.34.0 0.0.0.255 area 0
!
end

PE1

hostname PE1
!
ip vrf CUSTOMER
 rd 1:1
 route-target export 1:1
 route-target import 2:2
!
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER
 ip address 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 192.168.23.2 255.255.255.0
!
router ospf 2 vrf CUSTOMER
 redistribute bgp 234 subnets
 network 192.168.12.0 0.0.0.255 area 0
!
router ospf 1
 mpls ldp autoconfig
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.23.0 0.0.0.255 area 0
!
router bgp 234
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 234
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 4.4.4.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER
  redistribute ospf 2
 exit-address-family
!
end

PE2

hostname PE2
!
ip vrf CUSTOMER
 rd 1:1
 route-target export 2:2
 route-target import 1:1
!
ip cef
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER
 ip address 192.168.45.4 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 192.168.34.4 255.255.255.0
!
router ospf 2 vrf CUSTOMER
 redistribute bgp 234 subnets
 network 192.168.45.0 0.0.0.255 area 0
!
router ospf 1
 mpls ldp autoconfig
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.34.0 0.0.0.255 area 0
!
router bgp 234
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 234
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family ipv4
  no neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER
  redistribute ospf 2
 exit-address-family
!
end


Let’s configure PE2 so that CE2 only learns 1.1.1.1/32. The other two routes should be filtered.

I can do this with a prefix-list and a route-map:

PE2(config)#ip prefix-list CE1_L0 permit 1.1.1.1/32

PE2(config)#route-map IMPORT_MAP permit 10
PE2(config-route-map)#match ip address prefix-list CE1_L0

The route-map has a single permit and only matches 1.1.1.1/32. Let’s activate it:

PE2(config)#ip vrf CUSTOMER
PE2(config-vrf)#import map IMPORT_MAP
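
The import decision PE2 makes once IMPORT_MAP is active, modelled in Python as an added example (not part of the original lesson and not Cisco's implementation). It assumes a simplified route-map that only matches prefix-lists; the 10.9.9.9/32 route with RT 3:3 and all function names are constructed for illustration.

```python
from ipaddress import ip_network

# VPNv4 routes PE2 holds (prefix, route targets), from the show output above.
# The last entry is constructed: a route from a VPN that PE2 does not import.
VPNV4 = [("1.1.1.1/32", {"1:1"}), ("11.11.11.11/32", {"1:1"}),
         ("192.168.12.0/24", {"1:1"}), ("10.9.9.9/32", {"3:3"})]
IMPORT_RTS = {"1:1"}                                   # route-target import 1:1
PREFIX_LISTS = {"CE1_L0": [("permit", "1.1.1.1/32", None, None)]}
IMPORT_MAP = [("permit", "CE1_L0")]                    # route-map IMPORT_MAP permit 10

def prefix_list_permits(entries, prefix):
    """First matching entry wins; no ge/le means an exact-length match."""
    net = ip_network(prefix)
    for action, base, ge, le in entries:
        base = ip_network(base)
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else (32 if ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False                                       # implicit deny

def route_map_permits(clauses, prefix):
    """A clause matches when its prefix-list permits the prefix."""
    for action, pl_name in clauses:
        if prefix_list_permits(PREFIX_LISTS[pl_name], prefix):
            return action == "permit"
    return False                                       # implicit deny

def vrf_import(vpnv4, import_rts, import_map=None):
    """Return the prefixes installed in the VRF, in table order."""
    installed = []
    for prefix, rts in vpnv4:
        if not rts & import_rts:                       # stage 1: RT must match
            continue
        if import_map is not None and not route_map_permits(import_map, prefix):
            continue                                   # stage 2: import map
        installed.append(prefix)
    return installed

def unexpected(observed, allowed):
    """Prefixes seen in the VRF that the policy should have filtered."""
    return sorted(set(observed) - set(allowed))

if __name__ == "__main__":
    print("no import map:", vrf_import(VPNV4, IMPORT_RTS))
    print("IMPORT_MAP   :", vrf_import(VPNV4, IMPORT_RTS, IMPORT_MAP))
```

Feeding `unexpected()` the prefixes taken from `show ip route vrf CUSTOMER bgp` and the model's result gives a quick check that nothing beyond the allow-list reached the customer VRF.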

Let’s see how this influences PE2:

PE2#show ip bgp vpnv4 all 1.1.1.1/32 | include Extended
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200 
PE2#show ip bgp vpnv4 all 11.11.11.11/32 | include Extended
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200 
PE2#show ip bgp vpnv4 all 192.168.12.0/24 | include Extended
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200 

The VPN routes are still there…nothing changes. However, what does change is the routing table for our VRF:



Forum Replies

  1. Hello,

    I labbed a big scenario with almost everything explained in the MPLS section. There are two customers, each one with two sites. So my intention was to test import and export maps, and I thought of this situation:

    So my first failed attempt I tried t

    ... Continue reading in our forum

  2. Hello Ignacio,

    In export-map, when you used it, it makes other route-target in configuration statement useless.

    That sounds correct, I noticed the same behavior in my MPLS VPN export map example.

    In import-maps both the import map and the route target are needed to work properly.

    That sounds right too. Even with the import-map, you still see the VPN routes. The import map influences the VPN routes you import into the VRF.

    Is there any other way to make this simpler? because I think there is no scalability in adding RT labels more and more.

    Hmm I don’t thin

    ... Continue reading in our forum

  3. Hello,

    Really interesting topics I’ve been through recently regarding an internet infrastructure/VPN. We had an issue during operation in which our PE didn’t import the prefix with, let’s say, local pref defined. This operation was made to improve flow repartition (outbound) from multiple datacenters.
    As we didn’t understand what was happening in the first place, we decided to roll back. Then I reproduced the whole infrastructure and figured out that there were (don’t know exactly why) multiple PEs with the same RD for this specific VPN (internet). When I wanted to manipulate

    ... Continue reading in our forum

  4. Hello Yoann

    Thanks for sharing your experience and the procedure you followed to investigate further. It’s always a good idea to troubleshoot by reproducing your topology in a lab environment. If you need any more specific help with your troubleshooting process on this or any other topic, please let us know!

    Laz

  5. Hi Laz,

    1. Is it possible that PE1 can have two identical VPNv4 routes? Here, the same VPNv4
      route means the IP prefix and RD will be the same. How?
    2. Can we also do everything with an import map that we did with the export map?
