VRF Route Leaking Configuration

Generally speaking, multiple VRFs maintain separate routing tables that are independent of each other. But there are scenarios where a specific destination is only reachable from a specific VRF. For example, a DHCP server in one VRF can only be accessible to hosts in that VRF. If clients in other VRFs want to access this DHCP server, we need to have a mechanism where we can have a route in one VRF for which the destination next-hop address is located in a different VRF. 

                                                                   Figure 1. VRF Route Leaking Example

As shown in Figure 1, if hosts attached to R1 in VRF1 wants to access resources located in VRF2 and accessible through R3, we will need to enable route leaking between VRF1 and VRF2. From the topology above, R1 has two interfaces, one each in VRF1 and VRF2. For resources in VRF2 to be accessible to hosts in VRF1, routes in VRF2 needs to be leaked into VRF1. 

Leaked routes once configured on a device can be distributed to neighboring devices through either BGP or OSPF. If a leaked route is a BGP route then it will be dynamically replicated from source to destination VRF by BGP. If the route to be leaked is a non-BGP route, then that route first needs to be redistributed into BGP before it can be leaked to the destination VRF.

Route leaking can be used to reach directly connected hosts in the source VRF as well as reach remote destinations accessible through the source VRF. In Figure 1, the leak will be configured on R1. For the loopback interface 1.1.1.1 on R2 in VRF1, to ping loopback interface 3.3.3.3 on R3 in VRF2, R1 device will need two routes in both VRF1 and VRF2. On R1, the route to reach 3.3.3.3 in VRF2 is 3.3.3.3/32 next-hop 40.92.0.1. Similarly, to reach 1.1.1.1 the route in VRF2 will be 1.1.1.1 next-hop 40.91.0.2 next-hop vrf vrf1. VRF2 does not have a route for loopback 1.1.1.1 in VRF2 hence apart from specifying the next-hop address of 40.91.0.1, the route must also specify the next-hop VRF which in this case is VRF1. Similarly, there are also two routes in VRF1. The two routes in VRF1 on R1 are, 1.1.1.1/32 next-hop 40.91.0.1 and 3.3.3.3/32 next-hop 40.92.0.1 next-hop vrf vrf2.

In PICOS, there is no restriction on leaking routes to and from the default VRF. Routes can be leaked from the default VRF into any user defined VRF and vice versa.



Route Leaking Limitation

  1.  Directly connected subnets or hosts are not allowed to be leaked from one VRF into another. In Figure 1, for example, subnet 40.92.0.0/24 in VRF 2 cannot be leaked into VRF 1 on R1.
  2.  On R3 switch, all routes in VRF2 can be leaked into VRF1 by configuring route leaking on R1 except the subnets directly connected with R1, for example in this case, subnet 40.92.0.0/24 cannot be leaked into VRF1.
  3.  Overlapping addresses in two VRFs are not allowed when enabling route leaking between these two VRFs. It is thus strongly recommended to use non-overlapping addresses in different VRFs before implementing route leaking.
  4.  VRF route leaking doesn't work in case of VXLAN routing. The routes cannot be leaked to a VRF corresponding to an VXLAN instance.

Copyright © 2024 Pica8 Inc. All Rights Reserved.