Wednesday, July 3, 2013

VRF - Exporting and Importing


Question:

I’m working with MP-BGP. I am trying to import and export routes to and from 3 VRFs within the same Cisco 4948 switch.

Essentially I have 3 VRFs: UAT-VRF, GLOBAL-VRF and INFRA-VRF

Route leaking is configured between the following: UAT-VRF-> GLOBAL-VRF <-INFRA-VRF

I also have filter lists which permit certain routes into UAT and INFRA.

ip vrf INFRA-VRF
rd 65201:3
import IPv4 Unicast map INFRA-VRF-IMPORT
route-target export 65201:3
route-target import 65201:1
route-target import 65201:3
!
ip vrf GLOBAL-VRF
rd 65201:1
route-target export 65201:1
route-target import 65201:3
route-target import 65201:1
route-target import 65201:6
!
ip vrf UAT-VRF
rd 65201:6
import IPv4 Unicast map UAT-VRF-IMPORT
route-target export 65201:6
route-target import 65201:6
route-target import 65201:1
!

Note - the import filters are based around prefix lists which do match the exact routes required.

interface Vlan1130
ip vrf forwarding UAT-VRF
ip address 10.11.130.253 255.255.255.0
standby 130 ip 10.11.130.254
standby 130 priority 150
standby 130 preempt
standby 130 authentication md5 key-string

interface Vlan1067
ip vrf forwarding INFRA-VRF
ip address 10.11.67.253 255.255.255.0
standby 67 ip 10.11.67.254
standby 67 priority 150
standby 67 preempt
standby 67 authentication md5 key-string

interface Vlan2508
ip vrf forwarding GLOBAL-VRF
ip address 10.31.8.253 255.255.255.0
standby 8 ip 10.31.8.254
standby 8 priority 150
standby 8 preempt
standby 8 authentication md5 key-string

router bgp 65201
address-family ipv4 vrf UAT-VRF
  redistribute connected
  no synchronization
exit-address-family
address-family ipv4 vrf GLOBAL-VRF
  neighbor 10.31.8.252 remote-as 65201
  neighbor 10.31.8.252 activate
  neighbor 10.31.8.252 send-community both
  no synchronization
exit-address-family
address-family ipv4 vrf INFRA-VRF
  redistribute connected
  no synchronization
exit-address-family
!

Network 10.11.130.0/24 is originated in BGP from the UAT VRF (UAT-VRF) with a redistribute connected (as shown above in the BGP configuration). As you can see below, the GLOBAL-VRF VRF has the imported route successfully. Now we need to leak the best route out into the INFRA-VRF VRF.

SWITCH#sh ip bgp vpnv4 vrf GLOBAL-VRF 10.11.130.0
BGP routing table entry for 65201:1:10.11.130.0/24, version 1485372
Paths: (2 available, best #2, table GLOBAL-VRF)
Advertised to update-groups:
     1         2         3         4
Local
   10.31.8.252 from 10.31.8.252 (10.21.101.248)
     Origin incomplete, metric 0, localpref 100, valid, internal
     Extended Community: RT:65201:1
Local, imported path from 65201:6:10.11.130.0/24, imported path from 65201:6:10.11.130.0/24
   0.0.0.0 from 0.0.0.0 (10.21.101.249)
     Origin incomplete, metric 0, localpref 100, weight 32768, valid, external, best
     Extended Community: RT:65201:6
     mpls labels in/out nolabel/nolabel(GLOBAL-VRF)

Is this technically possible? Or is this not working as expected due to a loop prevention mechanism?

It seems we cannot export an already imported prefix.

Any comments would be appreciated.

Answer:

I think it's not possible, because by the command route-target export you are only exporting the routes which are locally originated, not the ones which are imported from other VRFs. If it is possible without leaking the RT at the needed VRF, then it can be a security issue also...
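
The following is an added example, not part of the original question or answer: a small Python audit of the route-target sets from the configuration above, showing which VRFs receive each other's locally originated routes and which pairs stay separated only because import is not transitive. It assumes the behaviour described in the answer (an imported path keeps its original RT, as the RT:65201:6 on the imported path in the output shows, and is not re-exported) and ignores the import maps, which can only narrow the result further. The function names are illustrative.

```python
# Added example: audit inter-VRF route leaking from route-target configuration.
# Assumption (per the answer above): only locally originated routes carry a VRF's
# export RTs; imported paths keep their original RTs and are not re-exported.
# Import maps (INFRA-VRF-IMPORT, UAT-VRF-IMPORT) are ignored; they only narrow this.

VRFS = {  # route-target sets copied from the configuration in the question
    "INFRA-VRF":  {"export": {"65201:3"}, "import": {"65201:1", "65201:3"}},
    "GLOBAL-VRF": {"export": {"65201:1"}, "import": {"65201:3", "65201:1", "65201:6"}},
    "UAT-VRF":    {"export": {"65201:6"}, "import": {"65201:6", "65201:1"}},
}

def leak_matrix(vrfs):
    """Map each VRF to the other VRFs that import its locally originated routes."""
    return {
        src: {dst for dst, d in vrfs.items()
              if dst != src and s["export"] & d["import"]}
        for src, s in vrfs.items()
    }

def reach_if_reexported(vrfs):
    """Hypothetical reachability if imported routes WERE re-exported (transitive)."""
    direct = leak_matrix(vrfs)
    reach = {src: set(dsts) for src, dsts in direct.items()}
    changed = True
    while changed:
        changed = False
        for src in reach:
            for mid in list(reach[src]):
                new = direct[mid] - reach[src] - {src}
                if new:
                    reach[src] |= new
                    changed = True
    return reach

def isolated_by_non_transitivity(vrfs):
    """Pairs (src, dst) kept apart only because import is not transitive."""
    direct, hypo = leak_matrix(vrfs), reach_if_reexported(vrfs)
    return {(s, d) for s in vrfs for d in hypo[s] - direct[s]}

if __name__ == "__main__":
    for src, dsts in leak_matrix(VRFS).items():
        print(f"{src} local routes are imported by: {sorted(dsts)}")
    for src, dst in sorted(isolated_by_non_transitivity(VRFS)):
        print(f"{src} -> {dst}: no direct RT match, blocked unless an import is added")
```

With the RTs shown, UAT-VRF and INFRA-VRF each exchange routes with GLOBAL-VRF only; leaking 10.11.130.0/24 into INFRA-VRF would require INFRA-VRF to import 65201:6 directly, which makes the widened reachability an explicit configuration decision.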
