Easy Virtual Network (EVN) was a technology Cisco came up with back in the days to make it easier to implement VRFs without the pain of running VRF lite or the complexity of running a full MPLS + BGP network. It was actually a pretty cool technology but never became mainstream. However, as part of this technology, Cisco also made it easier to replicate, or in other words leak, routes between VRFs. You don’t need the rest of EVN to do this and this simplified way of replicating routes have kind of been forgotten by the industry. I thought I would share with you the ease of replicating routes with this feature even without BGP.

We have a straight forward topology like the one below:

The USERS switch is a L2 switch and all the L3 configuration is in the CORE router. We have implemented segmentation in the network so we have a USERS VRF and then we have a SERVICES VRF for shared services such as DNS and DHCP. Because these services are in a separate VRF, we will not have reachability to them from the USERS VRF. This lab will use the following IP addresses:

User – 10.0.0.10

DNS – 172.16.0.10

DHCP – 172.16.0.20

The Core has a very basic configuration for now:

CORE#sh run vrf USERS
Building configuration...

Current configuration : 209 bytes
vrf definition USERS
 !
 address-family ipv4
 exit-address-family
!
!
interface GigabitEthernet2
 vrf forwarding USERS
 ip address 10.0.0.1 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
end

CORE#sh run vrf SERVICES
Building configuration...

Current configuration : 299 bytes
vrf definition SERVICES
 !
 address-family ipv4
 exit-address-family
!
!
interface GigabitEthernet1
 vrf forwarding SERVICES
 ip address 192.168.0.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 negotiation auto
 no mop enabled
 no mop sysid
!
router ospf 1 vrf SERVICES
!
!
end

The Core is running OSPF towards the SERVICES router to learn the routes for the DHCP server and DNS server. These are really just two loopbacks on the SERVICES router.

The user can reach the CORE but not the servers:

USER:~$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=42 time=3.370 ms
64 bytes from 10.0.0.1: seq=1 ttl=42 time=2.723 ms
64 bytes from 10.0.0.1: seq=2 ttl=42 time=2.962 ms
^C
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.723/3.018/3.370 ms
USER:~$ ping 172.16.0.10
PING 172.16.0.10 (172.16.0.10): 56 data bytes
^C
--- 172.16.0.10 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

This is of course expected as the USERS vrf in the CORE does not have any routes for these servers:

CORE#sh ip route vrf USERS

Routing Table: USERS
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet2
L        10.0.0.1/32 is directly connected, GigabitEthernet2

We need to get routes from the SERVICES VRF into the USERS VRF. This is where the route-replicate command can help us.

CORE(config)#vrf definition USERS
CORE(config-vrf)#address-family ipv4
CORE(config-vrf-af)#route-replicate from vrf SERVICES unicast ospf 1 

Now, let’s take another look at the routing table for VRF USERS:

CORE#show ip route vrf USERS

Routing Table: USERS
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet2
L        10.0.0.1/32 is directly connected, GigabitEthernet2
      172.16.0.0/32 is subnetted, 2 subnets
O   +    172.16.0.10 
           [110/2] via 192.168.0.2 (SERVICES), 00:16:43, GigabitEthernet1
O   +    172.16.0.20 
           [110/2] via 192.168.0.2 (SERVICES), 00:16:26, GigabitEthernet1

Notice that we now have routes to 172.16.0.10 and 172.16.0.20 via the VRF SERVICES and the next-hop is 192.168.0.2 which is the IP of the SERVICES router on that interface. The plus sign before the route shows that it is a replicated route. We can also see more details if we check a specific route:

CORE#show ip route vrf USERS 172.16.0.10

Routing Table: USERS
Routing entry for 172.16.0.10/32
  Known via "ospf 1", distance 110, metric 2, type intra area, 
   replicated from topology(SERVICES)
  Last update from 192.168.0.2 on GigabitEthernet1, 00:22:00 ago
  Routing Descriptor Blocks:
  * 192.168.0.2 (SERVICES), from 192.168.0.2, 00:22:00 ago, via GigabitEthernet1
      Route metric is 2, traffic share count is 1

The other thing that we need to do, and I forgot that at first, is to replicate in the other direction. Otherwise the SERVICES VRF will not have any routes back to the USERS VRF. Let’s configure that:

CORE(config)#vrf definition SERVICES
CORE(config-vrf)#address-family ipv4
CORE(config-vrf-af)#route-replicate from vrf USERS unicast all

Let’s see what routes we have now in the VRF:

CORE#show ip route vrf SERVICES

Routing Table: SERVICES
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C   +    10.0.0.0/24 is directly connected, GigabitEthernet2
L   &    10.0.0.1/32 is directly connected, GigabitEthernet2
      172.16.0.0/32 is subnetted, 2 subnets
O        172.16.0.10 [110/2] via 192.168.0.2, 00:24:12, GigabitEthernet1
O        172.16.0.20 [110/2] via 192.168.0.2, 00:23:55, GigabitEthernet1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet1
L        192.168.0.1/32 is directly connected, GigabitEthernet1

Notice the 10.0.0.0/24 route with a plus sign that says directly connected. We can see more details below:

CORE#show ip route vrf SERVICES 10.0.0.0 255.255.255.0

Routing Table: SERVICES
Routing entry for 10.0.0.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface), 
   replicated from topology(USERS)
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet2
      Route metric is 0, traffic share count is 1

That should be all that we need. Hopefully… Can we ping the servers from the user now?

USER:~$ ping 172.16.0.10
PING 172.16.0.10 (172.16.0.10): 56 data bytes
64 bytes from 172.16.0.10: seq=0 ttl=42 time=3.531 ms
64 bytes from 172.16.0.10: seq=1 ttl=42 time=4.678 ms
64 bytes from 172.16.0.10: seq=2 ttl=42 time=4.166 ms
^C
--- 172.16.0.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3.531/4.125/4.678 ms
USER:~$ ping 172.16.0.20
PING 172.16.0.20 (172.16.0.20): 56 data bytes
64 bytes from 172.16.0.20: seq=0 ttl=42 time=3.126 ms
64 bytes from 172.16.0.20: seq=1 ttl=42 time=6.193 ms
64 bytes from 172.16.0.20: seq=2 ttl=42 time=4.053 ms
^C
--- 172.16.0.20 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3.126/4.457/6.193 ms

And there you have it! We successfully configured route replication, or in another name, route leaking, without having to use BGP! That is pretty powerful. Let me know what you think and see you next time.

Route Replication the Easy Way
Tagged on:             

9 thoughts on “Route Replication the Easy Way

  • September 17, 2021 at 9:41 am
    Permalink

    Thats so cool! Do you see EVN deployments much in the wild Daniel or is it superseded with the typical MP-BGP deployments?

    Reply
    • September 17, 2021 at 12:47 pm
      Permalink

      To be honest I’ve never seen one myself but some people on Twitter mentioned they had used it so it’s not unheard of. Most run VRF lite until it becomes painful and then move onto MPLS + BGP if supported.

      Reply
    • September 18, 2021 at 7:27 pm
      Permalink

      Way cool. I’m really glad I happened upon this Blog
      Thank you for that.

      Reply
  • September 17, 2021 at 2:57 pm
    Permalink

    Thank you for sharing this, a very useful and clear technical demonstration on how to configure this. My thoughts was though on potential use cases for this? Most orgs or networks making use of VRFs are for segmentation purposes. Would it be possible as well to only use the route-replicate command for a single prefix or route advertisement?

    Thanks as always for the useful blogs

    Reply
    • September 20, 2021 at 7:44 am
      Permalink

      Hi Nathan!

      When you have segmented a network you still need access to other services. Commonly these are services such as DHCP, DNS, network management, Syslog, Active Directory, and so on. You then have to fuse the networks somewhere. This could be a router or perhaps more commonly a firewall.

      Some of the designs I have seen are companies that sell some kind of service and have multiple customers coming in on a router. They then need to provide routing towards a shared environment and that’s the perfect scenario for route leaking.

      You can filter routes in two ways with the route-replicate command. You can filter from what protocols you want to replicate routes and you can also optionally attach a route-map. Like in the example below:

      vrf definition green
      !
      address-family ipv4
      route-replicate from vrf blue unicast all route-map blue-map
      !
      route-map blue-map permit 10
      match ip address prefix-list server-prefix

      Reply
  • September 18, 2021 at 11:12 pm
    Permalink

    Cool, thank you Daniel!
    yes, love to hear your answer on Nathan’s question – Would it be possible as well to only use the route-replicate command for a single prefix or route advertisement? – that would be more practical.

    Reply
  • September 24, 2021 at 9:39 am
    Permalink

    Thans – this is very usefull!

    Reply
  • September 24, 2021 at 11:05 pm
    Permalink

    Now if only this worked with global (or if I had the foresight to build everything into VRFs).

    Reply
    • October 1, 2021 at 5:03 am
      Permalink

      It does work with global as well 🙂

      Never too late to start doing some more segmentation.

      Reply

Leave a Reply

Your email address will not be published.