Monday, January 20, 2020

VRFs direct communication without respective RD imports

Hello guys!

So basically I'm relatively new to the ISP networking models and technologies, and I just came across something that is confusing me. I have a solid comprehension of MP-BGP, L3 VPN, MPLS (at least I believe so :p) and the respective deployments. However, this thing is not making sense to me.

Concretely, to cut it short and precise, I was trying to get two data center subnets (2 separate VRFs, let's say A and B) to communicate through one of our firewalls (so removing their old direct communication through RD imports). The firewall has its own VRFs (VRF C for "inbound" traffic and VRF D for "outbound" traffic). So VRF A imports VRF D (and consequently gets a route to B with the firewall as next hop) and VRF B imports VRF C (and consequently gets a route to A with the firewall as next hop).

Everything seems fine and all necessary routes are perfectly distributed.

VRF A: 172.24.60.0/24

VRF B: 172.24.2.0/24

However, when trying out the communication A to B or vice versa, the subnets still communicate directly with each other (I made sure that they have no direct RD imports). The output of "show ip route" for each VRF shows the respective destination prefixes using the firewall as next hop (as intended), but if I use the aforementioned command with a host IP (not the subnet) I get the following:

- sh ip route vrf A 172.24.2.14

172.24.2.14/32, ubest/mbest: 1/0 time, attached

*via 172.24.2.14%B, VlanX, [250/0], attached-export

This is the part that is confusing me. Where did this route come from? The VRF's best route is via the firewall, but this is the route that is actually still being used. Additionally, these direct /32 routes are not in the BGP VPNv4 table for either VRF...

Please enlighten me, guys, I'm kinda lost here :D

Thanks!
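A small check for the situation described above, added here as an example and not part of the original post: it parses "show ip route vrf" lines in the shape quoted, flags entries whose next hop resolves in another VRF or was installed by attached-export, and shows why the leaked /32 is preferred over the /24 that points at the firewall (longest prefix match). The sample output and the firewall next hop 172.24.100.1 are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of NX-OS "show ip route vrf A" output: the intended /24
# via the firewall (next hop 172.24.100.1 is an assumed value) plus the leaked /32 from the post.
SAMPLE_OUTPUT = """\
172.24.2.0/24, ubest/mbest: 1/0
    *via 172.24.100.1, [200/0], 01:02:03, bgp-65000, internal, tag 65000
172.24.2.14/32, ubest/mbest: 1/0 time, attached
    *via 172.24.2.14%B, VlanX, [250/0], attached-export
"""

PREFIX_RE = re.compile(r"^(\S+/\d+), ubest/mbest:")
VIA_RE = re.compile(r"^\s*\*?via ([^,\s]+)(?:,\s*(.*))?$")


@dataclass
class Route:
    prefix: str
    next_hop: str
    next_hop_vrf: Optional[str]  # VRF named after '%' in the next hop; None = local VRF
    flags: List[str] = field(default_factory=list)


def parse_routes(output: str) -> List[Route]:
    """Pair each 'via' line with the prefix line that precedes it."""
    routes, prefix = [], None
    for line in output.splitlines():
        pm = PREFIX_RE.match(line)
        if pm:
            prefix = pm.group(1)
            continue
        vm = VIA_RE.match(line)
        if prefix and vm:
            nh, _, vrf = vm.group(1).partition("%")
            flags = [f.strip() for f in (vm.group(2) or "").split(",") if f.strip()]
            routes.append(Route(prefix, nh, vrf or None, flags))
    return routes


def leaked_routes(routes: List[Route]) -> List[Route]:
    """Routes resolving in another VRF or installed by attached-export: these bypass the firewall."""
    return [r for r in routes if r.next_hop_vrf is not None or "attached-export" in r.flags]


def best_route_for(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match, which is why a leaked /32 beats the /24 that points at the firewall."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r.prefix, strict=False)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)
```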
