Hello everybody,
today I dived into some MPLS and I stumbled upon VRF Import map and VRF Export map
I was a bit confused by Keith's explanation (INE MPLS class) when he implemented VRF Export map.
He created a route-map to add a specific Route-Target to a matching route and then said that an empty route-map entry needs to be created so that other updates (without modifying RT) will be permitted to be exported as well
However, when I labbed it up, it worked even without that permit any entry in the route-map
So I dug deeper and here is what I found out
when I want to control what is going to be imported into VRF I have 2 options
route-target import AS:NN and optionally import map NAME
-> when using only the route-target import AS:NN, all routes that have the extended community set to AS:NN will be imported
-> when using only import map NAME, nothing gets imported
-> when using both, only the routes that have the extended community set to AS:NN AND are allowed in the route-map will be imported
this is what Cisco material says as well (http://www.cisco.com/en/US/docs/ios/mpl ... #wp1012826)
when I want to control what is going to be exported out of VRF I have 2 options
route-target export AS:NN and optionally export map NAME
-> when using only the route-target export AS:NN, all routes being exported will have the extended community set to AS:NN
-> when using only the export map NAME, only routes allowed in the route map will have the extended community set and will be exported
-> when using both, all routes will be exported, no matter how restrictive the export map might be
so apparently if an export map is marking only some routes with the same extended community value and route-target export is marking all routes with the same extended community value, in the end all routes will be marked, even the ones that were denied by the selective route-map
which basically matches what Cisco says here (http://www.cisco.com/en/US/docs/ios/mpl ... #wp1012602)
so with these facts confirmed, let's have a situation like this
we have 4 routes that we are exporting
Code:
! static RTs attached to every route exported from the VRF
ip vrf <VRF NAME>
 route-target export 10:43
 route-target export 10:44
 export map ADD_45
!
! route-map referenced by the export map: adds 10:45 to the one matching route
route-map ADD_45 permit 10
 match ip address prefix-list <IP PREFIX-LIST THAT MATCHES ONLY 1 ROUTE>
 set extcommunity rt 10:45 additive
all 4 routes have an extended community set to 10:43
all 4 routes have an extended community set to 10:44
one of these 4 routes has an extended community set to 10:45
I confirmed this in my GNS3 topology
Sooo to sum it up
By default every route-map ends with an implicit deny any and this case is no exception
there is no need to add a permit any statement to the route-map
export map does not filter the routes being exported (unlike the import map), it only manipulates RT information associated to certain routes
I am sorry for such a long post
It took me some time to write it and to verify my assumptions and come to conclusions mentioned above.
I learned a lot while labbing it up and actually writing this.
The question is, why did Keith add that permit any statement to the end of the route map?
I tried adding it while running debug ip routing and no new routes were added (the reason why is mentioned above in those 3 statements associated with an export map)
It certainly did not break anything but in my opinion it is not necessary / needed
Did this behavior change in a recent IOS version (I am running 12.4(15)T13 advanced enterprise services) or did Keith add it just because of a habit (it is certainly required when doing route filtering when redistributing)?
If you actually read it till here, please reply and say what you think about it
//edit:
this topic here (http://www.sadikhov.com/forum/index.php ... xport-map/) also says that an export map is used to manipulate RT and not to do the filtering (unlike the import map)
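
Added example, not part of the original post: a small Python model of the export and import behaviour the post reports, run over its four-route scenario so you can check which VRFs a route would reach. The prefixes and helper names are constructed for illustration, and prefix-list matching is simplified to exact membership.

```python
# Model of the VRF export/import behaviour reported in the post above.
# A route-map is a list of (action, set_of_prefixes, rts_to_add) entries.
# Assumption: prefix-list matching is reduced to exact-prefix membership.

def export_rts(prefix, static_rts, export_map=None):
    """RTs carried by a route leaving the VRF."""
    rts = set(static_rts)                  # route-target export AS:NN
    for action, prefixes, add in export_map or []:
        if prefix in prefixes:             # first matching entry decides
            if action == "permit":
                rts |= set(add)            # set extcommunity rt ... additive
            break
    return rts                             # no match: static RTs are untouched

def is_imported(prefix, rts, import_rts, import_map=None):
    """A route needs a matching RT and, if an import map exists, a permit."""
    if not set(rts) & set(import_rts):
        return False                       # import map alone imports nothing
    if import_map is None:
        return True
    for action, prefixes, _ in import_map:
        if prefix in prefixes:
            return action == "permit"
    return False                           # implicit deny at end of route-map

# Constructed sample data: four exported routes, one matched by ADD_45.
ROUTES = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
ADD_45 = [("permit", {"10.0.3.0/24"}, {"10:45"})]

def exported(static_rts, export_map=None):
    """Map each sample route to the RT set it is exported with."""
    return {p: export_rts(p, static_rts, export_map) for p in ROUTES}

def imported_into(exports, import_rts, import_map=None):
    """Prefixes a remote VRF with these import settings would accept."""
    return sorted(p for p, rts in exports.items()
                  if is_imported(p, rts, import_rts, import_map))

if __name__ == "__main__":
    both = exported({"10:43", "10:44"}, ADD_45)
    for prefix, rts in both.items():
        print(prefix, sorted(rts))
    print("VRF importing 10:45 receives:", imported_into(both, {"10:45"}))
    print("VRF importing 10:43 receives:", imported_into(both, {"10:43"}))
```
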