NSX 4.x VRF Gateways – Part 3: VRF Route Leaking

Welcome to part 3 of the NSX VRF series. Part 1 of this series discussed VRF architecture, and part 2 demonstrated data plane isolation between the VRF instances.

In this post, I will demonstrate how to establish communication between 2 VRFs using VRF Route Leaking.

If you are not following along, I encourage you to read the earlier parts of this series from the links below:

1: NSX VRF Gateway – Architecture & Configuration

2: VRF Config Validation & Traffic Flows

By default, the data plane traffic between VRF instances is isolated in NSX. You can exchange traffic between 2 VRFs by configuring VRF Route Leaking. In this technique, static routes are configured on the VRF gateways to steer traffic towards other VRF gateways.

There are 2 supported topologies for VRF route leaking:

  • Local VRF-to-VRF route leaking
  • Northbound VRF leaking

Note: A multi-tier routing architecture is required for traffic to be exchanged in a VRF leaking topology, as static routes pointing to Tier-1 distributed router (DR) uplinks are necessary.

To find the IP address of the Tier-1 DR uplinks, you can use the network topology view tool in the NSX UI.

Alternatively, you can collect the IP details by going into a VRF in the edge nodes and using the command “get interfaces”.

Based on this information, let’s recollect the networking configuration from the lab.

The goal here is to allow traffic between the 40.x and 50.x networks attached to VRF-Red-T1 and VRF-Blue-T1, respectively.

We have collected the following network information so far:

To establish connectivity between the Red and the Blue VRF, the following static routes need to be programmed on the VRF Tier-0 gateways:

  • T0-VRF-Blue: 192.168.50.0/24 next-hop 100.64.0.7
  • T0-VRF-Red: 192.168.40.0/24 next-hop 100.64.0.5

Edit the VRF Tier-0 gateway and add a static route under Routing.

Click Add Static Routes and specify the VRF-T1 network you want to reach. Click Set to define the next hop for this traffic.

Set the Tier-1 DR uplink IP and limit the scope to the VRF you want to reach.

Repeat the steps for the other VRF gateway. 

Note: If you configure a static route on only one VRF gateway, you won’t be able to reach the other VRF network. 
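An added example, not from the original post or from NSX itself: a small Python audit of the leak routes described above. It flags a missing return route (the case in the note), a next hop that is not a Tier-1 DR uplink in the scoped VRF, and a leaked prefix wider than the target VRF's segments. The inventory is constructed, the mapping of 100.64.0.7 to VRF-Blue-T1 and 100.64.0.5 to VRF-Red-T1 is an assumption, and all function and field names are hypothetical.

```python
import ipaddress

# Constructed inventory (not exported from NSX): each VRF's leakable segments
# and Tier-1 DR uplink IP. Assumes 100.64.0.7 is the VRF-Blue-T1 uplink and
# 100.64.0.5 the VRF-Red-T1 uplink.
VRFS = {
    "T0-VRF-Red":  {"segments": ["192.168.40.0/24"], "t1_uplinks": ["100.64.0.5"]},
    "T0-VRF-Blue": {"segments": ["192.168.50.0/24"], "t1_uplinks": ["100.64.0.7"]},
}
# Each leak: gateway holding the static route, prefix, next hop, scoped VRF.
LEAKS = [
    ("T0-VRF-Red",  "192.168.50.0/24", "100.64.0.7", "T0-VRF-Blue"),
    ("T0-VRF-Blue", "192.168.40.0/24", "100.64.0.5", "T0-VRF-Red"),
]

def audit_leaks(vrfs, leaks):
    """Return a sorted list of findings for a set of VRF leak routes."""
    findings = []
    pairs = {(src, dst) for src, _, _, dst in leaks}
    for src, prefix, hop, dst in leaks:
        net = ipaddress.ip_network(prefix)
        target = vrfs.get(dst)
        if target is None or src == dst:
            findings.append(f"{src}: {prefix} has invalid scope {dst}")
            continue
        # The leaked prefix should stay inside the segments the target VRF owns;
        # anything wider exposes more of that VRF than intended.
        owned = [ipaddress.ip_network(s) for s in target["segments"]]
        if not any(net.subnet_of(o) for o in owned):
            findings.append(f"{src}: {prefix} is wider than or outside {dst} segments")
        if hop not in target["t1_uplinks"]:
            findings.append(f"{src}: next hop {hop} is not a Tier-1 DR uplink in {dst}")
        # A leak with no route configured in the opposite direction has no return path.
        if (dst, src) not in pairs:
            findings.append(f"{src}: no return route on {dst}")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit_leaks(VRFS, LEAKS) or ["leaks are symmetric and scoped"]:
        print(line)
```
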

Validation

1: Log in to the Red and Blue VMs, ping the destination networks, and validate that you are getting a result.

1.1: The red VM can ping the blue VM. 

1.2: The blue VM can ping the red VM.

2: Validate that the configured static route appears in the VRF gateway’s SR component.

2.1: Red VRF Routing Table

2.2: Blue VRF Routing Table

And that’s it for this post. In the next post, I will discuss Inter-VRF routing.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.
