nanog mailing list archives

RE: internet routing table in a vrf


From: Matt Newsom <matt.newsom () RACKSPACE COM>
Date: Fri, 8 Mar 2013 16:40:01 +0000

Internet in a VRF is doable on most platforms and definitely adds a lot of flexibility.

1) control plane  (route reflectors )
          This is really dependent on your platform and whether you are doing multiple RDs or not. If you divide your 
transit into regions and filter based upon RT you can tier your route-reflectors to get plenty of scalability.

2) forward plane (recursive lookup issues)
          Most platforms program prefixes with associated labels slower, so your base convergence will suffer. In 
addition, if you want to run PIC you will likely be left with a bit of custom engineering to make it work. VPNs hide 
the next hop behind the loopback of the PE, so next-hop failure awareness of an edge tie will be lost. If you can 
stomach the double lookup you can run per-VRF labels (per-prefix isn't feasible on most platforms) and weight up your 
edge ties and force a bounce back to another PE; otherwise you will be stuck with BGP control-plane-based convergence 
with per-CE labels.

3) Operational
       It's definitely harder to train operations people on how to look in a VRF.

4) DDOS
       It's actually much easier to design a DDoS filtering system if everything is in VRFs. If you create separate 
VRFs for transit and subscription you can have extreme flexibility in DDoS filtering. The import/export flexibility 
allows for injection of /32s or /128s into your transit VRF, and you can simply hang your DDoS mitigation seems between 
the transit and subscription VRFs.

5) BCP and RFC that would break, e.g. "BGP-SEC does not support in today's draft to check prefixes within the VPN"
       We haven't found any significant functionality we would want to use, other than PIC, that it would break, and 
there was a workaround for that.

6) Vendor specifics
    You are probably OK with most vendors, but a few still have issues with table carving, and a few don't support 6VPE.


-----Original Message-----
From: beavis daniels [mailto:beavis.daniels () gmail com] 
Sent: Thursday, March 07, 2013 2:23 PM
To: nanog () nanog org
Subject: internet routing table in a vrf

hi

I would like to enquire about the cons/pros of running a full Internet routing table in a VRF and the potential challenges 
of operating it in a VPN across a large network that does peering and provides transit.

I'm not a fan of supporting running it in a VRF.

I am looking for a list of operational and technical challenges,

specifically around
1) control plane  (route reflectors )
2) forward plane (recursive lookup issues)
3) Operational
4) DDOS
5) BCP and RFC that would break, e.g. "BGP-SEC does not support in today's draft to check prefixes within the VPN"
6) Vendor specifics
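The transit/subscription split with a /32 diversion that Matt describes under point 4, as an added Cisco IOS-style configuration sketch that is not from either poster. VRF names, AS number 65000, route targets, the scrubber addresses and the victim host 198.51.100.25 are all assumed values.

```config
! Assumed layout: TRANSIT carries the full Internet table learned from
! peers and upstreams; SUBSCRIPTION carries customer routes.
vrf definition TRANSIT
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  ! Import customer aggregates so transit can reach subscribers
  route-target import 65000:200
 exit-address-family
!
vrf definition SUBSCRIPTION
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  ! Import the Internet table so subscribers can reach the world
  route-target import 65000:100
 exit-address-family
!
! The scrubber hangs between the two VRFs: dirty leg in TRANSIT,
! clean leg in SUBSCRIPTION (addresses assumed).
interface GigabitEthernet0/1
 description DDoS scrubber - dirty side
 vrf forwarding TRANSIT
 ip address 10.255.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 description DDoS scrubber - clean side
 vrf forwarding SUBSCRIPTION
 ip address 10.255.0.5 255.255.255.252
!
! Diversion: inject a /32 for the attacked host into TRANSIT only.
! It is more specific than the aggregate leaked via RT 65000:200, so
! inbound traffic is pulled to the scrubber's dirty leg; the scrubber
! forwards clean traffic on its SUBSCRIPTION leg, which still follows
! the normal customer route. The tag keeps only diversion routes
! eligible for redistribution.
ip route vrf TRANSIT 198.51.100.25 255.255.255.255 10.255.0.2 tag 666
!
router bgp 65000
 address-family ipv4 vrf TRANSIT
  redistribute static route-map DIVERT-ONLY
 exit-address-family
!
route-map DIVERT-ONLY permit 10
 match tag 666
 ! Keep the /32 inside the AS; never leak it to eBGP peers
 set community no-export
```

Because the /32 lives only in TRANSIT, the SUBSCRIPTION VRF (and the scrubber's clean leg) keep routing to the customer normally, which is what avoids a forwarding loop through the scrubber.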

