Internet in a vrf is doable on most platforms and definitely adds a lot of
flexibility.
1) control plane (route reflectors )
This is really dependent on your platform and whether you are doing
multiple RD's or not. If you divide your transit into regions and filter based
upon RT you can tier your route-reflectors to get plenty of scalability.
2) forward plane (recursive lookup issues)
Most platforms program prefix's with associated labels slower so your
base convergence will suffer. In addition if you want to run PIC you will
likely be left with a bit of custom engineering to make it work. VPN's hide
the next hop behind the loopback of the PE so next hop failure awareness of an
edge tie will be lost. If you can stomach the double lookup you can run per-vrf
labels (per prefix isn't feasible on most platforms) and weight up your edge
ties and force a bounce back to another PE, otherwise you will be stuck with
bgp control plane based convergence with per-ce labels.
3) Operational
It's definitely harder to train operation people on how to look in a vrf.
4) DDOS
It's actually much easier to design a DDOS filtering system if
everything is in VRF's. If you create separate vrf's for transit and
subscription your can have extreme flexibility in DDOS filtering. The import
export flexibility allows for injection of /32 or /128's into your transit vrf
and you can simply hang your DDOS mitigation seems between the transit and
subscription VRF's.
5) BCP and RFC that would break eg "BGP-SEC does not support in todays draft
to check prefixs within the VPN"
We haven't found any significant functionality we would want to use
other than PIC that it would break, and there was a work around with that.
6) Vendor specifics
You are probably ok with most vendors but a few still have issues with
table carving, and a few don't support 6VPE.
-----Original Message-----
From: beavis daniels [mailto:beavis.dani...@gmail.com]
Sent: Thursday, March 07, 2013 2:23 PM
To: nanog@nanog.org
Subject: internet routing table in a vrf
hi
I would to enquire about the cons/pros of running a full internet routing table
in a vrf and the potential challenges of operating it in a VPN cross a large
network that does peering and provide transit.
I not a fan to support running it in a vrf.
I am looking for a list of operational and technical challenges
specifically around
1) control plane (route reflectors )
2) forward plane (recursive lookup issues)
3) Operational
4) DDOS
5) BCP and RFC that would break eg "BGP-SEC does not support in todays draft
to check prefixs within the VPN"
6) Vendor specifics
