Internet in a vrf is doable on most platforms and definitely adds a lot of 
flexibility. 

1) control plane  (route reflectors )
          This is really dependent on your platform and whether you are doing 
multiple RD's or not. If you divide your transit into regions and filter based 
upon RT you can tier your route-reflectors to get plenty   of scalability.

2) forward plane (recursive lookup issues)
          Most platforms program prefix's with associated labels slower so your 
base convergence will suffer. In addition if you want to run PIC you will 
likely be left with a bit of custom engineering to make it    work. VPN's hide 
the next hop behind the loopback of the PE so next hop failure awareness of an 
edge tie will be lost. If you can stomach the double lookup you can run per-vrf 
labels (per prefix isn't feasible on most platforms) and weight up your edge 
ties and force a bounce back to another PE, otherwise you will be stuck with 
bgp control plane based convergence with per-ce labels.

3) Operational
       It's definitely harder to train operation people on how to look in a vrf.

4) DDOS
       It's actually much easier to design a DDOS filtering system if 
everything is in VRF's. If you create separate vrf's for transit and 
subscription your can have extreme flexibility in DDOS filtering. The import 
export flexibility allows for injection of /32 or /128's into your transit vrf 
and you can simply hang your DDOS mitigation seems between the transit and 
subscription VRF's.

5) BCP and RFC that would break  eg "BGP-SEC does not support in todays draft 
to check prefixs within the VPN"
       We haven't found any significant functionality we would want to use 
other than PIC that it would break, and there was a work around with that.

6) Vendor specifics
    You are probably ok with most vendors but a few still have issues with 
table carving, and a few don't support 6VPE.

            



-----Original Message-----
From: beavis daniels [mailto:beavis.dani...@gmail.com] 
Sent: Thursday, March 07, 2013 2:23 PM
To: nanog@nanog.org
Subject: internet routing table in a vrf

hi

I would to enquire about the cons/pros of running a full internet routing table 
in a vrf and the potential challenges of operating it in a VPN cross a large 
network that does peering and provide transit.

I not a fan to support running it in a vrf.

I am looking for a list of operational and technical challenges

specifically around
1) control plane  (route reflectors )
2) forward plane (recursive lookup issues)
3) Operational
4) DDOS
5) BCP and RFC that would break  eg "BGP-SEC does not support in todays draft 
to check prefixs within the VPN"
6) Vendor specifics

Reply via email to