[c-nsp] Inserting a default route into a MPLS/VPN pointing out of the VRF

Phil Bedard philxor at gmail.com
Mon Oct 19 20:16:36 EDT 2009


If you are already using a VRF to carry the default table you should   
be able to import a default route from that vrf into your customer  
vrf.  You can use an import-map to select only the default.  The only  
time I've implemented something similar to this I've used external  
firewalls which have their own trusted sub-int into the customer  
network and their untrust side connected to an Internet router.   
Similar to what you say you are doing on the datacenter side.  You  
could do the same thing without a firewall, just need a dedicated  
trunk so you can bridge between the default VRF/global table and the  
customer VRF.  Then just static routes out that interface.

Phil


On Oct 19, 2009, at 5:49 PM, Justin Shore wrote:

> I'm having to rush a MPLS/VPN into service this week.  Certain  
> customers will connect into this MPLS/VPN on PEs facing L2 switches  
> with sub-ints in the correct VRF, MLPPP bundles, direct connect to  
> PEs, etc (lots of variety down the road).  Simple so far.  The  
> majority of the traffic will exit our network out another PE at a  
> peering point across our network, exiting out another interface also  
> assigned to the same VRF. Still simple.  I'm doing similar things  
> today to support our data center and some other L3VPNs.  Easy stuff.
>
> The problem that I'm faced with is figuring out how to insert a  
> default route into that MPLS/VPN.  I do this today with the data  
> center VRFs with the assistance of a FWSM in our core.  I insert a  
> default route pointed to the backside of the customer's context on  
> the FWSM; that route is a static in the VRF.  The FWSM bridges the  
> gap between my MPLS/VPN and my default VRF quite nicely.  However in  
> this situation I can't use the FWSMs.  I need to extract traffic  
> from the VRF for the private network and out into the default VRF on  
> my core where I keep my Internet routes.  Longest-match will take  
> care of the MPLS/VPN routes to properly route traffic to my peer.   
> Everything else needs to get out of the VRF and to the Internet.
>
> At my main POP I'm planning on inserting 2 default routes, 1 from  
> each core router with different weights.  My dual core routers are  
> homed to both of my border routers.  Here's the simplified topology:
>
>
> BR1   BR2
> |  \/  |
> |  /\  |
> | /  \ |
> P1----P2----PE1--Peer
> |      |
> |      |
> PE2     PE3
> |      |
> CE1    CE2
>
> There are more Ps and PEs but this gets the general idea across.
>
> I've come across route-leaking examples but they all require me to  
> point traffic to an outward-facing interface.  Ie, I can't just  
> point the default route to a specific upstream-facing interface.  Is  
> there another way?  I can't see a solution with importing routes at  
> the route-target level.  Can I point it to a loopback outside of the  
> VRF?
>
> http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
>
> This is probably a simple process but I haven't had to do it before  
> without the FWSM which made it trivially easy.  What simple solution  
> have I overlooked and will kick myself for missing later?
>
> Thanks
> Justin
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
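
The import-map approach from the reply above, sketched as Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread. It assumes the Internet routes live in a real VRF that exports a default route with its own route-target; the VRF names, the AS number and the RD/RT values are all constructed for illustration.

```cisco
! Added example; all names and numbers below are constructed.
! Assumes an Internet VRF exports 0.0.0.0/0 into VPNv4 with RT 65000:999.
!
ip vrf CUSTOMER
 rd 65000:100
 route-target export 65000:100
 ! Customer's own VPN routes
 route-target import 65000:100
 ! Routes exported by the Internet VRF
 route-target import 65000:999
 ! The import map is applied to every route imported into this VRF
 import map CUSTOMER-IMPORT
!
! Standard extcommunity lists identify which VRF a route came from
ip extcommunity-list 1 permit rt 65000:100
ip extcommunity-list 2 permit rt 65000:999
!
! Exact match on the default route only (no "le 32")
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Sequence 10: keep accepting the customer's own VPN routes unchanged.
! Without this, an import map that permits only the default would
! also drop the customer's intra-VPN routes.
route-map CUSTOMER-IMPORT permit 10
 match extcommunity 1
!
! Sequence 20: from the Internet VRF, accept the default route and
! nothing else. Both match lines must be true for the route to pass.
route-map CUSTOMER-IMPORT permit 20
 match extcommunity 2
 match ip address prefix-list DEFAULT-ONLY
!
! Implicit deny at the end of the route-map keeps every other
! Internet-VRF prefix out of the customer VRF.
```

On a PE, `show ip route vrf CUSTOMER 0.0.0.0` should show the imported default, and `show ip bgp vpnv4 vrf CUSTOMER` should list no other prefixes carrying the Internet route-target.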


