[c-nsp] Inserting a default route into a MPLS/VPN pointing out of the VRF

Justin Shore justin at justinshore.com
Tue Oct 20 16:31:13 EDT 2009


Phil Bedard wrote:
> If you are already using a VRF to carry the default table you should be
> able to import a default route from that vrf into your customer vrf.
> You can use an import-map to select only the default.  The only time 
> I've implemented something similar to this I've used external firewalls 
> which have their own trusted sub-int into the customer network and their 
> untrust side connected to an Internet router.  Similar to what you say 
> you are doing on the datacenter side.  You could do the same thing 
> without a firewall, just need a dedicated trunk so you can bridge 
> between the default VRF/global table and the customer VRF.  Then just 
> static routes out that interface.

Thanks to all the replies.  I didn't word my initial message very well. 
My Internet tables are in the default VRF (i.e., the global VRF).  I 
don't carry around Inet tables in dedicated VRFs (though I've been told 
by some that this is a good idea).

My FWSMs provided me the same functionality as your external FWs. 
Unfortunately this is for raw, unfiltered and unprotected customer 
Internet access.  I suppose a different technique would be to take these 
special customers and use routing to push traffic destined for the 
special peering network into that dedicated VRF and keep all their other 
traffic in the default VRF.  That said, I can't envision a way to 
accomplish that.  I think it's easier to start in the dedicated VRF 
and leak traffic out of it.

I thought of a couple possible solutions last night.  One was the use of 
the 'global' statement in the default route inside the VRF.  It has the 
same problems as the static route to an interface.  I want the core Ps 
to make a routing decision on the upstream exit point which I can't do 
if I'm setting the next-hop to be an IP on an upstream router or an 
interface facing an upstream router.  The other option I thought of was 
to not inject the default on the core Ps but instead do it on PE1, the 
peering router to this special network.  Ultimately PE1 will be 
dual-homed to P1 and P2.  I could then set the next-hop for the default 
in the VRF on PE1 to be a FHRP floater on P1 and P2 and use that as the 
global IP.  I think that would work too but haven't tried it.

Another c-nsp reader gave me what I think will most likely be my 
solution.  His suggestion was to use an import map on the VRF, a 
route-map and prefix-list to import a default route into the VRF that 
way.  I'm sure that will work.  I'm intrigued by the tunnel solutions 
too.  PE1 will be replaced with an ASR in a few months so I may give 
that a try as well.  It's good to know all the various ways to 
accomplish the goal in case I have to implement something different someday.

Thanks for all the suggestions
  Justin
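An added configuration sketch, not taken from Justin's or Phil's posts, showing the two approaches discussed in the thread side by side: the static default with the `global` keyword, and the import map that pulls only 0.0.0.0/0 from the global table into the customer VRF. The VRF name, RD, route-map and prefix-list names and the 192.0.2.1 next hop are assumed placeholders; the import-map variant assumes the default route is already present in the global BGP IPv4 unicast table on that PE.

```text
! Option 1 (the 'global' statement): a static default inside the VRF whose
! next hop is resolved in the global table.  The exit is pinned to a single
! next hop, which is exactly the drawback described in the message above.
! 192.0.2.1 is a constructed placeholder for the upstream-facing next hop.
ip route vrf CUST-VRF 0.0.0.0 0.0.0.0 192.0.2.1 global

! Option 2: import only 0.0.0.0/0 from the global table into the VRF.  The
! prefix-list is what keeps the rest of the Internet table out of the VRF,
! so the core still chooses the upstream exit for the default.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map GLOBAL-TO-CUST permit 10
 match ip address prefix-list DEFAULT-ONLY
!
ip vrf CUST-VRF
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 import ipv4 unicast map GLOBAL-TO-CUST
```

After applying Option 2, `show ip route vrf CUST-VRF 0.0.0.0` should show only the default route learned from the global table; anything else appearing means the prefix-list is too loose.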