[nsp] Protecting border routers

Carlson Per per.carlson at banetele.com
Wed Dec 3 09:05:51 EST 2003


> > To comment on the "management VRF" matter, we've found it doesn't
> > presently work (static vrf-lite tested on c3550 & c7600/sup720
> > platforms) on current software.  Setting service 'source-interface's
> > to the Loopback interface inside the VRF causes no connectivity.  Is
> > anyone aware of a way to make this work, or is this feature in the
> > pipeline? 
> 
> It's possible to make it work by making the "management" 
> space the global table, and putting "Internet" in its own 
> VRF(-lite).  Like mine, your brain is probably screaming at 
> the wrongness of this, but it *does* work around the problem 
> of which management bits do/don't work inside a VRF.

Another possible solution is to put the Loopback interface into
global space in the CPE. Then point the route to the management
system (or a default route) to the interface with the mgmt VRF.

For example:
int Loopback0
  ip address 1.1.1.1 255.255.255.255

int Serial0
  ip vrf forwarding Mgmt
  ip address 2.2.2.2 255.255.255.252

ip route 0.0.0.0 0.0.0.0 Serial0

This will leak the global route into the VRF. Of course, you
still have to use 'source-interface' commands.

Per
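
A configuration check for the two points in this thread, added here as an example and not part of the original post: it flags service source commands bound to an interface inside a VRF (the case reported above as not working) and lists global static routes that exit through a VRF interface. The sample configuration, Loopback1 and the service lines are constructed; `show running-config` formatting with `ip vrf forwarding` is assumed.

```python
import re

# Constructed sample, running-config form: post's CPE + assumed Loopback1/services.
SAMPLE = """\
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Loopback1
 ip vrf forwarding Mgmt
 ip address 3.3.3.3 255.255.255.255
interface Serial0
 ip vrf forwarding Mgmt
 ip address 2.2.2.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 Serial0
logging source-interface Loopback0
ntp source Loopback0
snmp-server trap-source Loopback1
"""

SOURCE_CMD = re.compile(r"^(?:logging source-interface|ntp source|snmp-server "
                        r"trap-source|ip (?:tftp|tacacs) source-interface)\s+(\S+)")
STATIC_VIA_INTF = re.compile(r"^ip route (\S+ \S+) ([A-Za-z]\S*)")

def interface_vrfs(config):
    """Map each interface to its VRF name, or None for the global table."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            vrfs[current] = None
        elif current and (m := re.match(r"\s+ip vrf forwarding (\S+)", line)):
            vrfs[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the interface stanza
    return vrfs

def audit(config):
    """Return (source commands not on a global interface, global routes via a VRF)."""
    vrfs = interface_vrfs(config)
    bad_sources, leaks = [], []
    for line in config.splitlines():
        if m := SOURCE_CMD.match(line):
            vrf = vrfs.get(m.group(1), "undefined")
            if vrf is not None:  # interface is in a VRF or does not exist
                bad_sources.append((line, vrf))
        elif (m := STATIC_VIA_INTF.match(line)) and vrfs.get(m.group(2)):
            leaks.append((m.group(1), m.group(2), vrfs[m.group(2)]))
    return bad_sources, leaks

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each entry in the second list is a path between the global table and a VRF, so it is worth reviewing against the intended management reachability.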

