[nsp] Protecting border routers
Carlson Per
per.carlson at banetele.com
Wed Dec 3 09:05:51 EST 2003
> > To comment on the "management VRF" matter, we've found it doesn't
> > presently work (static vrf-lite tested on c3550 & c7600/sup720
> > platforms) on current software. Setting service 'source-interface's
> > to the Loopback interface inside the VRF causes no connectivity. Is
> > anyone aware of a way to make this work, or is this feature in the
> > pipeline?
>
> It's possible to make it work by making the "management"
> space the global table, and putting "Internet" in it's own
> VRF(-lite). Like mine, your brain is probably screaming at
> the wrongness of this, but it *does* work around the problem
> of which management bits do/don't work inside a VRF.
Another possible solution is to put the Loopback interface into
global space in the CPE. Then point the route to the management
system (or a default route) to the interface with the mgmt VRF.
For example:
int Loopback0
ip address 1.1.1.1 255.255.255.255
int Serial0
ip vrf forwarding Mgmt
ip address 2.2.2.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 Serial0
This will leak the global route into the VRF. Of course, you
still have to use 'source-interface' commands.
Per
More information about the cisco-nsp
mailing list