[nsp] Protecting border routers

atticus at satanic.org
Sun Nov 30 21:42:10 EST 2003


> To comment on the "management VRF" matter, we've found it doesn't
> presently work (static vrf-lite tested on c3550 & c7600/sup720
> platforms) on current software.

AFAIK, 7600 only supports VRF instances on OSM's, which may have
complicated your test (have wanted to try myself, but a GE-WAN for this is
a bit pricey...). Haven't tried at all on 3550's yet (had seen VRF-Lite
show up for 12.1EW, didn't know 12.1EA got it as well).

On the traditional router platforms, I found working within the management
VRF annoying (at least in late 12.2T) -- SNMP within VRF was broken at one
point, you can't specify a vrf in 'copy tftp', etc. What I ended up doing
was actually make the management "VRF" the main routing table, then have a
'ip vrf internet' -- this has worked out very nicely.

Personally, I'd love to see some (or work w/ someone on) documentation for
using vrf's to create an independent control plane. As-is, it takes a
giant MPLS-sifter to get the useful tidbits..

Free clue: "capability vrf-lite" for a vrf ospf process.
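
Added example, not part of the original post: a minimal IOS configuration sketch of the layout described above, with management left in the global routing table and production traffic placed in 'ip vrf internet'. Interface names, the RD, the OSPF process number and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```cisco
! Constructed example: global table = management plane, VRF "internet" = data plane.
ip vrf internet
 rd 64512:1
!
! The management interface stays in the global table, so SNMP, 'copy tftp',
! syslog and vty sessions work without any VRF-aware syntax.
interface FastEthernet0/0
 description Out-of-band management (global table)
 ip address 192.0.2.10 255.255.255.128
!
! Internet-facing and core interfaces go into the VRF.
! Apply 'ip vrf forwarding' before 'ip address': IOS removes an existing
! address when the interface's VRF membership changes.
interface GigabitEthernet0/1
 description Upstream transit
 ip vrf forwarding internet
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Internal core link
 ip vrf forwarding internet
 ip address 198.51.100.1 255.255.255.252
!
! A per-VRF OSPF process assumes the router is an MPLS VPN PE and applies
! the PE loop-prevention checks to received LSAs. With no MPLS/BGP in play,
! 'capability vrf-lite' turns those checks off so the routes are installed.
router ospf 10 vrf internet
 capability vrf-lite
 network 198.51.100.0 0.0.0.3 area 0
!
! Default route exists only inside the VRF; the global table has no
! route toward the Internet.
ip route vrf internet 0.0.0.0 0.0.0.0 203.0.113.1
!
! The global table carries only the route to the management stations.
ip route 192.0.2.128 255.255.255.128 192.0.2.1
!
! Restrict vty access to the management station subnet.
access-list 10 permit 192.0.2.128 0.0.0.127
line vty 0 4
 access-class 10 in
 transport input ssh
```

After loading a layout like this, 'show ip route' should list only management prefixes and 'show ip route vrf internet' should hold the default and OSPF routes; a production prefix appearing in the global table indicates an interface that was left out of the VRF.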


More information about the cisco-nsp mailing list