[c-nsp] VRF, then fall through to main / global route table ?
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Apr 12 02:03:36 EDT 2006
Mark Zipp <> wrote on Wednesday, April 12, 2006 2:43 AM:
> Is it possible to have a Cisco router look at a interface specific
> VRF, and then if there isn't a matching route, fall through to looking
> at the main or global route table on the router ?
No, you need to explicitly add a default-route pointing to a global
next-hop, i.e.
ip route vrf sink_hole 0.0.0.0 0.0.0.0 <next-hop> global
the next-hop must be a different router, doesn't need to be adjacent.
> I think it would be
> useful to have a generic, customer facing VRF that null / sink routes
> the various martian addresses (RFC1918 etc.), and then falls through
> to the main route table for further route lookup.
So instead of putting the Internet customers into the global context,
you'd put them into this VRF?
Hmm, not sure about this design approach. You'd need to route between
those customers in the VRF, but you also need visibility of the
customers' networks in the global table, which limits the routing you
can use with the customers (basically only static routing)
> Customer facing ACLs would of course be an alternative, however I
> think sink routes in a VRF would be a bit simpler and easier to
> maintain, and would probably be slightly faster for the router to
> process.
I agree, ACLs are possibly more of an overhead (both processing- and
maintenance-wise), but since you should always use an ACL to protect
your own infrastructure, the overhead might not be that large.
The VRF approach increases the complexity troubleshooting-wise, and has
limits, for example if you want to connect an eBGP customer and need
send them the complete table (which you'd need to import into the VRF).
oli
More information about the cisco-nsp
mailing list