[c-nsp] VRF BGP Instance over GRE Tunnel

Loopback EZ loopback at ezxyz.com
Mon May 26 21:56:19 EDT 2008


I have a strange situation that I need input on for a viable design. The 
proposed network (Network Z) will be using a transit provider 
(Provider A) who has direct peer connections to Quest, Level 3 and ATT, all 
via the same BGP peering router. This provider also has direct links to 
Research and Education networks, and in this network all traffic has a BGP 
community tag indicating its source. The network that is being 
designed will provide access for general internet and R&E traffic. The 
goal is to be able to meter and rate limit all general internet access 
but not touch the R&E traffic. The rate limiting design should be 
effective on outgoing and incoming general internet traffic. Network Z 
members will establish an EBGP peering connection with the closest 
Network Z BGP border router. It is NOT an option to establish a direct 
connection to ATT, Level 3 etc. at this time.

One possible design would be to use two VRF entities in the Network Z 
border BGP routers. VRF-1 would establish an EBGP peer with Provider 
A's nearest border BGP router (A-1) and accept all R&E networks via 
a filter on the community. VRF-2 would establish an EBGP peer, over a GRE 
tunnel, with Provider A's BGP router (A-2) that has the peer connections with 
Quest, ATT and Level 3. This connection would accept all 
routes other than R&E networks via the community filter.

Members would then establish an EBGP session with both VRF entities. 
Using the GRE tunnel should ensure that all "general internet" traffic 
would leave our network via the GRE tunnel and be handed off by Provider 
A directly to ATT, Level 3 and Quest at Router A-2, since that route will 
be the most efficient path for the Network Z members. General R&E 
traffic will use Router A-1 as the most efficient path. Return traffic from 
the internet should also follow this path, since it will come in via 
Provider A's connections and be directly inserted into the GRE tunnel at 
Router A-2.

General R&E traffic should all follow the other path, since it will 
follow private peering points between the R&E networks and not 
transit the general internet.

An option would be to use multi-hop EBGP instead of the GRE tunnel, but 
since the traffic would have to follow Provider A's IGP to actually 
forward the traffic, it is unclear whether return traffic would be 
forwarded out the correct VRF, since Network Z's prefix would be present in both.

Please give me your comments, alternate suggestions, and thoughts. This 
is a very hacked-up idea, but I am not sure of any method that will accomplish 
the goal given that a direct ISP connection is not viable at this time.
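To make the two-VRF design above concrete, here is a Cisco IOS configuration sketch for one Network Z border router. It is an added example, not configuration from the original post or from any of the providers named there. VRF names, AS numbers, addresses, interface names and the community value Provider A is assumed to attach to R&E-sourced routes are all placeholders. It shows the three pieces the design depends on: the inbound community filters on each EBGP session, the GRE tunnel whose transport runs over the VRF-1 link while its endpoint address lives in VRF-2, and a policer on the tunnel interface as the place where general internet traffic is metered in both directions.

```ios
! --- Constructed example; all names, ASNs, addresses and communities are placeholders ---
ip vrf RE
 description VRF-1: R&E routes learned from Provider A router A-1
 rd 65000:1
!
ip vrf INET
 description VRF-2: general internet routes learned from A-2 over GRE
 rd 65000:2
!
! Assumption: Provider A tags R&E-sourced routes with community 65001:100
ip community-list standard RE-SOURCED permit 65001:100
!
! VRF-1 session: accept only routes carrying the R&E community
route-map FROM-A1-RE permit 10
 match community RE-SOURCED
!
! VRF-2 session: accept everything except routes carrying the R&E community
route-map FROM-A2-INET deny 10
 match community RE-SOURCED
route-map FROM-A2-INET permit 20
!
! Meter/police general internet traffic; 100 Mbps placeholder rate
policy-map INET-RATE
 class class-default
  police cir 100000000 conform-action transmit exceed-action drop
!
! Physical link to A-1 lives in VRF-1
interface GigabitEthernet0/0
 description Link to Provider A router A-1
 ip vrf forwarding RE
 ip address 203.0.113.2 255.255.255.252
!
! GRE tunnel to A-2: outer packets are routed in VRF RE (tunnel vrf),
! the inner /30 and the BGP session sit in VRF INET
interface Tunnel0
 description GRE to Provider A router A-2 (general internet)
 ip vrf forwarding INET
 ip address 192.0.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel vrf RE
 service-policy input INET-RATE
 service-policy output INET-RATE
!
! Member-facing link: one subinterface per VRF so each member peers with both
interface GigabitEthernet0/1.1
 description Member X - R&E VRF
 encapsulation dot1Q 10
 ip vrf forwarding RE
 ip address 10.0.1.1 255.255.255.252
interface GigabitEthernet0/1.2
 description Member X - Internet VRF
 encapsulation dot1Q 20
 ip vrf forwarding INET
 ip address 10.0.2.1 255.255.255.252
!
router bgp 65000
 address-family ipv4 vrf RE
  neighbor 203.0.113.1 remote-as 65001
  neighbor 203.0.113.1 description Provider A router A-1
  neighbor 203.0.113.1 route-map FROM-A1-RE in
  neighbor 203.0.113.1 activate
  neighbor 10.0.1.2 remote-as 65010
  neighbor 10.0.1.2 description Member X (R&E)
  neighbor 10.0.1.2 activate
 exit-address-family
 address-family ipv4 vrf INET
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 description Provider A router A-2 via Tunnel0
  neighbor 192.0.2.2 route-map FROM-A2-INET in
  neighbor 192.0.2.2 activate
  neighbor 10.0.2.2 remote-as 65010
  neighbor 10.0.2.2 description Member X (Internet)
  neighbor 10.0.2.2 activate
 exit-address-family
```

Two points worth checking against this sketch. First, `tunnel vrf RE` is what lets the GRE transport ride the A-1 link while the tunnel's own address and BGP session stay in VRF INET; without it the tunnel destination would be looked up in the global table, which has no route to A-2 in this layout. Second, the example only filters what is accepted inbound and polices the tunnel; it does not by itself decide which path Provider A uses to return traffic to Network Z, which is the open question the post raises about the multi-hop alternative. Verification after applying it is `show ip bgp vpnv4 vrf RE` and `show ip bgp vpnv4 vrf INET` to confirm that routes with the R&E community appear only in the first table, plus `show policy-map interface Tunnel0` to see the policer counters move on general internet traffic.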



More information about the cisco-nsp mailing list