[c-nsp] VRF BGP Instance over GRE Tunnel
Loopback EZ
loopback at ezxyz.com
Mon May 26 21:56:19 EDT 2008
Have a strange situation that I need input on a viable design. The
proposed network (Network Z) will be using a transit provider
(Provider A) who has direct peer connections to Quest, Level 3 and ATT,
all via the same BGP peering router; this provider also has direct links
to Research and Education networks, and in this network all traffic has
a BGP community tag indicating its source. The network that is being
designed will provide access for general internet and R&E traffic. The
goal is to be able to meter and rate limit all general internet access
but not touch the R&E traffic. The rate limiting design should be
effective for outgoing and incoming general internet traffic. Network Z
members will establish an EBGP peering connection with the closest
Network Z BGP border router. It is NOT an option to establish a direct
connection to ATT, Level 3 etc. at this time.
One possible design would be to use two VRF entities in the Network Z
border BGP routers. VRF-1 would establish an EBGP peer with Provider
A's nearest border BGP router (A-1) and accept all R&E networks via
a filter on the community; VRF-2 would establish an EBGP peer, over a
GRE tunnel, with Provider A's BGP router (A-2) that has the peer
connection with Quest, ATT and Level 3. This connection would accept all
routes other than R&E networks via the community filter.
Members would then establish an EBGP session with both VRF entities.
Using the GRE tunnel should ensure that all "general internet" traffic
would leave our network via the GRE tunnel and be handed off by Provider
A directly to ATT, Level 3 and Quest at Router A-2, since that route will
have the most efficient path for the Network Z members. General R&E
traffic will use Router A-1 as the most efficient. Return traffic from
the internet should also follow this path since it will come via
Provider A's connections and be directly inserted into the GRE tunnel at
Router A-2.
General R&E traffic should all follow the other path since it will be
following private peering points between the R&E networks and not
transit the general internet.
An option would be to use Multi-Hop EBGP instead of the GRE tunnel, but
since the traffic would have to follow Provider A's IGP to actually
forward the traffic, it is unclear whether return traffic would be
forwarded out the correct VRF since Network Z's prefix would be present
Please give me your comments, alternate suggestions, and thoughts. This
is a very hacked up idea, but I am not sure of any method that will
accomplish the goal given that a direct ISP connection is not viable at
this time.
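An added example configuration (not from the poster, and not a vendor-verified design) sketching the two-VRF layout described above in Cisco IOS-style syntax: VRF-1 peers with A-1 and accepts only routes carrying the R&E community, VRF-2 peers with A-2 through a GRE tunnel and accepts everything except those routes, and a policer on the tunnel meters general internet traffic in both directions. AS numbers, addresses, and the community value are placeholder assumptions.

```cisco
! Assumed values: Network Z = AS 65000, Provider A = AS 65001,
! community 65001:100 marks R&E-sourced routes. All addresses are placeholders.
ip vrf VRF-1
 rd 65000:1
ip vrf VRF-2
 rd 65000:2
!
! Direct link to Provider A's router A-1 lives in VRF-1
interface GigabitEthernet0/0
 ip vrf forwarding VRF-1
 ip address 192.0.2.2 255.255.255.252
!
! GRE tunnel to A-2 lives in VRF-2; tunnel endpoints are global-table addresses
interface Tunnel0
 ip vrf forwarding VRF-2
 ip address 10.255.0.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 198.51.100.2
 service-policy input INET-POLICE
 service-policy output INET-POLICE
!
! Community filter: VRF-1 keeps only R&E routes, VRF-2 drops them
ip community-list standard RE permit 65001:100
route-map FROM-A1 permit 10
 match community RE
route-map FROM-A2 deny 10
 match community RE
route-map FROM-A2 permit 20
!
! Meter general internet traffic on the tunnel (rate is an assumed placeholder)
policy-map INET-POLICE
 class class-default
  police 100000000 conform-action transmit exceed-action drop
!
router bgp 65000
 address-family ipv4 vrf VRF-1
  neighbor 192.0.2.1 remote-as 65001
  neighbor 192.0.2.1 route-map FROM-A1 in
  neighbor 192.0.2.1 activate
 address-family ipv4 vrf VRF-2
  neighbor 10.255.0.2 remote-as 65001
  neighbor 10.255.0.2 route-map FROM-A2 in
  neighbor 10.255.0.2 activate
```

The return-path behaviour the post worries about still depends on A-2 preferring the tunnel-learned path for Network Z's prefix, which this side of the configuration cannot enforce on its own.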