[c-nsp] VRF customers (ISP plus IP VPN)

nachocheeze at gmail.com nachocheeze at gmail.com
Mon Oct 6 14:51:02 EDT 2008


I'm in the process of deploying a small SP network that will provide
*regular* Internet connectivity, as well as provide L3 VPNs for a
multitude of services.  In our design, we're thinking to keep the
global internet in the "master" routing instance (i.e. non-VRF), just
using plain BGP routing, and having separate connectivity (intranets,
private and semi-private services) in VRFs and using route-target
import/exports.

Small example: Cust-A connects to PE1, Cust-B connects to PE2, both
with dot1Q tagged sub-interfaces.  In addition to this connection,
they both have another logical connection to the same PE routers
across the same interface on a different VLAN that's in the "master"
instance for regular Internet.  In the case of their VRF
sub-interface, here's how we do the forwarding:

PE1
===
ip vrf Cust-A
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100
 route-target import 65001:200

interface FastEthernet2/1.10
 description Cust-A Internet
 encapsulation dot1Q 10
 ip address x.x.x.x 255.255.255.252

interface FastEthernet2/1.20
 description Cust-A VPN
 encapsulation dot1Q 20
 ip vrf forwarding Cust-A
 ip address x.x.x.x 255.255.255.252


PE2
===
ip vrf Cust-B
 rd 65001:200
 route-target export 65001:200
 route-target import 65001:200
 route-target import 65001:100

interface FastEthernet2/1.10
 description Cust-B Internet
 encapsulation dot1Q 10
 ip address x.x.x.x 255.255.255.252

interface FastEthernet2/1.20
 description Cust-B VPN
 encapsulation dot1Q 20
 ip vrf forwarding Cust-B
 ip address x.x.x.x 255.255.255.252

In this case, both customers run BGP (as they're multihomed to other
ISPs), and are advertising their ARIN-assigned network to both the
"Internet" link in the regular BGP unicast address family and to the
VRF links on the BGP VRF address family.  Because of this, they are
both learning each other's networks across the *regular* BGP link as
well as the VRF BGP link.  For political and billing reasons, this may
not be ideal, mainly because they are "paying" for connectivity to the
Internet service, but the VRF/VPN connectivity is 'free', so they want
to be sure that forwarding between each other chooses the VPN path.

I haven't been able to find any "best practice" that addresses this
issue.  What do people normally do in this setup?  Send MED on the
customer routes across the Internet peering so they will prefer the
"intranet" path?  Use a combo of tags/communities to filter the CE
routes on the Internet peering?  I can think of a couple of ways to do
it, but I'm looking for some recommendations.
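The following is an added illustration of the "tag with a community, then act on it at the Internet peering" option raised in the question; it is not configuration from the original post or from the poster's network. It keeps the post's SP AS 65001 and the Cust-A VRF, but the customer AS 65010, the peering addresses in 192.0.2.0/24, the community 65001:999 and the route-map and community-list names are constructed placeholders. The idea is that every customer who also has a VRF attachment gets their Internet-learned prefixes tagged on ingress; on egress toward another such customer, those prefixes are sent with a high MED so the CE's best-path selection lands on the VRF path, which carries the same AS path from the same neighbouring AS and a lower (default) MED.

```ios
! PE1, global (Internet) side only. Added example, not the poster's config.
! Assumed values: SP AS 65001 (from the post); Cust-A AS 65010 and the
! 192.0.2.x peering addresses are constructed placeholders.
!
! Community that marks "prefix learned from a customer who also has a VRF".
ip community-list standard VPN-CUSTOMER permit 65001:999
!
! Ingress from a VPN-attached customer's Internet session: tag the prefix.
route-map INET-FROM-VPN-CUST permit 10
 set community 65001:999 additive
!
! Egress toward a VPN-attached customer's Internet session: make other VPN
! customers' prefixes less attractive than the same prefixes seen via VRF.
! Change "permit 10 ... set metric" to "deny 10" to withhold the Internet
! path entirely instead of just de-preferring it.
route-map INET-TO-VPN-CUST permit 10
 match community VPN-CUSTOMER
 set metric 1000
route-map INET-TO-VPN-CUST permit 20
!
router bgp 65001
 ! Global table: Cust-A Internet session on FastEthernet2/1.10
 neighbor 192.0.2.2 remote-as 65010
 neighbor 192.0.2.2 description Cust-A Internet
 address-family ipv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-map INET-FROM-VPN-CUST in
  neighbor 192.0.2.2 route-map INET-TO-VPN-CUST out
 exit-address-family
 !
 ! VRF Cust-A: the VPN session on FastEthernet2/1.20, left with default MED
 address-family ipv4 vrf Cust-A
  neighbor 192.0.2.6 remote-as 65010
  neighbor 192.0.2.6 description Cust-A VPN
  neighbor 192.0.2.6 activate
 exit-address-family
```

PE2 gets the mirror image for Cust-B. Two caveats worth keeping in mind: MED is only compared between paths from the same neighbouring AS, which holds here because both the Internet and the VRF session are with AS 65001, but a CE that applies its own inbound local-preference policy will override it, so a belt-and-braces approach is to also have the customer set a higher local-preference on the VRF session. And whichever knob is used, verify on the CE with `show ip bgp <prefix>` that the VRF-facing next hop is the one marked best before relying on the billing distinction.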

