[c-nsp] VRF customers (ISP plus IP VPN)

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Oct 7 01:54:56 EDT 2008


nachocheeze at gmail.com <> wrote on Monday, October 06, 2008 8:51 PM:

> I'm in the process of deploying a small SP network that will provide
> *regular* Internet connectivity, as well as provide L3 VPNs for a
> multitude of services.  In our design, we're thinking to keep the
> global internet in the "master" routing instance (i.e. non-VRF), just
> using plain BGP routing, and having separate connectivity (intranets,
> private and semi-private services) in VRFs and using route-target
> import/exports.
> 
[...]
> 
> PE1
> ===
> ip vrf Cust-A
>  rd 65001:100
>  route-target export 65001:100
>  route-target import 65001:100
>  route-target import 65001:200
> 
[...]
> ip vrf Cust-B
>  rd 65001:200
>  route-target export 65001:200
>  route-target import 65001:200
>  route-target import 65001:100
>
> 
> In this case, both customers run BGP (as they're multihomed to other
> ISPs), and are advertising their ARIN-assigned network to both the
> "Internet" link in the regular BGP unicast address family and to the
> VRF links on the BGP VRF address family. Because of this, they are
> both learning each other's networks across the *regular* BGP link as
> well as the VRF BGP link.  For political and billing reasons, this may
> not be ideal, mainly because they are "paying" for connectivity to the
> Internet service, but the VRF/VPN connectivity is 'free', so they want
> to be sure that forwarding between each other chooses the VPN path.

What is the VPN connection for? Why do the two customers have to see
each other via the VPN link as well? You say you want to offer the
VPN/VRF for internal services. Then I would expect a different
route-target import/export policy, i.e. something like a central
services VPN:

ip vrf Cust-A
 route-target export 65001:100
 route-target import 65001:100
 route-target import 65001:900

ip vrf Cust-B
 route-target export 65001:200
 route-target import 65001:200
 route-target import 65001:900

ip vrf services
 route-target export 65001:900
 route-target import 65001:900
 route-target import 65001:100
 route-target import 65001:200

so both customers can communicate with your "services", but they don't
see each other via the VPN.

> I haven't been able to find any "best practice" that addresses this
> issue.  What do people normally do in this setup?  Send MED on the
> customer routes across the Internet peering so they will prefer the
> "intranet" path?   Use a combo of tags/communities to filter the CE
> routes on the Internet peering?  I can think of a couple of ways to do
> it, but I'm looking for some recommendations.

I would question the overall VPN design. Why build a VPN where your
customers have full connectivity between each other? Why don't you just
let them communicate via the global routing table?

	oli
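As an added illustration (not part of the thread, and not a Cisco tool), the following Python model simulates the route-target import/export matching that decides which VRF sees which prefixes. It builds both designs discussed above, the original mutual Cust-A/Cust-B import and the central-services variant, using the VRF names and RT values from the thread; the prefixes are constructed sample values. It models only RT matching, not RDs, BGP best-path selection, or the global (non-VRF) table the customers also exchange routes over.

```python
"""Model of MPLS L3VPN route-target (RT) import/export semantics.

Added example, not from the cisco-nsp thread. A prefix originated in VRF X
and tagged with X's export RTs is imported into VRF Y when one of those RTs
is in Y's import list. The VRF names and RT values come from the thread;
the prefixes are constructed (RFC 5737 documentation ranges).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    export_rts: set[str]
    import_rts: set[str]
    prefixes: set[str] = field(default_factory=set)  # locally originated


def vpn_routing_table(vrfs: dict[str, Vrf]) -> dict[str, set[str]]:
    """Return, per VRF, the prefixes present in its table after RT import.

    Step 1: every originating VRF advertises its prefixes as VPNv4 routes
            carrying its export RTs as extended communities.
    Step 2: each VRF imports a VPNv4 route when the route's RT set
            intersects the VRF's import RT set. Local prefixes stay local.
    """
    vpnv4 = [(p, v.export_rts) for v in vrfs.values() for p in v.prefixes]
    tables: dict[str, set[str]] = {}
    for v in vrfs.values():
        learned = {p for p, rts in vpnv4 if rts & v.import_rts}
        tables[v.name] = learned | v.prefixes
    return tables


def original_design() -> dict[str, Vrf]:
    """Mutual import: each customer VRF imports the other's export RT."""
    return {
        "Cust-A": Vrf("Cust-A", {"65001:100"}, {"65001:100", "65001:200"},
                      {"192.0.2.0/24"}),
        "Cust-B": Vrf("Cust-B", {"65001:200"}, {"65001:200", "65001:100"},
                      {"198.51.100.0/24"}),
    }


def central_services_design() -> dict[str, Vrf]:
    """Hub-and-spoke: customers import only the services RT (65001:900)."""
    return {
        "Cust-A": Vrf("Cust-A", {"65001:100"}, {"65001:100", "65001:900"},
                      {"192.0.2.0/24"}),
        "Cust-B": Vrf("Cust-B", {"65001:200"}, {"65001:200", "65001:900"},
                      {"198.51.100.0/24"}),
        "services": Vrf("services", {"65001:900"},
                        {"65001:900", "65001:100", "65001:200"},
                        {"203.0.113.0/24"}),
    }


def can_reach(tables: dict[str, set[str]], src_vrf: str, dst_prefix: str) -> bool:
    """True if src_vrf holds a route for dst_prefix in its VPN table."""
    return dst_prefix in tables[src_vrf]


if __name__ == "__main__":
    for label, design in (("original", original_design()),
                          ("central services", central_services_design())):
        tables = vpn_routing_table(design)
        print(f"--- {label} design ---")
        for name, prefixes in tables.items():
            print(f"{name:9s} sees {sorted(prefixes)}")
```

Running it shows that in the original design Cust-A and Cust-B each hold the other's prefix (so isolation between the two customers depends entirely on filtering elsewhere), while in the central-services design each customer sees only its own prefix plus 203.0.113.0/24 from the services VRF, and only the services VRF sees both customers.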

