[c-nsp] Virtualization in an enterprise

Phil Mayers p.mayers at imperial.ac.uk
Wed Sep 24 05:51:32 EDT 2008


Higham, Josh wrote:
> I am currently investigating using vrf-lite within our company to
> support some research requests.  I have some hesitation about
> maintaining it, though, especially in a smaller enterprise environment
> (4 network techs, ~10 branches).
> 
> I am comfortable with the technology, but don't want to increase the
> complexity of the network without significant advantages.  More
> importantly, I don't want to limit the applicant pool if we need to hire
> someone down the road.
> 
> Does anyone here have input on support and maintenance of this within an
> enterprise environment?

Yes. What specifically are you asking about?

We ran a large-ish VRF-lite core for a year or more before finally 
converting to L3VPN. My experience was:

  * vrf lite is basically just >1 routing table; instead of having 1 p2p 
between routers, you have 1 per VRF using subints/vlans

  * running the multiple OSPF processes was tedious but easy to understand

  * vrf lite was supported on 3550/3750

  * it's easy to understand - my personal opinion is that if someone 
can't grasp putting "vrf XXX" into some IOS commands, you shouldn't be 
hiring them anyway!

  * You do a *lot* of typing to get a VRF setup - e.g. on our 3550/6500 
network you'd have to do:

ip vrf NEW
   rd fake:value
   description blah
int LoopbackN
   ip vrf forwarding NEW
   ip address <loop>
router ospf N vrf NEW
   router-id <loop>
   network <assign a /23 for loopbacks & p2ps>
   redistribute connected
   redistribute static
# for each neighbouring router
vlan XXXX
   name p2p-router-Y
int VlanXXXX
   ip vrf forwarding NEW
   ip address blah
   ip ospf network point-to-point

...etc etc. When you have >10 VRFs and >20 routers, you start to have 
all kinds of irritating problems like how many subints/vlan tags you 
burnt just for p2p, how much address space you're burning for loopback 
and p2p interfaces, and so on.

Eventually we moved to L3VPN meaning a new VRF is:

ip vrf NEW
   rd loop:N
   route-target as:nn both
   description blah
router bgp 65000
   address-family ipv4 vrf NEW
     redistribute connected
     redistribute static

The initial cost of the L3VPN setup is higher (have to enable BGP with 
vpnv4, LDP, MPLS, get the MTUs right, possibly get MVPN setup if you 
need multicast) and it's obviously a system with more components but my 
feeling is that the layering is actually conceptually *easier* to 
understand.

In short: I'm sure you'd have no problems with the vrf-lite solution and 
it served us well initially, but I would at least investigate the L3VPN 
solution.

> 
> We have sites connected by MPLS (BGP with the provider, but no other
> MPLS or vrf type features) with redundancy through an IPSEC VPN over our
> internet links.
> 
> Thanks for any input that you can provide.
> 
> Josh
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
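The per-VRF template Phil sketches above (loopback per router, one VLAN/sub-interface and one p2p subnet per link, one OSPF process per VRF) can be generated mechanically, which also makes the scaling cost he describes countable. The following is an added example, not code from the post or from either poster: it plans one vrf-lite VRF across a small constructed topology, allocating loopbacks and /31 p2p links out of the /23 the post suggests, and then compares the VLAN-tag and loopback burn of vrf-lite against L3VPN as VRFs are added. Router names, the 65000 ASN used in the RD, the supernet, VLAN base and OSPF process id are all constructed; the `subnets`/`area 0` keywords are added because the post's snippet elides them.

```python
"""Plan a vrf-lite VRF the way the post describes and count what it costs.
All topology, addresses and identifiers here are constructed for the example."""
import ipaddress
from collections import namedtuple

Link = namedtuple("Link", "a b")  # an undirected router-to-router adjacency


def plan_vrf_lite(vrf, routers, links, supernet, first_vlan, ospf_pid, loop_num):
    """Return ({router: config_text}, summary) for one VRF.

    supernet is the per-VRF /23 from the post: the first /24 is carved into
    /32 loopbacks, the second into /31 p2p links (constructed convention)."""
    net = ipaddress.ip_network(supernet)
    if net.prefixlen != 23:
        raise ValueError("the post's scheme assumes one /23 per VRF")
    loop_block, p2p_block = net.subnets(new_prefix=24)
    loopbacks = dict(zip(routers, loop_block.hosts()))
    if len(loopbacks) != len(routers):
        raise ValueError("more routers than loopback addresses in the /24")
    p2p_subnets = list(p2p_block.subnets(new_prefix=31))
    if len(links) > len(p2p_subnets):
        raise ValueError("more links than /31s in the /24")
    for link in links:
        if link.a not in loopbacks or link.b not in loopbacks:
            raise ValueError(f"link {link} references an unknown router")

    cfg = {}
    for r in routers:
        cfg[r] = [
            f"ip vrf {vrf}",
            f"   rd 65000:{ospf_pid}",  # constructed RD; vrf-lite only needs it to be unique
            f"   description {vrf} (vrf-lite)",
            f"int Loopback{loop_num}",
            f"   ip vrf forwarding {vrf}",
            f"   ip address {loopbacks[r]} 255.255.255.255",
            f"router ospf {ospf_pid} vrf {vrf}",
            f"   router-id {loopbacks[r]}",
            f"   network {net.network_address} {net.hostmask} area 0",
            "   redistribute connected subnets",
            "   redistribute static subnets",
        ]
    # One VLAN tag and one /31 per link, both spent again for every new VRF.
    for i, link in enumerate(links):
        vlan = first_vlan + i
        addrs = list(p2p_subnets[i])  # both addresses of the /31
        for me, peer, addr in ((link.a, link.b, addrs[0]), (link.b, link.a, addrs[1])):
            cfg[me] += [
                f"vlan {vlan}",
                f"   name p2p-{vrf}-{peer}",
                f"int Vlan{vlan}",
                f"   ip vrf forwarding {vrf}",
                f"   ip address {addr} 255.255.255.254",
                "   ip ospf network point-to-point",
            ]
    summary = {
        "vlan_tags": len(links),
        "p2p_subnets": len(links),
        "loopbacks": len(routers),
        "addresses_consumed": len(routers) + 2 * len(links),
    }
    return {r: "\n".join(lines) for r, lines in cfg.items()}, summary


def compare_tag_cost(n_vrfs, n_routers, n_links):
    """Per the post: vrf-lite needs one sub-interface/VLAN and one loopback
    per VRF, while L3VPN reuses one p2p per link because MPLS labels carry
    every VRF over it."""
    return {
        "vrf_lite_vlan_tags": n_vrfs * n_links,
        "l3vpn_vlan_tags": n_links,
        "vrf_lite_loopbacks": n_vrfs * n_routers,
        "l3vpn_loopbacks": n_routers,
        "vrf_lite_ospf_processes_per_router": n_vrfs,
    }


if __name__ == "__main__":
    routers = ["r1", "r2", "r3"]
    links = [Link("r1", "r2"), Link("r2", "r3"), Link("r1", "r3")]
    configs, summary = plan_vrf_lite("RESEARCH", routers, links,
                                     "10.200.0.0/23", 3000, 10, 10)
    print(configs["r1"])
    print(summary)
    print(compare_tag_cost(10, 20, 30))
```

Running it for the post's ">10 VRFs and >20 routers" case (here 10 VRFs, 20 routers, 30 links) gives 300 VLAN tags and 200 VRF loopbacks under vrf-lite against 30 tags and 20 loopbacks under L3VPN, which is the growth curve that drove the move to L3VPN.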
