[c-nsp] VRF and BGP ?

JH Cockburn ccie15385 at gmail.com
Tue Feb 10 01:29:45 EST 2009


Hi All,
We had a similar situation where we had to create an "internet" vrf and
"leak/connect" that to the global routing table.
So we had a couple of interfaces belonging to the internet vrf of which one
connected back to the same device on an interface in the global network. We
had ospf as IGP to exchange infrastructure/loopback addresses and BGP for
Internet addresses. The problem was that OSPF did not come up at first, and the
problem on the 6500's/7600's is that they use the same MAC address for all
L3 interfaces. Change one side's MAC to a MAC of your choice and up
comes OSPF, and after that BGP can do its thing.
So when we implemented this on our GSRs/7206's it still didn't work... So
after a bit of ol' debugging I came to the conclusion that the following
happens:
The router (either VRF or global) wants to connect to the (OSPF) neighbor,
needs to do an ARP for the address, but then sees it already has an attached
interface with that IP/MAC pair, so it never sends the ARP and goes into a
loop of sorts. (Maybe some real propeller head can give the real reasons..)
So the OSPF never comes up. I added static ARP entries (see below) and
yippee, OSPF comes up etc...

-----
arp 10.241.0.66 001f.26e0.d419 ARPA
arp vrf internet 10.241.0.65 001f.26e0.d41a ARPA
-----

I hope this helps and gives you some idea what to look for when you need
this..

Cheers
JC
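The setup described above, written out as a complete IOS configuration, is an added example and not the poster's own config. It reuses the two addresses and MACs from the static ARP entries in the post; the interface names, RD, OSPF process numbers and BGP AS numbers are assumptions for illustration. The `capability vrf-lite` line is the check a practitioner usually needs on a router that runs OSPF inside a VRF without MPLS: without it the VRF OSPF process behaves as a PE and will ignore inter-area and external LSAs carrying the DN bit.

```text
! --- VRF definition (RD is an assumed value) ---
ip vrf internet
 rd 65000:1
!
! --- Global side of the back-to-back cable (assumed Gi1/1) ---
! 10.241.0.65 / 001f.26e0.d41a match the "arp vrf internet" entry below.
interface GigabitEthernet1/1
 description to-VRF-internet (cabled to Gi1/2)
 ip address 10.241.0.65 255.255.255.252
 ! Override the shared chassis MAC so the two ends differ (6500/7600 case).
 mac-address 001f.26e0.d41a
!
! --- VRF side (assumed Gi1/2) ---
! Note: "ip vrf forwarding" clears the IP address, so it goes first.
interface GigabitEthernet1/2
 description to-global (cabled to Gi1/1)
 ip vrf forwarding internet
 ip address 10.241.0.66 255.255.255.252
 mac-address 001f.26e0.d419
!
! --- Static ARP so neither table has to ARP for its own IP/MAC pair ---
arp 10.241.0.66 001f.26e0.d419 ARPA
arp vrf internet 10.241.0.65 001f.26e0.d41a ARPA
!
! --- IGP: one OSPF process per routing table, adjacency over the cable ---
router ospf 1
 router-id 10.0.0.1
 network 10.241.0.64 0.0.0.3 area 0
!
router ospf 2 vrf internet
 router-id 10.0.0.2
 capability vrf-lite
 network 10.241.0.64 0.0.0.3 area 0
!
! --- BGP: Internet routes live only in the VRF table (peer/AS assumed) ---
router bgp 65000
 address-family ipv4 vrf internet
  neighbor 192.0.2.1 remote-as 64496
  neighbor 192.0.2.1 activate
 exit-address-family
```

Verify the adjacency with `show ip ospf neighbor` (global) and `show ip ospf neighbor` under process 2, and check that the ARP entries are present in both tables with `show ip arp` and `show ip arp vrf internet` before looking at BGP.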

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
Sent: Tuesday, February 10, 2009 12:45 AM
To: Jeff Fitzwater
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRF and BGP ?

I use VRFs quite a bit on 7600 and other platforms with internal OSPF
neighbors.  So long as the interfaces you are connecting with (dot1q
VLANs in my case most of the time) are associated with that VRF, you
should be able to do so, although I've never tried to leak routes from
the global routing table into a VRF, or use BGP (in OSPF there is a VRF
tag you must use if I remember correctly).  Using VRFs will give you a
separate routing table isolated from your global routing table, however.
I'm not an expert on this subject so if anyone has corrections, please
chime in.

Jeff Fitzwater wrote:
> I am running 12.2.SXI on a 6500 with sup-720
>
>
> I currently have 3 full BGP peers with two on I1 and one on I2.
>
> I now need a fourth peer with ESNet (gov ISP) but only allow two /22
> nets from Princeton U. access to ESNet.
>
> My dilemma is how to only let the two nets see the additional ESNet
> routes so that no other host on campus will try and use the ESNET
> routes and fail.
>
> I have not used the VRF feature yet, but it appears that it might do
> the trick if I can create a separate routing domain with just ESNet
> routes, and then point only the two nets to the VRF so they check the
> ESNet table first and if not present fall through to the global table.
> I should be able to use a ROUTE-MAP to accomplish this.
>
> From the doc it states that I can create a VRF and import routes from
> the global table but that means everybody will still see the routes to
> ESNet ( I would guess anyway).
>
>  Can I peer directly with the VRF without doing an import from the
> global table so only it has the ESNet routes?
>
> Does anybody have any suggestions on this issue?
>
>
> Thanks for any help.
>
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
