[c-nsp] VRF and BGP ?

schilling schilling2006 at gmail.com
Tue Feb 10 10:22:36 EST 2009


You could have a vrf for esnet, esnet routes could be in a headend/hub/pilot
router, your specific /22 would be in esnet vrf. You could inject a default
with ospf from your headend to other esnet vrf CEs.  In the headend, have a
static default to your loopback connection global side as JC described. So
all traffic in your /22 esnet vrf will go to esnet route if it exists,
otherwise, it goes to your global routing table.

The other way to the loopback cable is to use a routed VFW instance without
the ARP caveat. You could point your esnet vrf default to the VFW inside,
outside is connected to your global routing table. Basically, inside vlan
one end is in vrf esnet, the other is allocated to VFW as inside. The
outside vlan one end is in global routing table, the other is allocated to
VFW as outside. Some static routing configuration needed in the VFW since
multi context FWSM only support static route.

Schilling
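Pulling the two replies above together, here is an added, illustrative IOS configuration for the headend design Schilling describes (a vrf-lite "esnet" table with the ESNet BGP session inside it, an OSPF-originated default toward other esnet CEs, and a static default across a back-to-back link to the global side), plus JC's static ARP workaround for the shared-MAC problem on 6500/7600. This is not configuration from either poster; the VRF name, VLAN numbers, the 10.241.100.0/22 campus prefix, the 192.0.2.1 peer address, the AS numbers, and the chosen interface MAC are placeholders, while the two ARP entries and their MACs are the ones JC posted.

```cisco
! ---- VRF holding only the ESNet routes (vrf-lite, single chassis) ----
ip vrf esnet
 rd 64512:1
!
! Campus /22 that is allowed to use ESNet (placeholder prefix)
interface Vlan100
 ip vrf forwarding esnet
 ip address 10.241.100.1 255.255.252.0
!
! Physical link to the ESNet peer lives in the VRF (placeholder interface)
interface GigabitEthernet1/1
 ip vrf forwarding esnet
 ip address 192.0.2.2 255.255.255.252
!
! ---- Back-to-back ("loopback cable") pair between VRF and global ----
! VRF end of the cable. A distinct MAC is set here because, as JC
! observed, 6500/7600 SVIs otherwise share one MAC and ARP never resolves.
interface Vlan201
 ip vrf forwarding esnet
 ip address 10.241.0.65 255.255.255.252
 mac-address 0000.0c01.0201
!
! Global end of the cable (no VRF statement = global table)
interface Vlan202
 ip address 10.241.0.66 255.255.255.252
!
! ---- ESNet BGP session terminates inside the VRF only ----
router bgp 64512
 address-family ipv4 vrf esnet
  neighbor 192.0.2.1 remote-as 65001
  neighbor 192.0.2.1 activate
  network 10.241.100.0 mask 255.255.252.0
 exit-address-family
!
! ---- OSPF inside the VRF hands a default to other esnet CEs ----
router ospf 100 vrf esnet
 network 10.241.100.0 0.0.3.255 area 0
 default-information originate always
!
! VRF default: anything without an ESNet route crosses to the global side
ip route vrf esnet 0.0.0.0 0.0.0.0 10.241.0.66
! Global side needs a return path for the /22, via the VRF end of the cable
ip route 10.241.100.0 255.255.252.0 10.241.0.65
!
! Static ARP entries from JC's post (IP/MAC pairs as he gave them),
! one for the global end and one inside the VRF, so neither side
! waits on an ARP it will never send for its own chassis
arp 10.241.0.66 001f.26e0.d419 ARPA
arp vrf esnet 10.241.0.65 001f.26e0.d41a ARPA
```

The isolation property the original question asked for comes from the BGP session being activated only under `address-family ipv4 vrf esnet`: hosts outside Vlan100 are served by the global table and never see an ESNet prefix, while hosts in the /22 get a longest-match lookup in the esnet table and fall through the 0.0.0.0/0 static to the global side only when no ESNet route exists. If you later use the static ARP entries, check them with `show ip arp vrf esnet` and `show ip arp` after any hardware or supervisor swap, since the hard-coded MACs will no longer match.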

On Tue, Feb 10, 2009 at 1:29 AM, JH Cockburn <ccie15385 at gmail.com> wrote:

> Hi All,
> We had a similar situation where we had to create an "internet" vrf and
> "leak/connect" that to the global routing table.
> So we had a couple of interfaces belonging to the internet vrf of which one
> connected back to the same device on an interface in the global network. We
> had ospf as IGP to exchange infrastructure/loopback addresses and BGP for
> Internet addresses. The problem was that OSPF did come up at first, so the
> problem on the 6500's/7600's is that they use the same MAC address for all
> L3 interfaces. Change the one side's MAC to a MAC of your choice and up
> comes OSPF and after that BGP can do its thing.
> So when we implemented this on our GSRs/7206's it still didn't work... So
> after a bit of ol debugging I came to the conclusion that the following
> happens:
> The router (either VRF of global) wants to connect to the (OSPF) neighbor,
> needs to do a arp for the address but then sees it already has an attached
> interface with that IP/MAC pair so it never sends the arp and goes into a
> loop of sorts. (Maybe some real propeller head can give the real reasons..)
> So the OSPF never comes up. I added static arp entries (see below) and
> jippeee, OSPF comes up etc...
>
> -----
> arp 10.241.0.66 001f.26e0.d419 ARPA
> arp vrf internet 10.241.0.65 001f.26e0.d41a ARPA
> -----
>
> I hope this helps and gives you some idea what to look for when you need
> this..
>
> Cheers
> JC
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
> Sent: Tuesday, February 10, 2009 12:45 AM
> To: Jeff Fitzwater
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] VRF and BGP ?
>
> I use VRF's quite a bit on 7600 and other platforms with internal OSPF
> neighbors.  So long as the interfaces you are connecting with (dot1q
> vlan's in my case most of the time) are associated with that vrf, you
> should be able to do so, although, I've never tried to leak routes from
> the global routing table into a VRF, or use BGP (in OSPF there is a vrf
> tag you must use if I remember correctly).  Using VRF's will give you a
> separate routing table isolated from your global routing table however.
> I'm not an expert on this subject so if anyone has corrections, please
> chime in.
>
> Jeff Fitzwater wrote:
> > I am running 12.2.SXI on a 6500 with sup-720
> >
> >
> > I currently have 3 full BGP peers with two on I1 and one on I2.
> >
> > I now need a fourth peer with ESNet (gov ISP) but only allow two /22
> > net from Princeton U. access to ESNet.
> >
> > My dilemma is how to only let the two nets see the additional ESNet
> > routes so that no other host on campus will try and use the ESNET
> > routes and fail.
> >
> > I have not used the VRF feature yet, but it appears that it might do
> > the trick if I can create a separate routing domain with just ESNet
> > routes, and then point only the two nets to the VRF so they check the
> > ESNet table first and if not present fall thru to the global table.
> > I should be able to use a ROUTE-MAP to accomplish this.
> >
> > From the doc it states that I can create a VRF and import routes from
> > the global table but that means everybody will still see the routes to
> > ESNet ( I would guess anyway).
> >
> >  Can I peer directly with the VRF without doing an import from the
> > global table so only it has the ESNet routes?
> >
> > Does anybody have any suggestions on this issue?
> >
> >
> > Thanks for any help.
> >
> >
> >
> > Jeff Fitzwater
> > OIT Network Systems
> > Princeton University
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
