[c-nsp] VRF->Global route leaking in multi-VRF CE installation

Ross Vandegrift ross at kallisti.us
Wed Jan 6 09:28:06 EST 2010


Hi everyone,

I have a multi-VRF CE setup that is used to provide a different
forwarding path for two groups of VLANs (one group has a layer 2
firewall in front of it, the other does not).

Each VRF has a physical interface uplinking to the global table and a
default pointing out of that interface.  The global table uplinks to
the rest of the network and carries a full BGP view.  All three tables
have an OSPF instance.  I'm trying to move these routes out of OSPF
into iBGP, and IOS seems intent on foiling me.

1) There doesn't appear to be any BGP way to get a VRF route into the
global table as an IPv4 route.  This makes some sense, as that's
basically asking to redistribute between address families - which
doesn't make any sense in most cases.

2) I've tried redistributing from a VRF OSPF instance into ipv4
BGP, but IOS says no:
	lab-6506.dc3(config)#router bgp 65000
	lab-6506.dc3(config-router)#redistribute ospf 2 
	%VRF specified does not match this router
	lab-6506.dc3(config-router)#redistribute ospf 2 vrf shared
	%VRF specified does not match this router
Similar for other cross-VRF redistributions.

3) I've lab'd a config where I move everything into a VRF from the
global table, and then use PE-CEish eBGP to get the routes to the rest
of the network.  This works, but the AS_PATH is wrong.  I could use
as-override to fix this, but that isn't supported on the 6500 core
routers.

4) I tried to come up with a way to get the global table's OSPF
instance cut down appropriately, but most of the LSAs are type 5 since
we redistribute static routes.  This prevents the goal of getting the
routes out of OSPF.

5) Manually duplicate every VRF static/connected route in the global
table and just do the usual redistribution of statics.  This seems
like a very difficult config to keep in sync - about 3k prefixes with
occasional additions or updates.  But it does actually work.

Have I missed any options?  #5 seems like the only thing that has any
hope of being correct, but man, that's a pain.  I might be able to
live with #3, but I need to make sure that all of our tools will live
with the incorrect AS_PATH.

Thanks,
Ross

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie
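
Added example, not part of the original post and not the poster's code: a drift check for option 5 that compares the static prefixes configured in the VRFs with the copies in the global table. It assumes routes appear as `ip route [vrf NAME] <prefix> <mask> ...` lines in a saved config; the VRF name `fw`, the prefixes and the next hops in the sample are constructed.

```python
import ipaddress
import re

# IOS static route, with or without "vrf NAME". Only prefix and mask are
# compared; next hops are expected to differ between the VRF and its copy.
ROUTE_RE = re.compile(
    r"^ip route(?: vrf (?P<vrf>\S+))? "
    r"(?P<net>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+)\b"
)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def parse_statics(config_text):
    """Return {vrf name, or None for global: set of IPv4Network}."""
    tables = {}
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            tables.setdefault(m["vrf"], set()).add(net)
    return tables

def audit_leak(config_text, vrfs):
    """Return (missing, extra): VRF prefixes with no global copy, and global
    statics with no VRF counterpart (stale copies or genuinely global routes)."""
    tables = parse_statics(config_text)
    wanted = set().union(*(tables.get(v, set()) for v in vrfs))
    have = set(tables.get(None, set()))
    # Each VRF's default points out of its uplink and is never duplicated.
    wanted.discard(DEFAULT)
    have.discard(DEFAULT)
    return sorted(wanted - have), sorted(have - wanted)

# Constructed sample config: one prefix was copied with the wrong network.
SAMPLE = """\
ip route vrf shared 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf shared 192.0.2.0 255.255.255.0 10.1.1.2
ip route vrf shared 198.51.100.0 255.255.255.128 10.1.1.3
ip route vrf fw 203.0.113.0 255.255.255.0 10.2.1.2
ip route 192.0.2.0 255.255.255.0 10.0.0.2
ip route 203.0.113.0 255.255.255.0 10.0.0.6
ip route 198.51.100.128 255.255.255.128 10.0.0.2
"""

if __name__ == "__main__":
    missing, extra = audit_leak(SAMPLE, ["shared", "fw"])
    for net in missing:
        print(f"missing from global table: {net}")
    for net in extra:
        print(f"global static with no VRF counterpart: {net}")
```

Connected routes are not covered; only `ip route` statements are compared.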