[c-nsp] Large scale "central services" VRF, best practice?

marc williams marcuk at me.com
Fri Mar 18 10:18:37 EDT 2011


Have you looked at doing vrf-nat?

On 18 Mar 2011, at 13:04, Peter Rathlev wrote:

> Is there any "smart" way to configure an MPLS VPN network for a "central
> services" VRF for all (or many) other VRFs?
> 
> I see three possible ways:
> 
> 1)  Use import & export on the central services VRF, no configuration
>     on the other VRFs:
> 
>     ip vrf A
>      rd 1:1
>      route-target both 1:1
>     !
>     ip vrf B
>      rd 1:2
>      route-target both 1:2
>     !
>     ip vrf Central_Services
>      rd 1:3
>      route-target both 1:1
>      route-target both 1:2
>      route-target both 1:3
>     !
> 
> 2)  Use import & export on each VRF that needs to access the central
>     services VRF.
> 
>     ip vrf A
>      rd 1:1
>      route-target both 1:1
>      route-target both 1:3
>     !
>     ip vrf B
>      rd 1:2
>      route-target both 1:2
>      route-target both 1:3
>     !
>     ip vrf Central_Services
>      rd 1:3
>      route-target both 1:1
>     !
> 
> 3)  Use an empty (permit anything) import map on the central services
>     VRF and an export map on the other VRFs:
> 
>     route-map CS_EXPORT_MAP permit 10
>      set extcommunity rt 1:3 additive
>     !
>     route-map CS_IMPORT_MAP permit 10
>     !
>     ip vrf A
>      rd 1:1
>      route-target both 1:1
>      export map CS_EXPORT_MAP
>     !
>     ip vrf B
>      rd 1:2
>      route-target both 1:2
>      export map CS_EXPORT_MAP
>     !
>     ip vrf Central_Services
>      rd 1:3
>      route-target both 1:3
>      import map CS_IMPORT_MAP
>     !
> 
> In my eyes all approaches seem like a lot of work, but I'm leaning
> towards solution 2 because it seems easier to not make mistakes.
> 
> An SP from which we buy last-mile in a couple of VRFs have their
> management prefixes leaked out into every VRF and we're looking for
> something similar.
> 
> Does anybody know of a smart(er) way of doing this? Is anybody on this
> list using it at large scale and willing to share some experience?
> 
> -- 
> Peter
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
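
Added example, not part of either message above: a small Python model of the three route-target layouts exactly as posted, reporting which VRF imports routes from which, so tenant isolation can be checked before a layout is rolled out. Assumptions: a VRF imports a route when the route's RT set intersects the VRF's import RTs, imported routes are not re-exported, the permit-all import map filters nothing, and the export map only adds RT 1:3; the function names are made up for this sketch.

```python
# Added example: model route-target import/export for the three options as
# posted and report which VRFs learn routes from which.
# Assumed semantics: import on any RT match, no re-export of imported routes,
# CS_IMPORT_MAP filters nothing, CS_EXPORT_MAP only adds RT 1:3 (additive).

def vrf(both=(), export_extra=()):
    """Build a VRF from 'route-target both' values plus RTs added by an export map."""
    return {"import": set(both), "export": set(both) | set(export_extra)}

OPTIONS = {
    1: {"A": vrf(["1:1"]), "B": vrf(["1:2"]),
        "Central_Services": vrf(["1:1", "1:2", "1:3"])},
    2: {"A": vrf(["1:1", "1:3"]), "B": vrf(["1:2", "1:3"]),
        "Central_Services": vrf(["1:1"])},
    3: {"A": vrf(["1:1"], export_extra=["1:3"]),
        "B": vrf(["1:2"], export_extra=["1:3"]),
        "Central_Services": vrf(["1:3"])},
}

def learned_from(vrfs):
    """Map each VRF to the set of other VRFs whose routes it imports."""
    return {
        name: {src for src, s in vrfs.items()
               if src != name and s["export"] & v["import"]}
        for name, v in vrfs.items()
    }

def customer_leaks(vrfs, hub="Central_Services"):
    """Return (importer, source) pairs where one non-hub VRF imports another's routes."""
    table = learned_from(vrfs)
    return sorted((dst, src) for dst, srcs in table.items() if dst != hub
                  for src in srcs if src != hub)

if __name__ == "__main__":
    for n, vrfs in OPTIONS.items():
        print(f"option {n}")
        for name, srcs in learned_from(vrfs).items():
            print(f"  {name} imports from: {sorted(srcs) or 'none'}")
        print(f"  customer-to-customer leaks: {customer_leaks(vrfs) or 'none'}")
```

Under these assumptions the model reports no customer-to-customer import for options 1 and 3, and mutual import between A and B for option 2, because both VRFs export and import RT 1:3.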


