[c-nsp] Large scale "central services" VRF, best practice?
Per Carlson
pelle at hemmop.com
Fri Mar 18 12:25:01 EDT 2011
Hi Peter.
> Is there any "smart" way configure an MPLS VPN network for a "central
> services" VRF for all (or many) other VRFs?
<snip/>
> An SP from which we buy last-mile in a couple of VRFs have their
> management prefixes leaked out into every VRF and we're looking for
> something similar.
>
> Does anybody know of a smart(er) way of doing this? Are anybody on this
> list using it large scale and are willing to share some experience?
Just leaking management prefixes in/out of VRFs is quite simple.
Designing a large scale shared/central services network, with
security, is way harder.
Here are our recipes for management leaking:
PE-router connected to management network:
-----
ip vrf MGMT
rd 1:1
route-target export 1:1
route-target import 1:2
!
interface gi0
ip vrf forwarding MGMT
ip address <mgmt lan> <netmask>
!
router bgp 1
address-family ipv4 vrf MGMT
network <mgmt lan> mask <netmask>
!
All PE-routers:
-----
ip vrf A
rd 1:100
route-target both 1:100
route-target import 1:1
export map mgmt_leaking
!
ip vrf B
rd 1:101
route-target both 1:101
route-target import 1:1
export map mgmt_leaking
!
ip prefix-list mgmt_prefixes permit <prefix/len> ge 32
!
route-map mgmt_leaking permit 10
match ip address prefix-list mgmt_prefixes
set extcommunity rt 1:2 [ additive ]
This way it's *only* the management LAN prefix (RT 1:1) which is
imported into vrf A and B. In fact vrf A does not import the
management prefix used in vrf B (RT 1:2), and vice versa.
If it's important to see the management prefixes used in a vrf A on
*all* PE-nodes with vrf A, use the "additive" option in the
mgmt_leaking route-map. Without "additive" the management prefixes are
"moved" from vrf A to vrf MGMT (which I do prefer).
--
Pelle
RFC1925, truth 11:
Every old idea will be proposed again with a different name and
a different presentation, regardless of whether it works.
More information about the cisco-nsp
mailing list