[c-nsp] Large scale "central services" VRF, best practice?

[Per Carlson]

Hi Peter.

> Is there any "smart" way configure an MPLS VPN network for a "central
> services" VRF for all (or many) other VRFs?

<snip/>

> An SP from which we buy last-mile in a couple of VRFs have their
> management prefixes leaked out into every VRF and we're looking for
> something similar.
>
> Does anybody know of a smart(er) way of doing this? Are anybody on this
> list using it large scale and are willing to share some experience?

Just leaking management prefixes in/out of VRFs is quite simple.
Designing a large scale shared/central services network, with
security, is way harder.

Here are our recipes for management leaking:

PE-router connected to management network:
-----
ip vrf MGMT
  rd 1:1
  route-target export 1:1
  route-target import 1:2
!
interface gi0
  ip vrf forwarding MGMT
  ip address <mgmt lan> <netmask>
!
router bgp 1
  address-family ipv4 vrf MGMT
    network <mgmt lan> mask <netmask>
!


All PE-routers:
-----
ip vrf A
  rd 1:100
  route-target both 1:100
  route-target import 1:1
  export map mgmt_leaking
!
ip vrf B
  rd 1:101
  route-target both 1:101
  route-target import 1:1
  export map mgmt_leaking
!
ip prefix-list mgmt_prefixes permit <prefix/len> ge 32
!
route-map mgmt_leaking permit 10
  match ip address prefix-list mgmt_prefixes
  set extcommunity rt 1:2 [ additive ]


This way it's *only* the management LAN prefix (RT 1:1) which is
imported into vrf A and B. In fact vrf A does not import the
management prefix used in vrf B (RT 1:2), and vice versa.

If it's important to see the management prefixes used in a vrf A on
*all* PE-nodes with vrf A, use the "additive" option in the
mgmt_leaking route-map. Without "additive" the management prefixes are
"moved" from vrf A to vrf MGMT (which I do prefer).

-- 
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.