OSPF vs ISIS - Which do you prefer & why?
Baldur Norddahl
baldur.norddahl at gmail.com
Sat Nov 12 14:07:46 UTC 2016
Den 11/11/2016 kl. 11.20 skrev Mark Tinka:
>
>
> On 11/Nov/16 12:07, Baldur Norddahl wrote:
>
>> No filters. There are just no routes that will take a network packet that
>> arrive on an interface in VRF internet and move it to an interface in VRF
>> default without adding a MPLS header to mark the VRF. With the MPLS header
>> the packet type is no longer IPv4 but MPLS.
>>
>> Therefore there is no way you from the internet or from a customer link can
>> even attempt to inject packets that would be received by the OSPF process.
>> Since we use 10.0.0.0/8 and our vrf internet has no such route, you would
>> just get no route to host if you tried.
>
> Good for you.
>
> We don't run the whole "Internet in a VRF" architecture (too many
> moving parts), so not having our IGP being exposed to IP helps :-).
Internet in a VRF just works and it is not at all complicated. I will
recommend it for anyone which has the equipment that can do it. I do
realise that not everyone can do this however.
I have not studied OSPFv3 in detail but it appears that only IPv6 link
local addresses are used. Since that can not be routed, I do not think
OSPFv3 exposes anything to the Internet. I would probably go with OSPFv3
if I had to configure a network without VRF support.
If I was coding an OSPFv3 daemon I would make it bind only to link local
addresses on interfaces, which will guarantee that no traffic is
received from outsiders.
Regards,
Baldur
More information about the NANOG
mailing list