Multiple VRFs from provider, IP addressing

Hugo Slabbert hugo at
Fri Apr 29 03:28:04 UTC 2016

On Thu 2016-Apr-28 05:22:26 +0000, Craig Rivenburg <crivenburg at> wrote:

>Hi Nanog...looking for some advice.  I have a customer who has a large
>network...approximately 130 sites across the US.  Each site is fed via two
>providers, via two Separate CE Routers.  It's a  L3-VPN service.  Each
>provider currently provides connectivity for 6 VRFs, each over a single
>service multiplexed UNI.  Ie...there are 6 dot1q interfaces facing each
>provider, each sub-interface is in its own VRF.
>The network is going through a redesign, and one of my tasks is to
>consolidate and "streamline" IP addressing.
>Looking for a sanity check...I have this idea to make every dot1q
>sub-interface facing the provider the same point-to-point subnet.
>Specifically, facing a single provider, I want to use the same /30 subnet
>for all 6 VRFs.  I'd use a separate /30 for each of the CE routers per
>site, so I could go from 12 /30s to 2 per site.  I should note, PE-CE
>protocol is BGP, and behind the CE routers is a small iBGP network.
>I know it's technically possible to configure the OPs this way and under
>normal circumstances its fine.  But, in this case, there is a whole lot of
>route leaking / cross target exchanges happening between VRFs.  I still
>think it's okay...but can anyone think of a a failure mode that I may not
>have?  Is what I'm thinking common practice?  Is there a best practice for
>this sort of thing?

6 VRFs per site, across the board, with extensive leaking between VRFs.  At 
the risk of second-guessing a design with very little insight into whatever 
requirements are going on behind the curtain: what's the point of all of 
those VRFs, especially if you're leaking routes back and forth fairly 
frequently/commonly?  Are you using routing policy to split security zones 
or something?

For the IP addressing "streamlining": I fail to see the benefit of having 
the same /30 across each dot1q sub-interface.  If anything, this seems to 
confuse things and complicate troubleshooting (`ping no-resolve 
<PE-IP-for-this-site> routing-instance <VR1? or 2? erm...which one was it 
again?>`).  If you're dealing with apparently complex route leaking between 
VRFs, I could see the fun of fat fingering your exports/imports and having 
the shared touchdown /30 of the local or remote sites leak into the wrong 

What problem are you trying to solve?  Are you short on IPs for these 
touchdowns?  Are they at a position in the topology where you could just 
swing them over to RFC1918 space?  Or drop them to /31s (since they are ptp 
on dot1q sub-interfaces anyway) and half your IP allocation requirement for 
the touchdowns if that's the issue?


Hugo Slabbert       | email, xmpp/jabber: hugo at
pgp key: B178313E   | also on Signal
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list