Multiple VRFs from provider, IP addressing
Hugo Slabbert
hugo at slabnet.com
Fri Apr 29 03:28:04 UTC 2016
On Thu 2016-Apr-28 05:22:26 +0000, Craig Rivenburg <crivenburg at gmail.com> wrote:
>Hi Nanog...looking for some advice. I have a customer who has a large
>network...approximately 130 sites across the US. Each site is fed via two
>providers, via two Separate CE Routers. It's a L3-VPN service. Each
>provider currently provides connectivity for 6 VRFs, each over a single
>service multiplexed UNI. Ie...there are 6 dot1q interfaces facing each
>provider, each sub-interface is in its own VRF.
>
>The network is going through a redesign, and one of my tasks is to
>consolidate and "streamline" IP addressing.
>
>Looking for a sanity check...I have this idea to make every dot1q
>sub-interface facing the provider the same point-to-point subnet.
>Specifically, facing a single provider, I want to use the same /30 subnet
>for all 6 VRFs. I'd use a separate /30 for each of the CE routers per
>site, so I could go from 12 /30s to 2 per site. I should note, PE-CE
>protocol is BGP, and behind the CE routers is a small iBGP network.
>
>I know it's technically possible to configure the OPs this way and under
>normal circumstances its fine. But, in this case, there is a whole lot of
>route leaking / cross target exchanges happening between VRFs. I still
>think it's okay...but can anyone think of a a failure mode that I may not
>have? Is what I'm thinking common practice? Is there a best practice for
>this sort of thing?
6 VRFs per site, across the board, with extensive leaking between VRFs. At
the risk of second-guessing a design with very little insight into whatever
requirements are going on behind the curtain: what's the point of all of
those VRFs, especially if you're leaking routes back and forth fairly
frequently/commonly? Are you using routing policy to split security zones
or something?
For the IP addressing "streamlining": I fail to see the benefit of having
the same /30 across each dot1q sub-interface. If anything, this seems to
confuse things and complicate troubleshooting (`ping no-resolve
<PE-IP-for-this-site> routing-instance <VR1? or 2? erm...which one was it
again?>`). If you're dealing with apparently complex route leaking between
VRFs, I could see the fun of fat fingering your exports/imports and having
the shared touchdown /30 of the local or remote sites leak into the wrong
VRF(s).
What problem are you trying to solve? Are you short on IPs for these
touchdowns? Are they at a position in the topology where you could just
swing them over to RFC1918 space? Or drop them to /31s (since they are ptp
on dot1q sub-interfaces anyway) and half your IP allocation requirement for
the touchdowns if that's the issue?
>Thanks!
--
Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E | also on Signal
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20160428/53c41b52/attachment.sig>
More information about the NANOG
mailing list