Multiple VRFs from provider, IP addressing
Hi Nanog...looking for some advice. I have a customer who has a large network...approximately 130 sites across the US. Each site is fed via two providers, via two separate CE Routers. It's a L3-VPN service. Each provider currently provides connectivity for 6 VRFs, each over a single service multiplexed UNI. I.e., there are 6 dot1q interfaces facing each provider, each sub-interface is in its own VRF.

The network is going through a redesign, and one of my tasks is to consolidate and "streamline" IP addressing.

Looking for a sanity check...I have this idea to make every dot1q sub-interface facing the provider the same point-to-point subnet. Specifically, facing a single provider, I want to use the same /30 subnet for all 6 VRFs. I'd use a separate /30 for each of the CE routers per site, so I could go from 12 /30s to 2 per site. I should note, PE-CE protocol is BGP, and behind the CE routers is a small iBGP network.

I know it's technically possible to configure the OPs this way and under normal circumstances it's fine. But, in this case, there is a whole lot of route leaking / cross target exchanges happening between VRFs. I still think it's okay...but can anyone think of a failure mode that I may not have? Is what I'm thinking common practice? Is there a best practice for this sort of thing? Thanks!
On Thu 2016-Apr-28 05:22:26 +0000, Craig Rivenburg <crivenburg@gmail.com> wrote:
> Hi Nanog...looking for some advice. I have a customer who has a large network...approximately 130 sites across the US. Each site is fed via two providers, via two separate CE Routers. It's a L3-VPN service. Each provider currently provides connectivity for 6 VRFs, each over a single service multiplexed UNI. I.e., there are 6 dot1q interfaces facing each provider, each sub-interface is in its own VRF.
>
> The network is going through a redesign, and one of my tasks is to consolidate and "streamline" IP addressing.
>
> Looking for a sanity check...I have this idea to make every dot1q sub-interface facing the provider the same point-to-point subnet. Specifically, facing a single provider, I want to use the same /30 subnet for all 6 VRFs. I'd use a separate /30 for each of the CE routers per site, so I could go from 12 /30s to 2 per site. I should note, PE-CE protocol is BGP, and behind the CE routers is a small iBGP network.
>
> I know it's technically possible to configure the OPs this way and under normal circumstances it's fine. But, in this case, there is a whole lot of route leaking / cross target exchanges happening between VRFs. I still think it's okay...but can anyone think of a failure mode that I may not have? Is what I'm thinking common practice? Is there a best practice for this sort of thing?
6 VRFs per site, across the board, with extensive leaking between VRFs. At the risk of second-guessing a design with very little insight into whatever requirements are going on behind the curtain: what's the point of all of those VRFs, especially if you're leaking routes back and forth fairly frequently/commonly? Are you using routing policy to split security zones or something?

For the IP addressing "streamlining": I fail to see the benefit of having the same /30 across each dot1q sub-interface. If anything, this seems to confuse things and complicate troubleshooting (`ping no-resolve <PE-IP-for-this-site> routing-instance <VR1? or 2? erm...which one was it again?>`). If you're dealing with apparently complex route leaking between VRFs, I could see the fun of fat-fingering your exports/imports and having the shared touchdown /30 of the local or remote sites leak into the wrong VRF(s).

What problem are you trying to solve? Are you short on IPs for these touchdowns? Are they at a position in the topology where you could just swing them over to RFC1918 space? Or drop them to /31s (since they are ptp on dot1q sub-interfaces anyway) and halve your IP allocation requirement for the touchdowns if that's the issue?
Thanks!
--
Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com
pgp key: B178313E | also on Signal
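As an added illustration that is not part of the thread, here is a small Python model of the fat-finger scenario Hugo describes: six VRFs on one CE, each exporting its own route target, with some deliberate cross-VRF imports, and a check that reports any leaked prefix colliding with a touchdown /30 the receiving VRF already has as connected. The VRF names, RT values (65000:n) and addresses are constructed for the example; it compares the "same /30 in every VRF" design against one distinct /30 per VRF.

```python
import ipaddress
from collections import defaultdict

# Constructed single-site model: one CE, six VRFs facing one provider.
# "Touchdown" = the PE-CE /30 on each dot1q sub-interface.  Each VRF exports
# one RT; leaking is modelled as a VRF importing another VRF's RT.
# RT values and prefixes are hypothetical, not taken from the thread.

def build_vrfs(shared_touchdown):
    """Return {vrf: {"export": rt, "import": {rts}, "connected": {prefixes}}}."""
    vrfs = {}
    for i in range(1, 7):
        # Proposed design: identical /30 on every sub-interface; else unique /30s.
        td = "10.0.0.0/30" if shared_touchdown else f"10.0.{i}.0/30"
        vrfs[f"VRF{i}"] = {
            "export": f"65000:{i}",
            "import": {f"65000:{i}"},
            "connected": {ipaddress.ip_network(td),
                          ipaddress.ip_network(f"192.168.{i}.0/24")},
        }
    # Intended leaking between VRF1 and VRF2, plus a fat-fingered extra import
    # of VRF3's routes into VRF1 (the mistake Hugo's reply warns about).
    vrfs["VRF1"]["import"] |= {"65000:2", "65000:3"}
    vrfs["VRF2"]["import"] |= {"65000:1"}
    return vrfs

def imported_table(vrfs):
    """Each VRF's table after RT import: own connected routes plus every route
    whose export RT the VRF imports, tagged with the originating VRF."""
    by_rt = defaultdict(set)
    for name, v in vrfs.items():
        for prefix in v["connected"]:
            by_rt[v["export"]].add((prefix, name))
    table = {}
    for name, v in vrfs.items():
        entries = {(p, name) for p in v["connected"]}
        for rt in v["import"]:
            entries |= by_rt[rt]
        table[name] = entries
    return table

def touchdown_collisions(vrfs):
    """List (vrf, prefix, origin_vrf) where a leaked prefix overlaps a prefix
    the receiving VRF already holds as locally connected."""
    hits = []
    for name, entries in imported_table(vrfs).items():
        local = vrfs[name]["connected"]
        for prefix, origin in entries:
            if origin != name and any(prefix.overlaps(l) for l in local):
                hits.append((name, str(prefix), origin))
    return sorted(hits)
```

With shared touchdowns the check flags the /30 arriving in VRF1 from both VRF2 and VRF3 and in VRF2 from VRF1; with per-VRF /30s the same import mistakes leak routes but produce no collision with a connected prefix.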