On 02/09/18 14:42 -0500, Donald Sharp wrote:
Since properly configuring a VRF has become a point of contention, I've started a wiki on how to properly configure VRFs so that you can use them properly with FRRouting:
https://github.com/FRRouting/frr/wiki/Configuring-a-VRF-to-work-properly-for...
Thank you Donald. This is very useful. My background is with Netiron, IOS, and JunOS and I have a couple of comments on VRF leaking, which is not discussed in the above that I've seen, but is in discussion on dev.

The Tutorial suggests installing a default route with low priority in your VRF as a basic step. In a route leaking context this can and will lead to disaster in a production environment. I can recall an uncomfortable discussion with a bank after leaking a default route into their mpls vrf, from within another common (voice) vrf I was configuring. I generally stay away from static routes altogether. You can mitigate that risk with import/export lists.

Some implementations do leaking much better than others, and the primary area of issue that I have is how do you leak connected routes - that is, how do you leak a local interface/subnet, such as 'int ve 1000', into another local vrf, that is not learned through a dynamic routing protocol. Cisco does this the moment you configure: ip bgp vpnv4 <vrf> and Netiron requires ugly route_maps to accomplish the same thing.