We're in the planning process for a better way to get multiple VRFs
meshed into a common 'internet' gateway, preferably without
unintentional cross-leakage between them.
There are brute-force methods (run them all to the edge) but we really
do need to have some leakage across certain VRFs.
For "full" leakage we just import/export RDs at the PE.
We have a temporary workaround with an ASA taking a tagged vlan from
each VRF as a separate logical interface, but this is a little messy.
Takes lots of static routes, and anything we do leak across has to
bounce out to the ASA and back again.
It would appear that a FWSM in the PE could do this. Has anyone been
down this road that would be willing to share some
notes/pointers/warnings/war stories?
Thanks in advance,
Jeff
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/