Half duplex VRF on IOS XR

michel.renfer
Level 1

We tried to find out, how HD VRF can be configured with IOS XR (a9k platform, 4.0.1). Feature seems to be available according to Feature Navigator, but i cannot find any documentation on cco.

Any hints?

cheers,

michel

12 Replies

Alexei Kiritchenko
Cisco Employee

Hello Michel,

HDVRF is not supported on XR. If you look further at HDVRF in the FN for ASR9k, you'll see that the functionality is not orderable.

Regards,

Alex.

Hi Alex

Thanks for the feedback. Is it on the roadmap for a future release?

cheers,

michel

Hi Michel,

There have been some discussions about HDVRF on XR, but I don't know the details. You had better ask your Cisco account representative about this.

Regards,

/A

Is HDVRF supported in IOS-XR now ?

Hi Rob

Still no support for this in IOS-XR, and the last time I asked about this it wasn't planned for any future release either.

Regards Peter

Correct. HDVRF was a trick to support a common point for LI tapping; back years ago we did it in IOS (for the 6400), it was carried forward later to next-gen BNG platforms like the c10k, and eventually the a1k had to have it also. For the XR BNG implementation we did LI support directly on subscribers.

For non-BNG, the LI capability was already there on any type of (sub)interface.

So there was no need to carry HDVRF forward in XR for that reason, other than possible legacy and migration scenarios.

If moving traffic between directions in a different VRF is a must, a trick with ABF can be done by setting the interface in one VRF (for downstream) and using ABF with a nexthop in a different VRF for upstream.

cheers!

xander

So what do us lowly MPLS shops do with IOS XR missing HD-VRF if we need to push default route (or any potential customer overlap) routes towards customers on, e.g., a shared firewall?

Like: 1 firewall, 100 customers VRFs on different devices in MPLS environment.

Super easy to solve by connecting the firewall to a router NIC with HD_VRF and then advertising upstream/downstream routes separately to customer VRFs. Traffic is then routed directly to the firewall for intra-area processing, where we can deny or accept connections between customers (always disabled in our scenarios).

<I deleted a long blurt here on options we have looked at, text was a bit hasty and may be easy to misunderstand>

Bottom line, how can we solve this scenario when the MPLS path has no interface to apply PBR on? We would have the risk/problem of recursive route lookups in the service VRF causing customer traffic to route directly from the service VRF between customers and bypassing the firewall.

And yeah, for the love of everything unholy, pretty please with sugar ontop add HD_VRF support to IOS XR or find some acceptable solution for this scenario.

CCIE # 27552 (R&S)

Have you tried ePBR? It should work on packets with single MPLS label. 

Hey thanks for quick reply.

We have shared services on multiple PE devices, each with multiple MPLS paths (physical, TE, tunnels, etc.) to each other/core, and multiple firewall devices (each with multiple virtual FWs) linked up towards hundreds of customer VRFs or inter-connections between services.

So doing this based on IPv4 source/destination in a single header, with policy pushed inbound on MPLS paths on all PE boxes that have shared services, and keeping that policy sane through the ages? Doesn't seem like a very scalable/safe way to manage the environment. Seems like similar overhead and craziness to just collecting customer traffic on local PE 'shared VRFs' and imposing ACL control there.

The HD_VRF approach solves all that pretty **bleep** perfectly, creating hub VRFs that deliver traffic to the firewall NIC for proper stateful processing and segmenting the spokes perfectly without the need for distributed policy with maintenance overhead. Intended as a hack or not, it's pretty much the most awesome feature we have in good old IOS to simplify customer/service inter-connects and bring down config overhead. We love it.

But if you could make ePBR work for our environment I'd love to see some config examples and scalability concerns addressed; also, we would have no problem paying for such consultation and support.

CCIE # 27552 (R&S)

In such environment it would be indeed difficult to make ePBR scale. I'll try to see what can be done about half duplex VRFs. Can you send me via private message your account team contacts at Cisco? 

Joachim Jerberg Jensen
Cisco Employee

Half-duplex VRF functionality can be achieved by using ingress "Access-list Based Forwarding" matching everything, and then setting the next-hop in the other VRF.
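The ABF substitute for HDVRF that xander and Joachim describe above, written out as an added IOS XR configuration example (this is not from the thread, not Cisco's reference configuration, and the interface names, VRF names, route targets and addresses are assumptions for illustration). It shows the shared-VRF design the thread warns about next to the per-customer-VRF-plus-ABF design; the two are alternatives for the same ports, not one configuration to apply as a whole.

```text
!! Design 1 (do not deploy): both customers in one shared VRF.
!! A packet from customer A to customer B is routed by the SERVICES table
!! straight out Gi0/0/0/2 and never reaches the firewall.
vrf SERVICES
 address-family ipv4 unicast
!
interface GigabitEthernet0/0/0/1
 description customer A (shared-VRF design, leaks between customers)
 vrf SERVICES
 ipv4 address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/0/0/2
 description customer B (shared-VRF design, leaks between customers)
 vrf SERVICES
 ipv4 address 198.51.100.129 255.255.255.128
!

!! Design 2: one VRF per customer for the downstream direction, ABF on each
!! customer-facing ingress for the upstream direction.
!! Customer VRFs import nothing from each other and nothing from the
!! firewall VRF, so anything ABF does not redirect has no route and is
!! dropped rather than leaked. (Placing the VRFs under router bgp for
!! VPNv4 is assumed and omitted here.)
vrf CUST-A
 address-family ipv4 unicast
  export route-target 65000:101
!
vrf CUST-B
 address-family ipv4 unicast
  export route-target 65000:102
!
!! FW-INSIDE holds the firewall's inside leg and imports every customer RT,
!! so firewall-to-customer (downstream) traffic uses normal route lookups.
vrf FW-INSIDE
 address-family ipv4 unicast
  import route-target 65000:101 65000:102
  export route-target 65000:999
!
interface GigabitEthernet0/0/0/3
 description firewall inside leg
 vrf FW-INSIDE
 ipv4 address 192.0.2.254 255.255.255.0
!
!! Match everything and forward to the firewall (192.0.2.1), resolved in
!! FW-INSIDE rather than in the VRF of the ingress interface.
ipv4 access-list ABF-TO-FW
 10 permit ipv4 any any nexthop1 vrf FW-INSIDE ipv4 192.0.2.1
!
interface GigabitEthernet0/0/0/1
 description customer A
 vrf CUST-A
 ipv4 address 198.51.100.1 255.255.255.0
 ipv4 access-group ABF-TO-FW ingress
!
interface GigabitEthernet0/0/0/2
 description customer B
 vrf CUST-B
 ipv4 address 198.51.100.129 255.255.255.128
 ipv4 access-group ABF-TO-FW ingress
!
```

Checks and caveats a practitioner would want before trusting this in place of HDVRF: ABF is applied ingress only, so it must be present on every customer-facing (sub)interface on every PE, and the nexthop has to be resolvable in FW-INSIDE on that PE (verify with `show cef vrf FW-INSIDE 192.0.2.1`; when the firewall sits behind a remote PE, FW-INSIDE must exist locally with the firewall's subnet imported, and the behaviour of ABF with a nexthop learned over MPLS should be confirmed for your release). Confirm the redirect is actually being hit in hardware, for example with `show access-lists ipv4 ABF-TO-FW hardware ingress interface GigabitEthernet0/0/0/1 location 0/0/CPU0` (location value assumed). If the nexthop becomes unreachable, ABF falls back to ordinary forwarding in the interface's VRF, which is why the customer VRFs above deliberately carry no routes toward other customers: the failure mode is then a drop, not the firewall bypass described in the thread.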