<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Posts on Soap &amp; Bits</title><link>https://soapandbits.net/posts/</link><description>Recent content in Posts on Soap &amp; Bits</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 01 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://soapandbits.net/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>Internet in VRF vs Internet in GRT</title><link>https://soapandbits.net/posts/internet-in-vrf-vs-internet-in-grt/</link><pubDate>Wed, 01 Jul 2026 00:00:00 +0000</pubDate><guid>https://soapandbits.net/posts/internet-in-vrf-vs-internet-in-grt/</guid><description>A side-by-side comparison of running the Internet in a VRF versus the Global Routing Table.</description><content:encoded><![CDATA[<p>A comparison of running the Internet in a VRF versus the Global Routing Table (GRT).</p>
<p>The comparison is split into two tables. The first covers <strong>core distinctions</strong> rooted in protocol behavior and network design — these are largely inherent to each approach, though new RFCs and mechanisms (for example, a mass-withdrawal mechanism for L3VPN) could shift some of them over time. The second covers <strong>current vendor implementation status</strong> — feature support that is vendor- and platform-dependent and may improve over time.</p>
<h2 id="core-distinctions-protocol-and-network-design">Core distinctions (protocol and network design)</h2>
<table>
	<thead>
			<tr>
					<th>Property/Issue</th>
					<th>Internet in VRF</th>
					<th>Internet in GRT</th>
					<th>Summary</th>
			</tr>
	</thead>
	<tbody>
			<tr>
					<td>Service BGP-free core</td>
					<td>Out of the box</td>
					<td>Requires MPLS and /30–/32 MPLS label allocation</td>
					<td>VRF is better. Less effort required.</td>
			</tr>
			<tr>
					<td>Prefix visibility at the PE</td>
					<td>Unique RD per PE, or BGP <a href="https://tools.ietf.org/html/rfc7911">ADD-PATH</a> for VPNv4 and/or VPNv6 (rarely supported by vendors)</td>
					<td>BGP <a href="https://tools.ietf.org/html/rfc7911">ADD-PATH</a>, or BGP RR <a href="https://tools.ietf.org/html/draft-ietf-idr-bgp-optimal-route-reflection-19">Optimal Route Reflection</a> or BGP Full-Mesh/Partial Mesh</td>
					<td>VRF is slightly better. Unique RD works out of the box; GRT needs ADD-PATH or ORR.</td>
			</tr>
			<tr>
					<td>Optimal path selection regardless of RR hierarchy</td>
					<td>Unique RD per PE, or BGP <a href="https://tools.ietf.org/html/rfc7911">ADD-PATH</a> for VPNv4 and/or VPNv6 (rarely supported by vendors)</td>
					<td>BGP <a href="https://tools.ietf.org/html/rfc7911">ADD-PATH</a>, or BGP RR <a href="https://tools.ietf.org/html/draft-ietf-idr-bgp-optimal-route-reflection-19">Optimal Route Reflection</a> or BGP Full-Mesh/Partial Mesh</td>
					<td>VRF is slightly better. Unique RD works out of the box (higher RIB cost); GRT needs ADD-PATH or ORR. ORR works on both and avoids the RIB cost.</td>
			</tr>
			<tr>
					<td><a href="https://tools.ietf.org/html/rfc3345">Route oscillation</a> issue</td>
					<td>Unique RD per PE</td>
					<td>BGP <a href="https://tools.ietf.org/html/rfc7911">ADD-PATH</a> together with <a href="https://tools.ietf.org/html/rfc7964#section-4">Advertise the Group Best Paths</a></td>
					<td>VRF is better. No additional features required.</td>
			</tr>
			<tr>
					<td>Flexible, simple way to distinguish End-users, Transit, IXPs and Others</td>
					<td>Built in via RT import/export policy</td>
					<td>Not available</td>
					<td>VRF is better.</td>
			</tr>
			<tr>
					<td>Selective / partial prefix advertisement (full view / local / IXP)</td>
					<td>Built in via RT import/export policy and BGP communities</td>
					<td>BGP-ORF (prefix-list or BGP community, Nokia only), or complex BGP community policies</td>
					<td>VRF is better. RT and communities give a simple, flexible way to advertise routes partially; GRT needs BGP-ORF (significant configuration overhead) or complex community policies.</td>
			</tr>
			<tr>
					<td>Traffic diversion for DDoS mitigation</td>
					<td>Easy to divert traffic via RD and RT manipulation. BGP Flowspec is also an option.</td>
					<td>Requires BGP Flowspec and other techniques using protocols such as BGP-LU</td>
					<td>It depends. Traffic diversion by RT is less granular than BGP Flowspec.</td>
			</tr>
			<tr>
					<td>Customer isolation</td>
					<td>Built in</td>
					<td>Possible via ACLs or complex DCU/SCU policies</td>
					<td>VRF is better. GRT requires ACLs or complex DCU/SCU policies to achieve the same isolation.</td>
			</tr>
			<tr>
					<td>Egress prefix filtering per BGP peer</td>
					<td>RTC/RTF. Filtering can be performed on the RR.</td>
					<td>BGP-ORF based on prefix-list policy on each PE</td>
					<td>RTC/RTF is the better approach, but the PE must support the relevant BGP AFI/SAFI.</td>
			</tr>
			<tr>
					<td>Low-spec PE: default route + partial full view</td>
					<td>RTC/RTF and different RTs</td>
					<td>BGP-ORF based on prefix-list on each PE</td>
					<td>VRF is better. BGP-ORF introduces significant configuration overhead.</td>
			</tr>
			<tr>
					<td>Strong demarcation between ISP infrastructure and public Internet service</td>
					<td>Clear separation — infrastructure stays in GRT, Internet service lives in its own VRF</td>
					<td>Usually mixes infrastructure and Internet service routes in the same table</td>
					<td>VRF is better. Clean, built-in separation of infrastructure from service.</td>
			</tr>
			<tr>
					<td>Building virtual topologies</td>
					<td>Built in — RT import/export shapes per-service topologies without touching the physical/BGP topology</td>
					<td>Requires adjusting the BGP topology or applying complex filtering</td>
					<td>VRF is better. RT makes virtual topologies simple and decoupled from the underlay.</td>
			</tr>
			<tr>
					<td>IPv6 Internet</td>
					<td>6VPE (VPNv6 AFI/SAFI). Simple.</td>
					<td>6PE (complex BGP-LU configuration) and an additional label in the MPLS stack</td>
					<td>VRF is better. It provides a unified approach for both IPv4 and IPv6.</td>
			</tr>
			<tr>
					<td>Network fast convergence (data plane)</td>
					<td>BGP PIC Edge works only if the entire ASBR goes down. If only the link to the peer fails, there is no mass-withdrawal trigger, so the ASBR may form a forwarding loop until BGP fully converges.</td>
					<td>BGP-LU can create /32 routes to the eBGP next hop, providing a trigger to invalidate all routes from that peer (combined with BGP PIC Edge / <a href="https://tools.ietf.org/html/rfc7911">ADD-PATH</a> and BGP FRR). Fast reroute works for both link and node failure.</td>
					<td>GRT is better. In VRF, fast convergence is limited to full-ASBR failure; partial (link) failures risk transient forwarding loops until BGP converges.</td>
			</tr>
			<tr>
					<td>Next-hop resolution</td>
					<td>More controlled NH resolution via auxiliary tables / tunnel-RIBs</td>
					<td>Resolution may be confused by an IP routing table populated by multiple protocols; no unified way to control which routes are eligible for eBGP NH resolution</td>
					<td>VRF is better. It provides a cleaner, more deterministic NH resolution process.</td>
			</tr>
			<tr>
					<td>BGP convergence (time and triggering events)</td>
					<td>Driven by BGP events only (may not be fast enough); RTC/RTF affects convergence time</td>
					<td>Driven by BGP and IGP events (if the next-hop is propagated via IGP); since GRT is a single shared table, BGP-LU can also trigger convergence for IPv4/IPv6 unicast. BGP-ORF can affect convergence time.</td>
					<td>GRT is slightly better. It triggers convergence on port-down / eBGP-down; VRF relies on BGP events only.</td>
			</tr>
	</tbody>
</table>
<h2 id="current-vendor-implementation-status-may-change-over-time">Current vendor implementation status (may change over time)</h2>
<table>
	<thead>
			<tr>
					<th>Property/Issue</th>
					<th>Internet in VRF</th>
					<th>Internet in GRT</th>
					<th>Summary</th>
			</tr>
	</thead>
	<tbody>
			<tr>
					<td>RIB consumption</td>
					<td>+8%, plus <a href="https://blog.ipspace.net/2012/07/is-it-safe-to-run-internet-in-vrf.html">~80% per full-view VRF</a>; actual overhead is vendor-specific</td>
					<td>No extra RIB memory consumption</td>
					<td>GRT is better. Extra RIB consumption in VRF is vendor-dependent.</td>
			</tr>
			<tr>
					<td>FIB consumption</td>
					<td>Some vendors may (or may not) need extra FIB space to store VRF entries</td>
					<td>No extra FIB space needed</td>
					<td>GRT is better. No extra FIB resource consumption.</td>
			</tr>
			<tr>
					<td>BGP security features</td>
					<td>BGP RPKI, BGP Flowspec and other BGP security features may not be available in VRF</td>
					<td>Most BGP security features work in GRT</td>
					<td>Currently GRT is better. BGP security features are ~99% implemented in GRT.</td>
			</tr>
			<tr>
					<td>Security feature maturity</td>
					<td>Some security features may not work in VRF, as most vendors focus their implementation on Internet in GRT</td>
					<td>Security features are typically implemented and validated in GRT first</td>
					<td>GRT is better. Vendor focus on GRT means more mature, better-tested security features.</td>
			</tr>
			<tr>
					<td>Monitoring and telemetry (BMP, streaming telemetry)</td>
					<td>BMP streaming and streaming telemetry may have limited support for VRF</td>
					<td>Full support for BMP and streaming telemetry</td>
					<td>GRT is better. VRF monitoring/telemetry support may be limited or vendor-dependent.</td>
			</tr>
			<tr>
					<td>Looking Glass tooling</td>
					<td>Open-source Looking Glasses use GRT by default; VRF support may require customization</td>
					<td>Works out of the box</td>
					<td>GRT is better. VRF needs extra tooling customization.</td>
			</tr>
			<tr>
					<td>Traffic diversion (BGP Flowspec for VRF)</td>
					<td>BGP Flowspec for VRF may not be supported by some vendors</td>
					<td>Supported</td>
					<td>GRT is better today, where Flowspec for VRF is unavailable.</td>
			</tr>
			<tr>
					<td>VPNv4 over IPv6 next hop (<a href="https://datatracker.ietf.org/doc/html/rfc8950">RFC 8950</a>)</td>
					<td>Support is patchy across vendors, so an IPv6-only core under the VRF can be hard to pull off</td>
					<td>Same idea for plain IPv4, and far more widely supported</td>
					<td>GRT is the safer bet today.</td>
			</tr>
			<tr>
					<td>BGP feature set</td>
					<td>Vendors may offer a limited BGP feature set in VRF</td>
					<td>Most BGP features work in GRT</td>
					<td>Currently GRT is better.</td>
			</tr>
			<tr>
					<td>MPLS label allocation</td>
					<td>Per prefix — not enough MPLS labels; per NH/CE — label count depends on NH/CE count; per PE in VRF — an additional IP lookup is needed on the PE</td>
					<td>Per prefix — not enough MPLS labels; per NH/interface — label count depends on the number of NHs/interfaces</td>
					<td>Platform-dependent. Different vendors use different approaches. Per-NH/CE MPLS label allocation works well for both options.</td>
			</tr>
	</tbody>
</table>
<blockquote>
<p><strong>Note:</strong> BGP ADD-PATH increases RIB consumption for both options (VRF and GRT), since each PE holds multiple paths per prefix instead of one.</p>
</blockquote>
<h2 id="glossary">Glossary</h2>
<table>
	<thead>
			<tr>
					<th>Term</th>
					<th>Meaning</th>
			</tr>
	</thead>
	<tbody>
			<tr>
					<td><strong>VRF</strong></td>
					<td>Virtual Routing and Forwarding — an independent routing/forwarding instance on a router</td>
			</tr>
			<tr>
					<td><strong>GRT</strong></td>
					<td>Global Routing Table — the router&rsquo;s default (non-VRF) routing table</td>
			</tr>
			<tr>
					<td><strong>BGP</strong></td>
					<td>Border Gateway Protocol — the routing protocol used between autonomous systems</td>
			</tr>
			<tr>
					<td><strong>PE</strong></td>
					<td>Provider Edge — the SP router that connects to customers/peers</td>
			</tr>
			<tr>
					<td><strong>CE</strong></td>
					<td>Customer Edge — the customer router facing the PE</td>
			</tr>
			<tr>
					<td><strong>RR</strong></td>
					<td>Route Reflector — a BGP router that re-advertises routes to avoid full iBGP mesh</td>
			</tr>
			<tr>
					<td><strong>RD</strong></td>
					<td>Route Distinguisher — value prepended to a prefix to make VPN routes unique</td>
			</tr>
			<tr>
					<td><strong>RT</strong></td>
					<td>Route Target — BGP extended community controlling VPN route import/export</td>
			</tr>
			<tr>
					<td><strong>RTC / RTF</strong></td>
					<td>Route Target Constraint / Filtering — limits VPN routes sent to a PE to only those it needs</td>
			</tr>
			<tr>
					<td><strong>RIB</strong></td>
					<td>Routing Information Base — the control-plane routing table</td>
			</tr>
			<tr>
					<td><strong>FIB</strong></td>
					<td>Forwarding Information Base — the data-plane (hardware) forwarding table</td>
			</tr>
			<tr>
					<td><strong>MPLS</strong></td>
					<td>Multiprotocol Label Switching — label-based forwarding in the core</td>
			</tr>
			<tr>
					<td><strong>BGP-LU</strong></td>
					<td>BGP Labeled Unicast — distributes MPLS labels with IPv4/IPv6 prefixes via BGP</td>
			</tr>
			<tr>
					<td><strong>NH</strong></td>
					<td>Next Hop — the next router toward a destination</td>
			</tr>
			<tr>
					<td><strong>ASBR</strong></td>
					<td>Autonomous System Boundary Router — the router peering with another AS (eBGP edge)</td>
			</tr>
			<tr>
					<td><strong>ADD-PATH</strong></td>
					<td>BGP extension allowing advertisement of multiple paths for the same prefix (<a href="https://tools.ietf.org/html/rfc7911">RFC 7911</a>)</td>
			</tr>
			<tr>
					<td><strong>ORR</strong></td>
					<td>BGP Optimal Route Reflection — lets an RR pick the best path from a client&rsquo;s perspective</td>
			</tr>
			<tr>
					<td><strong>BGP-ORF</strong></td>
					<td>BGP Outbound Route Filtering — a peer signals which prefixes it wants to receive</td>
			</tr>
			<tr>
					<td><strong>Flowspec</strong></td>
					<td>BGP Flow Specification — distributes traffic-filtering/diversion rules via BGP</td>
			</tr>
			<tr>
					<td><strong>RPKI</strong></td>
					<td>Resource Public Key Infrastructure — cryptographic validation of route origin</td>
			</tr>
			<tr>
					<td><strong>BMP</strong></td>
					<td>BGP Monitoring Protocol — streams BGP RIB state and updates to a monitoring station</td>
			</tr>
			<tr>
					<td><strong>PIC</strong></td>
					<td>Prefix Independent Convergence — fast reroute scheme (PIC Core / PIC Edge)</td>
			</tr>
			<tr>
					<td><strong>FRR</strong></td>
					<td>Fast Reroute — pre-computed backup paths for sub-second failover</td>
			</tr>
			<tr>
					<td><strong>AFI / SAFI</strong></td>
					<td>Address Family Identifier / Subsequent AFI — defines the address type a BGP session carries</td>
			</tr>
			<tr>
					<td><strong>VPNv4 / VPNv6</strong></td>
					<td>BGP address families carrying IPv4/IPv6 VPN (RD-qualified) routes</td>
			</tr>
			<tr>
					<td><strong>6PE / 6VPE</strong></td>
					<td>IPv6 over MPLS in the GRT (6PE) / in a VRF (6VPE)</td>
			</tr>
			<tr>
					<td><strong>IXP</strong></td>
					<td>Internet Exchange Point — shared peering fabric between networks</td>
			</tr>
			<tr>
					<td><strong>IGP</strong></td>
					<td>Interior Gateway Protocol — intra-AS routing protocol (e.g. OSPF, IS-IS)</td>
			</tr>
			<tr>
					<td><strong>DDoS</strong></td>
					<td>Distributed Denial of Service — attack flooding a target with traffic</td>
			</tr>
			<tr>
					<td><strong>ACL</strong></td>
					<td>Access Control List — packet filter matching on header fields</td>
			</tr>
			<tr>
					<td><strong>DCU / SCU</strong></td>
					<td>Destination / Source Class Usage — Juniper feature classifying traffic by destination/source prefix for filtering and accounting</td>
			</tr>
			<tr>
					<td><strong>NLRI</strong></td>
					<td>Network Layer Reachability Information — the prefix(es) carried in a BGP update</td>
			</tr>
			<tr>
					<td><strong>Full view</strong></td>
					<td>The complete Internet BGP routing table</td>
			</tr>
	</tbody>
</table>
<h2 id="further-reading">Further reading</h2>
<ul>
<li><a href="https://xrdocs.io/design/blogs/latest-peering-fabric-hld#security">Peering Fabric Design → Peering and Internet in a VRF</a></li>
<li><a href="https://seclists.org/nanog/2013/Mar/154">Internet routing table in a VRF</a></li>
<li><a href="https://www.reddit.com/r/networking/comments/5j8vg8/service_provider_network_architecture_internet_in/">Service Provider Network Architecture - Internet in a VRF</a></li>
</ul>
<h2 id="references">References</h2>
<ol>
<li><a href="https://tools.ietf.org/html/rfc7911">Advertisement of Multiple Paths in BGP</a></li>
<li><a href="https://tools.ietf.org/html/draft-ietf-idr-bgp-optimal-route-reflection-19">BGP Optimal Route Reflection</a></li>
<li><a href="https://tools.ietf.org/html/rfc3345">Border Gateway Protocol Persistent Route Oscillation Condition</a></li>
<li><a href="https://tools.ietf.org/html/rfc7964#section-4">Advertise the Group Best Paths</a></li>
<li><a href="https://www.youtube.com/watch?v=jGnVcCQUCdk">Internet Traffic 2009 2019</a></li>
<li><a href="https://blog.ipspace.net/2012/07/is-it-safe-to-run-internet-in-vrf.html">Is it safe to run Internet in a VRF?</a></li>
<li><a href="https://datatracker.ietf.org/doc/html/rfc8950">RFC 8950 - Advertising IPv4 NLRI with an IPv6 Next Hop</a></li>
</ol>
]]></content:encoded></item></channel></rss>