A comparison of running the Internet in a VRF versus the Global Routing Table (GRT).

The comparison is split into two tables. The first covers core distinctions rooted in protocol behavior and network design — these are largely inherent to each approach, though new RFCs and mechanisms (for example, a mass-withdrawal mechanism for L3VPN) could shift some of them over time. The second covers current vendor implementation status — feature support that is vendor- and platform-dependent and may improve over time.

Core distinctions (protocol and network design)

Property/IssueInternet in VRFInternet in GRTSummary
Service BGP-free coreOut of the boxRequires MPLS and /30–/32 MPLS label allocationVRF is better. Less effort required.
Prefix visibility at the PEUnique RD per PE, or BGP ADD-PATH for VPNv4 and/or VPNv6 (rarely supported by vendors)BGP ADD-PATH, or BGP RR Optimal Route Reflection or BGP Full-Mesh/Partial MeshVRF is slightly better. Unique RD works out of the box; GRT needs ADD-PATH or ORR.
Optimal path selection regardless of RR hierarchyUnique RD per PE, or BGP ADD-PATH for VPNv4 and/or VPNv6 (rarely supported by vendors)BGP ADD-PATH, or BGP RR Optimal Route Reflection or BGP Full-Mesh/Partial MeshVRF is slightly better. Unique RD works out of the box (higher RIB cost); GRT needs ADD-PATH or ORR. ORR works on both and avoids the RIB cost.
Route oscillation issueUnique RD per PEBGP ADD-PATH together with Advertise the Group Best PathsVRF is better. No additional features required.
Flexible, simple way to distinguish End-users, Transit, IXPs and OthersBuilt in via RT import/export policyNot availableVRF is better.
Selective / partial prefix advertisement (full view / local / IXP)Built in via RT import/export policy and BGP communitiesBGP-ORF (prefix-list or BGP community, Nokia only), or complex BGP community policiesVRF is better. RT and communities give a simple, flexible way to advertise routes partially; GRT needs BGP-ORF (significant configuration overhead) or complex community policies.
Traffic diversion for DDoS mitigationEasy to divert traffic via RD and RT manipulation. BGP Flowspec is also an option.Requires BGP Flowspec and other techniques using protocols such as BGP-LUIt depends. Traffic diversion by RT is less granular than BGP Flowspec.
Customer isolationBuilt inPossible via ACLs or complex DCU/SCU policiesVRF is better. GRT requires ACLs or complex DCU/SCU policies to achieve the same isolation.
Egress prefix filtering per BGP peerRTC/RTF. Filtering can be performed on the RR.BGP-ORF based on prefix-list policy on each PERTC/RTF is the better approach, but the PE must support the relevant BGP AFI/SAFI.
Low-spec PE: default route + partial full viewRTC/RTF and different RTsBGP-ORF based on prefix-list on each PEVRF is better. BGP-ORF introduces significant configuration overhead.
Strong demarcation between ISP infrastructure and public Internet serviceClear separation — infrastructure stays in GRT, Internet service lives in its own VRFUsually mixes infrastructure and Internet service routes in the same tableVRF is better. Clean, built-in separation of infrastructure from service.
Building virtual topologiesBuilt in — RT import/export shapes per-service topologies without touching the physical/BGP topologyRequires adjusting the BGP topology or applying complex filteringVRF is better. RT makes virtual topologies simple and decoupled from the underlay.
IPv6 Internet6VPE (VPNv6 AFI/SAFI). Simple.6PE (complex BGP-LU configuration) and an additional label in the MPLS stackVRF is better. It provides a unified approach for both IPv4 and IPv6.
Network fast convergence (data plane)BGP PIC Edge works only if the entire ASBR goes down. If only the link to the peer fails, there is no mass-withdrawal trigger, so the ASBR may form a forwarding loop until BGP fully converges.BGP-LU can create /32 routes to the eBGP next hop, providing a trigger to invalidate all routes from that peer (combined with BGP PIC Edge / ADD-PATH and BGP FRR). Fast reroute works for both link and node failure.GRT is better. In VRF, fast convergence is limited to full-ASBR failure; partial (link) failures risk transient forwarding loops until BGP converges.
Next-hop resolutionMore controlled NH resolution via auxiliary tables / tunnel-RIBsResolution may be confused by an IP routing table populated by multiple protocols; no unified way to control which routes are eligible for eBGP NH resolutionVRF is better. It provides a cleaner, more deterministic NH resolution process.
BGP convergence (time and triggering events)Driven by BGP events only (may not be fast enough); RTC/RTF affects convergence timeDriven by BGP and IGP events (if the next-hop is propagated via IGP); since GRT is a single shared table, BGP-LU can also trigger convergence for IPv4/IPv6 unicast. BGP-ORF can affect convergence time.GRT is slightly better. It triggers convergence on port-down / eBGP-down; VRF relies on BGP events only.

Current vendor implementation status (may change over time)

Property/IssueInternet in VRFInternet in GRTSummary
RIB consumption+8%, plus ~80% per full-view VRF; actual overhead is vendor-specificNo extra RIB memory consumptionGRT is better. Extra RIB consumption in VRF is vendor-dependent.
FIB consumptionSome vendors may (or may not) need extra FIB space to store VRF entriesNo extra FIB space neededGRT is better. No extra FIB resource consumption.
BGP security featuresBGP RPKI, BGP Flowspec and other BGP security features may not be available in VRFMost BGP security features work in GRTCurrently GRT is better. BGP security features are ~99% implemented in GRT.
Security feature maturitySome security features may not work in VRF, as most vendors focus their implementation on Internet in GRTSecurity features are typically implemented and validated in GRT firstGRT is better. Vendor focus on GRT means more mature, better-tested security features.
Monitoring and telemetry (BMP, streaming telemetry)BMP streaming and streaming telemetry may have limited support for VRFFull support for BMP and streaming telemetryGRT is better. VRF monitoring/telemetry support may be limited or vendor-dependent.
Looking Glass toolingOpen-source Looking Glasses use GRT by default; VRF support may require customizationWorks out of the boxGRT is better. VRF needs extra tooling customization.
Traffic diversion (BGP Flowspec for VRF)BGP Flowspec for VRF may not be supported by some vendorsSupportedGRT is better today, where Flowspec for VRF is unavailable.
VPNv4 over IPv6 next hop (RFC 8950)Support is patchy across vendors, so an IPv6-only core under the VRF can be hard to pull offSame idea for plain IPv4, and far more widely supportedGRT is the safer bet today.
BGP feature setVendors may offer a limited BGP feature set in VRFMost BGP features work in GRTCurrently GRT is better.
MPLS label allocationPer prefix — not enough MPLS labels; per NH/CE — label count depends on NH/CE count; per PE in VRF — an additional IP lookup is needed on the PEPer prefix — not enough MPLS labels; per NH/interface — label count depends on the number of NHs/interfacesPlatform-dependent. Different vendors use different approaches. Per-NH/CE MPLS label allocation works well for both options.

Note: BGP ADD-PATH increases RIB consumption for both options (VRF and GRT), since each PE holds multiple paths per prefix instead of one.

Glossary

TermMeaning
VRFVirtual Routing and Forwarding — an independent routing/forwarding instance on a router
GRTGlobal Routing Table — the router’s default (non-VRF) routing table
BGPBorder Gateway Protocol — the routing protocol used between autonomous systems
PEProvider Edge — the SP router that connects to customers/peers
CECustomer Edge — the customer router facing the PE
RRRoute Reflector — a BGP router that re-advertises routes to avoid full iBGP mesh
RDRoute Distinguisher — value prepended to a prefix to make VPN routes unique
RTRoute Target — BGP extended community controlling VPN route import/export
RTC / RTFRoute Target Constraint / Filtering — limits VPN routes sent to a PE to only those it needs
RIBRouting Information Base — the control-plane routing table
FIBForwarding Information Base — the data-plane (hardware) forwarding table
MPLSMultiprotocol Label Switching — label-based forwarding in the core
BGP-LUBGP Labeled Unicast — distributes MPLS labels with IPv4/IPv6 prefixes via BGP
NHNext Hop — the next router toward a destination
ASBRAutonomous System Boundary Router — the router peering with another AS (eBGP edge)
ADD-PATHBGP extension allowing advertisement of multiple paths for the same prefix (RFC 7911)
ORRBGP Optimal Route Reflection — lets an RR pick the best path from a client’s perspective
BGP-ORFBGP Outbound Route Filtering — a peer signals which prefixes it wants to receive
FlowspecBGP Flow Specification — distributes traffic-filtering/diversion rules via BGP
RPKIResource Public Key Infrastructure — cryptographic validation of route origin
BMPBGP Monitoring Protocol — streams BGP RIB state and updates to a monitoring station
PICPrefix Independent Convergence — fast reroute scheme (PIC Core / PIC Edge)
FRRFast Reroute — pre-computed backup paths for sub-second failover
AFI / SAFIAddress Family Identifier / Subsequent AFI — defines the address type a BGP session carries
VPNv4 / VPNv6BGP address families carrying IPv4/IPv6 VPN (RD-qualified) routes
6PE / 6VPEIPv6 over MPLS in the GRT (6PE) / in a VRF (6VPE)
IXPInternet Exchange Point — shared peering fabric between networks
IGPInterior Gateway Protocol — intra-AS routing protocol (e.g. OSPF, IS-IS)
DDoSDistributed Denial of Service — attack flooding a target with traffic
ACLAccess Control List — packet filter matching on header fields
DCU / SCUDestination / Source Class Usage — Juniper feature classifying traffic by destination/source prefix for filtering and accounting
NLRINetwork Layer Reachability Information — the prefix(es) carried in a BGP update
Full viewThe complete Internet BGP routing table

Further reading

References

  1. Advertisement of Multiple Paths in BGP
  2. BGP Optimal Route Reflection
  3. Border Gateway Protocol Persistent Route Oscillation Condition
  4. Advertise the Group Best Paths
  5. Internet Traffic 2009 2019
  6. Is it safe to run Internet in a VRF?
  7. RFC 8950 - Advertising IPv4 NLRI with an IPv6 Next Hop