One of my readers sent me interesting feedback after reading my explanation of why I’d try not to use OSPF as a routing protocol between hosts and ToR switches. He said:

Unfortunately we can’t use BGP because IBM mainframes support only OSPF or RIP, so we decided to use VRFs instead.

Here’s what they did:

They run data center network infrastructure in global routing table and all customer services in VRFs;

The mainframe is in a separate VRF;

ToR switches run OSPF with the mainframe and advertise a default route to the mainframe;

Routes collected in the mainframe VRF are imported into other VRFs (alternative: exported with proper route targets) using strict prefix lists and route maps.

End result:

Misconfigured OSPF routing on the mainframe doesn’t impact any other device in the network (apart from CPU on ToR switches);

Even if the mainframe becomes a transit router, no traffic ever passes through it (because the transit routes are not leaked into other VRFs);

Whatever routes the mainframe announces are irrelevant to anyone else – they get installed into the mainframe VRF and only the expected subset is leaked into other VRFs.

You would get similar results by running a separate OSPF process with the mainframe and redistributing routes from that process into the core routing protocol (be it BGP or OSPF), but as you’d be using a single routing table, the incorrect prefixes advertised by the mainframe could still impact packet forwarding for all devices connected to the ToR switch (unless, of course, the ToR switch supports filtering between the OSPF SPF results and the RIB/FIB, as Cisco IOS does with the distance 255 command).
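Here is what the design described above looks like on a ToR switch, as an added Cisco IOS-style configuration example (constructed for this post, not the reader’s actual configuration). The VRF names, RDs, route targets, VLAN and prefixes are assumptions; the point is that the mainframe’s OSPF process lives entirely inside its VRF, and only the prefixes matching the prefix list get the route target that customer VRFs import.

```cisco
! Constructed example (not from the original post): Cisco IOS-style ToR
! configuration isolating the mainframe in its own VRF. All names, RDs,
! route targets, VLAN and prefixes are assumptions.
!
! Prefixes the mainframe is allowed to announce to the rest of the network.
! Everything else it advertises stays inside the MAINFRAME VRF.
ip prefix-list MAINFRAME-SERVICES seq 10 permit 10.200.0.0/24
!
! Tag only the expected prefixes with the shared route target that
! customer VRFs import; unmatched routes get no extra RT and are not leaked.
route-map MAINFRAME-EXPORT permit 10
 match ip address prefix-list MAINFRAME-SERVICES
 set extcommunity rt 65000:999 additive
!
vrf definition MAINFRAME
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
  export map MAINFRAME-EXPORT
 exit-address-family
!
vrf definition CUSTOMER-A
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  route-target import 65000:200
  route-target import 65000:999
 exit-address-family
!
! OSPF runs only inside the MAINFRAME VRF and originates a default route
! toward the mainframe; its LSDB never touches the global routing table.
interface Vlan100
 vrf forwarding MAINFRAME
 ip address 10.200.255.1 255.255.255.0
 ip ospf 100 area 0
!
router ospf 100 vrf MAINFRAME
 passive-interface default
 no passive-interface Vlan100
 default-information originate always
!
! BGP carries the VRF routes and applies the route targets; the mainframe's
! OSPF routes enter BGP here and only the tagged subset leaks to CUSTOMER-A.
router bgp 65000
 address-family ipv4 vrf MAINFRAME
  redistribute ospf 100 match internal external 1 external 2
 exit-address-family
```

Verify the isolation with `show ip route vrf CUSTOMER-A` after the mainframe announces an unexpected prefix: it should appear in `show ip route vrf MAINFRAME` only.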

Interested in this solution but having no idea what I’m talking about or where to start? Watch the Enterprise MPLS/VPN webinar; I’m also available for short consulting sessions (that you can now bundle with the subscription to make it easier to get an approval from your boss).