For several years I’ve been using VRFs for all management functions. This greatly improves security, since all management functions can be locked down to a certain interface, and also recoverability in the event of routing problems. The downside I keep finding is that certain things either don’t work or require special workarounds. Case in point: DNS resolution.
Per Cisco, VRF-aware DNS functionality has been supported for quite a while. However, I’m completely stumped on how to actually use it. Sample config on a 2921 router running IOS 15.5(3)M4:
! management VRF
ip vrf Mgmt-intf
 rd 12345:123
!
! resolver settings, scoped to the management VRF
ip domain-lookup
ip domain list vrf Mgmt-intf mydomain.com
ip name-server vrf Mgmt-intf 10.20.30.40
!
! management sub-interface placed in the VRF
interface Port-channel1.123
 encapsulation dot1Q 123
 ip vrf forwarding Mgmt-intf
 ip address 10.20.30.100 255.255.255.0
!
! source lookups from the VRF interface
ip domain-lookup vrf Mgmt-intf source-interface po1.123
Still no joy. Really seems there was a goof here in enabling this feature. I’ll complain to Cisco and hopefully it will be fixed by the time I die.
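As an added example (not part of the original post), here is the same setup written out the way I would lay it down on IOS 15.x, together with the VRF-scoped exec commands I would use to test it. The VRF name, interface and addresses come from the post; the hostname mgmt-host.mydomain.com is made up for illustration. The point worth checking before blaming the feature: a lookup is only sent to the VRF's name-server when the exec command itself is VRF-scoped, so a bare `ping hostname` resolves in the global table (which has no name-server in this config) and fails.

```cisco
! Added example, not from the original post. VRF, interface and
! addresses follow the post; the hostname is assumed for illustration.
ip vrf Mgmt-intf
 rd 12345:123
!
interface Port-channel1.123
 encapsulation dot1Q 123
 ip vrf forwarding Mgmt-intf
 ip address 10.20.30.100 255.255.255.0
!
! Resolver settings scoped to the management VRF. The unhyphenated
! "ip domain lookup" is the current form; "ip domain-lookup" is the
! legacy alias and is accepted as well.
ip domain lookup vrf Mgmt-intf source-interface Port-channel1.123
ip domain name vrf Mgmt-intf mydomain.com
ip domain list vrf Mgmt-intf mydomain.com
ip name-server vrf Mgmt-intf 10.20.30.40
!
! Testing. These are exec-mode commands, shown here as comments.
! The VRF's name-server is only consulted when the command is
! VRF-scoped; "ping mgmt-host.mydomain.com" on its own uses the
! global table and will not resolve with this configuration.
!   ping vrf Mgmt-intf mgmt-host.mydomain.com
!   telnet mgmt-host.mydomain.com /vrf Mgmt-intf
!   show hosts vrf Mgmt-intf
!   debug domain
```

If `ping vrf Mgmt-intf hostname` resolves while plain `ping hostname` does not, the feature is working as designed and the fix is to VRF-scope the commands (or the client, e.g. `ntp server ... vrf Mgmt-intf`), not the resolver. If neither resolves, `debug domain` shows whether the query is leaving the VRF interface at all.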