If full Internet routes are available on the PE-router, then it's also possible to perform an additional lookup in the global routing table if a destination prefix is not available within the local VRF. The consequence of this is that a default route cannot be present within the VRF. However, with this feature, there is not necessarily the need for a default route within the PE configuration or for the association of the global routing table with a VRF. An example of this type of connectivity is shown in Figure 12-31.
Figure 12-31 shows that any traffic sent toward the SuperCom San Jose PE-router will be initially routed based on the content of the VRF that is associated with the attached customer. If this lookup fails, then an additional lookup will be performed within the global routing table of the PE-router.
Additional lookup can present a security risk in an MPLS/VPN network. For example, the packet sent from the San Jose FastFoods site toward the Lyon FastFoods site might escape into the global Internet if the Lyon FastFoods site is not reachable in the FastFoods VRF (for example, because of link failure between Paris and Lyon). In the worst case, the packets will be propagated beyond the boundaries of the SuperCom network and can be intercepted by an intruder beyond the domain of the SuperCom network. The same issue also exists when using a static global default. This is a general issue that should be fully understood if default routing or additional lookup is to be deployed.
This feature can be enabled through use of the ip vrf forwarding name [fallback global] configuration command.