VRFs – Basic concepts
This entry was posted in Cisco, Design, IOS on 26 October 2013 by admin.
A basic understanding of VRFs is necessary before moving on to ISP services like MPLS VPNs. VRFs are also used where BGP and MPLS are not involved at all; that method is called VRF-Lite.

What is a VRF?
VRF stands for Virtual Routing and Forwarding. The goal of a VRF is to build a separate routing table that is independent of the main one. VRFs are the same kind of network isolation/virtualization mechanism as VLANs: VLANs work at Layer 2, VRFs are a Layer 3 tool. The feature goes by different names across vendors, and sometimes within the same vendor: Cisco calls it a VRF, Huawei/HP/H3C call it a VPN instance, and Juniper usually talks about routing instances. In every case the concept is the same: we want another routing table that is independent from the main one and from every other virtual routing table. Ultimately, VRFs are what you use to virtualise an L3 network, very much like this: (diagram not reproduced here)

There are two main implementation modes: the first one is called VRF-Lite, the second one is used for MPLS VPN technologies. VRF-Lite is the process of linking a VLAN to a VRF; it is most commonly used on L3 switches, where the SVI of the VLAN is what gets routed. In that case we simply move the SVIs into the VRFs they should belong to. It is represented like this: (diagram not reproduced here)

For more advanced scenarios, most L3 protocols are "VRF aware": they can run inside a VRF, and then only for that one VRF.
Scenario
Here we just want to simulate the basic usage of VRFs. Let's say the network is divided into departments with strong security concerns: they do not want to be able to see each other, and they have colliding IP address space. Here is the topology: (diagram not reproduced here)

First we'll do the basic addressing on R1 and R2; their VRFs on R3 will be named VRF_R1 and VRF_R2. Then we'll create the two VRFs on R3, with each interface tied to the corresponding VRF.
On R1,

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
end
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
end
On R2,

interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
end
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
end
Now it's time to configure R3. As you already know, two Layer 3 interfaces of a router cannot normally be addressed in the same IP subnet. With VRFs this restriction does not apply, because each VRF is its own address space. So first we create the VRFs. A VRF is identified by a name; in some IOS implementations you also need to define an RD, a Route Distinguisher (we will see more on this with MPLS VPN). On R3,
ip vrf VRF_R1
 rd 1:1
!
ip vrf VRF_R2
 rd 2:2
This is how VRFs are created. We can use show ip route vrf VRF_NAME to display the routing table of a given VRF:

R3#show ip route vrf VRF_R1

Routing Table: VRF_R1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

Now we need to move interfaces into the VRFs. Any L3 configuration done on an interface then only affects the VRF it belongs to. Most interface types can be moved into a VRF (Ethernet, Loopback, Tunnel, ...). Note that on IOS, ip vrf forwarding removes any IP address already configured on the interface, so bind the VRF first and address the interface afterwards. On R3,
interface FastEthernet0/0
 ip vrf forwarding VRF_R1
 no ip address
 no shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip vrf forwarding VRF_R2
 no ip address
 no shutdown
 duplex auto
 speed auto
Now we can do the L3 configuration on these interfaces, and it does not matter that the addresses overlap. On R3,
interface FastEthernet0/0
 ip vrf forwarding VRF_R1
 ip address 192.168.1.3 255.255.255.0
 no shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip vrf forwarding VRF_R2
 ip address 192.168.1.3 255.255.255.0
 no shutdown
 duplex auto
 speed auto
Now if we check the routing table of each VRF, we see the same connected network in each one; look at the interface it is learnt from:

R3#show ip route vrf VRF_R1

Routing Table: VRF_R1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0

R3#show ip route vrf VRF_R2

Routing Table: VRF_R2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/1

Each department is able to ping R3:

R1#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/25/32 ms

R2#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/25/36 ms
To ping from R3 to R1 or R2, we have to say which VRF we are in:

R3#ping vrf VRF_R1 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/20/28 ms

R3#ping vrf VRF_R2 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/29/36 ms

To route inside a VRF, you need to specify the VRF in which the L3 information is added. To test this, we create a route on R3 to reach the loopback of R1 and of R2 from within their respective VRFs:

R3(config)#ip route vrf VRF_R1 1.1.1.1 255.255.255.255 192.168.1.1
R3(config)#ip route vrf VRF_R2 2.2.2.2 255.255.255.255 192.168.1.2

R3#ping vrf VRF_R1 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/44 ms

R3#ping vrf VRF_R2 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/30/44 ms

So, for everything you want to do inside a VRF, you need to specify the VRF you want to work in. Now let's push the scenario a little further. What if the network 1.1.1.0/24 on R1 and the network 2.2.2.0/24 on R2 want to communicate, despite not being in the same VRF?
Technically there is a way to do this inside R3 (leaking routes between the VRFs), but the whole point of the VRFs is to enforce the isolation, and a leaked route bypasses it silently for every host in the leaked subnet. So we route through another L3 device, and if security is to be enforced at that point, the device doing the routing should be a firewall with a policy between the two sides. R4 plays that role here. Keep in mind that in this lab R4 is a plain router: it validates the concept of inter-VRF routing but enforces nothing by itself.
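A check a practitioner would want at this point, added here as an example and not part of the original post: a small Python audit of an IOS configuration that flags the ways isolation gets broken on R3 itself, namely an addressed interface left in the global table, a static route whose exit interface belongs to another VRF, and the global keyword that resolves a VRF route's next hop in the global table. The config text is constructed from the R3 configuration used in this post, with three defects added for the demonstration; the ip route vrf ... <interface> <next-hop> and ... global forms are the standard IOS static-route leak syntax. Interface names are assumed to be written in full in routes, as in the interface stanzas.

```python
import re

INTF_RE = re.compile(r"^[A-Za-z][A-Za-z-]*\d[\d/.]*$")   # FastEthernet0/1, Loopback0, ...
ROUTE_RE = re.compile(r"^ip route(?: vrf (\S+))? (\S+) (\S+) (.+)$")

# R3's configuration as used in this post (VRFs, interface bindings, per-VRF routes).
LAB_CONFIG = """\
ip vrf VRF_R1
 rd 1:1
ip vrf VRF_R2
 rd 2:2
interface FastEthernet0/0
 ip vrf forwarding VRF_R1
 ip address 192.168.1.3 255.255.255.0
interface FastEthernet0/1
 ip vrf forwarding VRF_R2
 ip address 192.168.1.3 255.255.255.0
interface FastEthernet1/0.10
 encapsulation dot1Q 10
 ip vrf forwarding VRF_R1
 ip address 100.1.1.3 255.255.255.0
interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip vrf forwarding VRF_R2
 ip address 100.2.2.3 255.255.255.0
ip route vrf VRF_R1 1.1.1.1 255.255.255.255 192.168.1.1
ip route vrf VRF_R2 2.2.2.2 255.255.255.255 192.168.1.2
ip route vrf VRF_R1 0.0.0.0 0.0.0.0 100.1.1.4
ip route vrf VRF_R2 0.0.0.0 0.0.0.0 100.2.2.4
"""

# Constructed variant with three isolation breaks: Fa1/0.20 left in the global
# table, VRF_R2's default resolved in the global table, and VRF_R1 reaching
# VRF_R2's loopback subnet through VRF_R2's interface (on-box route leaking).
LEAKY_CONFIG = (
    LAB_CONFIG.replace(" ip vrf forwarding VRF_R2\n ip address 100.2.2.3",
                       " ip address 100.2.2.3")
    .replace("0.0.0.0 0.0.0.0 100.2.2.4", "0.0.0.0 0.0.0.0 100.2.2.4 global")
    + "ip route vrf VRF_R1 2.2.2.0 255.255.255.0 FastEthernet0/1 192.168.1.2\n"
)


def parse(config_text):
    """Return (iface -> vrf or None, iface -> address, [static routes])."""
    intf_vrf, intf_addr, routes, current = {}, {}, [], None
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                intf_vrf.setdefault(current, None)
            elif (m := ROUTE_RE.match(line)):
                vrf, prefix, mask, rest = m.groups()
                tokens = rest.split()
                exit_if = next((t for t in tokens if INTF_RE.match(t)), None)
                routes.append((vrf, f"{prefix} {mask}", exit_if, "global" in tokens))
            continue
        cmd = line.strip()                      # sub-command of the current interface
        if current is None:
            continue
        if cmd.startswith("ip vrf forwarding "):
            intf_vrf[current] = cmd.split()[-1]
        elif cmd.startswith("ip address "):
            intf_addr[current] = cmd.split()[2]
    return intf_vrf, intf_addr, routes


def audit(config_text):
    """List the places where this box's own configuration crosses VRF boundaries."""
    intf_vrf, intf_addr, routes = parse(config_text)
    findings = []
    for intf, vrf in intf_vrf.items():
        if vrf is None and intf in intf_addr:
            findings.append(f"{intf} ({intf_addr[intf]}) is addressed but sits in the global table")
    for vrf, dest, exit_if, via_global in routes:
        owner = vrf or "global"
        if via_global:
            findings.append(f"{owner}: route to {dest} resolves its next hop in the global table")
        if exit_if is not None and intf_vrf.get(exit_if) != vrf:
            findings.append(f"{owner}: route to {dest} exits via {exit_if}, "
                            f"which belongs to {intf_vrf.get(exit_if) or 'global'}")
    return findings


if __name__ == "__main__":
    for finding in audit(LEAKY_CONFIG):
        print(finding)
```

The clean lab configuration produces no findings; the constructed variant produces three. Run it against a real show running-config dump of a VRF-Lite box whenever a change touches ip route or an interface stanza, since a single leaked static route undoes the isolation the VRFs were created for.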
InterVRF Routing
If we want inter-VRF routing, we need to route outside of R3, to R4, using sub-interfaces on R3. These sub-interfaces belong to their respective VRFs on R3; on R4, however, no VRF is configured, so traffic can enter on one sub-interface of R4 and leave on the other one, the one linked to the destination VRF. Let's take a look at this: (diagram not reproduced here)

On R3 we define two sub-interfaces going to R4. Each one tags a different VLAN and is placed in a VRF; the VLAN tag is what keeps the two apart at Layer 2 on the shared link.
interface FastEthernet1/0.10
 encapsulation dot1Q 10
 ip vrf forwarding VRF_R1
 ip address 100.1.1.3 255.255.255.0
!
interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip vrf forwarding VRF_R2
 ip address 100.2.2.3 255.255.255.0

R4 is also configured with sub-interfaces, but without any VRF:

interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 100.1.1.4 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 100.2.2.4 255.255.255.0
Now the routing has to be configured. R1 and R2 have their default gateway pointing to R3; as they are not VRF aware, their routes live in the global routing table. On R1 and R2,
ip route 0.0.0.0 0.0.0.0 192.168.1.3

On R3 we also need default routes, but here R3 is VRF aware, so we specify, in each VRF, the next hop on the matching R4 sub-interface. On R3,
ip route vrf VRF_R1 0.0.0.0 0.0.0.0 100.1.1.4
ip route vrf VRF_R2 0.0.0.0 0.0.0.0 100.2.2.4
Last but not least, R4 needs routes for 1.1.1.0/24 and 2.2.2.0/24, each pointing back at the R3 sub-interface of the right VRF. On R4,
ip route 1.1.1.0 255.255.255.0 100.1.1.3
ip route 2.2.2.0 255.255.255.0 100.2.2.3
Now let's test the inter-VRF routing:

R1#ping 2.2.2.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/88/108 ms

Let's look at a traceroute to see the packet path:

R1#traceroute 2.2.2.2 source lo0

Type escape sequence to abort.
Tracing the route to 2.2.2.2

  1 192.168.1.3 28 msec 20 msec 20 msec
  2 100.1.1.4 36 msec 40 msec 40 msec
  3 100.2.2.3 68 msec 52 msec 64 msec
  4 192.168.1.2 92 msec * 92 msec
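Before moving on to NAT, the forwarding decisions behind that traceroute can be reproduced in a few dozen lines of Python. This is an added example, not code from the original post: it models one routing table per VRF, longest-prefix match restricted to the VRF of the ingress interface, and the L2 segments of the lab, using the addresses and interface names from this post. The Lab, Router and trace names are this example's own, and "global" is the label it uses for the non-VRF routing table.

```python
from ipaddress import ip_address, ip_interface, ip_network

GLOBAL = "global"  # name used here for the default (non-VRF) routing table


class Router:
    def __init__(self):
        self.ifaces = {}  # iface -> (vrf, IPv4Interface)
        self.rib = {}     # vrf -> [(network, next_hop or None, iface or None)]

    def add_iface(self, iface, addr, vrf=GLOBAL):
        ipi = ip_interface(addr)
        self.ifaces[iface] = (vrf, ipi)
        # the connected route lands only in the VRF the interface belongs to
        self.rib.setdefault(vrf, []).append((ipi.network, None, iface))

    def add_static(self, prefix, next_hop, vrf=GLOBAL):
        self.rib.setdefault(vrf, []).append((ip_network(prefix), ip_address(next_hop), None))

    def lookup(self, vrf, dst):
        """Longest-prefix match inside one VRF only: (network, next_hop, exit iface) or None."""
        best = None
        for net, nh, iface in self.rib.get(vrf, []):
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        if best is None:
            return None
        net, nh, iface = best
        if iface is None:  # static route: which connected subnet of this VRF holds the next hop?
            iface = next((i for n, h, i in self.rib[vrf] if h is None and nh in n), None)
            if iface is None:
                return None
        return net, nh, iface


class Lab:
    def __init__(self, *names):
        self.routers = {n: Router() for n in names}
        self.segments = []  # each entry: set of (router, iface) sharing one L2 domain

    def link(self, *ends):
        self.segments.append(set(ends))

    def neighbour(self, router, iface, addr):
        """The (router, iface) that owns addr on the segment behind (router, iface)."""
        for seg in self.segments:
            if (router, iface) in seg:
                for r, i in seg - {(router, iface)}:
                    if self.routers[r].ifaces[i][1].ip == addr:
                        return r, i
        raise LookupError(f"{router} {iface}: {addr} is not on the attached segment")

    def trace(self, start, dst, vrf=GLOBAL, max_hops=16):
        """Ingress addresses crossed on the way to dst, in traceroute order."""
        dst, here, path = ip_address(dst), start, []
        for _ in range(max_hops):
            r = self.routers[here]
            if any(ipi.ip == dst for _vrf, ipi in r.ifaces.values()):
                return path  # delivered: dst is one of this router's own addresses
            hit = r.lookup(vrf, dst)
            if hit is None:
                raise LookupError(f"{here}: no route to {dst} in {vrf}")
            _net, nh, iface = hit
            target = nh if nh is not None else dst
            here, in_iface = self.neighbour(here, iface, target)
            vrf = self.routers[here].ifaces[in_iface][0]  # VRF follows the ingress interface
            path.append(str(target))
        raise RuntimeError("forwarding loop")


def build_lab(inter_vrf=True):
    """The post's topology; with inter_vrf=False, R4 and the sub-interfaces are absent."""
    lab = Lab("R1", "R2", "R3", "R4")
    r1, r2, r3, r4 = (lab.routers[n] for n in ("R1", "R2", "R3", "R4"))
    for r, lan, lo in ((r1, "192.168.1.1/24", "1.1.1.1/24"), (r2, "192.168.1.2/24", "2.2.2.2/24")):
        r.add_iface("Fa0/0", lan)
        r.add_iface("Lo0", lo)
        r.add_static("0.0.0.0/0", "192.168.1.3")  # R1/R2 are not VRF aware: global table
    # R3 carries 192.168.1.3/24 twice; legal because each copy sits in its own VRF
    r3.add_iface("Fa0/0", "192.168.1.3/24", "VRF_R1")
    r3.add_iface("Fa0/1", "192.168.1.3/24", "VRF_R2")
    r3.add_static("1.1.1.1/32", "192.168.1.1", "VRF_R1")
    r3.add_static("2.2.2.2/32", "192.168.1.2", "VRF_R2")
    lab.link(("R1", "Fa0/0"), ("R3", "Fa0/0"))
    lab.link(("R2", "Fa0/0"), ("R3", "Fa0/1"))
    if inter_vrf:  # hairpin through R4: VLAN 10 <-> VRF_R1, VLAN 20 <-> VRF_R2
        r3.add_iface("Fa1/0.10", "100.1.1.3/24", "VRF_R1")
        r3.add_iface("Fa1/0.20", "100.2.2.3/24", "VRF_R2")
        r3.add_static("0.0.0.0/0", "100.1.1.4", "VRF_R1")
        r3.add_static("0.0.0.0/0", "100.2.2.4", "VRF_R2")
        r4.add_iface("Fa0/0.10", "100.1.1.4/24")
        r4.add_iface("Fa0/0.20", "100.2.2.4/24")
        r4.add_static("1.1.1.0/24", "100.1.1.3")
        r4.add_static("2.2.2.0/24", "100.2.2.3")
        lab.link(("R3", "Fa1/0.10"), ("R4", "Fa0/0.10"))
        lab.link(("R3", "Fa1/0.20"), ("R4", "Fa0/0.20"))
    return lab
```

build_lab().trace("R1", "2.2.2.2") returns the four hops of the traceroute above, and build_lab(inter_vrf=False).trace("R1", "2.2.2.2") raises LookupError at R3 because VRF_R1 has no route to 2.2.2.2. The model also shows why ping vrf matters: from R3, 192.168.1.1 is reachable in VRF_R1 but the same lookup in VRF_R2 selects FastEthernet0/1, where no such host exists.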
The packet goes through R3, leaves VRF_R1 towards R4, and comes back into R3 in VRF_R2. Now, if we want the overlapping networks themselves (192.168.1.0/24 on both sides) to communicate, we need VRF-aware NAT: each VRF is mapped to another address range, taken from a pool or from an interface. First we configure one pool per VRF:
8n R*$
ip nat pool VRF1 11.11.11.0 11.11.11.254 netmask 255.255.255.0
ip nat pool VRF2 22.22.22.0 22.22.22.254 netmask 255.255.255.0

Next we define which interfaces take part in the NAT. On R3 these are F0/0, F0/1, F1/0.10 and F1/0.20; ip nat enable puts them in NAT Virtual Interface (NVI) mode, which has no inside/outside distinction. On R3,
interface range f0/0 , f0/1 , f1/0.10 , f1/0.20
 ip nat enable
end
As with standard NAT, an ACL selects which traffic gets translated. On R3,
ip access-list standard VRF_R1
 permit 192.168.1.0 0.0.0.255
ip access-list standard VRF_R2
 permit 192.168.1.0 0.0.0.255
Then define the two NAT rules. They need to be VRF aware, hence the vrf keyword at the end, which ties each ACL/pool pair to one VRF:
ip nat source list VRF_R1 pool VRF1 vrf VRF_R1
ip nat source list VRF_R2 pool VRF2 vrf VRF_R2
R4 needs routes back to the translated (NATed) addresses:
ip route 11.11.11.0 255.255.255.0 100.1.1.3
ip route 22.22.22.0 255.255.255.0 100.2.2.3
And now the loopback can be reached with a ping sourced from the 192.168.1.0/24 address of each VRF:

R1#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/49/92 ms

R2#
*Mar  1 01:16:26.155: ICMP: echo reply sent, src 2.2.2.2, dst 11.11.11.1
*Mar  1 01:16:26.227: ICMP: echo reply sent, src 2.2.2.2, dst 11.11.11.1
*Mar  1 01:16:26.247: ICMP: echo reply sent, src 2.2.2.2, dst 11.11.11.1
*Mar  1 01:16:26.287: ICMP: echo reply sent, src 2.2.2.2, dst 11.11.11.1
*Mar  1 01:16:26.331: ICMP: echo reply sent, src 2.2.2.2, dst 11.11.11.1

R3#sh ip nat nvi translations vrf VRF_R1
Pro  Source global      Source local       Destin  local      Destin  global
icmp 2.2.2.2:19         2.2.2.2:19         11.11.11.2:19      192.168.1.1:19
icmp 11.11.11.2:19      192.168.1.1:19     2.2.2.2:19         2.2.2.2:19
---  11.11.11.2         192.168.1.1        ---                ---

R2 replies to the translated address, never to 192.168.1.1, and the translation table on R3 can be queried per VRF. Of course, if you want to reach the loopback from the outside you need a static NAT entry; this is the common scenario when hosting services on site. Enjoy!
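To see why the NAT has to be VRF aware, here is an added example (not from the original post) modelling the source translation R3 performs on the way to R4: the ACL, the pool and the translation state are all selected by VRF, so 192.168.1.1 in VRF_R1 and 192.168.1.1 in VRF_R2 get distinct global addresses, and a reply addressed to a global address is mapped back to the right VRF before it is routed. The pool ranges here start at .1 and the dynamic entries are one pool address per host (no overload), both assumptions of the example; the static entry at the end illustrates the inbound case the post mentions. The VrfAwareNat and build_nat names are this example's own.

```python
from ipaddress import ip_address, ip_network


class VrfAwareNat:
    """Source NAT as R3 applies it towards R4: rule, pool and state are keyed by VRF,
    so identical inside addresses in two VRFs never share an entry."""

    def __init__(self):
        self.rules = {}    # vrf -> (permitted source network, pool address iterator)
        self.table = {}    # (vrf, inside local) -> inside global
        self.reverse = {}  # inside global -> (vrf, inside local)

    def add_rule(self, vrf, acl_prefix, pool_first, pool_last):
        first, last = ip_address(pool_first), ip_address(pool_last)
        pool = (first + i for i in range(int(last) - int(first) + 1))
        self.rules[vrf] = (ip_network(acl_prefix), pool)

    def add_static(self, vrf, inside_local, inside_global):
        """Static entry so a service inside the VRF is reachable from outside."""
        key, glob = (vrf, ip_address(inside_local)), ip_address(inside_global)
        self.table[key], self.reverse[glob] = glob, key

    def translate_out(self, vrf, src):
        """Packet leaving vrf towards R4: the source address to put on the wire."""
        src = ip_address(src)
        rule = self.rules.get(vrf)
        if rule is None or src not in rule[0]:
            return src                   # no rule for this VRF, or ACL miss: untranslated
        key = (vrf, src)
        if key not in self.table:
            glob = next(rule[1], None)   # dynamic, non-overloaded: one pool address per host
            if glob is None:
                raise RuntimeError(f"{vrf}: NAT pool exhausted")
            self.table[key], self.reverse[glob] = glob, key
        return self.table[key]

    def translate_in(self, dst):
        """Reply arriving from R4: (vrf, inside local) for the global address, or None.
        The VRF returned is the routing table R3 must use for the rest of the path."""
        return self.reverse.get(ip_address(dst))


def build_nat():
    """The two rules from this post; pool ranges start at .1 (this example's choice)."""
    nat = VrfAwareNat()
    nat.add_rule("VRF_R1", "192.168.1.0/24", "11.11.11.1", "11.11.11.254")
    nat.add_rule("VRF_R2", "192.168.1.0/24", "22.22.22.1", "22.22.22.254")
    return nat
```

Without the VRF in the key, the second host named 192.168.1.1 would either reuse the first host's entry or evict it, and replies for 11.11.11.x could be delivered into the wrong department; that is the property the vrf keyword on ip nat source list buys you.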