Introduction to VRFs - Part 1 (IPv4-Only VRFs)

    Table of Contents:


    • Overview
    • Initial Configuration
    • Static Routing
    • Verification
    • Extra show Commands


    Overview

     

    This document covers only the basic functionality and configuration of single-protocol, IPv4-only VRFs. Multiprotocol VRFs are covered in the second part of this series.


    As you learned in your CCNA studies, all routes, whether connected, static, IGP-learned or BGP-learned, are placed in the global routing table by default. From that table the router selects the best path for forwarding packets. However, there are scenarios where a single routing table isn't sufficient. This is quite common with Service Providers, as depicted in the figure below.

     

     

    There are two issues with the setup above:

     

    1.) Both customers use the same, overlapping address scheme: 10.10.10.0/24.

    2.) It poses a security concern for both customers, since they share the same network. For example, users in CX-B will be able to reach those in CY-B. ACLs could be used to block unwanted traffic between them, but that won't scale well and adds management overhead on the ISP end.

     

    In order to support both customers' networks and completely isolate traffic between them, Virtual Routing and Forwarding instances, or VRFs, can be used. A VRF lets the router hold multiple virtual routing tables in addition to the global routing table. Each VRF instance is unique and isolated from the others, so we can give each customer its own routing table.

     

    The basic configuration of a VRF only requires two steps:

     

    1.) Create the VRF - (config)# ip vrf <vrf name>


    Note: Instance names are case sensitive.


    2.) Associate the VRF to the appropriate interface(s) - (config-if)# ip vrf forwarding <vrf name>

       

    Note: By default, all interfaces belong to the global IP routing table. When the ip vrf forwarding command is entered, the interface will be moved from the global routing table into the specific VRF instance defined in the command and the IPv4 address previously configured on the interface will be deleted.


    VRFs are heavily used in MPLS VPNs. Deploying VRFs without any MPLS configuration is called VRF-Lite.

     

    Initial Configuration


    Here's what the SP's global routing table looks like. As a side note, I'm using IOS 15, which is why I'm excluding the Local (L) routes: it keeps the entries in each output to a minimum.


    SP#show ip route | exclude L

     

    Gateway of last resort is not set

     

          10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks

    C        10.110.1.0/30 is directly connected, FastEthernet0/0

    C        10.120.1.0/30 is directly connected, FastEthernet0/1

    C        10.130.1.0/30 is directly connected, FastEthernet1/0

    C        10.140.1.0/30 is directly connected, FastEthernet1/1

     

    All customer routers have a default route pointing to the SP. Here is the routing table for one of them.


    CX-A#show ip route | exclude L

     

    Gateway of last resort is 10.110.1.1 to network 0.0.0.0

    S*    0.0.0.0/0 [1/0] via 10.110.1.1

          10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks

    C        10.110.1.0/30 is directly connected, FastEthernet0/0

     

    Now, let's create the VRFs for each customer.


    ISP(config)#ip vrf CUST-X

    ISP(config-vrf)#exit

    ISP(config)#ip vrf CUST-Y

    ISP(config-vrf)#exit

    ISP(config)#interface range FastEthernet 0/0 - 1

    ISP(config-if-range)#ip vrf forwarding CUST-X

    % Interface FastEthernet0/0 IPv4 disabled and address(es) removed due to disabling VRF CUST-X

    % Interface FastEthernet0/1 IPv4 disabled and address(es) removed due to disabling VRF CUST-X

    ISP(config-if-range)#interface range FastEthernet 1/0 - 1

    ISP(config-if-range)#ip vrf forwarding CUST-Y

    % Interface FastEthernet1/0 IPv4 disabled and address(es) removed due to disabling VRF CUST-Y

    % Interface FastEthernet1/1 IPv4 disabled and address(es) removed due to disabling VRF CUST-Y

     

    ISP#show ip interface brief

    Interface                  IP-Address      OK? Method Status                Protocol

    FastEthernet0/0            unassigned      YES manual up                    up

    FastEthernet0/1            unassigned      YES manual up                    up

    FastEthernet1/0            unassigned      YES manual up                    up

    FastEthernet1/1            unassigned      YES manual up                    up


    ISP#show ip route

    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

          E1 - OSPF external type 1, E2 - OSPF external type 2

          i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

          ia - IS-IS inter area, * - candidate default, U - per-user static route

          o - ODR, P - periodic downloaded static route, + - replicated route

    Gateway of last resort is not set

    ISP#


    Notice the messages about the IPv4 address being deleted on each interface that was associated with a VRF. Since we've moved every interface into a VRF, the SP router's global routing table is now empty. All of those addresses have been removed and must be configured again.

     

    Once VRFs exist, the normal verification commands become "VRF aware". This means that any verification or testing command, whether ping, traceroute, telnet, show, etc., that pertains to a specific VRF must include the vrf <vrf name> keyword; without it the command operates on the global routing table.


    The addresses have now been reconfigured on the appropriate interfaces, which populates each table. Shown below are the routing tables for each customer.


    ISP#show ip route vrf CUST-X | exclude L

     

    Routing Table: CUST-X


    Gateway of last resort is not set

     

          10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

    C        10.110.1.0/30 is directly connected, FastEthernet0/0

    C        10.120.1.0/30 is directly connected, FastEthernet0/1

     

    ISP#show ip route vrf CUST-Y | exclude L

     

    Routing Table: CUST-Y


    Gateway of last resort is not set

     

          10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

    C        10.130.1.0/30 is directly connected, FastEthernet1/0

    C        10.140.1.0/30 is directly connected, FastEthernet1/1

     

    Static Routing


    The SP can't reach either customer's LAN at the moment. Since this setup only requires static routes, let's go ahead and create them.


    ISP(config)#ip route vrf CUST-X 10.10.10.0 255.255.255.0 10.110.1.2

    ISP(config)#ip route vrf CUST-X 10.20.20.0 255.255.255.0 10.120.1.2

    ISP(config)#ip route vrf CUST-Y 10.10.10.0 255.255.255.0 10.130.1.2

    ISP(config)#ip route vrf CUST-Y 10.30.30.0 255.255.255.0 10.140.1.2

     

    Let's look at those tables again. Notice the static entries, especially the 10.10.10.0/24 route in each customer's table. If both of those were in the same routing table, they would appear as a single prefix with two next-hops and traffic would be load balanced between them.


    ISP#show ip route vrf CUST-X | exclude L

     

    Routing Table: CUST-X

     

    Gateway of last resort is not set

     

          10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks

    S        10.10.10.0/24 [1/0] via 10.110.1.2

    S        10.20.20.0/24 [1/0] via 10.120.1.2

    C        10.110.1.0/30 is directly connected, FastEthernet0/0

    C        10.120.1.0/30 is directly connected, FastEthernet0/1

     

    ISP#show ip route vrf CUST-Y | exclude L

     

    Routing Table: CUST-Y

     

    Gateway of last resort is not set

     

          10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks

    S        10.10.10.0/24 [1/0] via 10.130.1.2

    S        10.30.30.0/24 [1/0] via 10.140.1.2

    C        10.130.1.0/30 is directly connected, FastEthernet1/0

    C        10.140.1.0/30 is directly connected, FastEthernet1/1
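To make the routing behaviour above concrete, here is a small Python model of the ISP router's tables. This is an added example, not code from the original post: it reproduces the state built so far (two VRFs, each with two connected /30s and two static routes, and an empty global table) with a simplified longest-prefix-match lookup, and contrasts it with what the same two 10.10.10.0/24 statics would do in a single table. The Router class, its method names and the interface names are this example's own, modelled loosely on the IOS commands used on this page.

```python
import ipaddress
from collections import defaultdict


class Router:
    """Minimal model of an IOS router with a global table plus VRF tables.

    Each table is a list of routes (prefix, next_hop, exit_interface);
    connected routes have next_hop None, static routes have exit_interface
    None. The global routing table is stored under the key None.
    """

    def __init__(self):
        self.tables = defaultdict(list)   # vrf name (None = global) -> routes
        self.interfaces = {}              # intf -> (vrf, IPv4Interface or None)

    def ip_vrf(self, name):
        """'ip vrf NAME': create an empty routing table for the VRF."""
        self.tables.setdefault(name, [])

    def ip_vrf_forwarding(self, intf, vrf):
        """'ip vrf forwarding NAME': move the interface into the VRF.

        As on IOS, the interface's IPv4 address is removed, which also drops
        its connected route from whichever table held it.
        """
        old_vrf, addr = self.interfaces.get(intf, (None, None))
        if addr is not None:
            self.tables[old_vrf] = [r for r in self.tables[old_vrf] if r[2] != intf]
        self.interfaces[intf] = (vrf, None)

    def ip_address(self, intf, cidr):
        """'ip address A M' on the interface: installs the connected route."""
        vrf = self.interfaces.get(intf, (None, None))[0]
        iface = ipaddress.ip_interface(cidr)
        self.interfaces[intf] = (vrf, iface)
        self.tables[vrf].append((iface.network, None, intf))

    def ip_route(self, prefix, next_hop, vrf=None):
        """'ip route [vrf NAME] PREFIX MASK NEXT-HOP'."""
        self.tables[vrf].append(
            (ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop), None))

    def lookup(self, dst, vrf=None):
        """Longest-prefix match in one table.

        Returns every route sharing the longest matching prefix (more than
        one means equal-cost paths), or [] when the table has no route.
        """
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.tables[vrf] if dst in r[0]]
        if not matches:
            return []
        best = max(r[0].prefixlen for r in matches)
        return [r for r in matches if r[0].prefixlen == best]


def next_hops(router, dst, vrf=None):
    """Next hops (or exit interfaces) a packet to dst would use, as strings."""
    return sorted(str(r[1]) if r[1] is not None else r[2]
                  for r in router.lookup(dst, vrf))


def build_isp():
    """Reproduce the configuration walked through on this page."""
    r = Router()
    links = {"FastEthernet0/0": "10.110.1.1/30", "FastEthernet0/1": "10.120.1.1/30",
             "FastEthernet1/0": "10.130.1.1/30", "FastEthernet1/1": "10.140.1.1/30"}
    for intf, cidr in links.items():        # initial state: all in the global table
        r.ip_address(intf, cidr)
    r.ip_vrf("CUST-X")
    r.ip_vrf("CUST-Y")
    for intf in ("FastEthernet0/0", "FastEthernet0/1"):
        r.ip_vrf_forwarding(intf, "CUST-X")
    for intf in ("FastEthernet1/0", "FastEthernet1/1"):
        r.ip_vrf_forwarding(intf, "CUST-Y")
    assert not r.tables[None]               # global table is now empty
    for intf, cidr in links.items():        # addresses must be re-entered
        r.ip_address(intf, cidr)
    r.ip_route("10.10.10.0/24", "10.110.1.2", "CUST-X")
    r.ip_route("10.20.20.0/24", "10.120.1.2", "CUST-X")
    r.ip_route("10.10.10.0/24", "10.130.1.2", "CUST-Y")
    r.ip_route("10.30.30.0/24", "10.140.1.2", "CUST-Y")
    return r


def single_table_next_hops():
    """The same two 10.10.10.0/24 statics in ONE table become equal-cost paths."""
    r = Router()
    r.ip_route("10.10.10.0/24", "10.110.1.2")
    r.ip_route("10.10.10.0/24", "10.130.1.2")
    return next_hops(r, "10.10.10.1")


if __name__ == "__main__":
    isp = build_isp()
    print("global  :", next_hops(isp, "10.10.10.1"))              # []
    print("CUST-X  :", next_hops(isp, "10.10.10.1", "CUST-X"))    # ['10.110.1.2']
    print("CUST-Y  :", next_hops(isp, "10.10.10.1", "CUST-Y"))    # ['10.130.1.2']
    print("X -> Y LAN:", next_hops(isp, "10.30.30.1", "CUST-X"))  # []
    print("one table:", single_table_next_hops())                 # ['10.110.1.2', '10.130.1.2']
```

The empty result for the global table is the same thing the plain ping in the Verification section runs into, and the empty result for 10.30.30.1 looked up in CUST-X is the isolation the customer-to-customer pings confirm.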


    Verification


    As mentioned previously, the normal commands become VRF aware once VRFs exist. Commands that don't specify a VRF therefore make the router consult the global IP routing table, which in this case is currently empty.


    ISP#ping 10.10.10.1

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:

    .....

    Success rate is 0 percent (0/5)

     

    ISP#ping 10.20.20.1

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:

    .....

    Success rate is 0 percent (0/5)

     

    ISP#ping 10.30.30.1

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.30.30.1, timeout is 2 seconds:

    .....

    Success rate is 0 percent (0/5)

     

    Shown below are pings to addresses within each customer's VRF, followed by a Tcl shell loop that achieves the same thing.


    ISP#ping vrf CUST-X 10.10.10.1

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:

    !!!!!


    ISP#ping vrf CUST-X 10.20.20.1

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:

    !!!!!

     

    ISP#ping vrf CUST-Y 10.10.10.1

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:

    !!!!!


    ISP#ping vrf CUST-Y 10.30.30.1

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.30.30.1, timeout is 2 seconds:

    !!!!!


     

    ISP#tclsh

    ISP(tcl)#foreach IP {

    +>10.10.10.1

    +>10.20.20.1

    +>} {puts "[exec ping vrf CUST-X $IP]"}

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 52/156/252 ms

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/156/348 ms

     

    ISP#tclsh

    ISP(tcl)#foreach IP {

    +>10.10.10.1

    +>10.30.30.1

    +>} {puts "[exec ping vrf CUST-Y $IP]"}

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 140/168/244 ms

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.30.30.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/102/220 ms


    Finally, let's test the connectivity between the customers.


    CX-A#tclsh

    CX-A(tcl)#foreach IP {

    +>10.120.1.2

    +>10.20.20.1

    +>10.130.1.2

    +>10.140.1.2

    +>10.30.30.1

    +>} {ping $IP}

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.120.1.2, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 116/188/268 ms

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 88/179/328 ms

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.130.1.2, timeout is 2 seconds:

    UUUUU

    Success rate is 0 percent (0/5)

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.140.1.2, timeout is 2 seconds:

    UUUUU

    Success rate is 0 percent (0/5)

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.30.30.1, timeout is 2 seconds:

    UUUUU

    Success rate is 0 percent (0/5)

     

     

    CY-A#tclsh

    CY-A(tcl)#foreach IP {

    +>10.140.1.2

    +>10.30.30.1

    +>10.110.1.2

    +>10.120.1.2

    +>10.20.20.1

    +>} {ping $IP}

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.140.1.2, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/169/256 ms

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.30.30.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 140/196/288 ms

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.110.1.2, timeout is 2 seconds:

    UUUUU

    Success rate is 0 percent (0/5)

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.120.1.2, timeout is 2 seconds:

    UUUUU

    Success rate is 0 percent (0/5)

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:

    UUUUU

    Success rate is 0 percent (0/5)


    Evidently, the SP router returns unreachable messages for traffic sourced from one customer and destined for the other customer's premises, showing that traffic is isolated within each VRF.


    Extra show Commands


    Now, what if we have several VRFs? Do we have to memorize each name to check each routing table? No: you can view the routing tables of all VRFs at once. The syntax is show ip route vrf *, as shown below.


    ISP#show ip route vrf *

    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

          E1 - OSPF external type 1, E2 - OSPF external type 2

          i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

          ia - IS-IS inter area, * - candidate default, U - per-user static route

          o - ODR, P - periodic downloaded static route, + - replicated route

     

    Gateway of last resort is not set

     

     

    Routing Table: CUST-X

    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

          E1 - OSPF external type 1, E2 - OSPF external type 2

          i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

          ia - IS-IS inter area, * - candidate default, U - per-user static route

          o - ODR, P - periodic downloaded static route, + - replicated route

     

    Gateway of last resort is not set

     

          10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks

    S        10.10.10.0/24 [1/0] via 10.110.1.2

    S        10.20.20.0/24 [1/0] via 10.120.1.2

    C        10.110.1.0/30 is directly connected, FastEthernet0/0

    L        10.110.1.1/32 is directly connected, FastEthernet0/0

    C        10.120.1.0/30 is directly connected, FastEthernet0/1

    L        10.120.1.1/32 is directly connected, FastEthernet0/1

     

    Routing Table: CUST-Y

    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

          E1 - OSPF external type 1, E2 - OSPF external type 2

          i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

          ia - IS-IS inter area, * - candidate default, U - per-user static route

          o - ODR, P - periodic downloaded static route, + - replicated route

     

    Gateway of last resort is not set

     

          10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks

    S        10.10.10.0/24 [1/0] via 10.130.1.2

    S        10.30.30.0/24 [1/0] via 10.140.1.2

    C        10.130.1.0/30 is directly connected, FastEthernet1/0

    L        10.130.1.1/32 is directly connected, FastEthernet1/0

    C        10.140.1.0/30 is directly connected, FastEthernet1/1

    L        10.140.1.1/32 is directly connected, FastEthernet1/1

     

    What if we want to quickly check the configuration that belongs to a VRF? You can use show run vrf <vrf name> to view the configuration for a specific VRF, or plain show run vrf to display the VRF-relevant configuration for all VRFs.


    ISP#show run vrf

    Building configuration...

     

    Current configuration : 749 bytes

    ip vrf CUST-X

    !

    !

    interface FastEthernet0/0

    ip vrf forwarding CUST-X

    ip address 10.110.1.1 255.255.255.252

    !

    !

    interface FastEthernet0/1

    ip vrf forwarding CUST-X

    ip address 10.120.1.1 255.255.255.252

    !

    !

    ip route vrf CUST-X 10.10.10.0 255.255.255.0 10.110.1.2

    ip route vrf CUST-X 10.20.20.0 255.255.255.0 10.120.1.2

    !

    ip vrf CUST-Y

    !

    !

    interface FastEthernet1/0

    ip vrf forwarding CUST-Y

    ip address 10.130.1.1 255.255.255.252

    !

    !

    interface FastEthernet1/1

    ip vrf forwarding CUST-Y

    ip address 10.140.1.1 255.255.255.252

    !

    !

    ip route vrf CUST-Y 10.10.10.0 255.255.255.0 10.130.1.2

    ip route vrf CUST-Y 10.30.30.0 255.255.255.0 10.140.1.2

    !

    end
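Because show run vrf groups everything per VRF, its output is also a handy input for an automated sanity check after a change like the one made here. The following Python is an added example, not part of the original post: it parses the show run vrf output above (embedded as a constructed sample copied from that output, with IOS's usual one-space indentation restored) into per-VRF interfaces and static routes, then flags two mistakes that are easy to make when moving interfaces into VRFs: a VRF interface whose IPv4 address was never re-added after ip vrf forwarding stripped it, and a static route whose next hop is not on any connected subnet of its own VRF. It also lists prefixes that appear in more than one VRF, which is expected here but is exactly what an operator needs to know before ever leaking routes between tables. The function names and the BROKEN_SAMPLE variant are this example's own.

```python
import ipaddress

# Constructed sample: the 'show run vrf' output from the ISP router above.
SHOW_RUN_VRF = """\
ip vrf CUST-X
!
interface FastEthernet0/0
 ip vrf forwarding CUST-X
 ip address 10.110.1.1 255.255.255.252
!
interface FastEthernet0/1
 ip vrf forwarding CUST-X
 ip address 10.120.1.1 255.255.255.252
!
ip route vrf CUST-X 10.10.10.0 255.255.255.0 10.110.1.2
ip route vrf CUST-X 10.20.20.0 255.255.255.0 10.120.1.2
!
ip vrf CUST-Y
!
interface FastEthernet1/0
 ip vrf forwarding CUST-Y
 ip address 10.130.1.1 255.255.255.252
!
interface FastEthernet1/1
 ip vrf forwarding CUST-Y
 ip address 10.140.1.1 255.255.255.252
!
ip route vrf CUST-Y 10.10.10.0 255.255.255.0 10.130.1.2
ip route vrf CUST-Y 10.30.30.0 255.255.255.0 10.140.1.2
!
end
"""

# Constructed variant: the address on Fa0/1 was never re-added after
# 'ip vrf forwarding' removed it.
BROKEN_SAMPLE = SHOW_RUN_VRF.replace(" ip address 10.120.1.1 255.255.255.252\n", "")


def _vrf(vrfs, name):
    return vrfs.setdefault(name, {"interfaces": {}, "routes": []})


def parse_show_run_vrf(text):
    """Return {vrf: {"interfaces": {intf: IPv4Interface or None},
                     "routes": [(IPv4Network, IPv4Address next hop), ...]}}."""
    vrfs = {}
    intf, intf_vrf = None, None
    for raw in text.splitlines():
        line = raw.strip()                      # tolerate lost indentation
        if line.startswith("ip vrf forwarding "):
            intf_vrf = line.split()[3]
            _vrf(vrfs, intf_vrf)["interfaces"][intf] = None   # no address yet
        elif line.startswith("ip vrf "):
            _vrf(vrfs, line.split()[2])
        elif line.startswith("interface "):
            intf, intf_vrf = line.split(None, 1)[1], None
        elif line.startswith("ip address ") and intf_vrf is not None:
            addr, mask = line.split()[2:4]
            _vrf(vrfs, intf_vrf)["interfaces"][intf] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif line.startswith("ip route vrf "):
            _, _, _, name, net, mask, nh = line.split()[:7]
            _vrf(vrfs, name)["routes"].append(
                (ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(nh)))
        elif line == "!":
            intf, intf_vrf = None, None
    return vrfs


def interfaces_without_address(vrfs):
    """VRF interfaces that still have no IPv4 address."""
    return sorted(f"{v}:{i}" for v, d in vrfs.items()
                  for i, a in d["interfaces"].items() if a is None)


def unresolvable_static_routes(vrfs):
    """Static routes whose next hop is not on a connected subnet of the same VRF."""
    bad = []
    for v, d in vrfs.items():
        connected = [a.network for a in d["interfaces"].values() if a is not None]
        for net, nh in d["routes"]:
            if not any(nh in c for c in connected):
                bad.append(f"{v}:{net} via {nh}")
    return sorted(bad)


def prefixes_in_multiple_vrfs(vrfs):
    """Prefixes that are routed in more than one VRF."""
    seen = {}
    for v, d in vrfs.items():
        for net, _ in d["routes"]:
            seen.setdefault(str(net), []).append(v)
    return {p: sorted(vs) for p, vs in seen.items() if len(vs) > 1}


if __name__ == "__main__":
    for label, sample in (("page config", SHOW_RUN_VRF), ("broken config", BROKEN_SAMPLE)):
        cfg = parse_show_run_vrf(sample)
        print(label)
        print("  interfaces without address:", interfaces_without_address(cfg))
        print("  unresolvable static routes:", unresolvable_static_routes(cfg))
        print("  prefixes in several VRFs:  ", prefixes_in_multiple_vrfs(cfg))
```

On the configuration from this page the first two checks come back empty and the third reports 10.10.10.0/24 in both CUST-X and CUST-Y; on the broken variant the missing address on FastEthernet0/1 is reported, and the 10.20.20.0/24 route in CUST-X is flagged because its next hop 10.120.1.2 no longer sits on a connected subnet of that VRF.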