13 Replies Latest reply: Aug 23, 2017 3:46 AM by Osvaldo Kapalo

    what is VRF

    Ganesh

      Please tell me what VRF is and why it is used. Please provide the necessary documents.

        • 1. Re: what is VRF
          Conwyn

          Hi Ganesh

           

          VRF allows you to have separate route tables. So an ISP can keep its customers separate on a common infrastructure.

          VRF-Lite allows a router to have different routes for a group of interfaces, so department X cannot route to department Y on the same router, but both departments can share the connection to the cloud.

           

          Regards Conwyn

          • 2. Re: what is VRF
            Mohamed Sobair

            Hi,

             

            VRF is a VPN routing and forwarding instance that has a set of routes and policies required by each organization.

            Each VRF has the following tables:

            1- a set of routes and policies for that VRF.

            2- a CEF table associated with it.

            In short: VRF is used to separate/isolate networks and to make each VRF instance a separate entity.

             

             

             

            HTH

            Mohamed

            • 3. Re: what is VRF
              Jayram Deshpande

              VRF essentially provides a Layer 3 sandbox on/within the router so that you can limit visibility of one LAN from another when both are routed by the same Layer 3 device.

              • 4. Re: what is VRF
                billpremo

                Because VRF acts like a logical router and it segments traffic, VRFs can be used to increase network security while not necessarily needing encryption and authentication to keep the traffic separate.

                • 5. Re: what is VRF
                  carlos - CCNP, CCSI, CCNA Security

                  So basically VRF is like a way to create like a vlan on the router?

                  • 6. Re: what is VRF
                    DelVonte

                    Yes and no. A VRF is a logical entity like a vlan, but unlike a vlan, it is a completely separate logical device, in this case a logical router with a different routing table.

                    • 7. Re: what is VRF
                      Bryan

                      Does that mean that vrf can create separated lan segments/broadcast domains while keeping L3 routing tables?

                      • 8. Re: what is VRF
                        Gustav

                        So is a VRF basically a Vlan for routers?

                        • 9. Re: what is VRF
                          DelVonte

                          It is more complicated than that, but they do have similarities in scope and purpose. So in essence a VLAN is a separate logical network, whereas a VRF is a separate routing instance. I guess if you were comparing a type of VLAN, private VLANs would be a better comparison, but ultimately you're talking about Layer 3 and Layer 2, which is hard to compare.

                           

                          I apologize for typos, posting from a mobile device.

                          • 10. Re: what is VRF
                            CCNA Learner

                            VLAN creation separated broadcast domains, and inter-VLAN routing was needed for hosts between VLANs to talk.

                            What is VRF routing table separation for in a real-time scenario? Does anyone have a use case, since we still perform route leaking?

                            • 11. Re: what is VRF
                              Kishwor

                              Read this article :

                              Key Concept–Each VRF instance is a separate route table.

                              The Challenge–

                              The image below contains three routers. Both routers need to be able to reach their respective sub interface and loopback on R1. R2 and R3 do not need to access one another. Both R2 and R3 must use 192.168.1.1 as a default gateway. R2 and R3 must be in separate VLANs.

                              I hope I’ve written the challenge in a way that VRFs are the only solution. Based on the requirements, I believe we need two VRFs. We should be able to accomplish this by implementing the diagram below.

                               

                              VRF configuration is fairly straightforward, so let’s go ahead and get started.
                              //create the two VRFs

                              R1(config)#ip vrf red
                              R1(config)#ip vrf blue

                              //create each sub interface and place them into the appropriate VRF
                              //notice that we configure the IP address after configuring the VRF
                              //otherwise the router will remove the IP address

                              R1(config-subif)#int fa0/0.10
                              R1(config-subif)#encapsulation dot1Q 10            
                              R1(config-subif)#ip vrf forwarding red             
                              R1(config-subif)#ip address 192.168.1.1 255.255.255.0

                              R1(config-subif)#int fa0/0.20
                              R1(config-subif)#encapsulation dot1Q 20            
                              R1(config-subif)#ip vrf forwarding blue            
                              R1(config-subif)#ip address 192.168.1.1 255.255.255.0

                              //notice that the router accepted the same IP address on both interfaces
                              //this is because they are in separate VRF instances

                              Now let’s test our reachability to R2 and R3.
                              //notice we now have to clue R1 into the fact that we want
                              //to use a VRF as opposed to the global routing table.

                              //ping R2
                              R1#ping vrf red 192.168.1.2

                              Type escape sequence to abort.
                              Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
                              !!!!!
                              Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

                              //ping R3
                              R1#ping vrf blue 192.168.1.2

                              Type escape sequence to abort.
                              Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
                              !!!!!
                              Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
                              R1#

                              Even though 192.168.1.1 is directly connected to Fa0/0.10 and Fa0/0.20, it does not show up with a “show ip route”. Remember, “show ip route” shows the global routing table.
                              R1#show ip route
                              Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
                                     D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                                     N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                                     E1 - OSPF external type 1, E2 - OSPF external type 2
                                     i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                                     ia - IS-IS inter area, * - candidate default, U - per-user static route
                                     o - ODR, P - periodic downloaded static route

                              Gateway of last resort is not set

                              R1#

                              To see the routes associated with a VRF, we have to add the “vrf vrfname” parameter.
                              R1#show ip route vrf red

                              Routing Table: red
                              Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
                                     D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                                     N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                                     E1 - OSPF external type 1, E2 - OSPF external type 2
                                     i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                                     ia - IS-IS inter area, * - candidate default, U - per-user static route
                                     o - ODR, P - periodic downloaded static route

                              Gateway of last resort is not set

                              C    192.168.1.0/24 is directly connected, FastEthernet0/0.10

                              R1#show ip route vrf blue

                              Routing Table: blue
                              Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
                                     D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                                     N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                                     E1 - OSPF external type 1, E2 - OSPF external type 2
                                     i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                                     ia - IS-IS inter area, * - candidate default, U - per-user static route
                                     o - ODR, P - periodic downloaded static route

                              Gateway of last resort is not set

                              C    192.168.1.0/24 is directly connected, FastEthernet0/0.20
                              R1#

                              Now let’s add our loopback interfaces into the appropriate VRFs.
                              R1(config)#int loop 10
                              R1(config-if)$ip vrf forwarding red
                              R1(config-if)#ip address 10.10.10.10 255.255.255.0
                              R1(config-if)#int loop 20
                              R1(config-if)$ip vrf forwarding blue
                              R1(config-if)#ip address 20.20.20.20 255.255.255.0
                              R1(config-if)#exit

                              Finally, we can test from R2 and R3. In a multi-tenant environment, you might not have access to these. However, in this lab we do and can therefore use them to confirm the functionality.

                              R2 (should be able to reach 10.10.10.10, but not 20.20.20.20)
                              R2(config)#do ping 10.10.10.10

                              Type escape sequence to abort.
                              Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
                              !!!!!
                              Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
                              R2(config)#do ping 20.20.20.20

                              Type escape sequence to abort.
                              Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
                              U.U.U
                              Success rate is 0 percent (0/5)

                              R3 (should not be able to reach 10.10.10.10, but should have access to 20.20.20.20)
                              R3(config)#do ping 10.10.10.10

                              Type escape sequence to abort.
                              Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
                              U.U.U
                              Success rate is 0 percent (0/5)
                              R3(config)#do ping 20.20.20.20

                              Type escape sequence to abort.
                              Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
                              !!!!!
                              Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
                              R3(config)#

                              While solving our challenge, this article has demonstrated the simplest form of VRFs on a single router. VRFs are a foundational building block that has given network designers great flexibility when designing MPLS networks. In future articles, we will build on this example and demonstrate methods for jumping between VRFs and utilizing NAT in a multi tenant environment.
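The isolation shown in the lab above holds only while every tenant-facing interface stays in its VRF, so here is an added example (not part of the original post or the quoted article) that audits a saved IOS configuration for interface-to-VRF membership. It goes beyond the lab by also flagging overlaps inside one table and interfaces whose address is missing after `ip vrf forwarding` was applied; the `FastEthernet0/1` interface and the policy that every addressed interface belongs in a VRF are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: R1's sub-interfaces from the post in running-config form,
# plus a hypothetical Fa0/1 left in the global table so the audit flags something.
SAMPLE_CONFIG = """\
ip vrf red
ip vrf blue
interface FastEthernet0/0.10
 ip vrf forwarding red
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0.20
 ip vrf forwarding blue
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map each interface to its VRF (None = global table) and connected network."""
    interfaces, current = {}, None
    for line in map(str.rstrip, config.splitlines()):
        if not line.startswith(" "):
            current = None  # any top-level line ends the interface stanza
        if m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(m[1], {"vrf": None, "net": None})
        elif current and (m := re.match(r" +ip vrf forwarding (\S+)$", line)):
            current["vrf"] = m[1]
        elif current and (m := re.match(r" +ip address (\S+) (\S+)$", line)):
            current["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return interfaces

def audit(config):
    """Return findings; the same subnet in two different VRFs is not a finding."""
    findings, seen = [], defaultdict(list)
    for name, info in parse_interfaces(config).items():
        vrf, net = info["vrf"], info["net"]
        if vrf is None and net is not None:  # assumed policy: no tenant in global
            findings.append(f"{name}: addressed but in the global routing table")
        if vrf is not None and net is None:  # address lost or never re-applied
            findings.append(f"{name}: in VRF {vrf} with no IP address")
        for other, other_net in seen[vrf]:
            if net is not None and net.overlaps(other_net):
                findings.append(f"{name}: overlaps {other} in table {vrf or 'global'}")
        if net is not None:
            seen[vrf].append((name, net))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports only the hypothetical Fa0/1, because the duplicate 192.168.1.1 addresses sit in different VRFs.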

                              • 12. Re: what is VRF
                                Arsenio

                                Awesome!

                                • 13. Re: what is VRF
                                  Osvaldo Kapalo

                                  Excellent!