VRF-Lite

VRF-Lite is a simple solution for segregating traffic from different networks across the backbone.  It creates individual routing tables for each VRF we create, keeping them out of the global routing table.  Virtualization in this manner is very handy in large networks where we may want to separate traffic from our sales and logistics organizations.  We may also want to turn up a guest VRF to allow visitors access to the internet without mingling through our enterprise routing table!

The following is a tutorial on a simple VRF-Lite configuration using OSPF.  To begin with, you can download the topology we will be working with from here:

http://rapidshare.com/files/193141474/VRF-Lite.zip

Our network consists of four routers, SG1 – SG4, all running OSPF 1.  Since we are only using a single physical interface between each device, we will set up trunks and configure layer 3 connectivity via SVIs.  Here are a few extra notes on the topology and device configurations.  These will help us turn up SG5 and SG6 and verify connectivity across the backbone.

  1. Loopbacks 0 are in OSPF 1
  2. Loopbacks 2 are in OSPF 2 vrf Guest
  3. SG1 f0/0 is an access port assigned to VLAN 51
  4. SG4 f0/0 is an access port assigned to VLAN 46
  5. SG5 f0/0 is a routed port
  6. SG5 f0/0 is a routed port
  7. Static zero routes between SG5-SG1 and SG4-SG6

On SG1 set the vtp mode to transparent and create the VLANs:

>enable

#vlan database
(vlan)#vtp transparent
(vlan)#vlan 12
(vlan)#vlan 13
(vlan)#vlan 51
(vlan)#vlan 112
(vlan)#vlan 113
(vlan)#exit

Set trunking on physical interface:

#configure terminal
(config)#interface FastEthernet 0/2
(config-if)#switchport mode trunk
(config-if)#exit
(config)#interface FastEthernet 0/3
(config-if)#switchport mode trunk
(config-if)#exit
(config)#end
#copy running-config startup-config (or write memory)

Create the loopback addresses

#configure terminal
(config)#interface loopback0
(config-if)#ip address 1.1.1.1 255.255.255.255
(config-if)#exit
(config)#interface loopback2
(config-if)#ip address 11.11.11.11 255.255.255.255
(config-if)#exit
(config)#end
#copy running-config startup-config (or write memory)

Configure OSPF

#configure terminal
(config)#router ospf 1
(config-router)#router-id 1.1.1.1
(config-router)#network 1.1.1.1 0.0.0.0 area 0
(config-router)#network 10.1.0.0 0.0.63.255 area 0
(config-router)#exit
(config)#end
#copy running-config startup-config (or write memory)

Perform the same steps on the other four routers using the information from the drawing.  Note that OSPF process 1 is in yellow and the VLANs are not the same.  Once you have that set up, verify your connectivity from SG1 – SG4 by pinging the loopbacks and looking at the routing tables.

SG1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 10.1.12.2, 00:00:09, Vlan12
3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/2] via 10.1.13.2, 00:00:09, Vlan13
4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/3] via 10.1.13.2, 00:00:09, Vlan13
10.0.0.0/30 is subnetted, 4 subnets
C       10.1.13.0 is directly connected, Vlan13
C       10.1.12.0 is directly connected, Vlan12
O       10.1.24.0 [110/2] via 10.1.12.2, 00:00:09, Vlan12
O       10.1.34.0 [110/2] via 10.1.13.2, 00:00:09, Vlan13

SG1#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/96/120 ms

Now that we have our enterprise network (albeit small with only 4 routers), let’s build a VRF that will separate the traffic from SG5 and SG6 from the global routing table.  The first thing we need to do is build the VRF.  The VRF name can be any alphanumeric value, but each VRF needs a unique route distinguisher, written as two values separated by a colon (value1:value2).  The values are arbitrary but must be numeric; value1 can be an IP address if desired.  Since we are not using BGP, redistribution, or MPLS tagging (hence VRF-Lite!), this VRF must be built on every interconnecting router that the traffic will travel through.

#configure terminal
(config)#ip vrf Guest
(config-vrf)#rd 2:100
(config-vrf)#route-target export 2:100
(config-vrf)#route-target import 2:100
(config-vrf)#exit
(config)#exit

Now we need to identify the interfaces that are going to participate in the VRF.  In order to add them to the VRF and separate them from participating in the global routing table, we need to apply the ip vrf forwarding <vrf-name> command to the interface.  On SG1, it looks like this:

NOTE: Adding the ip vrf forwarding <vrf-name> command to an interface automatically removes any IP address assigned to that interface, so the IP address has to be reassigned afterwards.

#configure terminal
(config)#interface FastEthernet 0/0
(config-if)#ip vrf forwarding Guest
(config-if)#ip address 10.2.51.1 255.255.255.252
(config-if)#exit
(config)#exit

Using the topology drawing, add the remaining interfaces to the VRF on all routers.
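Because ip vrf forwarding strips the interface address, two mistakes are easy to make while moving interfaces: an interface ends up in the VRF with no address, or an interface addressed from the Guest range never gets moved into the VRF and stays in the global table.  The audit below is an added example (not code from the original post) that parses a constructed running-config fragment in the style of the SG1 configuration and flags both cases.  It assumes Guest links are numbered from 10.2.0.0/16 and global links from 10.1.0.0/16, matching the addressing used in this topology.

```python
import re
from ipaddress import ip_interface, ip_network

# Constructed sample: Vlan112 had 'ip vrf forwarding' applied but its address
# was never restored; Vlan113 has a Guest-range address but is not in the VRF.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip vrf forwarding Guest
 ip address 10.2.51.1 255.255.255.252
interface Vlan112
 ip vrf forwarding Guest
interface Vlan12
 ip address 10.1.12.1 255.255.255.252
interface Vlan113
 ip address 10.2.113.1 255.255.255.252
"""

# Assumption: Guest links live in 10.2.0.0/16, global links in 10.1.0.0/16.
GUEST_RANGE = ip_network("10.2.0.0/16")

def parse_interfaces(config):
    """Return {name: {"vrf": ..., "ip": ...}} from an IOS-style running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"vrf": None, "ip": None}
        elif current and line.startswith(" "):
            vrf = re.match(r"\s+ip vrf forwarding (\S+)", line)
            addr = re.match(r"\s+ip address (\S+) (\S+)", line)
            if vrf:
                interfaces[current]["vrf"] = vrf.group(1)
            elif addr:
                interfaces[current]["ip"] = f"{addr.group(1)}/{addr.group(2)}"
    return interfaces

def audit_vrf_interfaces(config, vrf="Guest", guest_range=GUEST_RANGE):
    """Flag interfaces left without an address after 'ip vrf forwarding', and
    Guest-range interfaces that are still in the global routing table."""
    findings = []
    for name, attrs in parse_interfaces(config).items():
        if attrs["vrf"] == vrf and attrs["ip"] is None:
            findings.append((name, "vrf set but no ip address"))
        elif attrs["vrf"] is None and attrs["ip"]:
            if ip_interface(attrs["ip"]).network.subnet_of(guest_range):
                findings.append((name, "guest address but not in vrf"))
    return findings
```

Run it against the output of show running-config from each router after step 124 and expect an empty list before moving on to the OSPF 2 configuration.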

Now we will create the routing process for our VRF using OSPF.  The configurations are identical to our global OSPF process with one exception.  In order to designate the OSPF process for the VRF we need to add the VRF name: router ospf 2 vrf Guest.  Here is the configuration on SG1:

#configure terminal
(config)#router ospf 2 vrf Guest
(config-router)#router-id 11.11.11.11
(config-router)#network 10.2.0.0 0.0.127.255 area 0
(config-router)#network 11.11.11.11 0.0.0.0 area 0
(config-router)#exit
(config)#exit

Again, apply this configuration to SG2, SG3, and SG4 using the corresponding address assignments.  In order to view the VRF routing table and ping across our virtualized private network, we again add the VRF name at the end of the statement:

#show ip route vrf Guest
#ping vrf Guest 44.44.44.44

Verify your connectivity from SG1 – SG4 by pinging the loopbacks and looking at the routing tables.

SG1#show ip route vrf Guest

Routing Table: Guest
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

33.0.0.0/32 is subnetted, 1 subnets
O       33.33.33.33 [110/2] via 10.2.113.2, 00:37:33, Vlan113
22.0.0.0/32 is subnetted, 1 subnets
O       22.22.22.22 [110/2] via 10.2.112.2, 00:37:33, Vlan112
10.0.0.0/30 is subnetted, 5 subnets
O       10.2.46.0 [110/3] via 10.2.112.2, 00:37:33, Vlan112
C       10.2.51.0 is directly connected, Vlan51
O       10.2.124.0 [110/2] via 10.2.112.2, 00:37:33, Vlan112
C       10.2.112.0 is directly connected, Vlan112
C       10.2.113.0 is directly connected, Vlan113
11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback2
44.0.0.0/32 is subnetted, 1 subnets
O       44.44.44.44 [110/3] via 10.2.112.2, 00:37:33, Vlan112

SG1#ping vrf Guest 44.44.44.44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/132/228 ms

Voila!  We know transport is good across our backbone.
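A successful ping only proves reachability; the point of the VRF is that the Guest table and the global table share nothing.  As an added check (example code, not part of the original post), the script below parses excerpts of the show ip route and show ip route vrf Guest output shown above and reports any prefix or outgoing interface present in both tables, which is what a leak between the VRF and the global routing table would look like.  The two tables are constructed, abbreviated copies of the output above.

```python
import re
from ipaddress import ip_network

# Constructed, abbreviated copies of the 'show ip route' and
# 'show ip route vrf Guest' output shown above.
GLOBAL_TABLE = """\
1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
10.0.0.0/30 is subnetted, 4 subnets
C       10.1.12.0 is directly connected, Vlan12
O       10.1.24.0 [110/2] via 10.1.12.2, 00:00:09, Vlan12
"""
GUEST_TABLE = """\
Routing Table: Guest
10.0.0.0/30 is subnetted, 5 subnets
O       10.2.46.0 [110/3] via 10.2.112.2, 00:37:33, Vlan112
C       10.2.51.0 is directly connected, Vlan51
11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback2
"""

HEADER = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/(\d+) is subnetted")
ROUTE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s")


def parse_routes(text):
    """Return {prefix: (code, outgoing interface)} from IOS route output.
    Subnetted entries take their mask from the preceding header line."""
    routes, mask = {}, 32  # no header seen yet: treat as a host route
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            mask = int(header.group(2))
            continue
        route = ROUTE.match(line)
        if route:
            code, addr, plen = route.groups()
            prefix = ip_network(f"{addr}/{plen or mask}")
            routes[prefix] = (code, line.rsplit(", ", 1)[-1].strip())
    return routes


def check_segregation(global_text, vrf_text):
    """A prefix or interface present in both tables means the VRF is leaking."""
    g, v = parse_routes(global_text), parse_routes(vrf_text)
    shared_prefixes = sorted(set(g) & set(v), key=str)
    shared_ifaces = sorted({i for _, i in g.values()} & {i for _, i in v.values()})
    return shared_prefixes, shared_ifaces
```

Both lists should be empty on every router; a non-empty result points at an interface that was left in the wrong table.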

Once we have applied these configurations we should have connectivity between SG5 and SG6.

SG5#ping 10.2.46.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.46.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/284/404 ms

SG6#ping 10.2.51.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.51.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/250/288 ms

Please post comments or questions.  Have fun!

One Response

  1. thanks for the post most useful
