VRFing 101, Understing VRF Basics - PacketU PDF

5/10/2015
VRFing101,UnderstingVRFBasicsPacketU
PacketU
What'sonyourwire[s]?
VRFing101,UnderstingVRFBasics
PostedonJuly12,2012byPaulStewart,CCIE26009(Security)
WhenmostengineersthinkaboutVRF,theythinkaboutMPLS.VRF,shortforVirtualRoutingandForwarding,is
oneofthefeaturesthatenabledesignerstocreateflexibleMPLSnetworkdesigns.Howeverwearegoinggoingto
completely forget about MPLS and look at what this does to a single IOS based router. This article is very
simplifiedVRF101.
ThefirstthingthatIwanttomentionisthepronunciation.Inplural,somepeoplesimplycalltheseveeareeffs.
Otherpronouncethemasverforverfs(rhymingwithsurf).Icatchmyselfbeingconsistentlyinconsistentand
pronouncing them both ways. Unless you are my eight grade grammar teacher, what VRFs do for us is more
importantthanhowwepronouncethem.SowhatisaVRF?Howdoesitchangethebehaviorofarouter?What
doesabasicconfigurationlooklike?Thesearethetypesofquestionsthatwewillanswerinthisarticle.
SomepeoplethinkofVRFsasawaytodovirtualizationanddescribeitasVMWareforyourrouter.Eachareasof
isolation is thought of as a VMWare guest instance. I like to think VRFs as similar to VLANS, but at layer 3.
VLANsareobviouslyalayertwotopic,buttheycreatesimilarisolation.TogofromoneVLANtoanother,thereis
aneedtogothroughadevicethathasaccesstobothVLANs.VRFscreatethesametypeofisolationatlayer3.
Howeverthewaythatwejumpbetweenareasofisolationisalittledifferent.
So what are we isolating? The answer to that question is key to understanding the effect of VRF instances in a
http://www.packetu.com/2012/07/12/vrfing101understingvrfbasics/
1/21
5/10/2015
router. Lets go back to some routing fundamentals. Routers cannot typically share an IP subnet on multiple
interfaces.Therearesometypesofserialconnectionsthatbreakthisrule,butthegeneralusecaseisthatanIP
subnetisaccessiblethroughnomorethanonelocallyconnectedinterface.Youcertainlycouldnothavethesame
IPaddressonmultipleinterfaces.
R1(configif)#intloop1
R1(configif)#ipaddress192.168.1.1255.255.255.0
//let'strytoputthesameaddressonloopback2
R1(configif)#ipaddress
%192.168.1.0overlapswithLoopback1
What if I had a multitenant environment and really needed to configure two interfaces with 192.168.1.1. It
wouldcertainlysucktohavetobyanotherrouter.ThisiswhereVRFscomeintoplay.
VRF,whenusedinsideasinglerouter,iscalledVRFLite.EachVRFinstanceisaseparateroutetable.Theroute
tablethatweallknowandloveisshownbydoingashowiproute.Thisiscalledtheglobalroutetableanddoes
notshowanyroutesthatarespecifictoaVRF.Inaminute,wellseeaseparatecommandthatwillshowusthe
routes inside a VRF instance. By creating multiple route tables, we overcome the restrictions of multiple
overlappingaddressspaces.Wealsoprovideisolationtoeachtenantorareaofthenetwork.
KeyConceptEachVRFinstanceisaseparateroutetable.
TheChallenge
2/21
5/10/2015
Theimagebelowcontainsthreerouters.Bothroutersneedtobeabletoreachtheirrespectivesubinterfaceand
loopbackonR1.R2andR3donotneedtoaccessoneanother.BothR2andR3mustuse192.168.1.1asa
defaultgateway.R2andR3mustbeinseparateVLANs.
IhopeIvewrittenthechallengeinawaythatVRFsaretheonlysolution.Basedontherequirements,Ibelievewe
needtwoVRFs.Weshouldbeabletoaccomplishthisbyimplementingthediagrambelow.
3/21
5/10/2015
VRFconfigurationisfairlystraightforward,soletsgoaheadandgetstarted.
//createthetwoVRFs
4/21
5/10/2015
R1(config)#ipvrfred
R1(config)#ipvrfblue
//createeachsubinterfaceandplacethemintotheappropriateVRF
//noticethatweconfiguretheIPaddressafterconfiguringtheVRF
//otherwisetherouterwillremovetheIPaddress
R1(configsubif)#intfa0/0.10
R1(configsubif)#encapsulationdot1Q10
R1(configsubif)#ipvrfforwardingred
R1(configsubif)#ipaddress192.168.1.1255.255.255.0
R1(configsubif)#intfa0/0.20
R1(configsubif)#encapsulationdot1Q20
R1(configsubif)#ipvrfforwardingblue
R1(configsubif)#ipaddress192.168.1.1255.255.255.0
//noticethattherouteracceptedthesameIPaddressonbothinterfaces
//thisisbecausetheyareinseparateVRFinstances
NowletstestourreachabilitytoR2andR3.
//noticewenowhavetoclueR1intothefactthatwewant
//touseaVRFasopposedtotheglobalroutingtable.
//pingR2
R1#pingvrfred192.168.1.2
Typeescapesequencetoabort.
Sending5,100byteICMPEchosto192.168.1.2,timeoutis2seconds:
!!!!!
5/21
5/10/2015
Successrateis100percent(5/5),roundtripmin/avg/max=1/2/4ms
//pingR3
R1#pingvrfblue192.168.1.2
!!!!!
R1#
Even though 192.168.1.1 is directly connected to Fa0/0.10 and Fa0/0.20, it does not show up with a show ip
route.Remember,showiprouteshowstheglobalroutingtable.
R1#showiproute
Codes:Cconnected,Sstatic,RRIP,Mmobile,BBGP
DEIGRP,EXEIGRPexternal,OOSPF,IAOSPFinterarea
N1OSPFNSSAexternaltype1,N2OSPFNSSAexternaltype2
E1OSPFexternaltype1,E2OSPFexternaltype2
iISIS,suISISsummary,L1ISISlevel1,L2ISISlevel2
iaISISinterarea,*candidatedefault,Uperuserstaticroute
oODR,Pperiodicdownloadedstaticroute
Gatewayoflastresortisnotset
R1#
ToseetheroutesassociatedwithaVRF,wehavetoaddthevrfvrfnameparameter.
6/21
5/10/2015
R1#showiproutevrfred
RoutingTable:red
C192.168.1.0/24isdirectlyconnected,FastEthernet0/0.10
R1#showiproutevrfblue
RoutingTable:blue
C192.168.1.0/24isdirectlyconnected,FastEthernet0/0.20
R1#
NowletsaddourloopbackinterfacesintotheappropriateVRFs.
7/21
5/10/2015
R1(config)#intloop10
R1(configif)$ipvrfforwardingred
R1(configif)$ipvrfforwardingblue
R1(configif)#exit
Finally,wecantestfromR2andR3.Inamultitenantenvironment,youmightnothaveaccesstothese.However
inthislabwedoandcanthereforusethemtoconfirmthefunctionality.
R2(shouldbeabletoreach10.10.10.10,butnot20.20.20.20)
R2(config)#doping10.10.10.10
!!!!!
U.U.U
Successrateis0percent(0/5)
R3(shouldnotbeabletoreach10.10.10.10,butshouldhaveaccessto20.20.20.20)
8/21
5/10/2015
U.U.U
Successrateis0percent(0/5)
!!!!!
R3(config)#
Whilesolvingourchallenge,thisarticlehasdemonstratedthesimplestformofVRFsonasinglerouter.VRFsare
afoundationalbuildingblockthathasgivennetworkdesignersgreatflexibilitywhendesigningMPLSnetworks.
Infuturearticles,wewillbuildonthisexampleanddemonstratemethodsforjumpingbetweenVRFsandutilizing
NATinamultitenantenvironment.
MigratingServers?
PlanDataorFullServerMigrationsWithOurNearZeroDowntimeGuide
Readersofthisarticlemayalsoenjoy:
1. VRFing102,ProvidingInternetAccessWithDynamicPAT
2. VRFing103,UsingNATVirtualInterfacesforGlobalReachability
3. TheOperationofProxyArp
4. MultipleProtocolsoverIPSec
9/21
5/10/2015
5. CombiningGREandIPSecwithaFrontSideVRF
pcktu.com/MbJpGb
COPY
SpreadtheWord:
Pocket
Twitter
Facebook
LinkedIn
Google
More
AboutPaulStewart,CCIE26009(Security)
PaulisaNetworkandSecurityEngineer,TrainerandBloggerwhoenjoysunderstandinghowthingsreallywork.Withover15
yearsofexperienceinthetechnologyindustry,Paulhashelpedmanyorganizationsbuild,maintainandsecuretheirnetworks
andsystems.
ViewallpostsbyPaulStewart,CCIE26009(Security)
ThisentrywaspostedinNetwork,Technologyandtaggedmpls,network,vrf.Bookmarkthepermalink.
34ResponsestoVRFing101,UnderstingVRFBasics
RogerStewartsays:
July12,2012at11:19AM
Thislooksinteresting.
Reply
Bashirsays:
July14,2012at3:25AM
10/21
5/10/2015
Greatpostfornewbie..
thanks
Reply
ElvinAriassays:
July15,2012at6:31PM
Thanksforthearticle.
Elvin
Reply
AbhishekSagarsays:
November4,2012at5:51AM
whatisthepurposeofloopbackinterfaces,andhowdoestheauthormakethisclaimR2(shouldbeabletoreach
10.10.10.10,butnot20.20.20.20)??plshelp,iamabeginner.
Reply
PaulStewartsays:
Theloopbackinterfaces,inthisexample,areusedasademonstration.ThesecouldrepresentIPnetworkssomewhere
elseonthenetwork.Thepointistogivesomepointstotestagainst.ThereasonthatR2canreachonenetworkand
notanotherisbecauseoftheisolationcreatedbythevrfinstances.Thisisnotonlyaclaim,butevidencedbythe
testingperformedinthearticle.Thanksforthequestion.
Reply
11/21
5/10/2015
Kuleazesays:
March6,2013at4:37PM
InthenextcomingweeksIhavetosetupaVRFinstanceinoneofournewlocationsinChicago,thishashelpedlayagood
foundationforwhatisactuallyoccuringIllbereadingyourotherblogsaboutVRFshortly.Thanksfortheinfo!!
Reply
Pingback:CiscoVRF/MPBGPRouteronaStickwithNAT|TheNetworkHobo
Santoshsays:
February24,2014at6:56AM
HI,
Iamconfused,whytheauthortalksaboutVLANhere.
sayR2andR3mustbeinseparateVLANs.whythisVLANisneededhere???
Reply
Sensiesays:
December25,2014at4:53PM
Hi
theVLANsisSeparatesthetrafficonlayer2ontheswitch,otherwisetherouterswillbeabletotalktoeachotheron
layer2basedandthisexamplewillnotworkcorrectly.
VRFisveryimportantandthisisjustthebasicbutitsExcellentDescription.
Reply
Rahulsays:
12/21
5/10/2015
March6,2014at7:59AM
verynicearticlethanks.
Reply
GowthamBalachandhiransays:
May16,2014at3:45AM
IfIcreateSubinterfaceinSerialshouldIchangetheencapsulationtypetoPPPfromHDLC.BecauseIwasnotabletoping
directlyconnectedInterfacebutIwasabletoseetheminroutingtable.Iusedvrfnamewhileenteringpingeverythingworks
exceptreachablility.Ievenseeremoteentriesinmyvrf.
Reply
PaulStewart,CCIE26009(Security)says:
May16,2014at4:08AM
ImnotsureIunderstandwhyyourconfigurationisntworking.Thetypicalplacetouseserialsubinterfacesiswhenframe
relayisused.However,thatissortofanunderlyingtechnologythatcouldimpacttheresultsbutnotchangetheconcepts
beingdemonstratedhere.
Reply
GowthamBalachandhiransays:
May16,2014at5:37AM
ThisishowmytopologywillapearonevrfperonesubinterfacetwocustomersareusingthesameCEwithonesubinterface
percustomervrf.ICustomersnetworkinmyvrfroutingtablebutforsomeunusualreasonIamnotabletopingthem
Reply
13/21
5/10/2015
May16,2014at1:36PM
Iwouldexpectyoushouldbeabletosendtraffictoanythinginthevrfyouseeintheroutingtable.Obviously,you
needtotellthepingcommandtousethevrf.IwonderifthetrafficisbeingblockedbyanACL(thatispossiblynot
underyourcontrol)?
Reply
vadanmehtasays:
June26,2014at3:07PM
HIpaul.
Thankyouverymuchforthisinformation.
Ihaveonebasicquestion:
DoesOneVRFpointstoonePublicIPaddress!!andMultiVRFcapabilitymeansOnePublicIPaddresssharedbymanyVRF
instances??
regds
Vadan
Reply
June26,2014at6:18PM
Ivenottriedthat,butIthinkIshould.MyinitialreactionisthatitprobablywouldntworkwithasingleIPaddress.
AnexampleofNATNVIisattheurlbelow.However,itisusingapoolpervrf.
14/21
5/10/2015
http://www.packetu.com/2012/07/26/vrfing103usingnatvirtualinterfacesforglobalreachability/
Reply
madim2013says:
August5,2014at6:09PM
HelloPaul,
FantascipostandiseeyournamealsoontheCiscocommunity.
Iwaswonderingifyoucouldassitmeestablishingthis.Ihavenorealhardwaretotestthisunfortunatley.
Hopethebelowisclear::)
(icannotpostadiagramsohopethisissufficent:)
HostA>||
|ALAYER2
ACcESSsW|trunkpassingVLANA+VLANBtoDISTSWTICH
HostB>||
theDISTSWitchwillhaveaVRFforVLANAonly
HostAshouldnotpingHostB
HostAshouldpingthedefaultgateway,Alayer3SVIplacedinaVRFofthelaye3swtich
HostAhasadedicatedvlanAintheaccessswtichandlayer3distswtichVlandatabase
15/21
5/10/2015
HostBshouldnotpingHostA
HostBshouldpingthedefaultgateway,Alayer3SVInotinanyVRFofthelaye3swtich
HostBhasadedicatedvlanBintheaccessswtichandlayer3distswtichVlandatabase
Basically,HostBispartofthecorporatenetworkandrequirestoaccessfarmorenetworkthenHostAneedtodo.(Thinkof
hostAbeinga3rdPartyorGuestLAN)
Iwaswonderingifthetrunkbetweenlayer2accessswtichandthedistpopsofthevlan.tagofVLANA(theVRFone)and
placeitintotheVRFA
whichispartoftheSVIforVLANA?
Manythanksinadvance
BestWishes
Markus
Reply
madim2013says:
Sorrytheabove(attemtped)diagramdidnotcomeoutthatwell,
Basically,hostAandhostBareattachedtothesamelayer2accessswitch
eachaccesportisconfiguredwiththebasicswtichportmode/accessvlanetc
manythanksagain
Bestwishes
16/21
5/10/2015
markus
Reply
Thevrfwouldbealayer3concept.Eachlayer3SVIcanexistinavrforglobally.EachSVIwouldalsobeassociated
withaVLAN.Thevlanswouldbehandlednormallyasperthetrunkconfiguration(nativeuntaggedandallother
tagged).Soyourscenario,properlyconfigured,cangiveisolationbetweenhostAandhostBeventhoughtheyare
connectedtotheaccessswitch.
Reply
NyanLinSoesays:
GreatPost.Thanksalot.
Reply
ClaytonMeyersays:
November24,2014at12:51PM
Thisisagreat,verysimpleexplanation.Thanks!
Reply
ShaneTaylorsays:
January28,2015at11:06AM
17/21
5/10/2015
Greatbasic101explanationPaul.Itrippedmyselfupwhenpingingtheloopbacks.IforgotthatR2/R3donotknowaboutthe
10or20subnetssoIeitherhadtojustaddastaticrouteonbothorrunaroutingprotocol.
Reply
SushimG.says:
March14,2015at10:47AM
HeyPaul,
Veryhelpful,niceandprecisepost
Itmadebasicunderstandveryclear.
Unlessbasicisclearmovingfurtheristrouble.
Youmadeitverywell,thanksagain.
BestRegards
Sushim
Reply
J.DavidFIGsays:
March23,2015at4:46PM
ExcellentintrotoVRFsandmoreimportantwhyweusethem!!
Reply
Pingback:VRFVirtualRoutingandForwarding|
SushantaMishrasays:
May15,2015at6:48AM
18/21
5/10/2015
ThisisindeedanexcellentposttounderstandVRF.Ihaveadoubt,whyMPLSissupportedinthelocalvrfonly?
Reply
khansays:
August24,2015at5:30AM
Greateplanation
Reply
Bernardsays:
September2,2015at2:59AM
HiPaul,
Greatexplanation
Ihaveasmallquestion,attheendyouarepingingfromR3>R1sloopback20.
howthepingisworking?(isthereanystaticrouteonR3for20.20.20.20vianexthop192.168.1.1?)
OrbecausetheyareinthesameVRFinstancetheyseeeachothers?
Regards,
Reply
September2,2015at2:10PM
ThatisagoodobservationtherewouldbeaneedforaroutonR3toreachtheLoopbackonR1.Thiscouldbestatic
ordynamic.Astaticroutewouldlooklike
19/21
5/10/2015
iproutex.x.x.xy.y.y.yvrf
Sorryfortheconfusion.
Reply
Devnarayansays:
October1,2015at7:08AM
HiPaul,
pleasehelp,Ihave2nosofCisco3560Xswitchwith2differentISPconnectedonit.Suggesthowtoconfigurevrfhereto
maketheautofailoverbetween2ISP.ThementionedswitchesareconnectedbelowtoCheckpoint.Boththeswitchesare
upgradedwithIPservicelicenseaswelltheswitchesareupdatedwithIOSc3560euniversalk9mz.1502.SE8.bin
Reply
Devnarayansays:
HiPaul,ifpossiblecanyoupleasehelpmeinthiscase
Reply
Imnotsureifyourscenariorequiresvrf.VRFswillcreatetwoareasofisolation.Itseemstomethatthere
needstobesomeplanningaroundIPaddressing(doyouhaveyourownaddressspaceandASN),NAT
(wheredoesthatterminate),Checkpointcapabilities(aretheyA/Sorclustered,dotheycommunicatestate,
canIGPsand/orBGPterminateontheFWorgothroughit),whatispositionedupstreamandwhathadthe
memorytotakeBGPtableifrequired?Thereisalotinthisquestion,butVRFwouldnttypicallybea
20/21
5/10/2015
requirement.
Kevynjrsays:
October3,2015at12:46PM
Morestuffvrfplease
Reply
Mycurrentchallengeislackoftime.IreallywishIhadtimetopostweeklyormore.Idliketodosomemorestuffon
FirePOWER,AMP,ISEandVRFs(andhowtheyworkwithNexusVDCsandASAcontexts).AsIfindtime,Illtryto
postsomemoreofwhatyouarerequesting.
Reply
PacketU
ProudlypoweredbyWordPress.
21/21

VRFing 101, Understing VRF Basics - PacketU PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

VRFing 101, Understing VRF Basics - PacketU PDF

Hochgeladen von

Copyright:

Verfügbare Formate

5/10/2015

Das könnte Ihnen auch gefallen