Howto Virtual Routing and Forwarding Lite (VRF-lite)


Introduction

VRF-lite is a feature that enables a service provider to support two or more VPNs whose IP addresses can overlap. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but a Layer 3 interface cannot belong to more than one VRF at any time.

VRF-lite allows the network administrator to create multiple routing instances on the same routing device within the enterprise. It is useful when you need to isolate traffic between two networks that share the same routing platform, or when multiple networks with overlapping addresses share the same physical network. Multiple instances of routing protocols can be used for different VRFs on the same device to exchange routes dynamically with a directly connected device.

Configuration Example

Diagram

Router-A is connected via Fast Ethernet to Router-B. Two VRFs (VRF-LITE-A and VRF-LITE-B) are configured to demonstrate L3 traffic isolation. I am using static routes for this example, but dynamic routing protocols can be used.

Router-A Configuration

!-- Define the VRFs
ip vrf VRF-LITE-A
 rd 100:1
!
ip vrf VRF-LITE-B
 rd 100:2
!
!-- Assign interfaces to VRF
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip vrf forwarding VRF-LITE-A
 ip address 25.25.25.2 255.255.255.0
!
interface FastEthernet0/0.52
 encapsulation dot1Q 52
 ip vrf forwarding VRF-LITE-B
 ip address 52.52.52.2 255.255.255.0
!
interface Loopback20
 ip vrf forwarding VRF-LITE-A
 ip address 20.20.20.20 255.255.255.255
!
interface Loopback22
 ip vrf forwarding VRF-LITE-B
 ip address 22.22.22.22 255.255.255.255
!
!-- Static routes to Router-B's loopbacks, one per VRF
ip route vrf VRF-LITE-A 50.50.50.50 255.255.255.255 25.25.25.5
ip route vrf VRF-LITE-B 55.55.55.55 255.255.255.255 52.52.52.5

Router-B Configuration

!-- Define the VRFs
ip vrf VRF-LITE-A
 rd 100:1
!
ip vrf VRF-LITE-B
 rd 100:2
!
!-- Assign interfaces to VRF
interface Loopback50
 ip vrf forwarding VRF-LITE-A
 ip address 50.50.50.50 255.255.255.255
!
interface Loopback55
 ip vrf forwarding VRF-LITE-B
 ip address 55.55.55.55 255.255.255.255
!
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip vrf forwarding VRF-LITE-A
 ip address 25.25.25.5 255.255.255.0
!
interface FastEthernet0/0.52
 encapsulation dot1Q 52
 ip vrf forwarding VRF-LITE-B
 ip address 52.52.52.5 255.255.255.0
!
!-- Static routes to Router-A's loopbacks, one per VRF
ip route vrf VRF-LITE-A 20.20.20.20 255.255.255.255 25.25.25.2
ip route vrf VRF-LITE-B 22.22.22.22 255.255.255.255 52.52.52.2

Verify Connectivity

RouterA#sh ip route vrf VRF-LITE-A  
Routing Table: VRF-LITE-A  
!-- output omitted----------
Gateway of last resort is not set  
     50.0.0.0/32 is subnetted, 1 subnets
S       50.50.50.50 [1/0] via 25.25.25.5  
     20.0.0.0/32 is subnetted, 1 subnets
C       20.20.20.20 is directly connected, Loopback20  
     25.0.0.0/24 is subnetted, 1 subnets
C       25.25.25.0 is directly connected, FastEthernet0/0.25  
RouterB#sh ip route vrf VRF-LITE-B  
Routing Table: VRF-LITE-B  
!--output omitted----------
Gateway of last resort is not set  
     55.0.0.0/32 is subnetted, 1 subnets
S       55.55.55.55 [1/0] via 52.52.52.5  
     52.0.0.0/24 is subnetted, 1 subnets
C       52.52.52.0 is directly connected, FastEthernet0/0.52  
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback22  
RouterA#ping 50.50.50.50  
Type escape sequence to abort.  
Sending 5, 100-byte ICMP Echos to 50.50.50.50, timeout is 2 seconds:  
.....
Success rate is 0 percent (0/5)  
RouterA#ping vrf VRF-LITE-A 50.50.50.50  
Type escape sequence to abort.  
Sending 5, 100-byte ICMP Echos to 50.50.50.50, timeout is 2 seconds:  
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/143/396 ms  
RouterB#ping 55.55.55.55  
Type escape sequence to abort.  
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:  
.....
Success rate is 0 percent (0/5)  
RouterA#ping vrf VRF-LITE-B 55.55.55.55  
Type escape sequence to abort.  
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:  
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/133/340 ms  
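
The pings above confirm isolation at run time; the same property can be checked offline against the configuration text. The Python script below is an added example, not part of the original how-to: it flags Layer 3 interfaces left in the global routing table and VRF static routes whose next hop is not on a connected subnet of the same VRF. Its sample input is constructed from Router-A's configuration with two deliberate mistakes (Loopback99 and the second route's next hop are hypothetical), and it assumes static routes appear after the interfaces, as they do on this page.

```python
import ipaddress
import re

# Constructed sample: part of Router-A's configuration from this page, plus a
# hypothetical Loopback99 with no VRF and a VRF-LITE-B route with a wrong next hop.
SAMPLE = """\
ip vrf VRF-LITE-A
ip vrf VRF-LITE-B
interface FastEthernet0/0.25
 ip vrf forwarding VRF-LITE-A
 ip address 25.25.25.2 255.255.255.0
interface FastEthernet0/0.52
 ip vrf forwarding VRF-LITE-B
 ip address 52.52.52.2 255.255.255.0
interface Loopback99
 ip address 99.99.99.99 255.255.255.255
ip route vrf VRF-LITE-A 50.50.50.50 255.255.255.255 25.25.25.5
ip route vrf VRF-LITE-B 55.55.55.55 255.255.255.255 25.25.25.5
"""

def audit(config):
    """Return a list of findings about VRF membership and VRF static routes."""
    defined, connected, findings = set(), {}, []
    iface = vrf = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip vrf (\S+)$", line):              # VRF definition
            defined.add(m.group(1))
        elif m := re.match(r"interface (\S+)$", line):         # new interface block
            iface, vrf = m.group(1), None
        elif m := re.match(r"ip vrf forwarding (\S+)$", line):
            vrf = m.group(1)
            if vrf not in defined:
                findings.append(f"{iface}: VRF {vrf} is not defined")
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            # An address seen before any 'ip vrf forwarding' counts as global.
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            connected.setdefault(vrf, []).append(net)
            if vrf is None:
                findings.append(f"{iface}: {net} is in the global table")
        elif m := re.match(r"ip route vrf (\S+) (\S+) (\S+) (\S+)$", line):
            name, dest, _, hop = m.groups()
            nets = connected.get(name, [])
            if not any(ipaddress.ip_address(hop) in n for n in nets):
                findings.append(f"route {dest} in {name}: next hop {hop} "
                                "is not on a connected subnet of that VRF")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```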

Download GNS3 configuration examples: RouterA, RouterB, VRF-Lite

Rename the VFR-Lite.txt to VRF-Lite.net

Good Luck!

Hassan El-Masri

Network Consultant Engineer
