Step by Step Into MPLS – VRF LITE

 

Although VRF (virtual routing and forwarding) is not actually part of MPLS, you can think of it as a helper that lets MPLS build the MPLS VPN infrastructure. Because I want this to be a very simple guide, I will cover only the VRF part here, without any MPLS, which is also known as VRF Lite.

Simple topology:

[Figure: vrf_lite_basic]

R1 Configuration

!
ip cef
no ip domain lookup
!
!
ip vrf VRF_GOLD
!
ip vrf VRF_SILVER
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 100
ip vrf forwarding VRF_SILVER
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 200
ip vrf forwarding VRF_GOLD
ip address 20.0.0.1 255.255.255.0
!

R2 Configuration

!
ip cef
no ip domain lookup
!
ip vrf VRF_GOLD
!
ip vrf VRF_SILVER
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 100
ip vrf forwarding VRF_SILVER
ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 200
ip vrf forwarding VRF_GOLD
ip address 20.0.0.2 255.255.255.0
!
!

 

As you can see above, I have done something very simple: two VRFs, GOLD and SILVER. I configured sub-interfaces on FastEthernet 0/0 and assigned each one to its own VRF with the ip vrf forwarding <VRF_NAME> command.

See what happens if I try to look at my routing table:

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set

What happened here?! Where are my connected interfaces?!

Well, this is the VRF. As you can see from the configuration above, every interface I configured is assigned to a VRF, and the VRF's job is to give each VRF on my router a totally separate virtual IP routing table. You can see the same result in R2's main routing table.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set

So, where are the routing tables I have created?!

R1

R1#sh ip route vrf VRF_GOLD
Routing Table: VRF_GOLD
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, FastEthernet0/0.2
R1#sh ip route vrf VRF_SILVER
Routing Table: VRF_SILVER
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0.1

 

R2

R2#sh ip vrf
  Name                             Default RD          Interfaces
  VRF_GOLD                         <not set>           Fa0/0.2
  VRF_SILVER                       <not set>           Fa0/0.1
R2#sh ip route vrf VRF_GOLD
Routing Table: VRF_GOLD
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, FastEthernet0/0.2

 

Now let's check simple connectivity:

R2#ping 20.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.2, timeout is 2 seconds:
.....

 

Now what is going on?! I am pinging my own interface!!!

Relax again: when working with VRFs, every command needs to reference the VRF, including ping, traceroute…

R2#ping vrf VRF_GOLD 20.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.2, timeout is 2 seconds:
!!!!!
R2#ping vrf VRF_GOLD 20.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
.!!!!
R2#ping vrf VRF_SILVER 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!

 

Now I would like to take it one step further and show you that the VRF is locally significant, meaning the router itself provides the virtual separation; there is no tagging, no added headers, nothing like MPLS.

R2(config)#ip vrf VRF_A
R2(config-vrf)#ip vrf VRF_B
R2(config-vrf)#int f0/0.1
R2(config-subif)#ip vrf f
R2(config-subif)#ip vrf forwarding VRF_A
% Interface FastEthernet0/0.1 IP address 10.0.0.2 removed due to enabling VRF VRF_A
R2(config-subif)#ip add 10.0.0.2 255.255.255.0
R2(config-subif)#int f0/0.2
R2(config-subif)#ip vrf forwarding VRF_B
% Interface FastEthernet0/0.2 IP address 20.0.0.2 removed due to enabling VRF VRF_B
R2(config-subif)#ip add 20.0.0.2 255.255.255.0
R2(config-subif)#^Z
R2#sh
*Mar  1 00:08:58.651: %SYS-5-CONFIG_I: Configured from console by console
R2#sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  up                    up  
FastEthernet0/0.1          10.0.0.2        YES manual up                    up  
FastEthernet0/0.2          20.0.0.2        YES manual up                    up  
R2#sh ip vrf
  Name                             Default RD          Interfaces
  VRF_A                            <not set>           Fa0/0.1
  VRF_B                            <not set>           Fa0/0.2
  VRF_GOLD                         <not set>
  VRF_SILVER                       <not set>

As you can see above, I have configured two new VRFs and assigned them to the interfaces, replacing the old VRF_GOLD and VRF_SILVER. Notice that I had to reconfigure the IP address, because assigning a VRF to an interface removes its IP address (I just assigned the same address to each interface again).

Now let's test:

R2#ping vrf VRF_A 10.0.0.1 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 200/200/200 ms

 

Success!!!

Now, if you have any doubts:

R1#debug ip packet detail
IP packet debugging is on (detailed)
R1#
*Mar  1 00:09:20.979: IP: tableid=1, s=10.0.0.2 (FastEthernet0/0.1), d=10.0.0.1 (FastEthernet0/0.1), routed via RIB
*Mar  1 00:09:20.979: IP: s=10.0.0.2 (FastEthernet0/0.1), d=10.0.0.1 (FastEthernet0/0.1), len 100, rcvd 3
*Mar  1 00:09:20.983:     ICMP type=8, code=0
*Mar  1 00:09:20.983: IP: tableid=1, s=10.0.0.1 (local), d=10.0.0.2 (FastEthernet0/0.1), routed via FIB
*Mar  1 00:09:20.983: IP: s=10.0.0.1 (local), d=10.0.0.2 (FastEthernet0/0.1), len 100, sending
*Mar  1 00:09:20.983:     ICMP type=0, code=0
R1#un all
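
An added example (not from the original post): a small Python audit over IOS-style configuration text that lists VRFs left without interfaces, as VRF_GOLD and VRF_SILVER are on R2 after the change above, and pairs the two routers' sub-interfaces by 802.1Q VLAN to show that the VRF names on each side need not match. The sample configs are constructed from the listings on this page, and parse, audit and link_pairs are hypothetical names.

```python
import re

# Constructed sample: R1's VRF-related lines as listed on the page.
R1_CFG = """\
ip vrf VRF_GOLD
ip vrf VRF_SILVER
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip vrf forwarding VRF_SILVER
 ip address 10.0.0.1 255.255.255.0
interface FastEthernet0/0.2
 encapsulation dot1Q 200
 ip vrf forwarding VRF_GOLD
 ip address 20.0.0.1 255.255.255.0
"""
# Constructed sample: R2 after the reassignment (same layout, new local VRF names).
R2_CFG = ("ip vrf VRF_A\nip vrf VRF_B\n" + R1_CFG.replace(".0.0.1 ", ".0.0.2 ")
          .replace("forwarding VRF_SILVER", "forwarding VRF_A")
          .replace("forwarding VRF_GOLD", "forwarding VRF_B"))

def parse(cfg):
    """Return (defined VRF names, {interface: {'vrf', 'vlan', 'ip'}})."""
    vrfs, ifaces, cur = set(), {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"ip vrf (\S+)$", line):        # global VRF definition
            vrfs.add(m.group(1))
            cur = None
        elif m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"vrf": None, "vlan": None, "ip": None})
        elif cur is not None:                            # line inside an interface block
            for key, pat in (("vlan", r"encapsulation dot1Q (\d+)"),
                             ("vrf", r"ip vrf forwarding (\S+)"),
                             ("ip", r"ip address (\S+) \S+")):
                if m := re.match(pat, line):
                    cur[key] = m.group(1)
    return vrfs, ifaces

def audit(cfg):
    """Flag unused VRFs, VRFs used but never defined, and addressed interfaces in the global table."""
    vrfs, ifaces = parse(cfg)
    used = {i["vrf"] for i in ifaces.values() if i["vrf"]}
    return {"unused_vrfs": sorted(vrfs - used),
            "undefined_vrfs": sorted(used - vrfs),
            "global_table": sorted(n for n, i in ifaces.items() if i["ip"] and not i["vrf"])}

def link_pairs(cfg_a, cfg_b):
    """Pair both ends of the trunk by 802.1Q VLAN ID and return each side's VRF name."""
    a, b = ({i["vlan"]: i["vrf"] for i in parse(c)[1].values() if i["vlan"]} for c in (cfg_a, cfg_b))
    return {v: (a[v], b[v]) for v in sorted(a.keys() & b.keys())}
```

On this link the traffic is kept apart by the sub-interface VLAN IDs, so a review of the separation should compare VLAN-to-VRF bindings on both routers rather than VRF names.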

 

Now I could have made it more confusing and switched the names, but why go there? Take the .net file for GNS below and play with it yourself:

autostart = False
[127.0.0.1:7200]
    workingdir = D:\DYN\Work
    udp = 10000
    [[3640]]
        image = D:\DYN\C3640-JK.BIN
        idlepc = 0x6060d328
        ghostios = True
        chassis = 3640
    [[ROUTER R1]]
        model = 3640
        console = 2000
        cnfg = R1.cfg
        slot0 = NM-1FE-TX
        f0/0 = R2 f0/0
        x = -221.0
        y = -91.0
    [[ROUTER R2]]
        model = 3640
        console = 2001
        cnfg = R2.cfg
        slot0 = NM-1FE-TX
        f0/0 = R1 f0/0
        x = 144.0
        y = -83.0
[GNS3-DATA]
    configs = .
    [[NOTE 1]]
        text = f0/0
        x = -6.99933176856
        y = 21.7687899898
        interface = R2 f0/0
    [[NOTE 2]]
        text = f0/0
        x = 72.9993317686
        y = 22.2312100102
        interface = R1 f0/0

 

This is the very basic VRF. If you understand it, you have taken the first step toward understanding MPLS VPNs.
