The Great Divide – Working with VRFs


This post is going to be a bit of a deep dive into everything VRF-Lite: we’ll go into making VRFs, providing central services, using IOS tools that are VRF aware, and we’ll play a bit with VNET trunks.

Topology

For this entry I’ll be using the following physical topology in VIRL.

[Figure: physical-topology]

There is nothing overly fancy here: I’m using 13 x IOSv routers connected to 4 x IOSvL2 switches, as well as 3 x Ubuntu servers that have an external internet connection through BB1 so I can easily install packages on my server nodes. You don’t really need this many nodes to follow along; I just like to use a common lab topology as much as possible.

The logical topology has R07 and R08 acting as the PE-extension routers, with the servers and the CE routers connected to them through the magic of VLANs.

[Figure: VRF-topology-001]

The Basics

So what is Virtual Routing and Forwarding? Quite simply, it is carving your router / switch / firewall into multiple control and forwarding planes. You can think of a VRF as a kind of Layer 3 VLAN that takes the concept a bit further.

VRF-Lite refers to a VRF deployment that doesn’t also use BGP & MPLS.

To help illustrate the concept, let’s enable OSPF everywhere in our topology; this will also make sure our VLANs etc. are set up correctly.

R01(config-if)#router ospf 1
R01(config-router)#network 0.0.0.0 0.0.0.0 area 0

R01(config-router)#do sh ip route ospf | be Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O 10.2.8.0/24 [110/3] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 10.7.8.0/24 [110/2] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 10.7.11.0/24 [110/2] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 10.7.100.0/24 [110/2] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 10.8.12.0/24 [110/3] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 10.8.200.0/24 [110/3] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
 172.16.0.0/32 is subnetted, 6 subnets
O 172.16.0.2 [110/4] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 172.16.0.7 [110/2] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 172.16.0.8 [110/3] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 172.16.0.11 [110/3] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 172.16.0.12 [110/4] via 10.1.7.7, 00:00:58, GigabitEthernet0/1
O 192.168.2.0/24 [110/4] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 192.168.11.0/24 [110/3] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
O 192.168.12.0/24 [110/4] via 10.1.7.7, 00:00:58, GigabitEthernet0/1

We can see that R01 learned all the routes in our topology. But what if we want to make sure that R01 only learns R02’s routes? Well… we could put R01 and R02 into a non-zero area and do some prefix filtering between the areas, but that wouldn’t be terribly scalable. As you can probably guess from the topic of the post, a VRF would be a better way of keeping the traffic isolated.

Other reasons to consider VRFs might be:

  • You’re providing guest internet and want additional isolation.
  • You have duplicate IP space between the sites which would cause problems if their routes enter the main routing table.
  • You have complex routing requirements that would be difficult otherwise, for example you want to have multiple default gateways on one box.
  • You want to have a Management interface with separate access.
  • Some other cool reason you thought of.

Creating a VRF

There are two ways to create VRFs in Cisco IOS: an old and boring way, and the new and hip way! Let’s look at the classic way first.

R07(config)#ip vrf RED
R07(config-vrf)#exit

And that is it! There are a ton of configuration options, but for VRF-Lite we only need to create the VRF. Creating a VRF doesn’t actually accomplish anything, though, until we assign it to some interfaces.

R07(config)#int g0/1.111
R07(config-subif)#ip vrf forwarding RED
% Interface GigabitEthernet0/1.111 IPv4 disabled and address(es) removed due to disabling VRF RED

When you assign a VRF to an interface it will remove the IP address, so beware!

R07(config-subif)#do sh run int g0/1.111
Building configuration...

Current configuration : 88 bytes
!
interface GigabitEthernet0/1.111
 encapsulation dot1Q 111
 ip vrf forwarding RED

I generally recommend the following order of operations:

  1. Do a show run interface <interface> for the interface to be added to the VRF.
  2. Copy the interface configuration.
  3. Go under the interface and assign the VRF.
  4. Paste the copied configuration, and your IP address is back.

If you did accidentally lose the IP address and you need it back, you can generally grab it from show startup-config.

You can see all the classic VRFs on the router by doing the following:
Note: Most modern IOS routers put the management / FastEthernet0/Gigabit0 interface into the Mgmt-intf VRF. VIRL puts the first interface of the device into the Mgmt-intf VRF.

R07#show ip vrf 
  Name        Default RD   Interfaces
  Mgmt-intf   <not set>    Gi0/0
  RED         <not set>    Gi0/1.111

The New Way

The other method is to use the vrf definition command instead of the ip vrf one. What is the difference? ip vrf doesn’t support IPv6, and the new way does. Let’s remake the RED VRF using the new method. We will stick with the new way for the rest of the blog entry.

R07(config)#no ip vrf RED
% IPv4 addresses from all interfaces in VRF RED have been removed
R07(config)#vrf definition RED
R07(config-vrf)#address-family ipv4

If we wanted to enable IPv6 then we would simply activate the IPv6 address-family as well.

R07(config)#vrf definition RED 
R07(config-vrf)#address-family ipv6

To apply the VRF we use the vrf forwarding command instead of the ip vrf forwarding command. Hooray for less typing!

R07(config)#int g0/1.111
R07(config-subif)#vrf forwarding RED
R07(config-subif)#interface GigabitEthernet0/1.111
R07(config-subif)# encapsulation dot1Q 111
R07(config-subif)# ip address 10.1.7.7 255.255.255.0

We can see the VRFs in the system with the show vrf command; the biggest difference is that you can see the address-families listed now.

R07(config)#do sh vrf
  Name        Default RD   Protocols   Interfaces
  Mgmt-intf   <not set>    ipv4,ipv6   Gi0/0
  RED         <not set>    ipv4,ipv6   Gi0/1.111

Next we’ll create the BLUE VRF on R07 and add G0/1.211 to it.

R07(config)#vrf definition BLUE
R07(config-vrf)#address-family ipv4
R07(config-vrf-af)#address-family ipv6

R07(config-vrf)#do sh run int g0/1.211
Building configuration...

Current configuration : 101 bytes
!
interface GigabitEthernet0/1.211
 encapsulation dot1Q 211
 ip address 10.7.11.7 255.255.255.0
end

R07(config-vrf)#int g0/1.211
R07(config-subif)#vrf forwarding BLUE
% Interface GigabitEthernet0/1.211 IPv4 disabled and address(es) removed due to disabling VRF BLUE
R07(config-subif)#!
R07(config-subif)#interface GigabitEthernet0/1.211
R07(config-subif)# encapsulation dot1Q 211
R07(config-subif)# ip address 10.7.11.7 255.255.255.0

R07(config-subif)#do sh vrf
  Name        Default RD   Protocols   Interfaces
  BLUE        <not set>    ipv4,ipv6   Gi0/1.211
  Mgmt-intf   <not set>    ipv4,ipv6   Gi0/0
  RED         <not set>    ipv4,ipv6   Gi0/1.111

VRF-Aware Tools

At this point we have one interface in the RED VRF and one in the BLUE VRF on R07 (we’re ignoring the VIRL mgmt interface). If we look at the output of show ip interface brief we can still see all the interfaces in the system.

R07(config-subif)#do sh ip int br | ex unass
Interface                 IP-Address      OK? Method Status   Protocol
GigabitEthernet0/0        10.255.7.25     YES NVRAM  up       up
GigabitEthernet0/1.100    10.7.100.7      YES manual up       up
GigabitEthernet0/1.111    10.1.7.7        YES manual up       up
GigabitEthernet0/1.211    10.7.11.7       YES manual up       up
GigabitEthernet0/2        10.7.8.7        YES manual up       up
Loopback0                 172.16.0.7      YES manual up       up

However, when we look at show ip route we can see that G0/1.111 and G0/1.211 are missing.

R07(config-subif)#do sh ip route connected | be Gateway
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.7.8.0/24 is directly connected, GigabitEthernet0/2
L 10.7.8.7/32 is directly connected, GigabitEthernet0/2
C 10.7.100.0/24 is directly connected, GigabitEthernet0/1.100
L 10.7.100.7/32 is directly connected, GigabitEthernet0/1.100
 172.16.0.0/32 is subnetted, 1 subnets
C 172.16.0.7 is directly connected, Loopback0

When we try to ping R01 it fails because 10.1.7.0/24 is no longer in the global routing table.

R07#debug ip packet
IP packet debugging is on
R07#
R07#ping 10.1.7.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.1, timeout is 2 seconds:

*May 8 19:33:26.936: IP: s=10.1.7.7 (local), d=10.1.7.1, len 100, unroutable.
*May 8 19:33:28.936: IP: s=10.1.7.7 (local), d=10.1.7.1, len 100, unroutable.
*May 8 19:33:30.937: IP: s=10.1.7.7 (local), d=10.1.7.1, len 100, unroutable.
*May 8 19:33:32.939: IP: s=10.1.7.7 (local), d=10.1.7.1, len 100, unroutable.
*May 8 19:33:34.939: IP: s=10.1.7.7 (local), d=10.1.7.1, len 100, unroutable.
Success rate is 0 percent (0/5)

Most IOS exec commands have some sort of VRF option that allows you to apply the show command to a particular VRF. For example, if we add the vrf keyword to show ip route we can see the G0/1.111 interface.

R07#show ip route vrf RED | be Gateway
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.7.0/24 is directly connected, GigabitEthernet0/1.111
L 10.1.7.7/32 is directly connected, GigabitEthernet0/1.111

The show ip route command also allows the vrf * keyword to view all routing tables on the device.

R07#show ip route vrf * | in (^C_|L_)|Routing
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
C 10.7.8.0/24 is directly connected, GigabitEthernet0/2
L 10.7.8.7/32 is directly connected, GigabitEthernet0/2
C 10.7.100.0/24 is directly connected, GigabitEthernet0/1.100
L 10.7.100.7/32 is directly connected, GigabitEthernet0/1.100
C 172.16.0.7 is directly connected, Loopback0
Routing Table: Mgmt-intf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
C 10.255.0.0/16 is directly connected, GigabitEthernet0/0
L 10.255.7.25/32 is directly connected, GigabitEthernet0/0
Routing Table: RED
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
C 10.1.7.0/24 is directly connected, GigabitEthernet0/1.111
L 10.1.7.7/32 is directly connected, GigabitEthernet0/1.111
Routing Table: BLUE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
C 10.7.11.0/24 is directly connected, GigabitEthernet0/1.211
L 10.7.11.7/32 is directly connected, GigabitEthernet0/1.211

We can also use show ip vrf interfaces to constrain the show ip int brief output to a VRF.

R07#show ip vrf interfaces 
Interface     IP-Address     VRF         Protocol
Gi0/1.211     10.7.11.7      BLUE        up
Gi0/0         10.255.7.25    Mgmt-intf   up
Gi0/1.111     10.1.7.7       RED         up

Ping and traceroute commands now need the vrf keyword to be successful; if you leave off the keyword then the global routing table is assumed.

R07#ping vrf RED 10.1.7.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 25/52/87 ms
R07#traceroute vrf RED 10.1.7.1
Type escape sequence to abort.
Tracing the route to 10.1.7.1
VRF info: (vrf in name/id, vrf out name/id)
 1 10.1.7.1 21 msec * 47 msec

Telnet has a /vrf switch to specify the proper routing table to use.

R07#telnet 10.1.7.7 /vrf RED
Trying 10.1.7.7 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************

User Access Verification

Username:

SSH uses the -vrf switch because the only consistency in IOS is its inconsistency.

R07#ssh -l admin -vrf RED 10.1.7.1

Password:

Routing-Contexts

Specifying vrf RED for every show command can quickly become annoying. Fortunately Cisco gives us the routing-context feature, which lets IOS take care of all that for you!

R07#routing-context vrf RED
R07%RED#ping 10.1.7.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/21/31 ms
R07%RED#
R07%RED#

R07%RED#show ip route | be Gate 
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.7.0/24 is directly connected, GigabitEthernet0/1.111
L 10.1.7.7/32 is directly connected, GigabitEthernet0/1.111

To get back to the global table you can use the routing-context vrf global command.
Note: This only applies to exec commands, you still need to add the vrf keyword in configurations.

VRF-Aware services

We know how to ping things inside a VRF, but what about features like SNMP traps, logging, or things like SCP copy commands?

For those types of commands we set the source-interface to an interface that is inside the proper VRF. Here is an example of copying a file with SCP.

R07(config)#ip ssh source-interface g0/1.111
R07(config)#
R07(config)#exit

R07#copy scp://admin@10.1.7.1/test.cfg flash:/test.cfg
Destination filename [test.cfg]?

Password: 
!
27 bytes copied in 3.882 secs (7 bytes/sec)

Routing Stuff with IGPs

VRFs are fun and all, but at a certain point we will need to do some sort of routing in order to get some communication happening.

Static Routes

Using static routes is just a simple matter of adding the vrf keyword.

R07(config)#ip route vrf RED 192.168.1.1 255.255.255.255 10.1.7.1
R01(config)#ip route 0.0.0.0 0.0.0.0 10.1.7.7
R07(config)#do ping vrf RED 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/30/56 ms

RIP

With RIP you specify the VRF in the address-family.
Note: Your version and no auto commands go under the address-family, not under the “root” of the configuration.

R07(config)#router rip
R07(config-router)#address-family ipv4 unicast vrf RED
R07(config-router-af)#ver 2
R07(config-router-af)#no auto
R07(config-router-af)#network 0.0.0.0

R01(config)#router rip
R01(config-router)#ver 2
R01(config-router)#no auto
R01(config-router)#network 0.0.0.0

We can see everything is working fine.

R07(config-router)#do sh ip route vrf RED | be Gateway
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.7.0/24 is directly connected, GigabitEthernet0/1.111
L 10.1.7.7/32 is directly connected, GigabitEthernet0/1.111
 172.16.0.0/32 is subnetted, 1 subnets
R 172.16.0.1 [120/1] via 10.1.7.1, 00:00:20, GigabitEthernet0/1.111
R 192.168.1.0/24 [120/1] via 10.1.7.1, 00:00:20, GigabitEthernet0/1.111

EIGRP

Same idea as RIP: you configure an address-family, the only difference being that you also need to specify the autonomous-system for the VRF. Remember, all configuration goes under the address-family. To show this I’ll make the main configuration use AS 1.

R07(config)#router eigrp 1
R07(config-router)#address-family ipv4 unicast vrf RED autonomous-system 17
R07(config-router-af)# network 0.0.0.0 0.0.0.0 

*May 8 20:24:12.282: %DUAL-5-NBRCHANGE: EIGRP-IPv4 17: Neighbor 10.1.7.1 (GigabitEthernet0/1.111) is up: new adjacency
R01(config)#router eigrp 17 
R01(config-router)#network 0.0.0.0

Named Mode EIGRP uses the same logic.

Just like most of the other commands we have seen today, the EIGRP show commands have a vrf keyword.

R07(config)#do show ip eigrp vrf RED nei
EIGRP-IPv4 Neighbors for AS(17) VRF(RED)
H   Address         Interface     Hold  Uptime    SRTT  RTO   Q    Seq
                                  (sec)           (ms)        Cnt  Num
0   10.1.7.1        Gi0/1.111     10    00:04:04  60    360   0    2
R07(config)#do show ip eigrp vrf RED interface
EIGRP-IPv4 Interfaces for AS(17) VRF(RED)
                    Xmit Queue    PeerQ         Mean   Pacing Time   Multicast    Pending
Interface   Peers   Un/Reliable   Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
Gi0/1.111   1       0/0           0/0           60     0/0           232          0

OSPF

OSPF doesn’t have an address-family concept, so instead we create a separate instance and add the vrf keyword to it.

Note: Once you create router ospf 11 vrf RED you only need to type router ospf 11 to get into the OSPF configuration in the future. If you miss the vrf keyword you need to delete the instance and start over; you can’t add it after the fact.

R07(config)#router ospf 11 vrf RED 
R07(config-router)#network 0.0.0.0 0.0.0.0 area 0

R01(config)#router ospf 1
R01(config-router)#network 0.0.0.0 0.0.0.0 area 0

The show commands for OSPF don’t filter by VRF, so you can use the regular commands; you can specify the instance number to show just what you’re interested in.

R07(config)#do show ip ospf 11 int br
Interface    PID   Area   IP Address/Mask   Cost  State  Nbrs F/C
Gi0/1.111    11    0      10.1.7.7/24       1     DR     0/0

IS-IS

IS-IS doesn’t require anything special, you simply enable the protocol on the VRF enabled interface and it works.

R07(config)#router isis
R07(config-router)#net 49.0007.0001.0007.00
R07(config-router)#log all
R07(config-router)#exit
R07(config)#
R07(config)#int g0/1.111
R07(config-subif)#ip router isis

R01(config)#router isis
R01(config-router)#net 49.0007.0001.0001.00
R01(config-router)#log all 
R01(config-router)#
R01(config-router)#int g0/1
R01(config-if)#ip router isis 
*May 8 21:50:45.688: %CLNS-5-ADJCHANGE: ISIS: Adjacency to 0007.0001.0007 (GigabitEthernet0/1) Up, new adjacency
*May 8 21:50:46.675: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R07 (GigabitEthernet0/1) Up, new adjacen 
R01(config-if)#int l0
R01(config-if)#ip router isis
R07(config)#do sh ip route vrf RED | b Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.7.0/24 is directly connected, GigabitEthernet0/1.111
L 10.1.7.7/32 is directly connected, GigabitEthernet0/1.111
 172.16.0.0/32 is subnetted, 1 subnets
i L1 172.16.0.1 [115/20] via 10.1.7.1, 00:01:48, GigabitEthernet0/1.111
R 192.168.1.0/24 [120/1] via 10.1.7.1, 00:00:03, GigabitEthernet0/1.111

VRF Leaking & Central Services

When working with VRFs it is sometimes necessary to provide services from the global routing table. Common uses include providing internet access to the VRFs or allowing access to server networks.

To play with this I’ll setup a new loopback on R08 using the address of everyone’s favourite DNS server and a simple default route back to R07.

R08(config)#interface Loopback8
R08(config-if)# ip address 8.8.8.8 255.255.255.255
R08(config-if)#ip route 0.0.0.0 0.0.0.0 10.7.8.7

To make a default route for the VRF we can add the global keyword, which tells IOS to use the global routing table for the next hop. In this design we will also need a global static route that points back to the VRF interface, so the return traffic can get back to R01.

R07(config)#ip route vrf RED 0.0.0.0 0.0.0.0 10.7.8.8 global
R07(config)# ip route 10.1.7.0 255.255.255.0 g0/1.111

Now our RED vrf can ping 8.8.8.8!

R01(config)#do ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 35/41/50 ms

A problem with the above solution is that static routes must point to a next hop, so we can’t use this solution to reach our 10.7.100.0/24 subnet. We can, however, use something called an import map to make the VRF aware of the global routing table.

This solution does require a BGP process but we don’t need to have any neighbors.

First things first, we will make a route-map to control which routes are to be imported; since I’m not picky I’ll permit everything.

R07(config)# route-map VRF-IMPORT permit 10

Then we make a BGP process and either do a redistribute connected or add some network statements for the global routes we want.

R07(config)#router bgp 65500
R07(config-router)# bgp log-neighbor-changes
R07(config-router)# redistribute connected

Next, in our VRF, we need to specify a route-distinguisher for BGP to use; an RD is just an identifier for the BGP routing table. Then we use the import ipv4 unicast map command to call the route-map we made.

R07(config-route-map)#vrf definition RED
R07(config-vrf)# rd 100:100
R07(config-vrf)# address-family ipv4
R07(config-vrf-af)# import ipv4 unicast map VRF-IMPORT

After waiting for a bit (tea break!) we’ll see the global routes show up in the VRF routing table as BGP routes.

R07(config)#do sh ip route vrf RED bgp | be Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B 10.7.8.0/24 is directly connected, 00:00:36, GigabitEthernet0/2
B 10.7.100.0/24 is directly connected, 00:00:36, GigabitEthernet0/1.100
 172.16.0.0/32 is subnetted, 2 subnets
B 172.16.0.7 is directly connected, 00:00:36, Loopback0

At this point we can set up routing between R01 and R07 and then redistribute the BGP routes into the VRF.

R07(config-vrf-af)#router ospf 11 vrf RED
R07(config-router)# redistribute bgp 65500 subnets
R07(config-router)# network 0.0.0.0 255.255.255.255 area 0

We still need a static route for the return traffic but after that we can ping one of our servers.

R07(config)#ip route 192.168.1.0 255.255.255.0 g0/1.111

R01(config)#do ping 10.7.100.101 so g0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.100.101, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/45/86 ms

Lastly, we can use NAT to provide access to global addresses.

We’ll enable NAT on all our R07 interfaces.

R07(config)#interface GigabitEthernet0/1.100
R07(config-subif)# ip nat enable
R07(config-subif)#interface GigabitEthernet0/1.111
R07(config-subif)# ip nat enable
R07(config-subif)#interface GigabitEthernet0/1.211
R07(config-subif)#interface GigabitEthernet0/2
R07(config-if)# ip nat enable

Then we’ll make some ACLs for the NAT traffic.

R07(config)#ip access-list ext NAT-INET 
R07(config-ext-nacl)#deny ip any 10.0.0.0 0.255.255.255
R07(config-ext-nacl)#deny ip any 172.16.0.0 0.15.255.255
R07(config-ext-nacl)#deny ip any 192.168.0.0 0.0.255.255
R07(config-ext-nacl)#permit ip any any
R07(config-ext-nacl)#exit

R07(config)#ip access-list ext NAT-SERVER 
R07(config-ext-nacl)#permit ip any 10.7.100.0 0.0.0.255

Then we’ll finish up NAT by making some pools and applying them to our RED VRF (man, I’m really snubbing BLUE, eh?).

R07(config)#ip nat pool NAT-INET-POOL 10.7.8.100 10.7.8.200 prefix-length 24
R07(config)#ip nat pool NAT-SERVER-POOL 10.7.100.200 10.7.100.230 prefix-length 24
R07(config)#ip nat source list NAT-INET pool NAT-INET-POOL vrf RED overload
R07(config)#ip nat source list NAT-SERVER pool NAT-SERVER-POOL vrf RED overload

Finally we need a default route for the VRF.

R07(config)#ip route vrf RED 0.0.0.0 0.0.0.0 10.7.8.8 global
R01(config)#do ping 10.7.100.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.100.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 71/91/122 ms
R01(config)#do ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 49/52/57 ms


Easy Virtual Networks

EVN is a Cisco method of making VRF-Lite networks somewhat more scalable. It does this by removing some of the administrative burden of connecting VRFs between routers.

[Figure: VRF-topology-central-001]

Setting up an EVN is pretty simple; easy is in the name after all, and it is not an ironic name like EasyVPN. All we need to do for now is add the vnet tag command under the VRF; the tag should match between routers.

R07(config)#vrf definition RED
R07(config-vrf)#vnet tag 10
R07(config-vrf)#address-family ipv4
R07(config-vrf-af)#vrf definition BLUE
R07(config-vrf)#vnet tag 20 
R07(config-vrf)#address-family ipv4
R08(config)#vrf definition RED
R08(config-vrf)#vnet tag 10
R08(config-vrf)#address-family ipv4
R08(config-vrf-af)#vrf definition BLUE
R08(config-vrf)#vnet tag 20 
R08(config-vrf)#address-family ipv4

Then we simply add the vnet trunk command to the link between R07 and R08. That is it at a basic level!

R07(config)#int g0/2
R07(config-if)#vnet trunk

R08(config)#int g0/2
R08(config-if)#vnet trunk

So what did that do?

R07(config-if)#do sh ip int br | in 0/2
GigabitEthernet0/2        10.7.8.7        YES manual up       up
GigabitEthernet0/2.10     10.7.8.7        YES manual up       up
GigabitEthernet0/2.20     10.7.8.7        YES manual up       up

The feature automatically created a subinterface for each VRF, using the VNET tag value as the 802.1Q tag.

Note: Because this is a subinterface you will need to create the vlans in your switches if the link between R07 and R08 isn’t directly connected.

R07#show derived-config int g0/2.10
Building configuration...

Derived configuration : 173 bytes
!
interface GigabitEthernet0/2.10
 description Subinterface for VNET RED
 encapsulation dot1Q 10
 vrf forwarding RED
 ip address 10.7.8.7 255.255.255.0
 ip ospf cost 1
end

R07#show derived-config int g0/2.20
Building configuration...

Derived configuration : 175 bytes
!
interface GigabitEthernet0/2.20
 description Subinterface for VNET BLUE
 encapsulation dot1Q 20
 vrf forwarding BLUE
 ip address 10.7.8.7 255.255.255.0
 ip ospf cost 1
end

At this point the VRFs should have reachability between their sites. Let’s enable EIGRP everywhere to test this out.

R07(config)#router eigrp 1
R07(config-router)# !
R07(config-router)# address-family ipv4 vrf RED autonomous-system 12
R07(config-router-af)# network 0.0.0.0
R07(config-router-af)# exit-address-family
R07(config-router)# !
R07(config-router)# address-family ipv4 vrf BLUE autonomous-system 1122
R07(config-router-af)# network 0.0.0.0

R08(config)#router eigrp 1
R08(config-router)# !
R08(config-router)# address-family ipv4 vrf RED autonomous-system 12
R08(config-router-af)# network 0.0.0.0
R08(config-router-af)# exit-address-family
R08(config-router)# !
R08(config-router)# address-family ipv4 vrf BLUE autonomous-system 1122
R08(config-router-af)# network 0.0.0.0

We can see that R01 knows about R02’s routes.

R01(config)#do sh ip route eigrp | be Gate
Gateway of last resort is 10.1.7.7 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.2.8.0/24 [90/3328] via 10.1.7.7, 00:01:10, GigabitEthernet0/1
D 10.7.8.0/24 [90/3072] via 10.1.7.7, 00:08:31, GigabitEthernet0/1
 172.16.0.0/32 is subnetted, 2 subnets
D 172.16.0.2 [90/131328] via 10.1.7.7, 00:01:08, GigabitEthernet0/1
D 192.168.2.0/24 [90/3584] via 10.1.7.7, 00:01:08, GigabitEthernet0/1

R11 also knows about R12 routes.

R11(config)#do sh ip route eigrp | be Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.7.8.0/24 [90/3072] via 10.7.11.7, 00:10:01, GigabitEthernet0/1
D 10.8.12.0/24 [90/3328] via 10.7.11.7, 00:03:54, GigabitEthernet0/1
 172.16.0.0/32 is subnetted, 2 subnets
D 172.16.0.12 [90/131328] via 10.7.11.7, 00:03:51, GigabitEthernet0/1
D 192.168.12.0/24 [90/3584] via 10.7.11.7, 00:03:51, GigabitEthernet0/1

You may be asking yourself: if EVN just creates a subinterface and puts it into the proper VRF for me, can’t I just do that on my own? Yup! I did say it removed some of the burden, not all of it.

It does have one final feature to help with VRF services, and that is route-replication. Let’s try to give our RED and BLUE VRFs access to the ORANGE and PURPLE VRFs.

We configure route-replication under the VRF address-family. It is possible to be very selective about what you want to replicate, but we’ll use the all keyword to grab everything the routing table knows about. The RED and BLUE VRFs will replicate the PURPLE routes and vice versa.

R07(config-vrf)#vrf definition RED
R07(config-vrf)# address-family ipv4
R07(config-vrf-af)# route-replicate from vrf PURPLE unicast all


R07(config)#vrf definition BLUE
R07(config-vrf)# address-family ipv4
R07(config-vrf-af)# route-replicate from vrf PURPLE unicast all

R07(config-vrf)#vrf definition PURPLE
R07(config-vrf)# address-family ipv4
R07(config-vrf-af)# route-replicate from vrf RED unicast all
R07(config-vrf-af)# route-replicate from vrf BLUE unicast all

If we look at the PURPLE routing table we can see the routes from the other VRFs; notice the + in front of the route to show it is replicated.

R07(config-vrf)#do sh ip route vrf PURPLE | be Gateway
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
C + 10.1.7.0/24 is directly connected, GigabitEthernet0/1.111
L 10.1.7.7/32 is directly connected, GigabitEthernet0/1.111
D + 10.2.8.0/24 
 [90/3072] via 10.7.8.8 (RED), 00:24:56, GigabitEthernet0/2.10
C + 10.7.8.0/24 is directly connected, GigabitEthernet0/2.20
L 10.7.8.7/32 is directly connected, GigabitEthernet0/2.20
C + 10.7.11.0/24 is directly connected, GigabitEthernet0/1.211
L 10.7.11.7/32 is directly connected, GigabitEthernet0/1.211
C 10.7.100.0/24 is directly connected, GigabitEthernet0/1.100
L 10.7.100.7/32 is directly connected, GigabitEthernet0/1.100
D + 10.8.12.0/24 
 [90/3072] via 10.7.8.8 (BLUE), 00:24:42, GigabitEthernet0/2.20
 172.16.0.0/32 is subnetted, 4 subnets
D + 172.16.0.1 
 [90/130816] via 10.1.7.1 (RED), 00:31:36, GigabitEthernet0/1.111
D + 172.16.0.2 
 [90/131072] via 10.7.8.8 (RED), 00:24:54, GigabitEthernet0/2.10
D + 172.16.0.11 
 [90/130816] via 10.7.11.11 (BLUE), 00:31:02, GigabitEthernet0/1.211
D + 172.16.0.12 
 [90/131072] via 10.7.8.8 (BLUE), 00:24:40, GigabitEthernet0/2.20
D + 192.168.1.0/24 
 [90/3072] via 10.1.7.1 (RED), 00:31:36, GigabitEthernet0/1.111
D + 192.168.2.0/24 
 [90/3328] via 10.7.8.8 (RED), 00:24:54, GigabitEthernet0/2.10
D + 192.168.11.0/24 
 [90/3072] via 10.7.11.11 (BLUE), 00:31:02, GigabitEthernet0/1.211
D + 192.168.12.0/24 
 [90/3328] via 10.7.8.8 (BLUE), 00:24:40, GigabitEthernet0/2.20
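
The + flags and the (VRF) next-hop tags above are what IOS gives you to spot routes that crossed a VRF boundary, but routes pulled in through an import map (as in the central-services section) carry no such marker. The following Python script is an added example, not code from the original post: it parses show ip route vrf * output in the layout shown above, combines it with interface ownership as listed by show ip vrf interfaces, and reports every route that reaches into a table the design does not allow. The sample output, the OWNER map and the ALLOWED policy are constructed to match this lab.

```python
"""Audit VRF isolation from 'show ip route vrf *' output (added example).

Assumes the layout the post shows: the global table comes first, each VRF
section starts with a 'Routing Table: NAME' header, a '+' after the route code
marks a replicated route, and '(VRF)' after a next hop names the next hop's VRF.
"""
import re
from collections import defaultdict

TABLE_RE = re.compile(r"^Routing Table:\s+(?P<name>\S+)")
# Route code(s) such as C, L, O, D EX, i L1, S*; then an optional '+'; then the prefix.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2}\*?(?: [A-Z][A-Z0-9]?)?)\s+(?P<repl>\+\s+)?"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\b")
VIA_RE = re.compile(r"via (?P<nh>\d+\.\d+\.\d+\.\d+)(?: \((?P<vrf>[\w-]+)\))?")
IFACE_RE = re.compile(r",\s+(?P<ifc>[A-Za-z]+[\d/.]+)\s*$")


def short_name(ifc):
    """GigabitEthernet0/1.111 -> Gi0/1.111, the form 'show ip vrf interfaces' uses."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", ifc)


def _details(route, text):
    """Pull next hop, '(VRF)' tag and egress interface out of a route line."""
    m = VIA_RE.search(text)
    if m:
        route["next_hop"], route["nh_vrf"] = m.group("nh"), m.group("vrf")
    m = IFACE_RE.search(text)
    if m:
        route["interface"] = short_name(m.group("ifc"))


def parse_routes(text):
    """Return {table_name: [route dicts]}; the global table is named 'global'."""
    tables, vrf, current = defaultdict(list), "global", None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            vrf, current = m.group("name"), None
            continue
        m = ROUTE_RE.match(line)
        if m:
            current = {"code": m.group("code"), "prefix": m.group("prefix"),
                       "replicated": m.group("repl") is not None,
                       "next_hop": None, "nh_vrf": None, "interface": None}
            tables[vrf].append(current)
            _details(current, line[m.end():])
        elif current is not None and line.lstrip().startswith("["):
            _details(current, line)  # wrapped '[AD/metric] via ...' line
    return dict(tables)


def reaches(route, owner):
    """Table the route's next hop lives in: the '(VRF)' tag when IOS printed one,
    else the owner of the egress interface (interfaces not listed are global)."""
    if route["nh_vrf"]:
        return route["nh_vrf"]
    if route["interface"]:
        return owner.get(route["interface"], "global")
    return None  # no egress interface shown; cannot tell from this command alone


def isolation_violations(tables, owner, allowed):
    """(table, prefix, target) for each route that crosses into a table that
    allowed[table] does not permit. Also catches leaks IOS does not mark with
    '+', such as routes pulled in through an import map."""
    bad = []
    for vrf, routes in tables.items():
        for r in routes:
            target = reaches(r, owner)
            if target and target != vrf and target not in allowed.get(vrf, set()):
                bad.append((vrf, r["prefix"], target))
    return bad


# Constructed sample modelled on the post's R07 outputs: RED holds import-map
# routes, PURPLE replicates RED and BLUE, and BLUE carries one replicated RED
# route it was never meant to have.
SAMPLE = """\
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.7.8.0/24 is directly connected, GigabitEthernet0/2
C        10.7.100.0/24 is directly connected, GigabitEthernet0/1.100
Routing Table: RED
C        10.1.7.0/24 is directly connected, GigabitEthernet0/1.111
B        10.7.100.0/24 is directly connected, 00:00:36, GigabitEthernet0/1.100
Routing Table: BLUE
C        10.7.11.0/24 is directly connected, GigabitEthernet0/1.211
D  +     192.168.1.0/24
           [90/3072] via 10.1.7.1 (RED), 00:31:36, GigabitEthernet0/1.111
Routing Table: PURPLE
C  +     10.7.11.0/24 is directly connected, GigabitEthernet0/1.211
D  +     10.2.8.0/24
           [90/3072] via 10.7.8.8 (RED), 00:24:56, GigabitEthernet0/2.10
"""
# Interface owners as 'show ip vrf interfaces' would list them (constructed).
OWNER = {"Gi0/1.111": "RED", "Gi0/2.10": "RED", "Gi0/1.211": "BLUE", "Gi0/2.20": "BLUE"}
# Intended design: RED may reach global for central services, PURPLE is the
# shared-services VRF allowed to replicate RED and BLUE, BLUE stays isolated.
ALLOWED = {"RED": {"global"}, "PURPLE": {"RED", "BLUE"}}

if __name__ == "__main__":
    for vrf, prefix, target in isolation_violations(parse_routes(SAMPLE), OWNER, ALLOWED):
        print("leak: table %s has %s reaching %s" % (vrf, prefix, target))
```

Run against the real outputs of both show commands, the same check fits in a scheduled config-audit job; a route that shows up outside its intended table is the first sign that an import map, a global static route or an extra route-replicate line has widened the isolation boundary.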

The final piece of the puzzle is letting the CE routers know about the routes with some redistribution. The only new part of this is the vrf keyword in the redistribute statement.

R07(config)#router eigrp 1
R07(config-router)#address-family ipv4 uni vrf RED auto 12
R07(config-router-af)#redistribute vrf PURPLE eigrp 100
R07(config-router-af)#address-family ipv4 uni vrf BLUE auto 1122
R07(config-router-af)#redistribute vrf PURPLE eigrp 100

We can see that R11 has learned the PURPLE server network and can ping it. I’ll skip doing the ORANGE side since it is the same steps and I’m tired now.

R11(config)#do sh ip route eigrp | be Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D 10.7.8.0/24 [90/3072] via 10.7.11.7, 00:40:01, GigabitEthernet0/1
D EX 10.7.100.0/24 [170/3072] via 10.7.11.7, 00:01:35, GigabitEthernet0/1
D 10.8.12.0/24 [90/3328] via 10.7.11.7, 00:33:54, GigabitEthernet0/1
 172.16.0.0/32 is subnetted, 2 subnets
D 172.16.0.12 [90/131328] via 10.7.11.7, 00:33:51, GigabitEthernet0/1
D 192.168.12.0/24 [90/3584] via 10.7.11.7, 00:33:51, GigabitEthernet0/1
R11(config)#do ping 10.7.100.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.100.101, timeout is 2 seconds:
!!!!!
