VRF v/s VRFLite

Arjun Dabol
Level 1

Hi,

What is the difference between VRF and VRF-Lite? Any examples where these can be used?

Jon Marshall
Hall of Fame

VRF-Lite is a cut-down version of the full VRF implementation.

So you would usually, although not always, see VRFs in use with MPLS. Don't know how familiar you are with MPLS but in effect the VRF information can be shared amongst multiple routers (PEs) across a network containing multiple P routers.

The key thing to understand is that the P routers know nothing about the VRFs and don't need to.

Only the PE routers need that information.

VRF-Lite, on the other hand, is a hop-by-hop solution. That means each and every L3 device from one end to the other needs to be configured with VRF-Lite.

Using the above MPLS example it would mean configuring not just the PE but also the P routers with the VRF information.

VRF-Lite is typically used within a LAN environment where you want separation between networks on the same device(s).

So you could run MPLS across your WAN and then use VRF-Lite within your LANs to keep the traffic separate all the way from end to end.

Jon

Hi Jon,

In addition to your awesome explanation, I would like to add that technically, there is no difference between a VRF and a VRF-lite. The difference lies in how you use it. The naming is unfortunate: while VRF is a technology, VRF-lite is a particular way of using that technology, with the other "style" of using it (using, say, MPLS) having no special name on its own.

A VRF is a standalone routing table with its own set of interfaces that are associated with it, its own CEF instance and its own rules about populating and sharing its contents. Only interfaces associated with a particular VRF can communicate with each other (provided that by normal routing rules, a packet entering one of this set of interfaces has its destination reachable via another interface in this set, and this destination is properly recorded in the VRF). Interfaces in different VRFs in general cannot talk to each other. There are some specific exceptions but let's keep things simple for now. I like to tell my students that VRFs are to routers what VLANs are to switches. They both allow you to create multiple virtual devices on top of the physical device. With VLANs, you virtualize a single switch into multiple virtual switches. With VRFs, you virtualize a single router into multiple virtual routers.

If you use a VRF exactly like this, however, then you have VRF-lite. In a way similar to switches and VLANs, you group a set of interfaces into a VRF and thereby limit their mutual visibility just to them alone, isolating them from all other interfaces on the router.

On switches, VLANs would have only limited usability if there was no concept of trunks and trunking. Similarly, on routers, VRFs in the "VRF-lite way of usage" would be hardly usable if there was no concept of using multiple VRFs at once on a single router, allowing all VRFs to send packets out the same "trunk" interfaces out a router and receive packets back while still being able to tell the packets apart and know which packet goes into which VRF. This would constitute the full VRF implementation as opposed to just VRF-lite where you can still use multiple VRFs but to distinguish outgoing and incoming packets, you use a totally separate set of interfaces or subinterfaces.

Interestingly enough, as opposed to switches where trunking is mandated by a standard, there is no such simple thing with VRFs. Traditionally, MPLS has been used as the technology that allows carrying packets from multiple VRFs over a single interface of a router, using different label values for different networks in different VRFs and thereby keeping them distinguishable. Recently, the LISP protocol has started leveraging the instance ID field in its headers, allowing a unique instance ID to be assigned to a VRF, thereby again making it possible to distinguish between packets belonging to different VRFs. So when VRFs are tied together with MPLS, LISP or any other technology that allows packets to be uniquely marked and distinguished as belonging to a particular VRF, we have the full VRF implementation.

So to wrap it up, both VRF and VRF-lite are built on the same premise: have a separate routing table or tables (i.e. VRFs) created on your router and unique interfaces associated with them. If you remain here, you have VRF-lite. If you couple VRFs with a technology such as MPLS or LISP to communicate with other routers having similar VRFs while allowing all traffic to be carried via a single interface and still being able to tell the packets apart, you have a full VRF.

Lots of simplifications here but perhaps it helps.

Best regards,
Peter

Just to add a tiny bit to what Jon and Peter have already posted, VRF-Lite can often use VLANs, and their trunks, to manage different VRF instances between devices. So, with VRF-Lite, not only do VLANs provide L2 domain instances, but they can also provide L3 topology instances.

One reason VRF-Lite is Lite is because the platforms that support it are often resource constrained and/or don't support MPLS. Basically, VRF-Lite brings the most important feature of VRF to smaller platforms.

You'll find full VRF support on a 6500, which can also use MPLS, but on a 3750-X, you'll find VRF-Lite, which doesn't support MPLS. Within an Enterprise, you might use either if you have a need for isolated L3 topologies on the same platform. Which you use would depend on the capabilities of your equipment.
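The following is an added example, not code from any poster in this thread: a small Python model of the VRF-lite behaviour described above, where the ingress (sub)interface selects the VRF and the lookup stays inside that VRF's table. The port names, VLAN IDs, VRF names and prefixes are constructed, and MPLS/LISP tagging is deliberately left out.

```python
import ipaddress

class VrfLiteRouter:
    """Toy forwarding model; all names and addresses are constructed."""

    def __init__(self):
        self.vrf_of = {}   # (port, vlan) -> VRF name: the VRF-lite demux key
        self.tables = {}   # VRF name -> [(network, egress subinterface)]

    def bind(self, port, vlan, vrf, connected):
        """Put a (sub)interface in one VRF and install its connected route."""
        key = (port, vlan)
        if self.vrf_of.get(key, vrf) != vrf:
            raise ValueError(f"{key} already belongs to {self.vrf_of[key]}")
        self.vrf_of[key] = vrf
        net = ipaddress.ip_network(connected)
        self.tables.setdefault(vrf, []).append((net, key))

    def forward(self, in_port, in_vlan, dst):
        """Return (vrf, egress); egress is None when the packet is dropped."""
        vrf = self.vrf_of.get((in_port, in_vlan))
        if vrf is None:
            return None, None              # tag not bound to any VRF
        addr = ipaddress.ip_address(dst)
        hits = [(n, e) for n, e in self.tables[vrf] if addr in n]
        if not hits:
            return vrf, None               # no route inside this VRF
        # Longest-prefix match among the routes of this VRF only.
        return vrf, max(hits, key=lambda h: h[0].prefixlen)[1]


def build_demo():
    r = VrfLiteRouter()
    # One physical trunk, one 802.1Q subinterface per VRF.
    r.bind("Gi0/1", 10, "RED", "10.255.10.0/30")
    r.bind("Gi0/1", 20, "BLUE", "10.255.20.0/30")
    # Both tenants reuse 10.1.0.0/24 behind different untagged ports.
    r.bind("Gi0/2", None, "RED", "10.1.0.0/24")
    r.bind("Gi0/3", None, "BLUE", "10.1.0.0/24")
    r.bind("Gi0/4", None, "BLUE", "192.168.50.0/24")
    return r


if __name__ == "__main__":
    r = build_demo()
    print(r.forward("Gi0/1", 10, "10.1.0.5"))      # RED lookup
    print(r.forward("Gi0/1", 20, "10.1.0.5"))      # same address, BLUE lookup
    print(r.forward("Gi0/1", 10, "192.168.50.9"))  # BLUE-only prefix from RED
    print(r.forward("Gi0/1", 30, "10.1.0.5"))      # VLAN with no VRF binding
```

In this model the subinterface-to-VRF binding is the only thing separating the two tenants, so a binding placed in the wrong VRF is the misconfiguration to look for when reviewing such a setup.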

 

Thanks a lot for taking some time to reply in depth here! Very helpful! TGIF!
