Today, I will be discussing about VRF-Lite and will also be discussing one of the designs using BGP which have been seen in real world deployments which is the Inter-VRF Routing. Lets first start by understanding what is VRF.
VRF: Virtual Router Forwarding, an IOS feature in which multiple forwarding tables are used, with the choice of which table to use is based upon additional data outside of a packet's IP header, such as the L3 input interface or an MPLS tag.
VRF-Lite: An implementation of VRF on CE devices in which forwarding table selection is done based upon the L3 input interface. In other words, VRF deployment without MPLS is known as VRF-Lite.
Inter-VRF Routing is an implementation of VRF-Lite in which route filtering is happening between different VRF's within a single box. This kind of design is generally seen with a hub-spoke kind of topology. I will now be demonstrating an example of Inter-VRF Routing in which you are making the traffic come from one interface and leave through a different interface and the filtering is all done using vrf-lite.
Consider the below topology:
In the above topology, Traffic is leaving the router from vrf A and the return packet is entering the router through vrf C. Lets now take a look at the configuration of both the routers to better understand this topology:
Config on R1:
============
vrf definition A
rd 1:1
route-target export 2:2
!
address-family ipv4
exit-address-family
!
vrf definition B
rd 2:2
route-target export 3:3
route-target import 2:2
!
address-family ipv4
exit-address-family
!
vrf definition C
rd 3:3
route-target import 3:3
!
address-family ipv4
exit-address-family
!
interface Loopback1
vrf forwarding B
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0.1
encapsulation dot1Q 11
vrf forwarding A
ip address 12.12.12.1 255.255.255.252
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 22
vrf forwarding C
ip address 13.13.13.2 255.255.255.252
ip access-group test in
!
router bgp 100
bgp router-id 2.2.2.2
bgp log-neighbor-changes
no bgp default ipv4-unicast
!
address-family ipv4 vrf A
redistribute connected
neighbor 12.12.12.2 remote-as 200
neighbor 12.12.12.2 activate
exit-address-family
!
address-family ipv4 vrf B
network 1.1.1.1 mask 255.255.255.255
redistribute connected
exit-address-family
!
address-family ipv4 vrf C
neighbor 13.13.13.1 remote-as 300
neighbor 13.13.13.1 local-as 400
neighbor 13.13.13.1 activate
neighbor 13.13.13.1 send-community
exit-address-family
!
Config on R2:
============
ip vrf A
rd 1:1
route-target export 2:2
!
ip vrf B
rd 2:2
route-target export 3:3
route-target import 2:2
!
ip vrf C
rd 3:3
route-target import 3:3
interface Loopback2
ip vrf forwarding B
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 11
ip vrf forwarding C
ip address 12.12.12.2 255.255.255.252
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 22
ip vrf forwarding A
ip address 13.13.13.1 255.255.255.252
!
router bgp 200
bgp router-id 1.1.1.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
!
address-family ipv4 vrf C
redistribute connected
neighbor 12.12.12.1 remote-as 100
neighbor 12.12.12.1 activate
neighbor 12.12.12.1 send-community
no synchronization
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
network 2.2.2.2 mask 255.255.255.255
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
neighbor 13.13.13.2 remote-as 400
neighbor 13.13.13.2 local-as 300
neighbor 13.13.13.2 activate
neighbor 13.13.13.2 send-community
no synchronization
exit-address-family
!
============
vrf definition A
rd 1:1
route-target export 2:2
!
address-family ipv4
exit-address-family
!
vrf definition B
rd 2:2
route-target export 3:3
route-target import 2:2
!
address-family ipv4
exit-address-family
!
vrf definition C
rd 3:3
route-target import 3:3
!
address-family ipv4
exit-address-family
!
interface Loopback1
vrf forwarding B
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0.1
encapsulation dot1Q 11
vrf forwarding A
ip address 12.12.12.1 255.255.255.252
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 22
vrf forwarding C
ip address 13.13.13.2 255.255.255.252
ip access-group test in
!
router bgp 100
bgp router-id 2.2.2.2
bgp log-neighbor-changes
no bgp default ipv4-unicast
!
address-family ipv4 vrf A
redistribute connected
neighbor 12.12.12.2 remote-as 200
neighbor 12.12.12.2 activate
exit-address-family
!
address-family ipv4 vrf B
network 1.1.1.1 mask 255.255.255.255
redistribute connected
exit-address-family
!
address-family ipv4 vrf C
neighbor 13.13.13.1 remote-as 300
neighbor 13.13.13.1 local-as 400
neighbor 13.13.13.1 activate
neighbor 13.13.13.1 send-community
exit-address-family
!
Config on R2:
============
ip vrf A
rd 1:1
route-target export 2:2
!
ip vrf B
rd 2:2
route-target export 3:3
route-target import 2:2
!
ip vrf C
rd 3:3
route-target import 3:3
interface Loopback2
ip vrf forwarding B
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 11
ip vrf forwarding C
ip address 12.12.12.2 255.255.255.252
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 22
ip vrf forwarding A
ip address 13.13.13.1 255.255.255.252
!
router bgp 200
bgp router-id 1.1.1.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
!
address-family ipv4 vrf C
redistribute connected
neighbor 12.12.12.1 remote-as 100
neighbor 12.12.12.1 activate
neighbor 12.12.12.1 send-community
no synchronization
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
network 2.2.2.2 mask 255.255.255.255
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
neighbor 13.13.13.2 remote-as 400
neighbor 13.13.13.2 local-as 300
neighbor 13.13.13.2 activate
neighbor 13.13.13.2 send-community
no synchronization
exit-address-family
!
In the above config, lets make the value 1:1 as A, 2:2 as B and 3:3 as C respectively. You will now notice from the above config that R1, VRF A we export B, under vrf C we import C and under vrf B we import B and expert C. This kind of config makes it possible for the incoming and outgoing traffic take different paths. Lets now take a look at the routing table of all the vrf's on R1.
Output on R1:
============
R1#sh ip route vrf A
Routing Table: A
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [20/0] via 12.12.12.2, 5d19h
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 12.12.12.0/30 is directly connected, GigabitEthernet0/0/0.1
L 12.12.12.1/32 is directly connected, GigabitEthernet0/0/0.1
R1#sh ip route vrf B
Routing Table: B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback1
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [20/0] via 12.12.12.2 (A), 5d19h
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 12.12.12.0/30
is directly connected (A), 5d19h, GigabitEthernet0/0/0.1
L 12.12.12.1/32 is directly connected, GigabitEthernet0/0/0.1
R1#sh ip route vrf C
Routing Table: C
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 is directly connected (B), 1d22h, Loopback1
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.13.13.0/30 is directly connected, GigabitEthernet0/0/0.3
L 13.13.13.2/32 is directly connected, GigabitEthernet0/0/0.3
============
R1#sh ip route vrf A
Routing Table: A
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [20/0] via 12.12.12.2, 5d19h
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 12.12.12.0/30 is directly connected, GigabitEthernet0/0/0.1
L 12.12.12.1/32 is directly connected, GigabitEthernet0/0/0.1
R1#sh ip route vrf B
Routing Table: B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback1
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [20/0] via 12.12.12.2 (A), 5d19h
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 12.12.12.0/30
is directly connected (A), 5d19h, GigabitEthernet0/0/0.1
L 12.12.12.1/32 is directly connected, GigabitEthernet0/0/0.1
R1#sh ip route vrf C
Routing Table: C
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 is directly connected (B), 1d22h, Loopback1
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.13.13.0/30 is directly connected, GigabitEthernet0/0/0.3
L 13.13.13.2/32 is directly connected, GigabitEthernet0/0/0.3
We shall see the similar output on router R2. Lets now check the reachability on the router R1:
Output on R1:
============
R1# ping vrf B 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
============
R1# ping vrf B 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
When performing the debug ip packet on R2, we can see that the packets are forwarded from one vrf to other vrf via the RIB and then forwarded out the 3rd vrf using the FIB.
Output on R2:
============
*May 1 01:25:45.736: CEF: Try to CEF switch 2.2.2.2 from GigabitEthernet0/1
*May 1 01:25:45.736: IP: tableid=1, s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2 (Loopback2), routed via RIB
*May 1 01:25:45.736: IP: s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2, len 100, rcvd 4
*May 1 01:25:45.736: IP: tableid=1, s=2.2.2.2 (local), d=1.1.1.1 (GigabitEthernet0/1.3), routed via FIB
*May 1 01:25:45.736: IP: s=2.2.2.2 (local), d=1.1.1.1 (GigabitEthernet0/1.3), len 100, sending
*May 1 01:25:45.736: CEF: Try to CEF switch 2.2.2.2 from GigabitEthernet0/1
*May 1 01:25:45.736: IP: tableid=1, s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2 (Loopback2), routed via RIB
*May 1 01:25:45.736: IP: s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2, len 100, rcvd 4
*May 1 01:25:45.736: IP: tableid=1, s=2.2.2.2 (local), d=1.1.1.1 (GigabitEthernet0/1.3), routed via FIB
============
*May 1 01:25:45.736: CEF: Try to CEF switch 2.2.2.2 from GigabitEthernet0/1
*May 1 01:25:45.736: IP: tableid=1, s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2 (Loopback2), routed via RIB
*May 1 01:25:45.736: IP: s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2, len 100, rcvd 4
*May 1 01:25:45.736: IP: tableid=1, s=2.2.2.2 (local), d=1.1.1.1 (GigabitEthernet0/1.3), routed via FIB
*May 1 01:25:45.736: IP: s=2.2.2.2 (local), d=1.1.1.1 (GigabitEthernet0/1.3), len 100, sending
*May 1 01:25:45.736: CEF: Try to CEF switch 2.2.2.2 from GigabitEthernet0/1
*May 1 01:25:45.736: IP: tableid=1, s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2 (Loopback2), routed via RIB
*May 1 01:25:45.736: IP: s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2, len 100, rcvd 4
*May 1 01:25:45.736: IP: tableid=1, s=2.2.2.2 (local), d=1.1.1.1 (GigabitEthernet0/1.3), routed via FIB
If this was a ASR1k router, then the packet would have been forwarded via FIB which would cause all the packets to drop as there is no ipv4 route in the FIB in the receiving VRF. Lets see the result by replacing the R1 with ASR1k series router:
Output on R2:
==========
R2#ping vrf B 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)
Output on R1:
============
R1#sh plat hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
Ipv4NoRoute 27 2700
==========
R2#ping vrf B 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)
Output on R1:
============
R1#sh plat hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
Ipv4NoRoute 27 2700
We can see from the above output that the ping fails and with every ping drop, we will see the Ipv4NoRoute counter incrementing.
Hope this post helps in understanding Inter-VRF Routing.
Feel free to reach out in case you have any questions.