VRF Lite Configuration For Cisco Routers

VRF LITE LAB 10
Foris Kuang
Period 3/4
Purpose
The purpose of this lab is to teach us how to use VRF Lite, a way of making the
router splice the information between a guest and an admin such that a guest does
not have access to certain routers and resources that the admin has and vice versa.
This lab allows us to not only review switching and routing set up, but also
understand the usefulness of VRF Lite and why it might be implemented in standing
networks with guests that operate it.
Background
VRF Lite
VRF stands for Virtual Routing and Forwarding. This technology allows multiple
instances of a routing table to "co-exist" in the one router. This means you can have
segmented routes that create separate routing tables and thus the traffic is
segregated. By doing this you enhance security because a guest accessing the
network cannot access admin privileges at all making the need for encryption and
authentication unnecessary. What makes this technology really cool is that if there
are same or overlapping ip addresses, they can be used without conflicting due to
the separate routing instances. An example of how this works is if you were to have
a security guard to a certain club, only people who have club memberships can
attend that club and they make sure to not allow those who arent allowed. It is a
security protocol that restricts the need to configure it on a port and more rather on
the ISP meaning that this authentication spans the entirety of the network. It acts
similarly to a private VLAN but to its customers.
Lab Summary
To begin with this lab utilizes a few configurations that are not too demanding. The
configuration of the topology is set up so that we have a switch with two pcs hooked
up to a router and that router to another switch. The switch has another two routers
connected to it. It thus made creating a topology fairly difficult. We used
192.168.0.0/16 network for our guest users, and 10.0.0.0/8 for the admin network.
There were two exceptions, 10.255.255.0/24 and 10.255.254.0/24. The next issue
one needs to address when configuring this lab is to put vlans on the network in
order to separate the network from guest and admin, this was placed on 10 and 20
respectively. We are dealing with multiple networks here so the routing protocol we
chose to handle VRF was OSPF. OSPF has a unique aspect of when you specify the
VRF on that OSPF it will only handle that specific one meaning that a guest will not
be able to access an admins network. The last thing to do was configure the
switches which was simply configuring some to handle trunk and those with the
vlans to be access.
Lab Commands
Router Commands
Commands
Router#configure terminal
Router(config)#ip VRF [name of VRF
group]
Router(config)#interface [port]
Router(config-if)#ip vrf forwarding
[name of VRF group]
Router(config-if)#ip address [ip
address] [netmask]
Router(config)#router ospf [as
number] vrf [name of VRF group]
Router(config-router)#network
[network address] area [area
number]
Router(config)#interface [ROAST
port]
Router(configrouter)#encapsulation dot 1q [vlan
number]
Purpose
Places the router into global
configuration mode
Creates a vrf group with that name
similar to creating a vlan
Enables configuration for that port
Forwards all VRF packets on that
interface
Assigns the IP to that interface
Creates an OSPF routing protocol with
that as group and applies the VRF group
to OSPF
Advertises the given network across
OSPF in the given area
Creates a port in that ROAST sub
interface
Enables encapsulation dot1q in the given
vlan
Switch Commands
Commands
Switch#configure terminal
Switch(config)#interface [port]
Switch(config-if)#switch trunk
encapsulation dot1q
Switch(config-if)#switch mode trunk
Switch(config-if)#switch mode
access
Switch(config-if)#switch access vlan
[vlan number]
Purpose
Places the router into global
configuration mode
Enables configuration for that port
Allows encapsulation dot1q on the
trunking port
Turns this port into a trunking port
Turns given port into an access port
Makes an access port have access to the
given vlan
Lab Diagam
Configurations
Switch 2
hostname S2
vlan 10
name GUEST
vlan 20
name ADMIN
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20
switchport mode trunk
switchport access vlan 20
switchport mode access

end
Switch 3
hostname S3
vlan 2-3, 5
vlan 10
name GUEST
vlan 20
name ADMIN
end
Switch 4
hostname S4
vlan 2-3,10,20,192
end
Switch 5
hostname S5
vlan 10
name vlan10
private-vlan primary
private-vlan association 20
vlan 19
vlan 20
name vlan20
private-vlan community
vlan 30
name vlan30
switchport private-vlan mapping 10 20
switchport mode private-vlan promiscuous
ip arp inspection trust
spanning-tree portfast
ip dhcp snooping limit rate 100
ip dhcp snooping trust
switchport private-vlan host-association 10 20
storm-control broadcast level 30.00
storm-control action shutdown
ip verify source port-security
storm-control broadcast level 30.00
storm-control action shutdown
ip verify source port-security
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.1.100 255.255.255.0
interface Vlan20
ip address 192.168.10.10 255.255.255.0
shutdown
end
Router 5
hostname R5
ip vrf ADMIN
description ADMIN
interface Loopback0
ip vrf forwarding ADMIN
ip address 10.255.254.1 255.255.255.0
interface GigabitEthernet0/0
ip address 10.0.4.1 255.255.255.0
router ospf 2 vrf ADMIN
log-adjacency-changes
network 10.0.4.0 0.0.0.255 area 0
network 10.255.254.0 0.0.0.255 area 0
network 192.168.0.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
end
Router 4
hostname R4
ip vrf GUEST
description GUEST
interface Loopback0
ip vrf forwarding GUEST
ip address 10.255.255.1 255.255.255.0
interface GigabitEthernet0/0
ip address 192.168.4.1 255.255.255.0
router ospf 1 vrf GUEST
network 10.255.255.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
end
Router 3
hostname R3
ip vrf ADMIN
description ADMIN
ip vrf GUEST
description GUEST
interface GigabitEthernet0/0.4
encapsulation dot1Q 10
ip address 192.168.3.1 255.255.255.0
ip address 10.0.3.1 255.255.255.0
ip address 192.168.4.2 255.255.255.0
ip address 10.0.4.2 255.255.255.0
network 10.0.3.0 0.0.0.255 area 0
network 10.0.4.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
end
Router 2
hostname R2
ip dhcp pool ADMIN
vrf ADMIN
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
ip dhcp pool GUEST
vrf GUEST
network 192.168.1.0 255.255.255.0
ip vrf ADMIN
description ADMIN
ip vrf GUEST
description GUEST
interface FastEthernet0/0.4
ip address 192.168.1.1 255.255.255.0
ip address 10.0.1.1 255.255.255.0
ip address 192.168.3.2 255.255.255.0
ip address 10.0.3.2 255.255.255.0
network 10.0.1.0 0.0.0.255 area 0
network 10.0.3.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 10.0.1.0 0.0.0.255 area 0
network 10.0.3.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
end
Router 1
hostname R1
ip dhcp pool ADMIN
vrf ADMIN
network 10.0.2.0 255.255.255.0
ip dhcp pool GUEST
vrf GUEST
network 192.168.2.0 255.255.255.0
ip vrf ADMIN
description ADMIN
ip vrf GUEST
description GUEST
ip address 192.168.2.1 255.255.255.0
ip address 10.0.2.1 255.255.255.0
ip address 192.168.3.3 255.255.255.0
ip address 10.0.3.3 255.255.255.0
network 10.0.2.0 0.0.0.255 area 0
network 10.0.3.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 10.0.2.0 0.0.0.255 area 0
network 10.0.3.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
end
Routing Tables
Router 1:
Routing Table: ADMIN
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C
10.0.2.0/24 is directly connected, FastEthernet0/0.5
C
O
10.255.254.1/32 [110/3] via 10.0.3.1, 00:00:04, FastEthernet0/1.5
O
O
Routing Table: GUEST
O
10.0.0.0/32 is subnetted, 1 subnets
O
10.255.255.1 [110/3] via 192.168.3.1, 00:00:30, FastEthernet0/1.4
O
C
C
Router 2
O
C
O
C
O
O
O
10.255.255.1 [110/3] via 192.168.3.1, 00:30:39, FastEthernet0/1.4
C
O
C

Router 3
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
O
10.255.255.1 [110/2] via 192.168.4.1, 00:33:53, GigabitEthernet0/1.4
O
192.168.1.0/24 [110/2] via 192.168.3.2, 00:31:20, GigabitEthernet0/0.4
O
C
192.168.3.0/24 is directly connected, GigabitEthernet0/0.4
L
C
L
O
O
C
L
C
L
O
Router 4
C
10.255.255.0/24 is directly connected, Loopback0
L
O
192.168.1.0/24 [110/3] via 192.168.4.2, 00:32:07, GigabitEthernet0/0
O
O
C
192.168.4.0/24 is directly connected, GigabitEthernet0/0
L
Router 5

o - ODR, P - periodic downloaded static route, + - replicated route
O
O
O
C
L
C
L
Problems
The problems we had were that we were unable to configure the commands
correctly, and when we did the pings did not go across. Even when they were in the
same VRF, for some reason we would not be able to ping across in that network. We
quickly realized that the flaw was not in the fact that our network was set up
incorrectly but that we had missed the command "ping vrf guest ..." This command
was crucial as it specified to ping through the given VRF and in the end everything
was successful. The next issue that was present was the existence of VLANs. We
forgot that ROAST required vlans and that these vlans had to be trunked or
accessed depending on the need but after we recalled it, it was a pretty simple fix.
Conclusion
This lab allowed us to learn to segment a network for an ISP such that a guest would
not be able to access it an ADMIN's network at all even though they went through
the same network thanks to VRF. This allowed them to have separate routing tables
making it very secure. The utilization of sub-interfaces and vlans basically splices
the network for you and then VRF just forwards those certain spliced packets to
their respective location. My partner and I ended up configuring it fine even though
we neglected to realize that the ping command was inherently different because it
needed to specify through which medium it was pinging. Ultimately, VRF is going to
be a useful tool for the future such as MPLS and ISP integration as it disables the
need for authentication and other forms of security.

VRF Lite Configuration For Cisco Routers

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

VRF Lite Configuration For Cisco Routers

Загружено:

Авторское право:

Доступные форматы

VRF LITE LAB 10

switchport mode access

192.168.2.0/24 [110/2] via 192.168.3.3, 00:01:09, FastEthernet0/1.4

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

Вам также может понравиться