Вы находитесь на странице: 1из 15

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

VRF Lite
VRF =Virtual Routing and Forwarding which allows router to have multiple
routing tables of the customer routers CEs within one physical router PE.
Each of virtual routing table is independent of each other as if they are in the
separated network. Therefore, the VRF technology allows router to route packet
from different customers with the same IP address range with the use of Route
Distinguisher.
VRF lite is a simpler version of VRF that can be used to separate the network in
the enterprise network for security purposes such as a guest network. It only
supports 802.1Q trunk encapsulation.
VRF configuration isn't at all dependent on MPLS (the two components just work
well together). In Cisco terminology, deployment of VRFs without MPLS is known
as VRF lite

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

Lab

We want to keep 4 routing table (BLUE, GREEN , YELLOW , RED ) virtually separated in the same
physical router.
R1 will connect to R2 using f0/0 and using ip address 10.1.1.1, and we will use Dot1q
encapsulation protocol to tag each vrf with its own RD . we will do the same in R2 side.
R1 will advertise its own loopback interfaces on each proper vrf

R2 connected to R3 , R3 will be our management point and we will use different ip address for
each vrf

R1 exists in BGP AS 100


R2 exists in BGP AS 200
R3 exists in BGP AS 300

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

R1
ip vrf BLUE
rd 1:1
ip vrf GREEN
rd 2:2
ip vrf YELLOW
rd 3:3
ip vrf RED
rd 4:4
int loop 1
ip vrf for BLUE
ip add 1.1.1.1 255.255.255.255
int loop 2
ip vrf for GREEN
ip add 2.2.2.2 255.255.255.255
int loop 3
ip vrf for YELLOW
ip add 3.3.3.3 255.255.255.255
int loop 4
ip vrf for RED
ip add 4.4.4.4 255.255.255.255
int f0/0
no ip add
no sh
int f0/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 10.1.1.1 255.255.255.0
int f0/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 10.1.1.1 255.255.255.0
int f0/0.3
encapsulation dot1Q 3
ip vrf forwarding YELLOW
ip address 10.1.1.1 255.255.255.0
int f0/0.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 10.1.1.1 255.255.255.0
3

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

router bgp 100


bgp router-id 1.1.1.1
address-family ipv4 vrf BLUE
neighbor 10.1.1.2 remote-as 200
neighbor 10.1.1.2 activate
net 1.1.1.1 mask 255.255.255.255
address-family ipv4 vrf GREEN
neighbor 10.1.1.2 remote-as 200
neighbor 10.1.1.2 activate
net 2.2.2.2 mask 255.255.255.255
address-family ipv4 vrf YELLOW
neighbor 10.1.1.2 remote-as 200
neighbor 10.1.1.2 activate
net 3.3.3.3 mask 255.255.255.255
address-family ipv4 vrf RED
neighbor 10.1.1.2 remote-as 200
neighbor 10.1.1.2 activate
net 4.4.4.4 mask 255.255.255.255
R2
ip vrf BLUE
rd 1:1
ip vrf GREEN
rd 2:2
ip vrf YELLOW
rd 3:3
ip vrf RED
rd 4:4
int f0/0
no ip add
no sh
int f0/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 10.1.1.2 255.255.255.0
int f0/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 10.1.1.2 255.255.255.0

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

int f0/0.3
encapsulation dot1Q 3
ip vrf forwarding YELLOW
ip address 10.1.1.2 255.255.255.0
int f0/0.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 10.1.1.2 255.255.255.0
router bgp 200
bgp router-id 2.2.2.2
address-family ipv4 vrf BLUE
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.1.1 activate
address-family ipv4 vrf GREEN
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.1.1 activate
address-family ipv4 vrf YELLOW
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.1.1 activate
address-family ipv4 vrf RED
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.1.1 activate
R2#sh ip vrf br
Name
BLUE
GREEN
RED
YELLOW

Default RD
Interfaces
1:1
Fa0/0.1
2:2
Fa0/0.2
4:4
Fa0/0.4
3:3
Fa0/0.3

R2#sh ip route vrf BLUE


Routing Table: BLUE
1.0.0.0/32 is subnetted, 1 subnets
1.1.1.1 [20/0] via 10.1.1.1, 00:00:23
10.0.0.0/24 is subnetted, 1 subnets
C
10.1.1.0 is directly connected, FastEthernet0/0.1
B

R2#sh ip bgp vpnv4 vrf BLUE


Network
Next Hop
Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf BLUE)
*> 1.1.1.1/32
10.1.1.1
0
0 100 i
5

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

R2
int f0/1
no ip add
no sh
int f0/1.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 10.2.2.2 255.255.255.0
int f0/1.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 10.22.22.2 255.255.255.0
int f0/1.3
encapsulation dot1Q 3
ip vrf forwarding YELLOW
ip address 10.12.12.2 255.255.255.0
int f0/1.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 10.122.122.2 255.255.255.0
router bgp 200
bgp router-id 2.2.2.2
address-family ipv4 vrf BLUE
neighbor 10.2.2.1 remote-as 300
neighbor 10.2.2.1 activate
address-family ipv4 vrf GREEN
neighbor 10.22.22.1 remote-as 300
neighbor 10.22.22.1 activate
address-family ipv4 vrf YELLOW
neighbor 10.12.12.1 remote-as 300
neighbor 10.12.12.1 activate
address-family ipv4 vrf RED
neighbor 10.122.122.1 remote-as 300
neighbor 10.122.122.1 activate

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

Notice in R3 no need for rd commands or ip vrf forwarding commands under sub interfaces or even
bgp address family for each vrf .
R3
int f0/1
no ip add
no sh
int f0/1.1
encapsulation dot1Q 1
ip address 10.2.2.1 255.255.255.0
int f0/1.2
encapsulation dot1Q 2
ip address 10.22.22.1 255.255.255.0
int f0/1.3
encapsulation dot1Q 3
ip address 10.12.12.1 255.255.255.0
int f0/1.4
encapsulation dot1Q 4
ip address 10.122.122.1 255.255.255.0
router bgp 300
bgp router-id 3.3.3.3
neighbor 10.2.2.2 remote-as 200
neighbor 10.22.22.2 remote-as 200
neighbor 10.12.12.2 remote-as 200
neighbor 10.122.122.2 remote-as 200
R3#sh ip bgp
Network
*> 1.1.1.1/32
*> 2.2.2.2/32
*> 3.3.3.3/32
*> 4.4.4.4/32

Next Hop
Metric LocPrf Weight Path
10.2.2.2
0 200 100 i
10.22.22.2
0 200 100 i
10.12.12.2
0 200 100 i
10.122.122.2
0 200 100 i

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

Same lab above but we will add R4,R5

R4 (BGP AS 400 ) f1/0 will be connected to R2 f1/0 through vrf BLUE & GREEN using 40.40.40.0/24
R5 (BGP AS 500) f1/0 will be connected to R2 f2/0 through vrf RED & GREEN using 50.50.50.0/24
R2
interface FastEthernet1/0
no ip address
!
interface FastEthernet1/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 40.40.40.2 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 40.40.40.2 255.255.255.0
interface FastEtherne2/0
no ip address
interface FastEthernet2/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 50.50.50.2 255.255.255.0
!
interface FastEthernet2/0.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 50.50.50.2 255.255.255.0

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

router bgp 200


!
address-family ipv4 vrf RED
neighbor 50.50.50.5 remote-as 500
neighbor 50.50.50.5 activate
address-family ipv4 vrf GREEN
neighbor 50.50.50.5 remote-as 500
neighbor 50.50.50.5 activate
neighbor 40.40.40.4 remote-as 400
neighbor 40.40.40.4 activate
no synchronization
exit-address-family
!
address-family ipv4 vrf BLUE
neighbor 40.40.40.4 remote-as 400
neighbor 40.40.40.4 activate
R4
ip vrf BLUE
rd 1:1
!
ip vrf GREEN
rd 2:2
interface FastEthernet1/0
no ip address
!
interface FastEthernet1/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 40.40.40.4 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 40.40.40.4 255.255.255.0
router bgp 400
bgp router-id 4.4.4.4
address-family ipv4 vrf GREEN
neighbor 40.40.40.2 remote-as 200
neighbor 40.40.40.2 activate
!
address-family ipv4 vrf BLUE
neighbor 40.40.40.2 remote-as 200
neighbor 40.40.40.2 activate
9

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

R4#sh ip bgp vpnv4 vrf BLUE


Network
Next Hop
Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf BLUE)
*> 1.1.1.1/32
40.40.40.2
0 200 100 i
R4#sh ip bgp vpnv4 vrf GREEN
Network
Next Hop
Metric LocPrf Weight Path
Route Distinguisher: 0:0
*> 2.2.2.2/32
40.40.40.2
0 200 100 i
R5
ip vrf GREEN
rd 2:2
!
ip vrf RED
rd 4:4
int f1/0
no ip add
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 50.50.50.5 255.255.255.0
!
interface FastEthernet1/0.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 50.50.50.5 255.255.255.0
router bgp 500
bgp router-id 5.5.5.5
address-family ipv4 vrf RED
neighbor 50.50.50.2 remote-as 200
neighbor 50.50.50.2 activate
address-family ipv4 vrf GREEN
neighbor 50.50.50.2 remote-as 200
neighbor 50.50.50.2 activate
R5#sh ip bgp vpnv4 vrf RED
Network
Next Hop
Metric LocPrf Weight Path
Route Distinguisher: 4:4 (default for vrf RED)
*> 4.4.4.4/32
50.50.50.2
0 200 100 i
R5#sh ip bgp vpnv4 vrf GREEN
Network
Next Hop
Metric LocPrf Weight Path
Route Distinguisher: 2:2 (default for vrf GREEN)
*> 2.2.2.2/32
50.50.50.2
0 200 100 i

10

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

Now lets assume we want R4 to get Default route in his BLUE vrf from R2
R2
router bgp 200
address-family ipv4 vrf BLUE
neighbor 40.40.40.4 default-originate
R4#sh ip bgp vpnv4 vrf BLUE
Network
Next Hop
Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf BLUE)
*> 0.0.0.0
40.40.40.2
0
0 200 i
*> 1.1.1.1/32
40.40.40.2
0 200 100 i

Displaying & Verifications commands


Lets take vrf BLUE AS example:

sh ip protocols vrf BLUE


sh ip route vrf BLUE
sh ip bgp vpnv4 vrf BLUE
sh ip vrf br
sh ip vrf blue
sh ip bgp vpnv4 all sum
sh ip vrf interfaces
R4#sh ip bgp vpnv4 vrf BLUE neighbors 40.40.40.2 advertised-routes
R4#sh ip bgp vpnv4 vrf BLUE neighbors 40.40.40.2 routes
R4#sh ip bgp vpnv4 vrf BLUE 1.1.1.1
R4#ping vrf BLUE 1.1.1.1
R4#traceroute vrf BLUE 1.1.1.1
R4#sh ip bgp vpnv4 rd 1:1
R2#sh ip bgp vpnv4 vrf BLUE rib-failure

11

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

Now lets practice VRF over GRE Tunnel

R7 f0/0 10.10.10.7/24
R6 f0/0 10.10.10.6/24 s0/0 20.20.20.6/24
R2 s0/0 20.20.20.2/24
R2
int s0/0
ip vrf for BLUE
ip add 20.20.20.2 255.255.255.0
no sh
! Connection to the VRF BLUE network and the VRF GREEN
! network using the GRE tunnel.

12

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

ip route vrf BLUE 10.10.10.7 255.255.255.255 20.20.20.6


! Static Host route to ensure that recursive routing does not occur.
int tunnel 0
ip vrf for GREEN
ip add 200.200.200.2 255.255.255.0
tunnel source s0/0
tunnel dest 10.10.10.7
tunnel vrf BLUE
! Tunnel 0 is part of VRF GREEN; but it uses the tunnel
! destination and source addresses from the routing
! table of VRF BLUE, because of this tunnel vrf blue command
router bgp 200
address-family ipv4 vrf GREEN
redis connected
address-family ipv4 vrf BLUE
redis conn
R6
int s0/0
ip add 20.20.20.6 255.255.255.0
no sh
int f0/0
ip add 10.10.10.6 255.255.255.0
no sh
ip access-group 100 in
ip access-group 100 out
access-list 100 permit gre host 10.10.10.7 host 20.20.20.2
access-list 100 permit gre host 20.20.20.2 host 10.10.10.7
! Permits only GRE packets between the endpoints.
ip route 0.0.0.0 0.0.0.0 20.20.20.2

13

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

R7
int f0/0
ip add 10.10.10.7 255.255.255.0
no sh
ip access-group 100 in
ip access-group 100 out
! Accessgroup to allow only GRE packets through the R2CE network. However, R1CE networks
data is in the GRE packet.
access-list 100 permit gre host 10.10.10.7 host 20.20.20.2
access-list 100 permit gre host 20.20.20.2 host 10.10.10.7
! Permits only GRE packets between the endpoints.
int tunnel 0
ip add 200.200.200.1 255.255.255.0
tunnel source f0/0
tunnel dest 20.20.20.2
! Both the tunnel source and destination address are in the VRF BLUE, to provide transport for the
VRF GREEN network.
ip route 0.0.0.0 0.0.0.0 tunnel0
ip route 20.20.20.2 255.255.255.255 10.10.10.6
! Static Host route to ensure that recursive routing does not occur.
Verification:
R2#show ip route vrf BLUE 10.10.10.1
Routing entry for 10.10.10.0/24
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 20.20.20.6
Route metric is 0, traffic share count is 1
R2#sh ip int br | i Tunnel
Tunnel0
200.200.200.2 YES manual up

up

R7#ping 200.200.200.2
!!!!!
Any BLUE or GREEN ip address directly connected in R2 , R7 can ping now :
R7#ping 10.1.1.2
!!!!!
R7#ping 10.22.22.2
!!!!!
14

CCIEv5 VRF lite Lab

By CCSI: Yasser Auda

Resources:
http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/
http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/
http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/46252grewithvrf.html
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/layer-3-vpns-l3vpn/116725configure-mgre-00.html

Good Luck
CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasser.r.a?view=documents
https://www.youtube.com/user/yasserramzyauda

15