Category Archives: 3.3.f Implement and troubleshoot VRF lite

3.3.f Implement and troubleshoot VRF lite

VPN Routing and Forwarding (VRF) instances are most commonly associated with MPLS. In service provider networks, MPLS encapsulation is used to isolate individual customer traffic and an independent routing table (VRF) is maintained for each customer. Most often, MP-BGP is employed to facilitate complex redistribution schemes to import and export routes to and from VRFs to provide Internet connectivity.

However, VRF configuration isn’t at all dependent on MPLS (the two components just work well together). In Cisco terminology, deployment of VRFs without MPLS is known as VRF lite.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 2692-2696). Kindle Edition.

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

3.3.f Implement and troubleshoot VRF lite

most newer devices come with a mgmt interface that is vrf enabled out of the box… naturally the idea is to point your management network toward the vrf direction… so just build it anyway… it adds a layer of security between the data and the management networks while also keeping them separate…

ie, this simple data network:


R1(config-router)#do sh ip route | b Gate
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.12.2, 00:02:04, Serial1/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/129] via 10.1.14.4, 00:02:14, Serial1/1
                [110/129] via 10.1.12.2, 00:02:14, Serial1/0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/65] via 10.1.14.4, 00:02:25, Serial1/1
     10.0.0.0/24 is subnetted, 4 subnets
C       10.1.14.0 is directly connected, Serial1/1
C       10.1.12.0 is directly connected, Serial1/0
O       10.1.23.0 [110/128] via 10.1.12.2, 00:02:04, Serial1/0
O       10.1.34.0 [110/128] via 10.1.14.4, 00:02:25, Serial1/1
R1(config-router)#do sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:35    10.1.14.4       Serial1/1
2.2.2.2           0   FULL/  -        00:00:30    10.1.12.2       Serial1/0

nothing fancy… the idea is to build a management network within the data network using vrf so the wonderful user community doesn’t know about it, and use a different routing protocol….

R1(config-if)#do sh run int tun 0
Building configuration...

Current configuration : 140 bytes
!
interface Tunnel0
 ip vrf forwarding r1
 ip address 192.168.1.1 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 10.1.12.2

router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf r1
  network 11.0.0.0
  network 192.168.1.0
  auto-summary
  autonomous-system 1
 exit-address-family

R1(config-router)#do sh ip route vrf r1 | b Gate
Gateway of last resort is not set

D    22.0.0.0/8 [90/297372416] via 192.168.1.2, 00:14:10, Tunnel0
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       11.11.11.0/24 is directly connected, Loopback1
D       11.0.0.0/8 is a summary, 00:14:10, Null0
C    192.168.1.0/24 is directly connected, Tunnel0

R1(config-router)#do sh ip route | b Gate
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.12.2, 00:30:01, Serial1/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/129] via 10.1.14.4, 00:30:11, Serial1/1
                [110/129] via 10.1.12.2, 00:30:11, Serial1/0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/65] via 10.1.14.4, 00:30:21, Serial1/1
     10.0.0.0/24 is subnetted, 4 subnets
C       10.1.14.0 is directly connected, Serial1/1
C       10.1.12.0 is directly connected, Serial1/0
O       10.1.23.0 [110/128] via 10.1.12.2, 00:30:01, Serial1/0
O       10.1.34.0 [110/128] via 10.1.14.4, 00:30:21, Serial1/1

R1(config-router)#do ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms
R1(config-router)#do ping vrf r1 22.22.22.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

and for the management behind the scenes:

R1#telnet 22.22.22.22 /vrf r1
Trying 22.22.22.22 ... Open

User Access Verification

Password:
R2>

3.3.f Implement and troubleshoot VRF lite

one of the building blocks for mpls is vrf… rene has a good lab on this here…

http://gns3vault.com/MPLS/vrf-routing.html

it’s been a while since i configured vrf so this was a nice refresher… remember that when you set an interface to forward vrf it whacks the ip address and needs to be reset…


seems simple enough… one of the things rene’s labs do well is concentrate on a single concept…

Sulu(config)#ip vrf sulu
Sulu(config-vrf)#int lo0
Sulu(config-if)#ip vrf forward sulu
% Interface Loopback0 IP address 1.1.1.1 removed due to enabling VRF sulu
Sulu(config-if)#ip add 1.1.1.1 255.255.255.0
Sulu(config-if)#int lo1
Sulu(config-if)#ip vrf forward sulu
% Interface Loopback1 IP address 11.11.11.11 removed due to enabling VRF sulu
Sulu(config-if)#ip add 11.11.11.11 255.255.255.0

again, my only complaint about rene’s labs is his stupid router names… small complaint there…

set up the interfaces on the other side:

Chekov(config-if)#do sh ip vrf int
Interface              IP-Address      VRF                              Protocol
Lo0                    2.2.2.2         chekov                           up
Lo1                    22.22.22.22     chekov                           up

the next thing is to set up a tunnel between the routers… if you add the tunnel to the vrf’s first you won’t have to retype the ip address… make the tunnel address anything you want, but the tunnel source and destination need to be the physical link…

Sulu(config-if)#int tun 0
Sulu(config-if)#ip vrf forward sulu
Sulu(config-if)#ip add 192.168.21.1 255.255.255.0
Sulu(config-if)#tunnel source 192.168.12.1
Sulu(config-if)#tunnel dest 192.168.12.2
Sulu(config-if)#
*Mar  1 00:09:27.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

for the source you can use the interface or the address; i prefer using addresses…

Chekov(config-if)#do sh ip vrf int
Interface              IP-Address      VRF                              Protocol
Lo0                    2.2.2.2         chekov                           up
Lo1                    22.22.22.22     chekov                           up
Tu0                    192.168.21.2    chekov                           up

use a routing protocol for the vrf to bring it up…

Chekov(config-if)#router eigrp 1
Chekov(config-router)#address-family ipv4 vrf chekov
Chekov(config-router-af)#netw 2.2.2.0
Chekov(config-router-af)#netw 22.22.22.0
Chekov(config-router-af)#netw 192.168.21.0
Chekov(config-router-af)#autonomous-system 1
Chekov(config-router-af)#
*Mar  1 00:15:05.695: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 1: Neighbor 192.168.21.1 (Tunnel0) is up: new adjacency
Chekov(config-router-af)#

Sulu(config-router-af)#do sh ip route vrf sulu | b Gate
Gateway of last resort is not set

     1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       1.1.1.0/24 is directly connected, Loopback0
D       1.0.0.0/8 is a summary, 00:01:52, Null0
D    2.0.0.0/8 [90/297372416] via 192.168.21.2, 00:01:06, Tunnel0
D    22.0.0.0/8 [90/297372416] via 192.168.21.2, 00:01:06, Tunnel0
C    192.168.21.0/24 is directly connected, Tunnel0
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       11.11.11.0/24 is directly connected, Loopback1
D       11.0.0.0/8 is a summary, 00:01:52, Null0

Sulu#ping vrf sulu 22.22.22.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/24 ms
Sulu#trace vrf sulu 22.22.22.22

Type escape sequence to abort.
Tracing the route to 22.22.22.22

1 192.168.21.2 16 msec *  12 msec