3.3.f Implement and troubleshoot VRF lite

Most newer devices come with a mgmt interface that is VRF-enabled out of the box, so naturally the idea is to point your management network in the VRF direction. Just build it anyway: it keeps the data and management networks separate and adds a layer of security between them.

For example, take this simple data network:

[Figure: vrf_mgmt]

R1(config-router)#do sh ip route | b Gate
Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.12.2, 00:02:04, Serial1/0
3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/129] via 10.1.14.4, 00:02:14, Serial1/1
                [110/129] via 10.1.12.2, 00:02:14, Serial1/0
4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/65] via 10.1.14.4, 00:02:25, Serial1/1
10.0.0.0/24 is subnetted, 4 subnets
C       10.1.14.0 is directly connected, Serial1/1
C       10.1.12.0 is directly connected, Serial1/0
O       10.1.23.0 [110/128] via 10.1.12.2, 00:02:04, Serial1/0
O       10.1.34.0 [110/128] via 10.1.14.4, 00:02:25, Serial1/1
R1(config-router)#do sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:35    10.1.14.4       Serial1/1
2.2.2.2           0   FULL/  -        00:00:30    10.1.12.2       Serial1/0

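Nothing fancy. The idea is to build a management network inside the data network using a VRF, running a different routing protocol, so the wonderful user community doesn't know about it: the management prefixes live only in the VRF's routing table and never show up in the global one. The tunnel below uses Serial1/0, a data-network interface, as its transport, so the separation is at the routing-table level and the tunnelled traffic itself is not encrypted.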

R1(config-if)#do sh run int tun 0
Building configuration...

Current configuration : 140 bytes
!
interface Tunnel0
 ip vrf forwarding r1
 ip address 192.168.1.1 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 10.1.12.2

router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf r1
  network 11.0.0.0
  network 192.168.1.0
  auto-summary
  autonomous-system 1
 exit-address-family

R1(config-router)#do sh ip route vrf r1 | b Gate
Gateway of last resort is not set

D    22.0.0.0/8 [90/297372416] via 192.168.1.2, 00:14:10, Tunnel0
11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       11.11.11.0/24 is directly connected, Loopback1
D       11.0.0.0/8 is a summary, 00:14:10, Null0
C    192.168.1.0/24 is directly connected, Tunnel0

R1(config-router)#do sh ip route | b Gate
Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.12.2, 00:30:01, Serial1/0
3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/129] via 10.1.14.4, 00:30:11, Serial1/1
                [110/129] via 10.1.12.2, 00:30:11, Serial1/0
4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/65] via 10.1.14.4, 00:30:21, Serial1/1
10.0.0.0/24 is subnetted, 4 subnets
C       10.1.14.0 is directly connected, Serial1/1
C       10.1.12.0 is directly connected, Serial1/0
O       10.1.23.0 [110/128] via 10.1.12.2, 00:30:01, Serial1/0
O       10.1.34.0 [110/128] via 10.1.14.4, 00:30:21, Serial1/1

R1(config-router)#do ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms
R1(config-router)#do ping vrf r1 22.22.22.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

And for management access behind the scenes:

R1#telnet 22.22.22.22 /vrf r1
Trying 22.22.22.22 ... Open

User Access Verification

Password:
R2>
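
A check for the separation shown in the two R1 routing tables above, as an added example that is not part of the original post: it parses IOS "show ip route" output and reports any prefix in the global table that overlaps a prefix in the VRF table. The function names and the static-route leak line are constructed for illustration, and the check assumes the management ranges are not deliberately reused in the data network.

```python
import ipaddress
import re

HEADER = re.compile(r"^(\d+(?:\.\d+){3})/(\d+) is (?:variably )?subnetted")
ROUTE = re.compile(r"^[A-Za-z*][\w* ]*?\s+(\d+(?:\.\d+){3})(?:/(\d+))?\s+(?:is|\[)")

# Trimmed from the R1 output shown on this page.
GLOBAL_TABLE = """\
1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.12.2, 00:30:01, Serial1/0
10.0.0.0/24 is subnetted, 4 subnets
C       10.1.12.0 is directly connected, Serial1/0
O       10.1.23.0 [110/128] via 10.1.12.2, 00:30:01, Serial1/0
"""
VRF_TABLE = """\
D    22.0.0.0/8 [90/297372416] via 192.168.1.2, 00:14:10, Tunnel0
11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       11.11.11.0/24 is directly connected, Loopback1
D       11.0.0.0/8 is a summary, 00:14:10, Null0
C    192.168.1.0/24 is directly connected, Tunnel0
"""
# Constructed (not from the page): a static route exposing the mgmt loopback.
LEAKY_TABLE = GLOBAL_TABLE + "S    11.11.11.0/24 [1/0] via 10.1.12.2\n"

def parse_routes(text):
    """Return the prefixes found in IOS 'show ip route' output."""
    prefixes, parent_len = set(), None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        if header:  # "x.x.x.x/len is subnetted": children inherit this length
            parent_len = header.group(2)
            continue
        route = ROUTE.match(line)  # continuation lines ("[110/129] via ...") do not match
        plen = route and (route.group(2) or parent_len)
        if plen:
            prefixes.add(ipaddress.ip_network(f"{route.group(1)}/{plen}", strict=False))
    return prefixes

def exposed(global_text, vrf_text):
    """Pairs (global prefix, VRF prefix) that overlap, i.e. mgmt space visible globally."""
    vrf = parse_routes(vrf_text)
    return sorted((g, v) for g in parse_routes(global_text) for v in vrf if g.overlaps(v))

if __name__ == "__main__":
    print("page tables:", exposed(GLOBAL_TABLE, VRF_TABLE))
    print("with constructed leak:", exposed(LEAKY_TABLE, VRF_TABLE))
```

The tunnel endpoints (10.1.12.x) are expected in the global table because they are the transport; only the prefixes carried inside VRF r1 should be absent from it.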