VRF, meaning Virtual Routing and Forwarding, is a technology implemented in IP network routers that allows multiple instances of a routing table to exist on the same router at the same time. Since each VRF is independent, the same IP subnet can exist in 2 different VRFs. Basically, you can use the same IP address in 2 VRFs without the two conflicting with each other. Even though this is possible, I would not suggest doing so unless you have a very good reason to do it.

Another meaning of VRF is VPN Routing and Forwarding, which is a key element in Cisco’s MPLS (Multiprotocol Label Switching) VPN technology. Internet service providers often take advantage of VRF to create separate virtual private networks (VPNs) for customers. Some advantages of using this technology are that an ISP can provision scalable IP MPLS VPN services, generate reports (e.g. audit for services), Service Level Agreements (SLA) contracts and more…

To summarize, virtual networks enable administrators to split a physical link into multiple virtual links that are completely isolated from one another. Typically, a virtual network will be dedicated to traffic from a specific application or from specific users / customers.


Now that we have clarified the basics of what VRF is and how it works, let’s see where VRF is used the most. As you may have guessed already, this is in the MPLS VPN environment: in today’s business, granularity is very important, and VRF helps network engineers isolate and provide security for their customers in an ISP environment, or separate services in an Intranet environment. As you probably already know, MPLS functionality is based on P (Provider) routers, PE (Provider edge) routers and CE (Customer edge) routers. Each of these routers must be configured in order for MPLS to work within an enterprise’s architecture. I have described the MPLS technology a little so that you can better understand the topology presented below and the configuration example that follows:

VRF Implementation

As you can see from the topology, one PE router can hold and manage multiple virtual routing tables, one for each customer that an ISP has. If you are running in a private environment (e.g. Intranet), you can use MPLS VPN to separate services (e.g. office, development…). The basic functionality is the same, and I’ll show you below how to implement VRFs.

The actual configuration of VRFs is not a complicated task. There are two main components to a VRF: the route distinguisher (RD) and the route target (RT).

The route distinguisher (RD) is a number which helps identify a VPN in a provider’s network and allows for overlapping IP space.

The route target (RT) indicates the VPN membership of a route and allows VPN routes to be imported or exported into or out of your VRFs. The RT functions a little like a routing policy — determining how routes are distributed throughout the particular VPN.

The RD / RT is an 8-byte (64-bit) number which can be written as follows:

- 16-bit AS number: your 32-bit number
(e.g.) 65000:100

or

- 32-bit IP address: your 16-bit number
(e.g.) 192.168.0.1:10

The first method is used more often.

For a very basic VRF configuration, follow these steps:

1. Enters VRF configuration mode and assigns a VRF name.

Router(config)#ip vrf vrf-name

2. Creates a VPN route distinguisher (RD) following one of the 16bit-ASN:32bit-number or 32bit-IP:16bit-number formats explained above.

Router(config-vrf)#rd route-distinguisher

3. Creates a list of import and/or export route target communities for the specified VRF.

Router(config-vrf)# route-target {import | export | both} route-target-ext-community

4. (Optional step) Associates the specified route map with the VRF.

Router(config-vrf)# import map route-map

5. Specifies an interface and enters interface configuration mode.

Router(config)# interface type number

6. Associates a VRF with an interface or subinterface.

Router(config-if)# ip vrf forwarding vrf-name

To check your configuration, you can use the ping or traceroute tools in the Cisco CLI, but remember that you have to use the “vrf vrf-name” parameter:

Router# ping vrf vrf-name IP-address

You can also check the virtual routing table:

Router# show ip route vrf vrf-name
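
As an added example (not part of the original post and not Cisco tooling), the Python check below reads a drafted configuration, validates each RD against the two formats described above, and reports any VRF that imports a route target exported by another VRF, since that is the point where the isolation between customers is relaxed. The sample configuration, the VRF names and the functions valid_rd and audit are constructed for illustration; only the two RD forms listed in this post are accepted.

```python
import ipaddress
import re

# Constructed sample (not from the original post): a drafted PE configuration.
SAMPLE = """\
ip vrf CUST-A
 rd 65000:100
 route-target both 65000:100
ip vrf CUST-B
 rd 65000:200
 route-target both 65000:200
 route-target import 65000:100
ip vrf CUST-C
 rd 192.168.0.1:70000
"""

def valid_rd(value):
    """Accept only the two forms in the post: ASN16:num32 or IPv4:num16."""
    admin, _, num = value.rpartition(":")
    if admin.isdecimal() and num.isdecimal():
        return int(admin) < 2**16 and int(num) < 2**32
    try:
        ipaddress.IPv4Address(admin)
    except ValueError:
        return False
    return num.isdecimal() and int(num) < 2**16

def audit(config):
    """Return findings: bad RDs and route targets imported across VRFs."""
    vrfs, vrf = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new section
            m = re.fullmatch(r"ip vrf (\S+)", line)
            vrf = vrfs.setdefault(m[1], {"rd": None, "import": set(), "export": set()}) if m else None
        elif vrf is not None and (m := re.fullmatch(r"rd (\S+)", line)):
            vrf["rd"] = m[1]
        elif vrf is not None and (m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)):
            for direction in ("import", "export") if m[1] == "both" else (m[1],):
                vrf[direction].add(m[2])
    findings = []
    for name, v in vrfs.items():
        if v["rd"] is None or not valid_rd(v["rd"]):
            findings.append(f"{name}: missing or malformed RD {v['rd']}")
        for other, o in vrfs.items():
            # An RT imported here and exported by another VRF pulls in that VRF's routes.
            for rt in sorted(v["import"] & o["export"]) if other != name else ():
                findings.append(f"{name}: imports RT {rt} exported by {other}")
    return findings
```

A cross-VRF import is sometimes intentional (for example a shared-services VRF), so each finding is something to review against the intended design, not automatically an error.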

In some of the following posts, I will present a VRF implementation based on a real environment topology, but until then I hope you have understood the basics of VRF functionality. It’s not hard to implement (in some cases it might be, due to local topologies and technology), and it can help you have more granular connections and make troubleshooting easier, especially in environments which have a lot of IP addresses under management.

  • http://shivlu.blogspot.com shivlu jain

    really good for new babies.

  • John Redding

    Thanks, this helped a lot for a guy new to VRFs

  • http://www.firstdigest.com Calin

    Shivlu, John thank you for your comments and I’m glad that it helped.

  • Sameer

    Really good!!!!!!! I got the basics of VRF
    Keep it up….

  • http://www.mplsvpn.info shivlu jain

    My blog is also full of SP and MPLSVPN :)
    Enjoy guys

  • Atif

    good one… helped me as well… as I am a newbie in the vrf world.

  • Andrew

    Good post!

    Keep sharing.

  • harrisonc

    Nice post. Do you have any idea where I could find some good information on creating a site to site VPN ASA to ASA? Thanks in advance.

  • S Siva

    Hi, Excellent explanation.. I just spotted one mistake, in point #3, it should say route-target {import/export/both} route-target-ext-community and not route-distinguisher… that’s just a typo though… very well written. Thanks,

    Siva

  • http://keephide.us how to hide ip address

    What type of VPN? Many commercial clients such as Cisco have a setting that does just that. If you’re trying to do it with the Microsoft vpn connection, you’ll have to set it up as a service.

  • Jim

    It's too bad Cisco chose to hack VRF into every single command that has to do with routing. That smells like a kludgy patch retro-fit. Now we always have to remember to tack the "vrf vrf-name" parameter onto everything! What they should have done is allow you to switch into a named VRF context, then from inside that do anything you would with a normal "physical" router, including show and config t. Oh well, gotta play the hand we're dealt I suppose.

  • Aimen

    Thank you, this was great and helped me to understand the basics of VRF

  • Ahmed

    many thanks

  • Awaghmode

    good info

  • Egelling

    I would share it, but the people I know are stupid

  • Jayaprakash (Jp)

    Good basics. 
    Thanks