
Continuing from my previous blog post about VRF-lite, this time I am testing it out on real gear.
No route in actual routing table
RXC#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
RXC#
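This is expected: VRF creates multiple routing tables on one physical router, and the routing tables are segregated between the production and guest networks. Every addressed interface on RXC belongs to one of the two VRFs, so nothing is left in the actual (global) routing table.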
Verify Production routing table
RXC#sh ip rout vrf production
Routing Table: production
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.10.2 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, Serial0/2
10.0.0.0/24 is subnetted, 1 subnets
C 10.100.10.0 is directly connected, FastEthernet0/0.10
S* 0.0.0.0/0 [1/0] via 192.168.10.2
RXC#
As you can see, I only see the Production routes here; none of the Guest routes appear. This makes production traffic virtually private from guest traffic.
Verify Guest routing table
RXC#sh ip route vrf guest
Routing Table: guest
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.20.2 to network 0.0.0.0
C 192.168.20.0/24 is directly connected, Serial0/3
10.0.0.0/24 is subnetted, 1 subnets
C 10.100.20.0 is directly connected, FastEthernet0/0.20
S* 0.0.0.0/0 [1/0] via 192.168.20.2
This is the Guest routing table. As with Production, it contains only the Guest routes.
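The comparison done by eye above can be scripted. The following Python is an added example, not part of the original post: it parses the route lines from the two outputs (copied inline), including the "is subnetted" line that supplies the mask for the subnets below it, and reports any non-default prefix, exit interface or next hop shared between the two tables. The function names are hypothetical, and it assumes the VRFs use distinct address space, as they do in this lab.

```python
import ipaddress
import re

# Route lines copied from the two "show ip route vrf" outputs above.
PRODUCTION = """\
C 192.168.10.0/24 is directly connected, Serial0/2
10.0.0.0/24 is subnetted, 1 subnets
C 10.100.10.0 is directly connected, FastEthernet0/0.10
S* 0.0.0.0/0 [1/0] via 192.168.10.2
"""
GUEST = """\
C 192.168.20.0/24 is directly connected, Serial0/3
10.0.0.0/24 is subnetted, 1 subnets
C 10.100.20.0 is directly connected, FastEthernet0/0.20
S* 0.0.0.0/0 [1/0] via 192.168.20.2
"""
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTE = re.compile(r"\s*[A-Za-z]\S*\s+(\d+\.\d+\.\d+\.\d+)(/\d+)?\s.*?(\S+)$")

def parse_routes(text):
    """Return {network: exit interface or next hop} for each route line."""
    routes, inherited = {}, ""
    for line in text.splitlines():
        parent = re.match(r"\s*\S+(/\d+) is subnetted", line)
        if parent:  # classic IOS prints the mask once for the subnets below it
            inherited = parent.group(1)
            continue
        m = ROUTE.match(line)
        if m and (m.group(2) or inherited):
            net = ipaddress.ip_network(m.group(1) + (m.group(2) or inherited))
            routes[net] = m.group(3)
    return routes

def cross_vrf_findings(table_a, table_b):
    """Assumes the VRFs use distinct address space, as in this lab."""
    a, b = parse_routes(table_a), parse_routes(table_b)
    findings = [f"prefix {n} is in both tables"
                for n in sorted((set(a) & set(b)) - {DEFAULT})]
    findings += [f"{t} is used by both tables"
                 for t in sorted(set(a.values()) & set(b.values()))]
    for src, other in ((a, b), (b, a)):
        for via in src.values():
            if re.fullmatch(r"[\d.]+", via) and any(
                    ipaddress.ip_address(via) in n for n in other if n != DEFAULT):
                findings.append(f"next hop {via} lies inside the other VRF")
    return findings

print(cross_vrf_findings(PRODUCTION, GUEST) or "no shared prefixes, interfaces or next hops")
```

Both tables carry 0.0.0.0/0, so the default prefix is excluded from the comparison; each VRF reaches it through its own next hop.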
Connectivity to Production internet
For this experiment, I have created a loopback interface on the Production router. I issue a normal ping to destination 1.1.1.1:
RXC#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
RXC#
This is normal because the actual routing table has no route at all. To test vrf connectivity:
RXC#ping vrf production 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
RXC#
1.1.1.1 is reached by looking it up in the production routing table.
Connectivity from Production internet to RXC serial 0/2
Production#ping
Protocol [ip]:
Target IP address: 192.168.10.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Connectivity to Guest internet
Issuing a normal ping to 2.2.2.2 (guest internet) will time out, because the actual routing table is empty.
RXC#ping vrf guest 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
RXC#
As with Production, the Guest routing table is referenced to reach 2.2.2.2 (Guest internet).
Connectivity from Guest internet to RXC serial0/3
Guest#ping
Protocol [ip]:
Target IP address: 192.168.20.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 2.2.2.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Guest#
Additional: Configuration of RXC
ip vrf guest
 description Guest traffic
ip vrf production
 description Production traffic
interface Serial0/2
 bandwidth 1000
 ip vrf forwarding production
 ip address 192.168.10.1 255.255.255.0
 clock rate 1000000
!
interface Serial0/3
 bandwidth 512
 ip vrf forwarding guest
 ip address 192.168.20.1 255.255.255.0
 clock rate 512000
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 description Production traffic
 encapsulation dot1Q 10
 ip vrf forwarding production
 ip address 10.100.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 description Guest traffic
 encapsulation dot1Q 20
 ip vrf forwarding guest
 ip address 10.100.20.1 255.255.255.0
!
ip route vrf guest 0.0.0.0 0.0.0.0 192.168.20.2
ip route vrf production 0.0.0.0 0.0.0.0 192.168.10.2
Note:
1. An IP address already assigned to a routed interface will be deleted if you enable ip vrf forwarding <name of vrf> on it, hence it is recommended that you declare ip vrf forwarding <name of vrf> before assigning the IP address.
2. ip vrf <name of the vrf> must be created in global configuration mode before using the ip vrf forwarding command.
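Both notes can be checked mechanically before a config is pasted into a router. The following Python is an added example, not part of the original post: it walks an IOS config in order and flags a VRF used before it is defined, ip vrf forwarding placed after ip address, and any addressed interface left outside a VRF (which would put it in the global table, outside the production/guest split). The sample config is constructed (Serial0/2 copies RXC; Serial0/3 and FastEthernet0/1 are deliberately wrong), and the function name audit_vrf_config is hypothetical.

```python
# Constructed sample: Serial0/2 repeats RXC's stanza; Serial0/3 and
# FastEthernet0/1 are deliberately misconfigured to trigger each check.
CONFIG = """\
ip vrf production
interface Serial0/2
 ip vrf forwarding production
 ip address 192.168.10.1 255.255.255.0
interface Serial0/3
 ip address 192.168.20.1 255.255.255.0
 ip vrf forwarding guest
interface FastEthernet0/1
 ip address 10.100.30.1 255.255.255.0
ip route vrf guest 0.0.0.0 0.0.0.0 192.168.20.2
"""

def audit_vrf_config(config):
    """Check command order (notes 1 and 2) and find interfaces outside any VRF."""
    defined, findings = set(), []
    iface, vrf, has_ip = None, None, False

    def close_stanza():
        # An address with no VRF binding ends up in the global routing table.
        if iface and has_ip and vrf is None:
            findings.append(f"{iface}: addressed but in no VRF (global table)")

    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs whose indentation was lost
        if line.startswith("interface "):
            close_stanza()
            iface, vrf, has_ip = line.split()[1], None, False
        elif line.startswith("ip vrf forwarding "):
            vrf = line.split()[3]
            if vrf not in defined:
                findings.append(f"{iface}: VRF '{vrf}' used before 'ip vrf {vrf}'")
            if has_ip:
                findings.append(f"{iface}: 'ip vrf forwarding' after 'ip address' removes the address")
        elif line.startswith("ip vrf "):
            defined.add(line.split()[2])
        elif line.startswith("ip address "):
            has_ip = True
        elif line.startswith("ip route vrf ") and line.split()[3] not in defined:
            findings.append(f"static route uses undefined VRF '{line.split()[3]}'")
    close_stanza()
    return findings

for finding in audit_vrf_config(CONFIG):
    print(finding)
```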