MPLS VPN building blocks
1. Virtual routing and forwarding (VRF) – This creates logical routing instances. Each virtual instance is separate, so one instance cannot reach another.
2. MP-BGP – BGP is extended to distribute MPLS VPN tags.
3. IGP – OSPF or IS-IS among the MPLS LSRs.
4. MPLS – Using LDP to distribute labels among MPLS enabled routers.

Virtual routing and forwarding (aka VRF)
1. VRF implemented without BGP, i.e. without import/export route targets (rt), is known as vrf-lite.
2. Each vrf instance must have one route distinguisher.
3. The route distinguisher (rd) distinguishes the vrf instances. The rd is 64 bits long and is prepended to the IPv4 address.
4. Two types of rd:
a. ASN:nn, where ASN is the autonomous system number assigned to you by IANA (in a lab environment, just define an arbitrary number); nn is any number you choose.
b. IP_address:nn, where nn is an arbitrary number you choose.
5. VRF allows overlapping ip addresses due to the use of rd. This is how it works:
if the rd is 100:10, it is prepended to the ip address to form a 96-bit address known as vpnv4: 100:10.192.168.1.10
6. It is imperative to assign the vrf to your interface first by specifying ip vrf forwarding test; otherwise the pre-configured ip address will be removed and you will need to reassign the ip address after you have specified the vrf instance on your interface.
7. VRF instance name and route distinguisher are locally significant to the router only.
Demonstration
vrf13#sh ip route | begin Gateway
Gateway of last resort is not set

     192.168.1.0/30 is subnetted, 2 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0.10
C       192.168.1.4 is directly connected, FastEthernet0/0.100
vrf13#

vrf14#sh ip route | begin Gateway
Gateway of last resort is not set

     192.168.1.0/30 is subnetted, 2 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0.10
C       192.168.1.4 is directly connected, FastEthernet0/0.100
vrf14#

These are the normal routing tables we expect to see every time we run show ip route.
The two routers can reach each other with a normal ping.

vrf14#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vrf14#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vrf14#

vrf13#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vrf13#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
vrf13#

Virtual routing and forwarding tables are created on each router, and each subinterface has been assigned an ip address and associated with its respective vrf instance.
vrf13#sh ip vrf
  Name                             Default RD          Interfaces
  t2                               32:1                Fa0/0.2
  t3                               3:1                 Fa0/0.3
  test                             13:1                Fa0/0.1
vrf13#

vrf14#sh ip vrf
  Name                             Default RD          Interfaces
  test                             14:1                Fa0/0.1
  test2                            2:1                 Fa0/0.2
  test3                            4:1                 Fa0/0.3
vrf14#

Each VRF instance is isolated from the others: a vrf instance cannot reach another vrf instance, and normal IP reachability cannot reach a vrf instance either.
vrf14#ping vrf test 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
vrf14#
vrf14#ping vrf test 1.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
vrf14#
vrf14#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
vrf14#

Overlapping IP addresses are possible thanks to the route distinguisher, which creates a 96-bit address (64-bit rd and 32-bit ipv4 address) known as the VPNv4 address family.
vrf14#sh ip int brief | include FastEthernet0/0
FastEthernet0/0            unassigned      YES manual up                    up
FastEthernet0/0.1          1.1.1.2         YES manual up                    up
FastEthernet0/0.2          1.1.1.2         YES manual up                    up
FastEthernet0/0.3          1.1.1.6         YES manual up                    up
FastEthernet0/0.10         192.168.1.2     YES manual up                    up
FastEthernet0/0.100        192.168.1.6     YES manual up                    up
vrf14#

This property makes VRF a component of MPLS VPN (encryption not included).
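The 64-bit rd plus 32-bit IPv4 address described in the rd list above and in the VPNv4 paragraph here, worked through in bytes as an added example that is not part of the original post. The byte layout follows RFC 4364 (an assumption, the post does not give it), the function names are hypothetical, and the entries are vrf13's three VRFs from the configuration below.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode 'ASN:nn' or 'IP_address:nn' as an 8-byte (64-bit) rd."""
    admin, _, number = rd.rpartition(":")
    if "." in admin:  # type 1: 4-byte IPv4 address + 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(number))
    # type 0: 2-byte ASN + 4-byte number (4-byte ASNs use type 2, not handled here)
    return struct.pack("!HHI", 0, int(admin), int(number))

def vpnv4(rd: str, ip: str) -> bytes:
    """Prepend the rd to the 32-bit IPv4 address: 12 bytes, 96 bits."""
    return encode_rd(rd) + ipaddress.IPv4Address(ip).packed

def build_table(entries):
    """Key one shared table by VPNv4 address; two VRFs on one key is a collision."""
    table = {}
    for vrf, rd, ip in entries:
        key = vpnv4(rd, ip)
        if table.setdefault(key, vrf) != vrf:
            raise ValueError(f"vrf {vrf} and vrf {table[key]} collide on {rd} {ip}")
    return table

# vrf13's three VRFs from the post: 1.1.1.1 appears twice, under different rds.
VRF13 = [("test", "13:1", "1.1.1.1"), ("t2", "32:1", "1.1.1.1"), ("t3", "3:1", "1.1.1.5")]

if __name__ == "__main__":
    for key, vrf in build_table(VRF13).items():
        print(f"{key.hex()}  vrf {vrf}")
    print(vpnv4("100:10", "192.168.1.10").hex())  # the rd 100:10 example from the text
```

Two VRFs that share both an rd and an address land on the same key and raise, which is why the rd has to differ wherever address space overlaps.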
Entire configuration for vrf13 and vrf14 routers
vrf13 router
!
ip vrf t2
 rd 32:1
!
ip vrf t3
 rd 3:1
!
ip vrf test
 rd 13:1
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding test
 ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding t2
 ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding t3
 ip address 1.1.1.5 255.255.255.252
!
interface FastEthernet0/0.10
 encapsulation dot1Q 20
 ip address 192.168.1.1 255.255.255.252
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.168.1.5 255.255.255.252
!
vrf14 router
!
ip vrf test
 rd 14:1
!
ip vrf test2
 rd 2:1
!
ip vrf test3
 rd 4:1
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding test
 ip address 1.1.1.2 255.255.255.252
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding test2
 ip address 1.1.1.2 255.255.255.252
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding test3
 ip address 1.1.1.6 255.255.255.252
!
interface FastEthernet0/0.10
 encapsulation dot1Q 20
 ip address 192.168.1.2 255.255.255.252
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.168.1.6 255.255.255.252
!
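A pre-deployment check for two rules from this post (assign the vrf before the ip address; the same subnet may repeat across vrf instances but not inside one), as an added example that is not part of the original post. The sample config is constructed from vrf14's stanzas plus two deliberately broken subinterfaces, and the audit function is hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: three vrf14 stanzas from the post plus two deliberately
# broken ones (Fa0/0.4 has the commands reversed, Fa0/0.5 reuses test2's subnet).
CONFIG = """\
interface FastEthernet0/0.1
 ip vrf forwarding test
 ip address 1.1.1.2 255.255.255.252
interface FastEthernet0/0.2
 ip vrf forwarding test2
 ip address 1.1.1.2 255.255.255.252
interface FastEthernet0/0.4
 ip address 1.1.1.10 255.255.255.252
 ip vrf forwarding test3
interface FastEthernet0/0.5
 ip vrf forwarding test2
 ip address 1.1.1.1 255.255.255.252
interface FastEthernet0/0.10
 ip address 192.168.1.2 255.255.255.252
"""

def audit(config):
    """Return ({vrf: [(interface, network)]}, findings) for interface stanzas."""
    tables, findings = defaultdict(list), []
    name = vrf = net = None
    def close():  # file the finished stanza under its own vrf's table
        if name is None or net is None:
            return
        for other, other_net in tables[vrf]:
            if net.overlaps(other_net):  # a conflict only inside one vrf
                findings.append(f"{name}: {net} overlaps {other} in vrf {vrf}")
        tables[vrf].append((name, net))
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes last
        words = line.split()
        if words[:1] == ["interface"]:
            close()
            name, vrf, net = words[1], "global", None
        elif words[:3] == ["ip", "vrf", "forwarding"]:
            if net is not None:  # address was configured first and is removed
                findings.append(f"{name}: ip address precedes ip vrf forwarding")
                net = None
            vrf = words[3]
        elif words[:2] == ["ip", "address"]:
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
    return dict(tables), findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)[1]))
```

Fa0/0.1 and Fa0/0.2 share 1.1.1.0/30 without a finding because they sit in different tables, while Fa0/0.10 has no vrf and is filed under the global table.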
Maybe this is a very, very stupid question, but I'm new to VRF-lite.
Question is, from the config I see that both the VRF names and RDs are also different, and we have overlapping IP subnets as well. Then how does the router create a 1-2-1 mapping between the two end points for all the subinterfaces? I didn't quite understand that part. Thanks.
Hi SV,
I am new to VRF lite as well 🙂 MPLS and MPLS VPN technology as a whole is new to me, and no question or doubt is stupid 🙂
Actually, even without an RD assigned it will still work for VRF lite (see the packetlife example: only VRF instances were defined, there were no RDs at all). The thing about the RD is that it is not there to identify the VPN instance or VRF instance; the vrf instance assigned on each subinterface is what makes the difference for VRF lite.
Example for this:
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding test3
 ip address 1.1.1.6 255.255.255.252
When I ping, I need to ping through the vrf instance; for example, I want to ping vrf test3, which refers to fa0/0.3.
Each VRF instance has its own routing table. The reason the same IP addresses do not conflict is actually the instances, not the RD.
Also the VRF name and RD are locally significant to the router, what is important is the RT which is useless in VRF lite. VRF lite = VRF – (MPLS + MP-BGP).
I agree with Cyrus.
RDs are to form VPNv4 routes in MP-BGP tables.
VRF-lite just puts interfaces and routes into the separate routing table specific to the particular instance.
You can create cross-VRF static routes by specifying the outbound interface along with the next hop IP, though. Or route from a VRF to the global routing table by specifying “global” at the end of the ip route command.
Thanks Andrey for taking the time to look into this post and clear the doubts 🙂 I was afraid what I replied might be misleading 😀 Thanks!!