MPLS VPN: VRF

MPLS VPN building blocks

1. Virtual routing and forwarding (VRF) – This creates logical routing instances; each instance is separated from the others, so one instance cannot reach another.

2. MP-BGP – BGP is extended to distribute MPLS VPN labels (tags).

3. IGP – OSPF or IS-IS among the MPLS LSRs.

4. MPLS – Using LDP to distribute labels among MPLS enabled routers.

This simple diagram will demonstrate the use of several vrf instances.

Virtual routing and forwarding (aka VRF)

1. VRF when not implemented with BGP, i.e. without import/export route targets (rt), is known as vrf-lite.

2. Each vrf instance must have one route distinguisher.

3. The route distinguisher is what tells the vrf instances apart. The rd is 64 bits long and is prepended to the IPv4 address.

4. Two types of rd:

a. ASN:nn, where ASN is the autonomous system number assigned to you by IANA (in a lab environment just define an arbitrary number) and nn is any number you choose.

b. IP_address:nn, where nn is an arbitrary number you choose.

5. VRF allows overlapping ip addresses because of the rd. This is how it works:

If the rd is 100:10, the rd is prepended to the ip address to form a 96-bit long address known as a vpnv4 address: 100:10.192.168.1.10

6. It is imperative to assign the vrf to your interface with ip vrf forwarding test before configuring the ip address; otherwise the pre-configured ip address is removed when the vrf is applied, and you need to enter the ip address one more time after you have assigned the vrf instance to the interface.

7. The VRF instance name and route distinguisher are locally significant to the router only.

Demonstration


vrf13#sh ip route | begin Gateway
Gateway of last resort is not set

     192.168.1.0/30 is subnetted, 2 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0.10
C       192.168.1.4 is directly connected, FastEthernet0/0.100
vrf13#

vrf14#sh ip route | begin Gateway
Gateway of last resort is not set

     192.168.1.0/30 is subnetted, 2 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0.10
C       192.168.1.4 is directly connected, FastEthernet0/0.100
vrf14#

These are the normal (global) routing tables we expect to see every time we do show ip route.

The two routers can reach each other via a normal ping.


vrf14#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vrf14#ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vrf14#

vrf13#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vrf13#ping 192.168.1.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
vrf13#

Virtual routing and forwarding tables are created on each router, and each sub-interface has been assigned an ip address and associated with its respective vrf instance.


vrf13#sh ip vrf
  Name                             Default RD          Interfaces
  t2                               32:1                Fa0/0.2
  t3                               3:1                 Fa0/0.3
  test                             13:1                Fa0/0.1
vrf13#

vrf14#sh ip vrf
  Name                             Default RD          Interfaces
  test                             14:1                Fa0/0.1
  test2                            2:1                 Fa0/0.2
  test3                            4:1                 Fa0/0.3
vrf14#

Each VRF instance is isolated from the others: a vrf instance cannot reach another vrf instance, and normal (global) IP reachability cannot reach a vrf instance either.


vrf14#ping vrf test 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
vrf14#

vrf14#ping vrf test 1.1.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
vrf14#

vrf14#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
vrf14#

Overlapping IP addresses are possible thanks to the route distinguisher, which creates a 96-bit address (64-bit rd plus 32-bit ipv4 address) known as a VPNv4 address.


vrf14#sh ip int brief | include FastEthernet0/0
FastEthernet0/0            unassigned      YES manual up                    up
FastEthernet0/0.1          1.1.1.2         YES manual up                    up
FastEthernet0/0.2          1.1.1.2         YES manual up                    up
FastEthernet0/0.3          1.1.1.6         YES manual up                    up
FastEthernet0/0.10         192.168.1.2     YES manual up                    up
FastEthernet0/0.100        192.168.1.6     YES manual up                    up
vrf14#

This isolation property is what makes VRF a component of MPLS VPN (encryption is not included; VRF provides separation, not confidentiality).
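An added example (not code from this post): it encodes the two rd formats from item 4, forms the 96-bit VPNv4 address from item 5, and models vrf14's per-VRF tables to reproduce the three ping results shown above. VrfLiteRouter, build_vrf14 and their methods are hypothetical names; the IOS commands each one imitates are noted in comments.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """8-byte RD wire form (RFC 4364): 'ASN:nn' is type 0, 'A.B.C.D:nn' is type 1."""
    admin, _, num = rd.partition(":")
    if "." in admin:                                    # IP_address:nn
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))  # ASN:nn (assumes 2-byte ASN)

def vpnv4_address(rd: str, host: str) -> bytes:
    """64-bit RD prepended to the 32-bit IPv4 address gives the 96-bit VPNv4 address."""
    return encode_rd(rd) + ipaddress.IPv4Address(host).packed

class VrfLiteRouter:
    """Hypothetical model: one routing table per VRF plus the global table (key None)."""
    def __init__(self):
        self.tables, self.rds = {None: {}}, {}

    def ip_vrf(self, name: str, rd: str) -> None:       # 'ip vrf <name>' then 'rd <rd>'
        self.tables[name] = {}
        self.rds[name] = rd

    def connected(self, vrf, addr: str) -> None:
        """'ip vrf forwarding <vrf>' (None = global) followed by 'ip address ...'."""
        self.tables[vrf][ipaddress.IPv4Interface(addr).network] = "directly connected"

    def lookup(self, vrf, dst: str):
        """Longest-prefix match in that VRF's own table only; None means unreachable."""
        d = ipaddress.IPv4Address(dst)
        hits = [n for n in self.tables.get(vrf, {}) if d in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

    def vpnv4(self, vrf: str, host: str) -> bytes:
        """What MP-BGP would carry for a host in this VRF: its RD plus the IPv4 address."""
        return vpnv4_address(self.rds[vrf], host)

def build_vrf14() -> VrfLiteRouter:
    """Constructed from the vrf14 configuration shown in the post."""
    r = VrfLiteRouter()
    for name, rd in (("test", "14:1"), ("test2", "2:1"), ("test3", "4:1")):
        r.ip_vrf(name, rd)
    r.connected("test", "1.1.1.2/30")    # Fa0/0.1
    r.connected("test2", "1.1.1.2/30")   # Fa0/0.2, same subnet as VRF test: no conflict
    r.connected("test3", "1.1.1.6/30")   # Fa0/0.3
    r.connected(None, "192.168.1.2/30")  # Fa0/0.10, global table
    r.connected(None, "192.168.1.6/30")  # Fa0/0.100, global table
    return r
```

With this model, lookup("test", "1.1.1.1") returns 1.1.1.0/30 while lookup("test", "1.1.1.5") and lookup(None, "1.1.1.1") return None, matching the three ping results above. vpnv4("test", "1.1.1.2") and vpnv4("test2", "1.1.1.2") differ only in their first eight RD bytes, which is what lets MP-BGP carry both overlapping routes.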

Entire configuration for vrf13 and vrf14 routers
vrf13 router

!
ip vrf t2
 rd 32:1
!
ip vrf t3
 rd 3:1
!
ip vrf test
 rd 13:1
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding test
 ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding t2
 ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding t3
 ip address 1.1.1.5 255.255.255.252
!
interface FastEthernet0/0.10
 encapsulation dot1Q 20
 ip address 192.168.1.1 255.255.255.252
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.168.1.5 255.255.255.252
!

vrf14 router

!
ip vrf test
 rd 14:1
!
ip vrf test2
 rd 2:1
!
ip vrf test3
 rd 4:1
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding test
 ip address 1.1.1.2 255.255.255.252
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding test2
 ip address 1.1.1.2 255.255.255.252
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding test3
 ip address 1.1.1.6 255.255.255.252
!
interface FastEthernet0/0.10
 encapsulation dot1Q 20
 ip address 192.168.1.2 255.255.255.252
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.168.1.6 255.255.255.252
!

4 Responses to MPLS VPN: VRF

  1. SV says:

    Maybe this is a very very stupid question.. but I'm new to VRF-lite..

    My question is, from the config I see that both the VRF names and RDs are different, and we have overlapping IP subnets as well. Then how does the router create a 1-to-1 mapping between the two end points for all the subinterfaces? I didn't quite understand that part. Thanks.

  2. cyruslab says:

    Hi SV,

    I am new to VRF lite as well 🙂 MPLS and MPLS VPN technology as a whole are new to me, and no question or doubt is stupid 🙂
    Actually, even without an RD assigned it will still work for VRF lite (see the packetlife example: only VRF instances were defined, there was no RD at all). The thing about the RD is that it is not there to identify the VPN instance or VRF instance; the VRF instance assigned on each sub-interface is what makes the difference for VRF lite.

    example for this:

    interface FastEthernet0/0.3
    encapsulation dot1Q 3
    ip vrf forwarding test3
    ip address 1.1.1.6 255.255.255.252

    When I ping I need to ping through the VRF instance, for example if I want to ping VRF test3, which refers to fa0/0.3.
    Each VRF instance has its own routing table. The trick that lets the same IP addresses coexist without conflict is actually the instances, not the RD.

    Also the VRF name and RD are locally significant to the router; what is important is the RT, which is useless in VRF lite. VRF lite = VRF – (MPLS + MP-BGP).

    • Andrey says:

      I agree with Cyrus.

      RDs are to form VPNv4 routes in MP-BGP tables.
      VRF-lite just puts interfaces and routes into the separate routing table specific to the particular instance.

      You can create cross-VRF static routes by specifying the outbound interface along with the next hop IP though. Or route from a VRF to the global routing table by specifying “global” at the end of the ip route command.

  3. cyruslab says:

    Thanks Andrey for taking the time to look into this post and clear the doubts 🙂 I was afraid what I replied might be misleading 😀 Thanks!!
