Cisco: The basics about VRF implementation

VRF, meaning Virtual Routing and Forwarding, is a technology implemented in IP network routers that allows multiple instances of a routing table to exist on the same router at the same time. Since each VRF is independent, the same IP subnet can exist in two different VRFs. Basically, you can use the same IP address in two VRFs without them conflicting with each other. Even though this is possible, I would not suggest doing so unless you have a very good reason to.

Another meaning of VRF is VPN Routing and Forwarding, which is a key element in Cisco's MPLS (Multiprotocol Label Switching) VPN technology. Internet service providers often take advantage of VRF to create separate virtual private networks (VPNs) for customers. Some advantages of using this technology are that an ISP can provision scalable IP MPLS VPN services, generate reports (e.g. audits for services), support Service Level Agreement (SLA) contracts and more.

To summarize, virtual networks enable administrators to split a physical link into multiple virtual links, completely isolated from one another. Typically, a virtual network will be dedicated to traffic from a specific application or from specific users or customers.


Now that we have clarified the basics of what VRF is and how it works, let's see where VRF is used the most. As you may have guessed already, this is in the MPLS VPN environment: in today's business, granularity is very important, and VRF helps network engineers isolate traffic and provide security for customers in an ISP environment, or separate services in an Intranet environment. As you probably already know, MPLS functionality is based on P (Provider) routers, PE (Provider Edge) routers and CE (Customer Edge) routers. Each of these routers must be configured in order for MPLS to work within an enterprise's architecture. I will describe the MPLS technology a little, so you can better understand the topology presented below and the configuration example that follows:

(Figure: VRF Implementation topology)

As you can see from the topology, one PE router can hold and manage multiple virtual routing tables, one for each customer that an ISP has. If you are running in a private environment (e.g. Intranet), you can use MPLS VPN to separate services (e.g. office, development...). The basic functionality is the same, and I'll show you below how to implement VRFs.

The actual configuration of VRFs is not a complicated task. There are two main components to a VRF: the route distinguisher (RD) and the route target (RT).

The route distinguisher (RD) is a number which helps identify a VPN in a provider's network and allows for overlapping IP space.

The route target (RT) indicates the VPN membership of a route and allows VPN routes to be imported into or exported out of your VRFs. The RT functions a little like a routing policy, determining how routes are distributed throughout the particular VPN.

The RD / RT is an 8-byte (64-bit) number which can be written down in one of the following forms:

16-bit AS number : 32-bit number
(e.g.) 65000:100

or

32-bit IP address : 16-bit number
(e.g.) 192.168.0.1:10

Usually the first form is used.

For a very basic VRF configuration, follow these steps:

1. Enter VRF configuration mode and assign a VRF name.

Router(config)# ip vrf vrf-name

2. Create a VPN route distinguisher (RD), following either the 16-bit ASN:32-bit number or the 32-bit IP:16-bit number form explained above.

Router(config-vrf)# rd route-distinguisher

3. Create a list of import and/or export route target communities for the specified VRF. The argument is a route target extended community, written in the same ASN:number or IP:number form as the RD (it does not have to be equal to the RD).

Router(config-vrf)# route-target {import | export | both} route-target-ext-community

4. (Optional step) Associate the specified route map with the VRF.

Router(config-vrf)# import map route-map

5. Specify an interface and enter interface configuration mode.

Router(config)# interface type number

6. Associate the VRF with the interface or subinterface (this command is entered in interface configuration mode).

Router(config-if)# ip vrf forwarding vrf-name
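The RD / RT formats above and steps 1 to 6 together, as an added Python example (my own, not from the original post or from Cisco): it validates both notations, encodes them to the 8-byte wire form used in MPLS VPN (RFC 4364 type 0 and type 1), shows that the same prefix under two RDs stays distinct, and renders the IOS command sequence with the VRF attached before the interface address. VRF names, RD/RT values and interfaces are constructed for illustration.

```python
import ipaddress
import struct

def parse_rd(text: str) -> bytes:
    """Validate 'ASN:number' (type 0) or 'A.B.C.D:number' (type 1) and
    return the 8-byte wire encoding: 2-byte type + 6-byte value."""
    admin, sep, assigned = text.partition(":")
    if not sep or not assigned.isdigit():
        raise ValueError(f"bad RD/RT syntax: {text!r}")
    num = int(assigned)
    if "." in admin:  # type 1: 4-byte IPv4 administrator, 16-bit number
        if num > 0xFFFF:
            raise ValueError("IP:number form allows only a 16-bit number")
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, num)
    asn = int(admin)  # type 0: 16-bit ASN, 32-bit number
    if asn > 0xFFFF or num > 0xFFFFFFFF:
        raise ValueError("ASN:number form needs a 16-bit ASN and a 32-bit number")
    return struct.pack("!HHI", 0, asn, num)

def is_valid_rd(text: str) -> bool:
    """Input-validation helper around parse_rd (e.g. for config generators)."""
    try:
        parse_rd(text)
        return True
    except ValueError:
        return False

def vpnv4_key(rd: str, prefix: str) -> bytes:
    """RD prepended to the prefix is what keeps the same subnet distinct
    across two VRFs (the overlapping IP space the post mentions)."""
    net = ipaddress.IPv4Network(prefix)
    return parse_rd(rd) + net.network_address.packed + bytes([net.prefixlen])

def vrf_config(name, rd, route_targets, interfaces):
    """Render steps 1 to 6 as IOS commands. route_targets: list of
    (direction, value); interfaces: list of (interface, 'address mask')."""
    parse_rd(rd)
    lines = [f"ip vrf {name}", f" rd {rd}"]
    for direction, value in route_targets:
        if direction not in ("import", "export", "both"):
            raise ValueError(f"bad route-target direction: {direction}")
        parse_rd(value)
        lines.append(f" route-target {direction} {value}")
    for intf, addr in interfaces:
        # VRF first, address second: IOS drops an address that was already
        # on the interface when 'ip vrf forwarding' is applied.
        lines += [f"interface {intf}", f" ip vrf forwarding {name}", f" ip address {addr}"]
    return "\n".join(lines)
```

Calling vrf_config("CUST-A", "65000:100", [("both", "65000:100")], [("GigabitEthernet0/1.100", "10.1.1.1 255.255.255.0")]) prints the six-step sequence for one customer; a second VRF with RD 65000:200 can reuse 10.1.1.0/24 on another subinterface of the same PE.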

To check your configuration, you can use the ping or traceroute tools in the Cisco CLI, but remember that you have to add the "vrf vrf-name" parameter:

Router# ping vrf vrf-name IP-address

You can also check the virtual routing table:

Router# show ip route vrf vrf-name

In some of the following posts I will present a VRF implementation based on a real environment topology, but until then I hope you have understood the basics of VRF functionality. It's not hard to implement (although from case to case it might be, due to local topologies and technology), but it can give you more granular connections and makes troubleshooting easier, especially in environments which have a lot of IP addresses under management.

Published by

Calin

Calin is a network engineer, with more than 20 years of experience in designing, installing, troubleshooting, and maintaining large enterprise WAN and LAN networks.

29 thoughts on “Cisco: The basics about VRF implementation”

  1. Nice post. Do you have any idea where I could find some good information on creating a site to site VPN ASA to ASA? Thanks in advance.

  2. Hello, just thought I would tell you something... This is twice now I've landed on your blog in the last 2 weeks searching for completely unrelated things. Spooky or what? If you'd like to exchange links with us, please let me know.

  3. Hi, excellent explanation. I just spotted one mistake: in point #3, it should say route-target {import/export/both} route-target-ext-community and not route-distinguisher... that's just a typo though. Very well written. Thanks,

    Siva

  4. What type of VPN? Many commercial clients such as Cisco have a setting that does just that. If you’re trying to do it with the Microsoft vpn connection, you’ll have to set it up as a service.

  5. The difficulty using Plr content is buyers do not make use of it effectively. People ought to either make use of it to find suggestions for things to write about or entirely re-write it or spin and rewrite it and afterward put his or her own identify on it.

  6. It's too bad Cisco chose to hack VRF into every single command that has to do with routing. That smells like a kludgy patch retro-fit. Now we always have to remember to tack the "vrf vrf-name" parameter onto everything! What they should have done is allow you to switch into a named VRF context, then from inside that do anything you would with a normal "physical" router, including show and config t. Oh well, gotta play the hand we're dealt I suppose.

  7. Hello,
    I'd like to practice VRF. I have two 2800 routers.
    I connected both through interface fast 0/0.
    One router may be a CE and the other a PE.
    Should I configure VRF on both routers or only on the PE one?
    Another question: should I configure ip vrf forwarding only on the fast 0/0 interface that connects to
    the other router, or also on the LAN interface fast 0/1 to which I connect my PC?
    Thank you
    Ziv

  8. Hello Ziv,

    If you're looking for a standard PE-CE relation in an MPLS environment, the VRF is configured on the PE side. The CE (customer) has no idea what a VRF is. So, for your 1st question, you need to configure VRF forwarding on the Fa0/0 of the PE router.

    Of course there are exceptions to the above standard. For example, you, as a customer, want to completely segregate the traffic in your own environment. The provider transports two VRFs up to the PE, and on your CE you configure VRF on the L3 interfaces to the PE (either two physical connections to the PE, or one physical connection with subinterfaces).

    This is called VRF lite and has nothing to do with MPLS VPN, as you configure only the RD part under the VRF definitions.

    If you take the above approach, to answer your 2nd question, you can "push" the VRF in your environment down to the L3 point of your LAN (let's say the Core devices), so then you need VRF on the connection from the CE to the Core devices.

    It's all about which path you're taking and how you want to structure your infrastructure.

    HTH,
    Calin

  9. Hello Calin
    thanks for your reply.
    What I intend to do is very basic. I just connected two routers to each other in my lab to practice VRFs.
    There is no MPLS involved and no other networks or provider.
    I'd like to establish a connection between two PCs, each of them connected to a router on a LAN interface, and the two routers are also connected to each other by LAN interfaces via a direct cable.
    I guess I need to configure the VRF lite you mentioned in your reply.
    I configured EIGRP on both routers and ping is running between the PCs.
    As soon as I configure the VRF on both routers the ping stops.
    The configuration I entered is also very basic. On each router I configured the following:
    # ip vrf a
    # rd 1:1
    # int fast 0/0
    # ip vrf forwarding a
    # ip address 10.10.10.1
    # router eigrp 100
    # network 10.10.10.0
    # network 20.20.20.0 (for the LAN end where the PC connects)
    # address family ipv4 vrf a
    # no auto summary

    What am I missing? Why has the ping stopped?
    Thank you

    1. Hi Ziv,

      in your case the answer is pretty simple. You have the interface in the VRF, but you're advertising the IP subnets from outside the VRF (the default routing table) inside EIGRP.
      Your interfaces are in one routing table but you actually route your prefixes in another one.

      If you want VRF Lite end-to-end connectivity, this should look like this:

      PC1 (NO VRF) -> (VRF A LAN) R1 (VRF A WAN) -> (VRF A WAN) R2 (VRF A LAN) -> (NO VRF) PC2

      Of course the routing protocol (in your case EIGRP) should have the mentioned subnets inside the VRF address-family.

      Let me know if this is working for you!

      Cheers,
      Calin
