VRF-lite (Virtual Routing and Forwarding without MPLS) is a handy construct for keeping traffic segregated within a network: one router holds several independent routing tables, each with its own interfaces and its own routing process. It can be thought of as the Layer 3 counterpart of a VLAN.
One customer with a number of branch offices has a Cisco CallManager solution spanning those sites. Each site has an internet connection. Three sites are in a single metro area and are linked with metro links as well as tunnels. A fourth site is in another country. The three sites are linked to the fourth site through IPsec tunnels. Four different providers are used.
From a real usage perspective, there are six tunnels of consequence: the three tunnels from the metro area to the single site, and the three return tunnels from the single site to the three grouped metro sites. Each of those six tunnels can be rated by a voice quality metric built from measured delay, jitter, and loss.
The design puzzle was to come up with a mechanism to route data across one set of tunnels and voice across a different set, in order to make best use of those measurements. Using Policy Based Routing (PBR) was one solution but was rejected due to its scalability problems (i.e., the lack thereof): every path preference becomes a hand-maintained route map with no automatic failover when a tunnel degrades.
The idea that was finally implemented was to use VRFs to segregate voice from data while still allowing one to reach the other. The design yielded side benefits: it keeps guest traffic separate, it provides a way to carry external addresses to different parts of the network, and it provides a mechanism to improve secure access to network devices.
VRFs allow a routing process per VRF, so each traffic class gets the routing protocol's built-in route selection and failover. By assigning costs to particular routes (in OSPF, through interface cost or bandwidth), each VRF's preferred path can be chosen by whatever criteria you like.
As indicated by another auditing consultant, the configuration does turn complex, but no suitable alternative solution was offered, which says something in itself. Perhaps others can offer up something better; I am open to suggestions.
In the example, 192.18.x.x addresses stand in for external (public) addresses and 192.168.x.x for internal addresses; substitute your own public space when reusing this (the RFC 5737 documentation prefixes are the conventional choice for published examples). Interface s0/0/0 is the external internet interface, f0/0 is a trunked interface to the interior network, and f0/1 is an interface to the firewall.
As you can see, there is an OSPF routing process per VRF, which allows independent routing of each traffic type.
The example incorporates a number of features I've encountered in my searches of Cisco's documentation sites, Cisco's forums, Cisco's TAC, and Cisco's 'Implementing MPLS VPN' two-volume book set.
The example highlights a number of functions:
- make internet-connected links members of an external VRF (vrfExterior)
- external addresses can therefore be routed between buildings and providers
- external addresses can therefore cross-pollinate firewalls as a measure of redundancy
- make internal links members of the global routing table with RFC 1918 addresses
- external addresses are kept separate from internal addresses
- allows flexible use of equipment when hardware budgets are restricted
- IPsec-encrypted tunnels (VTIs, `tunnel mode ipsec ipv4`) can carry VRFs between sites: the tunnel interface itself sits in the VRF being carried (`ip vrf forwarding`), while `tunnel vrf vrfExterior` sends the encrypted packets out through the exterior VRF
- each inter-site tunnel requires a separate loopback as its source (per Cisco's docs), because every VTI needs a unique source/destination pair
- a Guest VRF is kept totally separate from the Corporate Voice and Data networks: it imports and exports only its own route target and has no BGP address family
- Multiprotocol BGP is used to route between vrfData and vrfVoice: each VRF imports the other's route target, and OSPF routes are redistributed into the VRF address family and back out, all on one box with no MPLS or BGP neighbours. Note that this leaks reachability, not policy: once a prefix is imported, nothing in this configuration filters voice-to-data traffic, so any restriction between the two must come from ACLs or the firewall
- special attention must be paid to the redistribution statements to make best use of OSPF internal, external 1 and external 2 routes. Routes arriving from BGP are injected into OSPF as external 2 by default, so excluding external 2 from the OSPF-to-BGP redistribution (`match internal external 1` under vrfData; no `match` clause under vrfVoice, which IOS treats as internal only) stops routes learned from the other VRF from being exported straight back to it
- with careful redistribution, `show ip route vrf vrfVoice` shows which routes originate in the VRF (O, O IA) and which were leaked in (O E2), which facilitates troubleshooting and documentation
- some will argue that carrying guest traffic on the corporate hardware is a no-no; how do others feel about that?
If you have comments on how to improve the configuration, I'm all ears.
I hope this helps others come up to speed with how VRF-lite can become part of everyone's routing/switching toolset. And of course, I'm always open to consulting gigs if anyone would like some assistance.
!
ip cef
!
ip vrf vrfData
description Server, Workstation, Printer data
rd 65400:300
route-target export 65400:300
route-target import 65400:300
route-target import 65400:400
!
ip vrf vrfExterior
description Exterior BGP routed data
rd 65400:200
route-target export 65400:200
route-target import 65400:200
!
ip vrf vrfGuest
description Guest Wireless & Wired
rd 65400:500
route-target export 65400:500
route-target import 65400:500
!
ip vrf vrfVoice
description Voice Servers, Phones & Gateways
rd 65400:400
route-target export 65400:400
route-target import 65400:400
route-target import 65400:300
!
!
! The 0.0.0.0 0.0.0.0 wildcard accepts any IKE peer that presents this key;
! with a fixed set of remote loopbacks, one pre-shared-key line per peer
! address is the tighter choice.
crypto keyring key4Exterior vrf vrfExterior
pre-shared-key address 0.0.0.0 0.0.0.0 key
!
! group 2 is 1024-bit Diffie-Hellman; prefer group 14 or higher where the
! IOS image supports it.
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto ipsec transform-set transForTunnels esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile profForTunnels
set transform-set transForTunnels
!
interface Loopback10000
description OSPF ID
ip address 192.168.5.254 255.255.255.255
!
interface Loopback10001
description eBGP ID
ip vrf forwarding vrfExterior
ip address 192.18.164.191 255.255.255.255
!
interface Loopback10011
description Global Routing
ip vrf forwarding vrfExterior
ip address 192.18.10.1 255.255.255.255
!
interface Loopback10012
description vrfExterior
ip vrf forwarding vrfExterior
ip address 192.18.10.2 255.255.255.255
!
interface Loopback10013
description vrfData
ip vrf forwarding vrfExterior
ip address 192.18.10.3 255.255.255.255
!
interface Loopback10014
description vrfVoice
ip vrf forwarding vrfExterior
ip address 192.18.10.4 255.255.255.255
!
interface Loopback20000
ip vrf forwarding vrfExterior
ip address 192.168.5.224 255.255.255.255
!
interface Loopback30000
ip vrf forwarding vrfData
ip address 192.168.5.225 255.255.255.255
!
interface Loopback40000
ip vrf forwarding vrfVoice
ip address 192.168.5.226 255.255.255.255
!
interface Loopback50000
ip vrf forwarding vrfGuest
ip address 192.168.5.227 255.255.255.255
!
interface Tunnel100101
description Global Building1 - Building2
bandwidth 1000
ip address 192.168.5.69 255.255.255.252
ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5
ip ospf mtu-ignore
load-interval 30
qos pre-classify
keepalive 10 3
tunnel source Loopback10011
tunnel destination 192.18.20.1
tunnel mode ipsec ipv4
tunnel vrf vrfExterior
tunnel protection ipsec profile profForTunnels
max-reserved-bandwidth 100
service-policy output pmShapeTunnels
!
!
interface Tunnel200101
description vrfExterior Building1 - Building2
bandwidth 1000
ip vrf forwarding vrfExterior
ip address 192.168.5.77 255.255.255.252
ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5
ip ospf mtu-ignore
load-interval 30
qos pre-classify
keepalive 10 3
tunnel source Loopback10012
tunnel destination 192.18.20.2
tunnel mode ipsec ipv4
tunnel vrf vrfExterior
tunnel protection ipsec profile profForTunnels
max-reserved-bandwidth 100
service-policy output pmShapeTunnels
!
interface Tunnel300101
description vrfData Building1 - Building2
bandwidth 1000
ip vrf forwarding vrfData
ip address 192.168.5.65 255.255.255.252
ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5
ip ospf mtu-ignore
load-interval 30
qos pre-classify
keepalive 10 3
tunnel source Loopback10013
tunnel destination 192.18.20.3
tunnel mode ipsec ipv4
tunnel vrf vrfExterior
tunnel protection ipsec profile profForTunnels
max-reserved-bandwidth 100
service-policy output pmShapeTunnels
!
interface Tunnel400101
description vrfVoice Building1 - Building2
bandwidth 1000
ip vrf forwarding vrfVoice
ip address 192.168.5.73 255.255.255.252
ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5
ip ospf mtu-ignore
load-interval 30
qos pre-classify
keepalive 10 3
tunnel source Loopback10014
tunnel destination 192.18.20.4
tunnel mode ipsec ipv4
tunnel vrf vrfExterior
tunnel protection ipsec profile profForTunnels
max-reserved-bandwidth 100
service-policy output pmShapeTunnels
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
no ip address
ip route-cache flow
load-interval 30
duplex auto
speed auto
service-policy output pmFastEthernet
!
interface FastEthernet0/0.199
description Global Routing
encapsulation dot1Q 199
ip address 192.168.5.26 255.255.255.248
ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5
!
interface FastEthernet0/0.299
description vrfExterior
encapsulation dot1Q 299
ip vrf forwarding vrfExterior
ip address 192.168.5.106 255.255.255.248
ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5
!
interface FastEthernet0/0.399
description vrfData
encapsulation dot1Q 399
ip vrf forwarding vrfData
ip address 192.168.5.34 255.255.255.248
ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5
!
interface FastEthernet0/0.499
description vrfVoice
encapsulation dot1Q 499
ip vrf forwarding vrfVoice
ip address 192.168.5.122 255.255.255.248
ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5
!
interface FastEthernet0/0.599
description vrfGuest
encapsulation dot1Q 599
ip vrf forwarding vrfGuest
ip address 192.168.5.130 255.255.255.248
ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5
!
interface FastEthernet0/1
description to Firewall
ip vrf forwarding vrfExterior
ip address 192.18.10.11 255.255.255.248
ip route-cache flow
load-interval 30
duplex auto
speed auto
no cdp enable
service-policy output pmFastEthernet
!
interface Serial0/0/0:0
description Internet Access
no ip address
encapsulation frame-relay IETF
ip route-cache flow
load-interval 30
frame-relay lmi-type ansi
max-reserved-bandwidth 100
service-policy output pmShapeSerialInterface
!
interface Serial0/0/0:0.1 point-to-point
description Frame Relay to internet
ip vrf forwarding vrfExterior
ip address 192.18.10.33 255.255.255.252
ip access-group aclBlockInbound in
ip access-group aclBlockOutbound out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
frame-relay interface-dlci 170 IETF
!
router ospf 200 vrf vrfExterior
router-id 192.168.5.224
log-adjacency-changes
auto-cost reference-bandwidth 10000
capability vrf-lite
passive-interface FastEthernet0/1
passive-interface Serial0/0/0:0.1
passive-interface Loopback10001
passive-interface Loopback10011
passive-interface Loopback10012
passive-interface Loopback10013
passive-interface Loopback10014
passive-interface Loopback20000
network 192.168.5.56 0.0.0.7 area 0
network 192.168.5.76 0.0.0.3 area 0
network 192.168.5.92 0.0.0.3 area 0
network 192.168.5.104 0.0.0.7 area 0
network 192.168.5.224 0.0.0.0 area 0
network 192.168.197.36 0.0.0.3 area 0
!
router ospf 300 vrf vrfData
router-id 192.168.5.225
log-adjacency-changes
auto-cost reference-bandwidth 10000
capability vrf-lite
! routes leaked in from vrfVoice via BGP enter OSPF 300 as external type 2
! (the default metric-type); the 'match' clause under router bgp relies on
! that to keep them from being exported back out
redistribute bgp 65400 metric 120 subnets
passive-interface Loopback30000
network 192.168.5.32 0.0.0.7 area 0
network 192.168.5.64 0.0.0.3 area 0
network 192.168.5.80 0.0.0.3 area 0
network 192.168.5.112 0.0.0.7 area 0
network 192.168.5.225 0.0.0.0 area 0
network 192.168.197.40 0.0.0.3 area 0
!
router ospf 400 vrf vrfVoice
router-id 192.168.5.226
log-adjacency-changes
auto-cost reference-bandwidth 10000
capability vrf-lite
! routes leaked in from vrfData via BGP enter OSPF 400 as external type 2
! (the default metric-type)
redistribute bgp 65400 metric 120 subnets
passive-interface Loopback40000
network 192.168.5.48 0.0.0.7 area 0
network 192.168.5.72 0.0.0.3 area 0
network 192.168.5.88 0.0.0.3 area 0
network 192.168.5.120 0.0.0.7 area 0
network 192.168.5.226 0.0.0.0 area 0
network 192.168.197.44 0.0.0.3 area 0
default-information originate always
!
router ospf 500 vrf vrfGuest
router-id 192.168.5.227
log-adjacency-changes
auto-cost reference-bandwidth 10000
capability vrf-lite
passive-interface Loopback50000
network 192.168.5.40 0.0.0.7 area 0
network 192.168.5.68 0.0.0.3 area 0
network 192.168.5.84 0.0.0.3 area 0
network 192.168.5.128 0.0.0.7 area 0
network 192.168.5.227 0.0.0.0 area 0
!
router ospf 100
log-adjacency-changes
auto-cost reference-bandwidth 10000
passive-interface Loopback10000
network 192.168.5.4 0.0.0.3 area 0
network 192.168.5.16 0.0.0.3 area 0
network 192.168.5.20 0.0.0.3 area 0
network 192.168.5.24 0.0.0.7 area 0
network 192.168.5.68 0.0.0.3 area 0
network 192.168.5.80 0.0.0.7 area 0
network 192.168.5.254 0.0.0.0 area 0
network 192.168.197.32 0.0.0.3 area 0
!
router bgp 65400
no synchronization
bgp router-id 192.18.164.191
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf vrfVoice
! no 'match' clause: IOS redistributes only internal OSPF routes into BGP,
! so the E2 routes leaked in from vrfData are not sent back to it
redistribute ospf 400 vrf vrfVoice
no synchronization
exit-address-family
!
address-family ipv4 vrf vrfData
! internal and E1 only: the E2 routes leaked in from vrfVoice stay put
redistribute ospf 300 vrf vrfData match internal external 1
no synchronization
exit-address-family
!
end
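The route-target and redistribution lines above define exactly which VRF can reach which, and with which route types; one extra `route-target import` or a `match external` without a type changes the leak surface without any interface changing. The following Python script is an added example, not part of the original post or any Cisco tool: it parses the `ip vrf`, `crypto keyring` and `router bgp` stanzas from a constructed excerpt of the configuration above and reports the leak graph, the OSPF route types each VRF hands to MP-BGP, whether a VRF expected to be isolated (`vrfGuest`, an assumption) really is, and any keyring whose pre-shared key is bound to the 0.0.0.0 wildcard. The key value in the excerpt is a placeholder.

```python
"""Audit the inter-VRF leak surface of a Cisco IOS VRF-lite config.

Added example, not part of the original post or any Cisco tool.  It reads
the 'ip vrf', 'crypto keyring' and 'router bgp' stanzas and reports which
VRF imports whose routes, which OSPF route types each VRF hands to MP-BGP,
and which keyrings accept any IKE peer.  SAMPLE_CONFIG is a constructed
excerpt of the configuration on this page; the key value is a placeholder.
"""
import re

SAMPLE_CONFIG = """\
ip vrf vrfData
 route-target export 65400:300
 route-target import 65400:300
 route-target import 65400:400
!
ip vrf vrfGuest
 route-target export 65400:500
 route-target import 65400:500
!
ip vrf vrfVoice
 route-target export 65400:400
 route-target import 65400:400
 route-target import 65400:300
!
crypto keyring key4Exterior vrf vrfExterior
  pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER
!
router bgp 65400
 address-family ipv4 vrf vrfVoice
  redistribute ospf 400 vrf vrfVoice
 exit-address-family
 address-family ipv4 vrf vrfData
  redistribute ospf 300 vrf vrfData match internal external 1
 exit-address-family
"""

# words that may appear in a 'redistribute ospf ... match' clause
MATCH_WORDS = {"internal", "external", "nssa-external", "1", "2"}


def stanzas(config):
    """Yield (header, body_lines) per top-level stanza; '!' lines are comments."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header is not None:
        yield header, body


def parse_vrfs(config):
    """Return {vrf: {'export': set of RTs, 'import': set of RTs}}."""
    vrfs = {}
    for header, body in stanzas(config):
        m = re.fullmatch(r"ip vrf (\S+)", header)
        if m:
            entry = vrfs[m.group(1)] = {"export": set(), "import": set()}
            for words in (l.split() for l in body):
                if words[0] == "route-target":  # 'both' means import and export
                    for d in (("export", "import") if words[1] == "both" else (words[1],)):
                        entry[d].add(words[2])
    return vrfs


def leak_graph(vrfs):
    """Map each VRF to the other VRFs whose exported route targets it imports."""
    return {name: {o for o, e in vrfs.items() if o != name and v["import"] & e["export"]}
            for name, v in vrfs.items()}


def parse_match(words):
    """Expand 'match' keywords to explicit OSPF route types; a bare
    'external' (or 'nssa-external') means both type 1 and type 2."""
    types, i = set(), 0
    while i < len(words):
        w = words[i]
        if w in ("external", "nssa-external") and i + 1 < len(words) and words[i + 1] in ("1", "2"):
            types.add(f"{w} {words[i + 1]}")
            i += 2
        elif w in ("external", "nssa-external"):
            types.update({f"{w} 1", f"{w} 2"})
            i += 1
        else:
            types.add(w)
            i += 1
    return types


def bgp_ospf_exports(config):
    """Per VRF address family, the OSPF route types that 'redistribute ospf'
    sends into MP-BGP.  Without a 'match' clause IOS exports internal only."""
    exports, vrf = {}, None
    for header, body in stanzas(config):
        if not header.startswith("router bgp "):
            continue
        for words in (l.split() for l in body):
            if words[:3] == ["address-family", "ipv4", "vrf"]:
                vrf = words[3]
            elif words[0] == "exit-address-family":
                vrf = None
            elif vrf and words[:2] == ["redistribute", "ospf"]:
                if "match" not in words:
                    exports[vrf] = {"internal"}
                else:
                    clause = words[words.index("match") + 1:]
                    end = next((i for i, w in enumerate(clause) if w not in MATCH_WORDS), len(clause))
                    exports[vrf] = parse_match(clause[:end])
    return exports


def wildcard_psk_keyrings(config):
    """Keyrings holding a pre-shared key bound to address 0.0.0.0 0.0.0.0."""
    names = []
    for header, body in stanzas(config):
        m = re.match(r"crypto keyring (\S+)", header)
        if m and any(l.startswith("pre-shared-key address 0.0.0.0 0.0.0.0") for l in body):
            names.append(m.group(1))
    return names


def audit(config, isolated=("vrfGuest",)):
    """Return findings as strings.  'isolated' names VRFs that must neither
    import from nor export to any other VRF (an assumption of this example)."""
    graph, exports = leak_graph(parse_vrfs(config)), bgp_ospf_exports(config)
    findings = []
    for vrf in sorted(graph):
        for src in sorted(graph[vrf]):
            types = exports.get(src, set())
            findings.append(f"{vrf} receives {src} routes of type {sorted(types)}")
            # BGP-injected routes are E2 in OSPF by default, so a source that
            # re-exports E2 hands leaked routes straight back to their origin.
            if "external 2" in types:
                findings.append(f"{src} re-exports OSPF E2: leaked routes can loop back")
    for vrf in isolated:
        if graph.get(vrf) or any(vrf in srcs for srcs in graph.values()):
            findings.append(f"{vrf} is not isolated")
    for name in wildcard_psk_keyrings(config):
        findings.append(f"keyring {name} accepts any IKE peer (0.0.0.0 0.0.0.0)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt, the audit confirms the page's intent: vrfData and vrfVoice see each other (internal routes from voice; internal and E1 from data), no E2 is re-exported so nothing loops, vrfGuest touches no other VRF, and the only finding is the wildcard keyring. Changing `match internal external 1` to `match internal external` is enough to trigger the loop warning, which is the mistake the redistribution bullet above guards against.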