VRF

1 VRF-lite

VRFs are normally used in MPLS VPN deployments; when VRFs are used without MPLS, the setup is usually called VRF-lite.

A VRF creates a separate, virtual routing table. Logically it is as if a virtual router had been created whose routing table is the VRF table: the interfaces and routing-protocol instances bound to the VRF live in that table and are invisible to the global table and to every other VRF.

VRFs are commonly used to keep apart networks that carry the same (overlapping) subnets. In this lab 172.168.2.1/32 is configured both on R3 (reached through RED) and on R5 (reached through BLUE), and each VRF table holds its own copy of the prefix.

vrf-lite.png

Figure 1: Lab topology

Lab configuration: only R1 needs the VRF-specific configuration; the remaining routers are configured as usual.
----------------- R1 ----------------------
en
conf t
hostname R1
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip vrf RED
 exit
ip vrf BLUE
 exit
int lo0
 ip address 1.1.1.1 255.255.255.255
 exit
int e0/0
 ip vrf forwarding RED ! put ifc under vrf
 ip address 192.168.12.1 255.255.255.0
 no sh
 exit
int e0/1
 ip vrf forwarding RED ! put ifc under vrf
 ip address 192.168.13.1 255.255.255.0
 no sh
 exit
int e0/2
 ip vrf forwarding BLUE ! put ifc under vrf
 ip address 192.168.14.1 255.255.255.0
 no sh
 exit
int e0/3
 ip vrf forwarding BLUE ! put ifc under vrf
 ip address 192.168.15.1 255.255.255.0
 no sh
 exit
router ospf 110 vrf RED ! configure OSPF under vrf
 router-id 11.11.11.11
 network 192.168.12.1 0.0.0.0 area 0
 network 192.168.13.1 0.0.0.0 area 0
 exit
router eigrp 1
 address-family ipv4 vrf BLUE
  autonomous-system 90 ! the VRF address family needs its own AS number (90, matching R4 and R5); the process number 1 above is only a local identifier
  network 192.168.14.1 0.0.0.0
  network 192.168.15.1 0.0.0.0
  exit
 exit
end

----------------- R2 ----------------------
en
conf t
hostname R2
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 2.2.2.2 255.255.255.255
 exit
int lo1
 ip add 172.168.1.1 255.255.255.255 ! same address as R4 lo1 in BLUE; must match the OSPF network statement below (the RED table captured further down was taken before this address was corrected)
 exit
int e0/0
 ip address 192.168.12.2 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 22.22.22.22
 network 2.2.2.2 0.0.0.0 area 0
 network 172.168.1.1 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
 exit
end

----------------- R3 ----------------------

en
conf t
hostname R3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 3.3.3.3 255.255.255.255
 exit
int lo1
 ip address 172.168.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.13.3 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 33.33.33.33
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.13.3 0.0.0.0 area 0
 network 172.168.2.1 0.0.0.0 area 0
 exit
end


----------------- R4 ----------------------

en
conf t
hostname R4
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 4.4.4.4 255.255.255.255
 exit
int lo1
 ip address 172.168.1.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.14.4 255.255.255.0
 no sh
 exit
router eigrp 90
 network 4.4.4.4 0.0.0.0
 network 192.168.14.4 0.0.0.0
 network 172.168.1.1 0.0.0.0
 exit
end

----------------- R5 ----------------------

en
conf t
hostname R5
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 5.5.5.5 255.255.255.255
 exit
int lo1
 ip address 172.168.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.15.5 255.255.255.0
 no sh
 exit
router eigrp 90
 network 5.5.5.5 0.0.0.0
 network 192.168.15.5 0.0.0.0
 network 172.168.2.1 0.0.0.0
 exit
end

Check which VRF each interface belongs to:
R1#sh ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Et0/2                  192.168.14.1    BLUE                             up
Et0/3                  192.168.15.1    BLUE                             up
Et0/0                  192.168.12.1    RED                              up
Et0/1                  192.168.13.1    RED                              up
View R1's routing tables: the global table first, then each VRF. The captures below were taken with R2's lo1 still mistyped as 172.16.1.1, which the statement network 172.168.1.1 0.0.0.0 does not match, so RED shows only R3's 172.168.2.1:
R1#sh ip route ! global
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
R1#sh ip route vrf RED

Routing Table: RED
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/11] via 192.168.12.2, 01:23:55, Ethernet0/0
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/11] via 192.168.13.3, 01:23:30, Ethernet0/1
      172.168.0.0/32 is subnetted, 1 subnets
O        172.168.2.1 [110/11] via 192.168.13.3, 01:20:24, Ethernet0/1
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Ethernet0/0
L        192.168.12.1/32 is directly connected, Ethernet0/0
      192.168.13.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.13.0/24 is directly connected, Ethernet0/1
L        192.168.13.1/32 is directly connected, Ethernet0/1
R1#sh ip route vrf BLUE

Routing Table: BLUE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/409600] via 192.168.14.4, 00:01:35, Ethernet0/2
      5.0.0.0/32 is subnetted, 1 subnets
D        5.5.5.5 [90/409600] via 192.168.15.5, 00:01:35, Ethernet0/3
      172.168.0.0/32 is subnetted, 2 subnets
D        172.168.1.1 [90/409600] via 192.168.14.4, 00:01:35, Ethernet0/2
D        172.168.2.1 [90/409600] via 192.168.15.5, 00:01:35, Ethernet0/3
      192.168.14.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.14.0/24 is directly connected, Ethernet0/2
L        192.168.14.1/32 is directly connected, Ethernet0/2
      192.168.15.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.15.0/24 is directly connected, Ethernet0/3
L        192.168.15.1/32 is directly connected, Ethernet0/3
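As an added example (not code from the original page) of what the two tables above represent: a small Python model of a router with one routing table per VRF, loaded with R1's RED and BLUE tables from the captures above. The class and function names are illustrative and are not an IOS or library API. The ingress interface selects the table, 172.168.2.1 (present in both VRFs) resolves to a different next hop in each, and a packet arriving on a RED interface has no route at all to BLUE's 4.4.4.4.

```python
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional, Tuple

GLOBAL = "global"  # the default (non-VRF) routing table


class VrfRouter:
    """One routing table per VRF plus the global table (illustrative model, not IOS)."""

    def __init__(self) -> None:
        # vrf name -> list of (prefix, next hop, outgoing interface)
        self.tables: Dict[str, List[Tuple[IPv4Network, str, str]]] = {GLOBAL: []}
        self.if_vrf: Dict[str, str] = {}  # interface -> VRF it was placed in

    def ip_vrf(self, name: str) -> None:
        """Equivalent of 'ip vrf NAME': create an empty table."""
        self.tables.setdefault(name, [])

    def ip_vrf_forwarding(self, ifname: str, vrf: str) -> None:
        """Equivalent of 'ip vrf forwarding VRF' on an interface."""
        if vrf not in self.tables:
            raise KeyError(f"VRF {vrf!r} does not exist")
        self.if_vrf[ifname] = vrf

    def add_route(self, vrf: str, prefix: str, nexthop: str, ifname: str) -> None:
        self.tables[vrf].append((ip_network(prefix), nexthop, ifname))

    def lookup(self, vrf: str, dst: str) -> Optional[Tuple[str, str]]:
        """Longest-prefix match inside one table; there is no fallback to other tables."""
        d = ip_address(dst)
        best = None
        for net, nexthop, ifname in self.tables.get(vrf, []):
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop, ifname)
        return None if best is None else (best[1], best[2])

    def forward(self, in_if: str, dst: str) -> Optional[Tuple[str, str]]:
        """The ingress interface selects the table; unbound interfaces use the global table."""
        return self.lookup(self.if_vrf.get(in_if, GLOBAL), dst)


def build_r1() -> VrfRouter:
    """R1 as it appears in 'show ip vrf interfaces' and 'show ip route vrf ...' above."""
    r1 = VrfRouter()
    r1.ip_vrf("RED")
    r1.ip_vrf("BLUE")
    for ifname, vrf in (("Et0/0", "RED"), ("Et0/1", "RED"), ("Et0/2", "BLUE"), ("Et0/3", "BLUE")):
        r1.ip_vrf_forwarding(ifname, vrf)
    r1.add_route(GLOBAL, "1.1.1.1/32", "connected", "Loopback0")
    red = [("192.168.12.0/24", "connected", "Et0/0"), ("192.168.13.0/24", "connected", "Et0/1"),
           ("2.2.2.2/32", "192.168.12.2", "Et0/0"), ("3.3.3.3/32", "192.168.13.3", "Et0/1"),
           ("172.168.2.1/32", "192.168.13.3", "Et0/1")]
    blue = [("192.168.14.0/24", "connected", "Et0/2"), ("192.168.15.0/24", "connected", "Et0/3"),
            ("4.4.4.4/32", "192.168.14.4", "Et0/2"), ("5.5.5.5/32", "192.168.15.5", "Et0/3"),
            ("172.168.1.1/32", "192.168.14.4", "Et0/2"), ("172.168.2.1/32", "192.168.15.5", "Et0/3")]
    for prefix, nexthop, ifname in red:
        r1.add_route("RED", prefix, nexthop, ifname)
    for prefix, nexthop, ifname in blue:
        r1.add_route("BLUE", prefix, nexthop, ifname)
    return r1


if __name__ == "__main__":
    r1 = build_r1()
    # the same destination, 172.168.2.1, takes a different path depending on the ingress VRF
    print("RED   :", r1.forward("Et0/0", "172.168.2.1"))  # ('192.168.13.3', 'Et0/1')
    print("BLUE  :", r1.forward("Et0/2", "172.168.2.1"))  # ('192.168.15.5', 'Et0/3')
    print("cross :", r1.forward("Et0/0", "4.4.4.4"))      # None: RED has no route into BLUE
    print("global:", r1.lookup(GLOBAL, "2.2.2.2"))        # None: the global table sees only lo0
```

The `forward` lookup is the security property VRF-lite gives you: isolation is decided by which table the ingress interface is bound to, so a host in RED cannot reach BLUE even though R1 holds both tables. Anything that later bridges the tables (a static route with a `vrf` keyword, route leaking, a shared loopback) removes that guarantee and should be reviewed as such.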

2 Front-Door VRF (FVRF) 1 , 2

FVRF means that the underlay (transport) network runs inside a VRF while the overlay runs in the global routing table.

It is mainly used at sites with several service-provider (Internet) uplinks. Because the Internet-facing interfaces sit in the FVRF, the table those interfaces use contains only the underlay prefixes, while the internal network exists only in the global table behind the tunnel; traffic arriving from a provider therefore cannot be routed to internal hosts, which gives some protection against access from the outside (an ACL or zone-based firewall on the FVRF interface limiting inbound traffic to the tunnel protocol is still needed to protect the router itself). At the same time it solves the problem of multiple, conflicting default routes when there are several Internet connections: each provider's default route lives in its own VRF instead of competing in the global table.

The multiple default route conflict is solved through the use of Front VRFs on the router. This is used in conjunction with DMVPN to permit the use of multiple default routes for both the DMVPN hub routers and DMVPN spoke routers. This combination of features is referred to as front-door (FVRF), because the VRF faces the Internet and the router internal interfaces and the mGRE tunnel all remain in the global VRF.

fvrf_ex.png

Figure 2: Lab topology

Initial configuration
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip add 1.1.1.1 255.255.255.255
  ip ospf 1 a 0
 exit
 int e0/0
  ip add 10.1.12.1 255.255.255.0
  ip ospf 1 a 0
  no sh
 exit
 int tun0
  ip add 192.168.0.1 255.255.255.0
  tunnel source lo0
  tunnel destination 4.4.4.4
  no sh
 exit
end
----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip add 2.2.2.2 255.255.255.255
  ip ospf 1 a 0
 exit
 int e0/0
  ip add 10.1.12.2 255.255.255.0
  ip ospf 1 a 0
  no sh
 exit
 int e0/1
  ip add 10.1.23.2 255.255.255.0
  ip ospf 1 a 0
  no sh
 exit
end
----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip add 3.3.3.3 255.255.255.255
  ip ospf 1 a 0
 exit
 int e0/0
  ip add 10.1.23.3 255.255.255.0
  ip ospf 1 a 0
  no sh
 exit
 int e0/1
  ip add 10.1.34.3 255.255.255.0
  ip ospf 1 a 0
  no sh
 exit
end
----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip add 4.4.4.4 255.255.255.255
  ip ospf 1 a 0
 exit
 int e0/0
  ip add 10.1.34.4 255.255.255.0
  ip ospf 1 a 0
  no sh
 exit
 int tun0
  ip add 192.168.0.4 255.255.255.0
  tunnel source lo0
  tunnel destination 1.1.1.1
  no sh
 exit
end
EIGRP on the tunnel interfaces
============== R1 ==============
router eigrp 100
 passive-interface default
 no passive-interface tun0
 network 192.168.0.1 0.0.0.0
 network 1.1.1.1 0.0.0.0
exit
============== R4 ==============
router eigrp 100
 passive-interface default
 no passive-interface tun0
 network 192.168.0.4 0.0.0.0
 network 4.4.4.4 0.0.0.0
exit

Because the loopbacks (the tunnel source and destination) are now also advertised by EIGRP across the tunnel, and EIGRP's administrative distance (90) beats OSPF's (110), each router installs a route to the tunnel destination that points into the tunnel itself. The interface flaps because of recursive routing:

R4(config)#
*Sep 22 04:53:42.853: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Sep 22 04:53:42.853: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Sep 22 04:53:42.854: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.0.1 (Tunnel0) is down: interface down
R4#
*Sep 22 04:54:42.877: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Sep 22 04:54:43.393: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.0.1 (Tunnel0) is up: new adjacency
*Sep 22 04:54:43.708: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel0 - looped chain attempting to stack
R4#
*Sep 22 04:54:52.879: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Sep 22 04:54:52.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Sep 22 04:54:52.880: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.0.1 (Tunnel0) is down: interface down
Enable FVRF
============== R1 ==============
ip vrf FVRF
exit
!
no router ospf 1 ! remove global one
router ospf 1 vrf FVRF
exit
!
int lo0
 ip vrf forwarding FVRF ! moving the interface into the VRF clears its IP address, so it is re-entered below
 ip add 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
exit
int e0/0
 ip vrf forwarding FVRF
 ip add 10.1.12.1 255.255.255.0
 ip ospf 1 area 0
 no sh
exit
int tun0
 tunnel vrf FVRF
exit
============== R4 ==============
ip vrf FVRF
exit
!
no router ospf 1 ! remove global one
router ospf 1 vrf FVRF
exit
!
int lo0
 ip vrf forwarding FVRF
 ip add 4.4.4.4 255.255.255.255
 ip ospf 1 area 0
exit
int e0/0
 ip vrf forwarding FVRF
 ip add 10.1.34.4 255.255.255.0
 ip ospf 1 area 0
 no sh
exit
int tun0
 tunnel vrf FVRF
exit

Command tunnel vrf FVRF tells IOS that tunnel source and destination will be located in VRF FVRF. This also means that overlay IPs will be located in the default/global VRF as tunnels themselves are not part of this VRF.
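The flapping above can be reproduced as a next-hop resolution check. The following is an added example, not code from the page or from Cisco: a minimal RIB model for R4 in which each entry carries its administrative distance, with `tunnel_is_recursive` answering the question IOS asks before raising %TUN-5-RECURDOWN, namely whether the route to the tunnel destination exits through the tunnel itself. With everything in the global table the EIGRP route (AD 90) to 1.1.1.1 wins over OSPF (AD 110) and points into Tunnel0; with `tunnel vrf FVRF` the destination is resolved in the FVRF table, where Tunnel0 does not exist. Names and the route entries are illustrative.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

Rib = Dict[str, List["Route"]]  # table name -> routes


@dataclass(frozen=True)
class Route:
    prefix: str
    proto: str
    ad: int                  # administrative distance: lower wins (EIGRP 90 beats OSPF 110)
    nexthop: Optional[str]   # None for connected routes
    ifname: Optional[str]    # outgoing interface, None when only a next hop is known


@dataclass(frozen=True)
class Tunnel:
    name: str
    source: str
    dest: str
    vrf: str = "global"      # 'tunnel vrf X': the table used to resolve source and destination


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; among equal prefixes the lowest administrative distance wins."""
    d = ip_address(dst)
    candidates = [r for r in table if d in ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen, r.ad))


def resolve_exit(rib: Rib, vrf: str, dst: str, max_depth: int = 8) -> Optional[str]:
    """Resolve dst to an exit interface inside one table, following next hops as needed."""
    table = rib.get(vrf, [])
    current = dst
    for _ in range(max_depth):          # bounded so a routing loop cannot hang the lookup
        route = best_route(table, current)
        if route is None:
            return None
        if route.ifname is not None:
            return route.ifname
        current = route.nexthop         # next-hop-only route: recurse on the next hop
    return None


def tunnel_is_recursive(rib: Rib, tun: Tunnel) -> bool:
    """True when the tunnel destination is reached through the tunnel itself (%TUN-5-RECURDOWN)."""
    return resolve_exit(rib, tun.vrf, tun.dest) == tun.name


def r4_before_fvrf() -> Rib:
    """All of R4 in the global table, after EIGRP has advertised R1's loopback over the tunnel."""
    return {"global": [
        Route("10.1.34.0/24", "connected", 0, None, "Et0/0"),
        Route("192.168.0.0/24", "connected", 0, None, "Tunnel0"),
        Route("1.1.1.1/32", "ospf", 110, "10.1.34.3", "Et0/0"),
        Route("1.1.1.1/32", "eigrp", 90, "192.168.0.1", "Tunnel0"),  # preferred: AD 90 < 110
    ]}


def r4_with_fvrf() -> Rib:
    """Underlay (e0/0, lo0, OSPF) in FVRF; overlay (Tunnel0, EIGRP) in the global table."""
    return {
        "FVRF": [
            Route("10.1.34.0/24", "connected", 0, None, "Et0/0"),
            Route("1.1.1.1/32", "ospf", 110, "10.1.34.3", "Et0/0"),
        ],
        "global": [
            Route("192.168.0.0/24", "connected", 0, None, "Tunnel0"),
            # hypothetical entry: even if the overlay still carried 1.1.1.1, the tunnel never consults this table
            Route("1.1.1.1/32", "eigrp", 90, "192.168.0.1", "Tunnel0"),
        ],
    }


if __name__ == "__main__":
    print(tunnel_is_recursive(r4_before_fvrf(), Tunnel("Tunnel0", "4.4.4.4", "1.1.1.1")))        # True
    print(tunnel_is_recursive(r4_with_fvrf(), Tunnel("Tunnel0", "4.4.4.4", "1.1.1.1", "FVRF")))  # False
```

The point of the model is that `tunnel vrf` does not filter routes; it changes which table the tunnel resolves its endpoints in. That is why FVRF is the structural fix, whereas the alternative (keeping the tunnel source and destination out of the overlay protocol with `distribute-list` or by not matching the loopbacks) has to be maintained by hand and silently breaks the moment someone redistributes the underlay into the overlay.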

3 VRF route leaking

vrf_leak.png

Figure 3: Lab topology

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 ip vrf VRF1
  rd 65535:11
  route-target both 65535:11
  route-target import 65535:12 ! leak VRF2 into VRF1
 !
 ip vrf VRF2
  rd 65535:12
  route-target both 65535:12
 !
 interface lo0
  ip add 1.1.1.1 255.255.255.255
  ip ospf 1 a 0
 int lo1
  ip vrf forwarding VRF1
  ip add 11.11.11.11 255.255.255.255
 !
 int lo2
  ip vrf forwarding VRF2
  ip add 11.11.11.12 255.255.255.255
 !
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  ip ospf 1 a 0
  mpls ip
  no sh
 !
 router bgp 65535
  no bgp default ipv4-unicast
  neighbor 3.3.3.3 remote-as 65535
  neighbor 3.3.3.3 update-source lo0
  !
  address-family ipv4 vrf VRF1
   redistribute connected
  exit
  !
  address-family ipv4 vrf VRF2
   redistribute connected
  exit
  !
  address-family vpnv4
   neighbor 3.3.3.3 act
   neighbor 3.3.3.3 send-community
  exit
 exit
 mpls ldp router-id lo0
 mpls label range 100 199
end
----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip add 2.2.2.2 255.255.255.255
  ip ospf 1 a 0
 !
 int e0/0
  ip address 10.1.12.2 255.255.255.0
  ip ospf 1 a 0
  mpls ip
  no sh
 !
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  ip ospf 1 a 0
  mpls ip
  no sh
 !
 mpls ldp router-id lo0
 mpls label range 200 299
end
----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 ip vrf VRF1
  rd 65535:31
  route-target both 65535:11
 !
 ip vrf VRF2
  rd 65535:32
  route-target both 65535:12
  route-target import 65535:11  ! leak VRF1 into VRF2
 !
 interface lo0
  ip add 3.3.3.3 255.255.255.255
  ip ospf 1 a 0
 int lo1
  ip vrf forwarding VRF1
  ip add 33.33.33.31 255.255.255.255
 !
 int lo2
  ip vrf forwarding VRF2
  ip add 33.33.33.32 255.255.255.255
 !
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  ip ospf 1 a 0
  mpls ip
  no sh
 !
 router bgp 65535
  no bgp default ipv4-unicast
  neighbor 1.1.1.1 remote-as 65535
  neighbor 1.1.1.1 update-source lo0
  !
  address-family ipv4 vrf VRF1
   redistribute connected
  exit
  !
  address-family ipv4 vrf VRF2
   redistribute connected
  exit
  !
  address-family vpnv4
   neighbor 1.1.1.1 act
   neighbor 1.1.1.1 send-community
  exit
 exit
 mpls ldp router-id lo0
 mpls label range 300 399
end
Observe the routes
R1#sh ip route vrf VRF1

Routing Table: VRF1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      11.0.0.0/32 is subnetted, 2 subnets
C        11.11.11.11 is directly connected, Loopback1
B        11.11.11.12 is directly connected, 00:15:41, Loopback2
      33.0.0.0/32 is subnetted, 2 subnets
B        33.33.33.31 [200/0] via 3.3.3.3, 00:15:19
B        33.33.33.32 [200/0] via 3.3.3.3, 00:15:19
R1#sh ip route vrf VRF2

Routing Table: VRF2
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      11.0.0.0/32 is subnetted, 1 subnets
C        11.11.11.12 is directly connected, Loopback2
      33.0.0.0/32 is subnetted, 1 subnets
B        33.33.33.32 [200/0] via 3.3.3.3, 00:15:51

vrf_connectivity.png

Figure 4: R1 VRF1 can communicate with R3 VRF2, but R1 VRF2 cannot communicate with R3 VRF1 (R1 VRF2 imports only 65535:12 and R3 VRF1 imports only 65535:11, so neither side holds a route to the other; a leak must be imported on both sides before traffic flows)
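Route-target import is the only thing that keeps these VRFs apart, so it is worth being able to compute, from the RD/RT configuration alone, what each VRF will see and which pairs can actually exchange traffic. The following is an added example and not part of the page or of any BGP implementation: it models the export and import of VPNv4 routes for R1 and R3 exactly as configured above and reproduces the two routing tables and the result shown in Figure 4. Class and function names are illustrative.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Origin = Tuple[str, str]  # (router, vrf name)


@dataclass
class Vrf:
    router: str
    name: str
    rd: str
    export_rt: Set[str]               # 'route-target export' ('both' = export + import)
    import_rt: Set[str]               # 'route-target import'
    connected: List[str] = field(default_factory=list)  # prefixes from 'redistribute connected'


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    rts: FrozenSet[str]               # extended communities attached at export time
    origin: Origin


def export_all(vrfs: List[Vrf]) -> List[VpnRoute]:
    """Each VRF's connected prefixes leave as VPNv4 routes tagged with the VRF's export RTs."""
    return [VpnRoute(v.rd, p, frozenset(v.export_rt), (v.router, v.name))
            for v in vrfs for p in v.connected]


def import_table(v: Vrf, vpn: List[VpnRoute]) -> Dict[str, Origin]:
    """A VRF installs a VPNv4 route iff its import set intersects the route's RTs."""
    table: Dict[str, Origin] = {p: (v.router, v.name) for p in v.connected}
    for r in vpn:
        if r.rts & v.import_rt and r.prefix not in table:
            table[r.prefix] = r.origin
    return table


def can_talk(a: Vrf, b: Vrf, vpn: List[VpnRoute]) -> bool:
    """Traffic flows only if each side holds routes to the other's prefixes (both directions)."""
    ta, tb = import_table(a, vpn), import_table(b, vpn)
    return all(p in ta for p in b.connected) and all(p in tb for p in a.connected)


def audit_leaks(vrfs: List[Vrf], vpn: List[VpnRoute]) -> List[Tuple[str, str, str]]:
    """Every route that crossed a VRF name boundary: (importing router/vrf, prefix, source router/vrf)."""
    found = []
    for v in vrfs:
        for prefix, (src_router, src_vrf) in sorted(import_table(v, vpn).items()):
            if src_vrf != v.name:
                found.append((f"{v.router}/{v.name}", prefix, f"{src_router}/{src_vrf}"))
    return found


def lab() -> List[Vrf]:
    """RD/RT configuration of R1 and R3 exactly as in the listing above."""
    return [
        Vrf("R1", "VRF1", "65535:11", {"65535:11"}, {"65535:11", "65535:12"}, ["11.11.11.11/32"]),
        Vrf("R1", "VRF2", "65535:12", {"65535:12"}, {"65535:12"}, ["11.11.11.12/32"]),
        Vrf("R3", "VRF1", "65535:31", {"65535:11"}, {"65535:11"}, ["33.33.33.31/32"]),
        Vrf("R3", "VRF2", "65535:32", {"65535:12"}, {"65535:12", "65535:11"}, ["33.33.33.32/32"]),
    ]


if __name__ == "__main__":
    vrfs = lab()
    vpn = export_all(vrfs)
    r1_vrf1, r1_vrf2, r3_vrf1, r3_vrf2 = vrfs
    print(sorted(import_table(r1_vrf1, vpn)))  # the four prefixes seen in 'sh ip route vrf VRF1'
    print(sorted(import_table(r1_vrf2, vpn)))  # only 11.11.11.12/32 and 33.33.33.32/32
    print(can_talk(r1_vrf1, r3_vrf2, vpn))     # True
    print(can_talk(r1_vrf2, r3_vrf1, vpn))     # False: neither side imports the other's RT
    for entry in audit_leaks(vrfs, vpn):
        print("leak:", *entry)
```

`can_talk` is the check Figure 4 makes visually: an import on one side only gives a one-way route, and traffic fails on the return path. `audit_leaks` is the review list a practitioner wants after any RT change: every entry is a deliberate hole in VRF isolation and should map to a documented requirement. Note that importing an RT pulls in every prefix carrying it; on IOS an `import map` under the VRF narrows a leak to the specific prefixes that are actually needed.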

Author: Hao Ruan (ruanhao1116@gmail.com)

Created: 2021-09-22 Wed 10:34

Updated: 2021-09-26 Sun 20:35

Emacs 27.1 (Org mode 9.3)