
Use Virtual Routing and Forwarding to create multiple routing tables on same router

CCIE Brandon Carroll shows you how to use the Virtual Routing and Forwarding (VRF) IP technology to create multiple instances of a routing table on the same router.

I'm going to take a look at how to configure IPsec on a Cisco IOS device, but I'm going to add a little twist to it by configuring it to use the Virtual Routing and Forwarding (VRF) IP technology. This method is useful in circumstances when you need to create multiple instances of a routing table on your router. First, I'll explain VRF in a little more detail, and then move on to the configuration.

What's VRF?

VRF provides a way for you to configure multiple routing instances on your router. This is beneficial if you need to keep customer traffic and routing separate while using the same hardware. Some may be thinking that you can keep customers separate by using sub-interfaces or different physical interfaces, and then use ACL filtering to keep traffic segregated. That works as long as every customer uses unique addressing; as soon as two customers' address ranges overlap, a single routing table cannot hold both and ACLs cannot tell the traffic apart. A VRF gives each customer its own routing and forwarding table, so the same IP address can be assigned to two different interfaces on the router at the same time.

I recently came across a scenario where this was a requirement. In my work as an instructor, I had to build a lab environment for a class of eight pods, all with identical topology and identical addressing. Here's a look at the basic topology in Figure A:

Now even though this topology is seemingly basic, I had to duplicate it seven more times. Essentially, I look at each lab pod as a separate customer, so I used my router to isolate them. The first step is to create the VRFs.

Creating VRFs

ip vrf POD1
 rd 1:1
!
ip vrf POD2
 rd 2:2
!
ip vrf POD3
 rd 3:3
!
ip vrf POD4
 rd 4:4
!
ip vrf POD5
 rd 5:5
!
ip vrf POD6
 rd 6:6
!
ip vrf POD7
 rd 7:7
!
ip vrf POD8
 rd 8:8
!
With the above configuration, we now have a single router that can act as eight independent routers: each VRF holds its own routing and forwarding table, so a prefix in POD1 never collides with the same prefix in POD2. The rd, or Route Distinguisher, is written either as ASN:nn (as here, 1:1) or as IPv4-address:nn. Its purpose is to keep overlapping prefixes distinct when they are carried between routers by MP-BGP, where the RD is prepended to the IPv4 prefix to form a unique VPNv4 prefix. In a standalone VRF-lite setup like this one the RD is never advertised anywhere, but every VRF still needs one, and it has to differ from the RD of every other VRF on the router; beyond that the values are locally significant.

The next step is to tie each interface to a VRF. Note the order of the commands: IOS removes any IP address already configured on an interface when you apply ip vrf forwarding, so bind the interface to its VRF first and then address it, as shown here:

interface FastEthernet0/0.1
 encapsulation dot1Q 201
 ip vrf forwarding POD1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 202
 ip vrf forwarding POD2
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 203
 ip vrf forwarding POD3
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.4
 encapsulation dot1Q 204
 ip vrf forwarding POD4
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.5
 encapsulation dot1Q 205
 ip vrf forwarding POD5
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.6
 encapsulation dot1Q 206
 ip vrf forwarding POD6
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.7
 encapsulation dot1Q 207
 ip vrf forwarding POD7
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.8
 encapsulation dot1Q 208
 ip vrf forwarding POD8
 ip address 192.168.1.1 255.255.255.0
!
!
interface FastEthernet0/1.1
 encapsulation dot1Q 211
 ip vrf forwarding POD1
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 212
 ip vrf forwarding POD2
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.3
 encapsulation dot1Q 213
 ip vrf forwarding POD3
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.4
 encapsulation dot1Q 214
 ip vrf forwarding POD4
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.5
 encapsulation dot1Q 215
 ip vrf forwarding POD5
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.6
 encapsulation dot1Q 216
 ip vrf forwarding POD6
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.7
 encapsulation dot1Q 217
 ip vrf forwarding POD7
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.8
 encapsulation dot1Q 218
 ip vrf forwarding POD8
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
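
Before trusting the router's own show commands, the same isolation properties can be checked offline against the configuration text. The Python script below is an added example, not part of the original article; it reads configuration in the form shown above and checks the things that actually deliver the isolation: every addressed interface is bound to a declared VRF, every rd is well-formed (ASN:nn or IPv4-address:nn, as discussed under Creating VRFs) and unique on the router, subnets overlap only across tables and never inside one, and every static route whose next hop sits in a pod's subnet carries the vrf keyword that puts it in that pod's table. The configuration embedded in it is constructed for the example: two of the pods above plus two planted mistakes.

```python
import ipaddress
import re

# Constructed sample, not the article's full config: two pods plus two planted
# mistakes (Fa0/1.9 is addressed but left in the global table; the last static
# route lacks the vrf keyword, so it lands in the global table as well).
SAMPLE_CONFIG = """\
ip vrf POD1
 rd 1:1
!
ip vrf POD2
 rd 2:2
!
interface FastEthernet0/0.1
 ip vrf forwarding POD1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 ip vrf forwarding POD2
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1.2
 ip vrf forwarding POD2
 ip address 192.168.1.129 255.255.255.128
!
interface FastEthernet0/1.9
 ip address 172.26.26.1 255.255.255.0
!
ip route vrf POD1 10.0.1.0 255.255.255.0 192.168.1.2
ip route 10.0.2.0 255.255.255.0 192.168.1.2
"""

def parse_rd(text):
    """Canonical (type, administrator, number) of an RD. RFC 4364 types: 0 = 2-byte
    ASN:nn, 1 = IPv4-address:nn, 2 = 4-byte ASN:nn. Raises ValueError otherwise."""
    m = re.fullmatch(r"(\d+(?:\.\d+){3}|\d+):(\d+)", text or "")
    if not m:
        raise ValueError(f"malformed RD {text!r}")
    admin, num = m.group(1), int(m.group(2))
    if "." in admin:
        return 1, int(ipaddress.IPv4Address(admin)), num
    return (0 if int(admin) <= 0xFFFF else 2), int(admin), num

def parse_config(text):
    """Collect VRF declarations, interface bindings and static routes from IOS config."""
    vrfs, interfaces, routes, block = {}, [], [], None
    for line in text.splitlines():
        words = line.split()
        if not words or words == ["!"]:
            block = None
        elif not line.startswith(" "):                    # a top-level command
            block = None
            if words[:2] == ["ip", "vrf"]:
                vrfs[words[2]] = None
                block = ("vrf", words[2])
            elif words[0] == "interface":
                block = ("intf", {"name": words[1], "vrf": None, "addrs": []})
                interfaces.append(block[1])
            elif words[:2] == ["ip", "route"]:
                vrf, i = (words[3], 4) if words[2] == "vrf" else (None, 2)
                net = ipaddress.IPv4Network((words[i], words[i + 1]), strict=False)
                routes.append((vrf, net, words[i + 2]))
        elif block and block[0] == "vrf" and words[0] == "rd":
            vrfs[block[1]] = words[1]
        elif block and block[0] == "intf":
            if words[:3] == ["ip", "vrf", "forwarding"]:
                block[1]["vrf"] = words[3]
            elif words[:2] == ["ip", "address"]:
                block[1]["addrs"].append(ipaddress.IPv4Interface((words[2], words[3])))
    return vrfs, interfaces, routes

def audit(vrfs, interfaces, routes):
    """Return findings as strings; an empty list means the isolation checks pass."""
    findings, seen, tables = [], {}, {}
    for name, rd in vrfs.items():
        try:
            key = parse_rd(rd)
        except ValueError as exc:
            findings.append(f"VRF {name}: {exc}")
            continue
        if key in seen:                                   # IOS refuses this; a text file will not
            findings.append(f"VRF {name}: rd {rd} already used by {seen[key]}")
        seen[key] = name
    for intf in interfaces:                               # record which table each subnet is in
        if intf["addrs"] and intf["vrf"] is None:
            findings.append(f"{intf['name']}: addressed but not bound to a VRF (global table)")
        for a in intf["addrs"]:
            tables.setdefault(intf["vrf"] or "global", []).append((a.network, intf["name"]))
    for table, nets in tables.items():                    # overlap across tables is the point;
        for i, (n1, if1) in enumerate(nets):              # overlap inside one table is a conflict
            for n2, if2 in nets[i + 1:]:
                if if1 != if2 and n1.overlaps(n2):
                    findings.append(f"{table}: {n1} on {if1} overlaps {n2} on {if2}")
    for vrf, net, nexthop in routes:                      # no vrf keyword means the global table
        if not re.fullmatch(r"\d+(?:\.\d+){3}", nexthop):  # next hop given as an interface name
            continue
        nh, table = ipaddress.IPv4Address(nexthop), vrf or "global"
        owners = sorted(t for t, ns in tables.items() if any(nh in n for n, _ in ns))
        if table not in owners:
            findings.append(f"{table}: static {net} via {nexthop} has no connected next hop"
                            + (f" (it is connected in {', '.join(owners)})" if owners else ""))
    return findings
```

Running audit(*parse_config(SAMPLE_CONFIG)) reports three findings: the unbound interface, the 192.168.1.128/25 subnet that collides with 192.168.1.0/24 inside POD2, and the global static route whose next hop is only reachable inside POD1 and POD2. The identical 192.168.1.1/24 addresses in POD1 and POD2 produce no finding, which is exactly the overlap the VRFs are there to permit. Feed it the full running configuration (show running-config) rather than the excerpt to audit a real router.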

To verify the routing is isolated, we can look at the routing table from the perspective of each VRF. First POD1:

BBR#show ip route vrf POD1
Routing Table: POD1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     172.26.0.0/24 is subnetted, 1 subnets
C       172.26.26.0 is directly connected, FastEthernet0/1.1
     10.0.0.0/24 is subnetted, 2 subnets
S       10.0.1.0 [1/0] via 192.168.1.2
C       10.0.100.0 is directly connected, Loopback201
C    192.168.1.0/24 is directly connected, FastEthernet0/0.1
BBR#

The static route to 10.0.1.0 and the Loopback201 entry come from per-pod configuration that is not shown above. Note that a static route that belongs to a VRF must be entered with the vrf keyword (ip route vrf POD1 ...); without it the route is installed in the global routing table, not the pod's. To see what interfaces are allocated to each VRF, use the show ip vrf brief command as seen below.

BBR#sh ip vrf brief
  Name                             Default RD          Interfaces
  POD1                             1:1                 Lo201
                                                       Fa0/0.1
                                                       Fa0/1.1
  POD2                             2:2                 Lo202
                                                       Fa0/0.2
                                                       Fa0/1.2
  POD3                             3:3                 Lo203
                                                       Fa0/0.3
                                                       Fa0/1.3
  POD4                             4:4                 Lo204
                                                       Fa0/0.4
                                                       Fa0/1.4
  POD5                             5:5                 Lo205
                                                       Fa0/0.5
                                                       Fa0/1.5
  POD6                             6:6                 Lo206
                                                       Fa0/0.6
                                                       Fa0/1.6
  POD7                             7:7                 Lo207
                                                       Fa0/0.7
                                                       Fa0/1.7
  POD8                             8:8                 Lo208
                                                       Fa0/0.8
                                                       Fa0/1.8
BBR#

There are a number of other commands that can be used to verify VRFs, but as you can see, this router is partitioned into eight VRFs. Keep in mind what that partition covers: VRFs separate the routing and forwarding of transit traffic, not the router itself. All eight pods still share one control plane and one management plane, so access to the router's own services (SSH, SNMP and the like) from the pod VLANs needs its own controls, and a route leaked between VRFs, or a static route entered without the vrf keyword, reconnects what the VRFs keep apart. In the next post, I will demonstrate the VRF-aware IPsec configuration for this same setup.

About

Brandon Carroll, CCIE #23837, is an IT Director, Blogger, Podcaster, and Mac Enthusiast. Brandon has nearly 15 years in the networking industry consulting for large and small enterprise and service provider networks.

2 comments
Mohammad11132

Thank you; this was really helpful

But I couldn't understand how you got this entry in the VRF POD1 routing table:

S       10.0.1.0 [1/0] via 192.168.1.2 

ccie5000

(with a nod to Edsger Dijkstra) VRFs can be extremely useful, but do *not* use them unless you need them! I have seen overuse of VRFs complicate networks to the point where they're nearly unmanageable. Jerry J. Anderson, CCIE #5000