Use Virtual Routing and Forwarding to create multiple routing tables on same router

I'm going to take a look at how to configure IPsec on a Cisco IOS device, but I'm going to add a little twist to it by configuring it to use the Virtual Routing and Forwarding (VRF) IP technology. This method is useful in circumstances when you need to create multiple instances of a routing table on your router. First, I'll explain VRF in a little more detail, and then move on to the configuration.

What's VRF?

VRF provides a way for you to configure multiple routing instances on your router. This is beneficial if you have a need to keep customer traffic and routing separate and you want to utilize the same hardware. Some may be thinking that you can keep customers separate by using sub-interfaces or different physical interfaces, and then use ACL filtering to keep traffic segregated. This would certainly be one method of doing so, however, if for some reason you wanted to overlap customer addressing, you'd have a serious problem. With a VRF you can use the same IP address assigned to two different interfaces on a router at the same time.

I recently came across a scenario where this was a requirement for me. In my work as an instructor, I just had to build a lab environment for a class of eight pods, all with identical topology and identical addressing. Here's a look at the Basic topology in Figure A:

Now even though this topology is seemingly basic, I had to duplicate it seven more times. Essentially, I look at each lab pod as a separate customer. So I used my router to isolate them. This first step is to create the VRFs.

Creating VRFs

ip vrf POD1

 rd 1:1

!

ip vrf POD2

 rd 2:2

!

ip vrf POD3

 rd 3:3

!

ip vrf POD4

 rd 4:4

!

ip vrf POD5

 rd 5:5

!

ip vrf POD6

 rd 6:6

!

ip vrf POD7

 rd 7:7

!

ip vrf POD8

 rd 8:8

!

With the above configuration, we now have a single router that can act as eight independent routers. What's important about it, is that the rd or Route Distinguisher is what allows IP addresses to overlap. In this router, each address will be tagged by the RD, which is in the format of ip-address:rd. This is a locally significant value.

The next step is to tie each interface to a VRF:

interface FastEthernet0/0.1

 encapsulation dot1Q 201

 ip vrf forwarding POD1

 ip address 192.168.1.1 255.255.255.0

!

interface FastEthernet0/0.2

 encapsulation dot1Q 202

 ip vrf forwarding POD2

 ip address 192.168.1.1 255.255.255.0

!

interface FastEthernet0/0.3

 encapsulation dot1Q 203

 ip vrf forwarding POD3

 ip address 192.168.1.1 255.255.255.0

!

interface FastEthernet0/0.4

 encapsulation dot1Q 204

 ip vrf forwarding POD4

 ip address 192.168.1.1 255.255.255.0

!

interface FastEthernet0/0.5

 encapsulation dot1Q 205

 ip vrf forwarding POD5

 ip address 192.168.1.1 255.255.255.0

!

interface FastEthernet0/0.6

 encapsulation dot1Q 206

 ip vrf forwarding POD6

 ip address 192.168.1.1 255.255.255.0

!

interface FastEthernet0/0.7

 encapsulation dot1Q 207

 ip vrf forwarding POD7

 ip address 192.168.1.1 255.255.255.0

!

interface FastEthernet0/0.8

 encapsulation dot1Q 208

 ip vrf forwarding POD8

 ip address 192.168.1.1 255.255.255.0

!

!

interface FastEthernet0/1.1

 encapsulation dot1Q 211

 ip vrf forwarding POD1

 ip address 172.26.26.53 255.255.255.0 secondary

 ip address 172.26.26.1 255.255.255.0

!

interface FastEthernet0/1.2

 encapsulation dot1Q 212

 ip vrf forwarding POD2

 ip address 172.26.26.53 255.255.255.0 secondary

 ip address 172.26.26.1 255.255.255.0

!

interface FastEthernet0/1.3

 encapsulation dot1Q 213

 ip vrf forwarding POD3

 ip address 172.26.26.53 255.255.255.0 secondary

 ip address 172.26.26.1 255.255.255.0

!

interface FastEthernet0/1.4

 encapsulation dot1Q 214

 ip vrf forwarding POD4

 ip address 172.26.26.53 255.255.255.0 secondary

 ip address 172.26.26.1 255.255.255.0

!

interface FastEthernet0/1.5

 encapsulation dot1Q 215

 ip vrf forwarding POD5

 ip address 172.26.26.53 255.255.255.0 secondary

 ip address 172.26.26.1 255.255.255.0

!

interface FastEthernet0/1.6

 encapsulation dot1Q 216

 ip vrf forwarding POD6

 ip address 172.26.26.53 255.255.255.0 secondary

 ip address 172.26.26.1 255.255.255.0

!

interface FastEthernet0/1.7

 encapsulation dot1Q 217

 ip vrf forwarding POD7

 ip address 172.26.26.53 255.255.255.0 secondary

 ip address 172.26.26.1 255.255.255.0

!

interface FastEthernet0/1.8

 encapsulation dot1Q 218

 ip vrf forwarding POD8

 ip address 172.26.26.53 255.255.255.0 secondary

 ip address 172.26.26.1 255.255.255.0

To verify the routing is isolated, we can look at the routing table from the perspective of each VRF. First POD1:

BBR#show ip route vrf POD1

Routing Table: POD1

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.26.0.0/24 is subnetted, 1 subnets

C       172.26.26.0 is directly connected, FastEthernet0/1.1

     10.0.0.0/24 is subnetted, 2 subnets

S       10.0.1.0 [1/0] via 192.168.1.2

C       10.0.100.0 is directly connected, Loopback201

C    192.168.1.0/24 is directly connected, FastEthernet0/0.1

BBR#

To see what interfaces are allocated to each VRF, use the show ip vrf brief command as seen below.

BBR#sh ip vrf brief

  Name                             Default RD          Interfaces

  POD1                             1:1                 Lo201

                                                       Fa0/0.1

                                                       Fa0/1.1

  POD2                             2:2                 Lo202

                                                       Fa0/0.2

                                                       Fa0/1.2

  POD3                             3:3                 Lo203

                                                       Fa0/0.3

                                                       Fa0/1.3

  POD4                             4:4                 Lo204

                                                       Fa0/0.4

                                                       Fa0/1.4

  POD5                             5:5                 Lo205

                                                       Fa0/0.5

                                                       Fa0/1.5

  POD6                             6:6                 Lo206

                                                       Fa0/0.6

                                                       Fa0/1.6

  POD7                             7:7                 Lo207

                                                       Fa0/0.7

                                                       Fa0/1.7

  POD8                             8:8                 Lo208

                                                       Fa0/0.8

                                                       Fa0/1.8

BBR#

There are a number of other commands that can be used to verify the vrf, but as you can see, this router is partitioned with eight VRFs. In the next post, I will demonstrate the VRF-aware IPsec configuration for this same setup.