CCIE Brandon Carroll shows you how to use the Virtual Routing and Forwarding (VRF) IP technology to create multiple instances of a routing table on the same router.
I'm going to take a look at how to configure IPsec on a Cisco IOS device, but with a twist: the router will use Virtual Routing and Forwarding (VRF), so the IPsec configuration has to be VRF-aware. VRF is the tool to reach for whenever you need more than one instance of the routing table on a single router. First, I'll explain VRF in a little more detail, and then move on to the VRF configuration that the IPsec setup will sit on top of.
What's VRF?
VRF provides a way to configure multiple routing instances on one router. This is beneficial when you need to keep customers' traffic and routing separate while running them on the same hardware. Some may be thinking that you can keep customers apart with sub-interfaces or separate physical interfaces and then use ACL filtering to keep the traffic segregated. That is certainly one method, but the isolation is only as good as the ACLs, and if for some reason customer addressing overlaps you have a serious problem: a single routing table can hold only one route to 192.168.1.0/24. With VRFs, each instance has its own routing table and its own forwarding table, so the same IP address can be assigned to two different interfaces on one router at the same time, as long as those interfaces belong to different VRFs. Traffic cannot cross from one VRF to another unless you explicitly configure route leaking between them.
I recently came across a scenario where this was a requirement for me. In my work as an instructor, I had to build a lab environment for a class of eight pods, all with identical topology and identical addressing. Here's a look at the basic topology in Figure A:
Figure A: basic lab pod topology
Even though this topology is seemingly basic, I had to duplicate it seven more times. Essentially, I look at each lab pod as a separate customer, so I used my router to isolate them. The first step is to create the VRFs.
Creating VRFs
ip vrf POD1
rd 1:1
!
ip vrf POD2
rd 2:2
!
ip vrf POD3
rd 3:3
!
ip vrf POD4
rd 4:4
!
ip vrf POD5
rd 5:5
!
ip vrf POD6
rd 6:6
!
ip vrf POD7
rd 7:7
!
ip vrf POD8
rd 8:8
!
With the above configuration, we now have a single router that can act as eight independent routers. The rd, or Route Distinguisher, is an 8-byte value written as either ASN:nn or IP-address:nn. It is prepended to each IPv4 prefix to form a VPNv4 prefix, which is what lets MP-BGP carry overlapping customer prefixes in an MPLS VPN. On a standalone VRF-lite router like this one there is no MP-BGP, so the RD value is locally significant and only needs to differ between the VRFs on this box. What actually keeps POD1's 192.168.1.1 apart from POD2's is that each VRF has its own routing table (RIB) and its own CEF forwarding table (FIB): a packet arriving on an interface is looked up only in the tables of the VRF that interface belongs to.
The next step is to tie each interface to a VRF:
interface FastEthernet0/0.1
encapsulation dot1Q 201
ip vrf forwarding POD1
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 202
ip vrf forwarding POD2
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 203
ip vrf forwarding POD3
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.4
encapsulation dot1Q 204
ip vrf forwarding POD4
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.5
encapsulation dot1Q 205
ip vrf forwarding POD5
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.6
encapsulation dot1Q 206
ip vrf forwarding POD6
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.7
encapsulation dot1Q 207
ip vrf forwarding POD7
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.8
encapsulation dot1Q 208
ip vrf forwarding POD8
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1.1
encapsulation dot1Q 211
ip vrf forwarding POD1
ip address 172.26.26.53 255.255.255.0 secondary
ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.2
encapsulation dot1Q 212
ip vrf forwarding POD2
ip address 172.26.26.53 255.255.255.0 secondary
ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.3
encapsulation dot1Q 213
ip vrf forwarding POD3
ip address 172.26.26.53 255.255.255.0 secondary
ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.4
encapsulation dot1Q 214
ip vrf forwarding POD4
ip address 172.26.26.53 255.255.255.0 secondary
ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.5
encapsulation dot1Q 215
ip vrf forwarding POD5
ip address 172.26.26.53 255.255.255.0 secondary
ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.6
encapsulation dot1Q 216
ip vrf forwarding POD6
ip address 172.26.26.53 255.255.255.0 secondary
ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.7
encapsulation dot1Q 217
ip vrf forwarding POD7
ip address 172.26.26.53 255.255.255.0 secondary
ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.8
encapsulation dot1Q 218
ip vrf forwarding POD8
ip address 172.26.26.53 255.255.255.0 secondary
ip address 172.26.26.1 255.255.255.0
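The eight-pod configuration above is repetitive, and that repetition is where isolation mistakes creep in: a sub-interface that gets an address but no ip vrf forwarding line quietly lands in the global routing table, and an address configured before the VRF binding is stripped by IOS the moment the binding is applied. The following Python script is an added example, not code from the original post. It renders the same pattern for any number of pods and lints a configuration for those mistakes, for bindings to VRFs that were never defined, and for an address reused inside a single VRF (reuse across VRFs is the point, so that is allowed). The command names and addressing come from the post; the function names, the VLAN-base parameters, and the BROKEN_CONFIG sample are constructed for this example.

```python
"""Render an N-pod VRF-lite configuration and lint it for isolation mistakes.

Added example, not code from the original post. Naming follows the post
(POD<n>, RD n:n, VLAN 200+n on Fa0/0.n and 210+n on Fa0/1.n); the pod count
and VLAN bases are parameters so the same pattern scales past eight pods.
"""
import re
from collections import defaultdict


def render_vrf_config(n_pods, inside_base_vlan=200, outside_base_vlan=210):
    """Return IOS CLI text: one VRF per pod, each with an inside and an
    outside dot1Q sub-interface carrying the same addresses as every pod."""
    out = []
    for n in range(1, n_pods + 1):
        out += [f"ip vrf POD{n}", f" rd {n}:{n}", "!"]
    for n in range(1, n_pods + 1):
        # 'ip vrf forwarding' goes before 'ip address': IOS clears any address
        # already on the interface at the moment the VRF binding is applied.
        out += [f"interface FastEthernet0/0.{n}",
                f" encapsulation dot1Q {inside_base_vlan + n}",
                f" ip vrf forwarding POD{n}",
                " ip address 192.168.1.1 255.255.255.0", "!",
                f"interface FastEthernet0/1.{n}",
                f" encapsulation dot1Q {outside_base_vlan + n}",
                f" ip vrf forwarding POD{n}",
                " ip address 172.26.26.53 255.255.255.0 secondary",
                " ip address 172.26.26.1 255.255.255.0", "!"]
    return "\n".join(out) + "\n"


_IFACE = re.compile(r"^interface (\S+)")
_VRF_DEF = re.compile(r"^ip vrf (?!forwarding\b)(\S+)")
_VRF_FWD = re.compile(r"^\s+ip vrf forwarding (\S+)")
_ADDR = re.compile(r"^\s+ip address (\S+) (\S+)")


def lint_vrf_config(config):
    """Return sorted findings. An empty list means every addressed interface
    is bound to a defined VRF, each binding precedes its addresses, and no
    address is reused inside one VRF."""
    findings, defined = [], set()
    owners = defaultdict(list)            # (vrf, address) -> [interfaces]
    iface, vrf, addrs = None, None, []

    def close_block():
        if iface is None:
            return
        if addrs and vrf is None:
            findings.append(f"{iface}: addressed but left in the global table")
        if vrf is not None and vrf not in defined:
            findings.append(f"{iface}: bound to undefined VRF {vrf}")
        for a in addrs:
            owners[(vrf, a)].append(iface)

    for line in config.splitlines():
        if m := _IFACE.match(line):
            close_block()
            iface, vrf, addrs = m.group(1), None, []
        elif m := _VRF_DEF.match(line):
            defined.add(m.group(1))
        elif (m := _VRF_FWD.match(line)) and iface:
            if addrs:
                findings.append(f"{iface}: 'ip address' precedes 'ip vrf "
                                "forwarding'; IOS drops the address when the VRF is applied")
            vrf = m.group(1)
        elif (m := _ADDR.match(line)) and iface:
            addrs.append(m.group(1))
    close_block()

    for (v, a), ifs in owners.items():
        if len(ifs) > 1:
            findings.append(f"{a} reused inside VRF {v or 'global'}: {', '.join(ifs)}")
    return sorted(findings)


# Constructed counter-example (not from the post) with four separate mistakes.
BROKEN_CONFIG = """\
ip vrf POD1
 rd 1:1
!
interface FastEthernet0/0.1
 ip address 192.168.1.1 255.255.255.0
 ip vrf forwarding POD1
!
interface FastEthernet0/0.2
 ip vrf forwarding POD2
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.3
 ip vrf forwarding POD1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback9
 ip address 10.0.9.1 255.255.255.255
!
"""

if __name__ == "__main__":
    print(render_vrf_config(8))
    for finding in lint_vrf_config(BROKEN_CONFIG):
        print("finding:", finding)
```

Run the lint against the rendered eight-pod configuration and it returns nothing; run it against BROKEN_CONFIG and it reports the ordering mistake on Fa0/0.1, the undefined POD2 on Fa0/0.2, the reuse of 192.168.1.1 inside POD1 by Fa0/0.3, and Loopback9 sitting in the global table. The last of those is the one that matters most on a shared router: an interface left in the global table is reachable from, and can reach, everything else that is not in a VRF.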
To verify that routing is isolated, we can look at the routing table from the perspective of each VRF. (The per-pod loopbacks, Loopback201 through Loopback208, are bound to their VRFs the same way as the sub-interfaces; their configuration is omitted above.) Note that the static route to 10.0.1.0/24 in the output below had to be installed with the VRF form of the command, ip route vrf POD1 10.0.1.0 255.255.255.0 192.168.1.2; a plain ip route would land in the global table and would never be consulted for POD1 traffic. First, POD1:
BBR#show ip route vrf POD1
Routing Table: POD1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.26.0.0/24 is subnetted, 1 subnets
C 172.26.26.0 is directly connected, FastEthernet0/1.1
10.0.0.0/24 is subnetted, 2 subnets
S 10.0.1.0 [1/0] via 192.168.1.2
C 10.0.100.0 is directly connected, Loopback201
C 192.168.1.0/24 is directly connected, FastEthernet0/0.1
BBR#
To see which interfaces are allocated to each VRF, use the show ip vrf brief command as seen below.
BBR#sh ip vrf brief
  Name                             Default RD          Interfaces
  POD1                             1:1                 Lo201
                                                       Fa0/0.1
                                                       Fa0/1.1
  POD2                             2:2                 Lo202
                                                       Fa0/0.2
                                                       Fa0/1.2
  POD3                             3:3                 Lo203
                                                       Fa0/0.3
                                                       Fa0/1.3
  POD4                             4:4                 Lo204
                                                       Fa0/0.4
                                                       Fa0/1.4
  POD5                             5:5                 Lo205
                                                       Fa0/0.5
                                                       Fa0/1.5
  POD6                             6:6                 Lo206
                                                       Fa0/0.6
                                                       Fa0/1.6
  POD7                             7:7                 Lo207
                                                       Fa0/0.7
                                                       Fa0/1.7
  POD8                             8:8                 Lo208
                                                       Fa0/0.8
                                                       Fa0/1.8
BBR#
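That output is what you compare against intent after every change to the router, because an interface that loses its ip vrf forwarding line (for instance when a sub-interface is deleted and re-created) silently drops out of its VRF and into the global table. The following Python script, added here and not part of the original post, parses show ip vrf brief (including the continuation lines that carry only an interface name) and diffs the live VRF membership against the expected per-pod layout. The sample output is constructed to mirror three of the router's eight pods, and the drift case (Fa0/1.3 re-created without its VRF binding, so it no longer appears under POD3) is likewise constructed; the function names are this example's own.

```python
"""Verify live VRF membership from 'show ip vrf brief' output.

Added example, not code from the original post. SHOW_IP_VRF_BRIEF is
constructed to mirror three of the post's eight pods; the drift case is
constructed too. Function names are this example's own.
"""

SHOW_IP_VRF_BRIEF = """\
  Name                             Default RD          Interfaces
  POD1                             1:1                 Lo201
                                                       Fa0/0.1
                                                       Fa0/1.1
  POD2                             2:2                 Lo202
                                                       Fa0/0.2
                                                       Fa0/1.2
  POD3                             3:3                 Lo203
                                                       Fa0/0.3
                                                       Fa0/1.3
"""

# Drift case: Fa0/1.3 was re-created without 'ip vrf forwarding POD3', so it
# sits in the global table and no longer appears under POD3.
SHOW_IP_VRF_BRIEF_DRIFT = SHOW_IP_VRF_BRIEF.replace("Fa0/1.3", "")


def parse_vrf_brief(text):
    """Map VRF name -> {'rd': str, 'interfaces': [...]}.

    A VRF row starts at the same indent as the 'Name' header; deeper-indented
    rows that carry only an interface name continue the VRF above them.
    Assumes every VRF has an RD set, as on the post's router."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0]
    name_col = len(header) - len(header.lstrip())
    vrfs, current = {}, None
    for line in lines[1:]:
        tokens = line.split()
        if len(line) - len(line.lstrip()) == name_col:
            current = tokens[0]
            vrfs[current] = {"rd": tokens[1], "interfaces": tokens[2:3]}
        elif current is not None:
            vrfs[current]["interfaces"].extend(tokens[:1])
    return vrfs


def expected_members(n_pods):
    """Intent: pod n owns Lo(200+n), Fa0/0.n and Fa0/1.n and nothing else."""
    return {f"POD{n}": {f"Lo{200 + n}", f"Fa0/0.{n}", f"Fa0/1.{n}"}
            for n in range(1, n_pods + 1)}


def check_membership(vrfs, expected):
    """Return sorted findings where the live state diverges from intent."""
    findings = []
    for name, want in expected.items():
        if name not in vrfs:
            findings.append(f"VRF {name} is not defined on the router")
            continue
        have = set(vrfs[name]["interfaces"])
        for i in sorted(want - have):
            findings.append(f"{i} is not in VRF {name}: it is in the global table or another VRF")
        for i in sorted(have - want):
            findings.append(f"{i} is in VRF {name} but should not be")
    for name in sorted(set(vrfs) - set(expected)):
        findings.append(f"unexpected VRF {name} holding {vrfs[name]['interfaces']}")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("clean", SHOW_IP_VRF_BRIEF), ("drift", SHOW_IP_VRF_BRIEF_DRIFT)):
        print(label, check_membership(parse_vrf_brief(text), expected_members(3)))
```

Pair this with show ip vrf interfaces when you want the addresses as well as the names; the membership diff alone is enough to catch the common failure, an interface that belongs to no VRF at all.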
There are a number of other commands that can be used to verify the VRF configuration, such as show ip vrf interfaces, show ip cef vrf, and the vrf keyword on ping and traceroute, but as you can see, this router is partitioned into eight VRFs. In the next post, I will demonstrate the VRF-aware IPsec configuration for this same setup.