VRF-Lite – Full review of VRF-Lite, how it differs from VRF, and configuration / verification commands for exam day!

VRFLite

VRF-Lite is quite literally a lightweight version of VRF instances: instead of using VRF to accomplish complex configurations, it simply segregates IP routing by instructing physical interfaces to use the specific VRF route table they need.

Quick guide to configuring the above Topology with VRF-Lite

First you will want to use “ip vrf (name)”, whereas every lab I’ve done recently uses “vrf def (VRF)” with address-family ipv4 and that whole mess; this is the “Lite” part.

To configure our two VRF instances for Networking and Engineering:

TenantRtr(config)#ip vrf Networking
TenantRtr(config-vrf)#exit
TenantRtr(config)#ip vrf Engineering
TenantRtr(config-vrf)#exit

Applying the VRFs to Physical Interfaces first, before creating the VRF IGP

For those that did not read my last MPLS post, OSPF VRF literally will not start unless at least one Physical Interface that is ‘Up’ is in the VRF defined on the OSPF Instance.

Configuring Interfaces on Tenant Router, removing console output

TenantRtr(config)#int fa1/0
TenantRtr(config-if)#vrf forwarding Networking
% Use ‘ip vrf forwarding’ command for VRF ‘Networking’

^^^ Wanted to leave this, VRF-Lite = VRF with “ip” in front of all VRF commands 🙂

Blue = Net Admin VRF (OSPF)
Orange = Engineer VRF (EIGRP)

TenantRtr(config-if)#int fa1/0
TenantRtr(config-if)#ip vrf forwarding Networking
TenantRtr(config-if)#ip add 172.16.1.2 255.255.255.0
TenantRtr(config-if)#int fa2/0
TenantRtr(config-if)#ip vrf forwarding Networking
TenantRtr(config-if)#ip add 172.16.2.2 255.255.255.0
TenantRtr(config)#int fa3/0
TenantRtr(config-if)#ip vrf forwarding Engineering
TenantRtr(config-if)#ip add 192.168.3.2 255.255.255.0
TenantRtr(config-if)#int fa4/0
TenantRtr(config-if)#ip vrf forwarding Engineering
TenantRtr(config-if)#ip add 192.168.4.2 255.255.255.0

Adding OSPF / EIGRP Protocols VRF-Lite style

OSPF VRF Networking

TenantRtr(config)#router ospf 1 vrf Networking
TenantRtr(config-router)#network 172.16.1.0 0.0.0.255 area 0
TenantRtr(config-router)#network 172.16.2.0 0.0.0.255 area 0
TenantRtr(config-router)#^Z
TenantRtr#

TenantRtr(config)#router eigrp 1
TenantRtr(config-router)#$ily ipv4 vrf Engineering autonomous-system 10
TenantRtr(config-router-af)#network 192.168.3.0
TenantRtr(config-router-af)#network 192.168.4.0
TenantRtr(config-router-af)#^Z
TenantRtr#wr

That ridiculously long EIGRP command that got cut off is:

“address-family ipv4 vrf Engineering autonomous-system 10”, which is required to put EIGRP in any VRF Routing Instance.

So that is it – The “Tenant” router used for Redundancy for both networks is finished!
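As a check on the finished Tenant configuration, here is an added example (not part of the original post) that parses a running-config and reports which interfaces sit in which VRF, any addressed interface left in the global table, and any VRF with no addressed interface, which ties back to the note above that OSPF will not start in an empty VRF. The `Guest` VRF and `FastEthernet5/0` are hypothetical additions to the sample so the audit has something to report, and the parser assumes `ip vrf forwarding` precedes `ip address` inside each interface, as it does in a running-config.

```python
import ipaddress
import re

# Constructed sample: TenantRtr's commands from this post in running-config
# form, plus a hypothetical VRF "Guest" and interface fa5/0 to trigger findings.
SAMPLE_CONFIG = """\
ip vrf Networking
ip vrf Engineering
ip vrf Guest
interface FastEthernet1/0
 ip vrf forwarding Networking
 ip address 172.16.1.2 255.255.255.0
interface FastEthernet2/0
 ip vrf forwarding Networking
 ip address 172.16.2.2 255.255.255.0
interface FastEthernet3/0
 ip vrf forwarding Engineering
 ip address 192.168.3.2 255.255.255.0
interface FastEthernet4/0
 ip vrf forwarding Engineering
 ip address 192.168.4.2 255.255.255.0
interface FastEthernet5/0
 ip address 10.0.0.1 255.255.255.0
"""

def audit_vrf_membership(config):
    """Return ({vrf: {interface: network}}, [findings]) for an IOS config."""
    defined, members, findings = set(), {}, []
    iface = vrf = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # top-level line starts a new section
            iface = vrf = None
            if m := re.fullmatch(r"ip vrf (\S+)", line):
                defined.add(m.group(1))
            elif m := re.fullmatch(r"interface (\S+)", line):
                iface = m.group(1)
        elif iface and (m := re.fullmatch(r"ip vrf forwarding (\S+)", line)):
            vrf = m.group(1)
        elif iface and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            if vrf is None:                    # routed interface outside every VRF
                findings.append(f"{iface}: {net} is in the global table")
            else:
                members.setdefault(vrf, {})[iface] = str(net)
    for name in sorted(defined - set(members)):
        findings.append(f"VRF {name}: no addressed interface")
    return members, findings
```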

I will show Rtr1 (OSPF) and Rtr4 (EIGRP) config to demonstrate how the other two will be configured below, output removed EXCEPT Adjacency formation, otherwise just input.

Rtr1

Rtr1(config)#ip vrf Networking
Rtr1(config)#int fa0/0
Rtr1(config-if)#ip vrf forwarding Networking
Rtr1(config-if)#ip add 172.16.0.1 255.255.255.0
Rtr1(config-if)#int fa1/0
Rtr1(config-if)#ip vrf forwarding Networking
Rtr1(config-if)#ip add 172.16.1.1 255.255.255.0
Rtr1(config-if)#router ospf 1 vrf Networking
Rtr1(config-router)#network 172.16.0.0 0.0.0.255 area 0
Rtr1(config-router)#network 172.16.1.0 0.0.0.255 area 0
Rtr1(config-router)#^Z
Rtr1#
*Dec 16 07:49:14.691: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.2.2 on FastEthernet1/0 from LOADING to FULL, Loading Done

(It shows this IP for Adjacency because OSPF is using the highest Physical IP for the RID)

Rtr3 (Need to rename it from R3 to Rtr3, I know)

Rtr3(config)#ip vrf Engineering
Rtr3(config)#int fa3/0
Rtr3(config-if)#ip vrf forwarding Engineering
Rtr3(config-if)#ip add 192.168.3.1 255.255.255.0
Rtr3(config-if)#int fa0/0
Rtr3(config-if)#ip vrf forwarding Engineering
Rtr3(config-if)#ip add 192.168.0.1 255.255.255.0
Rtr3(config-if)#
Rtr3(config)#router eigrp 1
Rtr3(config-router)#address-family ipv4 vrf Engineering Autonomous-System 10
Rtr3(config-router-af)#network 192.168.3.0
*Dec 16 07:56:28.459: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.3.2 (FastEthernet3/0) is up: new adjacency
Rtr3(config-router-af)#network 192.168.0.0
Rtr3(config-router-af)#^Z
Rtr3#

Back on the Tenant we now have 2 OSPF Adjacencies and 2 EIGRP Adjacencies:

TenantRtr#
*Dec 16 07:55:25.659: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.0.1 on FastEthernet1/0 from LOADING to FULL, Loading Done
TenantRtr#
*Dec 16 07:58:24.547: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.2.1 on FastEthernet2/0 from LOADING to FULL, Loading Done
TenantRtr#
*Dec 16 08:02:55.531: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.3.1 (FastEthernet3/0) is up: new adjacency
TenantRtr#
*Dec 16 08:05:30.299: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.4.1 (FastEthernet4/0) is up: new adjacency

Can we ping these IPs now? How does VRF affect troubleshooting commands?

TenantRtr#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
TenantRtr#ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
TenantRtr#

A regular “ping” tries to reach a destination in the Global IP Route table; to reach a destination in a VRF Route Table, you must run ping / traceroute / any other troubleshooting command through that VRF:

TenantRtr#ping vrf Networking 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/52/64 ms
TenantRtr#ping vrf Engineering 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/50/56 ms
TenantRtr#

We have both VRF Tables on this router, so both are reachable, but on either Networking or Engineering routers they will only have their own VRF available, and cannot contact the opposite subnet – This is EXACTLY what VRF-Lite is meant to do!

VRF Verification commands, of which you only really need one (outside “sh run”)

First command(s) are for seeing which VRF Tables you have on your router

TenantRtr#sh vrf ?
WORD VRF name
brief Brief VPN Routing/Forwarding instance information
counters VPN Routing/Forwarding counters
detail Detailed VPN Routing/Forwarding instance information
id Show VPN Routing/Forwarding VPN-ID information
ipmulticast Address family
ipv4 Address family
ipv6 Address family
ipv6multicast Address family
list list of VRFs
lock Show VPN lock information
select Show VPN Routing/Forwarding selection information
| Output modifiers
<cr>

Because of terrible formatting, I’ll screen snip these two table outputs:

vrfbrief

Probably the command you really want is to see the VRF IP Route Table!

TenantRtr#sh ip route vrf Networking

Routing Table: Networking  <– VRF Name – Exam day material!!

Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
O 172.16.0.0/24 [110/2] via 172.16.2.1, 00:24:51, FastEthernet2/0
[110/2] via 172.16.1.1, 00:27:48, FastEthernet1/0
C 172.16.1.0/24 is directly connected, FastEthernet1/0
L 172.16.1.2/32 is directly connected, FastEthernet1/0
C 172.16.2.0/24 is directly connected, FastEthernet2/0
L 172.16.2.2/32 is directly connected, FastEthernet2/0
TenantRtr#

Same can be done for Engineering VRF Route Table, but you get the idea.
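To turn that route-table check into a repeatable isolation test, this added example (not from the original post) parses “sh ip route vrf” output and lists any prefix that falls outside the ranges a VRF is expected to carry. The `EXPECTED` ranges are an assumption made for this lab, and the static `192.168.3.0/24` line is constructed to show what an Engineering route leaked into Networking would look like.

```python
import ipaddress
import re

# "sh ip route vrf Networking" output from this post, plus one constructed
# static route (192.168.3.0/24) standing in for a leaked Engineering prefix.
SAMPLE_OUTPUT = """\
Routing Table: Networking
Gateway of last resort is not set
      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
O        172.16.0.0/24 [110/2] via 172.16.2.1, 00:24:51, FastEthernet2/0
                       [110/2] via 172.16.1.1, 00:27:48, FastEthernet1/0
C        172.16.1.0/24 is directly connected, FastEthernet1/0
L        172.16.1.2/32 is directly connected, FastEthernet1/0
C        172.16.2.0/24 is directly connected, FastEthernet2/0
L        172.16.2.2/32 is directly connected, FastEthernet2/0
S        192.168.3.0/24 [1/0] via 192.168.3.1, FastEthernet3/0
"""

# Assumption for this example: the only ranges each VRF should ever hold.
EXPECTED = {"Networking": ["172.16.0.0/16"], "Engineering": ["192.168.0.0/16"]}

# A route entry starts in column 0 with its code (O, C, L, S, "O IA", ...).
ROUTE = re.compile(r"([A-Z][A-Z0-9* ]*?)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s")

def parse_routes(output):
    """Return (vrf_name, [(code, network), ...]) from the command output."""
    vrf, routes = None, []
    for line in output.splitlines():
        if m := re.match(r"Routing Table: (\S+)", line):
            vrf = m.group(1)
        elif m := ROUTE.match(line):
            routes.append((m.group(1).strip(), ipaddress.ip_network(m.group(2))))
    return vrf, routes

def unexpected_routes(output, expected=EXPECTED):
    """List (code, prefix) entries that fall outside the VRF's expected ranges."""
    vrf, routes = parse_routes(output)
    allowed = [ipaddress.ip_network(n) for n in expected.get(vrf, [])]
    return [(code, str(net)) for code, net in routes
            if not any(net.subnet_of(a) for a in allowed)]
```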

And that is all the magic and mystery behind VRF-Lite!

Given how much I’ve worked with VRF for MPLS and DMVPN this doesn’t blow my socks off, however it’s good to know these slight details from original VRF (like “ip …” before VRF commands), and if you’re not familiar with VRF at all here – Welcome to VRF-Lite! 🙂

Time for me to dream in Binary about my next lab – Until next time fellow geeks!

 
