Category Archives: CCNP – VRF

VRF-Lite: Complete configuration and explanation of behaviors, OSPF and EIGRP demonstration and how they work (or why the don’t work)

vrf_top_plain_vrf_labeled

To note I used the same color I have previously for IPSec VPN tunnels, however that color is more just one of the few colors not reserved for protocols (as I generally use blue for OSPF, red for RIP, and orange for EIGRP), so this time green is for VRF-Lite.

So I wanted to pull quick from the last lab quickly the two pieces of setup already done on the equipment from the last post:

R1:

R1(config)#int fa0/0
R1(config-if)#no shut
R1(config-if)#int fa0/0.2
R1(config-subif)#encap dot1q 2
R1(config-subif)#ip add 10.2.2.1 255.255.255.0
R1(config-subif)#int fa0/0.3
R1(config-subif)#encap dot1q 3
R1(config-subif)#ip add 10.3.3.1 255.255.255.0
R1(config-subif)#int fa0/0.4
R1(config-subif)#encap dot1q 4
R1(config-subif)#ip add 10.4.4.1 255.255.255.0
R1(config-subif)#

SW1:

SW1(config)#int fa0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 2
SW1(config-if)#int fa0/3
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 3
SW1(config-if)#int fa0/4
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 4
SW1(config-if)#

Now to demonstrate something, I have removed sub-interface .3 and .4’s IP address, which will later be revisited.

Now as VRF previously described is separating networks with virtual routing instances, the first part of the configuration is to just simply create those instances:

R1(config)#ip vrf VRF2
R1(config-vrf)#?
IP VPN Routing/Forwarding instance configuration commands:
  bgp           Commands pertaining to BGP
  context       Associate SNMP context with this vrf
  default       Set a command to its defaults
  description   VRF specific description
  exit          Exit from VRF configuration mode
  export        VRF export
  import        VRF import
  maximum       Set a limit
  mdt           Backbone Multicast Distribution Tree
  no            Negate a command or set its defaults
  rd            Specify Route Distinguisher
  route-target  Specify Target VPN Extended Communities
  vpn           Configure VPN ID as specified in rfc2685

R1(config-vrf)#exit
R1(config)#ip vrf VRG3
R1(config-vrf)#EXIT
R1(config)#no ip vrf VRG3
% IP addresses from all interfaces in VRF VRG3 have been removed

R1(config)#ip vrf VRF3
R1(config-vrf)#exit
R1(config)#ip vrf VRF4
R1(config-vrf)#exit
R1(config)#

So I left the output from the VRF mode it drops you into, to show the more advanced options not covered in the CCNP ROUTE exam, more geared to non-Lite VRF (however we may see them in the BGP section). Also I highlighted an error from my first configuration derp of the night, and this illustrates a behavior of VRF I wanted to cover first.

Unlike a majority of configurations on Cisco routers, with VRF, it does matter the order in which you enter commands because that may lead to it removing your IP addresses.

This is because the way VRF takes the route out of the “global route table” and into its own, is by removing the IP address literally from the interface (thus removing it from the global route table), making you manually re-enter it (thus putting it into its VRF instances route table). So I am wondering if the error in red will force VRF enabled interfaces to lose their IP address – I will test this quickly after step # 2 in our configuration.

Being that entering VRF on the interfaces is step #2 in configuration, I took the liberty of showing you how it will react to fa0/0.2 when I enter it on an interface with a current IP, as compared to me enabling VRF on the interface and then entering the IP address:

R1(config)#int fa0/0.2
R1(config-subif)#ip vrf forwarding VRF2
% Interface FastEthernet0/0.2 IP address 10.2.2.1 removed due to enabling VRF VRF2
R1(config-subif)#int fa0/0.3
R1(config-subif)#ip vrf forwarding VRF3
R1(config-subif)#ip add 10.3.3.1 255.255.255.0
R1(config-subif)#int fa0/0.4
R1(config-subif)#ip vrf forwarding VRF4
R1(config-subif)#ip add 10.4.4.1 255.255.255.0
R1(config-subif)#exit
R1(config)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.2          unassigned      YES NVRAM  up                    up
FastEthernet0/0.3          10.3.3.1        YES manual up                    up
FastEthernet0/0.4          10.4.4.1        YES manual up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/1                  unassigned      YES NVRAM  administratively down down
R1(config)#

So as you can see, the order of the commands allowed the IP not to be stripped off .3 and .4, and will now need to be re-entered on .2:

R1(config)#int fa0/0.2
R1(config-subif)#ip add 10.2.2.1 255.255.255.0
R1(config-subif)#exit
R1(config)#do show ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.2          10.2.2.1        YES manual up                    up
FastEthernet0/0.3          10.3.3.1        YES manual up                    up
FastEthernet0/0.4          10.4.4.1        YES manual up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/1                  unassigned      YES NVRAM  administratively down down
R1(config)#

There we go, now lets delete an instance and see if it strips the ip address off the interface:

R1(config)#no ip vrf VRF4
% IP addresses from all interfaces in VRF VRF4 have been removed
R1(config)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.2          10.2.2.1        YES manual up                    up
FastEthernet0/0.3          10.3.3.1        YES manual up                    up
FastEthernet0/0.4          unassigned      YES manual up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/1                  unassigned      YES NVRAM  administratively down down
R1(config)#

It certainly did, and there are a few things here I want to cover, bullet point style:

  • Adding VRF to an interface with an IP, and removing a VRF instance will strip the IP address off any interface running that VRF instance
  • Any IP address removed will have to be manually re-entered on that interface
  • If the VRF instance was removed, the IP address / network will be back in the route table after manually re-adding, if it was stripped due to adding VRF to an interface, it will no longer be in the global routing table after manual re-entering it
  • VRF-Lite configurations, at least in this demonstration, are completely locally significant and downstream routers are completely unaware and will not need special commands when trying to ping R1 or when adding dynamic routing protocols (Only R1 will require them).

So then where do they all go? Good question! They go into their VRF instances routing table, which after adding a route protocol we will see a bit more illustrated:

R1#sh ip route

Gateway of last resort is not set

There be nothing here in the global route table, and that is because the only IP addresses this router knows of are the connected sub-interfaces, and they are now in their own VRF routing instances.

That being said, here is how to see them, with some ? output left in there to see options available for later use in higher level studies (or later in the current course):

R1#show ip route ?

  Hostname or A.B.C.D  Network to display information about or hostname
  bgp                  Border Gateway Protocol (BGP)
  connected            Connected
  dhcp                 Show routes added by DHCP Server or Relay
  eigrp                Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis                 ISO IS-IS
  list                 IP Access list
  mobile               Mobile routes
  odr                  On Demand stub Routes
  ospf                 Open Shortest Path First (OSPF)
  profile              IP routing table profile
  rip                  Routing Information Protocol (RIP)
  static               Static routes
  summary              Summary of all routes
  supernets-only       Show supernet entries only
  track-table          Tracked static table
  update-queue         Queue of RIB updates
  vrf                  Display routes from a VPN Routing/Forwarding instance
  |                    Output modifiers
  <cr>

R1#show ip route vrf ?

  WORD  VPN Routing/Forwarding instance name

R1#show ip route vrf VRF4 ?
  Hostname or A.B.C.D  Network to display information about or hostname
  bgp                  Border Gateway Protocol (BGP)
  connected            Connected
  dhcp                 Show routes added by DHCP Server or Relay
  eigrp                Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis                 ISO IS-IS
  list                 IP Access list
  mobile               Mobile routes
  odr                  On Demand stub Routes
  ospf                 Open Shortest Path First (OSPF)
  profile              IP routing table profile
  rip                  Routing Information Protocol (RIP)
  static               Static routes
  summary              Summary of all routes
  supernets-only       Show supernet entries only
  track-table          Tracked static table
  update-queue         Queue of RIB updates
  |                    Output modifiers
  <cr>

R1#show ip route vrf VRF4

Routing Table: VRF4

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0.4
R1#

And there it is, I highlight my commands (and the options I chose) as with that much modifier output from ?, it is hard to see where the actual command is.

Alright, so our router now has 3 of these VRF instances running, and I think at this point we should know our options to view our VRF information that is configured:

R1#show ip vrf
  Name                             Default RD          Interfaces
  VRF2                             <not set>           Fa0/0.2
  VRF3                             <not set>           Fa0/0.3
  VRF4                             <not set>           Fa0/0.4

R1#sh int fa0/0.2
FastEthernet0/0.2 is up, line protocol is up
  Hardware is AmdFE, address is 000e.8475.04e0 (bia 000e.8475.04e0)
  Internet address is 10.2.2.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  2.
  ARP type: ARPA, ARP Timeout 04:00:00
  Last clearing of “show interface” counters never

HUGE DISCLAIMER TO THE ABOVE OUTPUT : I believe because my WAN routers for the NBMA are running IOS code 12.x it does not show the VRF forwarding instance on my “show int” output but on 15.x IOS code I believe it does.

You can also see the VRF instance in each interfaces output in “sh run” but do not count on that being an available command on exam day.

MOVING RIGHT ALONG.

To ping neighbors that are in a particular VRF instance will fail, because a general ping only tests connectivity in the global route table:

R1#ping 10.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
R1#

For this, we need to add some VRF commands to the ping, to make it use our virtual routing instances route table:

R1#ping ?
  WORD       Ping destination address or hostname
  appletalk  Appletalk echo
  clns       CLNS echo
  decnet     DECnet echo
  ip         IP echo
  ipv6       IPv6 echo
  ipx        Novell/IPX echo
  srb        srb echo
  tag        Tag encapsulated IP echo
  vrf        Select VPN routing instance
  <cr>

R1#ping vrf ?
  WORD  VPN Routing/Forwarding instance name

R1#ping vrf VRF4 ?
  WORD       Ping destination address or hostname
  appletalk  Appletalk echo
  clns       CLNS echo
  decnet     DECnet echo
  ip         IP echo
  ipv6       IPv6 echo
  ipx        Novell/IPX echo
  srb        srb echo
  tag        Tag encapsulated IP echo
  <cr>

R1#ping vrf VRF4 10.4.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

So at this point, it can be noticed that when using VRF, you need to define its instance in basically everything that you do on the router it is configured on, and routing protocols are not immune to this either. So, speaking of which, lets configure us some OSPF first, then we’ll remove it and try EIGRP.

What I like about this demonstration, is that it shows a purpose for both having different locally significant processes for OSPF and VRF. It also shows that when configuring OSPF for VRF, it makes you define the VRF instance ensuring that networks in other VRF instances stay in their own VRF instances:

R1(config)#router ospf 2 ?
  vrf  VPN Routing/Forwarding Instance
  <cr>

R1(config)#router ospf 2 vrf ?
  WORD  VPN Routing/Forwarding Instance (VRF) name

R1(config)#router ospf 2 vrf VRF2 ?
  <cr>

R1(config)#router ospf 2 vrf VRF2
R1(config-router)#network 10.2.2.0 0.0.0.255 area 0
R1(config-router)#exit
R1(config)#router ospf 3 vrf VRF3
R1(config-router)#network 10.3.3.0 0.0.0.255 area 0
R1(config-router)#exit
R1(config)#router ospf 4 vrf VRF4
R1(config-router)#network 10.4.4.0 0.0.0.255 area 0
R1(config-router)#exit
R1(config)#

Notice from the ? output, VRF is the only thing proceed “router ospf (process #)” that can be configured, so that extended command is made solely for VRF. So I put in our VRF instances 2 / 3 / 4 in their own OSPF processes 2 / 3 / 4 but made them all be in Area 0 which makes this technically makes this 2 different types of OSPF router:

  • A backbone router = Must have at least one interface in Area 0
  • An Internal router = Only has OSPF interfaces in a single Area
  • Not an ABR (Area Boarder Router) because that must have one interface in Area 0 and another interface in a non-0 Area

Really wanted to stress that it isn’t an ABR, as I thought it was also that, and after double checking my OSPF Fundamentals in a can post the definition does not fit – THIS IS IT IS WHY IT IS GOOD TO CONTINUOUSLY INCORPORATE OLD LESSONS WITH NEW LESSONS TO KEEP THE KNOWLEDGE UP IN THE OL STEEL TRAP ON YOUR SHOULDERS!

Now, in R2, R3, and R4 I will put them in OSPF Process 1 because the process is locally significant only so it will not matter. I will also create a quick loopback on them to make sure we are advertising routes back to R1:

R2(config)#int lo2
R2(config-if)#
*Mar  1 21:20:51.863: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#router ospf 1
R2(config-router)#network 10.2.2.0 0.0.0.255 area 0
*Mar  1 21:21:51.777: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R2(config-router)#network 2.2.2.0 0.0.0.255 area 2
R2(config-router)#

You can see the adjacency back to R1 form before the loopback network can even be added, I’ll save the output from the other two routers as it is the exact same except their loopbacks will be 3.3.3.0/24 and 4.4.4.0/24.

  • One other note, R2 / R3 / R4 are now ABR’s because they have their fa0/0 interface in Area 0 and their loopback interface in Area #, so they are both a Backbone router and a ABR router in OSPF terminology

However from the above output, I wanted to show there are no extended VRF commands on the remote routers from R1 or matching process #’s needed, so lets see how R1 see’s everything:

R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           1   FULL/DR         00:00:33    10.4.4.4        FastEthernet0/0.4
3.3.3.3           1   FULL/DR         00:00:38    10.3.3.3        FastEthernet0/0.3
10.2.2.2          1   FULL/DR         00:00:31    10.2.2.2        FastEthernet0/0.2
R1#

As can be seen, “sh ip ospf nei” shows them whether they are in their own VRF’s or not, they are still OSPF neighbors, however even after a “clear ip ospf proc” on both R1 and R2 it is still showing 10.2.2.2 as it’s RID instead of the highest logical address 2.2.2.2.

So first from R1, lets see if we are getting routes advertised from all 3 neighbors:

R1#show ip route vrf VRF2

Routing Table: VRF2

Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/2] via 10.2.2.2, 00:02:39, FastEthernet0/0.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.2.2.0 is directly connected, FastEthernet0/0.2
R1#show ip route vrf VRF3

Routing Table: VRF3

Gateway of last resort is not set

     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/2] via 10.3.3.3, 00:03:00, FastEthernet0/0.3
     10.0.0.0/24 is subnetted, 1 subnets
C       10.3.3.0 is directly connected, FastEthernet0/0.3
R1#show ip route vrf VRF4

Routing Table: VRF4

Gateway of last resort is not set

     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/2] via 10.4.4.4, 00:03:04, FastEthernet0/0.4
     10.0.0.0/24 is subnetted, 1 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0.4
R1#

After going back to R2 and doing “sh ip route” and confirming 2.2.2.0/24 is in the global route table, and “sh ip proto” shows 10.2.2.2 as the RID, and “sh ip int bri” confirms 10.2.2.2 is NOT on a logical interface I have no idea what’s going on.

I’d normally dig into that a little more, but it’s getting late, and I need to wrap this up, but want to test EIGRP as well so I’m going to quickly change the routing protocol to EIGRP to see if it works the same:

R1(config)#
R1(config)#
R1(config)#router eigrp ?


  <1-65535>  Autonomous system number

R1(config)#router eigrp 200 ?

  <cr>

R1(config-router)#no auto

R1(config-router)#?

Router configuration commands:
  address-family       Enter Address Family command mode
  auto-summary         Enable automatic network number summarization
  bfd                  BFD configuration commands
  default              Set a command to its defaults
  default-information  Control distribution of default information
  default-metric       Set metric of redistributed routes
  distance             Define an administrative distance
  distribute-list      Filter networks in routing updates
  eigrp                EIGRP specific commands
  exit                 Exit from routing protocol configuration mode
  help                 Description of the interactive help system
  maximum-paths        Forward packets over multiple paths
  metric               Modify EIGRP routing metrics and parameters
  neighbor             Specify a neighbor router
  network              Enable routing on an IP network
  no                   Negate a command or set its defaults
  offset-list          Add or subtract offset from RIP metrics
  passive-interface    Suppress routing updates on an interface
  redistribute         Redistribute information from another routing protocol
  timers               Adjust routing timers
  traffic-share        How to compute traffic share over alternate paths
  variance             Control load balancing variance

R1(config-router)#network ?

  A.B.C.D  Network number

R1(config-router)#network 10.2.2.0 0.0.0.255 ?

  <cr>

R1(config-router)#network 10.2.2.0 0.0.0.255
R1(config-router)#exit
R1(config)#router eigrp 300
R1(config-router)#network 10.3.3.0 0.0.0.255
R1(config-router)#exit
R1(config)#router eigrp 400
R1(config-router)#network 10.4.4.0 0.0.0.255
R1(config-router)#exit

I’ve highlight my output again in red, as there is a lot of output here that I want to illustrate mentions ABSOLUTELY NOTHING ABOUT VRF ANYWHERE WITH EIGRP.

So I just put them in their own AS’s, but I am not feeling good about this, as not defining the virtual routing process, I am assuming it is going to try to pull from the global route table. So on the neighbors I will use matching AS numbers (as required to match to form an adjacency with EIGRP neighbors, along with k weights), and lets see if we get some neighbors to form:

R2(config)#router eigrp 200
R2(config-router)#no auto
R2(config-router)#network 10.2.2.0 0.0.0.255
R2(config-router)#network 2.2.2.0 0.0.0.255
R2(config-router)#
ASR#1
[Resuming connection 1 to r1 … ]

R1(config)#do sh ip eigrp nei
IP-EIGRP neighbors for process 200
IP-EIGRP neighbors for process 300
IP-EIGRP neighbors for process 400
R1(config)#

Yeah, it looks like EIGRP is not going to work with VRF instances like OSPF did, I assume BGP will as well be we have yet to get into BGP yet in my studies. So I won’t go on to configure the other routers as we know it’s not going to work.

That concludes VRF-Lite, lots of good information to go with the configurations, now onward to IPv6! 🙂

VRF (Virtual Routing and Forwarding) and VRF-Lite theory and initial lab setup (Your CCNA Router on a Stick refresher!)

vrf_top_plain

First I would like to draw the line in the sand between VRF, and VRF-Lite.

  • VRF was created mainly for MPLS VPNs using BGP, so it is beyond the scope of the CCNP R/S, however Lite version uses the same theory and commands (mostly)
  • VRF-Lite is for smaller scale deployment, but uses the same theory and functionality as full scale VRF, without the higher level deployment configurations

That being said, VRF is used to separate networks from the “global” routing table, and put those networks in their own VRF instances perhaps for security, or to allow multiple overlapping networks to be routed on the same router because of the separation VRF provides.

So essentially, your setting up virtual routing tables for networks you don’t want on the global routing table (“sh ip route”).

I am going to dive into configuration, and explain as I go here, and the first step in this type of Topology (for me) begins on the switch and setting up VLAN’s and a Trunk. This is where I ran into my first derp moment:

SW1(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is “Auto” can not be configured to “trunk” mode.

I thought I remembered that being the beginning command, then defining the negotiation, encapsulation, etc. But I’ll play ball:

SW1(config-if)#switchport trunk encap dot1q
SW1(config-if)#switchport mode trunk

There it is, and for the rest of the ports:

SW1(config)#int fa0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 2
SW1(config-if)#int fa0/3
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 3
SW1(config-if)#int fa0/4
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 4
% Access VLAN does not exist. Creating vlan 4
SW1(config-if)#
00:58:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan4, changed state to up
SW1(config-if)#

I manually added vlan’s to interfaces fa0/2 and fa0/3 by going into the interface and simply typing “vlan 2” and “vlan 3”, but I figured I should probably do it the proper way, which shows at the end there that if you configure a switch interface for a vlan that doesn’t yet exist it will create it – Old school CCNA flash back!

Now onto the routers, R2 / R3 / R4 will have their network addresses assigned to their fa0/0 interfaces with the IP address ending in the router number, whilst on R1 it will not have an IP address on its interface but rather its sub-interfaces:

R1(config)#int fa0/0
R1(config-if)#no shut
R1(config-if)#int fa0/0.2
R1(config-subif)#encap dot1q 2
R1(config-subif)#ip add 10.2.2.1 255.255.255.0
R1(config-subif)#int fa0/0.3
R1(config-subif)#encap dot1q 3
R1(config-subif)#ip add 10.3.3.1 255.255.255.0
R1(config-subif)#int fa0/0.4
R1(config-subif)#encap dot1q 4
R1(config-subif)#ip add 10.4.4.1 255.255.255.0
R1(config-subif)#

For those of you who remember Router on a Stick, this probably looks very familiar.

This is right where I would start configuring my lab, but I am a bit fried from work, so as not to rush through it I am going to leave this as the initial lab setup and save the VRF-Lite configuration for the next post. (That and I am stalling moving onto IPv6, hisssss)

I am going to wr mem on all routers and my switch, and next post, I will fully lab vrf-lite so I can move onto the bane of my Cisco life, IPv6 🙂