By Administrator in All, Linux administration, Routing protocols

VRF Lite Introduction

The idea behind VRF is to separate IP networks into different groups. There are other ways to achieve layer 3 separation, such as access lists, route filtering and NAT. VRF uses separate routing tables to divide network layer information. Packets are classified based on the interface they are received on, and an interface can belong to only one VRF instance. VRF is very popular with MPLS and the layer 3 VPNs offered by Service Providers. VRF Lite is the VRF implementation without MPLS.

The principle of using multiple routing tables is built into the Linux policy routing tool iproute2. There, packets are classified based on a wide variety of criteria, not just the input interface.

Scenario details and network topology

In this simple scenario we demonstrate how iproute2 can substitute for VRF Lite and achieve similar behavior. The topology is first implemented with VRF Lite and dynamic routing between customer sites on Cisco devices, and then on Linux routers with static routing. A dynamic per-VRF routing protocol is not available for Linux.

Network topology diagram

Let’s say that a company has two buildings in two different towns. In each building, the company has an office for department A and an office for department B. The networks of these two departments need to be separate. At the same time, each department office needs to be connected to its counterpart in the other town.

Cisco VRF Lite implementation

For each department, a separate VRF instance is created on routers R1 and R2. The instances are named VRF “A” and VRF “B”, respectively. In the first town, department A’s office “A1” and department B’s office “B1” are linked to the same switch, SW1. The corresponding VLANs are vlan 10 for office A1 and vlan 11 for office B1. SW1 connects to R1 through a trunk port carrying both VLANs. The sub-interface for A1 is assigned to VRF A and the sub-interface for B1 to VRF B. Offices A2 and B2 are located in the other town and are linked to switch SW2 using the same VLANs. SW2 connects to router R2 through a trunk port carrying both VLANs, and the sub-interfaces are assigned to VRF A and VRF B respectively. R1 and R2 are linked to each other with two logical interfaces using 802.1Q encapsulation: one is assigned to department A’s VRF (vlan 50) and the other to department B’s VRF (vlan 51). For more details see the topology drawing. EIGRP is configured on R1 and R2 and carries the per-VRF routing information.

Router R1 configuration steps:

  • Create VRF instances for departments A and B
  • Configure per-VRF Route Distinguisher and Route Targets for import and export
  • Assign interfaces to corresponding VRFs
  • Configure EIGRP per-VRF routing

Below are the relevant configuration commands for R1 with brief comments:

R1
ip cef
!
! create VRF instance for department A
ip vrf A
 ! configure Route Distinguisher
 rd 1:1
 ! configure import and export targets
 route-target export 1:1
 route-target import 1:1
!
! create VRF instance for department B
ip vrf B
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 description to LAN A1
 encapsulation dot1Q 10
 ! assign interface to VRF A
 ip vrf forwarding A
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/0.11
 description to LAN B1
 encapsulation dot1Q 11
 ip vrf forwarding B
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.50
 description WAN to A2
 encapsulation dot1Q 50
 ip vrf forwarding A
 ip address 192.168.10.1 255.255.255.252
!
interface FastEthernet0/1.51
 description WAN to B2
 encapsulation dot1Q 51
 ip vrf forwarding B
 ip address 192.168.10.5 255.255.255.252
!
router eigrp 16434
 auto-summary
 !
 ! set context to VRF B
 address-family ipv4 vrf B
  network 192.168.1.0
  network 192.168.10.5 0.0.0.0
  no auto-summary
  ! the EIGRP AS number must be the same on every department B site
  autonomous-system 2
 exit-address-family
 !
 address-family ipv4 vrf A
  network 192.168.0.0
  network 192.168.10.1 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!

The configuration of router R2 is analogous and is omitted.

Linux iproute2 implementation

The configuration below achieves the same goals of providing connectivity between offices of the same departments while separating different departments’ traffic. Instead of dynamic routing, static routes are configured.

Router R1 configuration steps:

  • Create and configure dot1q sub-interfaces for LAN (vlan 10 and 11) and WAN (vlan 50 and 51) communication:

    root@R1:~# vconfig add eth0 10
    Added VLAN with VID == 10 to IF -:eth0:-
    root@R1:~# vconfig add eth0 11
    Added VLAN with VID == 11 to IF -:eth0:-
    root@R1:~# vconfig add eth1 50
    Added VLAN with VID == 50 to IF -:eth1:-
    root@R1:~# vconfig add eth1 51
    Added VLAN with VID == 51 to IF -:eth1:-
    root@R1:~# ifconfig eth0.10 192.168.0.1/24
    root@R1:~# ifconfig eth0.11 192.168.1.1/24
    root@R1:~# ifconfig eth1.50 192.168.10.1/30
    root@R1:~# ifconfig eth1.51 192.168.10.5/30

  • Configure two routing table aliases, comA for department A and comB for department B, by adding two entries to the /etc/iproute2/rt_tables file:

    # reserved values
    #
    1       comA
    2       comB
    255	local
    254	main
    253	default
    0	unspec
    #
    # local
    #
    #1	inr.ruhep

  • Populate the new routing tables (connected networks, the remote office network and a default route, each in its department's table):

    root@R1:~# ip route add 192.168.0.0/24 table comA dev eth0.10 proto static
    root@R1:~# ip route add 192.168.10.0/30 table comA dev eth1.50 proto static
    root@R1:~# ip route add 192.168.1.0/24 table comB dev eth0.11 proto static
    root@R1:~# ip route add 192.168.10.4/30 table comB dev eth1.51 proto static
    root@R1:~# ip route add 192.168.2.0/24 table comA dev eth1.50 via 192.168.10.2 proto static
    root@R1:~# ip route add 192.168.3.0/24 table comB dev eth1.51 via 192.168.10.6 proto static
    root@R1:~# ip route add default table comA dev eth1.50 via 192.168.10.2 proto static
    root@R1:~# ip route add default table comB dev eth1.51 via 192.168.10.6 proto static

  • Add rules that send traffic to the routing table of the interface it arrived on:

    root@R1:~# ip rule add iif eth0.10 table comA prio 1000
    root@R1:~# ip rule add iif eth0.11 table comB prio 1010
    root@R1:~# ip rule add iif eth1.50 table comA prio 1020
    root@R1:~# ip rule add iif eth1.51 table comB prio 1030

To verify the routing tables, use the ip route list command. Table comA, for instance, should contain these four entries:

root@R1:~# ip route list table comA
192.168.2.0/24 via 192.168.10.2 dev eth1.50  proto static
192.168.0.0/24 dev eth0.10  proto static  scope link
192.168.10.0/30 dev eth1.50  proto static  scope link
default via 192.168.10.2 dev eth1.50  proto static

To verify policy routing rules:

root@R1:~# ip rule show
0:	from all lookup local 
1000:	from all iif eth0.10 lookup comA 
1010:	from all iif eth0.11 lookup comB 
1020:	from all iif eth1.50 lookup comA 
1030:	from all iif eth1.51 lookup comB 
32766:	from all lookup main 
32767:	from all lookup default
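As an added example (not code from the original post), the script below expresses the same R1 build in current iproute2 syntax (ip link ... type vlan and ip address in place of vconfig and ifconfig) as a dry run that prints the commands for review, and adds the check a practitioner wants for the verification step above: it reads ip route list table output and reports any route whose outgoing device belongs to the other department's table, the kind of slip that silently joins the two VRFs. Interface names, addresses and table names are the post's; the function names and the sample listings are constructed here.

```shell
#!/bin/sh
# Added example, not code from the original post: a dry-run generator for the
# R1 policy-routing setup using current iproute2 syntax, plus a check that a
# per-department table only leaves through that department's interfaces.
# Interface names, addresses and table names follow the post; the function
# names and the sample listings below are constructed for this example.

emit() { printf '%s\n' "$*"; }

# Which table (VRF) each sub-interface belongs to.
vrf_of_dev() {
    case "$1" in
        eth0.10|eth1.50) emit comA ;;
        eth0.11|eth1.51) emit comB ;;
        *)               emit unknown ;;
    esac
}

# Print the configuration commands instead of running them, so they can be
# reviewed and then applied with:  gen_cmds | sh   (as root)
gen_cmds() {
    # table aliases (appended once)
    emit "grep -q comA /etc/iproute2/rt_tables || printf '1\\tcomA\\n2\\tcomB\\n' >> /etc/iproute2/rt_tables"
    # 802.1Q sub-interfaces and addresses (replaces vconfig/ifconfig)
    for spec in "eth0 10 192.168.0.1/24" "eth0 11 192.168.1.1/24" \
                "eth1 50 192.168.10.1/30" "eth1 51 192.168.10.5/30"; do
        set -- $spec
        emit "ip link add link $1 name $1.$2 type vlan id $2"
        emit "ip address add $3 dev $1.$2"
        emit "ip link set $1.$2 up"
    done
    # per-table static routes: connected, remote office LAN, default
    emit "ip route add 192.168.0.0/24 dev eth0.10 table comA proto static"
    emit "ip route add 192.168.10.0/30 dev eth1.50 table comA proto static"
    emit "ip route add 192.168.2.0/24 via 192.168.10.2 dev eth1.50 table comA proto static"
    emit "ip route add default via 192.168.10.2 dev eth1.50 table comA proto static"
    emit "ip route add 192.168.1.0/24 dev eth0.11 table comB proto static"
    emit "ip route add 192.168.10.4/30 dev eth1.51 table comB proto static"
    emit "ip route add 192.168.3.0/24 via 192.168.10.6 dev eth1.51 table comB proto static"
    emit "ip route add default via 192.168.10.6 dev eth1.51 table comB proto static"
    # classification by ingress interface, one rule per sub-interface
    prio=1000
    for dev in eth0.10 eth0.11 eth1.50 eth1.51; do
        emit "ip rule add iif $dev table $(vrf_of_dev "$dev") prio $prio"
        prio=$((prio + 10))
    done
}

# Read "ip route list table <name>" output on stdin; return 1 (and report)
# if any route exits through an interface that belongs to another table.
check_table() {
    expect="$1"; bad=0
    while read -r line; do
        dev=$(emit "$line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
        [ -n "$dev" ] || continue
        owner=$(vrf_of_dev "$dev")
        if [ "$owner" != "$expect" ]; then
            emit "LEAK: table $expect has a route via $dev (belongs to $owner): $line" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample listings for table comB: the first carries the
# 192.168.10.4/30 route on eth1.50 (department A's WAN link) by mistake.
SAMPLE_COMB_BAD='192.168.1.0/24 dev eth0.11  proto static  scope link
192.168.10.4/30 dev eth1.50  proto static  scope link
192.168.3.0/24 via 192.168.10.6 dev eth1.51  proto static
default via 192.168.10.6 dev eth1.51  proto static'
SAMPLE_COMB_GOOD=$(emit "$SAMPLE_COMB_BAD" | sed 's/10.4\/30 dev eth1.50/10.4\/30 dev eth1.51/')

gen_cmds
emit "$SAMPLE_COMB_BAD"  | check_table comB || emit "sample comB: cross-VRF route found"
emit "$SAMPLE_COMB_GOOD" | check_table comB && emit "corrected comB: clean"
```

On a live router the check is applied as ip route list table comB | check_table comB. Two caveats are worth keeping in mind. Matching on iif ties the table lookup to the physical ingress point, whereas a from selector keyed on source address would let a host in one department fall into the other table simply by using a spoofed source, so the interface-based rule is the one that reproduces VRF semantics. And the connected routes that ifconfig or ip address install in the main table are still consulted for packets that arrive on an interface without an iif rule, or that originate on the router itself, so ip route list table main deserves the same review. Kernels from 4.3 onward also provide a native VRF device (ip link add NAME type vrf table N) that enforces this binding in the kernel, which is outside the scope of this post.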

2 Responses

  1. Good article. I guess there are some mistakes in commands/outputs.

    “ip route add 192.168.10.4/30 table comB dev eth1.50 proto static” should be “ip route add 192.168.10.4/30 table comB dev eth1.51 proto static” !

    “192.168.0.0/30 dev eth1.50 proto static scope link” should be “192.168.10.0/30 dev eth1.50 proto static scope link” !

    “default via 192.168.1.2 dev eth0.11 proto static” should be “default via 192.168.1.2 dev eth1.50 proto static” !

  2. How to make these settings stick after reboot?
