CCIE Brandon Carroll shows you how to use the Virtual Routing and Forwarding (VRF) IP technology to create multiple instances of a routing table on the same router.

I'm going to take a look at how to configure IPsec on a Cisco IOS device, but I'm going to add a little twist to it by configuring it to use the Virtual Routing and Forwarding (VRF) IP technology. This method is useful in circumstances when you need to create multiple instances of a routing table on your router. First, I'll explain VRF in a little more detail, and then move on to the configuration.

What's VRF?

VRF provides a way for you to configure multiple routing instances on your router. This is beneficial if you need to keep customer traffic and routing separate while using the same hardware. Some may be thinking that you can keep customers separate by using sub-interfaces or different physical interfaces, and then use ACL filtering to keep traffic segregated. This would certainly be one method of doing so; however, if for some reason you wanted to overlap customer addressing, you'd have a serious problem. With a VRF you can use the same IP address assigned to two different interfaces on a router at the same time.

I recently came across a scenario where this was a requirement for me. In my work as an instructor, I just had to build a lab environment for a class of eight pods, all with identical topology and identical addressing. Here's a look at the Basic topology in

Now even though this topology is seemingly basic, I had to duplicate it seven more times. Essentially, I look at each lab pod as a separate customer, so I used my router to isolate them. The first step is to create the VRFs.

Creating VRFs

ip vrf POD1
 rd 1:1
!
ip vrf POD2
 rd 2:2
!
ip vrf POD3
 rd 3:3
!
ip vrf POD4
 rd 4:4
!
ip vrf POD5
 rd 5:5
!
ip vrf POD6
 rd 6:6
!
ip vrf POD7
 rd 7:7
!
ip vrf POD8
 rd 8:8
!

With the above configuration, we now have a single router that can act as eight independent routers. What's important about it is that the rd, or route distinguisher, is what allows IP addresses to overlap. In this router, each address will be tagged by the RD, which is in the format of This is a locally significant value.

The next step is to tie each interface to a VRF:

interface FastEthernet0/0.1
 encapsulation dot1Q 201
 ip vrf forwarding POD1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 202
 ip vrf forwarding POD2
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 203
 ip vrf forwarding POD3
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.4
 encapsulation dot1Q 204
 ip vrf forwarding POD4
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.5
 encapsulation dot1Q 205
 ip vrf forwarding POD5
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.6
 encapsulation dot1Q 206
 ip vrf forwarding POD6
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.7
 encapsulation dot1Q 207
 ip vrf forwarding POD7
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.8
 encapsulation dot1Q 208
 ip vrf forwarding POD8
 ip address 192.168.1.1 255.255.255.0
!
!
interface FastEthernet0/1.1
 encapsulation dot1Q 211
 ip vrf forwarding POD1
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 212
 ip vrf forwarding POD2
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.3
 encapsulation dot1Q 213
 ip vrf forwarding POD3
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.4
 encapsulation dot1Q 214
 ip vrf forwarding POD4
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.5
 encapsulation dot1Q 215
 ip vrf forwarding POD5
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.6
 encapsulation dot1Q 216
 ip vrf forwarding POD6
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.7
 encapsulation dot1Q 217
 ip vrf forwarding POD7
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
!
interface FastEthernet0/1.8
 encapsulation dot1Q 218
 ip vrf forwarding POD8
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
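
The isolation this VRF and interface configuration is meant to provide can also be checked offline, before a config is loaded onto the router. The Python below is an added example, not part of the original article: the function name audit and the FastEthernet0/0.9 sub-interface are hypothetical, the sample config is constructed from the POD1 and POD2 lines above, and it assumes a router that is meant to be fully partitioned, so any addressed interface outside a VRF counts as a finding.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: POD1/POD2 as on the page, plus a hypothetical Fa0/0.9 with no VRF.
SAMPLE = """
ip vrf POD1
 rd 1:1
ip vrf POD2
 rd 2:2
interface FastEthernet0/0.1
 ip vrf forwarding POD1
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0.2
 ip vrf forwarding POD2
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1.1
 ip vrf forwarding POD1
 ip address 172.26.26.53 255.255.255.0 secondary
 ip address 172.26.26.1 255.255.255.0
interface FastEthernet0/0.9
 ip address 192.168.1.1 255.255.255.0
"""

def audit(config):
    """Return isolation findings for a VRF config; an empty list means clean."""
    rds, seen, findings = {}, [], []
    kind = name = vrf = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(ip vrf|interface) (\S+)$", line):
            kind, name, vrf = m[1], m[2], None  # start of a new section
        elif kind == "ip vrf" and (m := re.match(r"rd (\S+)$", line)):
            rds[name] = m[1]
        elif kind == "interface" and (m := re.match(r"ip vrf forwarding (\S+)$", line)):
            vrf = m[1]
        elif kind == "interface" and (m := re.match(r"ip address (\S+) (\S+)", line)):
            net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            if vrf is None:
                findings.append(f"{name}: {net} is in the global table")
            for o_if, o_vrf, o_net in seen:  # same table, different interface
                if o_vrf == vrf and o_if != name and net.overlaps(o_net):
                    findings.append(f"{name}: {net} overlaps {o_if} in table {vrf}")
            seen.append((name, vrf, net))
    findings += [f"rd {rd} is used by {n} VRFs"
                 for rd, n in Counter(rds.values()).items() if n > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

The secondary and primary addresses on FastEthernet0/1.1 share a subnet on one interface, which is legitimate and is not reported; only overlaps between different interfaces in the same table are.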

To verify the routing is isolated, we can look at the routing table from the perspective of each VRF. First POD1:

BBR#show ip route vrf POD1

Routing Table: POD1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.26.0.0/24 is subnetted, 1 subnets
C       172.26.26.0 is directly connected, FastEthernet0/1.1
     10.0.0.0/24 is subnetted, 2 subnets
S       10.0.1.0 [1/0] via 192.168.1.2
C       10.0.100.0 is directly connected, Loopback201
C    192.168.1.0/24 is directly connected, FastEthernet0/0.1
BBR#

BBR#sh ip vrf brief
  Name      Default RD      Interfaces
  POD1      1:1             Lo201
                            Fa0/0.1
                            Fa0/1.1
  POD2      2:2             Lo202
                            Fa0/0.2
                            Fa0/1.2
  POD3      3:3             Lo203
                            Fa0/0.3
                            Fa0/1.3
  POD4      4:4             Lo204
                            Fa0/0.4
                            Fa0/1.4
  POD5      5:5             Lo205
                            Fa0/0.5
                            Fa0/1.5
  POD6      6:6             Lo206
                            Fa0/0.6
                            Fa0/1.6
  POD7      7:7             Lo207
                            Fa0/0.7
                            Fa0/1.7
  POD8      8:8             Lo208
                            Fa0/0.8
                            Fa0/1.8
BBR#

To see what interfaces are allocated to each VRF, use the sh ip vrf brief command, as seen above.

There are a number of other commands that can be used to verify the VRF, but as you can see, this router is partitioned with eight VRFs. In the next post, I will demonstrate the VRF-aware IPsec configuration for this same setup.