VRF Lite Introduction

The idea behind VRF (Virtual Routing and Forwarding) is to separate IP networks into different groups. There are other ways to achieve layer 3 separation, such as access lists, route filtering and NAT. VRF uses separate routing tables to divide network layer information. Packets are classified based on the interface they are received on, and a single interface can be associated with only one VRF instance. VRF is very popular with MPLS and the layer 3 VPNs offered by service providers. VRF Lite is the VRF implementation without MPLS.

The principle of using multiple routing tables is also found in Linux policy routing, which is configured with the iproute2 tool set. There, packets are classified based on a wide variety of criteria, not just the input interface.

Scenario details and network topology

In this simple scenario we will demonstrate how iproute2 can substitute for VRF Lite and achieve similar behavior. The topology is first implemented with VRF Lite and dynamic routing between customer sites on Cisco devices, and then on Linux routers with static routing, because a dynamic per-VRF routing protocol is not available for Linux.

Let’s say that a company has two buildings in two different towns. In each building, the company has an office for department A and an office for department B. The networks of these two departments need to be separate. At the same time, each department office needs to be connected to its counterpart in the other town.

Cisco VRF Lite implementation

For each department, a separate VRF instance is created on routers R1 and R2. The instances are named VRF “A” and VRF “B”, respectively. In the first town, department A’s office “A1” and department B’s office “B1” are linked to the same switch, SW1. The corresponding VLANs are vlan 10 for office A1 and vlan 11 for office B1. SW1 connects to R1 through a trunk port carrying both VLANs. The sub-interface for A1 is assigned to VRF A, and the sub-interface for office B1 is assigned to VRF B. Offices A2 and B2 are located in the other town and are linked to switch SW2 using the same VLANs. SW2 connects to router R2 through a trunk port carrying both VLANs, and the sub-interfaces are assigned to VRF A and VRF B respectively. R1 and R2 are linked to each other with two logical interfaces using 802.1Q encapsulation: one interface is assigned to department A’s VRF (vlan 50) and the other to department B’s VRF (vlan 51). For more details see the topology drawing. The EIGRP protocol is configured on R1 and R2 and transports per-VRF routing information.

Router R1 configuration steps:

Create VRF instances for departments A and B

Configure per-VRF Route Distinguisher and Route Targets for import and export

Assign interfaces to corresponding VRFs

Configure EIGRP per-VRF routing

Below are the relevant configuration commands for R1 with brief comments:

R1
ip cef
!create VRF instance for department A
!
ip vrf A
 !configure Route Distinguisher
 rd 1:1
 !configure import and export target
 route-target export 1:1
 route-target import 1:1
!create VRF instance for department B
!
ip vrf B
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 description to LAN A1
 encapsulation dot1Q 10
 !assign interface to VRF A
 ip vrf forwarding A
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/0.11
 description to LAN B1
 encapsulation dot1Q 11
 ip vrf forwarding B
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.50
 description WAN to A2
 encapsulation dot1Q 50
 ip vrf forwarding A
 ip address 192.168.10.1 255.255.255.252
!
interface FastEthernet0/1.51
 description WAN to B2
 encapsulation dot1Q 51
 ip vrf forwarding B
 ip address 192.168.10.5 255.255.255.252
!
router eigrp 16434
 auto-summary
 !set context to VRF B
 !
 address-family ipv4 vrf B
  network 192.168.1.0
  network 192.168.10.5 0.0.0.0
  no auto-summary
  !EIGRP AS on each customer B site must be equal
  autonomous-system 2
 exit-address-family
 !
 address-family ipv4 vrf A
  network 192.168.0.0
  network 192.168.10.1 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!

The configuration of router R2 is analogous and is omitted.

Linux iproute2 implementation

The configuration below achieves the same goals of providing connectivity between offices of the same departments while separating different departments’ traffic. Instead of dynamic routing, static routes are configured.

Router R1 configuration steps:

Create and configure 802.1Q sub-interfaces for LAN (vlan 10 and 11) and WAN (vlan 50 and 51) communication

Configure two routing table aliases, comA for department A and comB for department B, by adding two new entries to the /etc/iproute2/rt_tables file

#
# reserved values
#
1	comA
2	comB
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep

Populate the new routing tables

Add rules for associating incoming interface traffic with the corresponding routing table

# ip rule add iif eth0.10 table comA prio 1000
# ip rule add iif eth0.11 table comB prio 1010
# ip rule add iif eth1.50 table comA prio 1020
# ip rule add iif eth1.51 table comB prio 1030

To verify the routing tables, use the ip route list command. For instance, routing table comA should contain four entries similar to these:

# ip route list table comA
192.168.2.0/24 via 192.168.1.2 dev eth1.50 proto static
192.168.0.0/24 dev eth0.10 proto static scope link
192.168.0.0/30 dev eth1.50 proto static scope link
default via 192.168.1.2 dev eth0.11 proto static

To verify policy routing rules:

# ip rule show
0: from all lookup local
1000: from all iif eth0.10 lookup comA
1010: from all iif eth0.11 lookup comB
1020: from all iif eth1.50 lookup comA
1030: from all iif eth1.51 lookup comB
32766: from all lookup main
32767: from all lookup default
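The separation described in the Linux steps above depends on one detail of how ip rule works: rules are tried in priority order, and when the table a rule selects has no route for the destination, the lookup falls through to the next rule, eventually reaching the main table, which holds every connected route the kernel added when the interface addresses were configured. A per-department table must therefore end in a default route (as the comA table above does) or in an explicit unreachable default, otherwise department A traffic for a department B prefix is forwarded out of the department B interface. The following Python model of rule and table lookup is an added illustration, not code from the original article; the addresses follow the article's VLAN layout (A1 on eth0.10, B1 on eth0.11, WAN links on eth1.50 and eth1.51, LAN prefixes as in the Cisco section), while the remote office prefixes and next hops (192.168.2.0/24 via 192.168.10.2, 192.168.3.0/24 via 192.168.10.6) and the table contents are constructed assumptions.

```python
"""Model of Linux policy routing: ordered ip rules, per-table longest-prefix
lookup and fall-through to the next rule when a table has no matching route.
Added illustration; addresses and tables are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str                    # "192.168.2.0/24" or "default"
    dev: str
    via: Optional[str] = None
    unreachable: bool = False      # "ip route add unreachable default table X"

    def network(self):
        return ipaddress.ip_network("0.0.0.0/0" if self.prefix == "default" else self.prefix)

    def matches(self, dst):
        return dst in self.network()

    def plen(self):
        return self.network().prefixlen


@dataclass
class Rule:
    prio: int
    table: str
    iif: Optional[str] = None      # None means "from all" with no iif selector


def lookup(dst, iif, rules, tables):
    """Resolve a packet (destination, input interface) the way the kernel does:
    walk rules by priority, skip rules whose iif does not match, look the
    destination up in the selected table, and fall through when nothing matches."""
    dst = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.iif is not None and rule.iif != iif:
            continue
        candidates = [r for r in tables.get(rule.table, []) if r.matches(dst)]
        if not candidates:
            continue                       # no route in this table: next rule
        best = max(candidates, key=Route.plen)   # longest prefix wins
        if best.unreachable:
            return "unreachable"
        return f"table {rule.table}: dev {best.dev}" + (f" via {best.via}" if best.via else "")
    return "unreachable"


# Connected routes the kernel installs in "main" for every configured address.
MAIN = [
    Route("192.168.0.0/24", "eth0.10"),
    Route("192.168.1.0/24", "eth0.11"),
    Route("192.168.10.0/30", "eth1.50"),
    Route("192.168.10.4/30", "eth1.51"),
]
# Per-department tables; remote office routes are assumptions for this example.
COM_A = [
    Route("192.168.0.0/24", "eth0.10"),
    Route("192.168.10.0/30", "eth1.50"),
    Route("192.168.2.0/24", "eth1.50", via="192.168.10.2"),   # office A2 (assumed)
]
COM_B = [
    Route("192.168.1.0/24", "eth0.11"),
    Route("192.168.10.4/30", "eth1.51"),
    Route("192.168.3.0/24", "eth1.51", via="192.168.10.6"),   # office B2 (assumed)
]
# Same rule set as the article's "ip rule show" output.
RULES = [
    Rule(0, "local"),
    Rule(1000, "comA", iif="eth0.10"), Rule(1010, "comB", iif="eth0.11"),
    Rule(1020, "comA", iif="eth1.50"), Rule(1030, "comB", iif="eth1.51"),
    Rule(32766, "main"), Rule(32767, "default"),
]


def tables(terminated):
    """Build the table set; with terminated=True each department table ends in
    the equivalent of 'ip route add unreachable default table comA/comB'."""
    t = {"local": [], "main": MAIN, "default": [],
         "comA": list(COM_A), "comB": list(COM_B)}
    if terminated:
        t["comA"].append(Route("default", "", unreachable=True))
        t["comB"].append(Route("default", "", unreachable=True))
    return t


def check_isolation(terminated):
    """Resolve three sample packets: within A, within B, and A trying to reach B."""
    tb = tables(terminated)
    return {
        "A1->A2": lookup("192.168.2.7", "eth0.10", RULES, tb),
        "B1->B2": lookup("192.168.3.7", "eth0.11", RULES, tb),
        "A1->B1": lookup("192.168.1.7", "eth0.10", RULES, tb),
    }


if __name__ == "__main__":
    for terminated in (False, True):
        print("terminated tables:" if terminated else "open tables:", check_isolation(terminated))
```

With open tables the A1->B1 packet finds nothing in comA, falls through to main and is forwarded out of eth0.11; with terminated tables the same packet is dropped as unreachable while the intra-department paths are unchanged. The same check applies to a real router by comparing `ip route get <dst> iif <if>` for a cross-department destination against the intended table contents.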