VRF Lite
VRF stands for Virtual Routing and Forwarding. This feature is used to create multiple instances of the routing table on the same routing device. VRFs are usually used in conjunction with MPLS VPN to separate the traffic of multiple MPLS VPN customers. The VRF Lite feature is part of Cisco's network virtualization portfolio. VRF Lite means VRF without the need to run MPLS in the network. It allows the network administrator to create multiple routing instances on the same routing device within the enterprise. VRF Lite can be useful when you need to isolate traffic between two networks sharing the same routing platform, or when you have multiple networks with overlapping addresses sharing the same physical network. Multiple instances of routing protocols can be used for different VRFs on the same device to exchange routes dynamically with a directly connected device.
VRF Lite Configuration:
R2 is connected via Ethernet to R5. Two VRFs (VRF-LITE-A & B) are configured to demonstrate L3 traffic isolation. I am using static routes for this example, but dynamic routing protocols can be used.
R2 Configuration:
ip vrf VRF-LITE-A
 rd 100:1
!
ip vrf VRF-LITE-B
 rd 100:2
!-- Assign interfaces to VRF
interface FastEthernet0/1.25
 encapsulation dot1Q 25
 ip vrf forwarding VRF-LITE-A
 ip address 25.25.25.2 255.255.255.0
!
interface FastEthernet0/1.52
 encapsulation dot1Q 52
 ip vrf forwarding VRF-LITE-B
 ip address 52.52.52.2 255.255.255.0
!
interface Loopback20
 ip vrf forwarding VRF-LITE-A
 ip address 20.20.20.20 255.255.255.255
!
interface Loopback22
 ip vrf forwarding VRF-LITE-B
 ip address 22.22.22.22 255.255.255.255
!
ip route vrf VRF-LITE-A 50.50.50.50 255.255.255.255 25.25.25.5
ip route vrf VRF-LITE-B 55.55.55.55 255.255.255.255 52.52.52.5
R5 Configuration:
ip vrf VRF-LITE-A
 rd 100:1
!
ip vrf VRF-LITE-B
 rd 100:2
!
interface Loopback50
 ip vrf forwarding VRF-LITE-A
 ip address 50.50.50.50 255.255.255.255
!
interface Loopback55
 ip vrf forwarding VRF-LITE-B
 ip address 55.55.55.55 255.255.255.255
!
interface FastEthernet0/1.25
 encapsulation dot1Q 25
 ip vrf forwarding VRF-LITE-A
 ip address 25.25.25.5 255.255.255.0
!
interface FastEthernet0/1.52
 encapsulation dot1Q 52
 ip vrf forwarding VRF-LITE-B
 ip address 52.52.52.5 255.255.255.0
!
ip route vrf VRF-LITE-A 20.20.20.20 255.255.255.255 25.25.25.2
ip route vrf VRF-LITE-B 22.22.22.22 255.255.255.255 52.52.52.2
Operation Verification:
The following tests were taken from R2 only; the same can be done on R5 for verification. A ping issued without the vrf keyword is looked up in the global routing table, which has no route to the VRF destinations, so it fails. The same ping issued inside the matching VRF succeeds.
R2#sh ip route vrf VRF-LITE-A
Routing Table: VRF-LITE-A
!-- output omitted----------
Gateway of last resort is not set
     50.0.0.0/32 is subnetted, 1 subnets
S       50.50.50.50 [1/0] via 25.25.25.5
     20.0.0.0/32 is subnetted, 1 subnets
C       20.20.20.20 is directly connected, Loopback20
     25.0.0.0/24 is subnetted, 1 subnets
C       25.25.25.0 is directly connected, FastEthernet0/1.25

R2#sh ip route vrf VRF-LITE-B
Routing Table: VRF-LITE-B
!--output omitted----------
Gateway of last resort is not set
     55.0.0.0/32 is subnetted, 1 subnets
S       55.55.55.55 [1/0] via 52.52.52.5
     52.0.0.0/24 is subnetted, 1 subnets
C       52.52.52.0 is directly connected, FastEthernet0/1.52
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback22

R2#ping 50.50.50.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.50.50.50, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping vrf VRF-LITE-A 50.50.50.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.50.50.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/143/396 ms

R2#ping 55.55.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping vrf VRF-LITE-B 55.55.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/133/340 ms
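The ping tests above confirm isolation on a live router; the same separation can be checked offline against a saved configuration. The script below is an added example, not part of the original post: it flags addressed interfaces left in the global table and VRF static routes whose next hop is not on a connected subnet of the same VRF. The function name audit_vrf_isolation, the FastEthernet0/1.99 interface and the 60.60.60.60 route are assumptions made up for the illustration.

```python
import ipaddress
import re

# Constructed input: trimmed R2 configuration from this page plus two constructed
# mistakes: Fa0/1.99 has no VRF, and one VRF-LITE-B route points at the VRF-LITE-A link.
SAMPLE_CONFIG = """\
ip vrf VRF-LITE-A
 rd 100:1
ip vrf VRF-LITE-B
 rd 100:2
interface FastEthernet0/1.25
 ip vrf forwarding VRF-LITE-A
 ip address 25.25.25.2 255.255.255.0
interface FastEthernet0/1.52
 ip vrf forwarding VRF-LITE-B
 ip address 52.52.52.2 255.255.255.0
interface FastEthernet0/1.99
 ip address 99.99.99.2 255.255.255.0
ip route vrf VRF-LITE-A 50.50.50.50 255.255.255.255 25.25.25.5
ip route vrf VRF-LITE-B 55.55.55.55 255.255.255.255 52.52.52.5
ip route vrf VRF-LITE-B 60.60.60.60 255.255.255.255 25.25.25.5
"""

def audit_vrf_isolation(config):
    """Return findings for interfaces or static routes that break VRF separation."""
    connected = {}                      # VRF name -> connected networks (None = global)
    routes, findings = [], []
    iface = vrf = None
    for raw in config.splitlines():
        if not raw.startswith(" "):     # any top-level command leaves interface mode
            iface = vrf = None
        if m := re.match(r"interface (\S+)", raw):
            iface = m.group(1)
        elif iface and (m := re.match(r"\s+ip vrf forwarding (\S+)", raw)):
            vrf = m.group(1)            # appears before "ip address" in a saved config
        elif iface and (m := re.match(r"\s+ip address (\S+) (\S+)\s*$", raw)):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            connected.setdefault(vrf, []).append(net)
            if vrf is None:
                findings.append(f"{iface}: addressed interface in the global table")
        elif m := re.match(r"ip route vrf (\S+) (\S+) \S+ (\d+\.\d+\.\d+\.\d+)", raw):
            routes.append(m.groups())
    for name, prefix, hop in routes:    # checked last so every interface is known
        if not any(ipaddress.ip_address(hop) in n for n in connected.get(name, [])):
            findings.append(f"{name}: route to {prefix} uses next hop {hop} outside this VRF")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vrf_isolation(SAMPLE_CONFIG)))
```

Run against the unmodified R2 or R5 configuration from this page, the function returns an empty list.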
For more information about VRF Lite configuration, see "Configuring VRF Lite" from Cisco.