VRF Selection Based on Source IP Addresses

In this post we are going to cover a nice tool. Actually, I've never used it in production, but I was fully testing it during my CCIE SP lab preparations and wish to share it with you. It's nice to have such a tool in your toolbox when dealing with complex designs.

The VRF Selection feature allows a given interface on a PE router to route packets received from the CE router into different VRFs based on the source IP address of the packet. Think of it as a form of policy-based routing, where forwarding is controlled by the source IP address, except that here we control which VRF the traffic is forwarded into rather than which interface it leaves through.

What actually happens is simple: the ingress PE router performs two table lookups for each packet it receives from the CE router:

  1. In the first lookup, the source IP address is looked up in the VRF selection table to determine which VRF this packet should be forwarded to.
  2. In the second lookup, the destination IP address is looked up as usual, in the VRF table chosen in the previous step.

As we can see, the operation is straightforward and simple, and as we are going to see later, so is the configuration.

An important point to watch, though: if there is no match in the first lookup, the packet is forwarded based upon the global routing table. This might imply a significant security risk for the Service Provider, because traffic from unknown sources ends up being routed by the provider's global table. It is therefore recommended to black-hole such traffic, as illustrated in the example below, by forwarding traffic from unknown sources to a special VRF (the BHOLE VRF in the example) whose only route points to Null0, so the packets are simply dropped.

NOTE: What I originally thought of to work around the above issue was to apply a dummy VRF under the interface itself, but Cisco IOS won't let you do this, as you'll get the following error: "% Can not configure VRF if VRF Select is already configured, To enable VRF, first remove VRF Select from the interface".

PE router configuration:

ip vrf test1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
ip vrf test2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
ip vrf BHOLE
 rd 1000:1000
 route-target export 1000:1000
 route-target import 1000:1000
interface Serial2/0.1 point-to-point
 description Connection to the CE router
 ip vrf select source
 ip vrf receive test1
 ip vrf receive test2
 ip vrf receive BHOLE
 ip address
 frame-relay interface-dlci 102
vrf selection source vrf test1
vrf selection source vrf test2
vrf selection source vrf BHOLE
ip route vrf test1 Serial2/0.1
ip route vrf test2 Serial2/0.1
ip route vrf BHOLE Null0

This should be the output of the VRF selection table on the PE router:

PE#sh ip vrf select
VRF Selection Information
Source IP-Address      Mask        Selected VRF Table
                                   test1
                                   test2
                                   BHOLE
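To make the two-lookup behaviour and the fall-through risk concrete, here is a small Python model of the PE's forwarding decision. This is an added example, not code or output from the post or from Cisco IOS; the source prefixes, destination prefixes and next hops are constructed assumptions, since the post's real addresses were not preserved.

```python
import ipaddress

# Constructed tables (assumptions, not the post's addressing).
# First lookup: source prefix -> VRF, longest prefix match wins.
VRF_SELECT = {
    "10.1.0.0/16": "test1",
    "10.2.0.0/16": "test2",
    "0.0.0.0/0": "BHOLE",   # catch-all: unknown sources go to the black-hole VRF
}
# The same selection table without the catch-all entry, to show the fall-through.
WITHOUT_BHOLE = {k: v for k, v in VRF_SELECT.items() if v != "BHOLE"}

# Second lookup: per-VRF destination prefix -> next hop / outgoing interface.
VRF_ROUTES = {
    "test1": {"192.168.1.0/24": "Serial2/0.1"},
    "test2": {"192.168.2.0/24": "Serial2/0.1"},
    "BHOLE": {"0.0.0.0/0": "Null0"},                 # everything is dropped
    "global": {"0.0.0.0/0": "Serial2/0 (SP core)"},  # provider's global table
}


def longest_match(table, addr):
    """Return the value of the most specific prefix covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


def forward(src, dst, select_table=VRF_SELECT, routes=VRF_ROUTES):
    """Model the ingress PE: pick the VRF by source, then route by destination.

    Returns (vrf, next_hop); next_hop is None when the chosen VRF has no route.
    """
    # Lookup 1: no match in the selection table means the global table is used.
    vrf = longest_match(select_table, src) or "global"
    # Lookup 2: destination lookup inside the selected VRF.
    return vrf, longest_match(routes[vrf], dst)


if __name__ == "__main__":
    for src, dst in [("10.1.5.5", "192.168.1.1"), ("172.16.0.1", "192.168.1.1")]:
        print(src, "->", dst, "with catch-all:", forward(src, dst),
              "| without:", forward(src, dst, select_table=WITHOUT_BHOLE))
```

Run it and compare the two results for the unknown source 172.16.0.1: with the BHOLE catch-all it lands on Null0, without it the same packet is routed by the global table.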

I hope that I've been informative.

Mohammed Mahmoud.
