VRF Selection Based on Source IP Addresses
In this post we are going to cover a nice tool. Actually, I've never used it in production, but I tested it thoroughly during my CCIE SP lab preparations and wish to share it with you. It's nice to have such a tool in your toolbox when dealing with complex designs.
The VRF Selection feature allows a certain interface on a PE router to route packets received from the CE router to different VRFs based on the source IP address of the packet. Think of it as a form of policy-based routing, where you control traffic forwarding based on source IP addresses, except that here we control which VRF the traffic is forwarded into rather than which interface it leaves through.
What actually happens is that the ingress PE router simply performs two table lookups for the packets it receives from the CE router:
- In the first lookup, the source IP address is looked up in the VRF selection table to determine which VRF this packet should be forwarded to.
- In the second lookup, the destination IP address is looked up as usual, but in the VRF table selected in the previous step.
As we can see, the operation is straightforward and simple, and as we are going to see later, the configuration is also straightforward and simple.
An important note to take care of, though: if there is no match in the first step, the packet is forwarded based on the global routing table. This can be a significant security risk for the Service Provider, so it is recommended to black-hole such traffic as illustrated in the example below, by simply forwarding traffic from unknown sources to a special VRF (the BHOLE VRF in the example) and dropping it there.
NOTE: What I originally thought of as a workaround for the above issue was to apply a dummy VRF under the interface itself, but Cisco IOS won't let you do this, as you'll get the following error: "% Can not configure VRF if VRF Select is already configured, To enable VRF, first remove VRF Select from the interface".
PE router configuration:
!
ip vrf test1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf test2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
ip vrf BHOLE
 rd 1000:1000
 route-target export 1000:1000
 route-target import 1000:1000
!
interface Serial2/0.1 point-to-point
 description Connection to the CE router
 ip vrf select source
 ip vrf receive test1
 ip vrf receive test2
 ip vrf receive BHOLE
 ip address 12.12.12.1 255.255.255.0
 frame-relay interface-dlci 102
!
vrf selection source 101.101.101.101 255.255.255.255 vrf test1
vrf selection source 202.202.202.202 255.255.255.255 vrf test2
vrf selection source 0.0.0.0 0.0.0.0 vrf BHOLE
!
ip route vrf test1 101.101.101.101 255.255.255.255 Serial2/0.1 12.12.12.2
ip route vrf test2 202.202.202.202 255.255.255.255 Serial2/0.1 12.12.12.2
ip route vrf BHOLE 0.0.0.0 0.0.0.0 Null0
!
This should be the output of the VRF selection table on the PE router:
PE#sh ip vrf select
VRF Selection Information

Source IP-Address    Mask               Selected VRF Table
101.101.101.101      255.255.255.255    test1
202.202.202.202      255.255.255.255    test2
0.0.0.0              0.0.0.0            BHOLE
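To make the two-lookup behaviour concrete, here is a small Python model of the forwarding path described above, added as an example and not part of the original post or of Cisco IOS. It reuses the selection table from the configuration above; the per-VRF destination prefixes and the "Core uplink" next hop of the global table are constructed for the illustration. Running it shows that a packet from an unknown source falls into the global table when the 0.0.0.0/0 catch-all is missing, and into BHOLE (Null0) when it is present.

```python
# Added example: a model of source-based VRF selection followed by a destination lookup.
# Not Cisco code; destination prefixes and the global next hop are constructed values.
import ipaddress

# VRF selection table, as built by "vrf selection source ..." (source prefix -> VRF).
VRF_SELECT = [
    (ipaddress.ip_network("101.101.101.101/32"), "test1"),
    (ipaddress.ip_network("202.202.202.202/32"), "test2"),
]

# Same table with the catch-all entry from the post, so unknown sources land in BHOLE.
VRF_SELECT_WITH_BHOLE = VRF_SELECT + [(ipaddress.ip_network("0.0.0.0/0"), "BHOLE")]

# Per-VRF destination tables (prefix -> next hop). "global" models the global routing
# table that is consulted when no selection entry matches. Constructed for this example.
RIB = {
    "test1": [(ipaddress.ip_network("10.1.0.0/16"), "Serial2/0.1 12.12.12.2")],
    "test2": [(ipaddress.ip_network("10.2.0.0/16"), "Serial2/0.1 12.12.12.2")],
    "BHOLE": [(ipaddress.ip_network("0.0.0.0/0"), "Null0")],
    "global": [(ipaddress.ip_network("0.0.0.0/0"), "Core uplink")],
}


def lpm(table, addr):
    """Longest-prefix match of addr against (prefix, value) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, value in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, value)
    return None if best is None else best[1]


def forward(src, dst, select_table):
    """First lookup: source -> VRF. Second lookup: destination inside that VRF.
    Returns (vrf_name, next_hop); a miss in the first lookup falls back to the global table."""
    vrf = lpm(select_table, src) or "global"
    return vrf, lpm(RIB[vrf], dst)


if __name__ == "__main__":
    for label, table in (("without catch-all", VRF_SELECT), ("with catch-all", VRF_SELECT_WITH_BHOLE)):
        print(label, "known source:", forward("101.101.101.101", "10.1.2.3", table))
        print(label, "unknown source:", forward("9.9.9.9", "10.1.2.3", table))
```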
I hope that I've been informative.
BR,
Mohammed Mahmoud.