VRF Introduction
VRF, or Virtual Routing and Forwarding, is an IP technology, part of Cisco's MPLS/VPN suite, used to virtualise logical routing tables on a router.
Just as 802.1q VLANs can be used to segregate Layer 2 broadcast domains, VRFs operate at Layer 3 and can maintain traffic separation through Layer 3 routing domains across routers and firewalls.
Basic VRF Configuration
Create the two VRFs:
R1(config)#ip vrf red
R1(config)#ip vrf blue
Create two subinterfaces and place them into the appropriate VRF. Notice here that we configure the IP address after joining the VRF; otherwise the router will remove the IP address.
R1(config-subif)#int fa0/0.10
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip vrf forwarding red
R1(config-subif)#ip address 192.168.1.1 255.255.255.0
R1(config-subif)#int fa0/0.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip vrf forwarding blue
R1(config-subif)#ip address 192.168.1.1 255.255.255.0
Notice that the router accepted the same IP address on both interfaces. This is because they are in separate VRF instances. As each VRF maintains its own RIB, there is no overlap of the connected routes.
If we are to test our newly configured links with a ping test, note that now we must explicitly instruct the router to use a VRF. While we have entries for the 192.168.1.0/24 network in both the red and blue VRFs, it does not exist in the Global Routing Table.
R1#ping vrf red 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping vrf blue 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
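The following added example (not part of the original page) audits a list of interface commands against the two behaviours described above: an address entered before `ip vrf forwarding` is removed, and the same subnet is only a conflict when it appears twice inside one VRF. It treats the text as commands in the order they are typed; the `audit` function, the sample input and the `fa0/0.30` interface are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input (not from the original page). fa0/0.30 is a
# deliberate mistake: the address is entered before the VRF assignment.
SAMPLE_CONFIG = """\
interface fa0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding red
 ip address 192.168.1.1 255.255.255.0
interface fa0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding blue
 ip address 192.168.1.1 255.255.255.0
interface fa0/0.30
 encapsulation dot1Q 30
 ip address 192.168.1.129 255.255.255.128
 ip vrf forwarding red
"""

def audit(config):
    """Return (per-VRF connected networks, list of findings)."""
    tables = defaultdict(list)   # VRF name -> [(interface, network)]
    findings = []
    iface, vrf, addr = None, "global", None

    def commit():  # file the finished interface under its VRF's table
        if iface and addr:
            for other_if, other_net in tables[vrf]:
                if addr.network.overlaps(other_net):
                    findings.append(f"{iface}: {addr.network} overlaps {other_if} in VRF {vrf}")
            tables[vrf].append((iface, addr.network))

    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            commit()
            iface, vrf, addr = words[1], "global", None
        elif words[:3] == ["ip", "vrf", "forwarding"]:
            if addr:  # the router removes an address set before joining the VRF
                findings.append(f"{iface}: address {addr} set before VRF {words[3]}, removed")
                addr = None
            vrf = words[3]
        elif words[:2] == ["ip", "address"]:
            addr = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    commit()
    return dict(tables), findings
```

Interfaces that never receive `ip vrf forwarding` are filed under a `global` table, which makes it easy to spot a subinterface that was meant to be isolated but ended up in the Global Routing Table.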