VRFing 101, Understanding VRF Basics

When most engineers think about VRF, they think about MPLS. VRF, short for Virtual Routing and Forwarding, is one of the features that enable designers to create flexible MPLS network designs. However, we are going to completely forget about MPLS and look at what VRF does to a single IOS-based router. This article is a very simplified VRF 101.

Those who enjoy VRFing 101, 102 and 103 will also find the following series on Layer 3 Segmentation with VRFs useful.

http://www.packetu.com/2017/01/29/segmenting-layer-3-networks-vrfs/

The first thing that I want to mention is the pronunciation. In plural, some people simply call these “vee-are-effs”. Others pronounce them as “verf” or “verfs” (rhyming with surf). I catch myself being consistently inconsistent and pronouncing them both ways. Unless you are my eighth grade grammar teacher, what VRFs do for us is more important than how we pronounce them. So what is a VRF? How does it change the behavior of a router? What does a basic configuration look like? These are the types of questions that we will answer in this article.

Some people think of VRFs as a way to do virtualization and describe them as VMware for your router. Each area of isolation is thought of as a VMware guest instance. I like to think of VRFs as similar to VLANs, but at layer 3. VLANs are obviously a layer two topic, but they create similar isolation. To go from one VLAN to another, there is a need to go through a device that has access to both VLANs. VRFs create the same type of isolation at layer 3. However, the way that we jump between areas of isolation is a little different.

So what are we isolating? The answer to that question is key to understanding the effect of VRF instances in a router. Let’s go back to some routing fundamentals. Routers typically cannot share an IP subnet across multiple interfaces. There are some types of serial connections that break this rule, but the general case is that an IP subnet is accessible through no more than one locally connected interface. You certainly could not have the same IP address on multiple interfaces.

R1(config-if)#int loop 1
R1(config-if)#ip address 192.168.1.1 255.255.255.0

//let's try to put the same address on loopback 2
R1(config-if)#int loop 2
R1(config-if)#ip address 192.168.1.1 255.255.255.0
% 192.168.1.0 overlaps with Loopback1

What if I had a multi-tenant environment and really needed to configure two interfaces with “192.168.1.1”? It would certainly suck to have to buy another router. This is where VRFs come into play.

VRF, when used inside a single router, is called VRF-Lite. Each VRF instance is a separate route table. The route table that we all know and love is shown by doing a “show ip route”. This is called the global route table, and it does not show any routes that are specific to a VRF. In a minute, we’ll see a separate command that shows the routes inside a VRF instance. By creating multiple route tables, we overcome the restriction on overlapping address spaces. We also provide isolation to each tenant or area of the network.

Key Concept–Each VRF instance is a separate route table.

The Challenge–

The image below contains three routers. Both R2 and R3 need to be able to reach their respective sub interface and loopback on R1. R2 and R3 do not need to access one another. Both R2 and R3 must use 192.168.1.1 as a default gateway. R2 and R3 must be in separate VLANs.

I hope I’ve written the challenge in a way that makes VRFs the only solution. Based on the requirements, I believe we need two VRFs. We should be able to accomplish this by implementing the diagram below.

VRF configuration is fairly straightforward, so let’s go ahead and get started.

//create the two VRFs

R1(config)#ip vrf red
R1(config)#ip vrf blue

//create each sub interface and place them into the appropriate VRF
//notice that we configure the IP address after configuring the VRF
//otherwise the router will remove the IP address

R1(config-subif)#int fa0/0.10
R1(config-subif)#encapsulation dot1Q 10             
R1(config-subif)#ip vrf forwarding red              
R1(config-subif)#ip address 192.168.1.1 255.255.255.0

R1(config-subif)#int fa0/0.20
R1(config-subif)#encapsulation dot1Q 20             
R1(config-subif)#ip vrf forwarding blue             
R1(config-subif)#ip address 192.168.1.1 255.255.255.0

//notice that the router accepted the same IP address on both interfaces
//this is because they are in separate VRF instances

Now let’s test our reachability to R2 and R3.

//notice we now have to clue R1 into the fact that we want 
//to use a VRF as opposed to the global routing table.

//ping R2
R1#ping vrf red 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

//ping R3
R1#ping vrf blue 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#

Even though 192.168.1.1 is directly connected to Fa0/0.10 and Fa0/0.20, it does not show up with a “show ip route”. Remember, “show ip route” shows the global routing table.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R1#

To see the routes associated with a VRF, we have to add the “vrf vrfname” parameter.

R1#show ip route vrf red

Routing Table: red
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0.10

R1#show ip route vrf blue

Routing Table: blue
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0.20
R1#

Now let’s add our loopback interfaces into the appropriate VRFs.

R1(config)#int loop 10
R1(config-if)#ip vrf forwarding red
R1(config-if)#ip address 10.10.10.10 255.255.255.0
R1(config-if)#int loop 20
R1(config-if)#ip vrf forwarding blue
R1(config-if)#ip address 20.20.20.20 255.255.255.0
R1(config-if)#exit

Finally, we can test from R2 and R3. In a multi-tenant environment, you might not have access to these. However, in this lab we do and can therefore use them to confirm the functionality.

R2 (should be able to reach 10.10.10.10, but not 20.20.20.20)

R2(config)#do ping 10.10.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config)#do ping 20.20.20.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R3 (should not be able to reach 10.10.10.10, but should have access to 20.20.20.20)

R3(config)#do ping 10.10.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3(config)#do ping 20.20.20.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3(config)#
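The whole lab above, from the overlap error to the R2/R3 tests, as a small Python model. This is an added example, not code from the article and not anything IOS itself runs; it shows in executable form the two rules the article relies on: an interface's VRF decides which table its address is checked against, and which table a packet arriving on that interface is looked up in. Interface, VRF and address names are the article's. The Router class, the Route tuple, the links table that stands in for the VLAN 10/20 switch the article does not show, the trace and ping helpers, and the R2/R3 static routes (not in the article's tests, but several comments below point out they are needed) are assumptions of the model.

```python
"""Toy model of VRF-Lite forwarding for the lab above (added example, not the article's code)."""
import ipaddress
from collections import namedtuple

GLOBAL = "global"  # the table a plain 'show ip route' displays
Route = namedtuple("Route", "prefix out_intf next_hop", defaults=(None,))  # next_hop only on statics

class Router:
    """Each VRF is a separate route table; an interface belongs to exactly one of them."""
    def __init__(self):
        self.tables = {GLOBAL: []}  # vrf name -> list of Route
        self.intf_vrf = {}          # interface -> vrf name (absent means global)
        self.addrs = {}             # interface -> IPv4Interface

    def ip_vrf(self, vrf):
        self.tables.setdefault(vrf, [])

    def ip_vrf_forwarding(self, intf, vrf):
        # As on IOS, moving an interface into a VRF drops any address it already had.
        self.intf_vrf[intf] = vrf
        self.addrs.pop(intf, None)
        for table in self.tables.values():
            table[:] = [r for r in table if r.out_intf != intf]

    def ip_address(self, intf, cidr):
        iface, vrf = ipaddress.ip_interface(cidr), self.intf_vrf.get(intf, GLOBAL)
        # The overlap check only sees this interface's own table, so a subnet is accepted once per VRF.
        for r in self.tables[vrf]:
            if r.next_hop is None and r.out_intf != intf and r.prefix.overlaps(iface.network):
                raise ValueError(f"% {iface.network.network_address} overlaps with {r.out_intf}")
        self.addrs[intf] = iface
        self.tables[vrf].append(Route(iface.network, intf))

    def ip_route(self, cidr, next_hop, vrf=GLOBAL):
        self.tables[vrf].append(Route(ipaddress.ip_network(cidr), None, ipaddress.ip_address(next_hop)))

    def show_ip_route(self, vrf=GLOBAL):
        return sorted(str(r.prefix) for r in self.tables.get(vrf, []))

    def owns(self, vrf, dst):
        return any(a.ip == dst for i, a in self.addrs.items() if self.intf_vrf.get(i, GLOBAL) == vrf)

    def lookup(self, vrf, dst):
        """Longest-prefix match inside one table only; routes in other VRFs are invisible."""
        hits = [r for r in self.tables.get(vrf, []) if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def trace(routers, links, src, vrf, dst):
    """Walk towards dst; the VRF of the ingress interface picks each next table. '!' delivered, 'U' no route."""
    dst, cur, table, egress = ipaddress.ip_address(dst), src, vrf, None
    for _ in range(8):
        rtr = routers[cur]
        if rtr.owns(table, dst):
            return "!", cur, table, egress
        route = rtr.lookup(table, dst)
        if route is not None and route.out_intf is None:  # static route: resolve its next hop
            route = rtr.lookup(table, route.next_hop)
        if route is None or route.out_intf is None or (cur, route.out_intf) not in links:
            return "U", cur, table, egress
        egress = egress or (cur, route.out_intf)
        cur, intf = links[(cur, route.out_intf)]
        table = routers[cur].intf_vrf.get(intf, GLOBAL)
    return "U", cur, table, egress

def ping(routers, links, src, dst, vrf=GLOBAL):
    """'.....' = sender has no route, 'U.U.U' = a router on the path has none, '!!!!!' = reply came back."""
    verdict, far, far_table, egress = trace(routers, links, src, vrf, dst)
    if verdict != "!":
        return "....." if egress is None else "U.U.U"
    if egress is None:  # one of the sender's own addresses
        return "!!!!!"
    src_addr = routers[egress[0]].addrs[egress[1]].ip  # the reply is looked up in the far side's table
    return "!!!!!" if trace(routers, links, far, far_table, src_addr)[0] == "!" else "....."

def build_lab():
    """R1 with VRFs red and blue as in the article; R2 and R3 are the tenant routers."""
    r1, r2, r3 = Router(), Router(), Router()
    r1.ip_vrf("red")
    r1.ip_vrf("blue")
    for intf, vrf, cidr in [("Fa0/0.10", "red", "192.168.1.1/24"), ("Fa0/0.20", "blue", "192.168.1.1/24"),
                            ("Loopback10", "red", "10.10.10.10/24"), ("Loopback20", "blue", "20.20.20.20/24")]:
        r1.ip_vrf_forwarding(intf, vrf)
        r1.ip_address(intf, cidr)
    r2.ip_address("Fa0/0", "192.168.1.2/24")
    r3.ip_address("Fa0/0", "192.168.1.2/24")
    # The switch is not shown in the article: VLAN 10 joins R2 to Fa0/0.10, VLAN 20 joins R3 to Fa0/0.20.
    links = {("R2", "Fa0/0"): ("R1", "Fa0/0.10"), ("R1", "Fa0/0.10"): ("R2", "Fa0/0"),
             ("R3", "Fa0/0"): ("R1", "Fa0/0.20"), ("R1", "Fa0/0.20"): ("R3", "Fa0/0")}
    return {"R1": r1, "R2": r2, "R3": r3}, links

def overlap_in_global_table():
    """The article's first session: the same subnet on two global loopbacks is refused."""
    r = Router()
    r.ip_address("Loopback1", "192.168.1.1/24")
    try:
        r.ip_address("Loopback2", "192.168.1.1/24")
    except ValueError as err:
        return str(err)
    return "accepted"
```

With routers, links = build_lab(), ping(routers, links, "R1", "192.168.1.2", vrf="red") returns "!!!!!" while the same ping without the vrf argument returns "....." because R1's global table is empty, matching the article's empty show ip route. Adding routers["R2"].ip_route("10.10.10.10/32", "192.168.1.1") lets R2 reach Loopback10; the same static for 20.20.20.20 gives "U.U.U", because R1 looks the packet up in red, where Loopback20 does not exist. The model also checks the reply path: R1 answers from the VRF the echo arrived in, which is why the isolation holds in both directions and why neither tenant router can see the other's loopback.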

While solving our challenge, this article has demonstrated the simplest form of VRFs on a single router. VRFs are a foundational building block that has given network designers great flexibility when designing MPLS networks. In future articles, we will build on this example and demonstrate methods for jumping between VRFs and utilizing NAT in a multi-tenant environment.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Network, Technology.

55 Responses to VRFing 101, Understanding VRF Basics

  1. Roger Stewart says:

    This looks interesting.

  2. Bashir says:

    Great post for newbie..
    thanks

  3. Elvin Arias says:

    Thanks for the article.

    Elvin

  4. what is the purpose of loopback interfaces, and how does the author make this claim “R2 (should be able to reach 10.10.10.10, but not 20.20.20.20)” ?? pls help, i am a beginner.

    • Paul Stewart says:

      The loopback interfaces, in this example, are used as a demonstration. These could represent IP networks somewhere else on the network. The point is to give some points to test against. The reason that R2 can reach one network and not another is because of the isolation created by the vrf instances. This is not only a claim, but evidenced by the testing performed in the article. Thanks for the question.

  5. Kuleaze says:

    In the next coming weeks I have to set up a VRF instance in one of our new locations in Chicago, this has helped lay a good foundation for what is actually occurring; I’ll be reading your other blogs about VRF shortly. Thanks for the info!!

  6. Pingback: Cisco VRF/MP-BGP Router-on-a-Stick with NAT | The Network Hobo

  7. Santosh says:

    HI,

    I am confused, why the author talks about VLAN here.
    say “R2 and R3 must be in separate VLANs.” why this VLAN is needed here???

    • Sensie says:

      Hi
      the VLANs separate the traffic on layer 2 on the switch, otherwise the routers will be able to talk to each other on layer 2 and this example will not work correctly.
      VRF is very important and this is just the basic but it’s Excellent Description.

  8. Rahul says:

    very nice article……thanks….

  9. Gowtham Balachandhiran says:

    If I create a sub interface in Serial should I change the encapsulation type to PPP from HDLC? Because I was not able to ping the directly connected interface but I was able to see them in the routing table. I used the vrf name while entering ping; everything works except reachability. I even see remote entries in my vrf.

  10. Paul Stewart, CCIE 26009 (Security) says:

    I’m not sure I understand why your configuration isn’t working. The typical place to use serial sub interfaces is when frame relay is used. However, that is sort of an underlying technology that could impact the results but not change the concepts being demonstrated here.

  11. Gowtham Balachandhiran says:

    This is how my topology will appear: one vrf per sub interface, two customers are using the same CE with one subinterface per customer vrf. I see the customer’s network in my vrf routing table but for some unusual reason I am not able to ping them.

    • Paul Stewart, CCIE 26009 (Security) says:

      I would expect you should be able to send traffic to anything in the vrf you see in the routing table. Obviously, you need to tell the ping command to use the vrf. I wonder if the traffic is being blocked by an ACL (that is possibly not under your control)?

  12. vadanmehta says:

    HI paul.
    Thank you very much for this information.

    I have one basic question:

    Does One VRF points to one Public IP address !! and Multi VRF capability means One Public IP address shared by many VRF instances ??

    regds
    Vadan

  13. madim2013 says:

    Hello Paul,

    Fantastic post and I see your name also on the Cisco community.

    I was wondering if you could assist me establishing this. I have no real hardware to test this unfortunately.

    Hope the below is clear :)

    (I can not post a diagram so hope this is sufficient :)

    Host A ———>| |
    |A LAYER 2
    ACCESS SW |trunk passing VLAN A + VLAN B to DIST SWITCH
    Host B———->| |

    the DIST SWitch will have a VRF for VLAN A only

    Host A should not ping Host B

    Host A should ping the default gateway, a layer 3 SVI placed in a VRF of the layer 3 switch

    Host A has a dedicated VLAN A in the access switch and layer 3 dist switch VLAN database

    Host B should not ping Host A

    Host B should ping the default gateway, a layer 3 SVI not in any VRF of the layer 3 switch

    Host B has a dedicated VLAN B in the access switch and layer 3 dist switch VLAN database

    Basically, Host B is part of the corporate network and requires access to far more networks than Host A needs to. (Think of host A being a 3rd Party or Guest LAN)

    I was wondering if the trunk between the layer 2 access switch and the dist pops off the VLAN tag of VLAN A (the VRF one) and places it into VRF-A
    which is part of the SVI for VLAN A?

    Many thanks in advance
    Best Wishes
    Markus

  14. madim2013 says:

    Sorry the above (attempted) diagram did not come out that well,

    Basically, host A and host B are attached to the same layer 2 access switch

    each access port is configured with the basic switch port mode / access vlan etc…

    many thanks again
    Best wishes
    markus

    • The vrf would be a layer 3 concept. Each layer 3 SVI can exist in a vrf or globally. Each SVI would also be associated with a VLAN. The vlans would be handled normally as per the trunk configuration (native untagged and all other tagged). So your scenario, properly configured, can give isolation between host A and host B even though they are connected to the access switch.

  15. Nyan Lin Soe says:

    Great Post .Thanks a lot.

  16. This is a great, very simple explanation. Thanks!

  17. Shane Taylor says:

    Great basic 101 explanation Paul. I tripped myself up when pinging the loopbacks. I forgot that R2/R3 do not know about the 10 or 20 subnets so I either had to just add a static route on both or run a routing protocol.

  18. Sushim G. says:

    Hey Paul,
    Very helpful, nice and precise post
    It made basic understand very clear.
    Unless basic is clear moving further is trouble.
    You made it very well, thanks again.

    Best Regards
    Sushim

  19. J. David FIG says:

    Excellent intro to VRF’s and more important…why we use them!!

  20. Pingback: VRF – Virtual Routing and Forwarding |

  21. Sushanta Mishra says:

    This is indeed an excellent post to understand VRF. I have a doubt, why MPLS is supported in the local vrf only?

  22. khan says:

    Great explanation

  23. Bernard says:

    Hi Paul,
    Great explanation :)
    I have a small question, at the end you are pinging from R3 –>R1’s loopback 20.
    how the ping is working? ( is there any static route on R3 for 20.20.20.20 via next-hop 192.168.1.1 ?)

    Or because they are in the same VRF instance they see each others ?

    Regards,

    • That is a good observation–there would be a need for a route on R3 to reach the Loopback on R1. This could be static or dynamic. A static route would look like–

      ip route x.x.x.x y.y.y.y vrf

      Sorry for the confusion.

      • Moy says:

        A follow-up question on Bernard’s. So before defining the loopbacks and static/dynamic routes in the vrf to announce subnets 10 and 20, could R2 and R3 still ping R1 on 192.168.1.1 or do we need to do the same (ie, announce 192.168.1.1 to both R2 and R3)?

        Thanks, Paul!

      • Each Router would be able to ping “directly connected” IP addresses in their corresponding vrf.

      • Shuvo says:

        Which router needs to be configured with this static route?

      • Shuvo says:

        After configuring the static route in R2 and R3, I can ping the lo10 & lo20 IP addresses from R2 and R3 respectively
        =====================================================
        R2(config)#ip route 10.10.10.10 255.255.255.255 192.168.1.1

        R2(config)#do ping 10.10.10.10
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

        =======================================================
        R3(config)#ip route 20.20.20.20 255.255.255.255 192.168.1.1
        R3(config)#do ping 20.20.20.20
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

  24. Devnarayan says:

    Hi Paul,

    please help, I have 2 nos of Cisco 3560X switch with 2 different ISP connected on it. Suggest how to configure vrf here to make the auto failover between 2 ISP. The mentioned switches are connected below to Check-point. Both the switches are upgraded with IP service license as well the switches are updated with IOS “c3560e-universalk9-mz.150-2.SE8.bin”

    • Devnarayan says:

      Hi Paul, if possible can you please help me in this case…

      • I’m not sure if your scenario requires vrf. VRFs will create two areas of isolation. It seems to me that there needs to be some planning around IP addressing (do you have your own address space and ASN), NAT (where does that terminate), Checkpoint capabilities (are they A/S or clustered, do they communicate state, can IGPs and/or BGP terminate on the FW or go through it), what is positioned upstream and what had the memory to take BGP table if required? There is a lot in this question, but VRF wouldn’t typically be a requirement.

  25. Kevynjr says:

    More stuff vrf please

    • My current challenge is lack of time. I really wish I had time to post weekly or more. I’d like to do some more stuff on FirePOWER, AMP, ISE and VRF’s (and how they work with Nexus VDC’s and ASA contexts). As I find time, I’ll try to post some more of what you are requesting.

  26. Deepak MK says:

    Hi Paul, let’s say we have a firewall outside interface connected to f0/0 through a switch which is also using the same subnet (here 192.168.1.0/24). How can we route the subnet from internal to external on the firewall? Because both are using 192.168.1.0 in this scenario! Is there any other way we could route it?

  27. Moy says:

    Great post, Paul!

    Basic question, after you set up VRFs on R1, when R2 pings R1, how does R1 know it needs to forward the packet it received to red VRF? Do we need also to configure R2 to encapsulate its traffic with “dot1Q 10” somehow?

    • Good question. The encapsulation is done in the switch. That configuration is not shown. You could do dot1q trunking on each remote router. It isn’t necessary since R2 and R3 are connected to appropriately configured access ports and R1 connects to a trunk. The traffic arriving with a given dot1q tag will land on a sub interface (and thus in a VRF). The traffic is assigned to and isolated in that VRF.

  28. Victor says:

    Hello Paul

    I got a quick question, I have a set up that my professor assigned my group for a big project. There are two DCs in the data center, one for Amsterdam and one for the Hague. They each have to be connected to the distribution of each corresponding site. But the problem is that our professor only gave us one port that will give us access to the data center where the DCs are. So my question is, should I assign two IP adds to the port that goes to the data center so each DC so they can have a default gateway but I’m not sure if I should used VRFs to separate each other networks after or if I should use ACLS to do the job. Any tips will be much appreciated.

    Thanks
    Victor

    • It really depends on the scenario whether ACLs or VRFs would be most appropriate. I would say if you can easily solve it with ACLs, that’d be the appropriate choice. If you need total separation at that point, use VRFs. If you need multiple VRFs on a single physical port, maybe you could leverage subinterfaces (802.1q tags on Ethernet or frame relay sub interfaces if the interface is serial). Just some thoughts.

      • Aniket Singh says:

        hello Paul,

        I have a big problem related to switch concept, please try to resolve …

        I have the scenario mentioned below:

        In this figure, there is one L3 switch (6513) which is connected to an L2 switch (SW3). On the L3 switch I configured two SVIs (interface vlan 350 and interface vlan 450); the IPs configured on both SVIs are from the same IP pool with VRF. For example:

        Configuration on L3 switch :

        interface Vlan350
        vrf forwarding test1
        ip address 1.1.1.1 255.255.255.252

        interface Vlan450
        vrf forwarding test2
        ip address 1.1.1.2 255.255.255.252

        interface fastethernet1/2
        switchport
        switchport mode access
        switchport access vlan 350

        interface fastethernet1/2
        switchport
        switchport mode access
        switchport access vlan 450

        L3 switch is connected with L2 switch in transparent mode with interface f1/1 and f1/2.

        I require both SVIs to be reachable on the same L3 switch. Please help.

        ———f1/1
        L2(Switch) L3Switch(6513)
        ———f1/2

      • I think you have listed fa1/2 twice. So do you have a trunk between the switches?

        I’m not sure I fully understand the goal. Each of these are in their own isolation domain. That is the purpose of the vrf.

      • Aniket Singh says:

        Hello Paul,
        Thanks for your reply…
        Yes, by mistake fa1/2 was mentioned twice; there are two separate interfaces fa1/1 and fa1/2 and both of these interfaces are connected with the L2 switch.
        Both fa1/1 and fa1/2 are access ports that are connected with the L2 switch.

        fa1/1 access port with vlan 350
        fa1/2 access port with vlan 450

        Here L2 switch is acting as a transparent mode and connected with L3 switch( 6513 ) .

        I have configured two SVIs on vlan 350 and vlan 450 on the same L3 switch with different VRFs and used the same IP pool on both SVIs. I want both SVI IPs to be reachable to each other.

        L3- Switch ( 6513 ) fa1/1( access port ) ——– L2 switch
        fa1/2 ( access port ) ——–. L2 switch

        please help

      • Aniket Singh says:

        No, there is no trunk between the switches; there are two access ports (fa1/1 and fa1/2 with vlan 350 and 450 respectively) connected between the switches.
        I configured two VRFs on the same L3 switch to isolate the L3 switch into two separate domains with the help of two SVIs and VRF.

  29. JW says:

    Paul, If I have a customer that uses VRF-lite and they want to use NSX how does this combine with the distributed router and edge routers in NSX?

    • I don’t know NSX well enough to comment. From a network perspective each VRF is a layer 3 island. That could be mapped to L3 vlans. How NSX presents itself and how you get into and out of the fabric is the key that I’m missing in my knowledge.

  30. nevis says:

    I tried this lab on GNS3. The loopback scenario doesn’t seem to work. I configured it exactly the same, then pinged from R2 to 10.10.10.10 and R3 to 20.20.20.20 but found request timed out.

  31. nevis says:

    Worked after adding ip route in R2 & R3. Thanks

  32. Pingback: Segmenting Layer 3 Networks with VRFs - PacketU

  33. Pingback: Cisco router VRF configuration – Dat Knowledge

Comments are closed.