VRF Series Article 1 – Basic L3 Segmentation with VRFs

Network engineers are well aware of the Layer 2 isolation properties of VLANs. Their use is so pervasive that they are second nature to most. This article is the first in a series that outlines specifically how VRFs can be used to provide the same type of end to end isolation for Layer 3 that VLANs provide for Layer 2.

In this example, we will work with a subset of the overall topology that I previously shared. Specifically, we are going to configure a router that I’ll call BrWan, a Layer 2 switch, and 3 routers that I’m using to emulate connected hosts (data-x/pci-x).

[Figure: VRF_Branch topology]

BrWan will contain the technology configuration that is the primary focus of the article. The other components are configured somewhat generically and using technologies that most are very familiar with.

At the end of this exercise, the requirement is that anything related to “data” can only reach other parts of the “data” network. Similar requirements exist for “pci”. There will be no ACLs used to prevent communication between pci and data, but the isolation requirement is strict. These concepts will be carried forward throughout the series. Later examples will provide a mechanism for some traffic between these zones and to access shared areas of the network.

In this example, data-1 and data-2 are on separate subnets and routed via BrWan. The same is true for pci-1 and pci-2. This example will also use dhcp to provide the IP addresses (as if these were hosts). To accomplish the isolation between pci and data networks, the concept of VRFs (virtual routing and forwarding) instances will be used.

Let’s first take a look at the configuration, then we will validate the function.

Note: I am working from some VIRL defaults, so I will be including the removal of unnecessary items. Also, I will be shutting down Gigabit 2 since the rest of the topology is out of scope for this article.

BrWan – Branch Router

//shutdown the network to the
//rest of the topology

interface GigabitEthernet2
 description to Main
 no ip address
 no ip ospf cost 1
 shut 

//remove the default ospf/bgp from VIRL config

no router ospf 1
no router bgp 1

//create the vrfs for data and pci

vrf definition data
 !
 address-family ipv4
 exit-address-family
 
vrf definition pci
 !
 address-family ipv4
 exit-address-family

//create the appropriate L3 subinterfaces to serve hosts (pci/data 1/2)


interface GigabitEthernet3
 description to iosvl2-1
 no ip address 
 no ip ospf cost 1
 negotiation auto
 
interface GigabitEthernet3.101
 description to iosvl2-1 data
 encapsulation dot1q 101
 vrf forwarding data
 ip address 10.100.129.1 255.255.255.0
 
interface GigabitEthernet3.102
 description to iosvl2-1 data
 encapsulation dot1q 102
 vrf forwarding data
 ip address 10.100.130.1 255.255.255.0

interface GigabitEthernet3.201
 description to iosvl2-1 pci
 encapsulation dot1q 201
 vrf forwarding pci
 ip address 10.200.129.1 255.255.255.0

interface GigabitEthernet3.202
 description to iosvl2-1 pci
 encapsulation dot1q 202
 vrf forwarding pci
 ip address 10.200.130.1 255.255.255.0
 
//configure the router as a VRF aware dhcp server for hosts

ip dhcp excluded-address vrf data 10.100.129.1 10.100.129.10
ip dhcp pool data-1
 vrf data
 network 10.100.129.0 255.255.255.0
 default-router 10.100.129.1

ip dhcp excluded-address vrf data 10.100.130.1 10.100.130.10
ip dhcp pool data-2
 vrf data
 network 10.100.130.0 255.255.255.0
 default-router 10.100.130.1

ip dhcp excluded-address vrf pci 10.200.129.1 10.200.129.10
ip dhcp pool pci-1
 vrf pci
 network 10.200.129.0 255.255.255.0
 default-router 10.200.129.1

ip dhcp excluded-address vrf pci 10.200.130.1 10.200.130.10
ip dhcp pool pci-2
 vrf pci
 network 10.200.130.0 255.255.255.0
 default-router 10.200.130.1

iosvl2-1 – Layer 2 Switch

//create the VLANs that will be mapped to VRFs

vlan 101
 name data-1
vlan 102
 name data-2
vlan 201
 name pci-1
vlan 202
 name pci-2

//configure the trunk port and access ports
 
interface Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk 
interface Gi0/2
 description to data-1
 switchport mode access
 switchport access vlan 101 
 spanning-tree portfast
interface Gi0/3
 description to pci-1
 switchport mode access
 switchport access vlan 201
 spanning-tree portfast
interface Gi1/0
 description to data-2
 switchport mode access
 switchport access vlan 102
 spanning-tree portfast
interface Gi1/1
 description to pci-2
 switchport mode access
 switchport access vlan 202
 spanning-tree portfast

Hosts (same for all: data-1, data-2, pci-1, pci-2)

//remove unnecessary default BGP/OSPF

no router bgp 1
no router ospf 1

//configure the device for dhcp

int gig 0/1
 no ip ospf cost
 ip address dhcp

At this point, there SHOULD be a good configuration that meets the requirements. However, we will go through the process of validation to make sure that everything functions as expected. For the purpose of testing, my topology has the following IP addressing.

Current IP Addresses

  • BrWan
    • Gig3.101 – 10.100.129.1 (data)
    • Gig3.102 – 10.100.130.1 (data)
    • Gig3.201 – 10.200.129.1 (pci)
    • Gig3.202 – 10.200.130.1 (pci)
  • data-1 – 10.100.129.11 (dhcp–may vary)
  • data-2 – 10.100.130.11 (dhcp–may vary)
  • pci-1 – 10.200.129.11 (dhcp–may vary)
  • pci-2 – 10.200.130.11 (dhcp–may vary)

Validation from data-1 (host)

//should be able to ping other IP addresses in "data" vrf
data-1#ping 10.100.129.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.129.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/10 ms
data-1#ping 10.100.130.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.130.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/22/28 ms
data-1#ping 10.100.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.130.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/15/31 ms

//should not be able to ping any IP addresses in "pci" vrf
data-1#ping 10.200.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.129.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
data-1#ping 10.200.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.130.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
data-1#
data-1#ping 10.200.130.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.130.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
data-1#ping 10.200.129.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.129.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Validation from pci-1 (host)

//should be able to ping other IP addresses in "pci" vrf

pci-1#ping 10.200.130.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.130.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/14 ms
pci-1#ping 10.200.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.129.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
pci-1#ping 10.200.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.130.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/12/15 ms

//should not be able to ping any IP addresses in "data" vrf

pci-1#ping 10.100.129.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.129.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pci-1#ping 10.100.130.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.130.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pci-1#ping 10.100.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.129.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pci-1#ping 10.100.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.130.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Notice that in the case of these tests the normal ping command was used. This is because these host devices are vrf unaware. Testing from BrWan is completely different. Since there are separate vrf instances, using the normal commands assumes the “global” vrf. This is something that network administrators have to get accustomed to in a multi-vrf environment.

//notice that 10.100.129.11 doesn't exist in the "global" vrf

BrWan#ping 10.100.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.129.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

//however it can be reached by identifying the data vrf in the ping command

BrWan#ping vrf data 10.100.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.129.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms

//the same is true for 10.200.129.11 and the pci vrf

BrWan#ping vrf pci 10.200.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.129.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/16/27 ms

//it is even necessary to identify the vrf in most IP related show commands
BrWan#show ip route vrf pci

//--snip--
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.200.129.0/24 is directly connected, GigabitEthernet3.201
L        10.200.129.1/32 is directly connected, GigabitEthernet3.201
C        10.200.130.0/24 is directly connected, GigabitEthernet3.202
L        10.200.130.1/32 is directly connected, GigabitEthernet3.202

BrWan#show ip route vrf data

//--snip--

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.100.129.0/24 is directly connected, GigabitEthernet3.101
L        10.100.129.1/32 is directly connected, GigabitEthernet3.101
C        10.100.130.0/24 is directly connected, GigabitEthernet3.102
L        10.100.130.1/32 is directly connected, GigabitEthernet3.102
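To make the per-VRF lookup concrete, here is an added Python example (my own, not code from the article or PacketU) that parses the article's BrWan subinterface stanzas into one connected-route table per VRF and repeats the lookups the pings above exercised. The subinterface GigabitEthernet3.103 and its subnet 10.100.131.0/24 are a constructed mistake, not part of the article's topology: its vrf forwarding line was "forgotten", so it lands in the global table, which the audit function flags.

```python
import ipaddress

# Constructed excerpt of BrWan's interface stanzas from the article, plus one
# deliberately mis-configured subinterface (Gi3.103, not in the article) whose
# 'vrf forwarding' line was forgotten.
BRWAN_CONFIG = """\
interface GigabitEthernet3.101
 vrf forwarding data
 ip address 10.100.129.1 255.255.255.0
interface GigabitEthernet3.102
 vrf forwarding data
 ip address 10.100.130.1 255.255.255.0
interface GigabitEthernet3.201
 vrf forwarding pci
 ip address 10.200.129.1 255.255.255.0
interface GigabitEthernet3.202
 vrf forwarding pci
 ip address 10.200.130.1 255.255.255.0
interface GigabitEthernet3.103
 ip address 10.100.131.1 255.255.255.0
"""

def build_vrf_tables(config):
    """One connected-route table per VRF, keyed by VRF name. An interface
    with no 'vrf forwarding' line lands in 'global', as it does on IOS."""
    tables = {"global": {}}
    iface = vrf = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface, vrf = line.split()[1], "global"
        elif line.startswith(" vrf forwarding "):
            vrf = line.split()[2]
        elif line.startswith(" ip address ") and iface:
            _, _, addr, mask = line.split()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            tables.setdefault(vrf, {})[net] = iface
    return tables

def lookup(tables, vrf, dst):
    """Longest-prefix match within one VRF only. None is 'no route', which
    is why the cross-VRF pings above came back 'U.U.U' or '.....'."""
    dst = ipaddress.ip_address(dst)
    hits = [n for n in tables.get(vrf, {}) if dst in n]
    return tables[vrf][max(hits, key=lambda n: n.prefixlen)] if hits else None

def interfaces_in_global(tables):
    """Audit: addressed interfaces that fell into the global table. In this
    design every host-facing subinterface must be in data or pci."""
    return sorted(tables["global"].values())
```

Running `interfaces_in_global` against a real `show running-config` export is a cheap pre-change check that no host-facing subinterface has silently dropped out of its VRF.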

The final configuration and VIRL file can be found at the following URL.

It is worth noting that the VIRL file contains the complete default topology with completed configuration that is shown in this article.

Conclusion

VRFs provide a method of Layer 3 isolation that is somewhat analogous to Layer 2 VLANs. This article demonstrates the configuration and validation required to perform simple network layer isolation. In an upcoming article, we will build upon this configuration by connecting to upstream layer 3 devices while maintaining the isolation requirements.


Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
