VRF Series Article 2 – Extending L3 Segmentation with VRF-lite

In the last article, we took an initial look at L3 segmentation with VRFs. There, we created a basic first-hop configuration with isolated pci and data segments. In reality, most networks are far larger and more complex. This article continues down that same path by building proper Layer 3 links and IGP adjacencies with a headquarters (Main) location. The starting point, from a configuration standpoint, is where we left off in Article 1 of this series.

Specifically, in this article we will configure subinterfaces to connect BrWan to Main, one per VRF. We will also create a loopback on Main in each VRF to act as a test point that should be reachable from each host in that VRF. From a routing protocol perspective, we will use EIGRP in Named Mode. Named Mode is required because its address-family command is what lets each EIGRP instance be bound to a VRF.

Note: I am working from some VIRL defaults, so I will be including the removal of unnecessary items. Also, I will be shutting down Gigabit 2 since the rest of the topology is out of scope for this article.

Main – HQ Router

//removing unnecessary routing protocols
no router ospf 1
no router bgp 1

//define the VRFs
vrf definition data
 !
 address-family ipv4
 exit-address-family
 
vrf definition pci
 !
 address-family ipv4
 exit-address-family

//default the physical interface and configure subinterfaces
interface GigabitEthernet2
 description to BrWan
 no ip address
 no ip ospf cost 1
 negotiation auto
 
interface GigabitEthernet2.100
 encapsulation dot1q 100
 vrf forwarding data
 description to BrWan data
 ip address 10.100.128.1 255.255.255.252

interface GigabitEthernet2.200
 encapsulation dot1q 200
 vrf forwarding pci
 description to BrWan pci
 ip address 10.200.128.1 255.255.255.252

//configure the loopback interfaces for test
interface Loopback100
 vrf forwarding data
 description data loopback
 ip address 10.100.100.1 255.255.255.0
interface Loopback200
 vrf forwarding pci
 description pci loopback
 ip address 10.200.100.1 255.255.255.0

//configure EIGRP instance for each VRF
router eigrp NAMEDMODE
 !
 address-family ipv4 unicast autonomous-system 1
  !
  topology base
  exit-af-topology
 exit-address-family
 !
 //instance for data
 address-family ipv4 unicast vrf data autonomous-system 1
  !
  topology base
  exit-af-topology
  network 10.100.128.0 0.0.0.255
  network 10.100.100.0 0.0.0.255
 exit-address-family
 !
 //instance for pci
 address-family ipv4 unicast vrf pci autonomous-system 1
  !
  topology base
  exit-af-topology
  network 10.200.128.0 0.0.0.255
  network 10.200.100.0 0.0.0.255
 exit-address-family

BrWan – Branch Router

//interfaces toward Main on BrWan
interface GigabitEthernet2
 description to Main
 no ip address
 no ip ospf cost 1
 negotiation auto
 no shut

interface GigabitEthernet2.100
 encapsulation dot1q 100
 vrf forwarding data
 description to Main data
 ip address 10.100.128.2 255.255.255.252

interface GigabitEthernet2.200
 encapsulation dot1q 200
 vrf forwarding pci
 description to Main pci
 ip address 10.200.128.2 255.255.255.252

//configure EIGRP instance for each VRF
router eigrp NAMEDMODE
 !
 address-family ipv4 unicast autonomous-system 1
  !
  topology base
  exit-af-topology
 exit-address-family
 !
 //instance for data
 address-family ipv4 unicast vrf data autonomous-system 1
  !
  topology base
  exit-af-topology
  network 10.100.128.0 0.0.0.255
  network 10.100.129.0 0.0.0.255
  network 10.100.130.0 0.0.0.255
  eigrp stub connected summary
 exit-address-family
 !
 //instance for pci
 address-family ipv4 unicast vrf pci autonomous-system 1
  !
  topology base
  exit-af-topology
  network 10.200.128.0 0.0.0.255
  network 10.200.129.0 0.0.0.255
  network 10.200.130.0 0.0.0.255
  eigrp stub connected summary
 exit-address-family

At this point, our topology should meet the objectives. Let’s review what those are and do a bit of post configuration validation.

Objectives

  • Data hosts should be able to reach everything in the data VRF, including the data loopback on Main
  • PCI hosts should be able to reach everything in the pci VRF, including the pci loopback on Main
  • Nothing in the pci VRF should be able to reach anything in the data VRF. The reverse should also be true

IP Addresses

  • Main
    • Gig2.100 – 10.100.128.1 (data)
    • Gig2.200 – 10.200.128.1 (pci)
    • Loopback 100 – 10.100.100.1 (data)
    • Loopback 200 – 10.200.100.1 (pci)
  • BrWan
    • Gig2.100 – 10.100.128.2 (data)
    • Gig2.200 – 10.200.128.2 (pci)
    • Gig3.101 – 10.100.129.1 (data)
    • Gig3.102 – 10.100.130.1 (data)
    • Gig3.201 – 10.200.129.1 (pci)
    • Gig3.202 – 10.200.130.1 (pci)
  • data-1 – 10.100.129.11 (dhcp–may vary)
  • data-2 – 10.100.130.11 (dhcp–may vary)
  • pci-1 – 10.200.129.11 (dhcp–may vary)
  • pci-2 – 10.200.130.11 (dhcp–may vary)

Validation testing from data-1

//testing to other data IP addresses
data-1#ping 10.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/8/19 ms
data-1#ping 10.100.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.130.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/17/24 ms

//testing to pci IP addresses
data-1#ping 10.200.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.100.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
data-1#ping 10.200.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.130.11, timeout is 2 seconds:
U.U.U

Validation testing from pci-1

//testing to other pci IP addresses
pci-1#ping 10.200.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/10 ms
pci-1#ping 10.200.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.130.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/26 ms

//testing to data IP addresses
pci-1#ping 10.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pci-1#ping 10.100.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.130.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
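As an added example (not part of the original article), the following Python script turns ping transcripts like the ones above into an automated isolation check. It parses the IOS ping output, derives the expected result from the VRF each address belongs to (the script assumes data owns 10.100.0.0/16 and pci owns 10.200.0.0/16, and that hosts are named as in this article), and flags three conditions: a ping that succeeded across VRFs (a leak), one that failed inside a VRF (a broken path), and one whose result line was never captured, as with the last data-1 ping above.

```python
import ipaddress
import re

# Constructed sample: the ping transcripts from data-1 and pci-1 in this article.
# The third data-1 ping deliberately has no "Success rate" line, as in the article.
PING_LOG = """\
data-1#ping 10.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/8/19 ms
data-1#ping 10.200.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.100.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
data-1#ping 10.200.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.130.11, timeout is 2 seconds:
U.U.U
pci-1#ping 10.200.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/10 ms
pci-1#ping 10.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
"""

# Policy (assumption): each VRF owns one /16, and each test host sits in one VRF.
VRF_PREFIXES = {
    "data": ipaddress.ip_network("10.100.0.0/16"),
    "pci": ipaddress.ip_network("10.200.0.0/16"),
}
HOST_VRF = {"data-1": "data", "data-2": "data", "pci-1": "pci", "pci-2": "pci"}

PING_RE = re.compile(r"^(?P<host>[\w-]+)#ping\s+(?P<dst>\d+(\.\d+){3})\s*$")
RATE_RE = re.compile(r"^Success rate is (?P<pct>\d+) percent \((?P<ok>\d+)/(?P<sent>\d+)\)")


def vrf_of(ip):
    """Return the VRF whose allocation contains ip, or None if unallocated."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VRF_PREFIXES.items() if addr in net), None)


def parse_pings(text):
    """Return a list of (host, dst, success_pct); pct is None when no result line followed."""
    results, current = [], None
    for line in text.splitlines():
        m = PING_RE.match(line)
        if m:
            if current:                      # previous ping never reported a result
                results.append((*current, None))
            current = (m["host"], m["dst"])
            continue
        m = RATE_RE.match(line)
        if m and current:
            results.append((*current, int(m["pct"])))
            current = None
    if current:                              # transcript ended mid-ping
        results.append((*current, None))
    return results


def audit(results):
    """Compare each observed ping with the isolation policy and return findings."""
    findings = []
    for host, dst, pct in results:
        src_vrf, dst_vrf = HOST_VRF[host], vrf_of(dst)
        should_reach = src_vrf is not None and src_vrf == dst_vrf
        if pct is None:
            findings.append(("INCOMPLETE", host, dst, "no result line captured"))
        elif pct > 0 and not should_reach:
            findings.append(("LEAK", host, dst, f"{src_vrf} reached {dst_vrf}"))
        elif pct == 0 and should_reach:
            findings.append(("BROKEN", host, dst, f"{src_vrf} unreachable"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pings(PING_LOG)):
        print(*finding)
```

Run against the transcript above it reports only the incomplete data-1 ping; a cross-VRF ping that came back with a non-zero success rate would surface as a LEAK, which is the finding a segmentation review is really looking for.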

As can be seen in the testing, the basic requirements have been met. Having seen the end result, let's take a moment to look at some of the show commands that help in understanding this type of configuration.

Main – show commands

//show vrf to see current vrf to interface mappings
Main#show vrf
  Name                             Default RD            Protocols   Interfaces
  Mgmt-intf                                     ipv4,ipv6   Gi1
  data                                          ipv4        Gi2.100
                                                                     Lo100
  pci                                           ipv4        Gi2.200
                                                                     Lo200
//show ip route vrf <name>
//piping through "begin Gateway" drops the route code legend at the top of the output

//data
Main#show ip route vrf data | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.100.100.0/24 is directly connected, Loopback100
L        10.100.100.1/32 is directly connected, Loopback100
C        10.100.128.0/30 is directly connected, GigabitEthernet2.100
L        10.100.128.1/32 is directly connected, GigabitEthernet2.100
D        10.100.129.0/24
           [90/15360] via 10.100.128.2, 00:18:58, GigabitEthernet2.100
D        10.100.130.0/24
           [90/15360] via 10.100.128.2, 00:18:58, GigabitEthernet2.100

//pci

Main#show ip route vrf pci | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.200.100.0/24 is directly connected, Loopback200
L        10.200.100.1/32 is directly connected, Loopback200
C        10.200.128.0/30 is directly connected, GigabitEthernet2.200
L        10.200.128.1/32 is directly connected, GigabitEthernet2.200
D        10.200.129.0/24
           [90/15360] via 10.200.128.2, 00:20:47, GigabitEthernet2.200
D        10.200.130.0/24
           [90/15360] via 10.200.128.2, 00:20:47, GigabitEthernet2.200

//show ip eigrp vrf <name> interfaces
//data
Main#show ip eigrp vrf data interfaces
EIGRP-IPv4 VR(NAMEDMODE) Address-Family Interfaces for AS(1)
           VRF(data)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi2.100                  1        0/0       0/0           1       0/0           50           0
Lo100                    0        0/0       0/0           0       0/0            0           0

//pci
Main#show ip eigrp vrf pci interfaces
EIGRP-IPv4 VR(NAMEDMODE) Address-Family Interfaces for AS(1)
           VRF(pci)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi2.200                  1        0/0       0/0           5       0/0           50           0
Lo200                    0        0/0       0/0           0       0/0            0           0

//similar commands for EIGRP topology
Main#show ip eigrp vrf data topology
EIGRP-IPv4 VR(NAMEDMODE) Topology Table for AS(1)/ID(10.100.100.1)
           Topology(base) TID(0) VRF(data)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.100.129.0/24, 1 successors, FD is 1966080
        via 10.100.128.2 (1966080/1310720), GigabitEthernet2.100
P 10.100.130.0/24, 1 successors, FD is 1966080
        via 10.100.128.2 (1966080/1310720), GigabitEthernet2.100
P 10.100.128.0/30, 1 successors, FD is 1310720
        via Connected, GigabitEthernet2.100
P 10.100.100.0/24, 1 successors, FD is 163840
        via Connected, Loopback100

As previously seen, testing from a router that carries VRFs must use the VRF-aware forms of ping and traceroute so that the traffic is sourced from inside the intended VRF; without the vrf keyword, the router uses the global routing table instead.

//vrf aware ping
Main#ping vrf data 10.100.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.130.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/12 ms

//vrf aware traceroute
Main#traceroute vrf data 10.100.130.11
Type escape sequence to abort.
Tracing the route to 10.100.130.11
VRF info: (vrf in name/id, vrf out name/id)
  1 10.100.128.2 4 msec 1 msec 0 msec
  2 10.100.130.11 8 msec *  11 msec

//and to demonstrate the segmentation
Main#ping vrf pci 10.100.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.130.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Main#traceroute vrf pci 10.100.130.11
Type escape sequence to abort.
Tracing the route to 10.100.130.11
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
...

The configuration and VIRL files can be found at the URL below. Note that the VIRL topology is all-inclusive, but we have yet to cover and configure the DMVPN part of it.

Conclusion

This article demonstrated a simple extension of VRFs using subinterfaces and a Named Mode IGP. Many in the industry call this VRF-lite. Basically, this is VRFs without MPLS, and it is a simple method for running multiple isolated Layer 3 networks over the same physical topology. In an upcoming article, we will build a shared services VRF on Main and demonstrate the ability to leak routes in and out of the shared VRF. This provides an attachment point for devices that need to be reachable from both pci and data.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

2 Responses to VRF Series Article 2 – Extending L3 Segmentation with VRF-lite

  1. Pingback: Segmenting Layer 3 Networks with VRFs - PacketU

  2. Patrick Hines says:

    Paul,
    I have been told that VRF is what I need, but none of the scenarios you have listed come close to what I need. I am hoping you can help.
    I have 2 2901 routers with 2 EHWICs each and single-mode fiber connections to our ISP. One link is to the Inet using BGP, the other a P2P link to our other location, where there is an identical router and another Inet link.
    I have a firewall connected to Gi0/1, and Gi0/0 is connected to the main internal network.
    I want to isolate the two pairs of ports. Currently I am using Zone-Based with no policies. I don't need to filter traffic, just be isolated and route traffic between the interfaces. I would like to have a separate routing table for each Zone so that I can have 2 default routes: one pointed to the internal interface of the firewall for LAN routing, and one pointed to the ISP peer interface for outbound WAN routing. The networks are different on either side of the P2P, and the Inet links are different networks as well.
