VRF Series Article 3 – Creating a Shared Services VRF

For those following the VRF Series, we currently have a topology built that consists of a segmented Layer 3 first-hop network, with that isolation carried across the WAN from the BrWan router to Main. This article covers shared services, the next step in our journey to understanding VRFs for Segmented Layer 3 Networks.

The configuration focus is solely on the router Main. The shared services VRF that will be created could serve as a place to connect something that all other VRFs must have access to. Organizations should evaluate their requirements closely before deploying this configuration.

An organization that requires stateful inspection between two areas may choose to connect two or more VRFs together using an L4 or Next Generation Firewall (we will cover this in Article 5). The security ramification of having a shared services VRF, as described in this article, is that devices connected in this area are reachable from every VRF and could therefore be used as a proxy into other areas. Careful planning and proper device-level security are important prior to deploying this type of architecture.

The technologies covered here include:

  • IGP w/ Route Redistribution (EIGRP)
  • BGP w/ Route Redistribution
  • VRFs with Route Target/Route Distinguisher values


The logic of what will be configured is straightforward. First we need to create a third VRF and a loopback interface for testing. For this exercise the name shared will be used for the VRF. Route Distinguishers and Route Targets (imports/exports) will be added to the new and existing VRFs. BGP will be enabled (no peers required) to function as a clearing house for routes. Specific routes associated with each of the data and pci VRFs will be redistributed from EIGRP into BGP. The locally connected route from the shared VRF will be redistributed from BGP into the EIGRP instances for data and pci.

Main Configuration

//create the new VRF and add the RD/RT values to all VRFs -- Main only
//note the exports and imports that define what CAN be leaked across VRFs
vrf definition shared
 !
 rd 65000:199
 route-target export 65000:199
 route-target import 65000:100
 route-target import 65000:200
 address-family ipv4
 exit-address-family

vrf definition data
 !
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:199

vrf definition pci
 !
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:199

//create an interface in shared
interface Loopback199
 vrf forwarding shared
 description shared loopback
 ip address 10.199.199.1 255.255.255.0

//create access lists -- used by route maps to identify routes that will be leaked
ip access-list standard data-routes
 permit 10.100.0.0 0.0.255.255

ip access-list standard pci-routes
 permit 10.200.0.0 0.0.255.255

ip access-list standard shared-routes
 permit 10.199.0.0 0.0.255.255

//create route maps -- applied to redistribution commands to identify routes for leaking
route-map data-rm permit 10
 match ip address data-routes
route-map pci-rm permit 10
 match ip address pci-routes
route-map shared-rm permit 10
 match ip address shared-routes

//create a BGP process and redistribute from EIGRP/Connected
router bgp 65000
no synch

//redistribute 10.100.0.0/16 from data
address-family ipv4 vrf data
 redistribute eigrp 1 route-map data-rm
 no synch

//redistribute 10.200.0.0/16 from pci
address-family ipv4 vrf pci
 redistribute eigrp 1 route-map pci-rm
 no synch

//bring the 10.199.X.X connected route into bgp
address-family ipv4 vrf shared
 redistribute connected route-map shared-rm
 no synch

//redistribute the BGP route in VRF shared back to the other VRFs
router eigrp NAMEDMODE
 !

 //10.199.x.x to data VRF
 address-family ipv4 unicast vrf data autonomous-system 1
  !
  topology base
   redistribute bgp 65000 metric 100000 1 255 1 1500
 
 //10.199.x.x to pci VRF
 address-family ipv4 unicast vrf pci autonomous-system 1
  !
  topology base
   redistribute bgp 65000 metric 100000 1 255 1 1500

At this point, we SHOULD have a working configuration. The testing requirement is that 10.199.199.1 is reachable from both data and pci. Likewise, pci and data should both be reachable from 10.199.199.1 (shared). However, pci and data should still be isolated from one another.
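To sanity-check the leak policy before deploying it, here is an added Python model (not from the article) of the route-target import/export and ACL filtering configured above; the VRF names, RD/RT values and prefixes are the ones used in this article, while the matching logic is a simplification that assumes BGP carries every route the route-maps permit.

```python
# Added example (not from the article): a small model of the route-target
# import/export policy configured on Main, used to check the leak design
# before touching a device. VRF names, RD/RT values and prefixes are the
# article's; ACL filtering and RT matching are simplified here.
from ipaddress import ip_network

# Per-VRF policy as configured on Main (rd, export RTs, import RTs).
VRFS = {
    "data":   {"rd": "65000:100", "export": {"65000:100"}, "import": {"65000:199"}},
    "pci":    {"rd": "65000:200", "export": {"65000:200"}, "import": {"65000:199"}},
    "shared": {"rd": "65000:199", "export": {"65000:199"},
               "import": {"65000:100", "65000:200"}},
}

# Route-maps: redistribution into BGP is filtered by a standard ACL whose
# wildcard mask 0.0.255.255 permits anything inside the /16.
ACL = {"data": "10.100.0.0/16", "pci": "10.200.0.0/16", "shared": "10.199.0.0/16"}

# Routes each VRF knows before leaking (EIGRP-learned or connected).
LOCAL = {
    "data":   ["10.100.100.0/24", "10.100.128.0/30", "10.100.129.0/24", "10.100.130.0/24"],
    "pci":    ["10.200.100.0/24", "10.200.128.0/30", "10.200.129.0/24", "10.200.130.0/24"],
    "shared": ["10.199.199.0/24"],
}

def permitted(vrf, prefix):
    """Emulate the 'permit net wildcard' ACL line behind each route-map."""
    return ip_network(prefix).subnet_of(ip_network(ACL[vrf]))

def bgp_table():
    """Routes entering BGP, each tagged with its source VRF's export RTs."""
    table = []
    for vrf, routes in LOCAL.items():
        for p in routes:
            if permitted(vrf, p):
                table.append((vrf, p, VRFS[vrf]["export"]))
    return table

def vrf_routes(vrf):
    """Local routes plus any BGP route carrying an RT this VRF imports."""
    seen = set(LOCAL[vrf])
    for src, p, rts in bgp_table():
        if src != vrf and rts & VRFS[vrf]["import"]:
            seen.add(p)
    return sorted(seen, key=ip_network)

def isolated(a, b):
    """True when VRF a learns nothing that originated in VRF b."""
    return not any(p in vrf_routes(a) for p in LOCAL[b])
```

Adding a stray `route-target import 65000:200` under vrf data in the model makes `isolated("data", "pci")` return False, which is exactly the mistake this check is meant to catch before it reaches a device.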

IP Addresses

  • Main
    • Gig2.100 – 10.100.128.1 (data)
    • Gig2.200 – 10.200.128.1 (pci)
    • Loopback 100 – 10.100.100.1 (data)
    • Loopback 200 – 10.200.100.1 (pci)
    • Loopback 199 – 10.199.199.1 (shared)
  • BrWan
    • Gig2.100 – 10.100.128.2 (data)
    • Gig2.200 – 10.200.128.2 (pci)
    • Gig3.101 – 10.100.129.1 (data)
    • Gig3.102 – 10.100.130.1 (data)
    • Gig3.201 – 10.200.129.1 (pci)
    • Gig3.202 – 10.200.130.1 (pci)
  • data-1 – 10.100.129.11 (dhcp–may vary)
  • data-2 – 10.100.130.11 (dhcp–may vary)
  • pci-1 – 10.200.129.11 (dhcp–may vary)
  • pci-2 – 10.200.130.11 (dhcp–may vary)

data-1 — Connectivity Testing

//testing to shared
data-1#ping 10.199.199.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.199.199.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/10 ms

//testing to pci
data-1#ping 10.200.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.129.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
data-1#ping 10.200.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.100.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

pci-1 — Connectivity Testing

//testing to shared
pci-1#ping 10.199.199.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.199.199.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/17 ms

//testing to data
pci-1#ping 10.100.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.129.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pci-1#ping 10.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Main — Connectivity Testing (shared)

//testing to data
Main#ping vrf shared 10.100.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.129.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/18 ms

//testing to pci
Main#ping vrf shared 10.200.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.129.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/15/35 ms

At this point, we can see that the configuration works as expected. However, a closer look at the routing tables and protocols provides more information and a clearer understanding of what is being achieved here.

Main — relevant show commands

//show ip route

//shared -- notice all routes
Main#show ip route vrf shared | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 14 subnets, 3 masks
B        10.100.100.0/24 is directly connected, 00:12:46, Loopback100
L        10.100.100.1/32 is directly connected, Loopback100
B        10.100.128.0/30 is directly connected, 00:12:46, GigabitEthernet2.100
L        10.100.128.1/32 is directly connected, GigabitEthernet2.100
B        10.100.129.0/24
           [20/15360] via 10.100.128.2 (data), 00:12:46, GigabitEthernet2.100
B        10.100.130.0/24
           [20/15360] via 10.100.128.2 (data), 00:12:46, GigabitEthernet2.100
C        10.199.199.0/24 is directly connected, Loopback199
L        10.199.199.1/32 is directly connected, Loopback199
B        10.200.100.0/24 is directly connected, 00:12:46, Loopback200
L        10.200.100.1/32 is directly connected, Loopback200
B        10.200.128.0/30 is directly connected, 00:12:46, GigabitEthernet2.200
L        10.200.128.1/32 is directly connected, GigabitEthernet2.200
B        10.200.129.0/24
           [20/15360] via 10.200.128.2 (pci), 00:12:46, GigabitEthernet2.200
B        10.200.130.0/24
           [20/15360] via 10.200.128.2 (pci), 00:12:46, GigabitEthernet2.200

//data -- only data and 10.199.199.0/24 routes
Main#show ip route vrf data | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C        10.100.100.0/24 is directly connected, Loopback100
L        10.100.100.1/32 is directly connected, Loopback100
C        10.100.128.0/30 is directly connected, GigabitEthernet2.100
L        10.100.128.1/32 is directly connected, GigabitEthernet2.100
D        10.100.129.0/24
           [90/15360] via 10.100.128.2, 10:01:59, GigabitEthernet2.100
D        10.100.130.0/24
           [90/15360] via 10.100.128.2, 10:01:59, GigabitEthernet2.100
B        10.199.199.0/24 is directly connected, 00:13:23, Loopback199
L        10.199.199.1/32 is directly connected, Loopback199

//pci -- only pci and 10.199.199.0/24 routes
Main#show ip route vrf pci | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
B        10.199.199.0/24 is directly connected, 00:14:07, Loopback199
L        10.199.199.1/32 is directly connected, Loopback199
C        10.200.100.0/24 is directly connected, Loopback200
L        10.200.100.1/32 is directly connected, Loopback200
C        10.200.128.0/30 is directly connected, GigabitEthernet2.200
L        10.200.128.1/32 is directly connected, GigabitEthernet2.200
D        10.200.129.0/24
           [90/15360] via 10.200.128.2, 10:03:01, GigabitEthernet2.200
D        10.200.130.0/24
           [90/15360] via 10.200.128.2, 10:03:01, GigabitEthernet2.200

//show ip bgp
Main#show ip bgp all


     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:100 (default for vrf data)
 *>  10.100.100.0/24  0.0.0.0                  0         32768 ?
 *>  10.100.128.0/30  0.0.0.0                  0         32768 ?
 *>  10.100.129.0/24  10.100.128.2         15360         32768 ?
 *>  10.100.130.0/24  10.100.128.2         15360         32768 ?
 *>  10.199.199.0/24  0.0.0.0                  0         32768 ?
Route Distinguisher: 65000:199 (default for vrf shared)
 *>  10.100.100.0/24  0.0.0.0                  0         32768 ?
 *>  10.100.128.0/30  0.0.0.0                  0         32768 ?
 *>  10.100.129.0/24  10.100.128.2         15360         32768 ?
 *>  10.100.130.0/24  10.100.128.2         15360         32768 ?
 *>  10.199.199.0/24  0.0.0.0                  0         32768 ?
 *>  10.200.100.0/24  0.0.0.0                  0         32768 ?
 *>  10.200.128.0/30  0.0.0.0                  0         32768 ?
     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.200.129.0/24  10.200.128.2         15360         32768 ?
 *>  10.200.130.0/24  10.200.128.2         15360         32768 ?
Route Distinguisher: 65000:200 (default for vrf pci)
 *>  10.199.199.0/24  0.0.0.0                  0         32768 ?
 *>  10.200.100.0/24  0.0.0.0                  0         32768 ?
 *>  10.200.128.0/30  0.0.0.0                  0         32768 ?
 *>  10.200.129.0/24  10.200.128.2         15360         32768 ?
 *>  10.200.130.0/24  10.200.128.2         15360         32768 ?

Examining the routing tables of BrWan reveals similar routes in EIGRP. The shared VRF doesn't exist here, but the external EIGRP route (D EX) is populated into both the pci and data VRFs.

BrWan Routing Table

//data vrf
BrWan#show ip route vrf data | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
D        10.100.100.0/24
           [90/10880] via 10.100.128.1, 10:04:23, GigabitEthernet2.100
C        10.100.128.0/30 is directly connected, GigabitEthernet2.100
L        10.100.128.2/32 is directly connected, GigabitEthernet2.100
C        10.100.129.0/24 is directly connected, GigabitEthernet3.101
L        10.100.129.1/32 is directly connected, GigabitEthernet3.101
C        10.100.130.0/24 is directly connected, GigabitEthernet3.102
L        10.100.130.1/32 is directly connected, GigabitEthernet3.102
D EX     10.199.199.0/24
           [170/61440] via 10.100.128.1, 00:14:38, GigabitEthernet2.100

//pci vrf
BrWan#show ip route vrf pci | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
D EX     10.199.199.0/24
           [170/61440] via 10.200.128.1, 00:15:18, GigabitEthernet2.200
D        10.200.100.0/24
           [90/10880] via 10.200.128.1, 10:05:22, GigabitEthernet2.200
C        10.200.128.0/30 is directly connected, GigabitEthernet2.200
L        10.200.128.2/32 is directly connected, GigabitEthernet2.200
C        10.200.129.0/24 is directly connected, GigabitEthernet3.201
L        10.200.129.1/32 is directly connected, GigabitEthernet3.201
C        10.200.130.0/24 is directly connected, GigabitEthernet3.202
L        10.200.130.1/32 is directly connected, GigabitEthernet3.202
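As an added check (not part of the article), the following Python audits `show ip route vrf` output from Main or BrWan for prefixes outside a segment's allowed ranges; the sample output is constructed in the format shown above and includes one deliberately leaked pci route so the detection is visible.

```python
# Added example (not part of the article): audit 'show ip route vrf <name>'
# output for prefixes that should not be present in a segment. The parser
# targets the IOS layout shown in the article, where a route with a
# bracketed metric wraps onto a second line. SAMPLE_DATA is constructed,
# with one deliberately wrong route in vrf data to show a detection.
import re
from ipaddress import ip_network

# Prefixes each VRF is allowed to carry: its own range plus the shared range.
ALLOWED = {
    "data": ["10.100.0.0/16", "10.199.0.0/16"],
    "pci":  ["10.200.0.0/16", "10.199.0.0/16"],
}

# Route code (C, L, D, B, D EX ...) followed by the prefix on the same line.
ROUTE_LINE = re.compile(r"^([A-Z]{1,2}(?: EX)?)\s+(\d+\.\d+\.\d+\.\d+/\d+)")

def parse_routes(output):
    """Return [(code, prefix)] from a 'show ip route vrf' dump."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            routes.append((m.group(1).strip(), m.group(2)))
    return routes

def audit(vrf, output):
    """Return routes in the VRF that fall outside its allowed ranges."""
    allowed = [ip_network(a) for a in ALLOWED[vrf]]
    return [(code, p) for code, p in parse_routes(output)
            if not any(ip_network(p).subnet_of(a) for a in allowed)]

# Constructed sample: Main's vrf data table plus a leaked pci route.
SAMPLE_DATA = """\
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
C        10.100.100.0/24 is directly connected, Loopback100
L        10.100.100.1/32 is directly connected, Loopback100
D        10.100.129.0/24
           [90/15360] via 10.100.128.2, 10:01:59, GigabitEthernet2.100
B        10.199.199.0/24 is directly connected, 00:13:23, Loopback199
B        10.200.129.0/24
           [20/15360] via 10.200.128.2 (pci), 00:12:46, GigabitEthernet2.200
"""

if __name__ == "__main__":
    for code, prefix in audit("data", SAMPLE_DATA):
        print(f"vrf data: unexpected route {prefix} ({code})")
```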

The configuration and VIRL files can be found at the URL below. Note that the VIRL topology is all-inclusive, but we have yet to cover and configure the DMVPN part of the topology.

Conclusion

This article has demonstrated the ability to create a shared services area in a network that leverages VRFs. While this may or may not be appropriate for a given topology and organization, it is something engineers should have in their tool belt. For environments that require strict policy enforcement of traffic traversing VRFs, firewalling between VRFs is covered in article 5 of this series.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.