Demistifying VRFs, Part 2 - Hands on with some lite VRFs

Let us now see the basics of what we talked about in the first post about VRFs - in action. We'll start with an extremely small topology consisting of two Cisco routers - one running legacy IOS, the other running IOS XR - and see how we could implement "the litest" VRF-lite to segment the L3 topology into two domains.

Our task here is:

• Create one L3 instance for "user" traffic, where subnets on R1 should be reachable from subnets on XR2 and vice versa,
• Create another L3 instance for "server" traffic (whatever that might be), where only server subnets should be able to reach each other on both routers.

The starting addressing scheme is as follows:

• One "user" subnet which is connected to R1 is 192.168.0.0/24, with .254 being the Eth0/2 interfaca address (and default gateway for hosts there)
• One "server" subnet, which is using the exact same subnet and interface address as the first one 192.168.0.0/24 (and .254 on the R1 Eth0/1 interface)
• Other "user" subnet on XR2 - 192.168.1.0/24 (.254 on the router interface Gi0/0/0/2)
• Other "server" subnet ont XR2 - 10.0.0.0/24 (.254 on the router interface Gi0/0/0/1)

We can start first with subnet-to-subnet connectivity, and we'll move on later to additional connectivity requests as we go along.

First, let's make sure we don't have any VRFs configured:

R1#sh ip vrf R1#

Great, nothing there. Let's now configure a VRF, and we'll use the "newer" IOS syntax with the command "vrf definition":

R1#conf t R1(config)#vrf definition user R1(config-vrf)#address-family ipv4 R1(config-vrf-af)#end R1#

And that's about it. We created a separate routing instance, gave it a name "user", and specified that it is to be used for forwarding IPv4 unicast traffic.

Let's see what IOS has created for us:

R1#sh vrf detail user VRF user (VRF Id = 1); default RD <not set>; default VPNID <not set>   New CLI format, supports multiple address-families   Flags: 0x1808   No interfaces Address family ipv4 (Table ID = 1 (0x1)):   Flags: 0x0   No Export VPN route-target communities   No Import VPN route-target communities   No import route-map   No global export route-map   No export route-map   VRF label distribution protocol: not configured   VRF label allocation mode: per-prefix Address family ipv6 not active R1#

Great, we can see that there is something called "Table ID" which is our identifier describing the new entity we created. Let's now try and interface Eth0/2, and we'll check if the new routing table is populated as we expect in the list above:

R1(config)#interface e0/2 R1(config-if)#vrf forwarding user R1(config-if)#ip address 192.168.0.254 255.255.255.0 R1(config-if)#no shut R1(config-if)# R1# *Oct  5 10:53:57.141: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to up R1# *Oct  5 10:53:57.718: %SYS-5-CONFIG_I: Configured from console by console *Oct  5 10:53:58.146: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to up R1#

Mkay, we got an "up/up" interface, so we expect that the prefixes 192.168.0.254/32 (local) and 192.168.0.0/24 (connected) should be installed in the routing table for VRF A. Let's check and verify first that these prefixes were not inserted in the "global" routing table (the one that comes out of the box and is not tied to any VRFs):

R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2        ia - IS-IS inter area, * - candidate default, U - per-user static route        o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP        a - application route        + - replicated route, % - next hop override Gateway of last resort is not set R1#

Yup, this one is empty as expected. So far - so good. Let's display the routing table corresponding to VRF "user", since our prefixes should be installed there:

R1#show ip route vrf user Routing Table: user Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2        ia - IS-IS inter area, * - candidate default, U - per-user static route        o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP        a - application route        + - replicated route, % - next hop override Gateway of last resort is not set       192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks C        192.168.0.0/24 is directly connected, Ethernet0/2 L        192.168.0.254/32 is directly connected, Ethernet0/2 R1#

There we are. It's there. This networking stuff is easy, can't see what the fuss is all about.

Let's configure the server VRF and the corresponding interface Eth0/1:

R1(config)#vrf definition server R1(config-vrf)#address-family ipv4 R1(config-vrf-af)#exit R1(config-vrf)#interface e0/1 R1(config-if)#ip address 192.168.0.254 255.255.255.0 R1(config-if)#no shut R1(config-if)#end R1# *Oct  8 15:09:34.290: %SYS-5-CONFIG_I: Configured from console by console R1# *Oct  8 15:09:34.334: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up *Oct  8 15:09:35.339: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up R1#

Good. No, wait. We forgot to add the interface to the new VRF. Darn. Let's do that now:

R1(config)#interface e0/1 R1(config-if)#vrf forwarding server % Interface Ethernet0/1 IPv4 disabled and address(es) removed due to enabling VRF server R1(config-if)#do show run interface e0/1 Building configuration... Current configuration : 67 bytes ! interface Ethernet0/1  vrf forwarding server  no ip address end R1(config-if)#ip address 192.168.0.254 255.255.255.0 R1(config-if)#end R1#

Whoa, look at that. Moving the interface from one VRF to another (or from a "global" VRF to VRF user in this case) caused IOS to remove the configured IP address. Well, this does make sense, since the IP addresses make sense only in the context of VRF in which they're configured. So, once we re-applied the address we should be good to go. Our device now allows us to have overlapping address space (and even overlapping interface addresses!) - we have 192.168.0.254/24 configured on Eth0/1 and Eth0/2, but since those are in different VRFs - the router has no problem differentiating between the two. How cool is that…  [1]

Let us now test our static routes - we'll try and add a couple of "dummy" static routes in both VRFs, just to see if they'll behave as we expect them to. We'll remove them after we're done, because we won't need them later.

R1(config)#ip route vrf server 172.20.1.0 255.255.255.0 192.168.0.1 name Dummy_route R1(config)#end R1#sh ip route vrf server Routing Table: server [...output truncated...] Gateway of last resort is not set       172.20.0.0/24 is subnetted, 1 subnets S        172.20.1.0 [1/0] via 192.168.0.1       192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks C        192.168.0.0/24 is directly connected, Ethernet0/1 L        192.168.0.254/32 is directly connected, Ethernet0/1 R1#

There it is. Onward and upward! I like it! Another!

R1(config)#ip route vrf server 172.20.2.0 255.255.255.0 172.16.1.1 name Another_dummy_route R1(config)#end R1#sh ip route *Oct  8 15:23:39.219: %SYS-5-CONFIG_I: Configured from console by consoleu R1#sh ip route vrf server Routing Table: server [...output truncated...] Gateway of last resort is not set       172.20.0.0/24 is subnetted, 1 subnets S        172.20.1.0 [1/0] via 192.168.0.1       192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks C        192.168.0.0/24 is directly connected, Ethernet0/1 L        192.168.0.254/32 is directly connected, Ethernet0/1 R1#

Wow, these guys are good. The router cannot resolve which outgoing interface the configured next hop address maps to (we have no route for 172.16.1.1), so this static route isn't installed in the routing table. Everything's working as expected. (Mind you, I've now quietly removed those static routes since we won't be needing them anymore, so they won't show up in configs or routing tables anymore. Don’t go looking for them. Don't make it weird.)

Let's move on to XR2 and do the same - configure two VRFs and their interfaces, and put the addressing in place. Also, we'll note the slight syntactic difference between legacy IOS and IOS-XR:

RP/0/0/CPU0:XR2(config)#vrf user RP/0/0/CPU0:XR2(config-vrf)#address-family ipv4 unicast RP/0/0/CPU0:XR2(config-vrf-af)#exit RP/0/0/CPU0:XR2(config-vrf)#exit RP/0/0/CPU0:XR2(config)#commit Mon Oct  8 15:34:21.749 UTC RP/0/0/CPU0:XR2(config)#vrf server RP/0/0/CPU0:XR2(config-vrf)#address-family ipv4 unicast RP/0/0/CPU0:XR2(config-vrf-af)#exit RP/0/0/CPU0:XR2(config-vrf)#exit RP/0/0/CPU0:XR2(config)#commit Mon Oct  8 15:34:34.008 UTC RP/0/0/CPU0:XR2(config)#interface Gi0/0/0/1 RP/0/0/CPU0:XR2(config-if)#vrf server RP/0/0/CPU0:XR2(config-if)#ip address 10.0.0.254 255.255.255.0 RP/0/0/CPU0:XR2(config-if)#no shut RP/0/0/CPU0:XR2(config-if)#commit Mon Oct  8 15:40:06.165 UTC RP/0/0/CPU0:XR2(config-if)#interface gi0/0/0/2 RP/0/0/CPU0:XR2(config-if)#vrf user RP/0/0/CPU0:XR2(config-if)#ip address 192.168.1.254 255.255.255.0 RP/0/0/CPU0:XR2(config-if)#no shut RP/0/0/CPU0:XR2(config-if)#commit Mon Oct  8 15:40:25.024 UTC RP/0/0/CPU0:XR2(config-if)#end RP/0/0/CPU0:XR2#

In the words of great John Oliver: "Cool." [2] Let's do a quick check if we've addressed everything the way we should:

RP/0/0/CPU0:XR2#sh ip int br Mon Oct  8 15:40:32.814 UTC Interface                      IP-Address      Status                Protocol MgmtEth0/0/CPU0/0              unassigned      Up                    Up GigabitEthernet0/0/0/0         unassigned      Up                    Up GigabitEthernet0/0/0/3         unassigned      Up                    Up RP/0/0/CPU0:XR2#

What in tarnation..? Where are the two interfaces we just configured? Why aren't they displayed? Well, "ackshually", IOS-XR is just a bit more consistent with VRFs than plain old IOS. Not only we need to specify the VRF when we're trying to display the routes, we also need to specify it if we "just" want to check the interface IP addresses. So, let's do that:

RP/0/0/CPU0:XR2#show ip vrf all interface brief Mon Oct  8 15:46:02.461 UTC Interface                      IP-Address      Status          Protocol Vrf-Name MgmtEth0/0/CPU0/0              unassigned      Up              Up       default GigabitEthernet0/0/0/0         unassigned      Up              Up       default GigabitEthernet0/0/0/1         10.0.0.254      Up              Up       server GigabitEthernet0/0/0/2         192.168.1.254   Up              Up       user GigabitEthernet0/0/0/3         unassigned      Up              Up       default

Ah, there they are, much better. So - now we have two routers, running two separate routing instances on them, but they're kinda… Disconnected. Hosts connected to R1 cannot really communicate to hosts on XR2, not even in their own routing domain. While this is a quite secure solution [3], we'll definitely need to configure something to allow them to communicate. So let's do that using OSPF.

To allow VRF "server" hosts to communicate across the two routers, we'll run a single area (area 0) OSPF between R1 and XR2 to first exchange routing information about the connected subnets. But since we'll need to run the same setup for the other VRF "user" (consistency is a good design principle [4]), we'll have to think hard about how are we going to accomplish that. The thing is - to run a routing protocol "in a VRF" - especially OSPF, where we enable it on a per-interface basis - we need to think in which VRF are we going to place the interfaces over which we intend to peer the two routers.

Since we only have one physical Ethernet link between the two routers, if we add the "whole" link with the (the physical interfaces on each link end) to the VRF "server" - we'll have to run another physical connection between R1 and XR2 to bring up OSPF peering for VRF "user". But I did say we can add logical L3 interfaces into VRFs, so - VLANs to the rescue: we'll create two 802.1q tagged subinterfaces on the link between R1 and XR2, and place them into appropriate VRF, and we'll address them as follows:

		R1	XR2
VLAN ID	VRF	Eth0/0.VLANID	Gi0/0/0/0.VLANID
100	user	172.16.0.1/30	172.16.0.2/30
200	server	172.16.0.5/30	172.16.0.6/30

Let's configure R1 side:

R1(config)#interface e0/0 R1(config-if)#no shut R1(config-if)#interface e0/0.100 *Oct  8 16:12:15.569: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up *Oct  8 16:12:16.578: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up R1(config-if)#interface e0/0.100 R1(config-subif)#vrf forwarding user R1(config-subif)#encapsulation dot1q 100 R1(config-subif)#ip address 172.16.0.1 255.255.255.252 R1(config-subif)#no shut R1(config-subif)#int e0/0.200 R1(config-subif)#vrf forwarding server R1(config-subif)#encapsulation dot1q 200 R1(config-subif)#ip address 172.16.0.5 255.255.255.252 R1(config-subif)#no shut R1(config-subif)#end R1#

Now XR2:

RP/0/0/CPU0:XR2(config)#int gi0/0/0/0 RP/0/0/CPU0:XR2(config-if)#no shut RP/0/0/CPU0:XR2(config-if)#exit RP/0/0/CPU0:XR2(config)#commit Mon Oct  8 16:14:15.205 UTC RP/0/0/CPU0:XR2(config)#interface gi0/0/0/0.100 RP/0/0/CPU0:XR2(config-subif)#encapsulation dot1q 100 RP/0/0/CPU0:XR2(config-subif)#vrf user RP/0/0/CPU0:XR2(config-subif)#ip address 172.16.0.2 255.255.255.252 RP/0/0/CPU0:XR2(config-subif)#no shut RP/0/0/CPU0:XR2(config-subif)#commit Mon Oct  8 16:14:42.863 UTC RP/0/0/CPU0:XR2(config-subif)#ex RP/0/0/CPU0:XR2(config)#interface gi0/0/0/0.200 RP/0/0/CPU0:XR2(config-subif)#encapsulation dot1q 200 RP/0/0/CPU0:XR2(config-subif)#vrf server RP/0/0/CPU0:XR2(config-subif)#ip address 172.16.0.6 255.255.255.252 RP/0/0/CPU0:XR2(config-subif)#no shut RP/0/0/CPU0:XR2(config-subif)#commit Mon Oct  8 16:15:12.011 UTC RP/0/0/CPU0:XR2(config-subif)#end RP/0/0/CPU0:XR2#

Let's check the connectivity:

RP/0/0/CPU0:XR2#ping 172.16.0.1 so gi0/0/0/0.100 Mon Oct  8 16:18:25.468 UTC Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) RP/0/0/CPU0:XR2#ping 172.16.0.1 so gi0/0/0/0.200 Mon Oct  8 16:18:50.826 UTC Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) RP/0/0/CPU0:XR2#

Hmmm, did we misconfigure something..? Duh, no, it's just we can't check it like that - ping is now also VRF-aware! (and tracert as well). Let's do it properly now:

RP/0/0/CPU0:XR2#ping vrf user 172.16.0.1 Mon Oct  8 16:25:30.230 UTC Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms RP/0/0/CPU0:XR2#ping vrf server 172.16.0.5 Mon Oct  8 16:25:38.839 UTC Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.0.5, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms RP/0/0/CPU0:XR2#

Muuuuch better now. So, now on to OSPF. Let's start with VRF "user" and let's say we're gonna have OSPF process 12, area 0. We'll enable the following interfaces:

•  R1:
• Eth0/2 - passive
• Eth0/0.100 - point-to-point network type
• XR2:
• Gi0/0/0/2 - passive
• Gi0/0/0/0.100 - point-to-point network type

So, R1 config:

R1(config)#interface e0/0.100 R1(config-subif)#ip ospf network point-to-point R1(config-subif)#exit R1(config)#router ospf 12 vrf user R1(config-router)#network 172.16.0.1 0.0.0.0 area 0 R1(config-router)#network 192.168.0.254 0.0.0.0 area 0 R1(config-router)#passive-interface ethernet 0/2 R1(config-router)#end R1#

XR2 config:

RP/0/0/CPU0:XR2(config)#router ospf 12 vrf user RP/0/0/CPU0:XR2(config-ospf-vrf)#area 0 RP/0/0/CPU0:XR2(config-ospf-vrf-ar)#interface Gi0/0/0/0.100 RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#network point-to-point RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#exit RP/0/0/CPU0:XR2(config-ospf-vrf-ar)#interface Gi0/0/0/2 RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#passive RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#exit RP/0/0/CPU0:XR2(config-ospf-vrf-ar)#exit RP/0/0/CPU0:XR2(config-ospf-vrf)#exit RP/0/0/CPU0:XR2(config-ospf)#exit RP/0/0/CPU0:XR2(config)#commit Mon Oct  8 16:28:34.646 UTC RP/0/0/CPU0:XR2(config)#

Fingers crossed!

R1# *Oct  8 16:28:40.245: %OSPF-5-ADJCHG: Process 12, Nbr 192.168.1.254 on Ethernet0/0.100 from LOADING to FULL, Loading Done R1#

That's what I like to see. Let's check out the routing table(s):

R1#show ip route vrf user Routing Table: user [...output truncated...] Gateway of last resort is not set       172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks C        172.16.0.0/30 is directly connected, Ethernet0/0.100 L        172.16.0.1/32 is directly connected, Ethernet0/0.100       192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks C        192.168.0.0/24 is directly connected, Ethernet0/2 L        192.168.0.254/32 is directly connected, Ethernet0/2 O     192.168.1.0/24 [110/11] via 172.16.0.2, 00:02:36, Ethernet0/0.100 R1#

And on XR2:

RP/0/0/CPU0:XR2#show route vrf user Mon Oct  8 16:33:13.467 UTC [...output truncated...] Gateway of last resort is not set C    172.16.0.0/30 is directly connected, 00:18:30, GigabitEthernet0/0/0/0.100 L    172.16.0.2/32 is directly connected, 00:18:30, GigabitEthernet0/0/0/0.100 O    192.168.0.0/24 [110/11] via 172.16.0.1, 00:04:34, GigabitEthernet0/0/0/0.100 C    192.168.1.0/24 is directly connected, 00:52:48, GigabitEthernet0/0/0/2 L    192.168.1.254/32 is directly connected, 00:52:48, GigabitEthernet0/0/0/2

Let's check what the users say:

User-1> ping 192.168.1.1 84 bytes from 192.168.1.1 icmp_seq=1 ttl=62 time=30.148 ms 84 bytes from 192.168.1.1 icmp_seq=2 ttl=62 time=7.792 ms 84 bytes from 192.168.1.1 icmp_seq=3 ttl=62 time=4.791 ms 84 bytes from 192.168.1.1 icmp_seq=4 ttl=62 time=6.828 ms 84 bytes from 192.168.1.1 icmp_seq=5 ttl=62 time=4.776 ms User-1>

The users on each router can communicate! Let's do the same for VRF "server". The gameplan is the same, OSPF process 12, area 0, on following interfaces:

•  R1:
• Eth0/1 - passive
• Eth0/0.200 - point-to-point network type
• XR2:
• Gi0/0/0/1 - passive
• Gi0/0/0/0.200 - point-to-point network type

Let's configure it:

R1(config)#router ospf 12 vrf server %VRF specified does not match existing router R1(config)#

Uh-oh, thwarted by IOS at the first step… Could we perhaps change the process ID..? Let's try:

R1(config)#int e0/0.200 R1(config-subif)#ip ospf network point-to-point R1(config-subif)#exit R1(config)#router ospf 22 vrf server R1(config-router)#passive-interface e0/1 R1(config-router)#network 192.168.0.254 0.0.0.0 area 0 R1(config-router)#network 172.16.0.5 0.0.0.0 area 0 R1(config-router)#end R1#

Yup, that works. Now the other side. But… I'm curious - will XR2 let us have the same process ID? Let's try:

RP/0/0/CPU0:XR2(config)#router ospf 12 RP/0/0/CPU0:XR2(config-ospf)#vrf server RP/0/0/CPU0:XR2(config-ospf-vrf)#commit Mon Oct  8 17:11:54.868 UTC RP/0/0/CPU0:XR2(config-ospf-vrf)#

Yeah, XR isn't so picky. And it has a prettier syntax which makes it clear where the process is running. Let's continue:

RP/0/0/CPU0:XR2(config-ospf-vrf)#area 0 RP/0/0/CPU0:XR2(config-ospf-vrf-ar)#interface GigabitEthernet0/0/0/0.200 RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#network point-to-point RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#exit RP/0/0/CPU0:XR2(config-ospf-vrf-ar)#interface GigabitEthernet0/0/0/1 RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#passive enable RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#exit RP/0/0/CPU0:XR2(config-ospf-vrf-ar)#exit RP/0/0/CPU0:XR2(config-ospf-vrf)#exit RP/0/0/CPU0:XR2(config-ospf)#exit RP/0/0/CPU0:XR2(config)#commit Mon Oct  8 17:13:10.173 UTC RP/0/0/CPU0:XR2(config)#

So? What's the verdict?

R1# *Oct  8 17:13:11.701: %OSPF-5-ADJCHG: Process 22, Nbr 10.0.0.254 on Ethernet0/0.200 from LOADING to FULL, Loading Done R1#

There we go. This networking stuff is so easy. [5] Let's check the routing tables on both routers, verify we're receiving the OSPF internal routes for the remote subnets, and finally check the server-to-server connectivity.

R1:

R1#show ip route vrf server Routing Table: server [...output truncated...] Gateway of last resort is not set       10.0.0.0/24 is subnetted, 1 subnets O        10.0.0.0 [110/11] via 172.16.0.6, 00:03:40, Ethernet0/0.200       172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks C        172.16.0.4/30 is directly connected, Ethernet0/0.200 L        172.16.0.5/32 is directly connected, Ethernet0/0.200       192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks C        192.168.0.0/24 is directly connected, Ethernet0/1 L        192.168.0.254/32 is directly connected, Ethernet0/1

XR2:

RP/0/0/CPU0:XR2#show route vrf server Mon Oct  8 17:17:46.074 UTC [...output truncated...] Gateway of last resort is not set C    10.0.0.0/24 is directly connected, 01:37:39, GigabitEthernet0/0/0/1 L    10.0.0.254/32 is directly connected, 01:37:39, GigabitEthernet0/0/0/1 C    172.16.0.4/30 is directly connected, 01:02:34, GigabitEthernet0/0/0/0.200 L    172.16.0.6/32 is directly connected, 01:02:34, GigabitEthernet0/0/0/0.200 O    192.168.0.0/24 [110/11] via 172.16.0.5, 00:04:35, GigabitEthernet0/0/0/0.200

And the ultimate check:

Server-1> ping 10.0.0.1 10.0.0.1 icmp_seq=1 timeout 10.0.0.1 icmp_seq=2 timeout 84 bytes from 10.0.0.1 icmp_seq=3 ttl=62 time=5.762 ms 84 bytes from 10.0.0.1 icmp_seq=4 ttl=62 time=5.861 ms 84 bytes from 10.0.0.1 icmp_seq=5 ttl=62 time=7.816 ms Server-1>

We did it. We have established two distinct and separate routing domains over two shared physical routers, allowing the hosts in each routing instace to communicate with the other hosts in the same routing instance. We tested applying static routes, and we've configured a routing protocol to run in these two instances.

Let's now diversify a bit: let's say our enterprise network was just recently expanded, and another router - a Juniper router, we'll call it JR3 - was added to another location, and connected to our XR2 router via a Gigabit link (Gi0/0/0/3 on XR2 side is connected to ge-0/0/3 on JR3 side). So we need to expand our topology, to allow our customers in instances "user" and "server" to communicate with the rest of the network. Let's reuse the OSPF infrastructure we already have in place, and just include JR3 into the existing area(s) 0 in both VRFs.

So, let's first prepare our existing XR2. We'll create new point-to-point subinterfaces on its Gi0/0/0/3 interface, place them into appropriate VRFs, and then configure OSPF to peer with JR3 via those interfaces:

RP/0/0/CPU0:XR2(config)#interface GigabitEthernet0/0/0/3 RP/0/0/CPU0:XR2(config-if)#no shut RP/0/0/CPU0:XR2(config-if)#interface GigabitEthernet0/0/0/3.110 RP/0/0/CPU0:XR2(config-subif)#vrf user RP/0/0/CPU0:XR2(config-subif)#ipv4 address 172.16.0.13 255.255.255.252 RP/0/0/CPU0:XR2(config-subif)#encapsulation dot1q 110 RP/0/0/CPU0:XR2(config-subif)#no shut RP/0/0/CPU0:XR2(config-subif)#interface GigabitEthernet0/0/0/3.210 RP/0/0/CPU0:XR2(config-subif)#vrf server RP/0/0/CPU0:XR2(config-subif)#ipv4 address 172.16.0.9 255.255.255.252 RP/0/0/CPU0:XR2(config-subif)#encapsulation dot1q 210 RP/0/0/CPU0:XR2(config-subif)#no shut RP/0/0/CPU0:XR2(config-subif)#commit Wed Oct 10 16:08:23.719 UTC RP/0/0/CPU0:XR2(config-subif)#router ospf 12 RP/0/0/CPU0:XR2(config-ospf)#vrf user RP/0/0/CPU0:XR2(config-ospf-vrf)#area 0 RP/0/0/CPU0:XR2(config-ospf-vrf-ar)#interface GigabitEthernet0/0/0/3.110 RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#network point-to-point RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#vrf server RP/0/0/CPU0:XR2(config-ospf-vrf)#area 0 RP/0/0/CPU0:XR2(config-ospf-vrf-ar)#interface GigabitEthernet0/0/0/3.210 RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#network point-to-point RP/0/0/CPU0:XR2(config-ospf-vrf-ar-if)#commit Wed Oct 10 16:09:11.113 UTC

Let's move on to JR3. We'll configure the following:

• We'll create two "routing-instance"s with type "virtual-router" - called "user" and "server"
• We'll use logical interface Lo0.100 and place it in VRF "user", address 192.168.2.254/24
• We'll use logical interface Lo0.200 and place it in VRF "server", address 10.0.2.254/24
• Interface ge-0/0/3 will be segmented into two 802.1q tagged L3 subinterfaces, as follows:
• ge-0/0/3.110 - VLAN ID 110 - VRF "user" - address 172.16.0.10/30
• ge-0/0/3.210 - VLAN ID 210 - VRF "server" - address 172.16.0.14/30
• OSPF instance running in vrf "user", area 0:
• Interface lo0.100 passive
• Interface ge-0/0/3.110 point-to-point
• OSPF instance running in vrf "server", area 0:
• Interface lo0.200 passive
• Interface ge-0/0/3.210 point-to-point

JR3:

jcluser@vMX5> configure Entering configuration mode [edit] jcluser@vMX5#set interface lo0 unit 100 family inet address 192.168.2.254/24 [edit] jcluser@vMX5#set interface lo0 unit 200 family inet address 10.0.2.254/24 [edit] jcluser@vMX5#set routing-instances user instance-type virtual-router [edit] jcluser@vMX5#set routing-instances user interface lo0.100 [edit] jcluser@vMX5#set routing-instances server instance-type virtual-router [edit] jcluser@vMX5#set routing-instances server lo0.200 [edit] jcluser@vMX5#set interface ge-0/0/3 vlan-tagging [edit] jcluser@vMX5#set interface ge-0/0/3 encapsulation flexible-ethernet-services [edit] jcluser@vMX5#set interface ge-0/0/3 unit 110 vlan-id 110 [edit] jcluser@vMX5#set interface ge-0/0/3 unit 110 family inet address 172.16.0.14/30 [edit] jcluser@vMX5#set interface ge-0/0/3 unit 210 vlan-id 210 [edit] jcluser@vMX5#set interface ge-0/0/3 unit 210 family inet address 172.16.0.10/30 [edit] jcluser@vMX5#set routing-instances user interface ge-0/0/3.110 [edit] jcluser@vMX5#set routing-instances server interface ge-0/0/3.210 [edit] jcluser@vMX5#set routing-instances user protocols ospf area 0.0.0.0 interface ge-0/0/3.110 interface-type p2p [edit] jcluser@vMX5#set routing-instances user protocols ospf area 0.0.0.0 interface lo0.100 passive [edit] jcluser@vMX5#set routing-instances server protocols ospf area 0.0.0.0 interface ge-0/0/3.210 interface-type p2p [edit] jcluser@vMX5#set routing-instances server protocols ospf area 0.0.0.0 interface lo0.200 passive [edit] jcluser@vMX5#commit commit complete [edit] jcluser@vMX5# exit Exiting configuration mode jcluser@vMX5>

First, we'll check on XR2 if our OSPF is up and running:

RP/0/0/CPU0:XR2#show ospf vrf user neighbor Wed Oct 10 16:12:23.719 UTC * Indicates MADJ interface Neighbors for OSPF 12, VRF user Neighbor ID     Pri   State           Dead Time   Address         Interface 192.168.0.254   1     FULL/  -        00:00:31    172.16.0.1      GigabitEthernet0/0/0/0.100     Neighbor is up for 05:01:35 172.16.0.14     1     FULL/  -        00:00:32    172.16.0.14     GigabitEthernet0/0/0/3.110     Neighbor is up for 00:05:48 Total neighbor count: 2 RP/0/0/CPU0:XR2#sho ospf vrf server neighbor Wed Oct 10 16:12:42.978 UTC * Indicates MADJ interface Neighbors for OSPF 12, VRF server Neighbor ID     Pri   State           Dead Time   Address         Interface 172.16.0.5      1     FULL/  -        00:00:35    172.16.0.5      GigabitEthernet0/0/0/0.200     Neighbor is up for 05:01:55 172.16.0.10     1     FULL/  -        00:00:32    172.16.0.10     GigabitEthernet0/0/0/3.210     Neighbor is up for 00:05:46 Total neighbor count: 2 RP/0/0/CPU0:XR2#

Always nice to see FULLy adjacent neighbors.  Let's see if we're getting the route:

RP/0/0/CPU0:XR2#sh route vrf user Tue Oct 16 17:52:58.870 UTC [...output truncated...] Gateway of last resort is not set C    172.16.0.0/30 is directly connected, 06:09:42, GigabitEthernet0/0/0/0.100 L    172.16.0.2/32 is directly connected, 06:09:42, GigabitEthernet0/0/0/0.100 C    172.16.0.12/30 is directly connected, 06:09:42, GigabitEthernet0/0/0/3.110 L    172.16.0.13/32 is directly connected, 06:09:42, GigabitEthernet0/0/0/3.110 O    192.168.0.0/24 [110/11] via 172.16.0.1, 06:09:33, GigabitEthernet0/0/0/0.100 C    192.168.1.0/24 is directly connected, 06:09:42, GigabitEthernet0/0/0/2 L    192.168.1.254/32 is directly connected, 06:09:42, GigabitEthernet0/0/0/2 O    192.168.2.254/32 [110/2] via 172.16.0.14, 06:09:32, GigabitEthernet0/0/0/3.110 RP/0/0/CPU0:XR2#

A thing of beauty. JR3 now:

jcluser@vMX5> show route table ? Possible completions:   <table>              Name of routing table   inet.0                 inet6.0                user.inet.0         jcluser@vMX5> show route table user.inet.0 user.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 172.16.0.0/30     *[OSPF/10] 00:15:18, metric 2                     > to 172.16.0.9 via ge-0/0/3.110 172.16.0.8/30     *[Direct/0] 00:28:02                     > via ge-0/0/3.110 172.16.0.10/32    *[Local/0] 00:28:02                       Local via ge-0/0/3.110 192.168.0.0/24    *[OSPF/10] 00:15:18, metric 3                     > to 172.16.0.9 via ge-0/0/3.110 192.168.1.0/24    *[OSPF/10] 00:15:18, metric 2                     > to 172.16.0.9 via ge-0/0/3.110 192.168.2.254/32  *[Direct/0] 00:16:53                     > via lo0.100 224.0.0.5/32      *[OSPF/10] 00:25:19, metric 1                       MultiRecv

So, sweet success. We did it.

Now, since I'm lazy [6] and tired of all this configuring (and getting the printouts to put in a blog), let us now conduct a thought experiment. Let us assume that our network has grown again (that's what networks do), and let's also assume that we have been tasked with creating another (sigh [7]) routing instance, called "topsecret". This routing instance will be used to connect only two subnets - one on our trusty old R1, the other on the newly added R5. Furthermore, R5's only connectivity to the rest of the network is via R4, which in turn has no other function in the network but to provide connectivity for R5.

Disclaimer: This is not a representative example of how you should design your corporate or service provider network. This is only an example topology. It is not meant to represent anything but to illustrate a point. [8]

So, we can basically replicate the process as we did with the other two VRFs. Let's list the steps:

1. Create VRF "topsecret" on R1 for IPv4 traffic
2. Assign the Eth0/3 interface to that VRF, configure its IP address, whatever it is
3. Create a subinterface on Eth0/0, vlan ID whatever, place it into VRF "topsecret", assign an IP address, no shut
4. Create VRF "topsecret" on XR2 for IPv4 traffic
5. Create a subinterface on Gi 0/0/0/0, vlan ID whatever, place it into VRF "topsecret", assign an IP address, no shut
6. Create a subinterface on Gi 0/0/0/3, vlan ID whatever #2, place it into VRF "topsecret" , assign an IP address, no shut
7. Create a virtual-router "topsecret" on JR2 for IPv4 traffic
8. Create a subinterface on ge-0/0/3, vlan id whatever #2, place it into routing-instance "topsecret", assign an IP address
9. Create a subinterface on ge-0/0/1, vlan id whatever #3, place it into routing-instance "topsecret", assign an IP address
10. Create a VRF "topsecret" on R4, for IPv4 traffic
11. Create a subinterface on Eth0/0, vlan id whatever #3, place it into VRF "topsecret", assign an IP address, no shut
12. Create a subinterface on Eth0/1, vlan id whatever #4, place it into VRF "topsecret", assign an IP address, no shut
13. Create a VRF "topsecret" on R5, for IPv4 traffic
14. Create a subinterface on Eth0/1, vlan id whatever #4, place it into VRF "topsecret", assign an IP address, no shut
15. Assign the Eth0/0 interface to vrf "topsecret", assign an IP address, no shut
16. Create an OSPF process/instance under current process in vrf "topsecret" on routers R1, XR2, JR3, R4, R5
17. Assign on each of those routers all VRF "topsecret" interfaces to area 0
18. ..profit..?

Let's adopt some loose terminology[9] first and then we'll proceed to analyze this scenario.

Interfaces which are placed into a VRF and are interfaces where customer traffic is entering our network we'll (very aptly) name customer facing interfaces.

Interfaces which are facing routers within our own network we'll call core facing interfaces.

So, we added two routers to our topology: R4 and R5. We can say that router R4 has absolutely no customer facing interfaces - all its interfaces are towards routers internal to our network. If we look closer, the same actually goes for routers XR2 and JR3 - while they do in fact have some customer facing interfaces, for this particular VRF "topsecret" - they have none. So that means that routers XR2, JR3 and R4 are just, lets' call them transit routers.

We can see that using this "litest of VRF-lites" doesn't actually scale that well. We've ended up with quite a lot of configuration, touching all devices in our network, in order to "just" connect two customer subnets. We've also ended up configuring VRFs even on transit routers, which do not have any customer facing interfaces in that VRF [10]. And we've used up a lot of address space (and VLAN IDs) - we've added 4 /30 point-to-point subnets in order to provide connectivity for only 2 customer subnets. And let's not forget - we've also got OSPF in VRF "topsecret" running, even on transit routers, using up CPU cycles and power[11], and just "patching up" our infrastructure.

There's got to be a better way!

There is. It's called MPLS Layer 3 VPNs, and we'll go over those a bit later in the series. You'll like the flexibility[12], trust me.

Another thing. Imagine that the "topsecret" project was just top secret during development. Now the connectivity requirement has changed: stuff in this VRF is not top secret anymore, on the contrary - hosts belonging to this VRF now need to be reachable by hosts in other two VRFs - "user" and "server"! And they couldn't tell you in advance, because, well, it was top secret, wasn't it? [13]

Now, here we reach the end of possibilities for "litest of VRF-lite". We'll need to add more config to our VRFs, and probably bring out the heavy hitters - BGP to the rescue. See ya next time.

---

 [1] Nerd.

 [2] Cool

 [3] It's all downhill from here.

 [4] But don't expect to find it in production networks.

 [5] At least according to your average CTO.

 [6] Yeah, that's what got me into networking.

 [7] Did I welcome you to the bor^H^H^H exciting world of networking?

 [8] Yeah, the networks he builds and operates are far less sensible or maintainable. Is that even a word..?

 [9] I don't even have a sarcastic or witty footnote for this.

 [10] That's bad because those usually cost money to configure. Don't forget. Spending money is bad, mkay?

 [11] On the other hand - hey, at least they're not mining cryptocurrencies…

 [12] But your brain will not like the complexity.

 [13] No, not really. They didn't tell you because nobody thinks about the network until it's too late. Everybody just kinda expects it to be there and ready to serve every single of their needs. Just like that.