VRF [Virtual Routing & Forwarding]
Virtual Private Networks (VPNs) provide a secure way for customers to share bandwidth over an ISP backbone network. A VPN is a collection of sites sharing a common routing table. A customer site is connected to the service provider network by one or more interfaces, and the service provider associates each interface with a VPN routing table. A VPN routing table is called a VPN routing/forwarding (VRF) table.
About VRF-lite
VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but a Layer 3 interface cannot belong to more than one VRF at any time.
Terminology
· ivrf: Inside VRF, the VRF that contains the clear-text traffic (before encryption for outbound flows and after decryption for inbound flows)
· fvrf: Front-door VRF (or outside VRF), the VRF that contains the encrypted traffic
· global VRF: the routing instance that is used when no specific VRF is defined. If no VRF-aware configuration is used, everything is done in the global VRF and all interfaces belong to the global VRF
Configuration Example:
Task-1: Configure VRF CUST-A on R1, R2, R3 & R4 and VRF CUST-B with dedicated links between R2 & R3, and run EIGRP 100 and 200 respectively.
Task-2: Configure an IPsec site-to-site VPN between R2 and R3 for encrypting traffic between the R1 LAN (10.1.1.0/24) and the R4 LAN (10.2.2.0/24).
Initial Configuration:
R1:
interface FastEthernet0/0
ip address 192.1.10.1 255.255.255.0
duplex auto
speed auto
end
interface Loopback0
ip address 10.1.1.1 255.255.255.0
end
R2:
ip vrf CUST-A
ip vrf CUST-B
interface FastEthernet0/0
ip vrf forwarding CUST-A
ip address 192.1.10.2 255.255.255.0
duplex auto
speed auto
end
interface FastEthernet0/1
ip vrf forwarding CUST-A
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
end
interface FastEthernet1/0
ip vrf forwarding CUST-B
ip address 172.16.2.2 255.255.255.0
duplex auto
speed auto
end
interface FastEthernet2/0
ip vrf forwarding CUST-B
ip address 192.1.10.2 255.255.255.0
duplex auto
speed auto
end
R3:
ip vrf CUST-A
ip vrf CUST-B
interface FastEthernet0/0
ip vrf forwarding CUST-A
ip address 192.1.20.3 255.255.255.0
duplex auto
speed auto
end
interface FastEthernet0/1
ip vrf forwarding CUST-A
ip address 172.16.1.3 255.255.255.0
duplex auto
speed auto
end
interface FastEthernet1/0
ip vrf forwarding CUST-B
ip address 172.16.2.3 255.255.255.0
duplex auto
speed auto
end
interface FastEthernet2/0
ip vrf forwarding CUST-B
ip address 192.1.20.3 255.255.255.0
duplex auto
speed auto
end
R4:
interface FastEthernet0/0
ip address 192.1.20.4 255.255.255.0
duplex auto
speed auto
end
interface Loopback0
ip address 10.2.2.2 255.255.255.0
end
R5:
interface FastEthernet0/0
ip address 192.1.10.5 255.255.255.0
duplex auto
speed auto
end
interface Loopback0
ip address 10.1.1.5 255.255.255.0
end
R6:
interface FastEthernet0/0
ip address 192.1.20.6 255.255.255.0
duplex auto
speed auto
end
interface Loopback0
ip address 10.2.2.6 255.255.255.0
end
Solution:
R1:
router eigrp 100
network 10.0.0.0
network 192.1.10.0
no auto-summary
R2:
router eigrp 1
auto-summary
!
address-family ipv4 vrf CUST-B
network 172.16.0.0
network 192.1.10.0
no auto-summary
autonomous-system 200
exit-address-family
!
address-family ipv4 vrf CUST-A
network 172.16.0.0
network 192.1.10.0
no auto-summary
autonomous-system 100
exit-address-family
R3:
router eigrp 1
auto-summary
!
address-family ipv4 vrf CUST-B
network 172.16.2.0 0.0.0.255
network 192.1.20.0
no auto-summary
autonomous-system 200
exit-address-family
!
address-family ipv4 vrf CUST-A
network 172.16.1.0 0.0.0.255
network 192.1.20.0
no auto-summary
autonomous-system 100
exit-address-family
R4:
router eigrp 100
network 10.0.0.0
network 192.1.20.0
no auto-summary
R5:
router eigrp 200
network 10.0.0.0
network 192.1.10.0
no auto-summary
R6:
router eigrp 200
network 10.0.0.0
network 192.1.20.0
no auto-summary
Verification:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.1.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/307200] via 192.1.10.2, 00:14:38, FastEthernet0/0
D 192.1.20.0/24 [90/332800] via 192.1.10.2, 00:14:38, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
D 10.2.2.0 [90/460800] via 192.1.10.2, 00:14:38, FastEthernet0/0
C 10.1.1.0 is directly connected, Loopback0
R1#
R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
D 192.1.10.0/24 [90/332800] via 192.1.20.3, 00:13:58, FastEthernet0/0
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/307200] via 192.1.20.3, 00:13:58, FastEthernet0/0
C 192.1.20.0/24 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.2.2.0 is directly connected, Loopback0
D 10.1.1.0 [90/460800] via 192.1.20.3, 00:13:57, FastEthernet0/0
R4#
R2#show ip route vrf CUST-A
Routing Table: CUST-A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.1.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, FastEthernet0/1
D 192.1.20.0/24 [90/307200] via 172.16.1.3, 00:15:27, FastEthernet0/1
10.0.0.0/24 is subnetted, 2 subnets
D 10.2.2.0 [90/435200] via 172.16.1.3, 00:15:27, FastEthernet0/1
D 10.1.1.0 [90/409600] via 192.1.10.1, 00:15:26, FastEthernet0/0
R2#
R2#show ip route vrf CUST-B
Routing Table: CUST-B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.1.10.0/24 is directly connected, FastEthernet2/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.2.0 is directly connected, FastEthernet1/0
D 192.1.20.0/24 [90/30720] via 172.16.2.3, 00:15:41, FastEthernet1/0
10.0.0.0/24 is subnetted, 2 subnets
D 10.2.2.0 [90/158720] via 172.16.2.3, 00:15:41, FastEthernet1/0
D 10.1.1.0 [90/156160] via 192.1.10.5, 00:15:40, FastEthernet2/0
R2#
R1#ping 10.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/37/52 ms
R1#
R1#traceroute 10.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.2.2.2
1 192.1.10.2 60 msec 44 msec 76 msec
2 172.16.1.3 108 msec 104 msec 108 msec
3 192.1.20.4 108 msec 136 msec *
R1#
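As an added example (not part of the original post), the following Python parses the two "show ip route vrf" tables from R2 above, trimmed and embedded as a constructed sample, and performs a longest-prefix lookup keyed by VRF name, which is why the overlapping 192.1.10.0/24 and 10.1.1.0/24 prefixes resolve to different next hops in CUST-A and CUST-B. The parser also handles the "is subnetted" header lines that carry the mask for the routes listed beneath them; the Route type and function names are this example's own assumptions.

```python
import ipaddress
import re
from typing import NamedTuple, Optional
class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]  # None for a directly connected route
    interface: str
# Constructed sample, trimmed from the page's "show ip route vrf" outputs on R2:
# 192.1.10.0/24 and 10.1.1.0/24 exist in both VRFs with different exits.
R2_SHOW_IP_ROUTE_VRF = {
    "CUST-A": """\
C    192.1.10.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.2.2.0 [90/435200] via 172.16.1.3, 00:15:27, FastEthernet0/1
D       10.1.1.0 [90/409600] via 192.1.10.1, 00:15:26, FastEthernet0/0
""",
    "CUST-B": """\
C    192.1.10.0/24 is directly connected, FastEthernet2/0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.2.2.0 [90/158720] via 172.16.2.3, 00:15:41, FastEthernet1/0
D       10.1.1.0 [90/156160] via 192.1.10.5, 00:15:40, FastEthernet2/0
""",
}
# "x.x.x.x/NN is subnetted" headers carry the mask that the routes under them omit.
SUBNETTED = re.compile(r"^\s*\S+/(\d+) is subnetted")
ROUTE = re.compile(
    r"^\s*[A-Z]{1,2}\*?\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+"
    r"(?:\[\d+/\d+\] via (\S+), \S+, (\S+)|is directly connected, (\S+))"
)

def parse_vrf_table(text: str) -> list:
    """Parse one VRF's 'show ip route' body into Route entries."""
    routes, current_len = [], None
    for line in text.splitlines():
        if m := SUBNETTED.match(line):
            current_len = int(m.group(1))
        elif m := ROUTE.match(line):
            addr, plen, via, via_if, conn_if = m.groups()
            net = ipaddress.IPv4Network(f"{addr}/{plen or current_len}")
            routes.append(Route(net, via, via_if or conn_if))
    return routes

def lookup(tables: dict, vrf: str, dst: str) -> Route:
    """Longest-prefix match inside one VRF only: the VRF name is part of the key."""
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in tables[vrf] if ip in r.prefix]  # KeyError for an unknown VRF
    if not matches:
        raise LookupError(f"no route to {dst} in VRF {vrf}")
    return max(matches, key=lambda r: r.prefix.prefixlen)

TABLES = {vrf: parse_vrf_table(txt) for vrf, txt in R2_SHOW_IP_ROUTE_VRF.items()}
```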
Task-2: Configure an IPsec site-to-site VPN between R2 and R3 for encrypting traffic between the R1 LAN (10.1.1.0/24) and the R4 LAN (10.2.2.0/24).
Solution:
R2:
Step-1 [A]: Configure ISAKMP Policy:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
Step-1 [B]: Configure Keyring:
crypto keyring KR-1 vrf CUST-A
pre-shared-key address 172.16.1.3 key cisco123
Step-1[C]: Configure ISAKMP Profile:
crypto isakmp profile PROF-1
vrf CUST-A
keyring KR-1
match identity address 172.16.1.3 255.255.255.255 CUST-A
Step-2: Configure IPSEC Transform Set:
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
Step-3: Configure Interested Traffic ACL:
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
Step-4: Configure Crypto map:
crypto map CMAP isakmp-profile PROF-1
crypto map CMAP 1 ipsec-isakmp
set peer 172.16.1.3
set transform-set TSET
match address 101
Step-5: Apply Crypto Map to interface:
interface FastEthernet0/1
crypto map CMAP
end
R3:
Step-1 [A]: Configure ISAKMP Policy:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
Step-1 [B]: Configure Keyring:
crypto keyring KR-1 vrf CUST-A
pre-shared-key address 172.16.1.2 key cisco123
Step-1[C]: Configure ISAKMP Profile:
crypto isakmp profile PROF-1
vrf CUST-A
keyring KR-1
match identity address 172.16.1.2 255.255.255.255 CUST-A
Step-2: Configure IPSEC Transform Set:
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
Step-3: Configure Interested Traffic ACL:
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Step-4: Configure Crypto map:
crypto map CMAP isakmp-profile PROF-1
crypto map CMAP 1 ipsec-isakmp
set peer 172.16.1.2
set transform-set TSET
match address 101
Step-5: Apply Crypto Map to interface:
interface FastEthernet0/1
crypto map CMAP
end
Verification:
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.1.3 172.16.1.2 QM_IDLE 1001 0 ACTIVE
R2#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: CMAP, local addr 172.16.1.2
protected vrf: CUST-A
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
current_peer 172.16.1.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.1.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x82DD20EA(2195529962)
inbound esp sas:
spi: 0xDE0EBA70(3725507184)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4590314/2663)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x82DD20EA(2195529962)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4590314/2663)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
R1#ping 10.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/137/144 ms
R4#ping 10.1.1.1 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/47/60 ms
R4#
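As an added example (not part of the original post), this Python audits the "show crypto ipsec sa" output from R2 above, trimmed and embedded as a constructed sample, against the policy Task-2 intended: protected VRF, peer and proxy identities, non-zero encaps/decaps counters, an ACTIVE SA in each direction, and the esp-3des/esp-md5-hmac transform set flagged as legacy. The EXPECTED and LEGACY tables and the function names are this example's own assumptions.

```python
import re
# Constructed sample, trimmed from the page's "show crypto ipsec sa" output on R2.
R2_SHOW_CRYPTO_IPSEC_SA = """\
   protected vrf: CUST-A
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 172.16.1.3 port 500
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
     inbound esp sas:
      spi: 0xDE0EBA70(3725507184)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x82DD20EA(2195529962)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""
# Intended policy, taken from Task-2 and the R2 crypto configuration on the page.
EXPECTED = {"vrf": "CUST-A", "peer": "172.16.1.3",
            "local": "10.1.1.0/255.255.255.0", "remote": "10.2.2.0/255.255.255.0"}
FIELDS = {"vrf": r"protected vrf:\s*(\S+)", "peer": r"current_peer\s+(\S+)",
          "local": r"local\s+ident.*?\((\S+?)/0/0\)", "remote": r"remote\s+ident.*?\((\S+?)/0/0\)"}
# DES/3DES and MD5 are legacy algorithms; IOS also offers AES and SHA-2 transforms.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
SA_BLOCK = re.compile(r"(inbound|outbound) esp sas:\s*spi: (\S+)\s*transform: ([^,]+),.*?Status: (\S+)", re.S)

def field(pat: str, text: str):
    m = re.search(pat, text)
    return m.group(1) if m else None

def audit_ipsec_sa(text: str, expected: dict) -> list:
    """Return findings where the live SA deviates from the intended policy (empty = clean)."""
    findings = []
    for key, pat in FIELDS.items():  # protected VRF, peer and proxy identities
        if field(pat, text) != expected[key]:
            findings.append(f"{key}: expected {expected[key]}, saw {field(pat, text)}")
    for counter in ("encaps", "decaps"):  # is traffic actually traversing the SA?
        if int(field(rf"#pkts {counter}:\s*(\d+)", text) or 0) == 0:
            findings.append(f"no packets {counter}: tunnel idle or traffic bypassing it")
    seen = set()
    for direction, spi, transform, status in SA_BLOCK.findall(text):
        seen.add(direction)
        if status != "ACTIVE":
            findings.append(f"{direction} SA {spi} is {status}")
        if legacy := LEGACY & set(transform.split()):
            findings.append(f"{direction} SA {spi} uses legacy transform: {' '.join(sorted(legacy))}")
    findings += [f"no {d} ESP SA present" for d in ("inbound", "outbound") if d not in seen]
    return findings
```

On the page's own output the only findings are the two legacy-transform notes; a mismatched VRF, a zero counter or a missing direction each add a further finding.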