VRF Basics

When we hear about VRF, it's almost synonymous with MPLS VPN. Virtual Routing and Forwarding is commonly used by Service Providers to provide services to multiple customers within an MPLS cloud. Its most interesting feature is that VRF allows the creation of multiple routing tables within a single router. This means that different customers can use overlapping IP addresses. Some enterprises use VRF to segregate their services by VOIP, wireless, geographical location and other categories. Through the network setup below, we will see how to configure VRF and check if duplicate IP addresses are really possible. We have 3 customers in the figure connected to a Provider Edge router. We will name the VRF's Blue, Red and Yellow.


Now let's configure RD's on the PE router.


Router(config)#host PE
PE(config)#ip vrf blue
PE(config-vrf)#rd 1:1
PE(config-vrf)#ip vrf red
PE(config-vrf)#rd 2:2
PE(config-vrf)#ip vrf yellow
PE(config-vrf)#rd 3:3

The "rd" (route distinguisher) command takes a value in the format ASN:nn or IP-address:nn. The VRF names and rd values are locally significant, which means that it doesn't matter what name you create. What really matters is the "route target" value, because this is what you will import or export. More about this in the next blog entry.

Now that we have created the VRF's, let's configure the interfaces and apply the VRF's to them.


PE(config)#int fa0/0.2
PE(config-subif)#encapsulation dot1q 2
PE(config-subif)#ip vrf forwarding blue
PE(config-subif)#ip address 1.1.1.1 255.255.255.252
PE(config-subif)#int fa0/0.3
PE(config-subif)#encapsulation dot1q 3
PE(config-subif)#ip vrf forwarding red
PE(config-subif)#ip address 1.1.1.1 255.255.255.252
PE(config-subif)#int fa0/0.4
PE(config-subif)#encapsulation dot1q 4
PE(config-subif)#ip vrf forwarding yellow
PE(config-subif)#ip address 1.1.1.1 255.255.255.252

If you notice above, all interfaces have the same IP address, 1.1.1.1. Normally, without VRF, the router will give a warning message that overlapping IP addresses are not allowed. The command "ip vrf forwarding <vrf-name>" assigns the VRF to a specific interface.
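The same rule can be checked offline against a saved configuration. The following is an added example, not part of the original post: it parses the interface section of an IOS-style config and reports subnets that overlap inside one routing table, plus interfaces left in the global table. The function names and the sub-interfaces fa0/0.5 and fa0/0.6 are constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: the article's three PE sub-interfaces, plus a hypothetical
# fa0/0.5 that reuses the subnet inside VRF blue and fa0/0.6 left with no VRF.
SAMPLE = """
interface FastEthernet0/0.2
 ip vrf forwarding blue
 ip address 1.1.1.1 255.255.255.252
interface FastEthernet0/0.3
 ip vrf forwarding red
 ip address 1.1.1.1 255.255.255.252
interface FastEthernet0/0.4
 ip vrf forwarding yellow
 ip address 1.1.1.1 255.255.255.252
interface FastEthernet0/0.5
 ip vrf forwarding blue
 ip address 1.1.1.2 255.255.255.252
interface FastEthernet0/0.6
 ip address 10.0.0.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return [(interface, vrf, IPv4Interface)]; vrf is 'global' when unset."""
    found, name, vrf = [], None, "global"
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            name, vrf = m.group(1), "global"   # new stanza starts in the global table
        elif m := re.match(r"\s+ip vrf forwarding (\S+)", line):
            vrf = m.group(1)                   # must precede "ip address" in the stanza
        elif name and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            found.append((name, vrf, addr))
    return found

def audit(config):
    """Find overlaps within one routing table and interfaces outside any VRF."""
    entries = parse_interfaces(config)
    overlaps = [(a[1], a[0], b[0]) for a, b in combinations(entries, 2)
                if a[1] == b[1] and a[2].network.overlaps(b[2].network)]
    in_global = [name for name, vrf, _ in entries if vrf == "global"]
    return overlaps, in_global

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The three 1.1.1.1 interfaces from the article pass because each sits in its own VRF; only the constructed fa0/0.5, which shares VRF blue with fa0/0.2, is reported as an overlap.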

Let's configure the other routers Blue, Red and Yellow with 1.1.1.2/30 on their FastEthernet0/0 interfaces. Let's ping 1.1.1.1 from the routers.


Blue#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/35/80 ms

Red#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/48/156 ms

Yellow#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/60/136 ms

It's good! We have IP reachability to the PE from the CE routers. Now, from the PE's point of view, how will the PE know which one to ping if we use 1.1.1.2, since the Blue, Red and Yellow routers all use the same IP? This can be accomplished using the "ping vrf <vrf-name>" command. See below.


PE#ping vrf blue 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/68 ms
PE#ping vrf red 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/88 ms
PE#ping vrf yellow 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/31/68 ms

Now we have proven that duplicate IP addresses are possible using VRF. Keep in mind that VRF's are usually, and by standard, configured on PE routers. CE routers normally don't make use of VRF's but there are always exceptions. Next entries will focus on importing Route Targets and using IGP's and BGP on an MPLS VPN setup. Cheers.

Comments

52 Responses to "VRF Basics"

Anonymous said... July 23, 2009 at 4:20 AM

Excellent

Do you intend to do a lab detailing how to utilise a management vrf and import loopbacks from each ce router

Pete said... July 23, 2009 at 8:54 AM

I'll be working on that but first, I need to do an MPLS VPN lab which will include that.

MS said... July 31, 2009 at 12:18 PM

Simple & Clear

Anonymous said... September 5, 2009 at 1:10 PM

nice PETE!!! keep it up...

Anonymous said... September 18, 2009 at 2:43 PM

Brother small doubt. Here you used only one physical interface on PE. How could you connect three different routers from PE using single physical interface?

Pete said... September 18, 2009 at 5:13 PM

It's really impossible to connect 3 devices to a single physical interface in the PE without a switch. The diagram did not show the switch but it's understood that there should be a switch to make that happen.

Anonymous said... November 16, 2009 at 6:31 AM

"CE routers normally don't make use of VRF's but there are always exceptions"

Yes : multitopologies CE routers :) Or the usage of VRF-lite as a "kinda" virtualisation stuff

Stephan said... March 10, 2010 at 5:27 AM

very good explanation. thank you.
Cheers
Stephan

Anonymous said... March 27, 2010 at 7:02 PM

Everyone pls memorized it!!

Alok Vijayvargiya

Anonymous said... April 16, 2010 at 3:27 PM

Definitely agreed with Pete, impossible to connect this without a switch. Even with a switch, I tried to connect it using the switch as an access port and it does not work, changing to dot1q neither. What module have you used, mate, to have these results with GNS3?

sohail said... April 26, 2010 at 3:13 PM

hi,
an excellent explanation. I am new to MP-BGP, VRF, BGP and unable to relate these technologies. Can you also post something that explains the inter-relation between all these technologies? Also, I configured basic VRF route target topology connectivity without BGP. Can you please also post BGP configuration for that topology in order to help me grabbing the VRF with BGP and then MP-BGP?

Anonymous said... May 8, 2010 at 6:12 AM

I have a device with 2 interfaces. This device uses 1 ip address. If this device sends packets out nic #1, then using VRF, i need it to go to provider 1. If it sends packets out nic #2, it needs to go to provider #2.

Today, if i send packets out Nic #2, it is routed via standard bgp to provider #1, and I am trying to prevent that. So I am hoping to use a VRF on a per interface basis on the router to force it to provider #2 if it comes in from NIC #2 on the device.

The device I have is a linux box. It sits between two edge routers. The linux box is a host but can send packets out either nic and depending on which nic it uses, must go out a different wan provider.

(this is very generic but i hope this makes sense)

Anonymous said... June 16, 2010 at 1:20 PM

Hi Guys, to make this work you do require a switch between the PE and the CE Routers. You must set the Switch port mode for the PE Router-to-Switch to dot1q (i.e. trunk) and the Switch port mode for each CE Router-to-Switch to access with the respective vlan (i.e. blue=2, red=3, yellow=4).
Hope that helps!
Within GNS3, I got this working using a NM-16ESW inside a c2691 for the switch.
Cheers,
AJ

cc said... July 30, 2010 at 5:20 PM

10x for good post

Anonymous said... November 2, 2010 at 11:35 PM

you made my day. thanks a lot

Anonymous said... November 15, 2010 at 11:39 PM

Good explanation. Thank you.

Could you provide some info/examples on how you could use VRFs to segment an internal corporate network? What would be the advantages of doing this or not?

Anonymous said... January 18, 2011 at 6:24 PM

very Good

Anonymous said... February 26, 2011 at 5:50 AM

Doesn't it required to configure BLUE, RED and YELLOW routers as follows;

Router(config)#host BLUE
BLUE(config)#ip vrf blue
BLUE(config-vrf)#rd 1:1

PE(config)#int fa0/0.1
PE(config-subif)#encapsulation dot1q 2
PE(config-subif)#ip vrf forwarding blue
PE(config-subif)#ip address 1.1.1.2 255.255.255.252

So you could ping as below;
BLUE#ping vrf blue 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/48/76 ms

Anonymous said... June 1, 2011 at 11:09 PM

for dummies:
what is rd?

Anonymous said... July 2, 2011 at 11:24 PM

Thanx for the nice post :) it's pretty cool.

But I have question, To configure this on a router it's quite sensible. I have seen these vrf's being configured in ATCA clusters(which IMHO are just like another linux box) what could be uses of vrf in case of ATCA? Can these kinda systems used by PE ?

eager to know this.

Anonymous said... August 16, 2011 at 9:19 PM

Thanks... I understood VRF

Anonymous said... August 17, 2011 at 11:29 PM

"Doesn't it required to configure BLUE, RED and YELLOW routers as follows;

Router(config)#host BLUE
BLUE(config)#ip vrf blue
BLUE(config-vrf)#rd 1:1

PE(config)#int fa0/0.1
PE(config-subif)#encapsulation dot1q 2
PE(config-subif)#ip vrf forwarding blue
PE(config-subif)#ip address 1.1.1.2 255.255.255.252

So you could ping as below;
BLUE#ping vrf blue 1.1.1.1"

No, these routers represent the customer edge routers and do not need to know about the VRF. (Similar to how access devices don't know, or care, which VLAN they are connected to. Sorry may not be the greatest analogy but it is the best I could come up with)

Anonymous said... August 18, 2011 at 5:18 AM

Hi:
I have a router connected to a switch. Switch has 3 different Vlans. I am trying to configure VRF on the router, so that hosts in one subnet can't ping/see hosts in other subnets. Once I configure vrf on an interface, I am able to ping the host in vlan with vrf from router using "ping vrf . But I am not able to reach this host from outside or vice versa

Any clues ...

Router config :
interface GigabitEthernet0/0.64
encapsulation dot1Q 64
ip vrf forwarding VRF-64
ip address 172.16.1.65 255.255.255.224
!

ip route 0.0.0.0 0.0.0.0 172.16.1.1



Switch Config:

interface Vlan64
no ip address
no ip route-cache

interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!

interface Vlan172
ip address 172.16.1.34 255.255.255.224
no ip route-cache

Anonymous said... September 6, 2011 at 3:43 PM

Thank u fr the post, but i am unable to understand the significance of rd(Route distribution). what does this config mean? rd 1:1 or rd 2:2? though this is local to the router what does it mean n why should v configure this?

Anonymous said... October 30, 2011 at 3:40 AM

VRFs, IGPs not VRF's and IGP's. :)

Anonymous said... December 7, 2011 at 8:46 AM

nice explanation....thanks Mate

Cheers,
Kunal

Anonymous said... January 8, 2012 at 10:58 PM

Jesus !!
"Virtual routing forwarding" ??!
Admittedly, I have been away from networking for 10 years. Came back and got surprised and scared with this new/novel/groundbreaking technology.
It is just expanding addressing space in the PDU to create a new level of network under IP. Networking would be sooooo easy if we had a global organisation that would filter out fancy, frivolous terms.
Let me repeat. Additional address space is created and used for this new technology.

Anonymous said... February 10, 2012 at 11:53 PM

@Jesus...

Frivolous terms is what helps keep Cisco in business. Without them, companies who purchase their products wouldn't need to hire a CCIE to decipher the terminology. ;)

Cisco FTW!!

Anonymous said... February 10, 2012 at 11:55 PM

VRF = VPN routing and forwarding

ModBoy said... February 15, 2012 at 8:08 PM

Thanks fella.... spot on and works a treat in GNS :-)

Anonymous said... March 28, 2012 at 1:52 PM

Hi Pete,

Nice explanation of VRFs to dummies, keep it up.

Thanks.

Anonymous said... May 3, 2012 at 8:46 PM

Really very useful...

Anonymous said... May 8, 2012 at 4:30 PM

Thanks for this tutorial , very concise and clear - does anyone have the link for the next tutorial (MPLS VPN) please?
Thanks

Anonymous said... June 29, 2012 at 12:57 PM

I just farted, but my wife didn't smell it because she's in a different VRF.

Anonymous said... July 9, 2012 at 5:18 AM

What happened to the author?

Thanks for the explanation

cheers

satyajit nath .. said... August 27, 2012 at 2:40 PM

SIMPLE AND EXCELLENT

Anonymous said... October 18, 2012 at 7:09 AM

excellent.... where can i find more about MPLS VPN thanks

Dhanushka Gayan said... January 13, 2013 at 4:53 PM

Hi all,

Can any one answer this question, in this example,The red, blue, yellow routers respectively has to be set for dot1q encapsulations as follows, rit,
Blue - 2, Red - 3, Yellow - 4

Anonymous said... January 23, 2013 at 9:42 PM

I really had no concept of vrf's until I read this. Great job!

Anonymous said... February 5, 2013 at 5:14 PM

To further prove the theory, I suggest you telnet to each CE from the PE.

Anonymous said... March 20, 2013 at 3:10 PM

Dear Pete,
Very nice and comprehensive explanation about VRF with Step by Step approach.
Hats Off !!!

Adnan Shahid said... April 24, 2013 at 3:24 AM

Nice and simple explanation!!... Really help me being a newbie!!... Thanks...:))

Anonymous said... May 10, 2013 at 10:34 PM

One Question : Why is the response time even in LAB scenario its high ?

Anonymous said... May 16, 2013 at 9:21 PM

Explanation was very clear.. Thank you..

xyz said... July 31, 2013 at 11:28 AM

That's perfect. What I want to know is if I can run multiple instances of VRF on a single router interface or do I have to use multiple router interfaces.

Just while writing this, I figured out the fix, Used sub-interfaces. perfect.

Jorell Jesus Gaufo said... August 12, 2013 at 2:06 PM

Hi All,

On CE Routers, why they used 3 same IP's for 3 routers?

beginner on vrf, please answer...

Anonymous said... August 19, 2013 at 5:28 PM

nice , i also use this.. hence i have a little problem,, myLG070 cant connect to the internet..

if i connect myLG070 on ordinary router such as dlink or linksys.. everything are fine.

can you solve this

your help highly appreciated

Shawn Thomas said... August 26, 2013 at 8:32 AM

Well done!! Bravo and great explanation on VRFs and the config example too!

Yatin Sadhwani said... September 6, 2013 at 12:32 PM

basic cleared after reading this... Thanks a lot buddy.

Anonymous said... October 26, 2013 at 11:31 PM

Very good...neatly explained...

The Dreamer

A fun loving person who enjoys learning new things. Currently working as a Network Engineer supporting the global network of a Fortune 500 company. This blog serves as my notes for the labs I created for my CCIE journey. I can guarantee there are errors in my posts. If you spot them, please let me know.
