Now let's configure RDs on the PE router.
Router(config)#host PE
PE(config)#ip vrf blue
PE(config-vrf)#rd 1:1
PE(config-vrf)#ip vrf red
PE(config-vrf)#rd 2:2
PE(config-vrf)#ip vrf yellow
PE(config-vrf)#rd 3:3
The "rd" command takes the format ASN:nn or IP-address:nn. The VRF names and rd values are locally significant, which means that it doesn't matter what name you create. What really matters is the "route target" value, because this is what you will import or export. More about this in the next blog entry.
Now that we have created the VRFs, let's configure the interfaces and apply the VRFs to them.
PE(config)#int fa0/0.2
PE(config-subif)#encapsulation dot1q 2
PE(config-subif)#ip vrf forwarding blue
PE(config-subif)#ip address 1.1.1.1 255.255.255.252
PE(config-subif)#int fa0/0.3
PE(config-subif)#encapsulation dot1q 3
PE(config-subif)#ip vrf forwarding red
PE(config-subif)#ip address 1.1.1.1 255.255.255.252
PE(config-subif)#int fa0/0.4
PE(config-subif)#encapsulation dot1q 4
PE(config-subif)#ip vrf forwarding yellow
PE(config-subif)#ip address 1.1.1.1 255.255.255.252
Notice that all the interfaces above have the same IP address, 1.1.1.1. Normally, without VRF, the router will give a warning message that overlapping IP addresses are not allowed. The command "ip vrf forwarding
Let's configure the other routers Blue, Red and Yellow with 1.1.1.2/30 on their FastEthernet0/0 interfaces. Let's ping 1.1.1.1 from the routers.
Blue#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/35/80 ms
Red#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/48/156 ms
Yellow#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/60/136 ms
It's good! We have IP reachability to PE from the CE routers. Now, from the PE's point of view, how will PE know which one to ping if we use 1.1.1.2, since the Blue, Red and Yellow routers all use the same IP? This can be accomplished using the "ping vrf
PE#ping vrf blue 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/68 ms
PE#ping vrf red 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/88 ms
PE#ping vrf yellow 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/31/68 ms
Now we have proven that duplicate IP addresses are possible using VRF. Be reminded that VRFs are usually, and by standard, configured on PE routers. CE routers normally don't make use of VRFs, but there are always exceptions. The next entries will focus on importing Route Targets and using IGPs and BGP on an MPLS VPN setup. Cheers.
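An added example, not part of the original post: a Python check that reads interface stanzas like the PE configuration above, groups them by VRF, and reports subnets that overlap inside one routing table as well as interfaces left in the global table. The sample config is constructed from the post's commands; FastEthernet0/0.5 and its 10.0.5.1 address are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the post's PE sub-interfaces plus a hypothetical fa0/0.5 with no VRF.
SAMPLE_CONFIG = """\
interface FastEthernet0/0.2
 encapsulation dot1q 2
 ip vrf forwarding blue
 ip address 1.1.1.1 255.255.255.252
interface FastEthernet0/0.3
 encapsulation dot1q 3
 ip vrf forwarding red
 ip address 1.1.1.1 255.255.255.252
interface FastEthernet0/0.4
 encapsulation dot1q 4
 ip vrf forwarding yellow
 ip address 1.1.1.1 255.255.255.252
interface FastEthernet0/0.5
 ip address 10.0.5.1 255.255.255.0
"""

GLOBAL = "<global>"  # label for interfaces with no "ip vrf forwarding" line

def parse_interfaces(config):
    """Return {vrf: [(interface, IPv4Interface), ...]} from running-config text."""
    tables, name, vrf = defaultdict(list), None, GLOBAL
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            name, vrf = words[1], GLOBAL
        elif words[:3] == ["ip", "vrf", "forwarding"] and len(words) == 4:
            vrf = words[3]
        elif words[:2] == ["ip", "address"] and len(words) >= 4 and name:
            tables[vrf].append((name, ipaddress.ip_interface(f"{words[2]}/{words[3]}")))
    return dict(tables)

def audit(config):
    """Report subnets that overlap inside one table, and interfaces left in the global table."""
    tables = parse_interfaces(config)
    overlaps = []
    for vrf, entries in tables.items():
        for i, (if_a, ip_a) in enumerate(entries):
            for if_b, ip_b in entries[i + 1:]:
                if ip_a.network.overlaps(ip_b.network):
                    overlaps.append((vrf, if_a, if_b))
    unbound = [name for name, _ in tables.get(GLOBAL, [])]
    return overlaps, unbound

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The three 1.1.1.1/30 sub-interfaces produce no overlap because each sits in its own VRF table; the only finding is the sub-interface that was never bound to a VRF.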
Excellent
Do you intend to do a lab detailing how to utilise a management vrf and import loopbacks from each ce router
I'll be working on that but first, I need to do an MPLS VPN lab which will include that.
Simple & Clear
nice PETE!!! keep it up...
Brother, small doubt. Here you used only one physical interface on PE. How could you connect three different routers from PE using a single physical interface?
It's really impossible to connect 3 devices to a single physical interface in the PE without a switch. The diagram did not show the switch but it's understood that there should be a switch to make that happen.
"CE routers normally don't make use of VRF's but there are always exceptions"
Yes : multitopologies CE routers :) Or the usage of VRF-lite as a "kinda" virtualisation stuff
very good explanation. thank you.
Cheers
Stephan
Everyone pls memorize it!!
Alok Vijayvargiya
Definitely agreed with Pete, impossible to connect this without a switch. Even with a switch, I tried to connect it using the switch as an access port and it does not work, changes to dot1q neither. What module have you used, mate, to have these results with GNS3?
hi,
an excellent explanation. I am new to MP-BGP, VRF, BGP and unable to relate these technologies. Can you also post something that explains the inter-relation between all these technologies? Also, I configured basic VRF route target topology connectivity without BGP. Can you please also post the BGP configuration for that topology in order to help me in grasping VRF with BGP and then MP-BGP?
I have a device with 2 interfaces. This device uses 1 ip address. If this device sends packets out nic #1, then using VRF, i need it to go to provider 1. If it sends packets out nic #2, it needs to go to provider #2.
Today, if i send packets out Nic #2, it is routed via standard bgp to provider #1, and I am trying to prevent that. So I am hoping to use a VRF on a per interface basis on the router to force it to provider #2 if it comes in from NIC #2 on the device.
The device I have is a linux box. It sits between two edge routers. The linux box is a host but can send packets out either nic and depending on which nic it uses, must go out a different wan provider.
(this is very generic but i hope this makes sense)
Hi Guys, to make this work you do require a switch between the PE and the CE Routers. You must set the Switch port mode for the PE Router-to-Switch to dot1q (i.e. trunk) and the Switch port mode for each CE Router-to-Switch to access with the respective vlan (i.e. blue=2, red=3, yellow=4).
Hope that helps!
Within GNS3, I got this working using a NM-16ESW inside a c2691 for the switch.
Cheers,
AJ
10x for good post
you made my day. thanks a lot
Good explanation. Thank you.
Could you provide some info/examples on how you could use VRFs to segment an internal corporate network? What would be the advantages of doing this or not?
very Good
Doesn't it required to configure BLUE, RED and YELLOW routers as follows;
Router(config)#host BLUE
BLUE(config)#ip vrf blue
BLUE(config-vrf)#rd 1:1
PE(config)#int fa0/0.1
PE(config-subif)#encapsulation dot1q 2
PE(config-subif)#ip vrf forwarding blue
PE(config-subif)#ip address 1.1.1.2 255.255.255.252
So you could ping as below;
BLUE#ping vrf blue 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/48/76 ms
for dummies:
what is rd?
Thanx for the nice post :) it's pretty cool.
But I have question, To configure this on a router it's quite sensible. I have seen these vrf's being configured in ATCA clusters(which IMHO are just like another linux box) what could be uses of vrf in case of ATCA? Can these kinda systems used by PE ?
eager to know this.
Thanks... I understood VRF
"Doesn't it required to configure BLUE, RED and YELLOW routers as follows;
Router(config)#host BLUE
BLUE(config)#ip vrf blue
BLUE(config-vrf)#rd 1:1
PE(config)#int fa0/0.1
PE(config-subif)#encapsulation dot1q 2
PE(config-subif)#ip vrf forwarding blue
PE(config-subif)#ip address 1.1.1.2 255.255.255.252
So you could ping as below;
BLUE#ping vrf blue 1.1.1.1"
No, these routers represent the customer edge routers and do not need to know about the VRF. (Similar to how access devices don't know, or care, which VLAN they are connected to. Sorry may not be the greatest analogy but it is the best I could come up with)
Hi:
I have a router connected to a switch. The switch has 3 different VLANs. I am trying to configure VRF on the router, so that hosts in one subnet can't ping/see hosts in other subnets. Once I configure vrf on an interface, I am able to ping the host in the vlan with vrf from the router using "ping vrf . But I am not able to reach this host from outside or vice versa
Any clues ...
Router config :
interface GigabitEthernet0/0.64
encapsulation dot1Q 64
ip vrf forwarding VRF-64
ip address 172.16.1.65 255.255.255.224
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
Switch Config:
interface Vlan64
no ip address
no ip route-cache
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan172
ip address 172.16.1.34 255.255.255.224
no ip route-cache
Thank you for the post, but I am unable to understand the significance of rd (Route distribution). What does this config mean? rd 1:1 or rd 2:2? Though this is local to the router, what does it mean and why should we configure this?
VRFs, IGPs not VRF's and IGP's. :)
nice explanation....thanks Mate
Cheers,
Kunal
Jesus !!
"Virtual routing forwarding" ??!
Admittedly, I have been away from networking for 10 years. Came back and got surprised and scared with this new/novel/groundbreaking technology.
It is just expanding addressing space in the PDU to create a new level of network under IP. Networking would be sooooo easy if we had a global organisation that would filter out fancy, frivolous terms.
Let me repeat. Additional address space is created and used for this new technology.
@Jesus...
Frivolous terms are what help keep Cisco in business. Without them, companies who purchase their products wouldn't need to hire a CCIE to decipher the terminology. ;)
Cisco FTW!!
VRF = VPN routing and forwarding
Thanks fella.... spot on and works a treat in GNS :-)
Hi Pete,
Nice explanation of VRFs to dummies, keep it up.
Thanks.
Really very useful...
Thanks for this tutorial , very concise and clear - does anyone have the link for the next tutorial (MPLS VPN) please?
Thanks
I just farted, but my wife didn't smell it because she's in a different VRF.
What happened to the author?
Thanks for the explanation
cheers
SIMPLE AND EXCELLENT
excellent.... where can i find more about MPLS VPN thanks
Hi all,
Can anyone answer this question: in this example, the red, blue and yellow routers respectively have to be set for dot1q encapsulations as follows, right?
Blue - 2, Red - 3, Yellow - 4
I really had no concept of vrf's until I read this. Great job!
To further prove the theory, I suggest you telnet to each CE from the PE.
Dear Pete,
Very nice and comprehensive explanation about VRF with Step by Step approach.
Hats Off !!!
Nice and simple explanation!!... Really help me being a newbie!!... Thanks...:))
One Question : Why is the response time even in LAB scenario its high ?
Explanation was very clear.. Thank you..
Thats perfect. What I want to know is if I can run multiple instances of VRF on a single router interface or do i have to use multiple router interfaces.
Just while writing this, I figured out the fix, Used sub-interfaces. perfect.
Hi All,
On CE Routers, why they used 3 same IP's for 3 routers?
beginner on vrf, please answer...
nice , i also use this.. hence i have a little problem,, myLG070 cant connect to the internet..
if i connect myLG070 on ordinary router such as dlink or linksys.. everything are fine.
can you solve this
your help highly appreciated
Well done!! Bravo and great explanation on VRFs and the config example too!
basic cleared after reading this... Thanks a lot buddy.
Very good...neatly explained...
Thanks for the helpful explanation !!!
Thanks for the helpful and neat explanation!!!
anyone who uses GNS3 on this LAB ?
- i followed exactly the same for the PE , BLUE, RED & YELLOW router
- for the switch, I used C3640 on GNS3, then I configured trunk mode on the interface facing the PE router and access on the interface facing the routers BLUE, RED and YELLOW
i am eager to get this working :)
Don't forget to configure the VLANs on the switches to make this work. For the 3640, you should use vlan database to configure the VLANs. The ports going to the Blue, Red and Yellow routers should be VLANs 2,3 and 4 respectively.