ccie blog

Inter-VRF routing using VRF-lite

Today I looked at Inter-VRF routing using VRF-lite. If you aren’t sure what a VRF is, or how it works, check out my previous post about VRF-lite.

In this lab I’m going to create three VRFs, one for each site. London is going to be the HQ for each of the branches. The requirement is that London must be able to talk to each of the other branches using OSPF. However, the branches should not be able to talk to each other. So in effect we have a hub and spoke design, with London as the hub, and the other two sites as spokes.

Topology Notes

  • Red = Logical connections in terms of VRF connectivity
  • Black = Physical connections


Each site just advertises everything into OSPF and connects to the PE switch. The configs for each branch router are provided below.

London#
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.252
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

Newcastle#
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.0.0.6 255.255.255.252
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

Manchester#
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.0.10 255.255.255.252
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

Now let’s look at the good stuff on PE1. I started off by configuring each of the VRFs and setting a route distinguisher. I then leaked routes between VRFs as shown below.

ip vrf london
 rd 65001:1
 route-target export 65001:1
 route-target import 65001:3
 route-target import 65001:2
!
ip vrf manchester
 rd 65001:3
 route-target export 65001:3
 route-target import 65001:1
!
ip vrf newcastle
 rd 65001:2
 route-target export 65001:2
 route-target import 65001:1

Route Distinguishers & Targets

I wanted to start by talking about the Route Distinguisher (RD) and the route-target. The RD is a value we use purely for identifying a particular VRF. So if we look at London, I’ve created a VRF with an RD of 65001:1. The RD is a way to keep routes globally unique (i.e. if the subnets from London were also used at Manchester, the router would still be able to distinguish whether the traffic was destined for Manchester or London because of the RD).

The route-target is a way of leaking routes between VRFs. On the London VRF I have exported a route-target with the value of 65001:1. If I want London routes to then be leaked into another VRF, all I have to do is import this route-target on that VRF, like I did on Manchester and Newcastle.

There are two ways to name your RD:

rd [ASN]:[Number]
rd [IP Address]:[Number]

Either way, it doesn’t matter, just keep them unique per VRF. I usually just use a number from the private BGP ASN range (64512-65535) followed by a number that I make up.

The syntax for writing a route-target uses the same format as the RD syntax. Note that the route-target does not have to have the same value as the RD.

Next, we need to apply the VRFs to the relevant interfaces.
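
The import/export relationships above decide which sites can see each other, so they are worth checking mechanically. The following Python is an added example, not part of the original lab: it parses the ip vrf blocks from PE1 and reports any route leak between two spokes. The function names are made up for illustration.

```python
import re
# PE1's VRF definitions, copied from the config shown in this post.
PE1_CONFIG = """\
ip vrf london
 rd 65001:1
 route-target export 65001:1
 route-target import 65001:3
 route-target import 65001:2
!
ip vrf manchester
 rd 65001:3
 route-target export 65001:3
 route-target import 65001:1
!
ip vrf newcastle
 rd 65001:2
 route-target export 65001:2
 route-target import 65001:1
"""

def parse_vrfs(config):
    """Return {vrf: {"import": set, "export": set}} from 'ip vrf' blocks."""
    vrfs, current = {}, None
    for line in config.splitlines():
        vrf = re.match(r"ip vrf (\S+)", line)
        rt = re.match(r"\s+route-target (import|export|both) (\S+)", line)
        if vrf:
            current = vrfs.setdefault(vrf.group(1), {"import": set(), "export": set()})
        elif rt and current is not None:
            for kind in ("import", "export"):
                if rt.group(1) in (kind, "both"):
                    current[kind].add(rt.group(2))
        elif not line.startswith(" "):
            current = None  # any unindented line ends the VRF block
    return vrfs

def leak_matrix(vrfs):
    """Map each VRF to the other VRFs whose exported routes it imports."""
    return {dst: {src for src, s in vrfs.items()
                  if src != dst and s["export"] & d["import"]}
            for dst, d in vrfs.items()}

def spoke_leaks(vrfs, hub):
    """(importer, exporter) pairs not involving the hub; any entry breaks isolation."""
    return {(dst, src) for dst, srcs in leak_matrix(vrfs).items()
            for src in srcs if hub not in (dst, src)}

if __name__ == "__main__":
    print(spoke_leaks(parse_vrfs(PE1_CONFIG), hub="london") or "no spoke-to-spoke leaks")
```

This only checks route-target leaking on a single PE; it says nothing about static routes, default routes or traffic hairpinned through the hub site.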

interface Loopback100
 ip address 7.7.7.7 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding london
 ip address 10.0.0.1 255.255.255.252
!
interface FastEthernet0/1
 ip vrf forwarding newcastle
 ip address 10.0.0.5 255.255.255.252
!
interface FastEthernet1/0
 no switchport
 ip vrf forwarding manchester
 ip address 10.0.0.9 255.255.255.252

The loopback was created because I’m going to enable BGP in just a moment and I’m going to use it for the router-id.

Because the sites want to talk to each other using OSPF, the next step is to enable OSPF on our PE1 interfaces and redistribute OSPF into BGP.

router ospf 1 vrf london
 network 10.0.0.1 0.0.0.0 area 0
!
router ospf 2 vrf newcastle
 network 10.0.0.5 0.0.0.0 area 0
!
router ospf 3 vrf manchester 
 network 10.0.0.9 0.0.0.0 area 0
!
router bgp 1
 no synchronization
 no auto-summary
 !
 address-family ipv4 vrf newcastle
  redistribute connected
  redistribute ospf 2 vrf newcastle match internal
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf manchester
  redistribute connected
  redistribute ospf 3 vrf manchester match internal
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf london
  redistribute connected
  redistribute ospf 1 vrf london match internal
  no synchronization
 exit-address-family

Note the command: #redistribute ospf 1 vrf london match internal. The command I actually typed was: #redistribute ospf 1 vrf london. The “match internal” was added by default. You may need to include the other parameters if you have external OSPF routes at some of your sites (maybe you are redistributing EIGRP somewhere in your internal network).

The final stage is to just redistribute BGP into each of the OSPF instances.

router ospf 1 vrf london
 redistribute bgp 1 subnets
!
router ospf 2 vrf newcastle
 redistribute bgp 1 subnets
!
router ospf 3 vrf manchester
 redistribute bgp 1 subnets

Now let’s see how we’re doing on the old redistribution. I expect London to now learn routes from all three VRFs. So let’s have a look at London’s routing table:

LondonCE#sh ip route
Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 3 subnets
O E2    10.0.0.8 [110/1] via 10.0.0.1, 02:27:10, FastEthernet0/0
C       10.0.0.0 is directly connected, FastEthernet0/0
O E2    10.0.0.4 [110/1] via 10.0.0.1, 02:27:10, FastEthernet0/0
C    192.168.0.0/24 is directly connected, Loopback0
     192.168.1.0/32 is subnetted, 1 subnets
O E2    192.168.1.1 [110/2] via 10.0.0.1, 02:27:10, FastEthernet0/0
     192.168.2.0/32 is subnetted, 1 subnets
O E2    192.168.2.1 [110/2] via 10.0.0.1, 02:27:10, FastEthernet0/0

Cool, so we got what we were expecting. Let’s just do a quick ping to the LAN IP of each site with a source of lo0 to check they learnt routes back.

LondonCE#ping 192.168.2.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/34/44 ms

LondonCE#ping 192.168.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/36/52 ms

Wikid, the last thing is to just check we didn’t provide connectivity between Newcastle and Manchester.

NewcastleCE# sh ip route

Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 2 subnets
O E2    10.0.0.0 [110/1] via 10.0.0.5, 02:44:31, FastEthernet0/1
C       10.0.0.4 is directly connected, FastEthernet0/1
     192.168.0.0/32 is subnetted, 1 subnets
O E2    192.168.0.1 [110/2] via 10.0.0.5, 02:44:31, FastEthernet0/1
C    192.168.1.0/24 is directly connected, Loopback0

NewcastleCE#ping 192.168.0.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/39/52 ms

NewcastleCE#ping 192.168.2.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)

Great. We are getting the routes from London, but have no route to Manchester. Exactly what we intended. I’m just going to do one more check on Manchester to confirm everything.

ManchesterCE# sh ip route

Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.8 is directly connected, FastEthernet0/0
O E2    10.0.0.0 [110/1] via 10.0.0.9, 02:48:10, FastEthernet0/0
     192.168.0.0/32 is subnetted, 1 subnets
O E2    192.168.0.1 [110/2] via 10.0.0.9, 02:48:10, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Loopback0

ManchesterCE#ping 192.168.0.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/40/56 ms

ManchesterCE#ping 192.168.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.....
Success rate is 0 percent (0/5)

Happy days.

14 Comments

tim - July 9th, 2013 at 9:06 am

What is to be configured if PE1 is connected to London, PE2 is connected to Newcastle, and PE3 is connected to Manchester?

StephenGarbett - July 15th, 2013 at 12:40 pm

It would be the same. The only thing you do then is connect the PE devices & route the relevant VRFs through the core. Use sub-interfaces if you’re running short on ports.

Jagabandhu - September 18th, 2013 at 2:03 pm

Thank you for such a beautiful document to clear up the inter-VRF routing. Could you please explain how we can forward the subnets of the London router to the other CE router of Manchester connected from PE-2?

Sam - May 20th, 2014 at 10:44 am

I just need to know, if we are using OSPF between CE and PE, why do we need BGP?

StephenGarbett - May 23rd, 2014 at 8:49 pm

We need BGP because we need MP-BGP to hold the VPNv4 routes in the routing table. When you do a #sh ip bgp vpnv4 all, you will see that the route distinguisher is held next to each of the routes. Without MP-BGP this is not possible. That is why we need to use BGP to redistribute the routes.

Sam - May 27th, 2014 at 8:23 pm

Thanks for the explanation.

manav - March 3rd, 2016 at 12:52 am

Thanks,
worked like a charm on GNS3.
I tried it with OSPF and EIGRP on 2 different VRFs.

ajike - March 21st, 2016 at 6:28 pm

Are we missing OSPF configuration on the PE router?

StephenGarbett - April 18th, 2017 at 10:48 am

Hi, yes. This has now been corrected.

ajike - March 21st, 2016 at 7:37 pm

Also, is it accurate to say the only configurations on London, Newcastle and Manchester are the “interface and OSPF” configurations?

StephenGarbett - April 18th, 2017 at 10:49 am

Yes. Absolutely correct.

Gokul - September 30th, 2016 at 10:35 am

A query here. I can’t see the network statements under the OSPF instances on the PE router. Am I missing something?

StephenGarbett - April 18th, 2017 at 7:39 am

Hi, you are right. I forgot to post the OSPF config. I’ve now updated the post. Thanks!
