CCIEv5 VRF Lite Lab PDF

CCIEv5 VRF lite Lab By CCSI: Yasser Auda
VRF Lite
VRF =Virtual Routing and Forwarding which allows router to have multiple
routing tables of the customer routers CE’s within one physical router PE.
Each of virtual routing table is independent of each other as if they are in the
separated network. Therefore, the VRF technology allows router to route packet
from different customers with the same IP address range with the use of Route
Distinguisher.
VRF lite is a simpler version of VRF that can be used to separate the network in
the enterprise network for security purposes such as a guest network. It only
supports 802.1Q trunk encapsulation.
VRF configuration isn't at all dependent on MPLS (the two components just work
well together). In Cisco terminology, deployment of VRFs without MPLS is known
as VRF lite
1
Lab
 We want to keep 4 routing table (BLUE, GREEN , YELLOW , RED ) virtually separated in the same
physical router.
 R1 will connect to R2 using f0/0 and using ip address 10.1.1.1, and we will use Dot1q
encapsulation protocol to tag each vrf with its own RD . we will do the same in R2 side.
 R1 will advertise its own loopback interfaces on each proper vrf
 R2 connected to R3 , R3 will be our management point and we will use different ip address for
each vrf
 R1 exists in BGP AS 100

2
R1
ip vrf BLUE
rd 1:1
ip vrf GREEN
rd 2:2
ip vrf YELLOW
rd 3:3
ip vrf RED
rd 4:4
int loop 1
ip vrf for BLUE
ip add 1.1.1.1 255.255.255.255
int loop 2
ip vrf for GREEN
ip add 2.2.2.2 255.255.255.255
int loop 3
ip vrf for YELLOW
ip add 3.3.3.3 255.255.255.255
int loop 4
ip vrf for RED
ip add 4.4.4.4 255.255.255.255
int f0/0
no ip add
no sh
int f0/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 10.1.1.1 255.255.255.0
int f0/0.2
ip vrf forwarding GREEN
ip address 10.1.1.1 255.255.255.0
int f0/0.3
ip vrf forwarding YELLOW
ip address 10.1.1.1 255.255.255.0
int f0/0.4
ip vrf forwarding RED
ip address 10.1.1.1 255.255.255.0
3
router bgp 100

bgp router-id 1.1.1.1
address-family ipv4 vrf BLUE
neighbor 10.1.1.2 remote-as 200
neighbor 10.1.1.2 activate
net 1.1.1.1 mask 255.255.255.255
address-family ipv4 vrf GREEN

net 2.2.2.2 mask 255.255.255.255
address-family ipv4 vrf YELLOW

net 3.3.3.3 mask 255.255.255.255
address-family ipv4 vrf RED

net 4.4.4.4 mask 255.255.255.255
R2
ip vrf BLUE
rd 1:1
ip vrf GREEN
rd 2:2
ip vrf YELLOW
rd 3:3
ip vrf RED
rd 4:4
int f0/0
no ip add
no sh
int f0/0.1
ip address 10.1.1.2 255.255.255.0
int f0/0.2
ip address 10.1.1.2 255.255.255.0
4
int f0/0.3
ip address 10.1.1.2 255.255.255.0
int f0/0.4
ip address 10.1.1.2 255.255.255.0
router bgp 200




R2#sh ip vrf br
Name Default RD Interfaces
BLUE 1:1 Fa0/0.1
GREEN 2:2 Fa0/0.2
RED 4:4 Fa0/0.4
YELLOW 3:3 Fa0/0.3
R2#sh ip route vrf BLUE

Routing Table: BLUE
1.0.0.0/32 is subnetted, 1 subnets

B 1.1.1.1 [20/0] via 10.1.1.1, 00:00:23
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0.1
R2#sh ip bgp vpnv4 vrf BLUE
Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 1:1 (default for vrf BLUE)
*> 1.1.1.1/32 10.1.1.1 0 0 100 i
5
R2
int f0/1
no ip add
no sh
int f0/1.1
ip address 10.2.2.2 255.255.255.0
int f0/1.2
ip address 10.22.22.2 255.255.255.0
int f0/1.3
ip address 10.12.12.2 255.255.255.0
int f0/1.4
ip address 10.122.122.2 255.255.255.0
router bgp 200




6
Notice in R3 no need for rd commands or ip vrf forwarding commands under sub interfaces or even
bgp address family for each vrf .
R3
int f0/1
no ip add
no sh
int f0/1.1
ip address 10.2.2.1 255.255.255.0
int f0/1.2
ip address 10.22.22.1 255.255.255.0
int f0/1.3
ip address 10.12.12.1 255.255.255.0
int f0/1.4
ip address 10.122.122.1 255.255.255.0
router bgp 300

R3#sh ip bgp

*> 1.1.1.1/32 10.2.2.2 0 200 100 i
*> 2.2.2.2/32 10.22.22.2 0 200 100 i
*> 3.3.3.3/32 10.12.12.2 0 200 100 i
*> 4.4.4.4/32 10.122.122.2 0 200 100 i
7
Same lab above but we will add R4,R5
R4 (BGP AS 400 ) f1/0 will be connected to R2 f1/0 through vrf BLUE & GREEN using 40.40.40.0/24
R5 (BGP AS 500) f1/0 will be connected to R2 f2/0 through vrf RED & GREEN using 50.50.50.0/24
R2
interface FastEthernet1/0
no ip address
!
interface FastEthernet1/0.1
ip address 40.40.40.2 255.255.255.0
!
ip address 40.40.40.2 255.255.255.0
interface FastEtherne2/0
no ip address
ip address 50.50.50.2 255.255.255.0
!
ip address 50.50.50.2 255.255.255.0
8
router bgp 200

!

no synchronization
exit-address-family
!
R4
ip vrf BLUE
rd 1:1
!
ip vrf GREEN
rd 2:2
interface FastEthernet1/0
no ip address
!
ip address 40.40.40.4 255.255.255.0
!
ip address 40.40.40.4 255.255.255.0
router bgp 400

!
9

*> 1.1.1.1/32 40.40.40.2 0 200 100 i
R4#sh ip bgp vpnv4 vrf GREEN
Route Distinguisher: 0:0
*> 2.2.2.2/32 40.40.40.2 0 200 100 i
R5
ip vrf GREEN
rd 2:2
!
ip vrf RED
rd 4:4
int f1/0
no ip add
ip address 50.50.50.5 255.255.255.0
!
ip address 50.50.50.5 255.255.255.0
router bgp 500


R5#sh ip bgp vpnv4 vrf RED

Route Distinguisher: 4:4 (default for vrf RED)
*> 4.4.4.4/32 50.50.50.2 0 200 100 i
R5#sh ip bgp vpnv4 vrf GREEN
Route Distinguisher: 2:2 (default for vrf GREEN)
*> 2.2.2.2/32 50.50.50.2 0 200 100 i
10
Now let’s assume we want R4 to get Default route in his BLUE vrf from R2
R2
router bgp 200
neighbor 40.40.40.4 default-originate

*> 0.0.0.0 40.40.40.2 0 0 200 i
*> 1.1.1.1/32 40.40.40.2 0 200 100 i
Displaying & Verifications commands
Let’s take vrf BLUE AS example:
sh ip protocols vrf BLUE

sh ip route vrf BLUE
sh ip bgp vpnv4 vrf BLUE
sh ip vrf br
sh ip vrf blue
sh ip bgp vpnv4 all sum
sh ip vrf interfaces
R4#sh ip bgp vpnv4 vrf BLUE neighbors 40.40.40.2 advertised-routes

R4#sh ip bgp vpnv4 vrf BLUE neighbors 40.40.40.2 routes
R4#sh ip bgp vpnv4 vrf BLUE 1.1.1.1
R4#ping vrf BLUE 1.1.1.1
R4#traceroute vrf BLUE 1.1.1.1
R4#sh ip bgp vpnv4 rd 1:1
R2#sh ip bgp vpnv4 vrf BLUE rib-failure
11
Now let’s practice VRF over GRE Tunnel
R7 f0/0 10.10.10.7/24
R6 f0/0 10.10.10.6/24 s0/0 20.20.20.6/24
R2 s0/0 20.20.20.2/24
R2
int s0/0
ip vrf for BLUE
ip add 20.20.20.2 255.255.255.0
no sh
!−−− Connection to the VRF BLUE network and the VRF GREEN
!−−− network using the GRE tunnel.
12
ip route vrf BLUE 10.10.10.7 255.255.255.255 20.20.20.6
!−−− Static Host route to ensure that recursive routing does not occur.
int tunnel 0
ip vrf for GREEN
ip add 200.200.200.2 255.255.255.0
tunnel source s0/0
tunnel dest 10.10.10.7
tunnel vrf BLUE
!−−− Tunnel 0 is part of VRF GREEN; but it uses the tunnel

!−−− destination and source addresses from the routing
!−−− table of VRF BLUE, because of this tunnel vrf blue command
router bgp 200

redis connected
redis conn
R6
int s0/0
ip add 20.20.20.6 255.255.255.0
no sh
int f0/0
ip add 10.10.10.6 255.255.255.0
no sh
ip access-group 100 in
ip access-group 100 out
access-list 100 permit gre host 10.10.10.7 host 20.20.20.2

!−−− Permits only GRE packets between the endpoints.
ip route 0.0.0.0 0.0.0.0 20.20.20.2
13
R7
int f0/0
ip add 10.10.10.7 255.255.255.0
no sh
ip access-group 100 in
ip access-group 100 out
!−−− Access−group to allow only GRE packets through the R2−CE network. However, R1−CE networks
data is in the GRE packet.

!−−− Permits only GRE packets between the endpoints.
int tunnel 0
ip add 200.200.200.1 255.255.255.0
tunnel source f0/0
tunnel dest 20.20.20.2
!−−− Both the tunnel source and destination address are in the VRF BLUE, to provide transport for the
VRF GREEN network.
ip route 0.0.0.0 0.0.0.0 tunnel0

ip route 20.20.20.2 255.255.255.255 10.10.10.6
!−−− Static Host route to ensure that recursive routing does not occur.
Verification:
R2#show ip route vrf BLUE 10.10.10.1

Routing entry for 10.10.10.0/24
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 20.20.20.6
Route metric is 0, traffic share count is 1
R2#sh ip int br | i Tunnel

Tunnel0 200.200.200.2 YES manual up up
R7#ping 200.200.200.2
!!!!!
Any BLUE or GREEN ip address directly connected in R2 , R7 can ping now :

R7#ping 10.1.1.2
!!!!!
R7#ping 10.22.22.2
!!!!!
14
Resources:
http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/
http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/
http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/46252-
grewithvrf.html
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/layer-3-vpns-l3vpn/116725-
configure-mgre-00.html
Good Luck
CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasser.r.a?view=documents
https://www.youtube.com/user/yasserramzyauda
15

CCIEv5 VRF Lite Lab PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCIEv5 VRF Lite Lab PDF

Uploaded by

Copyright:

Available Formats

CCIEv5 VRF lite Lab By CCSI: Yasser Auda

 R1 exists in BGP AS 100

router bgp 100

address-family ipv4 vrf GREEN

address-family ipv4 vrf YELLOW

address-family ipv4 vrf RED

router bgp 200

address-family ipv4 vrf GREEN

address-family ipv4 vrf YELLOW

address-family ipv4 vrf RED

R2#sh ip route vrf BLUE

1.0.0.0/32 is subnetted, 1 subnets

R2#sh ip bgp vpnv4 vrf BLUE

Network Next Hop Metric LocPrf Weight Path

router bgp 200

address-family ipv4 vrf GREEN

address-family ipv4 vrf YELLOW

address-family ipv4 vrf RED

router bgp 300

Network Next Hop Metric LocPrf Weight Path

Same lab above but we will add R4,R5

router bgp 200

address-family ipv4 vrf GREEN

router bgp 400

R4#sh ip bgp vpnv4 vrf BLUE

router bgp 500

address-family ipv4 vrf GREEN

R5#sh ip bgp vpnv4 vrf RED

R4#sh ip bgp vpnv4 vrf BLUE

Displaying & Verifications commands

Let’s take vrf BLUE AS example:

sh ip protocols vrf BLUE

R4#sh ip bgp vpnv4 vrf BLUE neighbors 40.40.40.2 advertised-routes

R2#sh ip bgp vpnv4 vrf BLUE rib-failure

Now let’s practice VRF over GRE Tunnel

ip route vrf BLUE 10.10.10.7 255.255.255.255 20.20.20.6

!−−− Tunnel 0 is part of VRF GREEN; but it uses the tunnel

router bgp 200

access-list 100 permit gre host 10.10.10.7 host 20.20.20.2

!−−− Permits only GRE packets between the endpoints.

ip route 0.0.0.0 0.0.0.0 20.20.20.2

access-list 100 permit gre host 10.10.10.7 host 20.20.20.2

!−−− Permits only GRE packets between the endpoints.

ip route 0.0.0.0 0.0.0.0 tunnel0

R2#show ip route vrf BLUE 10.10.10.1

R2#sh ip int br | i Tunnel

Any BLUE or GREEN ip address directly connected in R2 , R7 can ping now :

You might also like