CCIEv5 VRF Lite Lab PDF
VRF Lite
VRF (Virtual Routing and Forwarding) allows a router to hold multiple routing
tables, one per set of customer routers (CEs), within one physical router (PE).
Each virtual routing table is independent of the others, as if they were in
separate networks. VRF technology therefore allows a router to route packets
from different customers that use the same IP address range, with the use of the
Route Distinguisher.
VRF lite is a simpler version of VRF that can be used to separate networks
within an enterprise for security purposes, such as a guest network. It only
supports 802.1Q trunk encapsulation.
VRF configuration is not at all dependent on MPLS (the two components just work
well together). In Cisco terminology, deployment of VRFs without MPLS is known
as VRF lite.
CCIEv5 VRF lite Lab By CCSI: Yasser Auda
Lab
We want to keep four routing tables (BLUE, GREEN, YELLOW, RED) virtually separated in the same
physical router.
R1 will connect to R2 using f0/0 with IP address 10.1.1.1, and we will use Dot1q
encapsulation to tag each VRF with its own RD. We will do the same on the R2 side.
R1 will advertise its own loopback interfaces, each in its proper VRF.
R2 is connected to R3. R3 will be our management point, and we will use a different IP address for
each VRF.
R1
ip vrf BLUE
rd 1:1
ip vrf GREEN
rd 2:2
ip vrf YELLOW
rd 3:3
ip vrf RED
rd 4:4
int loop 1
ip vrf for BLUE
ip add 1.1.1.1 255.255.255.255
int loop 2
ip vrf for GREEN
ip add 2.2.2.2 255.255.255.255
int loop 3
ip vrf for YELLOW
ip add 3.3.3.3 255.255.255.255
int loop 4
ip vrf for RED
ip add 4.4.4.4 255.255.255.255
int f0/0
no ip add
no sh
int f0/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 10.1.1.1 255.255.255.0
int f0/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 10.1.1.1 255.255.255.0
int f0/0.3
encapsulation dot1Q 3
ip vrf forwarding YELLOW
ip address 10.1.1.1 255.255.255.0
int f0/0.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 10.1.1.1 255.255.255.0
R2
ip vrf BLUE
rd 1:1
ip vrf GREEN
rd 2:2
ip vrf YELLOW
rd 3:3
ip vrf RED
rd 4:4
int f0/0
no ip add
no sh
int f0/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 10.1.1.2 255.255.255.0
int f0/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 10.1.1.2 255.255.255.0
int f0/0.3
encapsulation dot1Q 3
ip vrf forwarding YELLOW
ip address 10.1.1.2 255.255.255.0
int f0/0.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 10.1.1.2 255.255.255.0
R2#sh ip vrf br
Name Default RD Interfaces
BLUE 1:1 Fa0/0.1
GREEN 2:2 Fa0/0.2
RED 4:4 Fa0/0.4
YELLOW 3:3 Fa0/0.3
R2
int f0/1
no ip add
no sh
int f0/1.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 10.2.2.2 255.255.255.0
int f0/1.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 10.22.22.2 255.255.255.0
int f0/1.3
encapsulation dot1Q 3
ip vrf forwarding YELLOW
ip address 10.12.12.2 255.255.255.0
int f0/1.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 10.122.122.2 255.255.255.0
Notice that R3 needs no rd commands, no ip vrf forwarding commands under its subinterfaces, and not
even a BGP address family for each VRF.
R3
int f0/1
no ip add
no sh
int f0/1.1
encapsulation dot1Q 1
ip address 10.2.2.1 255.255.255.0
int f0/1.2
encapsulation dot1Q 2
ip address 10.22.22.1 255.255.255.0
int f0/1.3
encapsulation dot1Q 3
ip address 10.12.12.1 255.255.255.0
int f0/1.4
encapsulation dot1Q 4
ip address 10.122.122.1 255.255.255.0
R3#sh ip bgp
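R3 above terminates all four VLANs in its global routing table, so the separation between BLUE, GREEN, YELLOW and RED ends at R3; the same happens by accident on any router where a subinterface is missing ip vrf forwarding. The following Python check is an added example, not part of the original lab: it parses IOS-style interface configuration (the sample config and the function names parse and audit are constructed for illustration) and reports addressed interfaces left in the global table, as well as overlapping subnets inside one table.

```python
import ipaddress

# Constructed sample (interface section only) in the page's IOS style: two
# VRF-bound subinterfaces reuse 10.1.1.2; f0/1.9 lacks "ip vrf forwarding".
SAMPLE = """\
int f0/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 10.1.1.2 255.255.255.0
int f0/0.2
encapsulation dot1Q 2
ip vrf for GREEN
ip add 10.1.1.2 255.255.255.0
int f0/1.9
encapsulation dot1Q 9
ip address 10.9.9.2 255.255.255.0
"""

def parse(config):
    """Return {interface: {"vrf": name or None, "net": IPv4Network or None}}."""
    ifaces, cur = {}, None
    for w in (line.split() for line in config.splitlines()):
        if len(w) >= 2 and len(w[0]) >= 3 and "interface".startswith(w[0].lower()):
            cur = ifaces.setdefault("".join(w[1:]), {"vrf": None, "net": None})
        elif cur is None or len(w) != 4 or w[0] != "ip":
            continue                # VRF definitions, rd, encapsulation, "no ip add"
        elif w[1] == "vrf" and "forwarding".startswith(w[2]):
            cur["vrf"] = w[3]       # also accepts the "ip vrf for" abbreviation
        elif "address".startswith(w[1]):
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
    return ifaces

def audit(config):
    """List (interface, problem) pairs that weaken the VRF separation."""
    findings, seen = [], {}
    for name, i in parse(config).items():
        if i["net"] is None:
            continue                # unaddressed parent trunk interface
        if i["vrf"] is None:
            findings.append((name, "global routing table, no VRF bound"))
        for other, net in seen.setdefault(i["vrf"], []):
            if net.overlaps(i["net"]):  # same subnet is fine across VRFs, not within one
                findings.append((name, f"overlaps {other} in the same table"))
        seen[i["vrf"]].append((name, i["net"]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the R3 configuration above, every addressed subinterface is reported as being in the global table, which is expected for the management point but would be a finding on R1, R2, R4 or R5.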
R4 (BGP AS 400) f1/0 will be connected to R2 f1/0 through VRFs BLUE and GREEN using 40.40.40.0/24.
R5 (BGP AS 500) f1/0 will be connected to R2 f2/0 through VRFs RED and GREEN using 50.50.50.0/24.
R2
interface FastEthernet1/0
no ip address
!
interface FastEthernet1/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 40.40.40.2 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 40.40.40.2 255.255.255.0
interface FastEthernet2/0
no ip address
interface FastEthernet2/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 50.50.50.2 255.255.255.0
!
interface FastEthernet2/0.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 50.50.50.2 255.255.255.0
R4
ip vrf BLUE
rd 1:1
!
ip vrf GREEN
rd 2:2
interface FastEthernet1/0
no ip address
!
interface FastEthernet1/0.1
encapsulation dot1Q 1
ip vrf forwarding BLUE
ip address 40.40.40.4 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 40.40.40.4 255.255.255.0
R5
ip vrf GREEN
rd 2:2
!
ip vrf RED
rd 4:4
int f1/0
no ip add
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 50.50.50.5 255.255.255.0
!
interface FastEthernet1/0.4
encapsulation dot1Q 4
ip vrf forwarding RED
ip address 50.50.50.5 255.255.255.0
Now let's assume we want R4 to get a default route in its BLUE VRF from R2.
R2
router bgp 200
address-family ipv4 vrf BLUE
neighbor 40.40.40.4 default-originate
R7 f0/0 10.10.10.7/24
R6 f0/0 10.10.10.6/24 s0/0 20.20.20.6/24
R2 s0/0 20.20.20.2/24
R2
int s0/0
ip vrf for BLUE
ip add 20.20.20.2 255.255.255.0
no sh
!--- Connection to the VRF BLUE network and the VRF GREEN
!--- network using the GRE tunnel.
!--- Static Host route to ensure that recursive routing does not occur.
int tunnel 0
ip vrf for GREEN
ip add 200.200.200.2 255.255.255.0
tunnel source s0/0
tunnel dest 10.10.10.7
tunnel vrf BLUE
R6
int s0/0
ip add 20.20.20.6 255.255.255.0
no sh
int f0/0
ip add 10.10.10.6 255.255.255.0
no sh
ip access-group 100 in
ip access-group 100 out
R7
int f0/0
ip add 10.10.10.7 255.255.255.0
no sh
ip access-group 100 in
ip access-group 100 out
!--- Access-group to allow only GRE packets through the R2-CE network. However, R1-CE networks
!--- data is in the GRE packet.
int tunnel 0
ip add 200.200.200.1 255.255.255.0
tunnel source f0/0
tunnel dest 20.20.20.2
!--- Both the tunnel source and destination address are in the VRF BLUE, to provide transport for the
!--- VRF GREEN network.
!--- Static Host route to ensure that recursive routing does not occur.
Verification:
R7#ping 200.200.200.2
!!!!!
Resources:
http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/
http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/
http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/46252-grewithvrf.html
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/layer-3-vpns-l3vpn/116725-configure-mgre-00.html
Good Luck
CCSI: Yasser Auda