Today I looked at Inter-VRF routing using VRF-lite. If you arent sure what a VRF is, or how it works, check out my previous post about VRF-lite.
In this lab Im going to create three VRFs; one for each site. London is going to be the HQ for each of the branches. The requirement is that London must be able to talk to each of the other branches using OSPF. However, each branch should not be able to talk to each other. So in effect we have a hub and spoke design, with London as the hub, and the other two sites as spokes.
Topology Notes
Red = Logical connections in terms of VRF connectivity
Black = Physical connections
Inter-VRF-routing-using-VRF-lite
Each site just advertises everything into OSPF and connects to the PE switch. The configs for each branch router are provided below.
London#
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.252
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Newcastle#
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
ip address 10.0.0.6 255.255.255.252
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Manchester#
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.0.0.10 255.255.255.252
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Now lets look at the good stuff on PE1. I started off by configuring each of the VRFs & setting a route distinguisher. I then leaked routes between VRFs as shown below.
ip vrf london
rd 65001:1
route-target export 65001:1
route-target import 65001:3
route-target import 65001:2
!
ip vrf manchester
rd 65001:3
route-target export 65001:3
route-target import 65001:1
!
ip vrf newcastle
rd 65001:2
route-target export 65001:2
route-target import 65001:1
Route Distinguishers & Targets
I wanted to start by talking about the Route Distinguisher (RD), and route-target. The RD is a value we use purely for identifying a particular VRF. So if we look at London, Ive created a VRF RD of 65001:1. The RD is a way to keep routes globally unique (i.e. if the subnets from London were used at Manchester, the router will still be able to distinguish whether the traffic was destined for Manchester or London because of the RD).
The route-target is a way of leaking routes between VRFs. On the London VRF I have exported a route-target with the value of 65001:1. If I want London routes to then be leaked into another VRF, all I have to do is import this route target on the VRF; like I did on Manchester and Newcastle.
There are two ways to name your RD:
rd [ASN]:[Number]
rd [IP Address]:[Number]
Either way, it doesnt matter, just keep them unique per VRF. I usually just use a number from the private bgp ASN range (64512-65535) followed by a number that I make up.
The syntax for writing a route-target is same format as the RD syntax. Note that the route-target does not have to have the same name as the RD.
Next, we need to apply the VRFs to the relevant interfaces.
interface Loopback100
ip address 7.7.7.7 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding london
ip address 10.0.0.1 255.255.255.252
!
interface FastEthernet0/1
ip vrf forwarding newcastle
ip address 10.0.0.5 255.255.255.252
!
interface FastEthernet1/0
no switchport
ip vrf forwarding manchester
ip address 10.0.0.9 255.255.255.252
The loopback was created because Im going enable BGP in just a moment & Im going to use it for the router-id.
Because the sites want to talk to each other using OSPF, the next step is to enable OSPF on our PE1 interfaces & redistribute OSPF into BGP.
router ospf 1 vrf london
network 10.0.0.1 0.0.0.0 area 0
!
router ospf 2 vrf newcastle
network 10.0.0.5 0.0.0.0 area 0
!
router ospf 3 vrf manchester
network 10.0.0.9 0.0.0.0 area 0
!
router bgp 1
no synchronization
no auto-summary
!
address-family ipv4 vrf newcastle
redistribute connected
redistribute ospf 2 vrf newcastle match internal
no synchronization
exit-address-family
!
address-family ipv4 vrf manchester
redistribute connected
redistribute ospf 3 vrf manchester match internal
no synchronization
exit-address-family
!
address-family ipv4 vrf london
redistribute connected
redistribute ospf 1 vrf london match internal
no synchronization
exit-address-family
Note the command: #redistribute ospf 1 vrf london match internal. The command I actually typed was:#redistribute ospf 1 vrf london. The match internal was added by default. You may need to include the other parameters if you have external OSPF routes, at some of your sites (maybe you are redistributing EIGRP somewhere in your internal network).
The final stage is to just redistribute BGP into each of the OSPF instances
router ospf 1 vrf london
redistribute bgp 1 subnets
!
router ospf 2 vrf newcastle
redistribute bgp 1 subnets
!
router ospf 3 vrf manchester
redistribute bgp 1 subnets
Now lets see how were doing on the old redistribution. I expect London to now learn routes from all three VRFs. So lets have a look at Londons routing table:
LondonCE#sh ip route
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 3 subnets
O E2 10.0.0.8 [110/1] via 10.0.0.1, 02:27:10, FastEthernet0/0
C 10.0.0.0 is directly connected, FastEthernet0/0
O E2 10.0.0.4 [110/1] via 10.0.0.1, 02:27:10, FastEthernet0/0
C 192.168.0.0/24 is directly connected, Loopback0
192.168.1.0/32 is subnetted, 1 subnets
O E2 192.168.1.1 [110/2] via 10.0.0.1, 02:27:10, FastEthernet0/0
192.168.2.0/32 is subnetted, 1 subnets
O E2 192.168.2.1 [110/2] via 10.0.0.1, 02:27:10, FastEthernet0/0
Cool, so we got what we were expecting. Lets just do a quick ping to the LAN IP of each site with a source of lo0 to check they learnt routes back
LondonCE#ping 192.168.2.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/34/44 ms
LondonCE#ping 192.168.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/36/52 ms
Wikid, the last thing is to just check we didnt provide connectivity between Newcastle and Manchester.
NewcastleCE# sh ip route
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
O E2 10.0.0.0 [110/1] via 10.0.0.5, 02:44:31, FastEthernet0/1
C 10.0.0.4 is directly connected, FastEthernet0/1
192.168.0.0/32 is subnetted, 1 subnets
O E2 192.168.0.1 [110/2] via 10.0.0.5, 02:44:31, FastEthernet0/1
C 192.168.1.0/24 is directly connected, Loopback0
NewcastleCE#ping 192.168.0.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/39/52 ms
NewcastleCE#ping 192.168.2.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
..
Success rate is 0 percent (0/5)
Great. We are getting the routes from London, but not to Manchester. Exactly what we intended. Im just going to do one more check on Manchester to clarify everything.
ManchesterCE# sh ip route
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
C 10.0.0.8 is directly connected, FastEthernet0/0
O E2 10.0.0.0 [110/1] via 10.0.0.9, 02:48:10, FastEthernet0/0
192.168.0.0/32 is subnetted, 1 subnets
O E2 192.168.0.1 [110/2] via 10.0.0.9, 02:48:10, FastEthernet0/0
C 192.168.2.0/24 is directly connected, Loopback0
ManchesterCE#ping 192.168.0.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/40/56 ms
ManchesterCE#ping 192.168.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
..
Success rate is 0 percent (0/5)
Happy days.