VRF Lite Configuration on Cisco IOS

Hello everyone!

Awesome lesson, thank you so much. However, there are a few things that are not clear to me.

First, where exactly would VRF Lite be used? Are there any examples for this?

I can see how VRF could be used in an MPLS deployment, as the ISP may have a lot of customers there with duplicate private IP space. However, when it comes to VRF Lite, in what situations would we want to use it?

Thank you in advance for your help.

David

Hello David

VRF is typically employed with MPLS. However, when VRF is used without MPLS, it is called VRF-lite. What are some use cases for VRF-lite? Well, here is a partial list:

  • To serve multi-tenancy: If you have a single network infrastructure, you can create VRFs for each tenant within a building to create their own virtual network topology, thus freeing individual tenants within a building to use their own addressing scheme.
  • Used with EVN: Easy Virtual Network is a feature that uses VRF-lite to create multiple routing tables within a routing infrastructure.
  • Used with LISP: When deploying LISP, VRFs can be used to implement virtualization. LISP supports this by binding the instance ID to VRFs and EID VRFs.

Additional uses can include:

  • Data and Voice segregation - Beyond using just VLANs, you can use different VRFs to route each type of traffic
  • Isolation of Management Traffic
  • Migrating networks and integrating mergers
  • Enhancing network security
  • Simplifying routing policies

I hope this has been helpful!

Laz


I recently built a lab with VRF. But I did not understand the purpose of putting an interface and an IP address for the next hop.
Ex: ip route 0.0.0.0 0.0.0.0 gi0/0 10.1.2.1

I am used to seeing just the IP address.
Ex: ip route 0.0.0.0 0.0.0.0 10.1.2.1

When is it necessary to use both?

Hello David

What you are referring to is called a “Fully Specified Route”. Such a route in the routing table includes both the exit interface and the next hop IP address in the entry. You can also have a route that has only the exit interface or a route that has only the next hop IP. Whether a fully specified route or not, all of these are acceptable, however, they function a little bit differently when we perform a routing table lookup.

Take a look at this NetworkLessons note on the topic for more information. Note that this behavior is independent of whether or not you use VRFs.

If you have further questions, don't hesitate to ask!

I hope this has been helpful!

Laz
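
Added example (not part of the original posts or of the lesson): a VRF-lite sketch of the multi-tenancy use case listed earlier, combined with the static route forms discussed in this answer, written per VRF. The VRF names, RD values, interfaces and the 192.168.1.0/24 tenant subnet are assumptions; 10.1.2.1 is the next hop from the question.

```cisco
! Constructed example: names, RDs, interfaces and tenant subnets are assumptions.
ip vrf TENANT_A
 rd 65000:1
ip vrf TENANT_B
 rd 65000:2
!
! Both tenants use the same addressing; each VRF has its own routing table,
! so the overlap does not conflict.
interface GigabitEthernet0/0
 description Uplink for TENANT_A
 ip vrf forwarding TENANT_A
 ip address 10.1.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Uplink for TENANT_B
 ip vrf forwarding TENANT_B
 ip address 10.1.2.2 255.255.255.0
!
interface GigabitEthernet0/2
 description LAN for TENANT_A
 ip vrf forwarding TENANT_A
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/3
 description LAN for TENANT_B
 ip vrf forwarding TENANT_B
 ip address 192.168.1.254 255.255.255.0
!
! Fully specified route: exit interface and next hop are both pinned, so the
! route is only installed while Gi0/0 is up and no recursive lookup is needed.
ip route vrf TENANT_A 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.1.2.1
!
! Next hop only: the exit interface is found by a recursive lookup of 10.1.2.1
! inside TENANT_B's own table.
ip route vrf TENANT_B 0.0.0.0 0.0.0.0 10.1.2.1
!
! Interface only (not configured here) on a multi-access link makes every
! destination look directly connected, so the router ARPs for each one.
!
! Check each table separately:
!   show ip route vrf TENANT_A static
!   ping vrf TENANT_B 10.1.2.1
```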

Thank you for the explanation. I don't see the DN bit in the OSPF header or in the LSA packets. Could you please provide more details on the DN and other bits as well?

Hello Sathish

The Down Bit or the DN bit can be found within the Options section of an LSA found within the payload of an OSPF message. Take a look at this screenshot of a packet capture to see where you can find it:

The DN bit is found in all LSAs as well as in DB description messages, and is used for much the same purpose. You can find out more information about it at this post, which also includes links…

I hope this has been helpful!

Laz

Sorry for this question guys but I'd like to know the difference between:

ISP(config)#ip vrf Red

and
ISP(config)#vrf definition Red

Hello Daniel

That's a great question. Both of these options will implement VRFs, however, the first is the legacy version, while the second is the newer version.

The newer version delivers advanced flexibility because it puts you into the VRF configuration mode. Within that mode you can configure a whole series of parameters. Take a look at this context-sensitive help that shows the available commands within the VRF configuration mode:

R1(config)#vrf definition CUSTOMER1
R1(config-vrf)#?
VPN Routing/Forwarding instance configuration commands:
  address-family  Enter Address Family command mode
  default         Set a command to its defaults
  description     VRF specific description
  exit            Exit from VRF configuration mode
  help            Description of the interactive help system
  ipv4            VRF IPv4 configuration
  no              Negate a command or set its defaults
  rd              Specify Route Distinguisher
  route-target    Specify Target VPN Extended Communities
  vnet            Virtual NETworking configuration
  vpn             Configure VPN ID as specified in rfc2685

R1(config-vrf)#

Can you do the same configuration with both? Yes, however, with vrf definition, you explicitly configure address families (e.g., address-family ipv4 or ipv6) under the VRF configuration mode. This allows simultaneous IPv4/IPv6 support.

The legacy ip vrf command implicitly enables IPv4 and lacks native IPv6 support without additional configuration.

So both will work, but the latter is the newer implementation method. As with most of these features, eventually, the ip vrf command will be deprecated in favor of the newer method.

I hope this has been helpful!

Laz
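
Added example (not part of the original posts or of the lesson): the same VRF written once in the legacy form and once in the newer form, to show where the explicit address families and the different interface command come in. The VRF name Red is from the question; the RD, interface and addresses are assumptions. The two halves are alternatives, not one configuration.

```cisco
! Constructed example: RD, interface and addresses are assumptions.
!
! --- Legacy form: IPv4 is enabled implicitly, no address families ---
ip vrf Red
 rd 1:1
!
interface GigabitEthernet0/1
 ip vrf forwarding Red
 ip address 192.168.1.254 255.255.255.0
!
! --- Newer form: each address family is enabled explicitly ---
ipv6 unicast-routing
!
vrf definition Red
 rd 1:1
 !
 ! Without this block the VRF carries no IPv4, and an IPv4 address on a
 ! member interface is rejected.
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface GigabitEthernet0/1
 ! An interface joins a "vrf definition" VRF with "vrf forwarding",
 ! not "ip vrf forwarding".
 ! Attaching an interface to a VRF removes the addresses already on it,
 ! so the addresses are entered after this line.
 vrf forwarding Red
 ip address 192.168.1.254 255.255.255.0
 ipv6 address 2001:db8:1::1/64
!
! Check the result with:
!   show vrf
!   show ip route vrf Red
!   show ipv6 route vrf Red
```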

Hi Rene, Thanks for explaining this topic with such simplicity and ease. I have one question: Are VRFs used only between CE and PE or are there any scenarios in which we can run them in our local networks as well for better segregation? If yes, can you please explain such scenario(s)?

Hello Aaditya

VRFs are not limited to CE-PE architectures for MPLS in service provider networks. VRFs allow you to logically separate routing domains, which can be useful in a wide variety of scenarios. These include implementation in local enterprise networks for traffic segregation, security, and IP address overlap resolution. Specific scenarios include departmental network isolation, multi-tenant environments, and guest network segmentation.

I hope this has been helpful!

Laz