How VRFs Work (VRF Lite) | VRFs Part 1

Captions
VRFs do for routing what VLANs do for switching. But when and how do you use them? Let's find out.

It's getting rare to find a flat network these days. We just can't get away with it anymore. The modern network needs to be separated into areas. This may be for business units: maybe you have an R&D team and they need to be kept separate to the customer service team. Or maybe you're a multi-tenanted service provider; it's no good to have your customer traffic mixing. Or maybe your company has acquired another business and their network uses the same IP space that you do. How will you merge your networks now? Or it could just be for good old-fashioned security: you want to keep your secure data separate from your DMZ data. There are plenty of reasons to segregate data.

VLANs are a very common way to start doing this. VLANs aren't new, of course. They've been around since the dawn of networking time, and we've been using them all with great success. But as you know, VLANs only separate traffic at layer 2. It's like creating virtual switches throughout your environment. The result is that hosts in a VLAN can communicate with each other, but not with hosts in other VLANs, until they get external help, that is. As soon as you put a router between these networks, your separation is lost. The hosts can communicate between VLANs again.

To solve this problem, you could use a firewall instead of using a router, or you may use ACLs on the router to selectively block traffic. This may work, just depending on what you need, but this may not be the best solution, in particular with multi-tenancy, as your customers wouldn't be able to make changes on the firewall without seeing other customer data. Also, it doesn't help when you're having overlapping IP spaces.

Another option is to use VRFs. VRFs are used to segregate data at layer 3. I've even heard of some people calling them layer 3 VLANs, although that's not actually correct, so don't do that. By default, a router will have a global routing table, just one routing table where all routes, whether learned or local, are added. This is why those VLANs can communicate when a router's present. A VRF changes this default behavior. A VRF is a virtual routing table. In the same way that a VLAN breaks a switch into virtual switches, a VRF breaks a router into virtual routers. Now, interfaces, and by extension VLANs, belong to a single VRF. Networks within a VRF can communicate; networks in different VRFs cannot. There are simply no routes between the VRFs.

This is something that's easier to see in action, so let's build a lab and configure some VRFs. In our little pretend business here, we provide services to our customers. We have one router, and each of our customers has one router. All routers are running Cisco IOS. Keep in mind that the commands you see here are a little different in other flavors of routers, like NX-OS, but the principles all remain the same. Our customers also have some IP space that overlaps. We need to prevent this from becoming an issue. To build this network, we're going to create two VRFs, one per customer. The initial configs, like hostname, IP addresses and so on, have already been completed to save time. I'll put the initial and completed configs on the website if you want to do the lab yourself.

We start by creating a VRF for each customer and giving them a description. The description is optional, but it helps later on when you're troubleshooting. Creating a VRF essentially creates a new, empty routing table. But what's the point of a routing table if there's nothing in it? So we need to add some interfaces. Before we do, we'll have a quick look at the current interface config. You'll see why I'm doing this soon. And now we'll go into the interface configuration and we add it into the VRF. Now, here's something surprising: when you add an interface to a VRF, all layer 3 config on the interface is lost. It's a good thing we had a look at the interface config before we started, isn't it? So let's add an IP address back in. And here we get surprise number two: in IOS, we need to make sure that IPv4 is enabled on the VRF. We do this by going back into the VRF definition and entering the IPv4 address family. If you're not familiar with the term, an address family is used to tell the router how a particular protocol should behave. In our case, we're not going to set anything; we're just entering into the mode to enable IPv4 on the VRF. And while we're at it, we'll do the same for the second customer. Now if we go back into the interface, adding the IP address is fine.

Let's ping this customer's router. This is failing right now, but that's expected. When we ping, we use the global routing table by default. The global routing table is the normal routing table that all the routers have, whether they're using VRFs or not. This network is no longer in the global routing table, which is why the ping fails. So to fix this, we can ping using a particular VRF, and we can see here that works just fine. So now let's repeat this process for customer B. Remember to have a look at the IP address on the interface before starting. Notice here that we're only configuring the core router. We don't need to touch the customer routers. This is because VRFs are locally significant. Routers do not need to share VRF information.

Okay, now we can take this a step further and add routes to the customers' networks. Here we also need to specify the VRF. If we don't, the routes go into the global routing table. You'll also notice that there is no problem at all adding overlapping routes, as long as they go into different VRFs. Now we'll take a look at the routing tables to see how this looks. The global routing table is completely empty. We've moved everything out of here into the customer VRFs. Keep in mind, though, you can still use the global routing table alongside VRFs. We can see the customer routes in the customer VRFs. You can see that the 10 1000 network is in both customer routing tables.

Time to run a few ping tests. We can successfully ping customer networks when we use customer VRFs. We can also see that the overlapping IP space is fine as well. If we try to ping customer A from customer B, this will fail. This is where you can really see the traffic separation in action. The main point that I want you to remember from all of this is that a VRF is a virtual routing table. They're used to separate traffic at layer 3.

Now let's go have a look at another scenario. Let's say that customers want to be able to communicate; however, this needs to happen via a firewall. This might sound like an unrealistic scenario, but it's not as bad as it sounds. Imagine, for example, that as an enterprise network, instead of having customers inside your network like this, you have an inside network and a DMZ. You may do this using VRFs, so you can easily find yourself in this scenario. So let's grow our original topology. We now have a firewall and a single physical link to the core router. This is a trunk link, and we'll use a sub-interface for each customer. The firewall itself is in routed mode, so the core router will keep traffic separate and the firewall will route traffic from one customer to another if the security policy allows it. There's two things to be aware of here. First, the firewall does not have VRFs; all routes go into its global routing table. And second, we can't allow the overlapping IP spaces to mix.

In this scenario, the firewall has already been configured. That's because we're not focusing on firewall configuration here; we're looking at VRFs. So if you're interested in how that's put together, I'll put all the config files on the website and then you can do your own labs if you want to later. Now, we'll start by getting the connection to the ASA up. Part of this includes creating a sub-interface on VLAN 10, adding it to the customer VRF and configuring an IP address. And then the same process is repeated on customer B using VLAN 20. Now's a good time to double-check access to the ASA on both VRFs.

Now we can add routes so that customer A can reach customer B. The ASA is the next hop. We won't add routes for the overlapping IP address space. Once again, you can't mix overlapping IP address spaces; you need to completely separate them or avoid them. And we do the same thing for customer B: the equivalent routes there. Now I'm going to bring up customer A's router over on the side here, and running this trace confirms that traffic is indeed being passed through the firewall. If I bring customer B's router over here as well, we used to get the same result. Wonderful.

Everything so far has used static routing, but what about dynamic routing? Can we use OSPF, EIGRP and BGP with VRFs? The answer is most definitely yes, IGPs can work with VRFs. So we're going to build that topology and configure all three of these routing protocols along with VRFs in the next video.
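
The core-router steps described in the captions above, written out as Cisco IOS configuration. This is an added example, not the lab config from the video or the channel's website; the VRF names, interface numbers, VLAN-to-interface mapping and every address are constructed placeholders.

```cisco
! Constructed example: all names, interfaces and addresses are placeholders.
! One VRF per customer; IPv4 must be enabled via the address family.
vrf definition CUST-A
 description Customer A
 address-family ipv4
 exit-address-family
!
vrf definition CUST-B
 description Customer B
 address-family ipv4
 exit-address-family
!
! "vrf forwarding" wipes existing layer 3 config on the interface,
! so note the address first and re-enter it afterwards.
interface GigabitEthernet0/1
 vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 vrf forwarding CUST-B
 ip address 192.0.2.5 255.255.255.252
!
! The same (overlapping) customer prefix can exist in both VRFs.
! Omitting "vrf <name>" would place the route in the global table.
ip route vrf CUST-A 10.0.0.0 255.255.255.0 192.0.2.2
ip route vrf CUST-B 10.0.0.0 255.255.255.0 192.0.2.6
!
! Firewall scenario: one trunk, one sub-interface per customer VRF.
interface GigabitEthernet0/3.10
 encapsulation dot1Q 10
 vrf forwarding CUST-A
 ip address 198.51.100.1 255.255.255.248
!
interface GigabitEthernet0/3.20
 encapsulation dot1Q 20
 vrf forwarding CUST-B
 ip address 198.51.100.9 255.255.255.248
!
! Inter-customer routes point at the firewall and cover only the
! non-overlapping prefixes; the firewall has a single routing table.
ip route vrf CUST-A 172.16.2.0 255.255.255.0 198.51.100.2
ip route vrf CUST-B 172.16.1.0 255.255.255.0 198.51.100.10
!
! Verification (exec mode):
!   show ip route                  <- global table, expected empty here
!   show ip route vrf CUST-A
!   ping vrf CUST-A 10.0.0.1
!   traceroute vrf CUST-A 172.16.2.1
```

When auditing a segmentation design like this, any static route entered without the `vrf` keyword is worth flagging, since it lands in the global table rather than the intended customer table.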
Info
Channel: Network Direction
Views: 119,350
Rating: 4.9322033 out of 5
Keywords: Virtual Routing and Forwarding, how vrfs work vrf lite, network vrf, introduction to vrfs - part 1, network direction vrf, how vrfs work (vrf lite) vrf part 1, virtual route forwarding, vrf network, virtual routing and forwarding (vrf), network direction, vrf networking, vrf part 1, how vrf routing works, vrf in networking, vrf lite, vrf lite route leaking, vrf, VRF-Lite, how vrf works, vrf routing, virtual routing and forwarding animated, vrf-lite vs vrf
Id: D0IT6ZKY3tg
Length: 11min 26sec (686 seconds)
Published: Thu May 17 2018