Technical Guide: How To | Configure VRF-lite

Introduction

In IP-based networks, VRF stands for Virtual Routing and Forwarding. This technology allows multiple routing domains to co-exist within the same device at the same time. As the routing domains are independent, overlapping IP addresses can be used without causing conflict.
Who should read this document?

This document is aimed at advanced network engineers.

Which products and software version does it apply to?

The information provided in this document applies to:
SwitchBlade AT-x908 and AT-x900 series switches running 5.4.1 and above.
x610 switches running AlliedWare+ version 5.4.2 and above.
Note: VRF-lite is not supported in the x600 series switch.

Software feature licenses

The VRF-lite feature requires a special software license.
Contents

Introduction 1
What is VRF-lite? 1
Who should read this document?
Glossary

ACRONYM   DESCRIPTION
AS        Autonomous System
ACL       Access Control List
BGP       Border Gateway Protocol
FIB       Forwarding Information Base
MPLS      Multi-Protocol Label Switching
OSPF      Open Shortest Path First
RIP       Routing Information Protocol
VPN       Virtual Private Network
VR        Virtual Router
VRF       Virtual Routing and Forwarding
VRF-lite  VRF without MPLS network
CE        Customer edge
PE        Provider edge
RD        Route Distinguisher
RT        Route Target
VCStack   Virtual Chassis Stacking
Understanding VRF-lite

The purpose of VRF is to enable separate IP networks, possibly using overlapping IP addresses, to share the same links and routers. IP traffic is constrained to a set of separate IP Virtual Private Networks (VPNs). These VPNs provide a secure way for a service provider to carry multiple customers' IP networks across a common infrastructure.
VRF-lite security domains

VRF-lite provides network isolation on a single device at Layer 3. Each VRF domain can use the same or overlapping network addresses, because each has its own independent routing table. This separation of the routing tables prevents communication with Layer 3 interfaces in other VRF domains on the same device. Each Layer 3 interface belongs to exactly one VRF instance, and traffic between two Layer 3 interfaces in the same VRF instance is forwarded as normal.
When a Layer 3 interface is moved from the default global VRF domain into a VRF instance, or from one VRF instance to another, the interface name and id (ifindex) are not changed by the move. However, the IP configuration the interface had in its previous VRF is unset (removed) before the interface is moved to the new VRF, so the interface's IP configuration must be reapplied after the move.
Inter-VRF communication

Whilst the prime purpose of VRF-lite is to keep routing domains separate from each other, there are cases where some communication between VRFs is wanted. An example to consider is multiple 'clients' requiring shared Internet access. In this case a VRF instance can be created for each client, providing secure and separate routing.
Static and dynamic inter-VRF routing

As mentioned in "Inter-VRF communication" on page 8, in some circumstances it is required to (selectively) allow traffic between two interfaces that are not in the same VRF. This is useful if there is common network equipment (e.g. Internet connections or shared resources) that multiple VRFs need to share.
VRF-lite features in AW+

Here is a summary of the features provided by the AW+ VRF-lite implementation:
Multiple independent routing table instances may co-exist within the same device.
The same or overlapping IP addresses can be present in different route table instances without conflicting.
All routing table instances remain securely isolated from those existing in other routing tables.
Route limiting per VRF instance

In a multi-VRF network environment, it may be problematic if one VRF injects too many routes and fills up the hardware forwarding table (FIB) on the device, which can affect other VRFs as well as the global VRF. For more information see "Route Limits" on page 84.

VRF-aware utilities within AW+

Some network utility and management features, such as ping, traceroute, telnet client, SSH client, and tcpdump, are supported in a VRF-aware manner.
Telnet client

awplus#telnet ?
  WORD  IPv4/IPv6 address or hostname of a remote system
  ip    IP telnet
  ipv6  IPv6 telnet
  vrf   VRF instance
awplus#telnet vrf ?
  WORD  IPv4 address or hostname of a remote system
  ip    IP telnet
awplus#telnet vrf ip x.x.x.
Configuring VRF-lite

The following section describes the generic commands used to configure VRF-lite.

CONFIGURING ACLS
Step 1: awplus# conf t
  Enter Global Configuration mode.
Step 2: awplus(config)# access-list standard {deny|permit}
  Optional. This command configures a standard named access-control list (ACL). Matching networks (routes) are either imported to or exported from a VRF instance to BGP.
CONFIGURING VLANS AND VLAN DATABASE
Step 1: awplus(config)#vlan database
  VLANs are created in the VLAN database, and ports are assigned to the relevant VLANs.
Step 2: awplus(config-vlan)#vlan x state enable
Step 3: awplus(config-vlan)#exit
Step 4: awplus(config)#interface portx.x.
DYNAMIC ROUTING PROTOCOL - RIP ADDRESS-FAMILY
Step 1: awplus(config)#router rip
  Optional. Enter router configuration mode for RIP.
Step 2: awplus(config-router)#address-family ipv4 vrf
  Associate a RIP address-family with a specific VRF instance.
Step 3: awplus(config-router-af)#network x.x.x.x/x
  Define a network on which the RIP address-family runs.
STATIC ROUTES
Step 1
  Optional. Adds a static route to the routing table of a VRF instance. This can be a route pointing externally to a next hop reachable via an interface in this VRF instance, or it can be used to facilitate inter-VRF routing, in which case it points to an interface in a different VRF instance. Static inter-VRF routes can be used instead of BGP, or in conjunction with BGP, to provide inter-VRF communication.
Static inter-VRF routing

Static inter-VRF routing involves creating static routes in one VRF instance whose egress VLAN belongs to a different VRF instance. These static routes must specify both the egress VLAN and the next hop IP address. The following diagram illustrates the use of static routing to achieve inter-VRF communication in VRF-lite.

[Figure: static inter-VRF routing between VRF red (192.168.1.0/24, host 192.168.1.5), the global default VRF domain (VLAN10 and VLAN20, 192.168.20.0/24) and VRF green]
Dynamic inter-VRF communication explained

The following section explains how VRF routing domain isolation is maintained, and how routes that exist in one VRF instance are leaked to another VRF instance via BGP. Only BGP can be used to dynamically leak routes from one VRF instance to another.

The Forwarding Information Base (FIB) and routing protocols

Associated with each VRF instance is an IP route table, also known as the Forwarding Information Base (FIB).
The command redistribute can be configured in an OSPF instance, BGP address-family, or RIP address-family. Via this command, routes are imported from the FIB associated with the VRF instance into the dynamic routing protocol's table. Any route source (OSPF, BGP, RIP, static, connected, etc.) can be redistributed.
Inter-VRF communication via BGP

Dynamic inter-VRF route leakage is achieved by making copies of BGP routes that exist in one BGP address-family, associated with one VRF instance, in another BGP address-family associated with a different VRF instance.
Using the route-target command

When BGP is used for inter-VRF communication, dynamic route leakage of BGP routes from one VRF instance to another is achieved via the VRF route-target command. There are three variations of the route-target command:

1. route-target export, for example:
ip vrf red
 rd 100:1
 route-target export 100:1

2. route-target import, for example:
ip vrf red
 rd 100:1
 route-target import 100:2

3.
The following three examples demonstrate how the route-target command facilitates inter-VRF communication:

1. If the VRF red configuration includes:
ip vrf red
 rd 100:1
 route-target export 100:1
and if VRF red initially has routes to networks 10.0.0.0/24 and 20.0.0.0/24, then the entries in the address-family red BGP route table for each of those two routes would have the extended-community attribute applied as follows:
10.0.0.0/24  100:1
20.0.0.
3. If the VRF red configuration includes*:
ip vrf red
 rd 100:1
 route-target export 100:1
 route-target export 100:2
 route-target export 100:3
 route-target export 100:4
 route-target import 100:5
 route-target import 100:6
and if VRF red initially has routes to networks 10.0.0.0/24 and 20.0.0.0/24, then each of those two routes would have multiple extended-community attributes (as defined in the route-target export commands configured in the VRF instance) as follows:
10.0.0.
How VRF-lite security is maintained

Only original routes can be copied from one VRF to another. Copied routes cannot subsequently be copied on to a further VRF; this is what keeps the VRF security domains enforced. For example:

VRF red ---- VRF shared ---- VRF green

If VRF red routes are copied into the route table of VRF shared, those VRF red routes cannot subsequently be copied from VRF shared into the VRF green route table.
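The route-target export/import matching described above, together with the "copied routes are never re-exported" rule, can be modelled in a few dozen lines. The following Python is an added illustration written for this guide's editing pass; it is not AlliedWare+ code and it does not talk to a switch. The VRF names, RDs and route-target values are the ones used in this guide's complex example (red exports 100:1, green exports 100:2, both import 100:5; shared imports 100:1 to 100:4 and exports 100:5; overlap has no route-targets and reuses red's subnet). The Route and Vrf classes and the leak_routes() function are assumptions made for the model.

```python
"""Model of BGP route-target based inter-VRF route leakage.
Added example for this guide; not AlliedWare+ code. Assumes a VRF
exports only the routes that originated in its own FIB and imports any
BGP route carrying one of its route-target import values."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_vrf: str                                  # VRF whose FIB supplied the route
    ext_communities: frozenset[str] = frozenset()    # route-targets stamped at export


@dataclass
class Vrf:
    name: str
    rd: str | None = None                            # "rd 100:1"; None for an isolated VRF
    export_rts: frozenset[str] = frozenset()         # "route-target export ..."
    import_rts: frozenset[str] = frozenset()         # "route-target import ..."
    routes: list[Route] = field(default_factory=list)

    def original_routes(self) -> list[Route]:
        """Routes belonging to this VRF's own FIB, i.e. not leaked in."""
        return [r for r in self.routes if r.origin_vrf == self.name]


def export_to_bgp(vrfs: dict[str, Vrf]) -> list[Route]:
    """Each VRF's BGP address-family exports only its ORIGINAL routes and
    stamps every route-target export value on them as an extended community.
    Routes that were themselves copied in are not re-exported: that is the
    rule which keeps VRF red invisible to VRF green across VRF shared."""
    table: list[Route] = []
    for vrf in vrfs.values():
        for route in vrf.original_routes():
            table.append(Route(route.prefix, vrf.name, vrf.export_rts))
    return table


def leak_routes(vrfs: dict[str, Vrf]) -> dict[str, list[str]]:
    """Copy a BGP route into a VRF when at least one of the route's extended
    communities equals one of that VRF's route-target import values.
    Returns each VRF's resulting prefixes, sorted, for inspection."""
    bgp_table = export_to_bgp(vrfs)
    for vrf in vrfs.values():
        for route in bgp_table:
            if route.origin_vrf == vrf.name:
                continue
            if route.ext_communities & vrf.import_rts and route not in vrf.routes:
                vrf.routes.append(route)
    return {name: sorted(r.prefix for r in v.routes) for name, v in vrfs.items()}


def example_topology() -> dict[str, Vrf]:
    """Constructed from the guide's complex example (see its ip vrf blocks)."""
    def vrf(name, rd, exp, imp, prefixes):
        v = Vrf(name, rd, frozenset(exp), frozenset(imp))
        v.routes = [Route(p, name) for p in prefixes]
        return v
    return {
        "red": vrf("red", "100:1", {"100:1"}, {"100:5"}, ["192.168.10.0/24"]),
        "green": vrf("green", "100:2", {"100:2"}, {"100:5"}, ["192.168.20.0/24"]),
        "shared": vrf("shared", "100:5", {"100:5"},
                      {"100:1", "100:2", "100:3", "100:4"}, ["192.168.100.0/24"]),
        # No RD, no route-targets: overlap shares red's subnet but never leaks.
        "overlap": vrf("overlap", None, set(), set(), ["192.168.10.0/24"]),
    }


if __name__ == "__main__":
    topo = example_topology()
    first = leak_routes(topo)
    second = leak_routes(topo)   # a second pass must not move leaked routes any further
    for name in topo:
        print(f"{name:8} {first[name]}")
    assert first == second, "leaked routes were re-exported"
```

Running it shows shared holding red's and green's prefixes, red and green each holding only their own prefix plus shared's, and overlap untouched; a second pass changes nothing, because export_to_bgp() only ever re-reads original routes. If you want to see the isolation fail, change original_routes() to return all routes: green then acquires 192.168.10.0/24 via shared on the second pass, which is exactly the transit the real implementation forbids.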
Simple VRF-lite configuration examples

The following section contains simple configuration examples to explain the basics of VRF-lite configuration used in conjunction with a variety of routing protocols. Firstly, always create a clear VRF communication plan. This includes researching the various routing protocols and likely IP network plans for each VRF, and the likely content of each VRF routing table.
!
interface vlan12
 ip vrf forwarding red
 ip address 10.2.2.1/24
!
interface vlan13
 ip vrf forwarding green
 ip address 10.1.1.1/24
!
interface vlan14
 ip vrf forwarding green
 ip address 10.2.2.1/16
!
router ospf 1 red
 network 10.1.1.0/24 area
 network 10.2.2.0/24 area
 redistribute connected
!
router ospf 2 green
 network 10.1.1.0/24 area
 network 10.2.0.0/16 area
 redistribute connected
!
...
VRFs accessing a shared network: an example of static inter-VRF routing

The partial configuration example below shows the key components required to support static inter-VRF routing. Two companies (VRF red and VRF green) are able to access shared vlan100. Shared vlan100 exists in the global default VRF. Static inter-VRF routing is used in this example to facilitate inter-VRF communication. There are no overlapping IP addresses.
Dynamic inter-VRF communication with RIP routing to external peers

The partial configuration example below shows the key components required to support dynamic inter-VRF communication between two VRF instances using BGP, with RIP routing to external peers. RIP address-families are created, and each RIP address-family is associated with a VRF instance. To achieve inter-VRF communication, BGP is redistributed into each RIP address-family.
Dynamic inter-VRF communication with BGP routing to external peers

The partial configuration example below shows the key components required to support dynamic inter-VRF communication using BGP, with BGP routing to external peers. BGP address-families are created. Each BGP address-family is associated with a VRF instance. Routes within the VRF domain are advertised to external BGP peers.
Dynamic inter-VRF communication with OSPF routing to external peers

The complete configuration example below shows the key components required to support dynamic inter-VRF communication using BGP, with OSPF routing to external peers. VRFs red, green and shared are configured. VRFs red and green can access VRF shared, but not each other. OSPF routing is used in VRFs red and green, and these routes are leaked into VRF shared via BGP.
!
access-list standard greenBlock3334 deny 192.168.33.0/24
access-list standard greenBlock3334 deny 192.168.34.0/24
access-list standard greenBlock3334 permit any
access-list standard redBlock3435 deny 192.168.34.0/24
access-list standard redBlock3435 deny 192.168.35.
interface vlan1
 ip vrf forwarding red
 ip address 192.168.10.1/24
!
interface vlan2
 ip vrf forwarding green
 ip address 192.168.20.1/24
!
interface vlan3
 ip vrf forwarding shared
 ip address 192.168.30.1/24
!
router ospf 1 red
 network 192.168.10.0/24 area 0
 redistribute bgp
!
router ospf 2 green
 network 192.168.20.
Inter-VRF configuration examples with Internet access

The following three complete examples use a similar topology; however, each example involves a different communication plan and a variety of routing protocols. All of the following examples utilise one or more Internet connections.
Configuration

!
ip vrf remote1 1
!
ip vrf remote2 2
!
ip vrf shared3 3
!
ip vrf office4 4
!
vlan database
 vlan 10 name remote1_a
 vlan 11 name remote1_b
 vlan 12 name remote1_c
 vlan 13 name remote1_d
 vlan 20 name remote2_a
 vlan 90 name remote1_e
 vlan 100 name shared3_a
 vlan 101 name shared3_b
 vlan 102 name shared3_c
 vlan 200 name office4_a
 vlan 248 name remote2_b
 vlan 10-13,20,90,100-102,200,248 state enable
!
interface port1.0.
!
interface vlan13
 ip vrf forwarding remote1
 ip address 13.0.0.1/8
!
interface vlan20
 ip vrf forwarding remote2
 ip address 10.0.0.1/8
!
interface vlan90
 ip vrf forwarding remote1
 ip address 14.0.0.1/8
!
interface vlan100
 ip vrf forwarding shared3
 ip address 30.0.0.1/8
!
interface vlan101
 ip vrf forwarding shared3
 ip address 31.0.0.1/8
!
interface vlan102
 ip vrf forwarding shared3
 ip address 32.0.0.
Example B

[Figure: Example B topology. An Internet router performs private-to-public NAT. Intranet remote1 (VRF1, static route) and Intranet remote2 (VRF2, RIP) reach the Internet through the VRF-lite device. VLANs: office4_a (VLAN 200, VRF office4); shared3_a, shared3_b, shared3_c (VLANs 100-102, VRF shared3); remote2_a, remote2_b (VLANs 20, 248, VRF remote2); remote1_a to remote1_e (VLANs 10-13, 90, VRF remote1).]
Configuration

!
access-list standard deny_overlap deny 10.0.0.
!
interface port1.0.6-1.0.26
 switchport
 switchport mode access
!
interface vlan10
 ip vrf forwarding remote1
 ip address 10.0.0.1/8
!
interface vlan11
 ip vrf forwarding remote1
 ip address 11.0.0.1/8
!
interface vlan12
 ip vrf forwarding remote1
 ip address 12.0.0.1/8
!
interface vlan13
 ip vrf forwarding remote1
 ip address 13.0.0.1/8
!
interface vlan20
 ip vrf forwarding remote2
 ip address 10.0.0.1/8
!
interface vlan90
 ip vrf forwarding remote1
 ip address 14.
!
 address-family ipv4 vrf remote2
  redistribute connected
 exit-address-family
!
 address-family ipv4 vrf shared3
  redistribute connected
 exit-address-family
!
ip route vrf remote1 0.0.0.0/0 10.0.0.2
ip route vrf shared3 0.0.0.0/0 30.0.0.2
ip route vrf remote1 80.0.0.0/8 10.0.0.
Example C

[Figure: Example C topology. Intranet remote1 (VRF1, static route) and Intranet remote2 (VRF2) reach the Internet through the VRF-lite device. VLANs: office4_a (VLAN 200, VRF office4); shared3_a, shared3_b, shared3_c (VLANs 100-102, VRF shared3); remote2_a, remote2_b (VLANs 20, 248, VRF remote2); remote1_a to remote1_e (VLANs 10-13, 90, VRF remote1).]
Configuration

!
access-list standard deny_overlap deny 10.0.0.
!
interface port1.0.4
 switchport
 switchport mode trunk
 switchport trunk allowed vlan add 200
!
interface port1.0.5
 switchport
 switchport mode access
 switchport access vlan 100
!
interface port1.0.6-1.0.26
 switchport
 switchport mode access
!
interface vlan10
 ip vrf forwarding remote1
 ip address 10.0.0.1/8
!
interface vlan11
 ip vrf forwarding remote1
 ip address 11.0.0.1/8
!
interface vlan12
 ip vrf forwarding remote1
 ip address 12.0.0.
 exit-address-family
!
 address-family ipv4 vrf office4
  network vlan200
 exit-address-family
!
router bgp 100
 address-family ipv4 vrf remote1
  redistribute connected
 exit-address-family
!
 address-family ipv4 vrf remote2
  redistribute connected
 exit-address-family
!
 address-family ipv4 vrf shared3
  redistribute connected
 exit-address-family
!
ip route vrf remote1 0.0.0.0/0 30.0.0.2 vlan100
ip route vrf remote2 0.0.0.0/0 30.0.0.2 vlan100
ip route vrf shared3 0.
Configuring a complex inter-VRF solution

A network comprising multiple devices that demonstrates inter-VRF routing. A variety of routing protocols are used in this example.

Network description

[Figure: multi-device topology. The VRF-lite device connects to an Internet router (e-BGP peer), a shared router, a RIP peer router on vlan3 (192.168.30.0/24) and an orange router on vlan4 (192.168.40.0/24); further subnets shown include 192.168.18.0/24 and 192.168.20.0/24.]
VRF communication plan

VRF shared can access all of VRFs red, green, blue and orange (excluding VRF overlap). VRFs red, green, blue, and orange are only able to access VRF shared. They cannot access each other in this example. VRF overlap remains completely isolated from all other VRFs, and it has a connected route to subnet 192.168.10.0/24, which is also configured in VRF red.
Configuration breakdown

When configuring a complex inter-VRF aware device, such as in our example, the configuration order is important. We have provided a breakdown before each step to explain the key points you will need to consider.

Configure the standard ACLs

These standard ACLs are associated with route maps. The route maps are referenced by VRF import and export maps. VRF export maps filter routes exported to BGP.
Local interfaces can be utilised by a number of protocols for various purposes. They can be used as a reliable address via which to access a device: an address that is always accessible, irrespective of the link status of any individual external interface. Within each VRF, configure the optional route distinguisher (RD), route-targets and VRF import and export maps. The RD, route-targets and VRF import and export maps are used when leaking routes via BGP.
CONFIGURE VRFS
awplus(config)#ip vrf red 1
awplus(config-vrf)#rd 100:1
awplus(config-vrf)#route-target export 100:1
awplus(config-vrf)#route-target import 100:5
awplus(config-vrf)#import map red43
awplus(config-vrf)#exit
awplus(config)#ip vrf green 2
awplus(config-vrf)#rd 100:2
awplus(config-vrf)#route-target export 100:2
awplus(config-vrf)#route-target import 100:5
awplus(config-vrf)#import map green44
awplus(config-vrf)#exit
awplus(config)#ip vrf blue 3
awplus(co
Configure the hardware ACLs

The command access-list hardware creates a hardware access list. The access list is associated with individual switch ports as an access-group. Each access group contains one or more filters, which filter traffic ingressing the switch port in filter entry order. Each individual filter in the example below matches IP traffic destined to a specific network from any source IP.
CONFIGURE HARDWARE ACLS
awplus(config)#access-list hardware access43
awplus(config-ip-hw-acl)#permit ip any 192.168.43.0/24
awplus(config-ip-hw-acl)#exit
awplus(config)#access-list hardware access44
awplus(config-ip-hw-acl)#permit ip any 192.168.44.0/24
awplus(config-ip-hw-acl)#exit
awplus(config)#access-list hardware access45
awplus(config-ip-hw-acl)#permit ip any 192.168.45.
The third access group, allow100_deny_private, permits VRF red to access the shared VRF network 192.168.100.0/24. After that, traffic to all other networks within the 192.168.0.0/16 address range is denied. The order of filtering is:
1. Allow access to the subnet in which the port resides.
2. Allow access to specific remote networks via shared.
3. Allow access to the 192.168.100.0/24 address range, then deny access to all other networks within the 192.168.0.
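Because the port's access groups are evaluated in order with the first match winning, the filter order above is the whole policy: the same five groups bound in a different order give a different result. The following Python evaluator is an added example for this guide's editing pass, not AlliedWare+ code, and it models only destination-prefix filters. The access43/44/45 filters are taken from this guide's access-list hardware lines; the contents of allow_to_self_40 and allow100_deny_private are assumed from their names and the description above, because the guide's listing of them is truncated, and the action for traffic that matches no filter is assumed to be permit.

```python
"""First-match evaluator for a port's ordered hardware access groups.
Added example; not AlliedWare+ code. Models destination-prefix filters
only, and ASSUMES unmatched traffic is permitted."""
import ipaddress

# Access groups in the order they are bound to the port (the guide binds
# allow_to_self_40, access43, access44, access45, allow100_deny_private
# to the port in VLAN 4). Filters inside allow_to_self_40 and
# allow100_deny_private are ASSUMPTIONS derived from their names.
PORT_ACCESS_GROUPS = [
    ("allow_to_self_40", [("permit", "192.168.40.0/24")]),
    ("access43", [("permit", "192.168.43.0/24")]),
    ("access44", [("permit", "192.168.44.0/24")]),
    ("access45", [("permit", "192.168.45.0/24")]),
    ("allow100_deny_private", [("permit", "192.168.100.0/24"),
                               ("deny", "192.168.0.0/16")]),
]


def evaluate(groups, dst_ip, default="permit"):
    """Walk the access groups in order and return (action, group, prefix)
    for the first filter whose destination prefix contains dst_ip.
    Traffic that matches nothing gets `default` (assumed permit)."""
    dst = ipaddress.ip_address(dst_ip)
    for group_name, filters in groups:
        for action, prefix in filters:
            if dst in ipaddress.ip_network(prefix):
                return action, group_name, prefix
    return default, None, None


def reachability(groups, destinations):
    """Map each destination address to the action the port would take."""
    return {d: evaluate(groups, d)[0] for d in destinations}


def misordered(groups):
    """The same groups with the catch-all deny group bound first: shows why
    the specific permits must precede allow100_deny_private."""
    return [groups[-1]] + groups[:-1]


# Constructed destinations: the port's own subnet, a shared-router subnet,
# the shared VLAN gateway, another VRF's subnet, and an Internet address.
SAMPLE_DESTINATIONS = ["192.168.40.9", "192.168.43.1", "192.168.100.254",
                       "192.168.10.1", "203.0.113.7"]

if __name__ == "__main__":
    for label, groups in (("as configured", PORT_ACCESS_GROUPS),
                          ("deny group first", misordered(PORT_ACCESS_GROUPS))):
        print(label)
        for dst, action in reachability(groups, SAMPLE_DESTINATIONS).items():
            print(f"  {dst:16} {action}")
```

As configured, the port reaches its own subnet, the three networks behind the shared router, the shared VLAN and the Internet, and is denied every other 192.168.0.0/16 address (including VRF red's 192.168.10.0/24, which the routing table would otherwise happily forward to via shared). With allow100_deny_private bound first, the 192.168.0.0/16 deny swallows the shared-router networks and even the port's own subnet, which is the failure mode to check for whenever an access group is added or re-applied to a port.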
awplus(config)#interface port1.0.8
awplus(config-if)#switchport access vlan 6
awplus(config-if)#exit
awplus(config)#interface port1.0.9
awplus(config-if)#switchport access vlan 7
awplus(config-if)#exit

Configure the IP addresses

An IP address is allocated to each Local interface. Also, VLANs are associated with each VRF instance. Each VRF instance can contain multiple VLANs; a VLAN cannot be allocated to multiple VRFs. Each VLAN is allocated an IP subnet.
awplus(config)#interface vlan1
awplus(config-if)#ip vrf forwarding red
awplus(config-if)#ip address 192.168.10.1/24
awplus(config)#interface vlan2
awplus(config-if)#ip vrf forwarding green
awplus(config-if)#ip address 192.168.20.1/24
awplus(config-if)#exit
awplus(config)#interface vlan3
awplus(config-if)#ip vrf forwarding blue
awplus(config-if)#ip address 192.168.30.
Configure routing

Dynamic routing protocols are configured as required and associated with each VRF. OSPF instance 1 is associated with VRF red. OSPF instance 2 is associated with VRF orange. RIP and BGP use address-families as the equivalent of OSPF instances. A RIP ipv4 address-family is created and associated with VRF blue. Appropriate IP networks are allocated to each routing protocol instance or address-family.
Connected routes associated with VRF green are redistributed into BGP, and also advertised to the external BGP neighbor router. VRF green has an i-BGP peering relationship with its neighbor, as the neighbor's ASN is the same (ASN 100). BGP routes learned from the external i-BGP neighbor are added to BGP 100.
CONFIGURE DYNAMIC ROUTING
awplus(config)#router bgp 100
awplus(config-router)#address-family ipv4 vrf red
awplus(config-router-af)#redistribute connected
awplus(config-router-af)#redistribute ospf
awplus(config-router-af)#exit-address-family
awplus(config-router)#address-family ipv4 vrf green
awplus(config-router-af)#redistribute connected
awplus(config-router-af)#neighbor 192.168.20.2 remote-as 100
awplus(config-router-af)#neighbor 192.168.20.
denotes a static route to destination network 192.168.45.0/24 which has a next hop of 192.168.100.2 in VRF shared, egressing VLAN5 in VRF shared. In this example each of the VRF instances red, green, blue, orange and shared has its own static default route to the Internet via VRF shared.

CONFIGURE STATIC ROUTING
awplus(config)#ip route vrf red 0.0.0.0/0 192.168.100.254 vlan5
awplus(config)#ip route vrf green 0.0.0.0/0 192.168.100.
Complete show run output from the VRF device is below.

awplus>ena
awplus#sh run
!
service password-encryption
!
no banner motd
!
username manager privilege 15 password 8 $1$bJoVec4D$JwOJGPr7YqoExA0GVasdE0
!
access-list standard blueBlock4344 deny 192.168.43.0/24
access-list standard blueBlock4344 deny 192.168.44.0/24
access-list standard blueBlock4344 permit any
access-list standard greenBlock4345 deny 192.168.43.0/24
access-list standard greenBlock4345 deny 192.168.45.
!
ip vrf shared 5
 rd 100:5
 route-target import 100:1
 route-target import 100:2
 route-target import 100:3
 route-target import 100:4
 route-target export 100:5
!
ip vrf overlap 6
!
no ip multicast-routing
!
spanning-tree mode rstp
!
access-list hardware access43
 permit ip any 192.168.43.0/24
access-list hardware access44
 permit ip any 192.168.44.0/24
access-list hardware access45
 permit ip any 192.168.45.
 switchport access vlan 4
 access-group allow_to_self_40
 access-group access43
 access-group access44
 access-group access45
 access-group allow100_deny_private
!
interface port1.0.6-1.0.7
 switchport
 switchport mode access
 switchport access vlan 5
!
interface port1.0.8
 switchport
 switchport mode access
 switchport access vlan 6
!
interface port1.0.9
 switchport
 switchport mode access
 switchport access vlan 7
!
interface port1.0.10-1.0.
interface vlan6
 ip vrf forwarding overlap
 ip address 192.168.10.1/24
!
interface vlan7
 ip vrf forwarding overlap
 ip address 192.168.50.1/24
!
router ospf 1 red
 network 192.168.10.0/24 area 0
 redistribute bgp
 default-information originate
!
router ospf 2 orange
 network 192.168.40.0/24 area 0
 redistribute static
 redistribute bgp
 default-information originate
!
router rip
!
 address-family ipv4 vrf blue
  network 192.168.30.
ip route vrf orange 192.168.20.0/24 192.168.40.2
ip route vrf orange 192.168.140.0/24 192.168.40.2
ip route vrf shared 0.0.0.0/0 192.168.100.254
ip route vrf shared 192.168.43.0/24 192.168.100.2
ip route vrf shared 192.168.44.0/24 192.168.100.2
ip route vrf shared 192.168.45.0/24 192.168.100.
[VRF: blue]
S*   0.0.0.0/0 [1/0] via 192.168.100.254, vlan5
C    3.3.3.3/32 is directly connected, lo3
B    5.5.5.5/32 [20/0] is directly connected, lo5, 00:07:21
R    192.168.17.0/24 [120/2] via 192.168.30.2, vlan3, 00:06:48
R    192.168.18.0/24 [120/2] via 192.168.30.2, vlan3, 00:06:48
C    192.168.30.0/24 is directly connected, vlan3
B    192.168.45.0/24 [20/0] via 192.168.100.2, vlan5, 00:07:17
B    192.168.100.0/24 [20/0] is directly connected, vlan5, 00:07:17
[VRF: orange]
S*   0.0.0.
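The route table above is the artefact to check the communication plan against: every route whose egress interface belongs to another VRF, whether a static inter-VRF route (see "Static inter-VRF routing") or a BGP-leaked one, is an inter-VRF path, and the plan says which of those are allowed. The following Python is an added example for this guide's editing pass, not AlliedWare+ code. It parses the [VRF: blue] output copied from above, maps each egress interface to its owning VRF using the VLAN-to-VRF assignments from this example's configuration (loopback ownership, lo3 in blue and lo5 in shared, is assumed from the output), and flags anything the plan forbids; a second, constructed table shows what a violation looks like.

```python
"""Audit 'show ip route vrf' output against the VRF communication plan.
Added example; not AlliedWare+ code."""
import re

# Interface ownership from the guide's configuration. Loopback ownership is
# ASSUMED from the route table (lo3 connected in blue, lo5 leaked from shared).
INTERFACE_VRF = {
    "vlan1": "red", "vlan2": "green", "vlan3": "blue", "vlan4": "orange",
    "vlan5": "shared", "vlan6": "overlap", "vlan7": "overlap",
    "lo3": "blue", "lo5": "shared",
}

# The guide's communication plan: which other VRFs each VRF may reach.
ALLOWED_PEERS = {
    "red": {"shared"}, "green": {"shared"}, "blue": {"shared"}, "orange": {"shared"},
    "shared": {"red", "green", "blue", "orange"},
    "overlap": set(),
}

# Sample output, copied from the guide's [VRF: blue] table.
SAMPLE_OUTPUT = """\
[VRF: blue]
S*   0.0.0.0/0 [1/0] via 192.168.100.254, vlan5
C    3.3.3.3/32 is directly connected, lo3
B    5.5.5.5/32 [20/0] is directly connected, lo5, 00:07:21
R    192.168.17.0/24 [120/2] via 192.168.30.2, vlan3, 00:06:48
R    192.168.18.0/24 [120/2] via 192.168.30.2, vlan3, 00:06:48
C    192.168.30.0/24 is directly connected, vlan3
B    192.168.45.0/24 [20/0] via 192.168.100.2, vlan5, 00:07:17
B    192.168.100.0/24 [20/0] is directly connected, vlan5, 00:07:17
"""

# Constructed (not from the guide): a green prefix that leaked into blue.
BAD_OUTPUT = """\
[VRF: blue]
B    192.168.20.0/24 [20/0] via 192.168.20.2, vlan2, 00:01:00
"""

VRF_RE = re.compile(r"^\[VRF:\s*(?P<vrf>\S+)\]")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<nexthop>[^,\s]+),|is directly connected,)"
    r"\s+(?P<iface>[^,\s]+)")


def parse_routes(text):
    """Return one dict per route line: vrf, code, prefix, nexthop, iface."""
    routes, vrf = [], "global"
    for line in text.splitlines():
        line = line.strip()
        m = VRF_RE.match(line)
        if m:
            vrf = m.group("vrf")
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"vrf": vrf, "code": m.group("code"),
                           "prefix": m.group("prefix"),
                           "nexthop": m.group("nexthop"),
                           "iface": m.group("iface")})
    return routes


def audit(routes, iface_vrf=INTERFACE_VRF, allowed=ALLOWED_PEERS):
    """Flag every route whose egress interface is owned by a VRF that the
    plan does not allow the route's VRF to reach. Unknown interfaces are
    reported too, so a newly added VLAN cannot slip past unreviewed."""
    findings = []
    for r in routes:
        owner = iface_vrf.get(r["iface"])
        if owner is None:
            findings.append((r["vrf"], r["prefix"], r["iface"], "unknown interface"))
        elif owner != r["vrf"] and owner not in allowed.get(r["vrf"], set()):
            findings.append((r["vrf"], r["prefix"], r["iface"], f"egress in VRF {owner}"))
    return findings


if __name__ == "__main__":
    print("guide sample:", audit(parse_routes(SAMPLE_OUTPUT)) or "no findings")
    print("constructed leak:", audit(parse_routes(BAD_OUTPUT)))
```

On the guide's table the audit is clean: blue's only foreign egress is vlan5 (and lo5), both owned by shared, which the plan permits. The constructed line reports ("blue", "192.168.20.0/24", "vlan2", "egress in VRF green"), the signature of a misconfigured route-target import or a static route pointing into a VRF it should not. Running this over the output for every VRF after each change to the ip vrf blocks or the static routes catches exactly the class of mistake that the isolation guarantees cannot protect you from, because the leak was configured.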
Configuration files for each external router used in the topology, and their associated route tables, are below. None of the external routers are VRF aware.

hostname Internet_router
!
vlan database
 vlan 2 state enable
!
interface port1.0.2
 switchport access vlan 2
!
interface vlan1
 ip address 192.168.100.254/24
!
interface vlan2
 ip address 192.168.200.1/24
!
router bgp 200
 bgp router-id 192.168.200.1
 neighbor 192.168.100.1 remote-as 100
 neighbor 192.168.100.
hostname shared_router
!
vlan database
 vlan 2-4 state enable
!
interface port1.0.2
 switchport access vlan 2
!
interface port1.0.3
 switchport access vlan 3
!
interface port1.0.4
 switchport access vlan 4
!
interface vlan1
 ip address 192.168.100.2/24
!
interface vlan2
 ip address 192.168.43.1/24
!
interface vlan3
 ip address 192.168.44.1/24
!
interface vlan4
 ip address 192.168.45.1/24
!
ip route 0.0.0.0/0 192.168.100.
hostname red_ospf_peer
!
vlan database
 vlan 2-3 state enable
!
interface port1.0.2
 switchport access vlan 2
!
interface port1.0.3
 switchport access vlan 3
!
interface vlan1
 ip address 192.168.10.2/24
!
interface vlan2
 ip address 192.168.13.1/24
!
interface vlan3
 ip address 192.168.14.1/24
!
router ospf 1
 ospf router-id 192.168.10.2
 network 192.168.10.
hostname green_i_BGP_peer
!
vlan database
 vlan 2-3 state enable
!
interface port1.0.2
 switchport access vlan 2
!
interface port1.0.3
 switchport access vlan 3
!
interface vlan1
 ip address 192.168.20.2/24
!
interface vlan2
 ip address 192.168.15.1/24
!
interface vlan3
 ip address 192.168.16.1/24
!
router bgp 100
 bgp router-id 192.168.20.2
 redistribute connected
 neighbor 192.168.20.1 remote-as 100
 neighbor 192.168.20.
hostname blue_rip_peer
!
vlan database
 vlan 2-3 state enable
!
interface port1.0.2
 switchport access vlan 2
!
interface port1.0.3
 switchport access vlan 3
!
interface vlan1
 ip address 192.168.30.2/24
!
interface vlan2
 ip address 192.168.17.1/24
!
interface vlan3
 ip address 192.168.18.1/24
!
router rip
 network 192.168.30.
hostname orange_router
!
vlan database
 vlan 2-3 state enable
!
interface port1.0.2
 switchport access vlan 2
!
interface port1.0.3
 switchport access vlan 3
!
interface vlan1
 ip address 192.168.40.2/24
!
interface vlan2
 ip address 192.168.20.1/24
!
interface vlan3
 ip address 192.168.140.1/24
!
ip route 0.0.0.0/0 192.168.40.
hostname orange_ospf_peer
!
vlan database
 vlan 2 state enable
!
interface port1.0.2
 switchport access vlan 2
!
interface vlan1
 ip address 192.168.40.3/24
!
interface vlan2
 ip address 192.168.19.1/24
!
router ospf 1
 ospf router-id 192.168.40.3
 network 192.168.40.
VCStack and VRF-lite

The following example illustrates how to configure VRF-lite in a VCStacked environment. In the example below, each port from the x900 connects to a different x610 VCStack member. Each port also belongs to a different VRF domain. E-BGP peering between IP local addresses is used between the x900 and the x610 VCStack members on a per-VRF basis, so that the x900 device learns routes to the x610 subnets associated with each VRF.

[Figure: VCStack topology]
Virtual Chassis ID

Also, the optional command stack virtual-chassis-id specifies the VCS virtual chassis ID. If not configured, the stack will automatically select a virtual-chassis-id from the assigned range 0-4095. The ID selected determines which virtual MAC address the stack will automatically use. The MAC address assigned to a stack must be unique within its network. For more information about VCStack, refer to http://www.alliedtelesis.
 ip address 11.11.11.1/24
!
interface vlan14
 ip vrf forwarding violet
 ip address 192.168.14.1/24
!
interface vlan15
 ip vrf forwarding grey
 ip address 192.168.15.1/24
!
router bgp 100
!
 address-family ipv4 vrf violet
  redistribute connected
  neighbor 70.70.70.2 remote-as 300
  neighbor 70.70.70.2 ebgp-multihop 2
  neighbor 70.70.70.2 update-source lo7
  neighbor 70.70.70.2 activate
 exit-address-family
!
 address-family ipv4 vrf grey
  redistribute connected
  neighbor 80.80.80.
!
interface vlan14
 ip vrf forwarding violet
 ip address 192.168.14.2/24
!
interface vlan15
 ip vrf forwarding grey
 ip address 192.168.15.2/24
!
router bgp 300
!
 address-family ipv4 vrf grey
  network 80.80.80.2/32
  redistribute connected
  neighbor 8.8.8.1 remote-as 100
  neighbor 8.8.8.1 ebgp-multihop 2
  neighbor 8.8.8.1 update-source lo8
  neighbor 8.8.8.1 activate
 exit-address-family
!
 address-family ipv4 vrf violet
  network 70.70.70.2/32
  redistribute connected
  neighbor 7.7.7.
Sharing VRF routing and double tagging on the same port

In this scenario, both VRF-lite traffic and double VLAN tagged traffic are transported between the two x610 switches via a single shared port. The double tagging feature (nested VLANs) makes use of the tag-in-tag technique. The inner tag comes from the end hosts whilst the outer tag is configured in the x610 switches. VRF-lite traffic remains separated from the double VLAN tagged traffic.

[Figure: two x610 switches sharing one port for VRF-lite traffic (e.g. port6, vlan112, VRF green, 192.168.x.x) and double-tagged traffic]
Configurations
x610 A
ip vrf red 1
ip vrf green 2
vlan database
 vlan 20 name nested
 vlan 11-12,20,111-112 state enable
interface port1.0.5
 switchport access vlan 111
interface port1.0.6
 switchport access vlan 112
interface port1.0.12
 switchport access vlan 20
 switchport vlan-stacking customer-edge-port
interface port1.0.
interface port1.0.20
 switchport mode trunk
 switchport trunk allowed vlan add 11-12,20
 switchport trunk native vlan none
 switchport vlan-stacking provider-port
interface vlan11
 ip vrf forwarding red
 ip address 192.168.11.2/24
interface vlan12
 ip vrf forwarding green
 ip address 192.168.12.2/24
interface vlan111
 ip vrf forwarding red
 ip address 192.168.211.1/24
interface vlan112
 ip vrf forwarding green
 ip address 192.168.212.1/24
ip route vrf red 192.168.111.0/24 192.168.11.
Dynamic inter-VRF routing between the global VRF domain and a VRF instance
This section contains two configuration examples. Both show how to configure dynamic inter-VRF routing via BGP between the default global VRF domain and VRF red, and both use the topology described in the drawing below. The first example includes i-BGP peering to the external red router.
For both examples, all BGP neighbor relationships peer between IP local addresses, not between VLAN interface IP addresses within the same subnet.
BGP configuration tips
The following BGP configuration tips explain the use of some BGP-specific commands in the i-BGP and e-BGP example configuration files below.
neighbor x.x.x.x update-source lo
The command neighbor x.x.x.
The global parameter in the command neighbor x.x.x.x remote-as <64515> global is required to facilitate an e-BGP peering from VRF red to the global VRF domain. Conversely, the target vrf-name in the command neighbor x.x.x.x remote-as <64512> vrf must be configured to facilitate an e-BGP peering from the global VRF domain to VRF red.
Dynamic inter-VRF communication with i-BGP routing to external peer VRF device
access-list standard redblock4445 deny 192.168.44.0/24
access-list standard redblock4445 deny 192.168.45.0/24
access-list standard redblock4445 permit any
!
ip vrf red 1
 rd 100:1
!
vlan database
 vlan 10 state enable
!
interface port1.0.3
 switchport access vlan 10
!
interface lo
 ip address 1.1.1.1/32
!
interface lo1
 ip address 2.2.2.
red router
vlan database
 vlan 2-3 state enable
!
interface port1.0.13
 switchport access vlan 2
!
interface port1.0.14
 switchport access vlan 3
!
interface lo
 ip address 7.7.7.7/32
!
interface vlan1
 ip address 192.168.10.2/24
!
interface vlan2
 ip address 192.168.13.1/24
!
interface vlan3
 ip address 192.168.14.1/24
!
router bgp 100
 redistribute connected
 redistribute static
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.
 redistribute connected
 redistribute static
 neighbor 2.2.2.2 remote-as 64512 vrf red
 neighbor 2.2.2.2 local-as 64515
 neighbor 2.2.2.2 update-source 1.1.1.1
 neighbor 2.2.2.2 route-map 43 out
 !
 address-family ipv4 vrf red
  redistribute connected
  redistribute static
  neighbor 1.1.1.1 remote-as 64515 global
  neighbor 1.1.1.1 local-as 64512
  neighbor 1.1.1.1 update-source lo1
  neighbor 1.1.1.1 activate
  neighbor 7.7.7.
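The inter-VRF peering above deliberately leaks routes between VRF red and the global domain, and the access-list redblock4445 together with the outbound route-map on the global-side neighbor is what decides which red prefixes cross that boundary. The contents of route-map 43 are not shown in the guide, so the following added example (not code from the guide or from Allied Telesis) simply evaluates the access-list itself as an outbound prefix filter in Python, against a constructed set of candidate red prefixes. How a standard list entry matches a route (only the identical prefix, or any more-specific route inside it) is platform-dependent and is an assumption here, so both interpretations are shown; the difference is exactly the case a more-specific prefix slipping past a deny entry.

```python
"""Evaluate which VRF red prefixes an outbound prefix filter lets through (added example)."""
import ipaddress

# The access-list from the configuration above, as (action, prefix-or-"any") entries.
REDBLOCK4445 = [
    ("deny", "192.168.44.0/24"),
    ("deny", "192.168.45.0/24"),
    ("permit", "any"),
]

# Constructed candidate routes that VRF red might offer to the global-domain peer.
CANDIDATES = [
    "192.168.13.0/24",    # ordinary red subnet: expected to be advertised
    "192.168.44.0/24",    # listed deny
    "192.168.45.0/24",    # listed deny
    "192.168.44.128/25",  # more specific of a denied prefix
    "192.168.0.0/16",     # aggregate that covers the denied space
]


def acl_decision(acl, prefix, mode="contained"):
    """First matching entry wins; no match means the implicit deny at the end.

    mode="contained": an entry matches any route that lies inside its prefix
    (assumption about how the platform matches standard-list prefixes).
    mode="exact": an entry matches only the identical prefix.
    """
    route = ipaddress.ip_network(prefix)
    for action, pattern in acl:
        if pattern == "any":
            return action
        entry = ipaddress.ip_network(pattern)
        if route.version != entry.version:
            continue
        matched = route == entry if mode == "exact" else route.subnet_of(entry)
        if matched:
            return action
    return "deny"


def advertised(acl, candidates, mode="contained"):
    """Prefixes the filter would pass to the neighbour, in candidate order."""
    return [p for p in candidates if acl_decision(acl, p, mode) == "permit"]


if __name__ == "__main__":
    for mode in ("contained", "exact"):
        print(mode, advertised(REDBLOCK4445, CANDIDATES, mode))
```

Under either interpretation the covering aggregate 192.168.0.0/16 passes, because a deny-list only blocks what it names; if the intent is that nothing reachable via the 44 and 45 subnets is learnt from the global domain, the filter needs to be written as an explicit permit list with the implicit deny doing the work, and the advertised set should be confirmed on the global-domain side with the show ip bgp vrf commands listed at the end of this guide.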
Route Limits
In a multi-VRF network environment, it may be disastrous if one VRF injects too many routes and fills up the hardware forwarding table (FIB) on a device, which can affect other VRFs (as well as the global VRF). In software version 5.4.2 and later this risk can be mitigated, as route limits can now be configured on a per-VRF basis. The existing AW+ commands max-static-routes and max-fib-routes have been extended in 5.4.
Configuring dynamic route limits
AW+ supports limiting dynamic routes via the max-fib-routes command in the global VRF domain, where the limit is unlimited by default. The same AW+ command can now also be applied on a per-VRF basis.
max-fib-routes
Description: Use the command max-fib-routes to set the maximum number of dynamic routes in the FIB (Forwarding Information Base). Static and connected routes are not included.
awplus(config)# ip vrf red
awplus(config-vrf)# max-fib-routes 2000 75

Alternatively, to ensure a warning message is generated when the number of routes exceeds the limit (while routes exceeding the limit can still be added), configure the following:

awplus(config)# ip vrf red
awplus(config-vrf)# max-fib-routes <1-4294967294> warning-only

Note: Dynamic route limits are applied before routes are added to the FIB.
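To make the effect of a per-VRF limit concrete, the following added example (not code from the guide or from Allied Telesis) models in Python a shared hardware FIB that two VRFs compete for, with the limit checked before a route is installed, as the note above describes. The second argument of max-fib-routes (75 in the command above) is assumed here to be the percentage of the limit at which a warning is raised; the warning-only keyword is modelled as logging but still installing. Only dynamic routes are counted, matching the command description. The route counts and table capacity are constructed for the example.

```python
"""Model per-VRF dynamic route limits protecting a shared hardware FIB (added example)."""


class HardwareFib:
    """A shared forwarding table: every VRF's routes compete for the same slots."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.used = 0

    def install(self):
        if self.used >= self.capacity:
            return False
        self.used += 1
        return True


class Vrf:
    """One VRF with an optional max-fib-routes limit.

    max_fib_routes=None models the unlimited default.  warn_percent models the
    second argument of max-fib-routes (assumed: percentage of the limit at which
    a warning is raised).  warning_only models the warning-only keyword, where
    routes over the limit are still installed.
    """

    def __init__(self, name, hw, max_fib_routes=None, warn_percent=None, warning_only=False):
        self.name, self.hw = name, hw
        self.max_fib_routes, self.warn_percent = max_fib_routes, warn_percent
        self.warning_only = warning_only
        self.dynamic = set()
        self.events = []

    def add_dynamic_route(self, prefix):
        """Return True if the route was installed; the limit is checked before the FIB is touched."""
        limit = self.max_fib_routes
        if limit is not None and len(self.dynamic) >= limit:
            if not self.warning_only:
                self.events.append(f"{self.name}: max-fib-routes {limit} reached, {prefix} dropped")
                return False
            self.events.append(f"{self.name}: over max-fib-routes {limit} (warning-only), installing {prefix}")
        if not self.hw.install():
            self.events.append(f"{self.name}: hardware FIB full, {prefix} dropped")
            return False
        self.dynamic.add(prefix)
        n = len(self.dynamic)
        # Warn once, when the count first reaches warn_percent of the limit.
        if limit and self.warn_percent and n * 100 >= limit * self.warn_percent > (n - 1) * 100:
            self.events.append(f"{self.name}: {n} routes, {self.warn_percent}% of max-fib-routes {limit}")
        return True


def simulate(red_limit=None, warn_percent=75, warning_only=False, capacity=12):
    """VRF red receives 15 dynamic routes, then VRF blue receives 4.

    Returns how many routes each VRF installed plus red's events, so the effect
    of limiting red on blue (which has no limit of its own) is visible.
    """
    hw = HardwareFib(capacity)
    red = Vrf("red", hw, red_limit, warn_percent, warning_only)
    blue = Vrf("blue", hw)
    red_installed = sum(red.add_dynamic_route(f"10.{i}.0.0/16") for i in range(15))
    blue_installed = sum(blue.add_dynamic_route(f"172.16.{i}.0/24") for i in range(4))
    return {"red_installed": red_installed, "blue_installed": blue_installed,
            "red_events": red.events}


if __name__ == "__main__":
    for args in ({}, {"red_limit": 8}, {"red_limit": 8, "warning_only": True}):
        result = simulate(**args)
        print(args, result["red_installed"], result["blue_installed"])
        for event in result["red_events"]:
            print("   ", event)
```

With no limit, red fills the table and blue installs nothing; with red limited to 8, red is capped, a warning fires at 6 routes (75% of 8), and blue's 4 routes all fit. With warning-only the log shows the overrun but blue is again starved, which is why warning-only is a monitoring aid rather than protection for the other VRFs.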
VRF-lite usage guidelines
The general guideline is that all current services remain available in the default global VRF domain only, unless the service is either explicitly VRF aware, or the service runs completely independently of VRF and therefore has no requirement to be VRF aware.
Useful VRF-related diagnostics command list
Below is a summary list of diagnostics commands that you may find helpful when troubleshooting VRF-related issues. Many existing commands have been made VRF aware and some are included below. Please refer to the software reference manual for a complete list of VRF aware commands.
  connected  Connected
  database   IP routing table database
  global     Global Routing/Forwarding table
  ospf       Open Shortest Path First (OSPF)
  rip        Routing Information Protocol (RIP)
  static     Static routes
  summary    Summary of all routes
  vrf        Display routes from a VRF instance
  |          Output modifiers
  >          Output redirection
  >>         Output redirection (append)

awplus#show ip route vrf
awplus#show ip route vrf ?
  bgp        Border Gateway Protocol (BGP)
  connected  Connected
  database
awplus#sh ip ospf interface
awplus#sh ip ospf ?
  <0-65535>       Process ID number
  border-routers  Border and Boundary Router Information
  database        Database summary
  interface       Interface information
  neighbor        Neighbor list
  route           OSPF routing table
  virtual-links   Virtual link information
  |               Output modifiers
  >               Output redirection
  >>              Output redirection (append)

awplus#sh ip ospf 1
awplus#sh ip ospf 1 ?
  border-routers  Border and Boundary Router Information
  database        Database summary
  neighbor        Neighbor list
  route           OSPF routing table
  virtual-links   Virtual link information
  |               Output modifiers
  >               Output redirection
  >>              Output redirection (append)
awplus#show ip bgp vrf ?
  A.B.C.D    IP prefix <network>, e.g., 35.0.0.0
  A.B.C.D/M  IP prefix <network>/<length>, e.g., 35.0.0.