Allied Telesis C613-16164-00 REV E User Manual

Technical Guide

How To | Configure VRF-lite

Introduction

In IP-based networks, VRF stands for Virtual Routing and Forwarding. This technology allows multiple routing domains to co-exist within the same device at the same time. As the routing domains are independent, overlapping IP addresses can be used without causing conflict. In large service provider networks, virtual routing and forwarding is used in conjunction with MPLS (Multi-Protocol Label Switching) to separate each customer's traffic into its own wide area VPN. VRF is also known as VPN Routing and Forwarding (when used with MPLS), and as Multi-VRF.

What is VRF-lite?

VRF-lite is VRF without the need to run MPLS in the network. VRF-lite is used for isolating customer networks: it allows multiple secure customer routing domains to co-exist in one physical device simultaneously while remaining completely isolated from each other.

VRF-lite also allows the re-use of IP addresses on the same physical device. An IP address range used in one VLAN in one VRF domain can simultaneously be used in another VLAN in a different VRF domain within the same device. While VRF-lite segregates traffic from different customers/clients, VRF-lite can also allow route leakage between VRF domains (inter-VRF communication), by using static inter-VRF routes and/or dynamic route leakage via BGP and its associated route maps. This provides filtered access from one VRF routing domain to another where the IP address ranges do not overlap.

This How To Note begins with a description of VRF-lite's key features and the generic commands used to configure VRF-lite. A number of simple configuration examples are provided to illustrate its use with the OSPF, RIP, and BGP routing protocols. This is followed by a configuration breakdown of a complex inter-VRF scenario, which includes overlapping IP addresses and a range of routing protocols. Dynamic inter-VRF communication between the global VRF domain and a VRF instance is also explained. Finally, a short list of diagnostic commands is provided to help troubleshoot VRF-related issues.

C613-16164-00 REV E

alliedtelesis.com

Who should read this document?

This document is aimed at advanced network engineers.

Which products and software version does it apply to?

The information provided in this document applies to:

SwitchBlade AT-x908 and AT-x900 series switches running 5.4.1 and above.

x610 switches running AlliedWare+ version 5.4.2 and above.

Note: VRF-lite is not supported in the x600 series switch.

Software feature licenses

The VRF-lite feature requires a special software license. Without a proper license installed, configuring VRFs is not possible. A VRF-lite feature license key is distributed in the Advanced Layer 3 License Bundle, which allows up to 8 VRF-lite instances to be configured.

The number of configurable VRF-lite instances can be increased via an additional VRF-lite-63 license.

The Advanced Layer 3 License Bundle containing the VRF-lite feature and the additional VRF-lite-63 license are available through the AW+ licensing web portal (http://licensing.alliedtelesis.com/).

A VRF-lite-63 license requires an Advanced Layer 3 License Bundle to work.

Note: Enabling multiple VRFs means there will be more routing entries on the device systemwide. This may affect the number of routes used by BGP or OSPF specified by the licence key on the device.

Command summary

All the existing CLI commands available in the current non-VRF environment are available with no change.

Page 2 | Configure VRF-lite

Contents

Introduction ........................................................ 1
  What is VRF-lite? ................................................. 1
  Who should read this document? .................................... 2
  Which products and software version does it apply to? ............. 2
  Software feature licenses ......................................... 2
  Command summary ................................................... 2
Glossary ............................................................ 3
Understanding VRF-lite .............................................. 4
  VRF-lite security domains ......................................... 5
  Route table and interface management with VRF-lite ................ 5
  Inter-VRF communication ........................................... 7
  Static and dynamic inter-VRF routing .............................. 8
  VRF-lite features in AW+ .......................................... 9
  Route limiting per VRF instance .................................. 10
  VRF-aware utilities within AW+ ................................... 10
Configuring VRF-lite ............................................... 12
  Static inter-VRF routing ......................................... 16
Dynamic inter-VRF communication explained .......................... 17
  The Forwarding Information Base (FIB) and routing protocols ...... 17
  Inter-VRF communication via BGP .................................. 19
  How VRF-lite security is maintained .............................. 23
Simple VRF-lite configuration examples ............................. 24
  Multiple VRFs without inter-VRF communication .................... 24
  Dynamic inter-VRF communication with RIP routing to external peers ...... 27
  Dynamic inter-VRF communication with BGP routing to external peers ...... 28
  Dynamic inter-VRF communication with OSPF routing to external peers ..... 29
Inter-VRF configuration examples with Internet access .............. 32
Configuring a complex inter-VRF solution ........................... 43
  Network description .............................................. 43
  Configuration breakdown .......................................... 45
VCStack and VRF-lite ............................................... 70
  Sharing VRF routing and double tagging on the same port .......... 74
Dynamic inter-VRF routing between the global VRF domain and a VRF instance ... 77
  BGP configuration tips ........................................... 78
  Dynamic inter-VRF communication with i-BGP routing to external peer ..... 80
  Dynamic inter-VRF communication with e-BGP routing to external peer ..... 81
Route Limits ....................................................... 83
  Configuring static route limits .................................. 83
  Configuring dynamic route limits ................................. 84
VRF-lite usage guidelines .......................................... 86
Useful VRF-related diagnostics command list ........................ 87

Glossary

ACRONYM    DESCRIPTION
AS         Autonomous System
ACL        Access Control List
BGP        Border Gateway Protocol
FIB        Forwarding Information Base
MPLS       Multi-Protocol Label Switching
OSPF       Open Shortest Path First
RIP        Routing Information Protocol
VPN        Virtual Private Network
VR         Virtual Router
VRF        Virtual Routing and Forwarding
VRF-lite   VRF without an MPLS network
CE         Customer edge
PE         Provider edge
RD         Route Distinguisher
RT         Route Target
VCStack    Virtual Chassis Stacking

Understanding VRF-lite

The purpose of VRF is to enable separate IP networks, possibly using overlapping IP addresses, to share the same links and routers. IP traffic is constrained to a set of separate IP Virtual Private Networks (VPNs). These VPNs provide a secure way for a service provider to carry multiple customers’ IP networks across a common infrastructure. The different customers’ IP networks are able to operate in complete isolation from each other, so there is no requirement for them to use separate IP address ranges, and there is no leakage of traffic from one VPN to another, unless specifically requested.

A full VRF solution commonly involves different portions of the IP networks being connected to each other by an MPLS backbone network. The separate IP networks are allocated different labels (tags) in the MPLS network. So the full VRF solution involves not only managing multiple separate IP networks within the same routers, but also a network-to-MPLS label mapping process.

In the full VRF solution a distinction is made between Customer Edge (CE) routers and Provider Edge (PE) routers. CE routers aggregate the separate IP networks of the service provider’s different clients. PE routers connect the IP networks to the MPLS backbone.

[Figure: full MPLS-VRF topology. Customer A (VPN 1) and Customer B (VPN 2) each connect through a CE device to a PE router; the PE routers (the MPLS-VRF devices) carry both VPNs across the MPLS network to the matching PE and CE devices on the far side. CE = Customer edge device, PE = Provider edge router.]

VRF-lite is a subset of the full VRF solution. In a VRF-lite solution there are multiple IP networks sharing the same routers, but no MPLS core is involved. So, VRF-lite is just the customer edge router part of VRF, without the provider edge router part.

VRF-lite facilitates multiple separate routing tables within a single router: one routing table associated with each of the customer VPNs connected to the device. Multiple VRF instances are defined within a router. One or more Layer 3 interfaces (VLANs) are associated with each VRF instance, forming an isolated VRF routing domain. A Layer 3 interface cannot belong to more than one VRF instance at any time.

VRF-lite security domains

VRF-lite provides network isolation on a single device at Layer 3. Each VRF domain can use the same or overlapping network addresses, as they have independent routing tables. This separation of the routing tables prevents communication to Layer 3 interfaces in other VRF domains on the same device. Each Layer 3 interface belongs to exactly one VRF instance, and traffic between two Layer 3 interfaces in the same VRF instance is allowed as normal. By default, interfaces in other VRF instances are not reachable, as no route exists between the interfaces unless one is explicitly configured via inter-VRF routing.

[Figure: a single switch (SW) with VLAN interfaces vlan2 to vlan6 and hosts PC1 to PC6 split across three VRF instances: Company A (PC1, PC2) in VRF red, and Company B (PC3, PC4) and Company C (PC5, PC6) in VRF green and VRF blue. Addresses in the 10.x.x.x range (/8, /16 and /24 prefixes) are re-used across the VRFs.]

For example, on a device three VRF instances (VRF red, VRF green and VRF blue) are configured for three different companies. Devices PC1 and PC2 from Company A can communicate normally within the confines of VRF red, but none of PC1’s and PC2’s traffic can be seen by other devices in VRF green and VRF blue.

Route table and interface management with VRF-lite

A key feature that VRF-lite introduces to a router is the existence of multiple IP route tables within the one router.

By default, before any VRF is configured, a router will have one route table, and routes via all IP interfaces of the router will be stored in this one table. As VRF instances are configured on the router, the original route table remains. This default route table, and its associated IP interfaces, are then referred to as the default global VRF domain.

Interface management with VRF

Each network interface can belong to only one VRF. As mentioned above, initially every interface is in the default global VRF domain. As Layer 3 interfaces are moved to the created VRF instances, they are removed from the global VRF domain, so the global VRF domain manages a decreasing set of Layer 3 interfaces.

When a Layer 3 interface is moved to a VRF instance from the default global VRF domain, or when a Layer 3 interface is moved from one VRF instance to another via command, the interface name and id (ifindex) are never changed as a result of the interface movement. However IP configuration on the interface in the previous VRF is unset (removed) before moving the interface to a new VRF.

ARP entries associated with the Layer 3 interface are cleared when the interface is moved from one VRF instance to another. In addition (static and dynamic) ARP entries are VRF aware, as the same IP address can be used in other VRF instances.

Adding a VRF-aware static ARP

    awplus(config)# arp ?
      A.B.C.D   IP address of the ARP entry
      log       ARP log
      vrf       VRF instance

    awplus(config)# arp vrf <name> ?
      A.B.C.D   IP address of the ARP entry

Route management with VRF

Each VRF instance maintains its own IPv4 routing table independent from the routing table of the global VRF domain or other VRFs.

Routing entries can be added statically by user command or dynamically by a routing protocol module such as BGP, OSPF, or RIP within the VRF instance. Use of a dynamic routing protocol allows for each VRF network to maintain a consistent routing table across all the devices within the VRF network.

The way in which each routing protocol runs a separate instance of itself per VRF varies from protocol to protocol:

For BGP, one BGP routing instance runs for an Autonomous System in the global VRF domain, and individual BGP routing tables are managed per VRF by using the address-family feature. One address-family is created for each VRF instance.

For OSPF, one OSPF routing instance is configurable per VRF, and one OSPF instance is configurable within the global VRF domain.

For RIP, one RIP routing instance runs in the default global VRF domain, and individual RIP routing tables are managed per VRF by using the address-family feature. One address-family is created for each VRF instance.

Note: The show ip route command can display the routes associated with each VRF instance.

Inter-VRF communication

Whilst the prime purpose of VRF-lite is to keep routing domains separate from each other, there are cases where you do want some communication between VRFs.

An example to consider is multiple 'clients' requiring shared Internet access. In this case a VRF instance can be created for each, providing secure and separate routing. Whilst overlapping IP addresses could be used with this scenario, only one instance of each overlapping address range will be able to access the Internet for the simple reason that when return traffic comes back from the Internet to an address in one of the overlapped subnets, the VRF aware device must have only one choice for which instance of that subnet to send that return traffic to.

A distinct shared VRF is utilised to allow sharing of the Internet connection. The shared VRF is actually just another VRF instance; it has no special VRF properties.

In the example below, each of the red and green VRFs needs inter-VRF communication with the shared VRF. This is achieved by selectively leaking routes between the shared VRF and the other two VRFs, and vice versa. The selective leaking can use statically configured routes or dynamic route import/export via the BGP protocol.

[Figure: VRF shared holds the Internet connection. VRF red (Wi-Fi access) and VRF green (the internal company network) each exchange leaked routes with VRF shared, but not with each other.]

For example, a company may wish to segregate its network and provide Wi-Fi access to the Internet for visitors to the company, whilst preventing the visitors from accessing the internal company network. The users in the internal company network and the visitors in the Wi-Fi network are able to share a single common Internet connection.

The internal company and Wi-Fi networks are isolated at Layer 3 on the same device by using different VRFs, but both need to access the Internet through the same network interface in VRF shared. To make this work with dynamic route import/export, VRF green (the company VRF) needs to import routes from VRF shared to access the Internet, and selected routes from VRF green need to be exported to VRF shared. Similar configuration is needed for VRF red (the Wi-Fi VRF) to import/export routes between VRF red and VRF shared.

As a result traffic flows between VRF green and VRF shared and between VRF red and VRF shared but not between VRF green and VRF red.

Static and dynamic inter-VRF routing

As mentioned above in "Inter-VRF communication" on page 8, in some circumstances it is required to (selectively) allow traffic between two interfaces that are not in the same VRF. This is useful if there is common network equipment (e.g. Internet connections or shared resources) that multiple VRFs need to share.

Inter-VRF routing is achieved by statically or dynamically taking a route entry and its next-hop interface from one VRF, and adding it into the routing table of another. A dynamic inter-VRF route can be added by using the BGP route import/export feature. A static inter-VRF route can be added by a user command. For more information on static routing, see "Static inter-VRF routing" on page 17.

Static and dynamic inter-VRF communication can be used simultaneously or separately. Dynamic inter-VRF communication is only achieved via the BGP routing protocol; OSPF and RIP cannot be used to achieve inter-VRF communication.

Internally transferring routes between VRF instances is quite separate from sharing the routes of a specific VRF routing domain with external routers that are members of that same domain. As mentioned above, all the dynamic routing protocols can be used to distribute routing information to external peer devices: OSPF, RIP, and BGP can all be used to dynamically distribute routes to external peers within VRF routing domains.

When BGP is used for dynamic inter-VRF communication, routes from other sources (connected routes, static routes, OSPF or RIP) are redistributed into a VRF instance's BGP route table (BGP must be configured and associated with the VRF instance). Other VRF instances that are configured with BGP can then selectively copy these routes into their own separate BGP route tables.

Inter-VRF route leakage interoperates with the exchange of route information with external peers. Routes learnt from external peers in one VRF domain can be leaked to other VRF instances, and routes leaked into a VRF instance can then be advertised to external peers connected to that instance.

The details of dynamic inter-VRF routing are described in "Dynamic inter-VRF communication explained" on page 18.
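The isolation and leaking rules described in the three sections above (VRF-lite security domains, inter-VRF communication through a shared VRF, and static and dynamic inter-VRF routing) can be modelled directly. The Python model below is an added illustration for this guide; it is not AlliedWare Plus code and it does not reproduce the device CLI. The VRF names red, green and shared follow the example above, while the VLAN numbers, host addresses and the upstream next hop 192.168.1.254 are a constructed scenario. The model keeps one route table per VRF with longest-prefix matching, binds each Layer 3 interface to exactly one VRF (unsetting its previous IP configuration on a move), implements a static leak that copies a route together with its next-hop interface, and a filtered leak that stands in for a BGP export/import with a permit-only route map. It also refuses to leak a second, overlapping copy of a prefix into the shared VRF, which is the return-traffic ambiguity the text describes for overlapping address ranges.

```python
"""Toy model of VRF-lite forwarding: one route table per VRF, every Layer 3 interface
in exactly one VRF, and explicit (static or filtered) route leaking between VRFs.
Added illustration for this guide; not AlliedWare Plus code and not its CLI."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    egress: str                      # Layer 3 interface the packet leaves on
    next_hop: Optional[IPv4Address]  # None for a connected (directly attached) route
    origin: str                      # "connected", "static" or "leaked:<source vrf>"


class VrfLiteDevice:
    """Global route table plus one independent table per VRF instance."""

    GLOBAL = "global"

    def __init__(self) -> None:
        self.tables: dict[str, list[Route]] = {self.GLOBAL: []}
        self.vrf_of: dict[str, str] = {}  # interface name -> the one VRF it belongs to

    def bind_interface(self, ifname: str, vrf: str, addr: str) -> None:
        """Move a Layer 3 interface into `vrf` (created on first use). As on the real
        device, the IP configuration it had in its previous VRF is unset."""
        old = self.vrf_of.get(ifname, self.GLOBAL)
        self.tables[old] = [r for r in self.tables[old] if r.egress != ifname]
        self.vrf_of[ifname] = vrf
        self.tables.setdefault(vrf, []).append(
            Route(ip_network(addr, strict=False), ifname, None, "connected"))

    def add_static(self, vrf: str, prefix: str, next_hop: str, egress: str) -> None:
        """Ordinary static route: the egress interface must already be in `vrf`."""
        if self.vrf_of.get(egress, self.GLOBAL) != vrf:
            raise ValueError(f"{egress} is not in VRF {vrf}; use leak() for inter-VRF routes")
        self.tables[vrf].append(Route(ip_network(prefix), egress, ip_address(next_hop), "static"))

    def _ambiguous(self, dst_vrf: str, prefix: IPv4Network, egress: str) -> bool:
        """True if `dst_vrf` already reaches an overlapping prefix through a third VRF's
        interface, so return traffic would have more than one candidate VRF."""
        own = {dst_vrf, self.vrf_of.get(egress, self.GLOBAL)}
        return any(r.prefix.overlaps(prefix) and self.vrf_of.get(r.egress, self.GLOBAL) not in own
                   for r in self.tables[dst_vrf])

    def leak(self, src_vrf: str, prefix: str, dst_vrf: str) -> Route:
        """Static inter-VRF route: copy the entry *and its next-hop interface* from
        `src_vrf` into `dst_vrf`, refusing to create an ambiguous return path."""
        net = ip_network(prefix)
        src = next((r for r in self.tables[src_vrf] if r.prefix == net), None)
        if src is None:
            raise LookupError(f"{prefix} is not in VRF {src_vrf}")
        if self._ambiguous(dst_vrf, net, src.egress):
            raise ValueError(f"{prefix} overlaps a prefix VRF {dst_vrf} already reaches via another VRF")
        leaked = Route(net, src.egress, src.next_hop, f"leaked:{src_vrf}")
        self.tables.setdefault(dst_vrf, []).append(leaked)
        return leaked

    def leak_filtered(self, src_vrf: str, dst_vrf: str, permit: list[str]) -> list[Route]:
        """Selective leaking, the effect of a BGP export/import with a permit-only route map:
        only routes whose prefix is on the permit list cross; the rest stay in `src_vrf`."""
        allowed = {ip_network(p) for p in permit}
        return [self.leak(src_vrf, str(r.prefix), dst_vrf)
                for r in list(self.tables[src_vrf]) if r.prefix in allowed]

    def lookup(self, vrf: str, dst: str) -> Optional[Route]:
        """Longest-prefix match in one VRF's table only; other tables are never consulted."""
        ip = ip_address(dst)
        return max((r for r in self.tables.get(vrf, []) if ip in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, ingress: str, dst: str) -> Optional[tuple[str, Optional[str]]]:
        """A packet arriving on `ingress` is looked up in that interface's VRF and nowhere
        else; returns (egress interface, next hop) or None when there is no route."""
        r = self.lookup(self.vrf_of.get(ingress, self.GLOBAL), dst)
        return None if r is None else (r.egress, None if r.next_hop is None else str(r.next_hop))


def build_demo() -> VrfLiteDevice:
    """Constructed scenario (not from the guide): VRFs red and green both use 10.1.1.0/24
    and share the Internet through VRF shared, but must never reach each other."""
    dev = VrfLiteDevice()
    dev.bind_interface("vlan2", "red", "10.1.1.1/24")
    dev.bind_interface("vlan3", "green", "10.1.1.1/24")       # same subnet as vlan2: no conflict
    dev.bind_interface("vlan4", "green", "10.2.2.1/24")
    dev.bind_interface("vlan10", "shared", "192.168.1.1/24")
    dev.add_static("shared", "0.0.0.0/0", "192.168.1.254", "vlan10")  # assumed upstream router
    dev.leak("shared", "0.0.0.0/0", "red")                    # Internet access for red ...
    dev.leak("shared", "0.0.0.0/0", "green")                  # ... and for green
    dev.leak("red", "10.1.1.0/24", "shared")                  # return path to red
    dev.leak_filtered("green", "shared", permit=["10.2.2.0/24"])  # only green's non-overlapping subnet
    return dev


if __name__ == "__main__":
    dev = build_demo()
    print(dev.forward("vlan2", "8.8.8.8"), dev.forward("vlan10", "10.1.1.50"))
    try:
        dev.leak("green", "10.1.1.0/24", "shared")   # second copy of 10.1.1.0/24: refused
    except ValueError as err:
        print("refused:", err)
```

Two design points are worth noting. A lookup only ever consults the table of the VRF the ingress interface belongs to, so a host in red that addresses a green subnet is forwarded by red's leaked default route toward the upstream router rather than toward green's interface; there is simply no path between the two tenant VRFs. The ambiguity check is deliberately conservative: any overlap between prefixes supplied by two different VRFs is refused, which is stricter than a real device, where longest-prefix matching would silently deliver all return traffic for the overlapping range to one VRF and leave the other VRF's hosts unreachable from the Internet, as the text describes.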

VRF-lite features in AW+

Here is a summary of the features provided by the AW+ VRF-lite implementation:

Multiple independent routing table instances may co-exist within the same device. The same or overlapping IP addresses can be present in different route table instances without conflicting. All routing table instances remain securely isolated from those existing in other routing tables.

By default, no communication occurs between VRF instances, facilitating multiple secure routing domains within the same VRF aware device.

However, inter-VRF communication between routing domains is possible by using either static inter-VRF routes and/or dynamic filtered route leakage via BGP and its associated route maps.

A single device configuration file simplifies management by providing the ability to create, manage, and monitor all VRF instances.

Detailed diagnostic and debugging information is available.

Ability to view routing table information per VRF.

All appropriate VRF related information and error messages can be viewed in the system wide log.

Separate instances of routing protocols can be mapped to VRF instances so that distribution of route information can be performed on a per VRF domain basis. This enables route information to be distributed securely within each VRF routing domain.

For example:

VRF1 = OSPF routing instance 1
VRF2 = OSPF routing instance 2

All Layer 3 interfaces and associated switch ports remain in the default global VRF domain until associated with a specific VRF instance.

VRF is supported in hardware and software (including inter-VRF communication).

The default global VRF domain always exists and cannot be removed. Initially during startup, every VLAN belongs to the default global VRF domain. Also, when a VLAN is removed from a VRF, it is automatically returned to the default global VRF domain. Only one default global VRF domain exists in each physical device.

Static and dynamic routes can be leaked from a VRF instance to the global default VRF.

Selected routes within a VRF instance can be dynamically leaked to other VRF routing domains. This applies both to routes that have been statically configured, and to routes that have been learnt into a VRF instance on the device by routing protocol exchanges with external peer routers.

When a VRF instance has received routes leaked from other VRF instances, that instance can advertise those routes to external peer routers connected to interfaces in that VRF instance, via the routing protocol operating within the VRF instance.
