
Virtual Routing and Forwarding
layer 3 virtualization, Route Distinguisher and Target

If we can virtualize layer 2 with VLANs, is there a solution that lets us virtualize layer 3 on a router? Could we separate the traffic within the same interface and prevent a particular flow from participating in chosen routing processes? In other words, something like the ASA, where we create contexts in order to split one single chassis into several logical firewalls. We can use the Virtual Routing and Forwarding (VRF) IOS feature to virtualize a router and shape the traffic flow on it.



FUNDAMENTALS OF VRF

VRF Lite is a feature borrowed from MPLS Layer 3 VPN: except for the MPLS labels, we have everything else. In plain words, we may have a couple of customers connected to the same Provider Edge Router without being visible to each other. Each customer thinks he is the only user of the given router! Different customers may use the same subnets on both sites because they don’t share RIB tables. If you want to find out more about how MPLS works, read another article about MPLS.

Now, let’s focus on VRF Lite. The main idea is the same: separating customers. So, we have 2 routers connected to the CE (Customer Edge) Router with different routing tables. Let’s have a look at the picture. The outside (let’s say ISP) routers are visible only to particular inside routers. Inside router Dublin sees only outside router ISP1, and router Cork sees only outside router ISP2. We could do that with route maps and policy-based routing, but then we would override routing protocol rules, and we are going to avoid that.

[Figure: vrflite-gns3]

One important thing: in order to hook up the inside routers to the Edge Router we may use either 2 interfaces, which is what I used, or an 802.1q trunk between the switch and a single router interface (actually with subinterfaces). Do you remember the obsolete router-on-a-stick solution? :)

Here is the configuration on the Customer Edge Router, with an explanation of each step:

1) We have to create 2 instances of our VRFs in config mode:

ip vrf DUBLIN
ip vrf CORK

2) We have to assign interfaces to the VRF forwarding tables. If an interface already had any IP configuration, it will unfortunately be removed:

interface fa0/0
ip vrf forwarding DUBLIN
ip address 10.10.10.1 255.255.255.0

interface fa0/1
ip vrf forwarding CORK
ip address 10.20.20.1 255.255.255.0

interface fa1/0
ip vrf forwarding DUBLIN
ip address 1.1.1.1 255.255.255.0

interface fa1/1
ip vrf forwarding CORK
ip address 2.2.2.1 255.255.255.0

Let’s check that the interfaces have been bound properly to the VRF instances:

[Figure: vrf-show-vrf-br]

3) Now let’s see how our routing table looks:

[Figure: vrf-routing-table-empty]

After the show ip route command, our routing table looks like it has gone!

This happened because we now have 2 separate routing tables, one for Dublin and one for Cork:

[Figures: vrf-routing-table-dublin, vrf-routing-table-cork]

Of course, we may now deploy OSPF, for instance, and do the other things as usual, but from now on our Edge Router is divided into 2 different logical parts that are invisible to each other.

VRFs LEVEL 2

Now, let’s make things more complicated. Let’s assume we want to export or import some routes from one VRF into another. This is called ROUTE LEAKING. I am going to deal with it because I would like to familiarize you with other important terms regarding VRF.

MP-BGP

Before I go over route exchange between 2 VRFs, I have to mention MP-BGP (Multiprotocol BGP), which is actually the same well-known BGP but with support for more protocols. Remember, although we have a single router, we have 2 independent routing tables, so in effect we have 2 routers and we have to redistribute routes between them. In my case I changed the address family slightly: we have to specify it for each VRF.

router bgp 100
bgp router-id 2.2.2.2

address-family ipv4 vrf DUBLIN
redistribute connected

address-family ipv4 vrf CORK
redistribute connected

But we will configure this part at the end, because first we have to configure the Route Distinguisher and Route Targets, so don’t configure this now!

ROUTE DISTINGUISHER 

Route Distinguisher is just a unique 96-bit number that is attached to the IP address and prefix, which makes each network unique even if networks from different VRFs overlap, for example if we had network 10.0.0.0/24 in both the DUBLIN and CORK VRFs. We may define the RD in two ways: <ASN>:<number> or <IP address>:<number>, where ASN is of course the AS number of the BGP process in which the given VRF interface is placed. The configuration is simple:

ip vrf DUBLIN
rd 10:1

ip vrf CORK
rd 10:2

ROUTE TARGET (import/export)

We are approaching the end. We have to import and export routes between VRFs. An RT has a similar format to an RD. Our job is to specify the RT of the routes that we are going to export to the other VRFs, and which VRFs we are going to import routes from. The RT Import is attached when an IPv4 address is changed into a VPNv4 address (MP-BGP). Import/Export are part of the BGP VPNv4 extended community. Let’s have a look at the configuration, and everything will become clear:

ip vrf DUBLIN
route-target export 10:1

route-target import 10:1
route-target import 10:2

ip vrf CORK
route-target export 10:2

route-target import 10:2
route-target import 10:1

Of course, our example is very simple, so we don’t have too much to import/export, only 2 directly connected networks on each site, but we may have thousands of leaked routes.
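Every matching import/export pair opens a path between VRFs that were otherwise isolated, so it helps to compute who leaks to whom from the config instead of reading it by eye. The script below is an added example, not part of the original article: it parses the `ip vrf` blocks shown above and reports leaks that are not on an allow-list, plus RDs reused by more than one VRF. The sample config is constructed from the article's values, and the allow-list policy and function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the article's DUBLIN/CORK definitions merged into one config.
SAMPLE_CONFIG = """
ip vrf DUBLIN
 rd 10:1
 route-target export 10:1
 route-target import 10:1
 route-target import 10:2
ip vrf CORK
 rd 10:2
 route-target export 10:2
 route-target import 10:2
 route-target import 10:1
interface fa0/0
 ip vrf forwarding DUBLIN
"""

def parse_vrfs(config):
    """Map each VRF name to its RD and its import/export route-target sets."""
    vrfs, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if not line:
            continue  # blank lines do not end a VRF block
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault(m[1], {"rd": None, "import": set(), "export": set()})
        elif cur is not None and (m := re.fullmatch(r"rd (\S+)", line, re.I)):
            cur["rd"] = m[1]
        elif cur is not None and (m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)):
            for kind in ("import", "export") if m[1] == "both" else (m[1],):
                cur[kind].add(m[2])
        else:
            cur = None  # any other command closes the VRF block
    return vrfs

def leaks(vrfs):
    """(source, destination) pairs where destination imports an RT the source exports."""
    return {(s, d) for s, sv in vrfs.items() for d, dv in vrfs.items()
            if s != d and sv["export"] & dv["import"]}

def audit(vrfs, allowed):
    """Findings: leaks missing from the allow-list, and RDs reused by several VRFs."""
    findings = [f"unexpected leak {s} -> {d}" for s, d in sorted(leaks(vrfs) - allowed)]
    by_rd = defaultdict(list)
    for name, v in vrfs.items():
        if v["rd"]:
            by_rd[v["rd"]].append(name)
    findings += [f"rd {rd} reused by {', '.join(sorted(names))}"
                 for rd, names in sorted(by_rd.items()) if len(names) > 1]
    return findings

if __name__ == "__main__":
    # Hypothetical policy: only DUBLIN -> CORK leaking is approved.
    print(audit(parse_vrfs(SAMPLE_CONFIG), allowed={("DUBLIN", "CORK")}))
```

Feed it the VRF section of a saved running config and keep the allow-list under change control, so a new route-target import shows up as a finding.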

Now is the moment to get back to the MP-BGP configuration!

router bgp 100
bgp router-id 2.2.2.2

address-family ipv4 vrf DUBLIN
redistribute connected

address-family ipv4 vrf CORK
redistribute connected

All right, we have configured a VRF VPN with route leaking!

Let’s verify some things:

[Figure: showipvrf]

Let’s check the BGP table for the vpnv4 address family:

[Figure: showvpnv4 all dublin cork]

And finally, let’s check the VRF routing tables: all routes have leaked!

[Figure: ipvrf cork dublin routeleaking]
