Cisco VRF Lite Configuration
In the previous post, we discussed isolating traffic with the private VLAN
feature at Layer2. In this tutorial, we will discuss traffic isolation at
Layer3 using VRF Lite on Cisco routers.
What is VRF Lite
VRFs employ essentially the same concept as VLANs and Trunking, but at
Layer3.
VRF (Virtual Routing and Forwarding) is traditionally associated with IP MPLS
technology whereby an ISP creates Layer3 (or Layer2) VPNs for customers using
VRF. Consider a VRF as a separate routing instance (and separate routing table) on
the same device holding the IP routes for each customer which are isolated from
the other customers. Each VRF is like a separate virtual router with its own routing
table on the same physical router.
If you don’t work in an ISP environment you will not encounter this technology.
Also, from what I know, MPLS and VRFs are not examined at the CCNA or
CCNP R&S level; they are covered in the chapters needed for the CCIE R&S
certification. If you want to read about this technology, one good book to start
with is MPLS Fundamentals, written by Luc De Ghein.
Now, although VRFs and MPLS are usually configured on high-end ISP routers,
you can still use this feature on some smaller Cisco ISR routers in a simplified
form called VRF Lite and get the same advantages. With VRF Lite, you can
have separate routing tables on the same physical router; each routing table
(VRF instance) is isolated from the other VRF instances.
To demonstrate how to use this feature, let’s look at the following simplified scenario:
Network Scenario using Cisco 891 and VRF Lite
Consider the scenario depicted in the diagram above. We have a Cisco 891 border
router with an Intranet connection for employees’ computers and company servers,
and we also need to offer internet connectivity over a Wi-Fi connection so that
guests can reach the internet.
The company security team demanded that the Wi-Fi connection be totally
separated from the local intranet network, so that guests don’t have access to the
local network. We can therefore isolate the two Layer3 networks using VRF Lite.
We will create “VRF Intranet” and “VRF Extranet” for the two networks.
Configuration
The router used is CISCO891-K9 with image c890-universalk9-mz.151-4.M4.bin installed.
Each VRF instance will have two Layer3 routed interfaces associated with it, as
shown below. Consider each VRF instance as a virtual router with two interfaces.
- VRF Intranet: VLAN10 and interface Gi0 will be included in “vrf Intranet”.
- VRF Extranet: VLAN100 and interface Fa8 will be included in “vrf Extranet”.
Step 1 : Create the VRF Lite Instances
ip vrf Extranet
 description Extranet
!
ip vrf Intranet
 description Intranet
!
Step 2 : Configure VLANs and interfaces and include them in the VRF instances
vlan 10
 name Intranet
!
vlan 100
 name Extranet
!
interface GigabitEthernet0            <-- WAN port facing the internet for Intranet traffic
 ip vrf forwarding Intranet           <-- interface is attached to the Intranet VRF
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan10                      <-- SVI interface for Intranet traffic
 description Intranet
 ip vrf forwarding Intranet           <-- interface is attached to the Intranet VRF
 ip address 10.10.100.1 255.255.255.0
!
interface FastEthernet8               <-- WAN port facing the internet for guest traffic
 ip vrf forwarding Extranet           <-- interface is attached to the Extranet VRF
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan100                     <-- SVI interface for Extranet traffic
 description Extranet
 ip vrf forwarding Extranet           <-- interface is attached to the Extranet VRF
 ip address 100.100.100.1 255.255.255.0
!
interface FastEthernet0               <-- connect the Wi-Fi access point for guests to this port
 description AP
 switchport access vlan 100
 no ip address
!
interface FastEthernet1               <-- connect Intranet hosts to this port
 description Intranet
 switchport access vlan 10
 no ip address
!
Step 3 : Add default routes facing the internet for both VRF instances
ip route vrf Intranet 0.0.0.0 0.0.0.0 10.10.10.254
ip route vrf Extranet 0.0.0.0 0.0.0.0 192.168.1.254
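Because the whole point of the design is that nothing is shared between the two VRFs (and that the global routing table stays empty), it is worth checking a running-config mechanically before trusting it. The following script is an added example written for this page, not the author's code: it parses the `ip vrf`, `interface` and `ip route vrf` stanzas of an IOS running-config and reports every condition that would undermine the separation (a routed interface with an IP address but no `ip vrf forwarding`, a reference to an undefined VRF, a VRF with no routed interfaces, a static route whose next hop is not on a subnet of its own VRF, and a static route that uses the IOS `global` next-hop keyword, which deliberately leaks the route into the global table). The embedded `SAMPLE_CONFIG` is constructed from the configuration in Steps 1 to 3 above; only the command forms shown there plus the `global` keyword are recognised.

```python
"""VRF Lite isolation audit for a Cisco IOS running-config (added example,
not the tutorial's own code). SAMPLE_CONFIG is constructed from the
tutorial's Step 1-3 configuration."""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
ip vrf Extranet
!
ip vrf Intranet
!
interface GigabitEthernet0
 ip vrf forwarding Intranet
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan10
 ip vrf forwarding Intranet
 ip address 10.10.100.1 255.255.255.0
!
interface FastEthernet8
 ip vrf forwarding Extranet
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan100
 ip vrf forwarding Extranet
 ip address 100.100.100.1 255.255.255.0
!
interface FastEthernet0
 switchport access vlan 100
 no ip address
!
ip route vrf Intranet 0.0.0.0 0.0.0.0 10.10.10.254
ip route vrf Extranet 0.0.0.0 0.0.0.0 192.168.1.254
"""

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"            # dotted-quad capture group
RE_VRF = re.compile(r"^ip vrf (\S+)$")
RE_INTF = re.compile(r"^interface (\S+)$")
RE_ROUTE = re.compile(r"^ip route vrf (\S+) " + _IP + " " + _IP + " " + _IP + r"( global)?$")
RE_FWD = re.compile(r"^ip vrf forwarding (\S+)$")
RE_ADDR = re.compile(r"^ip address " + _IP + " " + _IP + r"$")


def _prefix_len(mask):
    """Dotted-quad mask (255.255.255.0) -> prefix length (24)."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def parse_config(text):
    """Return (vrfs, interfaces, routes).
    interfaces: name -> {"vrf": str|None, "ip": IPv4Interface|None}
    routes: list of (vrf, IPv4Network, next hop IPv4Address, leaks_to_global)"""
    vrfs, interfaces, routes = set(), {}, []
    current = None                                # interface stanza being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):      # '!' closes a stanza
            current = None
            continue
        if not line.startswith(" "):              # global-mode command
            current = None
            if m := RE_VRF.match(line):
                vrfs.add(m.group(1))
            elif m := RE_INTF.match(line):
                current = m.group(1)
                interfaces[current] = {"vrf": None, "ip": None}
            elif m := RE_ROUTE.match(line):
                vrf, net, mask, nh, glob = m.groups()
                prefix = ipaddress.IPv4Network(f"{net}/{_prefix_len(mask)}", strict=False)
                routes.append((vrf, prefix, ipaddress.IPv4Address(nh), glob is not None))
            continue
        if current is None:                       # sub-command of a stanza we do not model
            continue
        sub = line.strip()
        if m := RE_FWD.match(sub):
            interfaces[current]["vrf"] = m.group(1)
        elif m := RE_ADDR.match(sub):
            addr, mask = m.groups()
            interfaces[current]["ip"] = ipaddress.IPv4Interface(f"{addr}/{_prefix_len(mask)}")
    return vrfs, interfaces, routes


def audit(vrfs, interfaces, routes):
    """Return a list of findings; an empty list means the isolation design holds."""
    findings, members = [], defaultdict(list)     # members: vrf -> routed interfaces
    for name, info in interfaces.items():
        if info["ip"] is None:
            continue                              # Layer2 switchport, nothing to route
        if info["vrf"] is None:
            findings.append(f"{name}: has an IP address but no VRF, it is in the global table")
        elif info["vrf"] not in vrfs:
            findings.append(f"{name}: bound to undefined VRF {info['vrf']}")
        else:
            members[info["vrf"]].append(name)
    for vrf in sorted(vrfs):
        if not members[vrf]:
            findings.append(f"VRF {vrf}: no routed interfaces")
    for vrf, prefix, nh, glob in routes:
        if glob:                                  # 'global' keyword = route leaking
            findings.append(f"VRF {vrf}: route {prefix} resolves {nh} in the global table (leak)")
        elif not any(nh in interfaces[i]["ip"].network for i in members[vrf]):
            findings.append(f"VRF {vrf}: next hop {nh} of {prefix} is not on any {vrf} interface")
    return findings


def audit_text(text):
    return audit(*parse_config(text))
```

Feed it the output of `show running-config` saved to a file (`audit_text(open("running-config.txt").read())`); for the tutorial's configuration it returns an empty list, and each extra routed interface left outside a VRF, or each `ip route vrf ... global` statement, shows up as one finding.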
Step 4 : Verifications
– show the VRF configuration
Networkstraining#sh run vrf Intranet
Building configuration…
Current configuration : 324 bytes
ip vrf Intranet
description Intranet
!
!
interface GigabitEthernet0
ip vrf forwarding Intranet
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan10
description Intranet
ip vrf forwarding Intranet
ip address 10.10.100.1 255.255.255.0
!
ip route vrf Intranet 0.0.0.0 0.0.0.0 10.10.10.254
end
Networkstraining#sh run vrf Extranet
Building configuration…
Current configuration : 326 bytes
ip vrf Extranet
description Extranet
!
!
interface FastEthernet8
ip vrf forwarding Extranet
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan100
description Extranet
ip vrf forwarding Extranet
ip address 100.100.100.1 255.255.255.0
!
ip route vrf Extranet 0.0.0.0 0.0.0.0 192.168.1.254
– verify both routing tables
Networkstraining#sh ip route vrf Intranet
Routing Table: Intranet
Gateway of last resort is 10.10.10.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.10.254
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0
L 10.10.10.1/32 is directly connected, GigabitEthernet0
Networkstraining#sh ip route vrf Extranet
Routing Table: Extranet
Gateway of last resort is 192.168.1.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.1.254
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet8
L 192.168.1.1/32 is directly connected, FastEthernet8
– verify ARP entries
Networkstraining#sh ip arp vrf Intranet
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.1 – fc99.4712.9ee3 ARPA GigabitEthernet0
Internet 10.10.100.1 – fc99.4712.9ecb ARPA Vlan10
Internet 10.10.100.10 5 cce1.7f79.48f2 ARPA Vlan10
Networkstraining#sh ip arp vrf Extranet
Protocol Address Age (min) Hardware Addr Type Interface
Internet 100.100.100.1 – fc99.4712.9ecb ARPA Vlan100
Internet 100.100.100.100 5 001c.0fdc.de41 ARPA Vlan100
Internet 192.168.1.1 – fc99.4712.9ed3 ARPA FastEthernet8
Final Notes :
- As you can see, the routing tables are totally separated, so the traffic will be
totally separated.
- If you run the command “show ip route” without specifying a VRF name, it
will show the “Global Routing Table” of the device (which is empty in
our example above).
- When you issue ping, telnet or other commands that make use of the routing
tables, you must always specify the VRF routing instance name that you
want to use:
Example: ping vrf Intranet 10.10.100.10
- The VRF Lite feature is offered by other vendors as well. For example, in a
Juniper environment it is called a “routing instance”.
About the Author
Harris Andrea is a Cisco Certified Professional with more than 18 years of experience
working with Cisco network technologies. He is the author of two Cisco books (“Cisco ASA
Firewall Fundamentals” and “Cisco VPN Configuration Guide”) which have been
embraced by thousands of Cisco professionals all over the world. You can find more Cisco
configuration guides and tutorials on his blog at http://www.networkstraining.com