Overview
Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to co-exist within the same router. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. The control and data plane are isolated in each VRF. This isolation keeps the traffic from crossing VRFs, and therefore multiple routing tables can coexist within the same physical L3 switch/router, without requiring multiple routers.
Inter-Virtual Router Forwarding (IVRF), or route leaking, allows routes to be leaked (distributed) across multiple VRFs in a controlled manner. Using an external system such as a firewall to provide routing between VRFs is common, especially where additional security is required.
Scenario
A common use case where route leaking is useful is shared services such as NTP or ClearPass (RADIUS) that exist in one VRF and need to be accessible from a different VRF. That is the use case for this article, where I have NTP on 10.2.10.23 and ClearPass on 10.2.30.188, both in VRF default.
A CX 8400 switch hosts these VRFs:
- default
- Sandpit - this VRF needs access to the resources in default
Devices in different VRFs cannot access each other until IVRF is enabled.
Before I introduced new VRFs into this environment, everything was in the default VRF, and regular routing was used - this was certainly simpler. VRFs and IVRF enable additional functionality and capabilities, but they will not be necessary in all environments.
References
This is the high-level process flow for the 8400, from Chapter 11 Inter-Virtual Router Forwarding (IVRF).
Configuration on a CX 8400
All config was done with MultiEdit in Central, but you could use something else such as NetEdit or the CLI.
VRFs and Route Distinguishers (RDs)
vrf Sandpit
    rd 10.80.255.1:2
    address-family ipv4 unicast
        route-target export 10.80.255.1:2
        route-target import 10.80.255.1:1
    exit-address-family
vrf default
    rd 10.80.255.1:1
    address-family ipv4 unicast
        route-target export 10.80.255.1:1
        route-target import 10.80.255.1:2
    exit-address-family
VLANs
interface vlan 2001
    vrf attach Sandpit
    ip address 10.80.1.1/24
:
:
interface vlan 2044
    vrf attach Sandpit
    ip address 10.80.44.1/24
Router Config
router ospf 2 vrf Sandpit
    router-id 10.80.255.1
    trap-enable
    area 0.0.0.0
router ospf 1
    router-id 10.80.255.1
    trap-enable
    redistribute bgp
    redistribute connected
    redistribute static
    area 0.0.0.0
router bgp 65080
    bgp router-id 10.80.255.1
    bgp log-neighbor-changes
    address-family ipv4 unicast
        redistribute ospf
    exit-address-family
!
    vrf Sandpit
        no bgp fast-external-fallover
        address-family ipv4 unicast
            redistribute connected
            redistribute ospf
            network 10.80.0.0/16
            aggregate-address 10.80.0.0/16 summary-only
        exit-address-family
Additional Services
DNS is specific to each VRF - you will get name resolution errors unless you also include DNS for each VRF.
ip dns server-address 10.20.30.85 vrf Sandpit
ip dns server-address 10.50.0.100 vrf Sandpit
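As an added example (not configuration or code from this article or from Aruba), the Python script below parses the text form of the vrf / route-target lines and the ip dns server-address lines shown above and answers the questions a reviewer of a route-leaking change wants answered: which VRF imports routes from which, whether any leak is one-way (routes in, but no return path), and which leaked-into VRFs have no DNS server of their own. The sample config is constructed from the article's lines plus a hypothetical third VRF named Guest that imports from default without default importing it back, and a constructed default-VRF DNS line; treating an ip dns server-address line without a vrf keyword as belonging to the default VRF is an assumption of this script.

```python
"""Map route leaking between VRFs from an AOS-CX style config (added example)."""
import re
from collections import defaultdict

# Constructed sample: the article's VRF and Sandpit DNS lines, plus a
# hypothetical "Guest" VRF (one-way import from default, no DNS) and a
# constructed DNS line for the default VRF.
SAMPLE_CONFIG = """\
vrf Sandpit
    rd 10.80.255.1:2
    address-family ipv4 unicast
        route-target export 10.80.255.1:2
        route-target import 10.80.255.1:1
    exit-address-family
vrf default
    rd 10.80.255.1:1
    address-family ipv4 unicast
        route-target export 10.80.255.1:1
        route-target import 10.80.255.1:2
    exit-address-family
vrf Guest
    rd 10.80.255.1:3
    address-family ipv4 unicast
        route-target export 10.80.255.1:3
        route-target import 10.80.255.1:1
    exit-address-family
ip dns server-address 10.20.30.85
ip dns server-address 10.20.30.85 vrf Sandpit
ip dns server-address 10.50.0.100 vrf Sandpit
"""


def parse_vrfs(config_text):
    """Return ({vrf: {"rd", "export", "import"}}, {vrf: [dns servers]})."""
    vrfs, dns, current = {}, defaultdict(list), None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^vrf (\S+)$", line)
        if m:  # start of a VRF definition block
            current = m.group(1)
            vrfs.setdefault(current, {"rd": None, "export": set(), "import": set()})
            continue
        m = re.match(r"^ip dns server-address (\S+)(?: vrf (\S+))?$", line)
        if m:  # assumption: no 'vrf' keyword means the default VRF
            dns[m.group(2) or "default"].append(m.group(1))
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"^rd (\S+)$", line)
        if m:
            vrfs[current]["rd"] = m.group(1)
            continue
        m = re.match(r"^route-target (export|import) (\S+)$", line)
        if m:
            vrfs[current][m.group(1)].add(m.group(2))
    return vrfs, dict(dns)


def leak_map(vrfs):
    """{receiver: sorted VRFs whose export RT matches one of receiver's import RTs}."""
    return {
        rx: sorted(src for src, s in vrfs.items()
                   if src != rx and r["import"] & s["export"])
        for rx, r in vrfs.items()
    }


def one_way_leaks(leaks):
    """(src, dst) pairs where dst imports src's routes but src never imports dst's,
    i.e. dst can reach src but return traffic has no leaked route back."""
    return sorted((src, dst) for dst, srcs in leaks.items()
                  for src in srcs if dst not in leaks.get(src, []))


def vrfs_missing_dns(dns, leaks):
    """VRFs that receive leaked routes but have no DNS server configured."""
    return sorted(v for v, srcs in leaks.items() if srcs and not dns.get(v))


if __name__ == "__main__":
    vrfs, dns = parse_vrfs(SAMPLE_CONFIG)
    leaks = leak_map(vrfs)
    for rx, srcs in leaks.items():
        print(f"{rx:<8} imports routes from: {', '.join(srcs) or 'nobody'}")
    print("one-way leaks (no return path):", one_way_leaks(leaks))
    print("leaked-into VRFs without DNS:", vrfs_missing_dns(dns, leaks))
```

Run it against a saved show running-config instead of SAMPLE_CONFIG to review a change before it is pushed: a VRF that appears in one_way_leaks will see the shared services but not get answers back unless something else (a default route, a firewall) supplies the return path, and a VRF in vrfs_missing_dns will resolve nothing even though the routes are there.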
If DHCP-server is running on the switch, this can also be allocated to the relevant VRF.
dhcp-server vrf Sandpit
    pool vlan2001
        range 10.80.1.101 10.80.1.249 prefix-len 24
        default-router 10.80.1.1
        dns-server 10.20.30.85 10.50.0.100
        lease 30:01:02
        exit
    :
    :
    authoritative
    enable
Testing
This is what the routing looked like in the default VRF before enabling dynamic IVRF:
This is what the routing looked like after enabling dynamic IVRF - default VRF:
This is what the routing looked like after enabling dynamic IVRF - view from Sandpit VRF:
------------------------------
Richard Litchfield
Airheads MVP 2020, 2021, 2022
------------------------------