
VRF-Lite (virtual routing and forwarding)

Q: - What is VRF-Lite?
It is a kind of Layer 3 VLAN/VPN that keeps each instance's control and forwarding
tables separate from each other and from the global routing table, for security and other reasons.
In other words, virtual routing and forwarding (VRF) is a technology that allows
multiple instances of a routing table to co-exist within the same router at the same
time. This increases functionality by allowing network paths to be segmented without
using multiple devices. Because traffic is automatically segregated, VRF also
increases network security and can eliminate the need for encryption and
authentication.
1) Addresses can overlap in different VRFs
2) A VRF needs to be attached to a particular interface
3) A single interface cannot be attached to multiple VRFs
4) By default, different VRFs can't talk to each other
5) You can configure inter-VRF routing
6) VRF-Lite can run on Layer 3 switches as well as routers

Q: - What is difference b/w VRF & VRF-Lite?


VRF-Lite runs without MPLS, while full VRF (VRF/MPLS) uses an MPLS
backbone network.
VRF-Lite does not scale to the size required by global enterprises or large
carriers, as each VRF instance needs to be implemented on every
router, including intermediate routers.
Q: - Where should VRF-Lite be used?
In small networks where the network strategy needs to keep routing separate on
existing infrastructure without applying route-filtering tools, as well as for security; it can
eliminate the need for encryption and authentication.
Q: - How does VRF-Lite work?
It uses a special identifier (the VRF name and RD) to keep the routing and
forwarding planes separate.
Q: - How is routing done inside VRF-Lite?
You can apply both static and dynamic (IGP, BGP) routing, but the configuration
differs from usual routing (see the configuration details below).
Q: - What are the troubleshooting and verification commands?
show ip vrf (verifying VRF detail)
show ip route vrf “VRF_NAME”
show ip route vrf “VRF_NAME” “routing protocol” (more specific)
ping vrf “VRF_NAME” (checking connectivity of VRF)
traceroute vrf “VRF_NAME” “destination address”

In this diagram, Customer A and Customer B have the same (overlapping) network.
We need to do the configuration on PE1 and PE2 only; the rest is completed by the
customers, who don't need any special configuration.
Base configuration on (PE1 & PE2)
Now we require routing; it can be static, dynamic or policy-based
routing.
1) Static routing inside VRF-Lite

PE1 router static route

PE2 router static route

Note: - Here I used a name just for identification; it is optional.

Now route verification on PE1 & PE2 (using the special commands)
Note: - This is ISP routing only; customers need a default route toward the ISP from both sides.
Now it is time to check the traffic using the special commands (PE1 to PE2)
2) Dynamic routing using OSPF
PE1 & PE2 (configuration and verification)

Notice that I now need to create two OSPF instances, since the protocol is otherwise used
for the entire router, not only for VRF “CA” & “CB”.
Here I used “network 0.0.0.0 0.0.0.0 area 0” to cover all networks; you can specify the networks
more precisely in the routing protocol.
3) Dynamic routing using EIGRP/RIP/BGP
You need to use an address family inside the routing protocol.

Notice that in EIGRP the VRF also needs to specify the AS, which is locally significant for
that particular VRF.
VRF-Lite route leaking

There are two kinds of route leaking: -

1) Inter VRF-Lite/other VRFs (requires BGP)
2) Global routing table
You cannot configure two static routes to advertise each prefix between the VRFs,
because this method is not supported; packets will not be routed by the router. To
achieve route leaking between VRFs, you must use the import functionality of
route-target and enable Border Gateway Protocol (BGP) on the router. No BGP neighbor is
required.
Earlier we did not require an RD (Route Distinguisher) or import/export.
To achieve this, a couple of tasks are required:
- Define VPNs
- Import and export VRFs
- Configure BGP with redistribution of the VRF instances into it
- Redistribute BGP into the VRF instances
To define VPN routing instances, use the following commands beginning in global configuration mode on the
PE router:

Step 1  Command: Router(config)# ip vrf vrf-name
        Purpose: Enters VRF configuration mode and defines the VPN routing instance by assigning a VRF name.

Step 2  Command: Router(config-vrf)# rd route-distinguisher
        Purpose: Creates routing and forwarding tables.

Step 3  Command: Router(config-vrf)# route-target {import | export | both} route-target-ext-community
        Purpose: Creates a list of import and/or export route target communities for the specified VRF.

Step 4  Command: Router(config-vrf)# import map route-map
        Purpose: (Optional) Associates the specified route map with the VRF.

Step 5  Command: Router(config-if)# ip vrf forwarding vrf-name
        Purpose: Associates a VRF with an interface or subinterface.

For details, see http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsvpn23.html


Let's take an example using OSPF (you can use another protocol as well)

The configuration on CRA & CRB is straightforward, nothing special

Configuration on PE router

Here we are importing and exporting the VRFs, but this will not work until BGP and the rest
are configured
(There may be more than two VRF-Lite instances. You can select which ones you want
to leak)
Go ahead and configure the interfaces and VRF routing, and also import BGP into it
Note: - So far we haven't configured BGP, but I am applying it here; you do that later

Now configure BGP with “address-family ipv4 vrf” and redistribute the VRF
instances into it
(In this scenario we have OSPF 1 and 2, named CRA and CRB)
In this configuration I am redistributing the VRF instances that I want to leak; you
can also apply a route map or redistribute the desired VRFs only

Now a summary, to understand it better

Step 1 Import and export the VRFs to and from each other, whichever ones you want to leak
Step 2 Redistribute the VRF instances into BGP so that BGP has the routes
you want to leak. Now BGP is aware of those VRFs' routes; here, these are the
routes of OSPF instances 1 and 2
Step 3 Redistribute the BGP instance into the VRFs (since BGP has all the VRFs'
routes), so the VRFs have each other's routes with the help of BGP
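
An added example (not part of the original note): a short Python check that reads the “ip vrf” blocks of a PE configuration and lists which VRFs import each other's route-targets, that is, where the default isolation between VRFs has been deliberately opened. Using CRA and CRB as VRF names, the extra VRF MGMT, and all RD and route-target values are assumptions; the sample configuration is constructed for illustration.

```python
import re

# Constructed sample (not from the page): CRA and CRB import each other's
# route-targets; MGMT exports but imports nothing, so it stays isolated.
SAMPLE_CONFIG = """\
ip vrf CRA
 rd 1:1
 route-target export 1:1
 route-target import 2:2
!
ip vrf CRB
 rd 2:2
 route-target both 2:2
 route-target import 1:1
!
ip vrf MGMT
 rd 3:3
 route-target export 3:3
!
"""

def parse_vrfs(config):
    """Map each 'ip vrf' block to its import and export route-target sets."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip vrf (\S+)\s*$", line):
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
        elif not line.startswith(" "):
            current = None  # any unindented line closes the VRF block
        elif current is not None and (
                m := re.match(r"\s+route-target (import|export|both) (\S+)", line)):
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
    return vrfs

def leak_edges(vrfs):
    """Return sorted (source, destination, route-target) leak relationships."""
    return sorted(
        (src, dst, rt)
        for src, s in vrfs.items()
        for dst, d in vrfs.items() if src != dst
        for rt in s["export"] & d["import"])

if __name__ == "__main__":
    # Leaking only takes effect once BGP redistribution is configured as well.
    for src, dst, rt in leak_edges(parse_vrfs(SAMPLE_CONFIG)):
        print(f"{src} -> {dst} via route-target {rt}")
```

Any pair the check reports that is not in the intended design is a place where routes from one VRF can reach another.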
Now verification

Note this note all about it. Commands may differ in your IOS because of the
version.
Thanks and regards, Aditya Gaur
For any query you can e-mail me at adityakrgaur@gmail.com
