Home » Bury the hatchet » VRF Selection Based on Source IP Addresses

VRF Selection Based on Source IP Addresses

In this post we are going to cover a nice tool, actually I’ve never used it in production, but I was fully testing it during my CCIE SP lab preparations and wish to share it with you. It’s nice to have such a tool in your tool box when dealing with complex designs.

The VRF Selection feature allows a certain interface on a PE router to route packets received from the CE router to different VRFs based on the source IP address of the packet, imagine it as a form of policy-based routing, where you control the traffic forwarding based on the source IP addresses, but in this case we control to which VRF should the traffic be forwarded rather than out of which interface.

What actually happens is that simply the ingress PE router performs two tables lookups for the packets it receives from the CE router:

  1. In the first lookup, the source IP address is looked up in the VRF selection table to determine which VRF should this packet be forwarded to.
  2. In the second lookup, the destination IP address is normally looked up in the appropriate VRF table according to the previous step.

As we can see the operation is straight forward and simple, and as we are going to see later, the configuration is also straight forward and simple.

An important note to take care of though, if there was no match in the first step, then the packet is going to be forwarded based upon the global routing table, and this might imply a significant security risk for the Service Provider, and thus it is recommended to black hole such traffic as illustrated in the below example, by simply forwarding traffic from unknown sources to a special VRF (the BHOLE VRF in the example) and simply drop it.

NOTE What I’ve originally though of to work around the above issue was to apply a dummy VRF under the interface it self, but the Cisco IOS won’t let you do this as you’ll get the following error: “% Can not configure VRF if VRF Select is already configured, To enable VRF, first remove VRF Select from the interface”.

PE router configuration:

!
ip vrf test1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf test2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
ip vrf BHOLE
 rd 1000:1000
 route-target export 1000:1000
 route-target import 1000:1000
!
interface Serial2/0.1 point-to-point
 description Connection to the CE router
 ip vrf select source
 ip vrf receive test1
 ip vrf receive test2
 ip vrf receive BHOLE
 ip address 12.12.12.1 255.255.255.0
 frame-relay interface-dlci 102
!
vrf selection source 101.101.101.101 255.255.255.255 vrf test1
vrf selection source 202.202.202.202 255.255.255.255 vrf test2
vrf selection source 0.0.0.0 0.0.0.0 vrf BHOLE
!
ip route vrf test1 101.101.101.101 255.255.255.255 Serial2/0.1 12.12.12.2
ip route vrf test2 202.202.202.202 255.255.255.255 Serial2/0.1 12.12.12.2
ip route vrf BHOLE 0.0.0.0 0.0.0.0 Null0
!

This should be the output of the VRF selection table on the PE router:

PE#sh ip vrf select
VRF Selection Information
Source IP-Address      Mask        Selected VRF Table
101.101.101.101        255.255.255.255                test1
202.202.202.202        255.255.255.255                test2
0.0.0.0        0.0.0.0                BHOLE

I hope that I’ve been informative.

BR,
Mohammed Mahmoud.

2 comments

  1. Hi,

    I was investigating this topic as well. And it happened that this feature is not supported by 6500/7600 platforms which act as CE/PE quite often.
    So it is better to use VRF Selection using Policy Based Routing what is an extension of VRF Selection based on Source IP Address.
    And I use it in production network.

  2. Hi Alexiy,

    Features support is a very critical thing to consider. Thank you very much for your valuable post.

    For everyone, here is the documentation for the feature that Alexiy has highlighted, make sure to look at the restrictions section:
    http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_pbrsv.html

    I hope that I’ve been informative.

    BR,
    Mohammed Mahmoud.

Leave a Reply

Your email address will not be published. Required fields are marked *