VRF stands for Virtual Routing and Forwarding; this feature is used to create multiple instances of the routing table on the same routing device. VRFs are usually used in conjunction with MPLS VPN to separate the traffic of multiple MPLS VPN customers. The VRF Lite feature is part of Cisco’s network virtualization portfolio. VRF Lite means VRF without the need to run MPLS in the network. It allows the network administrator to create multiple routing instances on the same routing device within the enterprise. VRF Lite can be useful when you need to isolate traffic between two networks sharing the same routing platform, or if you have multiple networks with overlapping addresses sharing the same physical network. Multiple instances of routing protocols can be used for different VRFs on the same device to exchange routes dynamically with a directly connected device.
VRF Lite Configuration:
R2 is connected via Ethernet to R5. Two VRFs (VRF-LITE-A & B) are configured to demonstrate L3 traffic isolation. I am using static routes for this example but dynamic routing protocols can be used.
R2 Configuration:
ip vrf VRF-LITE-A
 rd 100:1
!
ip vrf VRF-LITE-B
 rd 100:2
!-- Assign interfaces to VRF
interface FastEthernet0/1.25
 encapsulation dot1Q 25
 ip vrf forwarding VRF-LITE-A
 ip address 25.25.25.2 255.255.255.0
!
interface FastEthernet0/1.52
 encapsulation dot1Q 52
 ip vrf forwarding VRF-LITE-B
 ip address 52.52.52.2 255.255.255.0
interface Loopback20
 ip vrf forwarding VRF-LITE-A
 ip address 20.20.20.20 255.255.255.255
!
interface Loopback22
 ip vrf forwarding VRF-LITE-B
 ip address 22.22.22.22 255.255.255.255
ip route vrf VRF-LITE-A 50.50.50.50 255.255.255.255 25.25.25.5
ip route vrf VRF-LITE-B 55.55.55.55 255.255.255.255 52.52.52.5
R5 Configuration:
ip vrf VRF-LITE-A
 rd 100:1
!
ip vrf VRF-LITE-B
 rd 100:2
interface Loopback50
 ip vrf forwarding VRF-LITE-A
 ip address 50.50.50.50 255.255.255.255
!
interface Loopback55
 ip vrf forwarding VRF-LITE-B
 ip address 55.55.55.55 255.255.255.255
!
interface FastEthernet0/1.25
 encapsulation dot1Q 25
 ip vrf forwarding VRF-LITE-A
 ip address 25.25.25.5 255.255.255.0
!
interface FastEthernet0/1.52
 encapsulation dot1Q 52
 ip vrf forwarding VRF-LITE-B
 ip address 52.52.52.5 255.255.255.0
ip route vrf VRF-LITE-A 20.20.20.20 255.255.255.255 25.25.25.2
ip route vrf VRF-LITE-B 22.22.22.22 255.255.255.255 52.52.52.2
Operation Verification: The following tests were run on R2 only; the same can be done on R5 for verification.
R2#sh ip route vrf VRF-LITE-A
Routing Table: VRF-LITE-A
!-- output omitted----------
Gateway of last resort is not set
     50.0.0.0/32 is subnetted, 1 subnets
S       50.50.50.50 [1/0] via 25.25.25.5
     20.0.0.0/32 is subnetted, 1 subnets
C       20.20.20.20 is directly connected, Loopback20
     25.0.0.0/24 is subnetted, 1 subnets
C       25.25.25.0 is directly connected, FastEthernet0/1.25

R2#sh ip route vrf VRF-LITE-B
Routing Table: VRF-LITE-B
!--output omitted----------
Gateway of last resort is not set
     55.0.0.0/32 is subnetted, 1 subnets
S       55.55.55.55 [1/0] via 52.52.52.5
     52.0.0.0/24 is subnetted, 1 subnets
C       52.52.52.0 is directly connected, FastEthernet0/1.52
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback22

R2#ping 50.50.50.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.50.50.50, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping vrf VRF-LITE-A 50.50.50.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.50.50.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/143/396 ms

R2#ping 55.55.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping vrf VRF-LITE-B 55.55.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/133/340 ms
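The isolation shown by the pings above can also be checked offline from a saved configuration. The script below is an added example, not part of the original article: it reads R2's interface and route lines and reports any addressed interface left in the global table and any VRF static route whose next hop is not on a connected subnet of the same VRF. It assumes every addressed interface on the device is meant to belong to a VRF and that static routes use a next-hop IP address, as in the article; the `audit` function and the `(global)` label are names chosen for this example.

```python
import ipaddress

# R2's interface and static-route lines as given in the article (rd and dot1Q lines left out).
R2_CONFIG = """\
interface FastEthernet0/1.25
 ip vrf forwarding VRF-LITE-A
 ip address 25.25.25.2 255.255.255.0
interface FastEthernet0/1.52
 ip vrf forwarding VRF-LITE-B
 ip address 52.52.52.2 255.255.255.0
interface Loopback20
 ip vrf forwarding VRF-LITE-A
 ip address 20.20.20.20 255.255.255.255
interface Loopback22
 ip vrf forwarding VRF-LITE-B
 ip address 22.22.22.22 255.255.255.255
ip route vrf VRF-LITE-A 50.50.50.50 255.255.255.255 25.25.25.5
ip route vrf VRF-LITE-B 55.55.55.55 255.255.255.255 52.52.52.5
"""

GLOBAL = "(global)"  # label chosen here for the default routing table


def audit(config):
    """List interfaces left outside every VRF and static routes whose next
    hop is not on a connected subnet of the route's own VRF."""
    connected, routes, findings = {}, [], []
    intf, vrf = None, GLOBAL
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            intf, vrf = words[1], GLOBAL  # a new interface starts in the global table
        elif words[:3] == ["ip", "vrf", "forwarding"]:
            vrf = words[3]
        elif words[:2] == ["ip", "address"] and len(words) >= 4 and line.startswith(" "):
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            connected.setdefault(vrf, []).append(net)
            if vrf == GLOBAL:
                findings.append(f"{intf}: addressed but not in any VRF")
        elif words[:3] == ["ip", "route", "vrf"]:
            routes.append((words[3], words[4], ipaddress.ip_address(words[6])))
    for rvrf, prefix, hop in routes:  # checked last so config order does not matter
        if not any(hop in net for net in connected.get(rvrf, [])):
            findings.append(f"route {prefix} in {rvrf}: next hop {hop} unresolved")
    return findings


if __name__ == "__main__":
    print(audit(R2_CONFIG) or "no findings")
```
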
For more information about VRF Lite configuration, see Configuring VRF Lite from Cisco.
Hi.
Configurations are self-explanatory, but I had a clarification. Can I use the same IP address for two interfaces and configure it in two VRFs, like how we do it in MPLS-based VRF?
Hi Bala,
Thanks for the comment, and yes, you can use the same IP addresses as long as they are in separate VRFs.
I have an instance where VRF names are correct but the configured static cannot be seen in the VRF routing table – no matter what I try. I have not rebooted the switch as it is a core switch – neither have I tried to remove all VRF config and reapply – the switch is a 4500 running L3 software release 12.2(40)SG.
Any tricks?
Is it possible to connect two VRFs on the same device together? I am connecting two gig ports together in different VLANs, with each VLAN using a different VRF, but the same IP subnets.
I am doing this for test purposes.
Are there any examples of using VRF inside of GRE or PPP or IPSec tunnels?
Hello Clayton,
VRF can be configured on GRE tunnels; this scenario is sometimes used in Internet access scenarios. There is also VRF-aware IPsec, but I have not used it before. You can check the Cisco documentation for VRF-aware IPsec.
Can 2 different VRFs exchange routes with each other? If yes, how?