VRF Configuration Flow

To virtually divide one router with VRF and route within each division, configure in the following order.

  1. Creating VRF
  2. Assigning interfaces to VRF
  3. Configuring routing for each VRF

It is important to “create a routing table for each VRF.”

VRF Configuration Commands

Creating VRF

To create a VRF, enter the following commands in global configuration mode.

Creating VRF

(config)#ip vrf <vrf-name>
(config-vrf)#rd <rd>

<vrf-name> : VRF name
<rd> : RD

A VRF is given an arbitrary name. The Route Distinguisher (RD) then ensures that the VRF's address space does not overlap with the global routing table or with other VRFs. The RD is 64 bits, and when VRF is used, an address is recognized in the format RD:IP address. This 96-bit RD:IP address format is called a VPNv4 address.
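The 96-bit RD:IP layout described above, as an added example that is not part of the original page: it encodes the RD in the 8-byte form defined in RFC 4364 and appends the IPv4 address. The RDs 10:10 and 20:20 and the overlapping prefix 192.168.1.0 come from this page's show output; the function names and the VRF-X entry are assumptions made for the illustration.

```python
import ipaddress
import struct

def encode_rd(rd):
    """Encode an 'administrator:number' RD as its 8-byte form (RFC 4364)."""
    admin, number = rd.rsplit(":", 1)
    if "." in admin:             # type 1: IPv4 address + 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(number))
    if int(admin) <= 0xFFFF:     # type 0: 2-byte AS number + 4-byte number
        return struct.pack("!HHI", 0, int(admin), int(number))
    return struct.pack("!HIH", 2, int(admin), int(number))  # type 2: 4-byte AS number

def vpnv4(rd, ip):
    """Return the 12-byte (96-bit) RD:IP value."""
    return encode_rd(rd) + ipaddress.IPv4Address(ip).packed

def colliding_vrfs(entries):
    """entries: (vrf, rd, ip) tuples. Return VRF pairs whose RD:IP is identical."""
    seen, clashes = {}, []
    for vrf, rd, ip in entries:
        key = vpnv4(rd, ip)
        if key in seen:
            clashes.append((seen[key], vrf))
        seen.setdefault(key, vrf)
    return clashes

# RDs and the overlapping connected prefix are taken from this page's output.
PAGE = [("VRF-A", "10:10", "192.168.1.0"), ("VRF-B", "20:20", "192.168.1.0")]

if __name__ == "__main__":
    for vrf, rd, ip in PAGE:
        print(vrf, vpnv4(rd, ip).hex())   # same IP, different 96-bit values
    # VRF-X is a constructed entry that reuses VRF-A's RD, so its RD:IP collides.
    print(colliding_vrfs(PAGE + [("VRF-X", "10:10", "192.168.1.0")]))
```

The same IPv4 prefix stays distinct only while the RDs differ, which is why each VRF here has its own RD.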

Notice

  • For MPLS-VPN, RT (Route Target) configuration is also required.

Assigning interfaces to VRF

Assign an interface to the created VRF. Enter the following command in interface configuration mode for the interface you want to assign.

Assigning interfaces to VRF

(config)#interface <interface-name>
(config-if)#ip vrf forwarding <vrf-name>
(config-if)#ip address <address> <subnetmask>

<interface-name> : Interface name
<vrf-name> : VRF name
<address> <subnetmask> : IP address and subnet mask

When an interface is assigned to a VRF, that interface becomes part of the relevant VRF and is no longer an interface of the original router. If an IP address is already configured for the interface, the IP address configuration will be deleted. Therefore, please configure the IP address again.

When an IP address is configured for an interface assigned to a VRF, the route information of the direct connection is registered on the routing table of the VRF. The route information for the interface assigned to VRF will no longer appear in the original global routing table.

Configuring routing for each VRF

Configure routing for each VRF to build its routing table. The concept is the same as for normal routing: register the route information of the remote networks in the routing table of the VRF. There are two methods for registering route information for remote networks in the VRF routing table.

  • Static route
  • Routing protocol

Static route

To register static routes in the routing table of a VRF, specify the VRF with the ip route command.

VRF Static route

(config)#ip route vrf <vrf-name> <network> <subnetmask> <next-hop>

<vrf-name> : VRF name
<network> : Network address
<subnetmask> : Subnet mask
<next-hop> : Next hop address

Routing protocol

Routing protocols take one of two approaches to VRF configuration. Some routing protocols handle multiple VRFs in a single routing process, and others require a separate routing process to be configured for each VRF. To handle multiple VRFs in one routing process, specify the VRF as an address-family.

One routing process : RIP/EIGRP/BGP
Multiple routing processes : OSPF
Table: Differences in Routing Processes

Notice

OSPFv3 allows VRF to be handled by address-family within a single routing process. This page describes the configuration of conventional OSPFv2 processes that do not support address-family.

RIP

To enable RIP in a VRF, specify the VRF with the address-family command in RIP configuration mode. Under address-family, the configuration is the same as the usual RIP configuration.

VRF RIP Configuration

(config)#router rip
(config-router)#address-family ipv4 vrf <vrf-name>
(config-router-af)#network <network>
(config-router-af)#version 2
(config-router-af)#no auto-summary

<vrf-name> : VRF name
<network> : Network address

EIGRP

To enable EIGRP in a VRF, specify the VRF with the address-family command in EIGRP configuration mode. Under address-family, specify the AS number and use the network command to determine the interfaces on which EIGRP is enabled.

VRF EIGRP Configuration

(config)#router eigrp <AS1>
(config-router)#address-family ipv4 vrf <vrf-name>
(config-router-af)#autonomous-system <AS2>
(config-router-af)#network <address> [<wildcard>]
(config-router-af)#no auto-summary

<AS1> : AS number of Global routing process
<vrf-name> : VRF name
<AS2> : AS number of VRF
<address> : Network address
<wildcard> : Wildcard mask

Depending on the IOS version, the commands for specifying the AS number for each VRF are different, as shown below.

(config)#router eigrp <AS1>
(config-router)#address-family ipv4 vrf <vrf-name> autonomous-system <AS2>

BGP

To enable BGP in a VRF, specify the VRF with the address-family command in BGP configuration mode. Under address-family, specify the IP address of the neighbor and activate the neighbor. The network command specifies the network address to be advertised as a BGP route.

VRF BGP Configuration

(config)#router bgp <AS1>
(config-router)#address-family ipv4 vrf <vrf-name>
(config-router-af)#neighbor <ip-address> remote-as <AS2>
(config-router-af)#neighbor <ip-address> activate
(config-router-af)#network <network> [mask <subnetmask>]

<AS1> : Own AS number
<vrf-name> : VRF name
<ip-address> : IP address of neighbor
<AS2> : AS number of neighbor
<network> : Network address
<subnetmask> : Subnet mask

OSPF

For OSPF, specify the VRF when enabling the routing process. The rest is the same as the normal OSPF configuration.

VRF OSPF Configuration

(config)#router ospf <process> vrf <vrf-name>
(config-router)#network <network> <wildcard> area <area>

<process> : Process ID
<vrf-name> : VRF name
<network> : Network address
<wildcard> : Wildcard mask
<area> : Area ID

Inter VRF Communication

The routing tables of the VRFs are separate from one another, so hosts in different VRFs cannot communicate. If communication between different VRFs is necessary, configure a VRF route leak. A VRF route leak registers route information from another VRF in the routing table of a VRF, which allows communication between the VRFs. Because each leaked route is an exception to that separation, leak only the routes that are needed.

VRF Verification

The following table summarizes the main commands for verifying VRF configuration and operation.

Commands : Summary
#show ip vrf [detail] : Verify the status of the VRF; adding detail gives a more detailed VRF status.
#show ip route vrf <vrf-name> : Displays the VRF routing table.
#ping vrf <vrf-name> <ip-address> : Ping based on the routing table of the specified VRF.
#traceroute vrf <vrf-name> <ip-address> : Traceroute based on the routing table of the specified VRF.
#telnet <ip-address> /vrf <vrf-name> : Telnet based on the routing table of the specified VRF.
Table: Main verification commands for VRF

show ip vrf [detail]

Use the show ip vrf command to display the status of each VRF and verify its RD value and assigned interfaces. Adding detail shows more detailed information.

show ip vrf/show ip vrf detail

P1#show ip vrf
  Name                             Default RD          Interfaces
  VRF-A                            10:10               Et0/1
                                                       Lo1
                                                       Et0/0.10
  VRF-B                            20:20               Et0/2
                                                       Lo2
                                                       Et0/0.20
P1#show ip vrf detail
VRF VRF-A; default RD 10:10; default VPNID 
  Interfaces:
    Et0/1                    Lo1                      Et0/0.10
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
VRF VRF-B; default RD 20:20; default VPNID 
  Interfaces:
    Et0/2                    Lo2                      Et0/0.20
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
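One way to turn the show ip vrf output above into a segmentation check, as an added example that is not part of the original page: it parses the table, including the continuation rows that carry only an interface name, and compares the result with an intended interface-to-VRF policy. The function names and the policy dictionary are assumptions made for the illustration.

```python
import re

# Output copied from the "show ip vrf" capture on this page.
SHOW_IP_VRF = """\
P1#show ip vrf
  Name                             Default RD          Interfaces
  VRF-A                            10:10               Et0/1
                                                       Lo1
                                                       Et0/0.10
  VRF-B                            20:20               Et0/2
                                                       Lo2
                                                       Et0/0.20
"""

def parse_show_ip_vrf(output):
    """Return {vrf_name: {"rd": str, "interfaces": [str, ...]}}."""
    vrfs, current = {}, None
    for line in output.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if not line.startswith(" ") or cols[0] in ("", "Name"):
            continue                      # prompt, blank line or header
        if len(cols) >= 2:                # new VRF row: name, RD, [interface]
            current = vrfs.setdefault(cols[0], {"rd": cols[1], "interfaces": []})
            cols = cols[2:]
        if current is not None:           # continuation rows hold one interface
            current["interfaces"].extend(cols)
    return vrfs

def membership_drift(vrfs, intended):
    """Return (interface, intended_vrf, actual_vrf) for every mismatch."""
    actual = {i: name for name, v in vrfs.items() for i in v["interfaces"]}
    drift = []
    for iface in sorted(set(actual) | set(intended)):
        if actual.get(iface) != intended.get(iface):
            drift.append((iface, intended.get(iface), actual.get(iface)))
    return drift

if __name__ == "__main__":
    # Hypothetical policy: Et0/2 was meant to sit in VRF-A, not VRF-B.
    policy = {"Et0/1": "VRF-A", "Lo1": "VRF-A", "Et0/0.10": "VRF-A",
              "Et0/2": "VRF-A", "Lo2": "VRF-B", "Et0/0.20": "VRF-B"}
    print(membership_drift(parse_show_ip_vrf(SHOW_IP_VRF), policy))
```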

show ip route vrf <vrf-name>

To display the routing table for each VRF, use the show ip route vrf command.

show ip route vrf <vrf-name>

P1#show ip route vrf VRF-A
 
Routing Table: VRF-A
-- omitted --
 
Gateway of last resort is not set
 
C    192.168.0.0/24 is directly connected, Ethernet0/0.10
C    192.168.1.0/24 is directly connected, Ethernet0/1
     192.168.100.0/32 is subnetted, 1 subnets
C       192.168.100.1 is directly connected, Loopback1
P1#show ip route vrf VRF-B
 
Routing Table: VRF-B
-- omitted --
 
Gateway of last resort is not set
 
C    192.168.0.0/24 is directly connected, Ethernet0/0.20
C    192.168.1.0/24 is directly connected, Ethernet0/2
     192.168.100.0/32 is subnetted, 1 subnets
C       192.168.100.1 is directly connected, Loopback2

ping vrf <vrf-name> <ip-address>

To verify communication in a VRF, ping is performed based on the routing table of the respective VRF. The ping vrf command performs a ping based on the routing table for the specified VRF.

ping vrf <vrf-name>

P1#ping vrf VRF-A 192.168.10.101 source loopback 1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.101, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/29/40 ms

traceroute vrf <vrf-name> <ip-address>

Use the traceroute vrf command to perform a traceroute based on the VRF routing table.

traceroute vrf <vrf-name>

P1#traceroute vrf VRF-A 192.168.10.101 source loopback 1

Type escape sequence to abort.
Tracing the route to 192.168.10.101

  1 192.168.1.11 8 msec 28 msec 20 msec
  2 192.168.10.101 24 msec 44 msec 36 msec

telnet <ip-address> /vrf <vrf-name>

To Telnet based on the VRF routing table, specify the VRF name in the /vrf option.

telnet <ip-address> /vrf <vrf-name>

P1#telnet 192.168.100.11 /vrf VRF-A
Trying 192.168.100.11 ... Open

A1#exit

[Connection to 192.168.100.11 closed by foreign host]
P1#

Remember to specify VRF when performing Ping, Traceroute, or Telnet. If VRF is not specified, the command will be executed based on the routing table of the global routing process. In that case, the VRF communication cannot be verified.

Multi AF mode VRF Command (New Command format)

VRF can handle the IPv6 address-family as well as IPv4. The commands for creating a Multi AF mode VRF that supports multiple address-families, and for assigning interfaces to it, differ slightly from the commands used to configure an IPv4-only VRF. To create a VRF for IPv4 in Multi AF mode, enter the following commands in global configuration mode.

Creating Multi AF mode VRF

(config)#vrf definition <vrf-name>
(config-vrf)#rd <RD>
(config-vrf)#address-family ipv4
(config-vrf-af)#

<vrf-name> : VRF name
<RD> : RD

Then, assign the interface to the VRF. In interface configuration mode, enter the following commands.

Assigning Interface to Multi AF mode VRF

(config)#interface <interface-name>
(config-if)#vrf forwarding <vrf-name>
(config-if)#ip address <address> <subnetmask>

<interface-name> : Interface name
<vrf-name> : VRF name
<address> <subnetmask> : IP address and subnet mask

When an interface is assigned to a VRF, the IP address of that interface is deleted. Please configure the IP address again.
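A pre-deployment check for the address-removal behaviour described here and in the earlier "Assigning interfaces to VRF" section, as an added example that is not part of the original page: it lints a candidate configuration in either the ip vrf or the vrf definition syntax. The sample configuration, function names and finding texts are constructed for the illustration.

```python
import re

# Constructed change script, not from the page: two of its interfaces are wrong.
CANDIDATE = """\
ip vrf VRF-A
 rd 10:10
vrf definition VRF-C
 rd 30:30
 address-family ipv4
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip vrf forwarding VRF-A
interface Ethernet0/2
 vrf forwarding VRF-B
 ip address 192.168.2.1 255.255.255.0
interface Ethernet0/3
 vrf forwarding VRF-C
 ip address 192.168.3.1 255.255.255.0
"""

VRF_DEF = re.compile(r"(?:ip vrf|vrf definition) (\S+)$")
VRF_FWD = re.compile(r"(?:ip )?vrf forwarding (\S+)$")

def blocks(text):
    """Group config lines into (top-level command, [indented sub-commands])."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1][1].append(raw.strip())
        elif raw.strip() not in ("", "!"):
            out.append((raw.strip(), []))
    return out

def lint_vrf_config(text):
    """Return (interface, problem) pairs in config order."""
    defined = {m.group(1) for head, _ in blocks(text) if (m := VRF_DEF.match(head))}
    findings = []
    for head, body in blocks(text):
        bound = [(i, m.group(1)) for i, c in enumerate(body) if (m := VRF_FWD.match(c))]
        if not head.startswith("interface ") or not bound:
            continue
        iface, (pos, vrf) = head.split(None, 1)[1], bound[-1]
        if vrf not in defined:
            findings.append((iface, f"VRF {vrf} is not defined"))
        addr = [i for i, c in enumerate(body) if c.startswith("ip address ")]
        if not any(i > pos for i in addr):   # no address survives the binding
            why = "set before the VRF binding and removed" if addr else "missing"
            findings.append((iface, f"IP address {why}"))
    return findings
```

Running `lint_vrf_config(CANDIDATE)` reports Ethernet0/1, whose address precedes the VRF binding, and Ethernet0/2, which names a VRF that is never created.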

The routing protocol configuration for each VRF is the same in Multi AF mode as in IPv4-only VRF.

Multi AF mode VRF Configuration Commands Conversion

IPv4 VRF configuration commands can be converted to the new Multi AF mode VRF configuration commands. Enter the following command in global configuration mode.

Multi AF mode VRF Configuration Commands Conversion

(config)#vrf upgrade-cli multi-af-mode common-policies

The following is an example of converting IPv4 VRF configuration commands to Multi AF mode VRF configuration commands with the vrf upgrade-cli command.

Multi AF mode VRF Configuration Commands Conversion Example

IOU3#show run | section vrf|interface Ethernet0/0
ip vrf TEST
 rd 65001:100
interface Ethernet0/0
 ip vrf forwarding TEST
 ip address 192.168.1.1 255.255.255.0
IOU3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
IOU3(config)#vrf upgrade-cli multi-af-mode common-policies
You are about to upgrade to the multi-AF VRF syntax commands.
You will lose any IPv6 addresses configured on interfaces
belonging to upgraded VRFs.

Are you sure ? [yes]: yes
Number of VRFs upgraded: 1
IOU3(config)#end
IOU3#show run | section vrf|interface Ethernet0/0
vrf definition TEST
 rd 65001:100
 !
 address-family ipv4
 exit-address-family
interface Ethernet0/0
 vrf forwarding TEST
 ip address 192.168.1.1 255.255.255.0