Table of Contents
VRF Configuration Flow
The configuration flow for virtual division of one router with VRF and routing is as follows.
- Creating VRF
- Assigning interfaces to VRF
- Configuring routing for each VRF
It is important to “create a routing table for each VRF.”
Related article
Please see the following article about “What is VRF?”
VRF Configuration Commands
Creating VRF
To create a VRF, enter the following command in global configuration mode
Creating VRF
(config)#ip vrf <vrf-name>
(config-vrf)#rd <rd>
<vrf-name> : VRF name
<rd> : RD
VRF is configured with an arbitrary name. Then, the Route Distinguisher (RD) ensures that the address space does not overlap with the global and other VRFs. RD is 64 bits, and when VRF is used, the address is recognized in the format of RD:IP address. 96-bit address format as RD:IP address is called VPNv4 address.
Notice
- For MPLS-VPN, RT (Route Target) configuration is also required.
Assigning interfaces to VRF
Assign an interface to the created VRF. Enter the following command in interface configuration mode for the interface you want to assign.
Assigning interfaces to VRF
(config)#interface <interface-name>
(config-if)#ip vrf forwarding <vrf-name>
(config-if)#ip address <address> <subnetmask>
<interfane-name> : Interface Name
<vrf-name> : VRF name
<address> <subnetmask> : IP address and subnet mask
When an interface is assigned to a VRF, that interface becomes part of the relevant VRF and is no longer an interface of the original router. If an IP address is already configured for the interface, the IP address configuration will be deleted. Therefore, please configure the IP address again.
When an IP address is configured for an interface assigned to a VRF, the route information of the direct connection is registered on the routing table of the VRF. The route information for the interface assigned to VRF will no longer appear in the original global routing table.
Configuring routing for each VRF
Configure routing for each VRF and create a routing table. As with normal routing, register the route information of the remote network in the routing table of the VRF. There are two methods for registering route information for remote networks in the VRF routing table The concept is the same as for normal routing. Register the route information of the remote network in the VRF routing table with the following configuration.
- Static route
- Routing protocol
Static route
To register static routes in the routing table of a VRF, specify the VRF with the ip route command.
VRF Static route
(config)#ip route vrf <vrf-name> <network> <subnetmask> <next-hop>
<vrf-name> : VRF name
<network> : Network address
<subnetmask> : Subnet mask
<next-hop> : Next hop address
Routing protocol
There are two different approaches to the configuration of routing protocols. There are routing protocols that allow a single routing process to handle multiple VRFs, and there are routing protocols that require multiple routing processes to be configured for each VRF. To handle multiple VRFs in one routing process, specify VRF as address-family.
One routing process | RIP/EIGRP/BGP |
Multiple routing process | OSPF |
Notice
OSPFv3 allows VRF to be handled by address-family within a single routing process. This page describes the configuration of conventional OSPFv2 processes that do not support address-family.
RIP
To enable RIP in VRF, specify VRF by address-family command in RIP configuration mode. Under address-family, it is the same as the usual RIP configuration.
VRF RIP Configuration
(config)#router rip
(config-router)#address-family ipv4 vrf <vrf-name>
(config-router-af)#network <network>
(config-router-af)#version 2
(config-router-af)#no auto-summary
<vrf-name> : VRF name
<network> : Network address
EIGRP
To enable EIGRP in a VRF, specify the VRF by address-family command in EIGRP configuration mode. In address-family, the AS number is specified and determine the interface on which EIGRP is enabled with the network command.
VRF EIGRP Configuration
(config)#router eigrp <AS1>
(config-router)#address-family ipv4 vrf <vrf-name>
(config-router-af)#autonomous-system <AS2>
(config-router-af)#network <address> [<wildcard>]
(config-router-af)#no auto-summary
<AS1> : AS number of Global routing process
<vrf-name> : VRF name
<AS2> : AS number of VRF
<network> : Network address
<wildcard> : Wildcard mask
Depending on the IOS version, the commands for specifying the AS number for each VRF are different, as shown below.
(config)#router eigrp <AS1>
(config-router)#address-family ipv4 vrf <vrf-name> autonomous-system <AS2>
BGP
To enable BGP in a VRF, specify the VRF by address-family command in BGP configuration mode. Under address-family, specify the IP address of the neighbor and activate the neighbor. Also, the network command specifies the network address to be advertised as a BGP route.
VRF BGP Configuration
(config)#router bgp <AS1>
(config-router)#address-family ipv4 vrf <vrf-name>
(config-router-af)#neighbor <ip-address> remote-as <AS2>
(config-router-af)#neighbor <ip-address> activate
(config-router-af)#network <network> [mask <subnetmask>]
<AS1> : Own AS number
<vrf-name> : VRF name
<ip-address> : IP address of neighbor
<AS2> : AS number of neighbor
<network> : Network address
<subnetmask> : Subnet mask
OSPF
OSPF specifies VRF when enabling the routing process. The rest is the same as the normal OSPF configuration.
VRF OSPF Configuration
(config)#router ospf <process> vrf <vrf-name>
(config-router)#network <network> <wildcard> area <area>
<process> : Process ID
<vrf-name> : VRF name
<network> : Network address
<wildcard> : Wildcard mask
<area> : Area ID
Inter VRF Communication
The routing tables for each VRF are separated. Therefore, communication is not possible when different VRFs are used. If communication between different VRFs is necessary, configure VRF route leaks. VRF route leak allows registering route information of other VRFs in the routing table of one VRF. Registering route information of other VRFs in the routing table allows communication between VRFs.
Related article
The following article describes the VRF route leak.
VRF Verification
The following table summarizes the main commands for verifying VRF configuration and operation.
Commands | Summary |
---|---|
#show ip vrf [detail] | Verify the status of the VRF; adding detail will give you a more detailed VRF status. |
#show ip route vrf <vrf-name> | Displays the VRF routing table. |
#ping vrf <vrf-name> <ip-address> | Ping based on the routing table of the specified VRF. |
#traceroute vrf <vrf-name> <ip-address> | Traceroute based on the routing table of the specified VRF. |
#telnet <ip-address> /vrf <vrf-name> | Telnet based on the routing table of the specified VRF. |
show ip vrf [detail]
Use the show ip vrf command to display the status of VRF; verify the RD value of VRF and the assigned interfaces. Also, you can find more detailed information by adding detail.
show ip vrf/show ip vrf detail
P1#show ip vrf Name Default RD Interfaces VRF-A 10:10 Et0/1 Lo1 Et0/0.10 VRF-B 20:20 Et0/2 Lo2 Et0/0.20 P1#show ip vrf detail VRF VRF-A; default RD 10:10; default VPNID Interfaces: Et0/1 Lo1 Et0/0.10 Connected addresses are not in global routing table No Export VPN route-target communities No Import VPN route-target communities No import route-map No export route-map VRF label distribution protocol: not configured VRF VRF-B; default RD 20:20; default VPNID Interfaces: Et0/2 Lo2 Et0/0.20 Connected addresses are not in global routing table No Export VPN route-target communities No Import VPN route-target communities No import route-map No export route-map VRF label distribution protocol: not configured
show ip route vrf <vrf-name>
To display the routing table for each VRF, use the show ip route vrf command.
show ip route vrf <vrf-name>
P1#show ip route vrf VRF-A Routing Table: VRF-A -- omitted -- Gateway of last resort is not set C 192.168.0.0/24 is directly connected, Ethernet0/0.10 C 192.168.1.0/24 is directly connected, Ethernet0/1 192.168.100.0/32 is subnetted, 1 subnets C 192.168.100.1 is directly connected, Loopback1 P1#show ip route vrf VRF-B Routing Table: VRF-B -- omitted -- Gateway of last resort is not set C 192.168.0.0/24 is directly connected, Ethernet0/0.20 C 192.168.1.0/24 is directly connected, Ethernet0/2 192.168.100.0/32 is subnetted, 1 subnets C 192.168.100.1 is directly connected, Loopback2
ping vrf <vrf-name> <ip-address>
To verify communication in a VRF, ping is performed based on the routing table of the respective VRF. The ping vrf command performs a ping based on the routing table for the specified VRF.
ping vrf <vrf-name>
P1#ping vrf VRF-A 192.168.10.101 source loopback 1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.10.101, timeout is 2 seconds: Packet sent with a source address of 192.168.100.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/29/40 ms
traceroute vrf <vrf-name> <ip-address>
Use the traceroute vrf command to perform a traceroute based on the VRF routing table.
traceroute vrf <vrf-name>
P1#traceroute vrf VRF-A 192.168.10.101 source loopback 1 Type escape sequence to abort. Tracing the route to 192.168.10.101 1 192.168.1.11 8 msec 28 msec 20 msec 2 192.168.10.101 24 msec 44 msec 36 msec
telnet <ip-address> /vrf <vrf-name>
To Telnet based on the VRF routing table, specify the VRF name in the /vrf option.
telnet <ip-address> /vrf <vrf-name>
P1#telnet 192.168.100.11 /vrf VRF-A Trying 192.168.100.11 ... Open A1#exit [Connection to 192.168.100.11 closed by foreign host] P1#
Remember to specify VRF when performing Ping, Traceroute, or Telnet. If VRF is not specified, the command will be executed based on the routing table of the global routing process. In that case, the VRF communication cannot be verified.
Multi AF mode VRF Command (New Command format)
VRF can handle IPv6 address-family as well as IPv4. Creating a Multi AF mode VRF that supports multiple address-families and assigning interfaces differs slightly from the commands used to configure an IPv4-only VRF. To create a VRF for IPv4 in Multi AF mode, enter the following command in global configuration mode
Creating Multi AF mode VRF
(config)#vrf definition <vrf-name>
(config-vrf)#rd <RD>
(config-vrf)#address-family ipv4
(config-vrf-af)#
<vrf-name> : VRF name
<RD> : RD
Then, assign the interface to VRF. In interface configuration mode, enter the following command
Assigning Interface to Multi AF mode VRF
(config)#interface <interface-name>
(config-if)#vrf forwarding <vrf-name>
(config-if)#ip address <address> <subnetmask>
<interfane-name> : Interface name
<vrf-name> : VRF name
<address> <subnetmask> : IP Address Subnet mask
When an interface is assigned to a VRF, the IP address of that interface is deleted. Please configure the IP address again.
The routing protocol configuration for each VRF is the same in Multi AF mode as in IPv4-only VRF.
Multi AF mode VRF Configuration Commands Conversion
IPv4 VRF configuration commands can be converted to new Multi AF mode VRF configuration commands. Enter the following command in global configuration mode
Multi AF mode VRF Configuration Commands Conversion
(config)#vrf upgrade-cli multi-af-mode common-policies
The following is an example of converting IPv4 VRF configuration commands to Multi AF mode VRF configuration commands with the vrf upgrade-cli command.
Multi AF mode VRF Configuration Commands Conversion Example
IOU3#show run | section vrf|interface Ethernet0/0 ip vrf TEST rd 65001:100 interface Ethernet0/0 ip vrf forwarding TEST ip address 192.168.1.1 255.255.255.0 IOU3#configure terminal Enter configuration commands, one per line. End with CNTL/Z. IOU3(config)#vrf upgrade-cli multi-af-mode common-policies You are about to upgrade to the multi-AF VRF syntax commands. You will lose any IPv6 addresses configured on interfaces belonging to upgraded VRFs. Are you sure ? [yes]: yes Number of VRFs upgraded: 1 IOU3(config)#end IOU3#show run | section vrf|interface Ethernet0/0 vrf definition TEST rd 65001:100 ! address-family ipv4 exit-address-family interface Ethernet0/0 vrf forwarding TEST ip address 192.168.1.1 255.255.255.0
Advanced IP Routing
- Overview of Cisco Route-map
- Cisco Route-map Configuration
- GRE Tunnel Interface – Virtual Point-to-Point Connection
- GRE Tunnel Interface Configuration Example
- Overview of VRF/VRF-Lite – Virtually separating the router –
- Cisco VRF Configuration and Verification Commands
- Cisco Layer 3 VPN with VRF-Lite Configuration Example
- What Is FVRF(Front door VRF)?
- Point-to-point GRE Tunnel without FVRF
- Point-to-point GRE tunnel with FVRF (tunnel vrf command)
- IPSec VTI with FVRF
- IPSec VTI with FVRF Configuration Example
- DMVPN with FVRF
- DMVPN with FVRF Configuration Example Part1
- DMVPN with FVRF Configuration Example Part2