Overview

To better understand FVRF (Front door VRF), consider a network diagram that does not use FVRF. We will build an overlay network with point-to-point GRE tunnels; we will consider the problems that can arise when VRF is not used.

Problems with GRE overlay network without FVRF

The GRE tunnel interface can be used to build a point-to-point network as an overlay network, which can be regarded as an apparent direct connection between routers that can communicate over IP.

In these GRE overlay networks, if only the default routing process is used without VRF, the overlay network route information is mixed with the underlay network route information.

Figure Mixed overlay and underlay network routes

In other words, the routing of the overlay and underlay networks will be related to each other. A minor mistake in routing configuration can break the overlay network. Additional controls, such as route filters, are necessary for the overlay network to function properly.

In addition, address ranges for overlay and underlay networks cannot overlap. Address range overlap is also not allowed when building multiple overlay networks.

In the following sections, we will explain the problems with point-to-point GRE overlay networks that do not use FVRF, using a specific network diagram.

Example of GRE overlay network without FVRF

Network diagram

Consider the following network diagram.

Figure Network diagram

Build an overlay network of point-to-point GRE tunnels between R11 and R21.

In addition, the address ranges of the overlay and underlay networks do not overlap. The overlay network is addressed with Class B private addresses such as 172.16.x.x, 172.17.x.x and 172.18.x.x. The underlay network is addressed with 10.x.x.x Class A private addresses.

In order to separate the overlay and underlay networks, routing protocols are separated. EIGRP is used in the overlay network and OSPF is used in the underlay network; no redistribution between EIGRP and OSPF is performed.

| | Address range | Routing protocol |
|---|---|---|
| Overlay network | 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16 | EIGRP |
| Underlay network | 10.0.0.0/8 | OSPF |
Figure Routing protocol

Excerpts of configuration of each device

Here is an excerpt of the relevant configuration commands of each device. R11/R21 are the important ones.

R11 Configuration Excerpts

hostname R11
!
interface Loopback0
 ip address 10.0.0.11 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.11 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.0.0.21
!
interface Ethernet0/0
 ip address 10.0.11.11 255.255.255.0
!
interface Ethernet0/1
 ip address 172.17.0.11 255.255.255.0
!
router eigrp 1
 network 172.16.0.0
 network 172.17.0.0
 eigrp router-id 11.11.11.11
!
router ospf 1
 router-id 11.11.11.11
 network 10.0.0.11 0.0.0.0 area 0
 network 10.0.11.11 0.0.0.0 area 0

R21 Configuration Excerpts

hostname R21
!
interface Loopback0
 ip address 10.0.0.21 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.21 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.0.0.11
!
interface Ethernet0/0
 ip address 10.0.21.21 255.255.255.0
!
interface Ethernet0/1
 ip address 172.18.0.21 255.255.255.0
!
router eigrp 1
 network 172.16.0.0
 network 172.18.0.0
 eigrp router-id 21.21.21.21
!
router ospf 1
 router-id 21.21.21.21
 network 10.0.0.21 0.0.0.0 area 0
 network 10.0.21.21 0.0.0.0 area 0

R12 Configuration Excerpts

hostname R12
!
interface Loopback0
 ip address 172.17.12.12 255.255.255.0
 ip ospf network point-to-point
!
interface Ethernet0/0
 ip address 172.17.0.12 255.255.255.0
!
router eigrp 1
 network 172.17.0.0
 eigrp router-id 12.12.12.12

R22 Configuration Excerpts

hostname R22
!
interface Loopback0
 ip address 172.18.22.22 255.255.255.0
 ip ospf network point-to-point
!
interface Ethernet0/0
 ip address 172.18.0.22 255.255.255.0
!
router eigrp 1
 network 172.18.0.0
 eigrp router-id 22.22.22.22

UL1 Configuration Excerpts

hostname UL1
!
interface Ethernet0/0
 ip address 10.0.11.1 255.255.255.0
!
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.255.255.255 area 0

UL2 Configuration Excerpts

hostname UL2
!
interface Ethernet0/0
 ip address 10.0.21.2 255.255.255.0
!
interface Ethernet0/1
 ip address 10.0.0.2 255.255.255.0
!
router ospf 1
 router-id 2.2.2.2
 network 10.0.0.0 0.255.255.255 area 0

Mixed overlay and underlay network route information

As mentioned earlier, without VRF, route information for overlay and underlay networks will be mixed; if we look at the routing table for R11, we find the following contents.

R11 Routing table

R11#show ip route | exclude L
-- omitted --

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O        10.0.0.0/24 [110/20] via 10.0.11.1, 00:00:17, Ethernet0/0
C        10.0.0.11/32 is directly connected, Loopback0
O        10.0.0.21/32 [110/31] via 10.0.11.1, 00:00:07, Ethernet0/0
C        10.0.11.0/24 is directly connected, Ethernet0/0
O        10.0.21.0/24 [110/30] via 10.0.11.1, 00:00:17, Ethernet0/0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/24 is directly connected, Tunnel0
      172.17.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.17.0.0/24 is directly connected, Ethernet0/1
D        172.17.12.0/24 [90/409600] via 172.17.0.12, 00:01:02, Ethernet0/1
      172.18.0.0/24 is subnetted, 2 subnets
D        172.18.0.0 [90/26905600] via 172.16.0.21, 00:00:07, Tunnel0
D        172.18.22.0 [90/27033600] via 172.16.0.21, 00:00:07, Tunnel0
Figure R11 Routing table

In the routing table of R11, route information for 10.x.x.x in the underlay network and “172.16.x.x”, “172.17.x.x” and “172.18.x.x” communicating via the overlay network have been mixed together. The same is true for R21.

Note that the routing protocols for the overlay and underlay networks are separated, and we do not redistribute between them. Therefore, routers other than R11/R21 do not mix overlay network route information with underlay network route information. The routing table for R12 is as follows.

R12 Routing table

R12#show ip route | exclude L
-- omitted --

Gateway of last resort is not set

      172.16.0.0/24 is subnetted, 1 subnets
D        172.16.0.0 [90/26905600] via 172.17.0.11, 00:11:23, Ethernet0/0
      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.17.0.0/24 is directly connected, Ethernet0/0
      172.18.0.0/24 is subnetted, 2 subnets
D        172.18.0.0 [90/26931200] via 172.17.0.11, 00:11:22, Ethernet0/0
D        172.18.22.0 [90/27059200] via 172.17.0.11, 00:11:22, Ethernet0/0

Breaking the overlay network

By separating the routing protocols, we are separating the overlay network from the underlay network. However, a minor misconfiguration of the routing protocol can easily break the overlay network.

Specifically, when Loopback0 of R11/R21, which is configured as the tunnel destination, is advertised with EIGRP in the overlay network, the overlay network (GRE tunnel) is broken. Let’s advertise Loopback0 (10.0.0.11) on R11 with EIGRP. Note that Lo0 (10.0.0.11) on R11 is the destination IP address of the packets that R21 forwards over the underlay network.

R11 Advertise Lo0 with EIGRP (break GRE tunnel)

router eigrp 1
 network 10.0.0.11 0.0.0.0

This alone will break the GRE tunnel between R11 and R21. We see a log of Tunnel0 repeating up/down on R21.

R21 Tunnel0 flapping

R21#
*Aug 29 01:51:09.218: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Aug 29 01:51:09.218: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Aug 29 01:51:09.218: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.0.11 (Tunnel0) is down: interface down
R21#
*Aug 29 01:52:09.257: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Aug 29 01:52:10.212: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.0.11 (Tunnel0) is up: new adjacency
R21#
*Aug 29 01:52:10.535: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel0 - looped chain attempting to stack
R21#

If EIGRP is enabled on Lo0 of R11, R11 will advertise the EIGRP route 10.0.0.11/32 out of Tunnel0. R21 then receives both the OSPF route 10.0.0.11/32 and the EIGRP route 10.0.0.11/32. The EIGRP route is preferred because of EIGRP’s lower administrative distance. R21 therefore learns the route information needed to establish Tunnel0 via Tunnel0 itself. As a result, Tunnel0 on R21 is broken.
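As an added example (not part of the original article), the Python sketch below checks an IOS configuration excerpt for this misconfiguration: an EIGRP network statement that matches the address of a tunnel source interface, which is the address the peer uses as its tunnel destination. The config string is constructed from the R11 excerpt on this page plus the breaking statement; the function names are hypothetical, and the check assumes the tunnel source is given as an interface name.

```python
import ipaddress

# Constructed input: R11's excerpt from this page plus the breaking EIGRP statement.
R11_CONFIG = """\
interface Loopback0
 ip address 10.0.0.11 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.11 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.0.0.21
!
router eigrp 1
 network 172.16.0.0
 network 172.17.0.0
 network 10.0.0.11 0.0.0.0
!
router ospf 1
 network 10.0.0.11 0.0.0.0 area 0
"""

def classful_wildcard(net):
    """Wildcard implied by a network statement written without one (classful)."""
    first = int(net.split(".")[0])
    return "0.255.255.255" if first < 128 else "0.0.255.255" if first < 192 else "0.0.0.255"

def wildcard_match(ip, net, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def find_recursive_risk(config):
    """Return (tunnel, source_ip, eigrp_network) for each tunnel source EIGRP would advertise."""
    section, addr, tunnel_src, eigrp_nets = "", {}, {}, []
    for line in config.splitlines():
        words = line.split()
        if not words or not line.startswith(" "):
            section = line.strip()  # top-level line: "interface X", "router ...", "!"
        elif section.startswith("interface "):
            ifname = section.split()[1]
            if words[:2] == ["ip", "address"]:
                addr[ifname] = words[2]
            elif words[:2] == ["tunnel", "source"]:
                tunnel_src[ifname] = words[2]  # assumption: an interface name
        elif section.startswith("router eigrp") and words[0] == "network":
            eigrp_nets.append((words[1], words[2] if len(words) > 2 else classful_wildcard(words[1])))
    return [(tun, addr[src], net)
            for tun, src in tunnel_src.items() if src in addr
            for net, wc in eigrp_nets if wildcard_match(addr[src], net, wc)]
```

An empty result means no EIGRP network statement covers a tunnel source address; the OSPF statement for the same address is ignored because it belongs to the underlay.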

Figure Overlay network (GRE tunnel) is broken

To prevent the GRE tunnel from being broken like this, the routing protocols for the overlay and underlay networks were separated. Even so, a minor misconfiguration can break the overlay network of GRE tunnels. This can be prevented not only by separating routing protocols, but also by performing route filtering.

But …

“Instead of having to do all sorts of controls within one routing process, we can just separate the VRFs!”

This is the point of FVRF.

Summary

Points

  • If the GRE overlay network uses only the default routing process without VRF, route information for the overlay network will be mixed with route information for the underlay network.
  • Various routing controls are needed to prevent the overlay network from being broken due to misconfiguration or other reasons.