Virtual Routing (and) Forwarding is a logical routing table technology. It's a way to segment routing information, similar to VLAN segmentation at layer 2. This is a small start to VRF theory and configuration. The VRF theory I get into is from a datacenter perspective.

VRF Use Cases

There's a security aspect and a big array of new configuration and routing options for the network when using VRF.

Security: A VRF is a complete routing table segmentation. Different VRFs can't communicate with each other unless, at some point in the network, they get routed or redistributed into each other. MP-BGP is used to redistribute between VRFs on a regular router, and a more common method of interconnecting them is probably through a firewall. That is, if you want to connect the VRFs at all.

We tend to trust VLANs and VRFs as security measures because of their segmentation. However, they are just segmentation methods, and both have been part of vulnerabilities. Using VRF is still a great way to make security management easier: it is a good security measure, but there have to be others as well.

Functionality: There's a lot. It just opens up so many ways of using the network. Starting with the concept of different routing tables, the picture below illustrates that we can use the same IP, on the same router, through the same physical interface. Complete VRF routing configuration is a topic further down.


Whether it's a good idea to use the same IPs in different VRFs is a question of manageability and sanity. You have a lot of private IP addresses to use, and it would probably be easier from an IPAM perspective not to reuse any addresses. A scenario might be having several sites in different VRFs, but using the same IP scope for each of them. That way you can look up the routing table for a VRF and determine faster whether the correct route is there.

The way I personally prefer is VRF segmentation based on functionality.

Back to VRF theory. How does a router distinguish different VRFs and their routing information? With a route distinguisher. The RD is an identifier the router uses to keep track of which VRF a prefix belongs to. It is prepended to the routes as a 64-bit value. With VRF lite, the RD is locally significant, but for the sake of management it makes sense to use the same RD for a given VRF across the routers.

The format can be typed as either AS:AS or IP:AS, where the second field is just a number. This means a number from 1 - 65535 : 1 - 65535, or an IP address, 192.168.1.1 : 1 - 65535. Again, the RD relates to nothing else. If you use the IP format, the address you type has no impact on anything, and nothing has an impact on it, other than its purpose as VRF information. You can't use the same RD for different VRFs.
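As an added illustration (not code from the original post), a small Python model of the two points above: the RD is encoded into its 64-bit form and prepended to a prefix, one routing table is kept per VRF so that looking up the same address in two VRFs hits two different routes (and fails in a VRF that has no route), and reusing an RD for a second VRF is refused. The VRF names, RDs and the shared 192.168.0.0/24 follow this post's topology; the class and function names are my own.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """64-bit RD: type 0 is 2-byte ASN + 4-byte number, type 1 is IPv4 address + 2-byte number."""
    admin, num = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))

class Vrf:
    """One routing table, tagged with its RD."""
    def __init__(self, name: str, rd: str):
        self.name, self.rd, self.routes = name, encode_rd(rd), {}

    def add_route(self, prefix: str, next_hop: str):
        self.routes[ipaddress.ip_network(prefix, strict=False)] = next_hop

    def lookup(self, ip: str):
        """Longest-prefix match inside this table only; None when the VRF has no route."""
        addr = ipaddress.ip_address(ip)
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen, default=None)
        return None if best is None else (str(best), self.routes[best])

    def vpnv4(self, prefix: str) -> bytes:
        """RD prepended to the prefix: how the same IPv4 prefix stays unique across VRFs."""
        net = ipaddress.ip_network(prefix, strict=False)
        return self.rd + net.network_address.packed

class Router:
    def __init__(self):
        self.vrfs = {}

    def add_vrf(self, name: str, rd: str) -> Vrf:
        """Mirrors IOS 'vrf definition <name>' + 'rd <value>': an RD may not be reused."""
        if any(v.rd == encode_rd(rd) for v in self.vrfs.values()):
            raise ValueError(f"rd {rd} already belongs to another vrf")
        self.vrfs[name] = Vrf(name, rd)
        return self.vrfs[name]

def demo() -> Router:
    # Constructed: r1 carries 192.168.0.0/24 in both functions1 and functions2, as the post allows.
    r1 = Router()
    r1.add_vrf("functions1", "10:10").add_route("192.168.0.0/24", "10.0.0.2")
    r1.vrfs["functions1"].add_route("192.168.0.128/25", "10.0.0.6")
    r1.add_vrf("functions2", "20:20").add_route("192.168.0.0/24", "10.0.1.2")
    r1.add_vrf("functions3", "30:30")  # defined but empty: lookups here must fail
    return r1
```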

Another VRF component is route-target. I won't get into that now, because it doesn't matter for VRF lite. RT is used for MP-BGP/MPLS L3 VPN.

What is VRF lite? It is VRF configuration without MPLS. For a company or a "single domain" network, VRF lite will probably do just fine. The configuration is simpler, but it doesn't scale. It's not a performance scaling issue; it's a configuration and management issue. A little imaginary topology:

I'll create four VRFs. There are two ways to define a VRF: ip vrf name and vrf definition name. ip vrf creates an IPv4-only VRF, while vrf definition has multiprotocol support. Depending on which of them you use, activating the VRF on interfaces is different: ip vrf forwarding name or vrf forwarding name.

Configuration for the VRFs

hostname r1
!
vrf definition functions1
 rd 10:10
 address-family ipv4
!
vrf definition functions2
 rd 20:20
 address-family ipv4
!
vrf definition functions3
 rd 30:30
 address-family ipv4
!
vrf definition functions4
 rd 40:40
 address-family ipv4
___________________________
hostname r2
!
vrf definition functions1
 rd 10:10
 address-family ipv4
!
vrf definition functions2
 rd 20:20
 address-family ipv4
!
vrf definition functions3
 rd 30:30
 address-family ipv4
!
vrf definition functions4
 rd 40:40
 address-family ipv4
___________________________
hostname r3
!
vrf definition functions1
 rd 10:10
 address-family ipv4
!
vrf definition functions2
 rd 20:20
 address-family ipv4
!
vrf definition functions3
 rd 30:30
 address-family ipv4
!
vrf definition functions4
 rd 40:40
 address-family ipv4
___________________________
hostname r4
!
vrf definition functions1
 rd 10:10
 address-family ipv4
!
vrf definition functions2
 rd 20:20
 address-family ipv4
!
vrf definition functions3
 rd 30:30
 address-family ipv4
!
vrf definition functions4
 rd 40:40
 address-family ipv4

Configuring EIGRP for VRF support. Because these are different routing tables, I can use the same AS without issues.

hostname r1
!
router eigrp 1
 address-family ipv4 vrf functions1 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.0.0
 !
 address-family ipv4 vrf functions2 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.1.0
 !
 address-family ipv4 vrf functions3 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.2.0
 !
 address-family ipv4 vrf functions4 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.3.0
_______________________________________________________
hostname r2
!
router eigrp 1
 address-family ipv4 vrf functions1 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.10.0
 !
 address-family ipv4 vrf functions2 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.11.0
 !
 address-family ipv4 vrf functions3 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.12.0
 !
 address-family ipv4 vrf functions4 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.13.0
_______________________________________________________
hostname r3
!
router eigrp 1
 address-family ipv4 vrf functions1 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.20.0
 !
 address-family ipv4 vrf functions2 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.21.0
 !
 address-family ipv4 vrf functions3 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.22.0
 !
 address-family ipv4 vrf functions4 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.23.0
_______________________________________________________
hostname r4
!
router eigrp 1
 address-family ipv4 vrf functions1 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.30.0
 !
 address-family ipv4 vrf functions2 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.31.0
 !
 address-family ipv4 vrf functions3 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.32.0
 !
 address-family ipv4 vrf functions4 autonomous-system 1
  no auto-summary
  network 10.0.0.0
  network 192.168.33.0

Now I just need to create some interfaces in the VRFs. Because I'm using GNS3, I'd be doing this with routed physical interfaces, which means I need a physical link per VRF. In a real deployment I'd be configuring the routing with VLANs.

hostname r1
!
int lo0
 vrf forwarding functions1
 ip address 192.168.0.1 255.255.255.0
!
int lo1
 vrf forwarding functions2
 ip address 192.168.1.1 255.255.255.0
!
int lo2
 vrf forwarding functions3
 ip address 192.168.2.1 255.255.255.0
!
int lo3
 vrf forwarding functions4
 ip address 192.168.3.1 255.255.255.0
!
interface e1/0
 switchport mode trunk
 switchport trunk allowed vlan 10-13
 no shut
!
interface e1/1
 switchport mode trunk
 switchport trunk allowed vlan 14-17
 no shut
!
vlan 10-17
!
int vlan 10
 vrf forwarding functions1
 description link-R2
 ip address 10.0.0.1 255.255.255.252
!
int vlan 11
 vrf forwarding functions2
 description link-R2
 ip address 10.0.1.1 255.255.255.252
!
int vlan 12
 vrf forwarding functions3
 description link-R2
 ip address 10.0.2.1 255.255.255.252
!
int vlan 13
 vrf forwarding functions4
 description link-R2
 ip address 10.0.3.1 255.255.255.252
!
int vlan 14
 vrf forwarding functions1
 description link-R3
 ip address 10.0.0.5 255.255.255.252
!
int vlan 15
 vrf forwarding functions2
 description link-R3
 ip address 10.0.1.5 255.255.255.252
!
int vlan 16
 vrf forwarding functions3
 description link-R3
 ip address 10.0.2.5 255.255.255.252
!
int vlan 17
 vrf forwarding functions4
 description link-R3
 ip address 10.0.3.5 255.255.255.252
___________________________________________
hostname r2
!
int lo0
 vrf forwarding functions1
 ip address 192.168.10.1 255.255.255.0
!
int lo1
 vrf forwarding functions2
 ip address 192.168.11.1 255.255.255.0
!
int lo2
 vrf forwarding functions3
 ip address 192.168.12.1 255.255.255.0
!
int lo3
 vrf forwarding functions4
 ip address 192.168.13.1 255.255.255.0
!
interface e1/0
 switchport mode trunk
 switchport trunk allowed vlan 10-13
 no shut
!
interface e1/1
 switchport mode trunk
 switchport trunk allowed vlan 18-21
 no shut
!
vlan 10-13,18-21
!
int vlan 10
 vrf forwarding functions1
 description link-R1
 ip address 10.0.0.2 255.255.255.252
!
int vlan 11
 vrf forwarding functions2
 description link-R1
 ip address 10.0.1.2 255.255.255.252
!
int vlan 12
 vrf forwarding functions3
 description link-R1
 ip address 10.0.2.2 255.255.255.252
!
int vlan 13
 vrf forwarding functions4
 description link-R1
 ip address 10.0.3.2 255.255.255.252
!
int vlan 18
 vrf forwarding functions1
 description link-R4
 ip address 10.0.0.9 255.255.255.252
!
int vlan 19
 vrf forwarding functions2
 description link-R4
 ip address 10.0.1.9 255.255.255.252
!
int vlan 20
 vrf forwarding functions3
 description link-R4
 ip address 10.0.2.9 255.255.255.252
!
int vlan 21
 vrf forwarding functions4
 description link-R4
 ip address 10.0.3.9 255.255.255.252
___________________________________________
hostname r3
!
int lo0
 vrf forwarding functions1
 ip address 192.168.20.1 255.255.255.0
!
int lo1
 vrf forwarding functions2
 ip address 192.168.21.1 255.255.255.0
!
int lo2
 vrf forwarding functions3
 ip address 192.168.22.1 255.255.255.0
!
int lo3
 vrf forwarding functions4
 ip address 192.168.23.1 255.255.255.0
!
interface e1/1
 switchport mode trunk
 switchport trunk allowed vlan 14-17
 no shut
!
interface e1/0
 switchport mode trunk
 switchport trunk allowed vlan 22-25
 no shut
!
vlan 14-17,22-25
!
int vlan 14
 vrf forwarding functions1
 description link-R1
 ip address 10.0.0.6 255.255.255.252
!
int vlan 15
 vrf forwarding functions2
 description link-R1
 ip address 10.0.1.6 255.255.255.252
!
int vlan 16
 vrf forwarding functions3
 description link-R1
 ip address 10.0.2.6 255.255.255.252
!
int vlan 17
 vrf forwarding functions4
 description link-R1
 ip address 10.0.3.6 255.255.255.252
!
int vlan 22
 vrf forwarding functions1
 description link-R4
 ip address 10.0.0.13 255.255.255.252
!
int vlan 23
 vrf forwarding functions2
 description link-R4
 ip address 10.0.1.13 255.255.255.252
!
int vlan 24
 vrf forwarding functions3
 description link-R4
 ip address 10.0.2.13 255.255.255.252
!
int vlan 25
 vrf forwarding functions4
 description link-R4
 ip address 10.0.3.13 255.255.255.252
___________________________________________
hostname r4
!
int lo0
 vrf forwarding functions1
 ip address 192.168.30.1 255.255.255.0
!
int lo1
 vrf forwarding functions2
 ip address 192.168.31.1 255.255.255.0
!
int lo2
 vrf forwarding functions3
 ip address 192.168.32.1 255.255.255.0
!
int lo3
 vrf forwarding functions4
 ip address 192.168.33.1 255.255.255.0
!
interface e1/1
 switchport mode trunk
 switchport trunk allowed vlan 18-21
 no shut
!
interface e1/0
 switchport mode trunk
 switchport trunk allowed vlan 22-25
 no shut
!
vlan 18-25
!
int vlan 18
 vrf forwarding functions1
 description link-R2
 ip address 10.0.0.10 255.255.255.252
!
int vlan 19
 vrf forwarding functions2
 description link-R2
 ip address 10.0.1.10 255.255.255.252
!
int vlan 20
 vrf forwarding functions3
 description link-R2
 ip address 10.0.2.10 255.255.255.252
!
int vlan 21
 vrf forwarding functions4
 description link-R2
 ip address 10.0.3.10 255.255.255.252
!
int vlan 22
 vrf forwarding functions1
 description link-R3
 ip address 10.0.0.14 255.255.255.252
!
int vlan 23
 vrf forwarding functions2
 description link-R3
 ip address 10.0.1.14 255.255.255.252
!
int vlan 24
 vrf forwarding functions3
 description link-R3
 ip address 10.0.2.14 255.255.255.252
!
int vlan 25
 vrf forwarding functions4
 description link-R3
 ip address 10.0.3.14 255.255.255.252

16 routed interfaces, 4 links with 4 VRFs on each. That's going to be a lot of configuration really fast, and it's hard to keep track of. MPLS L3 VPN scales better because I only need one routed link between each pair of routers, no matter the number of VRFs. One routed link for the BGP neighborship and that's it. MP-BGP carries the VRF information in the MPLS VPN function. A scenario for this will have to wait for the next post.
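With this many hand-typed interface and EIGRP stanzas, a prefix can silently end up in the wrong routing table: a loopback under the wrong vrf forwarding, a network statement under the wrong address-family, or an addressed interface with no VRF at all, which lands in the global table. The check below is an added example, not part of the original post or of IOS: it parses the interface and EIGRP parts of an IOS config and reports each of those three mismatches. The config fragment is constructed for the example (lo2 is placed in functions2 while its prefix is advertised under functions3), the function names are mine, and network statements without a wildcard mask are treated as classful.

```python
import ipaddress

# Constructed fragment: lo2 sits in functions2 while 192.168.2.0 is advertised under functions3,
# and lo9 has no vrf forwarding at all.
SAMPLE = """\
 address-family ipv4 vrf functions2
  network 192.168.1.0
 address-family ipv4 vrf functions3
  network 192.168.2.0
int lo1
 vrf forwarding functions2
 ip address 192.168.1.1 255.255.255.0
int lo2
 vrf forwarding functions2
 ip address 192.168.2.1 255.255.255.0
int lo9
 ip address 172.16.9.1 255.255.255.0
"""

def parse_ios(text):
    # Returns {interface: (vrf or None, IPv4Interface)} and {vrf: [networks EIGRP advertises]}
    ifaces, eigrp, cur_if, cur_vrf, cur_af = {}, {}, None, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] in ("interface", "int"):
            cur_if, cur_vrf, cur_af = " ".join(tok[1:]), None, None
        elif tok[:2] == ["vrf", "forwarding"] and cur_if:
            cur_vrf = tok[2]
        elif tok[:2] == ["ip", "address"] and cur_if:
            ifaces[cur_if] = (cur_vrf, ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}"))
        elif tok[0] == "address-family" and "vrf" in tok:
            eigrp.setdefault(cur_af := tok[tok.index("vrf") + 1], [])
        elif tok[0] == "network" and cur_af:  # no wildcard given: classful /8, /16 or /24
            first = int(tok[1].split(".")[0])
            plen = 8 if first < 128 else 16 if first < 192 else 24
            eigrp[cur_af].append(ipaddress.IPv4Network(f"{tok[1]}/{plen}", strict=False))
    return ifaces, eigrp

def audit(text):
    # Every finding is a prefix that ends up in a routing table other than the intended VRF.
    out, (ifaces, eigrp) = [], parse_ios(text)
    for name, (vrf, addr) in ifaces.items():
        if vrf is None:
            out.append(f"{name}: no vrf forwarding, {addr} lands in the global table")
        elif not any(addr.ip in n for n in eigrp.get(vrf, [])):
            out.append(f"{name}: {addr.network} is in {vrf} but EIGRP {vrf} does not advertise it")
    for vrf, nets in eigrp.items():
        out += [f"eigrp {vrf}: network {n} matches no interface in {vrf}" for n in nets
                if not any(v == vrf and a.ip in n for v, a in ifaces.values())]
    return out
```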

Something to get used to when working with VRFs is remembering to prepend or append vrf name to a lot of commands: show ip route vrf name, ping vrf name 10.1.1.1 and so on.

Note 1: When a VRF is removed with no vrf definition name, all interfaces and every other piece of configuration that was part of that VRF are removed. I can't say this is true for every OS, but for IOS 15 it is.

I think that covers the fundamental part of VRF lite. For MPLS L3 VPN I will be using OSPF instead of EIGRP, due to the MPLS features that a link-state protocol provides.