EIGRP over VRF-lite

At first glance VRFs are slightly confusing, since they do not show up directly in the routing table: running show ip route on a Cisco router or switch will not display the VRF routes. VRFs are great because you can have multiple routing tables and overlapping subnets. The idea is to create virtual routing tables that segregate Layer 3 addressing from one another, much as VLANs do at Layer 2. They are heavily used in service provider environments, since having multiple routing tables in one router saves space and money by not having to purchase more equipment.

In this brief demonstration I will show how to set up what is called VRF-Lite (a fancy name for VRF without MPLS) and then configure EIGRP to pass routes from each one of the virtual instances.

My lab is the following:
- 3550 switch
- 3560 switch
- 3640 router
- 1841 router

The very first thing we will want to do is create the VRFs and a route distinguisher (RD) per VRF. The purpose of the RD is tied to the reason we can have overlapping subnets across VRFs.

I will be using the following subnets:
test1 -> 192.168.1.0/24
test2 -> 192.168.2.0/24
test3 -> 192.168.3.0/24
test4 -> 192.168.4.0/24

If I wanted to, I could create another subnet in test2 and give it the same subnet as test1. Each time a packet goes from switch 1 to switch 2, it will append a route distinguisher to tell the neighboring device it belongs to VRF test1.

First and foremost, add the VRFs. Under each VRF you will add an RD written as either autonomous-system:number or IP-address:number.

3550swouter

ip vrf test1
rd 65001:1
!
ip vrf test2
rd 65001:2
!
ip vrf test3
rd 65001:3
!
ip vrf test4
rd 65001:4

Next, add the interfaces. Keep in mind that when adding VRFs you will want to apply the VRF on the interface before putting in the IP address. If an interface already has an IP address, it will be removed once the VRF is applied, so make sure you start with a clean interface with no configuration.

interface Vlan1
ip vrf forwarding test1
ip address 192.168.1.3 255.255.255.0
!
interface Vlan2
ip vrf forwarding test2
ip address 192.168.2.3 255.255.255.0
!
interface Vlan3
ip vrf forwarding test3
ip address 192.168.3.3 255.255.255.0
!
interface Vlan4
ip vrf forwarding test4
ip address 192.168.4.3 255.255.255.0
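
The ordering rule above can be checked before a config is pasted into a device. The following is an added example, not part of the original post: a small Python lint over a constructed candidate config that flags an address typed before its VRF line and an addressed interface with no VRF at all. The function name and the Vlan9 interface are made up for illustration.

```python
import re

# Constructed candidate config (not from the page): Vlan2 lists the address
# before the VRF line, and Vlan9 has an address but no VRF at all.
CANDIDATE = """\
interface Vlan1
 ip vrf forwarding test1
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.3 255.255.255.0
 ip vrf forwarding test2
!
interface Vlan9
 ip address 192.168.9.3 255.255.255.0
"""

def lint_interfaces(config):
    """Return {interface: finding} for stanzas that need review before pasting."""
    findings, iface, seen_addr, seen_vrf = {}, None, False, False

    def close():
        # An addressed interface with no VRF line lands in the global table.
        if iface and seen_addr and not seen_vrf:
            findings[iface] = "no VRF: address goes in the global routing table"

    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            close()
            iface, seen_addr, seen_vrf = m.group(1), False, False
        elif iface and line.startswith("ip vrf forwarding "):
            seen_vrf = True
            if seen_addr:  # applying the VRF strips the address typed above it
                findings[iface] = "ip address before ip vrf forwarding: address is removed"
        elif iface and line.startswith("ip address "):
            seen_addr = True
    close()
    return findings

if __name__ == "__main__":
    for name, finding in lint_interfaces(CANDIDATE).items():
        print(f"{name}: {finding}")
```

An interface left in the global table may be intentional, so treat that finding as a prompt to confirm rather than an error.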

Over on R1, add the VRFs and RDs.

R1

ip vrf test1
rd 65001:1
!
ip vrf test2
rd 65001:2
!
ip vrf test3
rd 65001:3
!
ip vrf test4
rd 65001:4

Since R1 has only one interface, I had to split it into subinterfaces. This is common in a service provider environment, where a VRF normally goes through a subinterface on a tagged VLAN.

interface FastEthernet1/0.1
encapsulation dot1Q 1 native
ip vrf forwarding test1
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip vrf forwarding test2
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet1/0.3
encapsulation dot1Q 3
ip vrf forwarding test3
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet1/0.4
encapsulation dot1Q 4
ip vrf forwarding test4
ip address 192.168.4.1 255.255.255.0

On R2 it is the same, with tagged traffic.

R2

ip vrf test1
rd 65001:1
!
ip vrf test2
rd 65001:2
!
ip vrf test3
rd 65001:3
!
ip vrf test4
rd 65001:4

interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding test1
ip address 192.168.1.2 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip vrf forwarding test2
ip address 192.168.2.2 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip vrf forwarding test3
ip address 192.168.3.2 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip vrf forwarding test4
ip address 192.168.4.2 255.255.255.0
no snmp trap link-status

Now for the real test: without any routing protocols or routes, everything under VRF test1 should be able to ping each other.

R1#ping vrf test1 ip 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

With this syntax we have to specify the VRF. There are some really neat commands that allow a user to ping from one VRF to another. Another useful command is the telnet command.

R2#telnet 1.1.1.1 /vrf test1

Now, adding an IGP gets a bit tricky. I decided to use EIGRP since OSPF is a very easy configuration when it comes to VRFs. I think EIGRP is a little better for VRFs because of the flexibility you have in being able to summarize at any point.

Here is the configuration on a 3550, which is the same as on R1 and R2.

3550swouter(config)#router eigrp 1
3550swouter(config-router)#no auto-summary
3550swouter(config-router)#address-family ipv4 vrf test1
3550swouter(config-router-af)#network 192.168.1.0 0.0.0.255
3550swouter(config-router-af)#network 0.0.0.0
3550swouter(config-router-af)#autonomous-system 10
3550swouter(config-router)#address-family ipv4 vrf test2
3550swouter(config-router-af)#network 192.168.2.0 0.0.0.255
3550swouter(config-router-af)#network 0.0.0.0
3550swouter(config-router-af)#autonomous-system 20
3550swouter(config-router-af)#exit
3550swouter(config-router)#address-family ipv4 vrf test3
3550swouter(config-router-af)#network 192.168.3.0 0.0.0.255
3550swouter(config-router-af)#autonomous-system 30
3550swouter(config-router-af)#exit

The syntax is different on the 3560s:
3650swouter(config-router)#address-family ipv4 vrf test1 autonomous-system 10
3650swouter(config-router-af)#network 0.0.0.0

Verifying we have EIGRP connectivity:

3550swouter#sh ip protocol vrf test1
*** IP Routing is NSF aware ***

Routing Protocol is "eigrp 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
Redistributing: eigrp 10

Address Family Protocol EIGRP-IPv4:(10)
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
EIGRP NSF-aware route hold timer is 240
Topologies : 0(base)

Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
192.168.1.0
0.0.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: internal 90 external 170

R2#sh ip route vrf test1

Routing Table: test1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D 1.0.0.0/8 [90/156160] via 192.168.1.1, 00:02:52, FastEthernet0/0.1
C 192.168.1.0/24 is directly connected, FastEthernet0/0.1

R2#sh ip eigrp vrf test1 neighbors
IP-EIGRP neighbors for process 10
H   Address         Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                (sec)           (ms)         Cnt  Num
1   192.168.1.1     Fa0/0.1     14    00:03:16  432    2592  0    3
0   192.168.1.3     Fa0/0.1     14    00:03:20  8      200   0    11
R2#

I will now set up what is called MBGP within one iBGP AS between the two switches. This will allow the two switches to have all the routes and VRFs, so they can easily route even from the outside world if needed.

router bgp 65001
no synchronization
bgp log-neighbor-changes
neighbor 192.168.5.2 remote-as 65001
no auto-summary
!
address-family ipv4 vrf test4
redistribute eigrp 40
no synchronization
exit-address-family
!
address-family ipv4 vrf test2
redistribute eigrp 20
no synchronization
exit-address-family
!
address-family ipv4 vrf test1
redistribute eigrp 10
no synchronization
exit-address-family

Next we will use what are called route targets, for the case where we want test1 to talk to test2 and vice versa. I will take that exact example.

ip vrf test1
rd 65001:1
route-target export 65001:11
!
ip vrf test2
rd 65001:2
route-target export 65001:22
!
ip vrf test3
rd 65001:3
route-target export 65001:33
!
ip vrf test4
rd 65001:4
route-target export 65001:44

What happens here is that test1 has the 192.168.1.0/24 network and exports it; the same goes for all the other VRFs. So if I want to import the 192.168.1.0 network into the VRF holding the 192.168.2.0 network, all I have to do is import it there. Here is what that VRF currently looks like:

3650swouter#sh ip route vrf test2

Routing Table: test2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D 2.0.0.0/8 [90/130816] via 192.168.2.2, 01:00:12, Vlan2
C 192.168.2.0/24 is directly connected, Vlan2

I go ahead and import routes from test1.

ip vrf test2
rd 65001:2
route-target export 65001:22
route-target import 65001:11

3650swouter#sh ip route vrf test2

Routing Table: test2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B 1.0.0.0/8 [20/130816] via 192.168.1.1 (test1), 00:00:01, Vlan1
D 2.0.0.0/8 [90/130816] via 192.168.2.2, 01:01:00, Vlan2
B 192.168.1.0/24 is directly connected, 00:00:01, Vlan1
C 192.168.2.0/24 is directly connected, Vlan2
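
Every route-target import opens a path through the separation between VRFs, so it is worth seeing which way routes can cross. The sketch below is an added example, not part of the original post: it parses the ip vrf stanzas as they stand after the import above and lists which VRF leaks into which. The function names are made up for illustration.

```python
import re

# VRF definitions as shown on the page after test2 imports 65001:11.
CONFIG = """\
ip vrf test1
 rd 65001:1
 route-target export 65001:11
!
ip vrf test2
 rd 65001:2
 route-target export 65001:22
 route-target import 65001:11
!
ip vrf test3
 rd 65001:3
 route-target export 65001:33
!
ip vrf test4
 rd 65001:4
 route-target export 65001:44
"""

def parse_vrfs(config):
    """Return {vrf: {"export": set, "import": set}} from 'ip vrf <name>' stanzas."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        start = re.fullmatch(r"ip vrf (\S+)", line)  # not 'ip vrf forwarding X'
        rt = re.fullmatch(r"route-target (export|import|both) (\S+)", line)
        if start:
            current = start.group(1)
            vrfs.setdefault(current, {"export": set(), "import": set()})
        elif rt and current:
            kinds = ("export", "import") if rt.group(1) == "both" else (rt.group(1),)
            for kind in kinds:
                vrfs[current][kind].add(rt.group(2))
    return vrfs

def leaks(vrfs):
    """Sorted (source, destination) pairs: destination imports an RT that source exports."""
    return sorted((s, d) for s in vrfs for d in vrfs
                  if s != d and vrfs[s]["export"] & vrfs[d]["import"])

def one_way(pairs):
    """Leaks with no reverse path, i.e. routes cross in one direction only."""
    return [(s, d) for s, d in pairs if (d, s) not in pairs]

if __name__ == "__main__":
    print(leaks(parse_vrfs(CONFIG)))
```

On the configuration shown it reports only test1 into test2, with no reverse path; test1 would need its own route-target import 65001:22 before it learns test2's routes.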

Alright, my brain hurts.
