Routing

About VRF (Virtual Routing and Forwarding)

About VRF

VRF stands for Virtual Routing and Forwarding. It creates virtual routers inside a physical router (or L3 switch), each holding its own separate routing table.

Just as a VLAN creates virtual switches inside a physical switch in the L2 world and can be thought of as an L2 virtualization technology, VRF creates virtual routers inside a physical router (or core switch) in the L3 world and can be thought of as an L3 virtualization technology.

In server terms, it is similar to creating hypervisor-based virtual servers on a physical server (for example with Red Hat KVM or Windows Hyper-V).

Configuring VRF

To configure VRF, first create a "VRF instance" on the router. This is the virtual router. To create a VRF instance named TestVRF1, a "Route Distinguisher (RD)" is required as an identifier of the VRF in addition to the name. In the ASN:number form the RD is set as [0-65535]:[0-4294967295]. In the example below it is set to RD = 10:10.

(config)# ip vrf TestVRF1
(config-vrf)# rd 10:10

This creates one virtual router. However, in this state it has no interfaces, so it cannot do anything yet.

Next, assign the VRF instance you just created to L3 interfaces. These can be physical interfaces, sub-interfaces, or VLAN interfaces (SVIs) on an L3 switch: any interface on which an IP address can be set. Note that on Cisco IOS, applying ip vrf forwarding to an interface removes any IP address already configured on it, so assign the VRF first and then the address, as below.

(config)# interface gi 1/0
(config-if)# ip vrf forwarding TestVRF1
(config-if)# ip address 10.100.100.1 255.255.255.0
(config)# interface gi 1/1
(config-if)# ip vrf forwarding TestVRF1
(config-if)# ip address 10.100.200.1 255.255.255.0

With this configuration, interfaces gi1/0 and gi1/1 are recognized as connected interfaces of the virtual router "TestVRF1".

These interfaces are then no longer visible from the physical router (called the global instance), and 10.100.100.0/24 no longer appears in the routing table of the global instance (the global routing table).

From this you can see that IP addresses may be duplicated between instances.

However, routing between instances can also be configured, and duplicated IP addresses then make the design confusing, so be careful. A route inside the VRF itself is written as follows.

[Adding a static route inside the VRF]

(config)# ip route vrf TestVRF1 192.168.0.0 255.255.0.0 10.100.100.2

Routes between instances are written as follows.

[Adding a route from the TestVRF1 instance to the global instance]

(config)# ip route vrf TestVRF1 192.168.0.0 255.255.0.0 gi 0/0 10.1.1.254

※ gi 0/0 is an interface belonging to the global instance; its IP address is assumed to be assigned from the 10.1.1.0/24 range.

[Adding a route from the global instance to the TestVRF1 instance]

(config)# ip route 192.168.0.0 255.255.0.0 gi 1/0 10.100.100.254

In this form you must write both the outgoing interface and the next-hop IP address: the next hop is resolved in the VRF that the named interface belongs to, and that is what carries the route across instances (on IOS, a route from a VRF into the global table can also use the keyword global after the next-hop address instead of naming a global interface). Each such route is a deliberate hole in the separation between instances, so when the VRF split is what keeps traffic on a firewall path, every inter-instance static route should be reviewed.
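The following script is an added example for this article, not code from the original page or from any vendor tool. It parses the IOS command forms used above (ip vrf, ip vrf forwarding, ip route and ip route vrf, plus the newer vrf definition / vrf forwarding spelling) and reports the two things a reviewer looks for after reading this section: connected prefixes that are duplicated between VRFs, and static routes whose next hop is resolved in a different VRF than the route itself, which are exactly the inter-instance routes shown above. The sample configuration is constructed from the article's commands; the global-instance interface GigabitEthernet0/0, the SVI Vlan100 and the two extra static routes are assumptions made for the example.

```python
"""Audit a Cisco IOS config for breaks in VRF isolation.

Added example for this article, not code from the page or any vendor tool.
It parses only the command forms used above (plus ``vrf definition`` /
``vrf forwarding``) and reports (1) connected prefixes that overlap between
VRFs and (2) static routes whose next hop is resolved in another VRF, i.e.
the inter-instance routes that reopen a path the VRF split closed.
"""
import ipaddress
from collections import defaultdict

GLOBAL = "global"  # label used here for the global (non-VRF) instance

# Constructed sample: the article's TestVRF1 plus assumed Gi0/0, Vlan100 and routes.
SAMPLE_CONFIG = """\
ip vrf TestVRF1
 rd 10:10
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/0
 ip vrf forwarding TestVRF1
 ip address 10.100.100.1 255.255.255.0
!
interface Vlan100
 ip address 10.100.100.1 255.255.255.0
!
ip route vrf TestVRF1 192.168.0.0 255.255.0.0 10.100.100.2
ip route vrf TestVRF1 172.16.0.0 255.240.0.0 GigabitEthernet0/0 10.1.1.254
ip route 192.168.0.0 255.255.0.0 GigabitEthernet1/0 10.100.100.254
ip route vrf TestVRF1 0.0.0.0 0.0.0.0 10.1.1.254 global
"""

def parse_static_route(tokens):
    """Tail of ``ip route [vrf NAME] PREFIX MASK [INTF] [NEXTHOP] [global] ...``."""
    vrf = GLOBAL
    if tokens[0] == "vrf":
        vrf, tokens = tokens[1], tokens[2:]
    prefix = ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}")
    rest, out_if, next_hop = tokens[2:], None, None
    if rest and rest[0][0].isalpha() and rest[0] != "global":
        out_if, rest = rest[0], rest[1:]    # outgoing interface, if given, comes first
    if rest and rest[0].count(".") == 3:
        next_hop, rest = rest[0], rest[1:]  # then the next-hop address
    return {"vrf": vrf, "prefix": prefix, "out_if": out_if,
            "next_hop": next_hop, "global": "global" in rest}

def parse_config(text):
    """Return (interfaces, routes); interfaces maps name -> {"vrf", "network"}."""
    interfaces, routes, current = {}, [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        if line.startswith(" "):  # sub-command of the current interface block
            if current is not None:
                if tokens[:3] == ["ip", "vrf", "forwarding"] or tokens[:2] == ["vrf", "forwarding"]:
                    interfaces[current]["vrf"] = tokens[-1]
                elif tokens[:2] == ["ip", "address"] and len(tokens) >= 4:
                    interfaces[current]["network"] = ipaddress.IPv4Interface(
                        f"{tokens[2]}/{tokens[3]}").network
            continue
        current = None
        if tokens[0] == "interface":  # every interface is global until told otherwise
            current = tokens[1]
            interfaces[current] = {"vrf": GLOBAL, "network": None}
        elif tokens[:2] == ["ip", "route"]:
            routes.append(parse_static_route(tokens[2:]))
    return interfaces, routes

def overlapping_connected(interfaces):
    """Connected prefixes that appear in more than one VRF (legal, but confusing)."""
    by_vrf = defaultdict(set)
    for info in interfaces.values():
        if info["network"] is not None:
            by_vrf[info["vrf"]].add(info["network"])
    names = sorted(by_vrf)
    return sorted((a, str(na), b, str(nb))
                  for i, a in enumerate(names) for b in names[i + 1:]
                  for na in by_vrf[a] for nb in by_vrf[b] if na.overlaps(nb))

def route_leaks(interfaces, routes):
    """Static routes whose next hop is resolved in a VRF other than their own."""
    leaks = []
    for r in routes:
        if r["global"]:                       # 'global' keyword: next hop in global table
            target = GLOBAL
        elif r["out_if"] is not None:         # next hop resolved in the interface's VRF
            target = interfaces.get(r["out_if"], {}).get("vrf")  # None: unknown interface
        else:
            continue                          # bare next hop: stays inside the route's VRF
        if target != r["vrf"]:
            leaks.append({"from": r["vrf"], "to": target, "prefix": str(r["prefix"]),
                          "via": r["out_if"] or "global", "next_hop": r["next_hop"]})
    return leaks

def audit(text):
    interfaces, routes = parse_config(text)
    return {"overlaps": overlapping_connected(interfaces),
            "leaks": route_leaks(interfaces, routes)}

if __name__ == "__main__":
    for key, items in audit(SAMPLE_CONFIG).items():
        print(key, *items, sep="\n  ")
```

Run against the sample, the audit flags the 10.100.100.0/24 prefix present in both TestVRF1 and the global instance, and three inter-instance routes: 172.16.0.0/12 leaving TestVRF1 via the global interface, 192.168.0.0/16 leaving the global table via gi1/0, and the default route of TestVRF1 pointing at the global table. The route 192.168.0.0/16 via 10.100.100.2 is not flagged because its next hop is resolved within TestVRF1. Feed it the output of show running-config; interface names appear there in their expanded form, which is what the route parser matches.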

Best practices and uses of VRF

Firewalls are convenient, but they are expensive, so you do not want to place them everywhere. It is therefore important to design the logical topology flexibly using VRF.

Connect the core switch to the firewall and divide the VLANs on the core switch into VRFs; traffic can then be separated into paths that pass through the firewall and paths that do not. The same can be achieved with PBR, but a VRF design is simpler and easier to manage. Since the separation between the firewall path and the bypass path is then enforced only by the routing tables, the inter-instance static routes are the configuration to audit.

At the same time, this can be combined with redundancy through stacking and link aggregation.

Stack the L3 switches (convergence), separate them by VRF (divergence), bundle the links with link aggregation (convergence), then separate them by VLAN (divergence). Repeating this pattern of convergence and divergence increases both flexibility and reliability.

VRF constraints

Even though it is called a virtual router, a VRF only separates the interfaces and the routing table from the others; some resources are still managed across the whole router. Which settings are per-VRF and which are router-wide depends on the implementation. On Cisco devices, for example, routing processes are managed across the whole router (in that respect a VRF is very different from a virtual server).

So OSPF process IDs must not be duplicated anywhere on the router. Likewise, router IDs for OSPF and similar protocols cannot overlap.

In addition, most devices seem to implement the rule "duplicate IP addresses between VRFs are OK, but overlapping VLAN IDs are not". Strictly speaking, what cannot be duplicated is the VLAN interface (SVI) rather than the VLAN ID: since VRF configuration declares "which VRF this physical or logical interface belongs to", a VLAN (logical) interface cannot be shared between VRFs.

VRF in MPLS-VPN

VRF is also an important component of MPLS-VPN, where it is used in a special way that differs from the usage described above.

For more information, please refer to this page.
