
VRF-Lite

Route-Distinguisher (not sent to other routers, locally significant)
By adding a unique route-distinguisher to each advertisement, and by adding that route-distinguisher to the start of the prefix, two VRFs can advertise the same prefix, and the receiving routers don’t override one prefix with the other. For example, instead of advertising just 192.168.10.0/24, a router might instead advertise something like “64512:900:192.168.10.0/24”. In this example, “64512:900” might be the route-distinguisher assigned to a particular customer. 

What the route distinguisher does NOT do is tell the receiving router which VRF the prefix is a part of. That is exclusively the job of the route target.

Route Target (sent to other routers)

vrf CustA
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
 
vrf CustB
 rd 65000:20
 route-target export 65000:20 = takes all routes in VRF and adds the customer tag to them
 route-target import 65000:10 = received routes imported to correct VRF (incoming routes with tag 65000:10 imported to vrf CustB)
 route-target import 65000:20

-----------------------------

- auto-summary (BGP)
 - if enabled: BGP automatically summarizes routes to classful network boundaries
 - route summarization is used to reduce the amount of routing information in routing tables
 - Automatic summarization applies to connected, static, and redistributed routes.
 - By default, automatic summarization is disabled and BGP accepts subnets redistributed from IGP
 - To advertise and carry subnet routes in BGP when auto-summary is enabled, use an explicit network command to advertise the subnet.
 - does not apply to routes injected into BGP via the network command or through iBGP or eBGP.

 - no synchronization   -- synchronization is an old loop-prevention mechanism that is no longer used.
   The synchronization logic is: do not consider an iBGP route in the BGP table best unless the exact prefix was also learned via an IGP and is currently in the routing table.

 - bgp redistribute-internal   -- iBGP routes are not passed to an IGP by the 'redistribute' command on its own; this command must be used as well

VPN Routing/Forwarding instance information
Shows a summary of all VRFs present on the current router and their associated route-distinguishers and interface(s).
R7609# show ip vrf
  Name                             Default RD          Interfaces
  DNS                              9999:853            Po11.851
                                                       Po12.852
                                                       Vl853
  INTERNET                         9999:100            Po11.374
                                                       Po12.373
                                                       Vl224


https://learningnetwork.cisco.com/thread/97007
route-target export 1:1
route-target import 1:1
SITE1-vrfA  1:1:192.168.1.0/24      SP      SITE-3-vrfB  2:2:10.10.10.0/24
SITE2-vrfB  2:2:192.168.1.0/24            SITE-4-vrfA   1:1:172.16.1.0/24
Site 1 originates prefix 1:1:192.168.1.0/24
That prefix is sent (exported) with a RT (tag) of 1:1.
Site 4 is configured to install (import) all prefixes with a RT (tag) of 1:1
As the prefix 1:1:192.168.1.0/24 is sent across the SP network it carries the RT value with it.
Once the update arrives at Site-4, the router at Site-4 should install that prefix in the routing table.


A VRF is a Virtual Routing and Forwarding table.

VRF-lite is normally VRF without MPLS.

VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but a Layer 3 interface cannot belong to more than one VRF at any time.
VRF 'UP' and 'DOWN' are configured on ISP router

Initial configuration
UP-LEFT and UP-RIGHT will use EIGRP 1
DOWN-LEFT and DOWN-RIGHT will use OSPF 1
"ISP" router will use VRFs to separate RIBs for UP and DOWN networks.

UP-LEFT
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
!
router eigrp 1
 network 1.0.0.0
 network 10.0.0.0
 no auto-summary
 eigrp router-id 1.1.1.1
!
UP-RIGHT
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.2.2 255.255.255.0
!
router eigrp 1
 network 2.0.0.0
 network 10.0.0.0
 no auto-summary
 eigrp router-id 2.2.2.2
!
DOWN-LEFT
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.3.2 255.255.255.0
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.0 0.0.0.255 area 0
 network 10.0.0.0 0.255.255.255 area 0
!
DOWN-RIGHT
!
interface Loopback1
 ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.4.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.0 0.0.0.255 area 0
 network 10.0.0.0 0.255.255.255 area 0
!

ISP
1) Create and define VRFs
 - VRF name and RD are locally significant.

BGP/MPLS IP VPNs  - http://tools.ietf.org/html/rfc4364

Route Distinguisher
 - A RD is the most basic requirement to activate the VRF and create the VRF tables.
 - Route Distinguisher (RD) - is simply a number, and it does not contain any inherent information; it does not identify the origin of the route or the set of VPNs to which the route is to be distributed.
 - A VPN-IPv4 address is a 12-byte quantity, beginning with an 8-byte (64-bit) Route Distinguisher (RD) and ending with a 4-byte (32-bit) IPv4 address.
 - An RD is prepended to an IPv4 address, which turns a non-unique IPv4 prefix into a unique 96-bit VPNv4 prefix.
ISP(config-vrf)#rd ?
  ASN:nn or IP-address:nn  VPN Route Distinguisher
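
Added example (not part of the original notes): a Python sketch of the 12-byte VPN-IPv4 encoding described above, using the RD layouts of RFC 4364 (a 2-byte type field followed by ASN:nn or IP-address:nn). The function names are illustrative, and the two constructed routes reuse the overlapping 192.168.1.0/24 sites from the thread quoted earlier on this page.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode 'ASN:nn' or 'IP-address:nn' as the 8-byte RD defined in RFC 4364."""
    admin, _, assigned = rd.rpartition(":")
    number = int(assigned)
    if "." in admin:   # type 1: 4-byte IPv4 administrator, 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    asn = int(admin)
    if asn > 0xFFFF:   # type 2: 4-byte ASN, 2-byte number
        return struct.pack("!HIH", 2, asn, number)
    return struct.pack("!HHI", 0, asn, number)   # type 0: 2-byte ASN, 4-byte number

def decode_rd(raw: bytes) -> str:
    """Inverse of encode_rd; rejects unknown RD types."""
    (rd_type,) = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        admin, number = struct.unpack("!HI", raw[2:8])
    elif rd_type == 1:
        packed, number = struct.unpack("!4sH", raw[2:8])
        admin = ipaddress.IPv4Address(packed)
    elif rd_type == 2:
        admin, number = struct.unpack("!IH", raw[2:8])
    else:
        raise ValueError(f"unknown RD type {rd_type}")
    return f"{admin}:{number}"

def vpnv4_key(rd: str, prefix: str) -> tuple:
    """(12-byte VPN-IPv4 address, prefix length) used as the table key."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen

def build_table(routes):
    """Install (rd, prefix, origin) routes keyed by VPN-IPv4 address."""
    return {vpnv4_key(rd, prefix): origin for rd, prefix, origin in routes}

# Constructed sample: the two overlapping sites from the thread quoted on this page.
ROUTES = [("1:1", "192.168.1.0/24", "SITE1-vrfA"),
          ("2:2", "192.168.1.0/24", "SITE2-vrfB")]

if __name__ == "__main__":
    for (addr, plen), origin in build_table(ROUTES).items():
        print(addr.hex(), f"/{plen}", decode_rd(addr[:8]), origin)
    # Keyed by the bare IPv4 prefix, the second route would replace the first.
    print(len({prefix: origin for _, prefix, origin in ROUTES}))
```

Both routes survive in the table because their keys differ in the first 8 bytes; the RD separates the prefixes but says nothing about which VRF imports them.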

Route Target
 - What counts is what you import and export. Importing and exporting route targets use the same syntax as the RD and it is ASN:NN as shown by the example below.
 - An RT (route-target), on the other hand, is a BGP extended community that is attached when a prefix is exported from the VRF RIB into the VRF-aware BGP table, and it identifies VPN membership. The confusing part is that the RT import/export function in Cisco IOS is defined under the VRF configuration section and not under the BGP section. BGP is therefore required to use RTs: without BGP enabled on Router1, the RT import/export would yield no result.
 - By definition the routes that you "export" are only the routes you advertise on the vrf address family in BGP. 
 - The BGP process is required for the creation of the VRF-aware BGP tables.
 - BGP neighbors are not necessary.
 - Lastly, since BGP is used, the BGP next hop must be reachable; otherwise the imported routes will not be considered for route selection.
ISP(config-vrf)#route-target ?
  ASN:nn or IP-address:nn  Target VPN Extended Community
  both                     Both import and export Target-VPN community
  export                   Export Target-VPN community
  import                   Import Target-VPN community
route-target export = redistribute from VRF RIB to VRF BGP.
    (Exported route is now a VPNv4 route in MP-BGP and the RT is included as an extended BGP community.)
route-target import = redistribute from another VRF BGP to current (selected) VRF BGP.



ISP#
!
ip vrf UP
 rd 123:1
 route-target export 123:1
 route-target import 123:99
!
ip vrf DOWN
 rd 123:2
 route-target export 123:2       <- export routes from VRF DOWN's RIB to BGP-VRF-DOWN
 route-target import 123:99    <- import routes from VRF-ALL's RIB to this VRF
!
ip vrf ALL
 rd 123:99
 route-target export 123:99
 route-target import 123:1
 route-target import 123:2
!
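
Added example (not part of the original notes): a Python check that reads the three VRF definitions above, works out which VRF imports routes from which, and compares that with an intended isolation policy. The ALLOWED policy and the function names are assumptions made for this example.

```python
import re

# VRF definitions from the ISP router on this page ("!" separators omitted).
ISP_CONFIG = """\
ip vrf UP
 rd 123:1
 route-target export 123:1
 route-target import 123:99
ip vrf DOWN
 rd 123:2
 route-target export 123:2
 route-target import 123:99
ip vrf ALL
 rd 123:99
 route-target export 123:99
 route-target import 123:1
 route-target import 123:2
"""
# Assumed policy: ALL exchanges routes with UP and DOWN; UP and DOWN stay isolated.
ALLOWED = {("UP", "ALL"), ("DOWN", "ALL"), ("ALL", "UP"), ("ALL", "DOWN")}

def parse_vrfs(config):
    """Collect the import/export route-targets of each 'ip vrf' stanza."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
        elif (m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)) and current is not None:
            for kind in (("import", "export") if m.group(1) == "both" else (m.group(1),)):
                current[kind].add(m.group(2))
        elif not raw.startswith(" "):
            current = None  # any other top-level line closes the stanza
    return vrfs

def import_map(vrfs):
    """Map each VRF to the other VRFs whose export RT matches one of its import RTs."""
    return {dst: {src for src, s in vrfs.items()
                  if src != dst and s["export"] & d["import"]}
            for dst, d in vrfs.items()}

def violations(config, allowed=ALLOWED):
    """(importer, source) pairs the config creates that the policy does not allow."""
    return sorted((dst, src) for dst, srcs in import_map(parse_vrfs(config)).items()
                  for src in srcs if (dst, src) not in allowed)

if __name__ == "__main__":
    print(import_map(parse_vrfs(ISP_CONFIG)), violations(ISP_CONFIG))
    # Constructed drift: VRF UP also imports DOWN's export RT.
    print(violations(ISP_CONFIG.replace("ip vrf DOWN", " route-target import 123:2\nip vrf DOWN", 1)))
```

Only direct RT matches are modelled, which agrees with the routing tables in the verification step: VRF UP holds 99.99.99.0/24 from ALL but none of DOWN's prefixes.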
2) Set IP on interfaces according to VRF
!
interface Loopback99
 ip vrf forwarding ALL
 ip address 99.99.99.99 255.255.255.0
!
interface FastEthernet0/0
 ip vrf forwarding UP
 ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip vrf forwarding DOWN
 ip address 10.0.3.1 255.255.255.0
!
interface FastEthernet1/0
 ip vrf forwarding UP
 ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet1/1
 ip vrf forwarding DOWN
 ip address 10.0.4.1 255.255.255.0
!
3) Configure routing protocols in specific VRFs
!
router eigrp 1
 auto-summary
 !
 address-family ipv4 vrf UP
  network 10.0.0.0
  network 99.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!
router ospf 1 vrf DOWN
 router-id 5.5.5.5
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 10.0.0.0 0.255.255.255 area 0
 network 99.99.99.0 0.0.0.255 area 0
!
4) Configure BGP so that the VRF import/export process works
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 bgp redistribute-internal   <-- iBGP routes are not forwarded to an IGP with the 'redistribute' command
 no auto-summary
 !
 address-family ipv4 vrf UP
  redistribute connected
  redistribute eigrp 1 metric 99
  no synchronization
  bgp redistribute-internal
 exit-address-family
 !
 address-family ipv4 vrf DOWN
  redistribute connected
  redistribute ospf 1 vrf DOWN metric 110
  no synchronization
  bgp redistribute-internal
 exit-address-family
 !
 address-family ipv4 vrf ALL
  redistribute connected
  no synchronization
  bgp redistribute-internal
 exit-address-family
!
5) Verification
UP-LEFT#sh ip route | be Gatewa
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback1
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/158720] via 10.0.1.1, 2d21h, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.0.2.0 [90/30720] via 10.0.1.1, 2d21h, FastEthernet0/0

C       10.0.1.0 is directly connected, FastEthernet0/0
UP-LEFT#
DOWN-LEFT#sh ip route | be Gatewa
Gateway of last resort is not set

     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback1
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/3] via 10.0.3.1, 2d21h, FastEthernet0/0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.3.0 is directly connected, FastEthernet0/0
O       10.0.4.0 [110/2] via 10.0.3.1, 2d21h, FastEthernet0/0
DOWN-LEFT#

ISP# sh ip route | beg Gate
Gateway of last resort is not set
ISP#

ISP# sh ip route vrf UP | b Gate
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/156160] via 10.0.1.2, 2d21h, FastEthernet0/0
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/156160] via 10.0.2.2, 2d21h, FastEthernet1/0
     99.0.0.0/24 is subnetted, 1 subnets
B       99.99.99.0 is directly connected, 2d21h, Loopback99
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.2.0 is directly connected, FastEthernet1/0
C       10.0.1.0 is directly connected, FastEthernet0/0
ISP#

ISP# sh ip route vrf DOWN  | b Gate
Gateway of last resort is not set
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/2] via 10.0.3.2, 2d21h, FastEthernet0/1
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/2] via 10.0.4.2, 2d21h, FastEthernet1/1
     99.0.0.0/24 is subnetted, 1 subnets
B       99.99.99.0 is directly connected, 2d21h, Loopback99
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.3.0 is directly connected, FastEthernet0/1
C       10.0.4.0 is directly connected, FastEthernet1/1
ISP#


ISP# sh ip route vrf ALL  | b Gate
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets       <-imported from VRF 'UP'
B       1.1.1.0 [20/99] via 10.0.1.2 (UP), 2d21h, FastEthernet0/0
     2.0.0.0/24 is subnetted, 1 subnets
B       2.2.2.0 [20/99] via 10.0.2.2 (UP), 2d21h, FastEthernet1/0

     3.0.0.0/32 is subnetted, 1 subnets     <-imported from VRF 'DOWN'
B       3.3.3.3 [20/110] via 10.0.3.2 (DOWN), 2d21h, FastEthernet0/1
     4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [20/110] via 10.0.4.2 (DOWN), 2d21h, FastEthernet1/1

     99.0.0.0/24 is subnetted, 1 subnets
C       99.99.99.0 is directly connected, Loopback99
     10.0.0.0/24 is subnetted, 4 subnets
B       10.0.2.0 is directly connected, 2d21h, FastEthernet1/0
B       10.0.3.0 is directly connected, 2d21h, FastEthernet0/1
B       10.0.1.0 is directly connected, 2d21h, FastEthernet0/0
B       10.0.4.0 is directly connected, 2d21h, FastEthernet1/1
ISP#

ISP#show ip bgp vpnv4 all
% BGP cannot run because the router-id is not configured

BGP table version is 34, local router ID is 0.0.0.0
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 123:1 (default for vrf UP)
*> 1.1.1.0/24       10.0.1.2                99         32768 ?
*> 2.2.2.0/24       10.0.2.2                99         32768 ?
*> 10.0.1.0/24      0.0.0.0                  0         32768 ?
*> 10.0.2.0/24      0.0.0.0                  0         32768 ?
*> 99.99.99.0/24    0.0.0.0                  0         32768 ?
Route Distinguisher: 123:2 (default for vrf DOWN)
*> 3.3.3.3/32       10.0.3.2               110         32768 ?
*> 4.4.4.4/32       10.0.4.2               110         32768 ?
*> 10.0.3.0/24      0.0.0.0                  0         32768 ?
*> 10.0.4.0/24      0.0.0.0                  0         32768 ?
*> 99.99.99.0/24    0.0.0.0                  0         32768 ?
Route Distinguisher: 123:99 (default for vrf ALL)
*> 1.1.1.0/24       10.0.1.2                99         32768 ?
*> 2.2.2.0/24       10.0.2.2                99         32768 ?
*> 3.3.3.3/32       10.0.3.2               110         32768 ?
   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       10.0.4.2               110         32768 ?
*> 10.0.1.0/24      0.0.0.0                  0         32768 ?
*> 10.0.2.0/24      0.0.0.0                  0         32768 ?
*> 10.0.3.0/24      0.0.0.0                  0         32768 ?
*> 10.0.4.0/24      0.0.0.0                  0         32768 ?
*> 99.99.99.0/24    0.0.0.0                  0         32768 ?
ISP#
ISP#show ip bgp vpnv4 vrf UP 1.1.1.0
% BGP cannot run because the router-id is not configured
BGP routing table entry for 123:1:1.1.1.0/24, version 10
Paths: (1 available, best #1, table UP)
  Not advertised to any peer
  Local
    10.0.1.2 from 0.0.0.0 (0.0.0.0)
      Origin incomplete, metric 99, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:123:1 Cost:pre-bestpath:128:156160
        0x8800:32768:0 0x8801:1:130560 0x8802:65281:25600 0x8803:65281:1500
      mpls labels in/out 18/nolabel
ISP#


ISP# ping vrf ALL 4.4.4.4 source loopback 99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 99.99.99.99
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms
ISP#


Ping from ISP vrf ALL to UP-LEFT's lo1 (vrf UP) failed
ISP# ping vrf ALL 1.1.1.1 source loopback 99
Packet sent with a source address of 99.99.99.99
.....
Success rate is 0 percent (0/5)

 Route 99.99.99.0/24 is present in the VRF UP RIB (as a BGP route) but not in the EIGRP topology, so it is not advertised to UP-LEFT
ISP#sh ip route vrf UP
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/156160] via 10.0.1.2, 2d22h, FastEthernet0/0
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/156160] via 10.0.2.2, 2d22h, FastEthernet1/0
     99.0.0.0/24 is subnetted, 1 subnets
B       99.99.99.0 is directly connected, 00:06:46, Loopback99
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.2.0 is directly connected, FastEthernet1/0
C       10.0.1.0 is directly connected, FastEthernet0/0
ISP#

Redistribute this network from BGP into EIGRP for VRF UP
ISP(config)#router eigrp 1
ISP(config-router)#address-family ipv4 vrf UP 
ISP(config-router-af)#redistribute bgp 1 metric  1 1 1 1 1500
Check again
ISP# ping vrf ALL 1.1.1.1 source loopback 99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 99.99.99.99
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/18/24 ms
ISP#