VRF (Virtual Routing and Forwarding)
is a technology that allows multiple instances of a routing table to co-exist
within the same router at the same time. This increases functionality by
allowing network paths to be segmented without using multiple devices. Because
traffic is automatically segregated, VRF also increases network security and
can eliminate the need for encryption and authentication. Internet service
providers (ISPs) often take advantage of VRF to create separate virtual private
networks (VPNs) for customers; thus the technology is also referred to as VPN
routing and forwarding. Because the routing instances are independent, the same
or overlapping IP addresses can be used without conflicting with each other.
VRF acts like a logical router, but
while a logical router may include many routing tables, a VRF instance uses
only a single routing table. In addition, VRF requires a forwarding table that
designates the next hop for each data packet, a list of devices that may be
called upon to forward the packet, and a set of rules and routing protocols
that govern how the packet is forwarded. These tables prevent traffic from
being forwarded outside a specific VRF path and also keep out traffic that
should remain outside the VRF path.
When we hear about VRF, its almost
synonymous to MPLS VPN. Virtual Routing and Forwarding is commonly used by
Service Providers to provide services within an MPLS cloud with multiple
customers. The most interesting feature of this is that, VRF allows creation of
multiple routing tables within a single router. This means that overlapping use
of IP addresses from different customers is possible. Some enterprises use VRF
to seggrate their services like VOIP, wireless, geographical location and other
varieties.
Just as with a VLAN based network
using 802.1q trunks to extend the VLAN between switches, a VRF based design
uses 802.1q trunks, GRE tunnels, or MPLS tags to extend and tie the VRFs
together.
VRF-Lite (Multi-VRF)
VRF-lite is a feature that enables
a service provider to support two or more VPNs, where IP addresses can be
overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes
for different VPNs and forms virtual packet-forwarding tables by associating
one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either
physical, such as Ethernet ports, or logical, such as VLAN SVIs, but a Layer 3
interface cannot belong to more than one VRF at any time.
It supports multiple, overlapping,
independent routing and forwarding tables per customer.
Any routing protocol supported by
normal VRF can be used in a VRF-Lite CE implementation. The CE supports traffic
separation between customer networks. As there is no MPLS functionality on the
CE, no label exchange happens between the CE and PE.
VRF-lite includes these devices:
- Customer edge (CE) devices provide customer access to the service provider network over a data link to one or more provider edge routers. The CE device advertises the site's local routes to the provider edge router and learns the remote VPN routes from it. A Catalyst 4500 series switch can be a CE.
- Provider edge (PE) routers exchange routing information with CE devices by using static routing or a routing protocol such as BGP, RIPv1, or RIPv2.
- The PE is only required to maintain VPN routes for those VPNs to which it is directly attached, eliminating the need for the PE to maintain all of the service provider VPN routes. Each PE router maintains a VRF for each of its directly connected sites. Multiple interfaces on a PE router can be associated with a single VRF if all of these sites participate in the same VPN. Each VPN is mapped to a specified VRF. After learning local VPN routes from CEs, a PE router exchanges VPN routing information with other PE routers by using internal BGP (iBPG).
- Provider routers (or core routers) are any routers in the service provider network that do not attach to CE devices.
With VRF-lite, multiple customers
can share one CE, and only one physical link is used between the CE and the PE.
The shared CE maintains separate VRF tables for each customer and switches or
routes packets for each customer based on its own routing table. VRF-lite
extends limited PE functionality to a CE device, giving it the ability to
maintain separate VRF tables to extend the privacy and security of a VPN to the
branch office.
Packet-Forwarding Process in a VRF-lite CE-enabled network:
- When the CE receives a packet from a VPN, it looks up the routing table based on the input interface. When a route is found, the CE forwards the packet to the PE.
- When the ingress PE receives a packet from the CE, it performs a VRF lookup. When a route is found, the router adds a corresponding MPLS label to the packet and sends it to the MPLS network.
- When an egress PE receives a packet from the network, it strips the label and uses the label to identify the correct VPN routing table. The egress PE then performs the normal route lookup. When a route is found, it forwards the packet to the correct adjacency.
- When a CE receives a packet from an egress PE, it uses the input interface to look up the correct VPN routing table. If a route is found, the CE forwards the packet within the VPN.
The VRF-lite network has three major components:
- -VPN route target communities- Lists all other members of a VPN community. You need to configure VPN route targets for each VPN community member.
- Multiprotocol BGP peering of VPN community PE routers- Propagates VRF reachability information to all members of a VPN community. You need to configure BGP peering in all PE routers within a VPN community.
- VPN forwarding- Transports all traffic between all VPN community members across a VPN service-provider network.
Application
- Shared Datacenters- The datacenter provider can use VRFs to reduce the number of device involved. Eg. If the datacenter is hosting three different customers (that use similar IP subnets) then there might be a need to three different routers.
But if VRF is used, then only one
router can be used.
- ISP- ISPs provide links between sites of multiple customers. By the use of VRF it is possible to use the same infrastructure for multiple customers.
Without VRF
With VRF
A tag is added to each route. This
tag is called a Route Distinguisher.
Nice Article ,,,wonderfull explanation
ReplyDeleteI'd love it !
ReplyDeleteGood article
ReplyDelete