VRF - virtual routing and forwarding

Unanswered Question
Feb 6th, 2007

Hi NetPros .. would you mind making sense of this config I have found at one of my customers .. I know it is related to virtual routing and forwarding but am confused as to what exactly it is doing .. perhaps it is a misconfiguration which I would like to remove !!!

ip vrf orange
 rd 100:100

interface Vlan30
 ip vrf forwarding orange
 ip address 172.19.0.251 255.255.0.0

ip route vrf orange 0.0.0.0 0.0.0.0 172.19.0.250
ip route vrf orange 10.0.0.0 255.0.0.0 172.19.0.1
ip route vrf orange 10.1.5.3 255.255.255.255 172.19.0.250
ip route vrf orange 172.16.0.0 255.255.0.0 172.19.0.1
ip route vrf orange 172.18.200.0 255.255.255.0 172.19.0.1
ip route vrf orange 172.20.0.0 255.255.0.0 172.19.0.1

Any comments are appreciated !!!

sachinraja Tue, 02/06/2007 - 21:49

Hello fernando,

Yeah.. VRF configurations.. this basically builds up a separate routing table for a customer or vendor called orange.. it has a route-distinguisher of 100:100, which will be unique to this customer... Are you still using VRFs on this router/switch ?? Just check also if tag switching is enabled on the interfaces... all the routing configurations on VRF have the ip route vrf context with the required route.. so, if any packet comes with a vrf tag of orange, it will basically look into the vrf routing table and not the ip routing table..

SO, if you don't require it, REMOVE IT, and have some good sleep :)

Raj

Fernando_Meza Wed, 02/07/2007 - 19:12

Hi Raj,

Cheers, this is a core 6513 switch and it is the only device configured with vrf so I think someone was trying to configure something in the past.

Just to confirm what you said and what I have been thinking.

1.- Assuming that a device in the range 172.19.0.0/16 has its default gateway as 172.19.0.251 ( the vrf interface ) then when a packet is sent by this device towards a different segment, the packet will :

a.- hit the default gateway ( vrf interface )

b.- the ip routing lookup will be performed on the routes that belong to the vrf instance instead of the normal routing table.

c.- the packets will go out according to point 2.

Is that correct ..?

sachinraja Wed, 02/07/2007 - 19:35

Hello Fernando,

Yeah.. you are right.. Just to add.. When a packet enters or exits an interface, and if the interface is tagged to any VRF, using the "ip vrf forwarding" command, (eg orange in your case), it looks for a route in that particular VRF routing table.. This applies only to the router, which tags the VRF information (PE - Provider Edge), and not to the router which sends this information (CE - customer edge).. The CE router will still have only an IP routing table...

Just to brief:

1) IP Packets are sent from an interface, which is tagged with VRF forwarding...

2) packets enter the router, and are attached with a particular rd (route distinguisher), which is attached to the VRF name.. This makes it to have a distinct routing table info...

3) Depending on the VRF name, the VRF routing table entries are checked and packets are forwarded to the next hop PE router..

4) Packet goes to the destination PHP (Penultimate Hop Router) router, where a VRF lookup is done, and packets are forwarded to the appropriate interface, where the ip vrf forwarding is configured....

uff. did i confuse you too much ??

Raj

Fernando_Meza Wed, 02/07/2007 - 20:41

Hi .. a bit .. but I think I have got the principle very clear now .. basically vrf instances are used for creating multiple routing tables which can be used as alternate paths to a destination .. Cheers for your explanation Raj .. it definitely made things clear .. Cheers,

mikedavi1 Thu, 02/08/2007 - 06:46

With regard to previous posts about tag-switching, PEs, PHPs, etc., are only true if MPLS is involved. Doesn't look like this is the case.

Based on the config posted which has no route-targets nor import/export policies configured, this looks more like vrf-lite. It appears that this switch is used as the default-gateway for hosts on the vlan. It appears to co-exist with 2 other routers - 172.19.0.250 and 172.19.0.1. And it will use icmp-redirects to move host traffic to the other destinations listed by the route statements via either of those two routers.

Why would this be done? If one of your customers has address space that overlaps with another, it is desirable to allocate that customer its own routing table. That's all vrf-lite and/or this config are doing.

If it were me, I would verify the existence of the other two routers as well as hosts on that vlan before changing config.

ping vrf orange 172.19.0.250

ping vrf orange 172.19.0.1

show arp vrf orange

ping vrf orange

contact customer to verify routing scheme

etc...
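An added example, not part of any post in this thread: a small offline audit of the configuration quoted in the first post, showing the two points the thread settles on, that lookups for traffic arriving on Vlan30 use only the orange table (longest prefix wins) and that the absence of route-targets points to vrf-lite. The function names `parse_vrf`, `lookup` and `offlink_next_hops` are hypothetical, and the parser assumes the simple `ip route vrf NAME prefix mask next-hop` form seen on this page.

```python
import ipaddress
import re

# Constructed sample: the configuration quoted in the first post.
CONFIG = """\
ip vrf orange
 rd 100:100
interface Vlan30
 ip vrf forwarding orange
 ip address 172.19.0.251 255.255.0.0
ip route vrf orange 0.0.0.0 0.0.0.0 172.19.0.250
ip route vrf orange 10.0.0.0 255.0.0.0 172.19.0.1
ip route vrf orange 10.1.5.3 255.255.255.255 172.19.0.250
ip route vrf orange 172.16.0.0 255.255.0.0 172.19.0.1
ip route vrf orange 172.18.200.0 255.255.255.0 172.19.0.1
ip route vrf orange 172.20.0.0 255.255.0.0 172.19.0.1
"""

def parse_vrf(config, vrf):
    """Return (connected, static, has_route_target) for one VRF."""
    connected, static, has_rt, section, bound = [], [], False, "", False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):              # top-level command
            section, bound = line, False
            m = re.fullmatch(rf"ip route vrf {re.escape(vrf)} (\S+) (\S+) (\S+)", line)
            if m:
                static.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3])))
        elif section == f"ip vrf {vrf}" and line.startswith("route-target"):
            has_rt = True
        elif section.startswith("interface ") and line == f"ip vrf forwarding {vrf}":
            bound = True
        elif bound and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            connected.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
    return connected, static, has_rt

def lookup(connected, static, dst):
    """Longest-prefix match inside the VRF table only; None means no route."""
    dst = ipaddress.ip_address(dst)
    routes = [(n, "connected") for n in connected] + [(n, str(h)) for n, h in static]
    hits = [(n.prefixlen, hop) for n, hop in routes if dst in n]
    return max(hits)[1] if hits else None

def offlink_next_hops(connected, static):
    """Static next hops outside every subnet connected to the VRF."""
    return sorted({str(h) for _, h in static if not any(h in n for n in connected)})
```

For the posted config, `lookup` sends 10.1.5.3 to 172.19.0.250 via the host route while the rest of 10.0.0.0/8 goes to 172.19.0.1, and both next hops sit inside the Vlan30 subnet.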
