Configuring VRF lite

Unanswered Question
May 21st, 2009

Is it the correct assumption that VRF lite needs to be configured with the same VRFs all through the network for traffic to be routed properly? I'm playing with gns3, and I'm using 3600 series routers. While these support VRFs, I was unable to get traffic out of the "network." I later found documentation that shows vlans and vrfs all the way to the exiting router, and even that router had the vrfs and subinterfaces for vlans configured on them. This seems to be something that you wouldn't haphazardly want to configure without very careful planning.



Jon Marshall Thu, 05/21/2009 - 04:15


"This seems to be something that you wouldn't haphazardly want to configure without very careful planning."

No, you definitely wouldn't. Basically VRFs allow you to create multiple virtual networks which are isolated from one another on top of the same physical infrastructure, so when you look at it like that it makes sense that you need consistency across your network per VRF. So if you were to create a guest access network using VRFs then you would want the guest VRF on all the network devices that traffic would need to cross, and this VRF mapping would need to be consistent.

Generally speaking the whole concept of VRF is not to get traffic out of the virtual network except for the entry and exit points.


John Blakley Thu, 05/21/2009 - 04:18

So with that said, how do you think the ASA would handle vrfs? I was looking at this after Edison posted it last night, and I thought it would be great for my guest wireless side, but after playing with it I'm not so sure. I see a couple of problems in my network using it, but I also don't know enough about it to really make an educated decision. :-)



Jon Marshall Thu, 05/21/2009 - 04:28


I don't know whether the ASA supports vrf's or not, the FWSM certainly does.

But you could easily terminate your guest vrf onto a different interface on the ASA and that way you could control the traffic between the guest vrf and the rest of your network.


rakesh.hegde Thu, 05/21/2009 - 06:53

Hi John,

I am not quite sure about what you mean by "configured with the same VRFs".

Generally speaking VRF names are locally significant. What matters is the route descriptor (RD) value. You don't even have to worry about the RD if you are doing VRF lite without BGP. You can use different VRF names on your routers to represent the same address space.

I would still use the same name just to keep everything consistent.



Jon Marshall Thu, 05/21/2009 - 10:14


"Generally speaking VRF names are locally significant"

I agree that using the same name keeps everything consistent, but yes, you're right, the VRF name is only locally significant.

Thanks for clarifying that.


Giuseppe Larosa Thu, 05/21/2009 - 11:15

Hello John,

the difference between VRF lite and full featured MPLS VRFs and VPN is that the second is able to use MPLS for the forwarding plane.

VRF lite has only VRF access links and it needs to use them both for connecting CE nodes and for building the desired topology.

To deploy multiple VRF lite topologies correctly you need to provide a collection of back-to-back links between nodes.

Actually each topology requires its own collection of logical links between network devices to work well.

This can be done for example using 802.1Q vlan subinterfaces or FR or ATM p-t-p subinterfaces.

The name of the VRF is locally significant as noted by Rakesh.

Of course this is a great limitation to scalability: as the number of VRFs to be implemented grows, the effort is bigger than with a full MPLS VPN solution that can use a single backbone link to support multiple VRF traffic (using an MPLS stack of two labels).

ASA can be multicontext as FWSM and roughly one context can be equated to a VRF lite instance.

If the design requires to go via one of them the front end device needs to expose N logical interfaces to the ASA/FWSM.

Hope to help

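To make the points in Rakesh's and Giuseppe's replies concrete, here is an added example of a two-router VRF lite configuration (not taken from the thread or from any Cisco document): a guest VRF and a production VRF carried over one 802.1Q trunk as two separate subinterfaces, with a per-VRF default route on the inside router and the guest VRF terminated on its own interface toward the exit device. The router names, interface names (NM-1FE style FastEthernet slots as on a 3600), VLAN IDs, RD values and addresses are all assumed for illustration. The guest VRF is deliberately named GUEST on R1 and VISITOR on R2 to show that the name is only locally significant; what has to line up hop by hop is the VLAN/subinterface and the addressing, not the name.

```text
! ===== R1 (inside router, hypothetical) =====
! VRF names are local to this box. The RD is only exchanged by MP-BGP,
! which VRF lite does not use, but classic "ip vrf" still expects an RD
! before it installs routes, so an arbitrary value is given.
ip vrf GUEST
 rd 65000:10
ip vrf PROD
 rd 65000:20
!
interface FastEthernet0/0
 description 802.1Q trunk to R2 (one subinterface per VRF)
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ! assign the VRF before the address: "ip vrf forwarding" clears any IP address
 ip vrf forwarding GUEST
 ip address 10.0.10.1 255.255.255.252
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding PROD
 ip address 10.0.20.1 255.255.255.252
!
interface FastEthernet1/0
 description guest user segment
 ip vrf forwarding GUEST
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet2/0
 description production user segment
 ip vrf forwarding PROD
 ip address 192.168.20.1 255.255.255.0
!
! each VRF needs its own routing entries; the global table never sees them
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.0.10.2
ip route vrf PROD  0.0.0.0 0.0.0.0 10.0.20.2

! ===== R2 (exit router, hypothetical) =====
! same address space as R1's GUEST, different local name
ip vrf VISITOR
 rd 65000:10
ip vrf PROD
 rd 65000:20
!
interface FastEthernet0/0
 description 802.1Q trunk to R1
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding VISITOR
 ip address 10.0.10.2 255.255.255.252
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding PROD
 ip address 10.0.20.2 255.255.255.252
!
interface FastEthernet1/0
 description hand-off to the firewall's guest-facing interface
 ! leaving this interface in the global table would be the "leak" point
 ip vrf forwarding VISITOR
 ip address 172.16.10.1 255.255.255.252
!
interface FastEthernet2/0
 description hand-off to the firewall's production-facing interface
 ip vrf forwarding PROD
 ip address 172.16.20.1 255.255.255.252
!
ip route vrf VISITOR 192.168.10.0 255.255.255.0 10.0.10.1
ip route vrf VISITOR 0.0.0.0 0.0.0.0 172.16.10.2
ip route vrf PROD    192.168.20.0 255.255.255.0 10.0.20.1
ip route vrf PROD    0.0.0.0 0.0.0.0 172.16.20.2

! ===== verification on R2 =====
! show ip vrf interfaces        <- every transit and edge interface should list a VRF
! show ip route vrf VISITOR     <- 192.168.10.0/24 and the default must be here, not in "show ip route"
! ping vrf VISITOR 192.168.10.1 <- a plain "ping 192.168.10.1" from the global table should fail
```

The check that matters for isolation is the one in the last block: a destination in the guest VRF must be unreachable from the global table and from the PROD VRF on every hop. If `show ip vrf interfaces` shows a transit subinterface with no VRF, or a `ping` without the `vrf` keyword succeeds, the VRF chain has a gap at that router and traffic can cross between the virtual networks there, which is the situation the original question describes.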

rakesh.hegde Thu, 05/21/2009 - 12:28

Thanks Giuseppe. I missed that point. As you said, ASA/FWSMs don't support VRFs. Generally, a context per VRF would be the way to keep address spaces separate.


daswafford Thu, 05/21/2009 - 13:58

One thing that hasn't been mentioned--

If you want traffic to cross between the VRFs then you would not be configuring VRF on the ASA or PIX. Instead you would connect interfaces from the ASA/PIX into ports/VLANs associated with each VRF needing to talk. Think of the concept of inside and outside interfaces: you could put your PIX inside interface on the production network and the PIX outside interface on the guest VRF network and configure your rules to allow something specific you may need.

If you want the VRF network to only use the same physical ASA/PIX for internet access but not be able to touch the other networks then you would need to setup multiple contexts on the firewall. Not necessarily configure VRF but you do need to virtualize the firewall.

