Configuring VRF-lite
Posted by David Allan in Cisco, tags: Cisco, config, routing, VRF, VRF-lite
Introduction
In the datacenter we have several customers who take the L2TP handoff service from us. A few of these have separate LNSs for each of their clients, so with just ten clients like this you're talking anything up to a rack or more just for the LNSs. If only there was a way to use a single router that all the clients can connect to, while keeping them separate from each other and allowing overlapping address ranges.
We can do this simply with VRF-lite, and very little extra configuration.
Terminology: VRF-lite
VRF-lite allows a router to support two or more VPNs (Virtual Private Networks) that have IP address ranges that overlap. VRF-lite is enabled on interfaces to separate routes for the individual VPNs and creates virtual routing tables on the router for the separate VRF instances.
Configuration
We’ll use the following topology. Client A and Client B are both directly connected to R1, but they could just as easily be connected to virtual interfaces cloned from a virtual template on an LNS.

1. On R1 we will first define our two VRF-lite instances. This is done using the command “ip vrf vrf-name” from global configuration mode, where vrf-name is the name assigned to this VRF instance. Once this is set we are in VRF configuration mode. Here we set our Route Distinguisher, which should be a unique value for each of our VRF instances. The Route Distinguisher is entered in the format ASN:nn or IP-address:nn, where ASN is your Autonomous System Number, IP-address is a valid address in your assignment and nn is any number.
R1(config)#ip vrf CLIENT_A
R1(config-vrf)#rd 65500:100
R1(config-vrf)#exit
R1(config)#ip vrf CLIENT_B
R1(config-vrf)#rd 65500:200
2. Now that we have our two VRF instances defined, we need to tell the router which interfaces will be part of each instance. We do this by going into the interface configuration mode of the interface we want to add to the instance and using the command “ip vrf forwarding vrf-name”, where vrf-name is the name of the VRF we created earlier.
When adding an interface to a VRF instance any IP addressing configuration will be removed from the running configuration and will have to be re-added.
% Interface Ethernet0/0 IP address x.x.x.x removed due to enabling VRF VRF_NAME
If you are connected to this router remotely by telnet, SSH etc. through that interface, you will lose your connection to the device.
So let’s put the Ethernet0/0 interface into the CLIENT_A VRF instance.
R1(config)#interface ethernet 0/0
R1(config-if)#ip vrf forwarding CLIENT_A
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
Then the same again for Ethernet0/1, Serial0/0 and Serial0/1.
R1(config-if)#interface Ethernet 0/1
R1(config-if)#ip vrf forwarding CLIENT_B
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface Serial 0/0
R1(config-if)#ip vrf forwarding CLIENT_A
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#interface Serial 0/1
R1(config-if)#ip vrf forwarding CLIENT_B
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#no shutdown
3. We can verify the VRF instances and the interfaces configured in those instances with the command “show ip vrf vrf-name” from privileged exec mode. We can see that the interfaces Ethernet0/0 and Serial0/0 are part of the CLIENT_A VRF instance and the interfaces Ethernet0/1 and Serial0/1 are part of the CLIENT_B VRF instance.
R1#show ip vrf CLIENT_A
  Name        Default RD    Interfaces
  CLIENT_A    65500:100     Ethernet0/0
                            Serial0/0
R1#
R1#show ip vrf CLIENT_B
  Name        Default RD    Interfaces
  CLIENT_B    65500:200     Ethernet0/1
                            Serial0/1
R1#
We can also view the routing tables. The “show ip route” command shows us the main routing table of the router, and we can see the individual instance routing tables with the command “show ip route vrf vrf-name”.
R1#show ip route vrf CLIENT_A

Routing Table: CLIENT_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.0.0/24 is directly connected, Ethernet0/0
R1#
R1#show ip route vrf CLIENT_B

Routing Table: CLIENT_B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.0.0/24 is directly connected, Ethernet0/1
R1#
4. We can add static routes to the VRF instances with the “ip route” command. Like a normal static route we specify the destination IP prefix and mask, but we can only specify a forwarding interface if it is configured as point-to-point; otherwise we get the message
% For VPN routes, must specify a next hop IP address if not a point-to-point interface
We must also specify which VRF the static route belongs to by adding “vrf vrf-name” to the “ip route” command. So our whole command is “ip route vrf vrf-name prefix mask ip-address metric”. If the metric isn’t set, the router will use the default value of 1.
R1(config)#ip route vrf CLIENT_A 0.0.0.0 0.0.0.0 172.16.0.2 5
R1#show ip route vrf CLIENT_A

Routing Table: CLIENT_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.0.2 to network 0.0.0.0

C    172.16.0.0/16 is directly connected, Loopback0
C    192.168.0.0/24 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [5/0] via 172.16.0.2
R1#
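The separation built in steps 1 to 3 can also be checked offline against a saved configuration. The following Python script is an added example, not part of the original post; it flags duplicate Route Distinguishers, VRF interfaces left without an address, and subnets that overlap inside one routing table, while allowing the same subnet in different VRFs. The function name audit_vrf_config and the sample configuration are assumptions constructed from the commands above.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: R1 as configured in this post, except that Serial0/1
# has lost its address after "ip vrf forwarding" and was never re-addressed.
SAMPLE_CONFIG = """\
ip vrf CLIENT_A
 rd 65500:100
ip vrf CLIENT_B
 rd 65500:200
interface Ethernet0/0
 ip vrf forwarding CLIENT_A
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
 ip vrf forwarding CLIENT_B
 ip address 192.168.0.1 255.255.255.0
interface Serial0/0
 ip vrf forwarding CLIENT_A
 ip address 10.0.0.1 255.255.255.252
interface Serial0/1
 ip vrf forwarding CLIENT_B
"""

def audit_vrf_config(text):
    """Hypothetical helper: list separation problems in an IOS-style config."""
    vrfs, ifaces, ctx = {}, {}, {}
    for line in text.splitlines():
        if m := re.match(r"ip vrf (\S+)$", line):
            ctx = vrfs.setdefault(m[1], {"rd": None})
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ifaces.setdefault(m[1], {"vrf": None, "net": None})
        elif m := re.match(r" +rd (\S+)$", line):
            ctx["rd"] = m[1]
        elif m := re.match(r" +ip vrf forwarding (\S+)$", line):
            ctx["vrf"] = m[1]
        elif m := re.match(r" +ip address (\S+) (\S+)$", line):
            ctx["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    findings = []
    for (a, x), (b, y) in combinations(vrfs.items(), 2):
        if x["rd"] == y["rd"]:  # the RD must be unique per VRF instance
            findings.append(f"VRFs {a} and {b} share RD {x['rd']}")
    for name, i in ifaces.items():
        if i["vrf"] and i["net"] is None:  # address stripped, not re-added
            findings.append(f"{name} is in VRF {i['vrf']} but has no IP address")
    for (a, x), (b, y) in combinations(ifaces.items(), 2):
        same_table = x["vrf"] == y["vrf"]  # None means the global table
        if same_table and x["net"] and y["net"] and x["net"].overlaps(y["net"]):
            findings.append(f"{a} and {b} overlap in table {x['vrf'] or 'global'}")
    return findings
```

Run against the sample, the only finding is the unaddressed Serial0/1; the two 192.168.0.0/24 interfaces are not reported because they sit in different VRFs.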
Summary
We now have our router configured for VRF-lite and we have two virtual routing tables that are independent from each other. We have allowed the two clients to use the same IP address range and have used overlapping addresses on R1. Static routing has been set up within the VRF instance and the configuration has been verified with the relevant show commands.
We can extend this further by using a per VLAN instance of VRF on sub-interfaces of the router trunking to a switch, or use MP-BGP to carry these customer routes through our network.
I hope you found this post informative, please leave a comment if you have any questions or feedback.