VRF-Lite on Cisco
Introduction
Virtual Routing and Forwarding Lite (VRF-Lite) creates isolated routing domains (separate routing tables) on a single physical network infrastructure, without the MPLS backbone that a full L3VPN needs. That makes it useful in a number of scenarios.
- VRF-Lite gives each network we want to separate its own RIB and CEF table on the same device; routes in one VRF are not visible to another.
- The isolation is at the routing-table level only. A VRF does not inspect or filter packets, so it is not a substitute for a firewall: it guarantees that traffic cannot cross between domains unless a route is deliberately leaked (static route, MP-BGP route targets) or the traffic is hairpinned through an external device such as a firewall.
- MP-BGP with route targets (or static routes that point into another VRF) is how routes are exchanged between VRFs when communication between them is actually required.
- Every device along the path must carry the VRFs end-to-end (a separate VLAN or subinterface per VRF on every hop) for traffic to flow. Alternatively, MPLS L3VPN carries the VRF in a label across a shared core, so only the provider-edge routers need the VRF configuration and the label-switched routers in between do not.
Key Uses of VRF-Lite
Multi-Tenant Environments
- Scenario: In environments with multiple tenants sharing the same network infrastructure.
- Use: VRF-Lite creates separate virtual networks for each tenant, ensuring security and isolation.
Isolated Virtual Private Networks (VPNs)
- Scenario: Organizations requiring isolated communication channels per department or client.
- Use: VRF-Lite provides a separate virtual network (a VPN in the L3VPN sense) for each department or client on shared hardware. It does not encrypt anything: if confidentiality on the wire is required, the VRF has to be combined with IPsec or MACsec.
Network Segmentation
- Scenario: Enterprises needing network segmentation for improved security or different environments.
- Use: VRF-Lite is an effective tool for segmenting networks, allowing separate operation within a shared physical infrastructure.
Traffic Engineering
- Scenario: Networks requiring controlled and optimized data flow.
- Use: placing specific traffic types in their own VRF gives each its own routing policy and forwarding path; QoS policies still have to be applied separately, VRFs only keep the traffic classes apart.
Hybrid Networks (IPv4 and IPv6)
- Scenario: Networks that need to support both IPv4 and IPv6 traffic.
- Use: a single VRF can carry both address families, or each IP version can be kept in its own VRF, whichever suits the migration plan; in both cases the segregation between VRFs is preserved.
VRF Instances
At the core of VRF-Lite are VRF instances. Each VRF instance represents a separate routing table, ensuring that traffic within a VRF instance is isolated from traffic in other VRFs.
Guidelines and Limitations for IPv4 and IPv6
Prerequisites:
- Network planning (IP addressing, interface and VLAN details, traffic types) must be completed first.
- VRF-lite interfaces must be Layer 3 interfaces.
- Multiple VLANs share a router with VRF-lite, and each VLAN is associated with a VRF.
- A single VRF can be configured for both IPv4 and IPv6.
- You can associate an interface with only one VRF. You cannot configure a VRF for IPv4 and a different VRF for IPv6 on the same interface.
- IPv4 and/or IPv6 routing for a given VRF needs to be configured. You can use most routing protocols (BGP, OSPF, EIGRP, RIP, and static routing).
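The prerequisites above, applied on one IOS router as an added example (not taken from the Cisco guide cited below): two tenants that both use 10.0.0.0/24, each VLAN bound to exactly one VRF, one VRF carrying both IPv4 and IPv6, and routing configured per VRF. The VRF names, interfaces, addresses and next hops are assumptions.

```cisco
! VRF-Lite on a single IOS router (added example; TENANT-A, TENANT-B,
! interfaces and addresses are assumptions, not from the cited guide).
!
! 'vrf definition' is the multiprotocol form: one VRF can hold an IPv4 and an
! IPv6 address family. The legacy 'ip vrf' form is IPv4-only.
ipv6 unicast-routing
!
vrf definition TENANT-A
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
!
vrf definition TENANT-B
 address-family ipv4
 exit-address-family
!
! Each VLAN is a Layer 3 subinterface bound to exactly one VRF.
! 'vrf forwarding' must come BEFORE 'ip address': changing the VRF binding
! removes any address already configured on the interface.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 vrf forwarding TENANT-A
 ip address 10.0.0.1 255.255.255.0
 ipv6 address 2001:db8:a::1/64
!
! Same 10.0.0.0/24 as TENANT-A, no conflict: it lives in a different table.
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 vrf forwarding TENANT-B
 ip address 10.0.0.1 255.255.255.0
!
! Uplinks toward the next hop must be in the VRF as well (end-to-end rule).
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 vrf forwarding TENANT-A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 vrf forwarding TENANT-B
 ip address 192.0.2.5 255.255.255.252
!
! Routing is configured per VRF. Static routes here; a dynamic protocol would
! be started per VRF, e.g. 'router ospf 10 vrf TENANT-A'.
ip route vrf TENANT-A 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf TENANT-B 0.0.0.0 0.0.0.0 192.0.2.6
!
! Verification: each VRF has its own RIB and CEF table, and the global table
! never sees the tenant prefixes.
!   show vrf
!   show ip route vrf TENANT-A
!   show ip cef vrf TENANT-B 10.0.0.0
!   ping vrf TENANT-A 192.0.2.2
```

When auditing such a box, look for any "ip route vrf ... global" or a static route whose next hop sits in another VRF: each one is a deliberate bridge between domains and deserves the same review as a firewall rule.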
Understanding RD, RT, and VRFs in BGP Networks
- RD (Route Distinguishers) are 64-bit values that are prepended to a prefix.
- Example: if R6 and R7 share the prefix 10.6.7.0/24 and the VRF's RD is 6:7, MP-BGP advertises it as the VPNv4 prefix 6:7:10.6.7.0/24. The address carried grows from 32 bits to 96 bits (the RD is always encoded in 64 bits, whichever of the ASN:number or IP:number formats is used, plus the 32-bit IPv4 address); the /24 mask is still carried alongside. The RD only makes otherwise identical prefixes from different VRFs distinct inside BGP; it carries no policy and is not matched on import.
- VRFs are useful for isolating networks, in particular where different campuses or customers use identical subnets. Letting such VRFs communicate with each other is where problems start: overlapping prefixes cannot be leaked into a common table without NAT, and every leaked route is a hole in the isolation that has to be reviewed like a firewall rule.
- RT (Route Targets) are BGP extended communities attached to VPNv4/VPNv6 prefixes. A VRF's export route targets tag what it sends, and its import route targets decide which received prefixes are installed in its table.
- Like the RD, the RT is carried by MP-BGP. For example, on R5 configure the VRF to export routes with an RT of 5:5 and, on R4, configure the VRF to import RT 5:5; R4's VRF then receives exactly R5's routes and nothing else. RTs act like ACLs for route filtering: they decide which VRF imports or exports which routes, and a prefix whose RT no VRF imports is carried in BGP but installed nowhere.
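The RD and RT behaviour described above as an added IOS configuration example (not from the cited Cisco guide). It follows the text's R5/R4 naming and RT 5:5, and adds a shared-services VRF that imports R5's routes to show controlled leaking; the VRF names CUST-A and SHARED, ASN 65000, the RD values and all addresses are assumptions.

```cisco
! RD and RT on R5 (added example; names, ASN and addresses are assumptions).
!
! RD 5:5 makes 10.6.7.0/24 unique inside MP-BGP as 5:5:10.6.7.0/24, even if
! another VRF on the same or a peer router carries 10.6.7.0/24 with its own RD.
! The RTs are the policy: 'export 5:5' tags everything leaving CUST-A,
! 'import 5:5' accepts routes so tagged, and 'import 100:100' pulls in the
! shared-services prefixes (and nothing else).
vrf definition CUST-A
 rd 5:5
 address-family ipv4
  route-target export 5:5
  route-target import 5:5
  route-target import 100:100
 exit-address-family
!
! Shared services VRF: exports its own RT and imports CUST-A's RT 5:5.
! Without the 'route-target import 5:5' line, CUST-A's prefixes are still
! carried in MP-BGP but are never installed in SHARED's RIB.
vrf definition SHARED
 rd 100:100
 address-family ipv4
  route-target export 100:100
  route-target import 100:100
  route-target import 5:5
 exit-address-family
!
! MP-BGP carries the RD-prefixed routes and their RT extended communities.
! The per-VRF address families put the VRF routes into BGP; on a single box
! this is also what makes RT-based leaking between local VRFs work.
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.4.5.4 remote-as 65000
 neighbor 10.4.5.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.4.5.4 activate
  neighbor 10.4.5.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  network 10.6.7.0 mask 255.255.255.0
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf SHARED
  redistribute connected
 exit-address-family
!
! On R4 (the peer 10.4.5.4), to receive CUST-A's routes into its own VRF.
! The RD may differ per router; only the RT has to match R5's export.
!   vrf definition CUST-A
!    rd 4:4
!    address-family ipv4
!     route-target import 5:5
!     route-target export 4:4
!    exit-address-family
!
! Verification on R5:
!   show bgp vpnv4 unicast all            (prefixes grouped per Route Distinguisher)
!   show bgp vpnv4 unicast vrf CUST-A 10.6.7.0
!   show ip route vrf SHARED 10.6.7.0     (present only because SHARED imports 5:5)
!   show vrf detail CUST-A                (lists the import and export RTs)
```

The import lists are the place to audit: a route-target import that matches a customer RT from a VRF that should not reach that customer is the routing equivalent of a permit-any rule, and "show vrf detail" exposes every such line on the box.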
Source:
Cisco CGR 1000 Series Software Guide - Cisco