CCNP ROUTE 300-101 Part 3.8 – Configure and Verify VRF-Lite

Cisco Virtual Routing and Forwarding-Lite

In this article I’m sharing the basics of VRF-Lite with two practical labs. I received a couple of requests about this some time ago, so here it is. Note that the second lab is one I found on the internet and modified slightly.

Service providers often need to carry their customers’ traffic across their cloud without one customer’s traffic (and the corresponding routes) being exposed to another customer.

VRF configuration does not depend on MPLS at all, but the two are often deployed together. In Cisco terminology, a deployment of VRFs without MPLS is known as VRF-Lite.

Similarly, enterprise networks might need to segregate various application types, such as keeping voice and video traffic separate from data. These are just a couple of scenarios that could benefit from the Cisco Virtual Routing and Forwarding (VRF) feature.

VRF allows a single physical router to host multiple virtual routers, logically isolated from one another, each with its own IP routing table. Simply put, VRFs are VLANs for Layer 3, and they are the foundation for understanding MPLS.

Note: Some Cisco documentation states that VRF is an acronym for Virtual Routing and Forwarding, while other Cisco documentation states that VRF stands for VPN Routing/Forwarding because of its common use in Virtual Private Networks (VPNs).

Cisco Easy Virtual Network (EVN) is a newer approach to VRF configuration compared to VRF-Lite. With VRF-Lite, if you want to send traffic for multiple virtual networks (that is, multiple VRFs) between two routers, you need to create a subinterface for each VRF on each router. With Cisco EVN, you instead create a trunk (called a Virtual Network (VNET) trunk) between the routers. Traffic for multiple virtual networks can then travel over that single trunk interface, which uses tags to identify the virtual network to which each packet belongs.

Even though Cisco EVN can reduce the amount of configuration required for a VRF solution, VRF-Lite configuration is still widely used in VRF networks. This section covers the basics of setting up and verifying a VRF-Lite configuration for VRFs using OSPF as their IGP.

VRF-Lite Configuration and Verification

The following commands configure a basic VRF-Lite deployment for VRF instances running OSPF.

Note: VRF-Lite has several other options beyond the scope of this post. For example, you can selectively “leak” routes between VRF instances.

ip vrf vrf-name: A global command that creates a VRF and enters VRF configuration mode.

ip vrf forwarding vrf-name: Interface or subinterface configuration command that assigns an interface or a subinterface to a VRF instance. (Note: If the interface or subinterface already has an IP address assigned, this command removes that address, and you will need to add it back.)

router ospf process-id vrf vrf-name: A global configuration command that associates a unique process ID with a VRF instance and enters OSPF router configuration mode for that VRF instance.

Below is a simple topology with two VRF instances running OSPF. I have configured overlapping networks so we can clearly see that using VRF-Lite inside an enterprise, or between an HQ and a branch office with overlapping address space, is not a problem at all. It is also useful for understanding how each VRF instance is completely separated from the others, which is why it is considered a VPN.

VRF-Lite OSPF

Routers CA1, CA2, CB1 and CB2 already have their initial configurations. I’ll add the ISP router’s configuration now: define the VRFs CA and CB globally, configure the interfaces for both VRFs, and finish with the OSPF configuration for VRF CA and VRF CB. The OSPF adjacencies with both customers’ HQ and branch office routers should come up right away. Let’s do it.

ISP# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISP(config)# ip vrf CA
ISP(config-vrf)# ip vrf CB
ISP(config-vrf)# int f0/0
ISP(config-if)# ip vrf forwarding CA
ISP(config-if)# description TO->CA1_HQ
ISP(config-if)# ip add 172.31.100.2 255.255.255.0
ISP(config-if)# no shut
ISP(config-if)#
*Mar 1 00:03:43.623: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:03:44.623: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
ISP(config-if)# int f1/0
ISP(config-if)# ip vrf forwarding CA
ISP(config-if)# description TO->CA2_Branch
ISP(config-if)# ip add 172.31.200.2 255.255.255.0 
ISP(config-if)# no shut
ISP(config-if)#
*Mar 1 00:08:19.927: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:08:20.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
ISP(config-if)# router ospf 100 vrf CA
ISP(config-router)# net 172.31.100.2 0.0.0.255 area 0
ISP(config-router)# net 172.31.200.2 0.0.0.255 area 0
ISP(config-router)# exit
ISP(config)# int f2/0
ISP(config-if)# ip vrf forwarding CB
ISP(config-if)# description TO->CB1_HQ 
ISP(config-if)# ip address 172.31.100.2 255.255.255.0
ISP(config-if)# no shut
*Mar 1 00:16:54.691: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up
*Mar 1 00:16:55.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to up
ISP(config)# int f3/0
ISP(config-if)# ip vrf forwarding CB
ISP(config-if)# description TO->CB2_Branch 
ISP(config-if)# ip address 172.31.200.2 255.255.255.0 
ISP(config-if)# no shut
ISP(config-if)#
*Mar 1 00:12:57.515: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Mar 1 00:12:58.515: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
ISP(config-if)# router ospf 200 vrf CB
ISP(config-router)# net 172.31.100.0 0.0.0.255 area 0
ISP(config-router)# net 172.31.200.0 0.0.0.255 area 0
ISP(config-router)# end
ISP#
*Mar 1 00:19:30.199: %SYS-5-CONFIG_I: Configured from console by console
ISP#
*Mar 1 03:10:06.223: %OSPF-5-ADJCHG: Process 200, Nbr 2.2.2.2 on FastEthernet3/0 from LOADING to FULL, Loading Done
ISP#
*Mar 1 03:10:07.619: %OSPF-5-ADJCHG: Process 100, Nbr 2.2.2.2 on FastEthernet1/0 from LOADING to FULL, Loading Done
ISP#
*Mar 1 03:10:09.115: %OSPF-5-ADJCHG: Process 200, Nbr 1.1.1.1 on FastEthernet2/0 from LOADING to FULL, Loading Done
ISP#
*Mar 1 03:10:28.771: %OSPF-5-ADJCHG: Process 100, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
ISP#

Looking good so far: all neighbor adjacencies came up with CA1, CA2, CB1 and CB2. Let’s examine the result in more detail, beginning with the ISP router.

ISP# sh ip int bri | e admin
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.31.100.2 YES manual up up 
FastEthernet1/0 172.31.200.2 YES manual up up 
FastEthernet2/0 172.31.100.2 YES manual up up 
FastEthernet3/0 172.31.200.2 YES manual up up 
ISP# sh interfaces description 
Interface Status Protocol Description
Fa0/0 up up VRF_CA_HQ
Fa1/0 up up VRF_CA_Branch
Fa2/0 up up VRF_CB_HQ
Fa3/0 up up VRF_CB_Branch
ISP#
ISP# sh ip vrf detail 
VRF CA; default RD <not set>; default VPNID <not set>
 Interfaces:
 Fa0/0 Fa1/0 
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
VRF CB; default RD <not set>; default VPNID <not set>
 Interfaces:
 Fa2/0 Fa3/0 
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
ISP#

From the output of the first verification commands we can see that we have overlapping segments on four interfaces, but because they are in different VRFs they are completely separated, as if they were on two different routers.

The reason is that each VRF instance acts like a virtual router and does not use the global routing table: VRF CA, for example, uses the VRF CA routing table, as I’ll demonstrate below with more verification commands. For now, let’s look at the interface configuration. Using interface descriptions is very helpful for keeping a clean configuration, especially in complex scenarios like VRFs. Interfaces f0/0 and f1/0 are in VRF CA, and interfaces f2/0 and f3/0 are in VRF CB.

The show ip vrf detail command shows detailed information about each configured VRF, including which interfaces are assigned to it, so having the interface descriptions match is helpful. Also notice that it states “Connected addresses are not in global routing table”: again, this is because each VRF uses its own independent IP routing table.

Let’s have a look at more verification commands. To view the contents of a specific VRF’s IP routing table, use the show ip route vrf vrf-name command.

ISP# sh ip vrf
 Name Default RD Interfaces
 CA <not set> Fa0/0
              Fa1/0
 CB <not set> Fa2/0
              Fa3/0
ISP# sh ip route vrf CA | e c

Routing Table: CA
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 172.31.100.1, 03:27:48, FastEthernet0/0
 2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 172.31.200.3, 03:27:48, FastEthernet1/0
 172.31.0.0/24 is subnetted, 2 subnets
ISP# sh ip route vrf CB | e c

Routing Table: CB
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 172.31.100.1, 03:29:29, FastEthernet2/0
 2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 172.31.200.3, 03:29:29, FastEthernet3/0
 172.31.0.0/24 is subnetted, 2 subnets
ISP#

Each VRF instance has its own OSPF process: VRF CA uses process 100 and VRF CB uses process 200. Now let’s analyze the customer routers CA1, CA2, CB1 and CB2.

CA1# sh ip route ospf
 2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/3] via 172.31.100.2, 03:34:25, FastEthernet0/0
 172.31.0.0/24 is subnetted, 2 subnets
O 172.31.200.0 [110/2] via 172.31.100.2, 03:34:25, FastEthernet0/0
CA1# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
172.31.100.2 1 FULL/DR 00:00:33 172.31.100.2 FastEthernet0/0
CA1# ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
CA1# ping 172.31.200.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.200.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/25/40 ms
CA1#

CA2# sh ip route ospf
 1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/3] via 172.31.200.2, 03:37:33, FastEthernet0/0
 172.31.0.0/24 is subnetted, 2 subnets
O 172.31.100.0 [110/2] via 172.31.200.2, 03:37:33, FastEthernet0/0
CA2# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
172.31.100.2 1 FULL/DR 00:00:35 172.31.200.2 FastEthernet0/0
CA2# ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/28 ms
CA2# ping 172.31.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms
CA2#

Within VRF CA, routers CA1 and CA2 have full reachability to each other and to the ISP’s OSPF-enabled interfaces, and the output confirms that they are peering with the ISP router (otherwise the routing table would be empty). Let’s examine VRF CB now.

CB1# sh ip route ospf
 2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/3] via 172.31.100.2, 03:43:31, FastEthernet0/0
 172.31.0.0/24 is subnetted, 2 subnets
O 172.31.200.0 [110/2] via 172.31.100.2, 03:43:31, FastEthernet0/0
CB1# sh ip ospf neighbor 

Neighbor ID Pri State Dead Time Address Interface
172.31.200.2 1 FULL/DR 00:00:31 172.31.100.2 FastEthernet0/0
CB1# ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms
CB1# ping 172.31.200.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.200.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/32 ms
CB1#

CB2# sh ip route ospf
 1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/3] via 172.31.200.2, 03:52:59, FastEthernet0/0
 172.31.0.0/24 is subnetted, 2 subnets
O 172.31.100.0 [110/2] via 172.31.200.2, 03:52:59, FastEthernet0/0
CB2# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
172.31.200.2 1 FULL/DR 00:00:34 172.31.200.2 FastEthernet0/0
CB2# ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/29/52 ms
CB2# ping 172.31.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/28 ms
CB2#

Full reachability between all customer routers is confirmed: in each separate VRF the routing tables are properly populated and the routers are peering with the ISP router, zuper!

The following command gives a clear view of which interfaces belong to which VRF instance.

ISP# sh ip vrf interfaces CA
Interface IP-Address VRF Protocol
Fa0/0 172.31.100.2 CA up 
Fa1/0 172.31.200.2 CA up 
ISP# sh ip vrf interfaces CB
Interface IP-Address VRF Protocol
Fa2/0 172.31.100.2 CB up 
Fa3/0 172.31.200.2 CB up 
ISP#

Even with overlapping segments, which are confusing to look at by themselves, this command makes it easy to view the interfaces assigned to each VRF instance. The VRF instances CA and CB are completely unaware of each other, acting like Layer 3 VPNs.

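To make the per-VRF lookup concrete, here is an added Python model (not the author’s code and not IOS) that reproduces the ISP router’s two tables from the outputs above and shows that the ingress interface, not the destination address, decides which table is consulted; the interface Fa4/0 used as a negative case is an assumption, standing for a port with no ip vrf forwarding.

```python
"""Per-VRF forwarding model for the first lab (added example, not the author's
code). VRFs CA and CB carry identical prefixes; a lookup is scoped to the VRF of
the ingress interface, so the same destination resolves to different egress ports."""
from ipaddress import ip_address, ip_network

# Interface -> VRF assignment, as shown by 'show ip vrf interfaces' on ISP.
IFACE_VRF = {
    "Fa0/0": "CA", "Fa1/0": "CA",
    "Fa2/0": "CB", "Fa3/0": "CB",
}

# Routing tables as shown by 'show ip route vrf CA' / 'show ip route vrf CB'.
# Each entry: (prefix, next hop or None for connected, egress interface).
VRF_RIB = {
    "CA": [
        ("172.31.100.0/24", None, "Fa0/0"),
        ("172.31.200.0/24", None, "Fa1/0"),
        ("1.1.1.1/32", "172.31.100.1", "Fa0/0"),
        ("2.2.2.2/32", "172.31.200.3", "Fa1/0"),
    ],
    "CB": [
        ("172.31.100.0/24", None, "Fa2/0"),
        ("172.31.200.0/24", None, "Fa3/0"),
        ("1.1.1.1/32", "172.31.100.1", "Fa2/0"),
        ("2.2.2.2/32", "172.31.200.3", "Fa3/0"),
    ],
}


def lookup(vrf, dst):
    """Longest-prefix match inside one VRF's table; None when there is no route."""
    dst = ip_address(dst)
    best = None
    for prefix, nh, oif in VRF_RIB.get(vrf, []):
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, oif)
    if best is None:
        return None
    return (best[1], best[2])


def forward(ingress, dst):
    """Forward a packet: the ingress interface selects the VRF table.
    Returns (vrf, next_hop, egress_iface), or None when the packet is dropped."""
    vrf = IFACE_VRF.get(ingress)   # a port without 'ip vrf forwarding' maps to None
    if vrf is None:
        return None                # global table: empty in this lab, so dropped
    hop = lookup(vrf, dst)
    if hop is None:
        return None
    return (vrf, hop[0], hop[1])


def isolated(vrf_a, vrf_b):
    """True when the two VRFs share no egress interface, i.e. no path between them."""
    oifs_a = {oif for _, _, oif in VRF_RIB[vrf_a]}
    oifs_b = {oif for _, _, oif in VRF_RIB[vrf_b]}
    return not (oifs_a & oifs_b)


if __name__ == "__main__":
    print(forward("Fa0/0", "2.2.2.2"))   # CA table: exits Fa1/0 towards CA2
    print(forward("Fa2/0", "2.2.2.2"))   # CB table: same prefix, exits Fa3/0 towards CB2
    print(forward("Fa4/0", "2.2.2.2"))   # assumed port in no VRF: None
    print(isolated("CA", "CB"))
```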
The next scenario, which I found online, copied and modified slightly, is somewhat more complex. We’re separating two VRFs carrying transit traffic from different VLANs (10 and 20), classified as TRUSTED and UNTRUSTED traffic types. At the edge we have two possible gateways, one for TRUSTED and one for UNTRUSTED traffic.

Trusted traffic belongs to VLAN 10 (VRF PURPLE) and untrusted traffic belongs to VLAN 20 (VRF RED). OSPF is the dynamic routing protocol.

The switch configuration is pretty straightforward. The links to the routers are dot1q trunks carrying tagged frames for the appropriate VLANs, and the links to the access-layer computers are access ports in VLAN 10 and VLAN 20 respectively. Each SVI (VLAN 10 and VLAN 20) forwards traffic for its VRF, and the switches also run OSPF. The client computers run a mixture of Windows Server 2012 and Windows Server 2008.

R1, R2 and R3 are connected with trunk links on subinterfaces, carrying those VLANs and forwarding them to the appropriate VRF gateways. At the edge we have router ER09, the gateway for UNTRUSTED traffic, and ETT, the gateway for TRUSTED traffic. The labs are done in GNS3 with the images below:

Routers are running:

R1# sh version 
Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 11:43 by prod_rel_team

ROM: ROMMON Emulation Microcode
ROM: 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)

Switches are running:

SW1# sh version 
Cisco IOS Software, Solaris Software (I86BI_LINUXL2-ADVENTERPRISEK9-M), Experimental Version 15.1(20140814:053243) [mmen 112]
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 14-Aug-14 08:28 by mmen

Here is the topology for this lab.

VRF-Lite OSPF Scenario

Note: SRV1 is connected to SW1 port e1/0, SRV2 to SW1 port e1/1 and SRV3 to SW3 port e1/2.

Router ER09 configuration.

ER09# en
ER09# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ER09(config)# ip cef
ER09(config)# ip vrf RED
ER09(config-vrf)# description UNTRUSTED_TRAFFIC
ER09(config-vrf)# interface Loopback0
ER09(config-if)# description TO->CLOUD_UNTRUSTED
ER09(config-if)# ip vrf forwarding RED
ER09(config-if)# ip address 93.20.3.254 255.0.0.0
ER09(config-if)# interface FastEthernet0/0
ER09(config-if)# description TO->R1
ER09(config-if)# ip vrf forwarding RED
ER09(config-if)# ip address 192.168.0.1 255.255.255.252
ER09(config-if)# no shut
ER09(config-if)# router ospf 2 vrf RED
ER09(config-router)# network 192.168.0.0 0.0.255.255 area 0
ER09(config-router)# end
ER09#
*Mar 1 00:44:25.915: %SYS-5-CONFIG_I: Configured from console by console
ER09#
*Mar 1 00:44:27.291: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:44:28.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
ER09#

Configuration on edge router ETT.

ETT# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ETT(config)# hostname ETT
ETT(config)# ip cef
ETT(config)# ip vrf PURPLE
ETT(config-vrf)# description TRUSTED_TRAFFIC
ETT(config-vrf)# interface FastEthernet0/0
ETT(config-if)# description TO->R1
ETT(config-if)# ip vrf forwarding PURPLE
ETT(config-if)# ip address 10.0.0.1 255.255.255.252
ETT(config-if)# no shut
ETT(config-if)# interface lo0
ETT(config-if)# ip vrf forwarding PURPLE
ETT(config-if)# description TO->CLOUD_TRUSTED
ETT(config-if)# ip add 148.0.0.1 255.0.0.0
ETT(config-if)# exit
ETT(config)# router ospf 1 vrf PURPLE
ETT(config-router)# router-id 0.0.1.254
ETT(config-router)# network 10.0.0.1 0.0.0.0 area 0
ETT(config-router)# end
*Mar 1 00:00:38.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
*Mar 1 00:00:39.191: %SYS-5-CONFIG_I: Configured from console by console
ETT#
*Mar 1 00:00:39.639: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:00:40.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
ETT#

Both edge routers are now configured with their VRF instances, the interfaces are assigned to the correct VRFs, and OSPF runs in the correct VRF instance on each. Now let’s continue with the rest of the configuration. Up next, routers R2 and R3.

R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# hostname R2
R2(config)# ip vrf PURPLE
R2(config-vrf)# description TRUSTED_TRAFFIC
R2(config-vrf)# ip vrf RED
R2(config-vrf)# description UNTRUSTED_TRAFFIC
R2(config-vrf)# interface FastEthernet0/0
R2(config-if)# description TO->R1
R2(config-if)# no ip address
R2(config-if)# no shut
R2(config-if)# interface FastEthernet0/0.10
R2(config-subif)# encapsulation dot1Q 10
R2(config-subif)# ip vrf forwarding PURPLE
R2(config-subif)# ip address 10.0.12.2 255.255.255.252
R2(config-subif)# no shut
R2(config-subif)# interface FastEthernet0/0.20
R2(config-subif)# encapsulation dot1Q 20
R2(config-subif)# ip vrf forwarding RED
R2(config-subif)# ip address 192.168.12.2 255.255.255.252
R2(config-subif)# no shut
R2(config-subif)# interface FastEthernet1/0
R2(config-if)# description TO->R3
R2(config-if)# no ip address
R2(config-if)# no shut
R2(config-if)# interface FastEthernet1/0.10
R2(config-subif)# encapsulation dot1Q 10
R2(config-subif)# ip vrf forwarding PURPLE
R2(config-subif)# ip address 10.0.23.1 255.255.255.252
R2(config-subif)# no shut
R2(config-subif)# interface FastEthernet1/0.20
R2(config-subif)# encapsulation dot1Q 20
R2(config-subif)# ip vrf forwarding RED
R2(config-subif)# ip address 192.168.23.1 255.255.255.252
R2(config-subif)# no shut
R2(config-subif)# interface FastEthernet2/0
R2(config-if)# description TO-SW1
R2(config-if)# no ip address
R2(config-if)# no shut
R2(config-if)# interface FastEthernet2/0.10
R2(config-subif)# encapsulation dot1Q 10
R2(config-subif)# ip vrf forwarding PURPLE
R2(config-subif)# ip address 10.0.1.1 255.255.255.0
R2(config-subif)# no shut
R2(config-subif)# interface FastEthernet2/0.20
R2(config-subif)# encapsulation dot1Q 20
R2(config-subif)# ip vrf forwarding RED
R2(config-subif)# ip address 192.168.1.1 255.255.255.0
R2(config-subif)# no shut
R2(config-subif)# interface FastEthernet3/0
R2(config-if)# description TO->SW2
R2(config-if)# no ip address
R2(config-if)# no shut
R2(config-if)# interface FastEthernet3/0.10
R2(config-subif)# encapsulation dot1Q 10
R2(config-subif)# ip vrf forwarding PURPLE
R2(config-subif)# ip address 10.0.2.1 255.255.255.0
R2(config-subif)# no shut
R2(config-subif)# interface FastEthernet3/0.20
R2(config-subif)# encapsulation dot1Q 20
R2(config-subif)# ip vrf forwarding RED
R2(config-subif)# ip address 192.168.2.1 255.255.255.0
R2(config-subif)# no shut
R2(config-subif)# router ospf 1 vrf PURPLE
R2(config-router)# router-id 0.0.2.1
*Mar 1 00:01:58.747: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:01:58.999: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:01:59.215: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up
*Mar 1 00:01:59.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar 1 00:01:59.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
*Mar 1 00:02:00.215: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to up
R2(config-router)# network 10.0.0.0 0.0.255.255 area 0
R2(config-router)# router ospf 2 vrf RED
R2(config-router)# router-id 0.0.2.2
R2(config-router)# network 192.168.0.0 0.0.255.255 area 0
R2(config-router)# end
R2#
*Mar 1 00:02:01.023: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Mar 1 00:02:02.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
*Mar 1 00:02:02.239: %SYS-5-CONFIG_I: Configured from console by console
R2#

Configuration on R3.

R3# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)# hostname R3
R3(config)# ip cef
R3(config)# ip vrf PURPLE
R3(config-vrf)# description TRUSTED_TRAFFIC
R3(config-vrf)# ip vrf RED
R3(config-vrf)# description UNTRUSTED_TRAFFIC
R3(config-vrf)# interface FastEthernet0/0
R3(config-if)# description TO->R1
R3(config-if)# no ip address
R3(config-if)# no shut
R3(config-if)# interface FastEthernet0/0.10
R3(config-subif)# encapsulation dot1Q 10
R3(config-subif)# ip vrf forwarding PURPLE
R3(config-subif)# ip address 10.0.13.2 255.255.255.252
R3(config-subif)# no shut
R3(config-subif)# interface FastEthernet0/0.20
R3(config-subif)# encapsulation dot1Q 20
R3(config-subif)# ip vrf forwarding RED
R3(config-subif)# ip address 192.168.13.2 255.255.255.252
R3(config-subif)# no shut
R3(config-subif)# interface FastEthernet1/0
R3(config-if)# description TO->R2
R3(config-if)# no ip address
R3(config-if)# no shut
R3(config-if)# interface FastEthernet1/0.10
R3(config-subif)# encapsulation dot1Q 10
R3(config-subif)# ip vrf forwarding PURPLE
R3(config-subif)# ip address 10.0.23.2 255.255.255.252
R3(config-subif)# no shut
R3(config-subif)# interface FastEthernet1/0.20
R3(config-subif)# encapsulation dot1Q 20
R3(config-subif)# ip vrf forwarding RED
R3(config-subif)# ip address 192.168.23.2 255.255.255.252
R3(config-subif)# no shut
*Mar 1 00:02:14.055: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:02:15.055: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar 1 00:02:15.539: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:02:16.539: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R3(config-subif)# interface FastEthernet2/0
R3(config-if)# description TO->SW3
R3(config-if)# no ip address
R3(config-if)# no shut
R3(config-if)# interface FastEthernet2/0.10
R3(config-subif)# encapsulation dot1Q 10
R3(config-subif)# ip vrf forwarding PURPLE
R3(config-subif)# ip address 10.0.3.1 255.255.255.0
R3(config-subif)# no shut
R3(config-subif)# interface FastEthernet2/0.20
R3(config-subif)# encapsulation dot1Q 20
R3(config-subif)# ip vrf forwarding RED
R3(config-subif)# ip address 192.168.3.1 255.255.255.0
R3(config-subif)# no shut
R3(config-subif)# router ospf 1 vrf PURPLE
R3(config-router)# router-id 0.0.3.1
R3(config-router)# network 10.0.0.0 0.0.255.255 area 0
R3(config-router)# router ospf 2 vrf RED
R3(config-router)# router-id 0.0.3.2
R3(config-router)# network 192.168.0.0 0.0.255.255 area 0
R3(config-router)# end
*Mar 1 00:02:23.667: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:02:25.367: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up
*Mar 1 00:02:26.367: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to up
R3#

So we have configured R2 and R3: their interfaces, the VRF instances, the association of interfaces with VRFs, OSPF in each VRF instance, and trunking to each other, to SW1, SW2 and SW3, and to R1. Now let’s configure R1 and bring everything up.

Configuration on R1.

R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# hostname R1
R1(config)# ip cef
R1(config)# ip vrf PURPLE
R1(config-vrf)# description TRUSTED_TRAFFIC
R1(config-vrf)# ip vrf RED
R1(config-vrf)# description UNTRUSTED_TRAFFIC
R1(config-vrf)# interface FastEthernet0/0
R1(config-if)# description TO->CLOUD->EDGE_UNTRUSTED_GUEST_TRAFFIC
R1(config-if)# ip vrf forwarding RED
R1(config-if)# ip address 192.168.0.2 255.255.255.252
R1(config-if)# no shut
R1(config-if)# interface FastEthernet1/0
R1(config-if)# description TO->EDGE_TRUSTED_TRAFFIC
R1(config-if)# ip vrf forwarding PURPLE
R1(config-if)# ip address 10.0.0.2 255.255.255.252
R1(config-if)# no shut
R1(config-if)# interface FastEthernet2/0
R1(config-if)# description TO->R2
R1(config-if)# no ip address
R1(config-if)# no shut
R1(config-if)# interface FastEthernet2/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip vrf forwarding PURPLE
R1(config-subif)# ip address 10.0.12.1 255.255.255.252
R1(config-subif)# no shut
R1(config-subif)# interface FastEthernet2/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip vrf forwarding RED
R1(config-subif)# ip address 192.168.12.1 255.255.255.252
R1(config-subif)# no shut
R1(config-subif)# interface FastEthernet3/0
R1(config-if)# description TO->R3
R1(config-if)# no ip address
R1(config-if)# no shut
R1(config-if)# interface FastEthernet3/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip vrf forwarding PURPLE
*Mar 1 00:01:54.327: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:01:54.711: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:01:55.091: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up
*Mar 1 00:01:55.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar 1 00:01:55.711: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
*Mar 1 00:01:56.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to up
*Mar 1 00:01:56.571: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Mar 1 00:01:57.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
R1(config-subif)# ip address 10.0.13.1 255.255.255.252
R1(config-subif)# no shut
R1(config-subif)# interface FastEthernet3/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip vrf forwarding RED
R1(config-subif)# ip address 192.168.13.1 255.255.255.252
R1(config-subif)# router ospf 1 vrf PURPLE
R1(config-router)# router-id 0.0.1.1
R1(config-router)# network 10.0.0.0 0.0.255.255 area 0
R1(config-router)# default-information originate
R1(config-router)# router ospf 2 vrf RED
R1(config-router)# router-id 0.0.1.2
R1(config-router)# redistribute static metric 10 subnets
R1(config-router)# network 192.168.0.0 0.0.255.255 area 0
R1(config-router)# default-information originate
R1(config-router)# ip route vrf PURPLE 0.0.0.0 0.0.0.0 10.0.0.1
R1(config)# ip route vrf RED 0.0.0.0 0.0.0.0 192.168.0.1
R1(config)# end
*Mar 1 00:01:59.627: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:02:04.703: %OSPF-5-ADJCHG: Process 2, Nbr 192.168.0.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar 1 00:02:39.667: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.2.1 on FastEthernet2/0.10 from LOADING to FULL, Loading Done
*Mar 1 00:02:39.667: %OSPF-5-ADJCHG: Process 2, Nbr 0.0.2.2 on FastEthernet2/0.20 from LOADING to FULL, Loading Done
*Mar 1 00:03:19.679: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.3.1 on FastEthernet3/0.10 from LOADING to FULL, Loading Done
*Mar 1 00:03:19.683: %OSPF-5-ADJCHG: Process 2, Nbr 0.0.3.2 on FastEthernet3/0.20 from LOADING to FULL, Loading Done
*Mar 1 00:08:49.671: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.1.254 on FastEthernet1/0 from LOADING to FULL, Loading Done
R1#

And now for the switch configuration. I’ll show how to configure SW1; SW2 and SW3 have similar configurations. Pretty straightforward!

SW1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# ip vrf PURPLE
SW1(config-vrf)# description TRUSTED_TRAFFIC
SW1(config-vrf)# ip vrf RED
SW1(config-vrf)# description UNTRUSTED_TRAFFIC
SW1(config-vrf)# ip cef
SW1(config)# interface Ethernet0/0
SW1(config-if)# description TO->R2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# duplex full
SW1(config-if)# no shut
SW1(config-if)# interface Ethernet1/0
SW1(config-if)# switchport access vlan 10
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security maximum 3
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# duplex full
SW1(config-if)# spanning-tree portfast
SW1(config-if)# no shut
SW1(config-if)# interface Ethernet1/1
SW1(config-if)# switchport access vlan 10
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security maximum 3
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# duplex full
SW1(config-if)# spanning-tree portfast
SW1(config-if)# no shut
SW1(config-if)# interface Ethernet1/2
SW1(config-if)# switchport access vlan 20
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security maximum 3
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# duplex full
SW1(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on Ethernet1/2 but will only
 have effect when the interface is in a non-trunking mode.
SW1(config-if)# no shut
SW1(config-if)# interface Vlan1
SW1(config-if)# no ip address
SW1(config-if)# shutdown
SW1(config-if)# interface Vlan10
SW1(config-if)# description TRUSTED_TRAFFIC
SW1(config-if)# ip vrf forwarding PURPLE
SW1(config-if)# ip address 10.0.1.10 255.255.255.0
SW1(config-if)# no shut
SW1(config-if)# interface Vlan20
SW1(config-if)# description UNTRUSTED_TRAFFIC
SW1(config-if)# ip vrf forwarding RED
SW1(config-if)# ip address 192.168.1.10 255.255.255.0
SW1(config-if)# no shut
*May 24 08:26:23.384: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/0 (not full duplex), with R2 FastEthernet2/0 (full duplex). 
SW1(config-if)# router ospf 1 vrf PURPLE
SW1(config-router)# router-id 0.0.1.10
SW1(config-router)# network 10.0.1.0 0.0.0.255 area 0
SW1(config-router)# router ospf 2 vrf RED
SW1(config-router)# router-id 0.0.1.20
SW1(config-router)# network 192.168.1.10 0.0.0.0 area 0
SW1(config-router)# end
SW1#
*May 24 08:18:04.429: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
*May 24 08:18:04.492: %LINK-3-UPDOWN: Interface Vlan10, changed state to up
*May 24 08:18:05.497: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
SW1#
*May 24 08:26:26.193: %LINK-3-UPDOWN: Interface Ethernet1/1, changed state to up
*May 24 08:26:27.193: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to up
*May 24 08:18:37.433: %LINK-3-UPDOWN: Interface Vlan20, changed state to up
*May 24 08:18:38.434: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
SW1#
*May 24 08:18:41.451: %OSPF-5-ADJCHG: Process 2, Nbr 0.0.2.2 on Vlan20 from LOADING to FULL, Loading Done
SW1#
*May 24 08:18:49.151: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.2.1 on Vlan10 from LOADING to FULL, Loading Done
SW1#

 

Now I’ll add one server’s network configuration. This server is attached to SW1 on access port e1/0, which belongs to VLAN 10 (TRUSTED traffic), so after configuring it I’ll test reachability to the 148.0.0.0/8 segment, which simulates an internet network. We expect this traffic to flow through VRF PURPLE and only through VRF PURPLE.

Windows PowerShell
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> netsh interface ip set address "Ethernet" static 10.0.1.100 255.255.255.0 10.0.1.1
PS C:\Users\Administrator> ipconfig

Windows IP Configuration

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
 IPv4 Address. . . . . . . . . . . : 10.0.1.100
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 10.0.1.1

Tunnel adapter isatap.{648B2449-4FCD-428E-9370-D56726EE2ED9}:

Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . :
PS C:\Users\Administrator> ping 148.0.0.1

Pinging 148.0.0.1 with 32 bytes of data:
Reply from 148.0.0.1: bytes=32 time=35ms TTL=253
Reply from 148.0.0.1: bytes=32 time=26ms TTL=253
Reply from 148.0.0.1: bytes=32 time=32ms TTL=253
Reply from 148.0.0.1: bytes=32 time=28ms TTL=253

Ping statistics for 148.0.0.1:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 26ms, Maximum = 35ms, Average = 30ms
PS C:\Users\Administrator> tracert -d 148.0.0.1

Tracing route to 148.0.0.1 over a maximum of 30 hops

1 9 ms 11 ms 9 ms 10.0.1.1
 2 24 ms 19 ms 19 ms 10.0.12.1
 3 27 ms 31 ms 28 ms 148.0.0.1

Trace complete.
PS C:\Users\Administrator> ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:
Reply from 10.0.0.1: Destination host unreachable.
Reply from 10.0.0.1: Destination host unreachable.
Reply from 10.0.0.1: Destination host unreachable.
Reply from 10.0.0.1: Destination host unreachable.

Ping statistics for 192.168.0.1:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
PS C:\Users\Administrator>

 

We have SW1 with full reachability throughout the network. I’ll go through some verification commands in a second, but first let’s analyse the server output here.

We added the server to the VLAN 10 segment with IP 10.0.1.100/24. After that we tried reaching the loopback interface of the ETT router at 148.0.0.1 (PURPLE), which succeeded. I also issued a traceroute so we can clearly see the path to the destination network: we are routing through R2, which is directly attached to SW1 with IP 10.0.1.1; the following hop is R1’s fa2/0.10 interface with IP 10.0.12.1; and we finally reach 10.0.0.1, which is ETT’s f0/0 interface. But notice how we are not able to reach the (RED) 192.168.0.0/24 segment?

Yes, that’s because they are completely separate routing tables, just as if they were connected to different routers! We received a destination unreachable message from the gateway 10.0.0.1, which is the ETT router (PURPLE gateway) directly connected to R1, stating that there is no route to the IP address you’re requesting. Zuper!

 

All routers are now configured and we can already observe the OSPF adjacencies coming up. Notice that I have configured a default route and injected it into OSPF on each VRF instance? Yep, again, each VRF operates with its own IP routing table, so as these are edge routers, you need to configure a default route on each VRF instance to forward traffic accordingly. Remember that each VRF instance acts as a virtual router/VPN with its own independent and separate IP routing table.

Let’s shoot some verification commands and check that everything is correct.

R1# sh ip vrf interfaces 
Interface IP-Address VRF Protocol
Fa1/0 10.0.0.2 PURPLE up 
Fa2/0.10 10.0.12.1 PURPLE up 
Fa3/0.10 10.0.13.1 PURPLE up 
Fa0/0 192.168.0.2 RED up 
Fa2/0.20 192.168.12.1 RED up 
Fa3/0.20 192.168.13.1 RED up 
R1# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.3.2 1 FULL/DR 00:00:31 192.168.13.2 FastEthernet3/0.20
0.0.2.2 1 FULL/DR 00:00:35 192.168.12.2 FastEthernet2/0.20
192.168.0.1 1 FULL/DR 00:00:30 192.168.0.1 FastEthernet0/0
0.0.3.1 1 FULL/DR 00:00:31 10.0.13.2 FastEthernet3/0.10
0.0.2.1 1 FULL/DR 00:00:35 10.0.12.2 FastEthernet2/0.10
0.0.1.254 1 FULL/DR 00:00:30 10.0.0.1 FastEthernet1/0
R1# sh ip route vrf PURPLE ospf

Routing Table: PURPLE

 10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O 10.0.2.0/24 [110/2] via 10.0.12.2, 01:21:35, FastEthernet2/0.10
O 10.0.3.0/24 [110/2] via 10.0.13.2, 01:21:35, FastEthernet3/0.10
O 10.0.1.0/24 [110/2] via 10.0.12.2, 01:21:35, FastEthernet2/0.10
O 10.0.23.0/30 [110/2] via 10.0.13.2, 01:21:35, FastEthernet3/0.10
 [110/2] via 10.0.12.2, 01:21:35, FastEthernet2/0.10
 148.0.0.0/32 is subnetted, 1 subnets
O 148.0.0.1 [110/2] via 10.0.0.1, 01:21:35, FastEthernet1/0
R1#
R1# sh ip route vrf RED ospf 

Routing Table: RED

 192.168.23.0/30 is subnetted, 1 subnets
O 192.168.23.0 [110/2] via 192.168.13.2, 01:27:14, FastEthernet3/0.20
 [110/2] via 192.168.12.2, 01:27:14, FastEthernet2/0.20
O 192.168.1.0/24 [110/2] via 192.168.12.2, 01:27:14, FastEthernet2/0.20
O 192.168.2.0/24 [110/2] via 192.168.12.2, 01:27:14, FastEthernet2/0.20
O 192.168.3.0/24 [110/2] via 192.168.13.2, 01:27:14, FastEthernet3/0.20
R1#

R1# sh ip vrf detail 
VRF PURPLE; default RD <not set>; default VPNID <not set>
 Description: TRUSTED_TRAFFIC
 Interfaces:
 Fa1/0 Fa2/0.10 Fa3/0.10
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
VRF RED; default RD <not set>; default VPNID <not set>
 Description: UNTRUSTED_TRAFFIC
 Interfaces:
 Fa0/0 Fa2/0.20 Fa3/0.20
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
R1#
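The verification outputs above are what you would read by eye to confirm that neither VRF carries the other’s prefixes. The following added script (my own example, not part of the original lab) turns that into a repeatable leak audit: it parses `sh ip vrf interfaces` and `sh ip route vrf <name> ospf` text in the same layout as above, carrying the mask down from IOS’s "X/N is subnetted" headers, and flags any prefix, next hop or interface address that falls outside the address space its VRF is expected to hold. The per-VRF scopes (10/8 and 148/8 for PURPLE, 192.168/16 and 93.20/16 for RED) are an assumption drawn from the lab addressing, and the sample outputs are constructed, with one 10.0.1.0/24 route planted in the RED table so the audit has something to catch.

```python
import ipaddress
import re

# Address space each VRF is expected to carry in this lab (an assumption drawn from
# the addressing above: PURPLE = 10/8 plus ETT's 148/8 loopback, RED = 192.168/16
# plus ER09's 93.20/16 loopback). Anything else in a VRF table is a leak candidate.
EXPECTED_SCOPES = {
    "PURPLE": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("148.0.0.0/8")],
    "RED": [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("93.20.0.0/16")],
}

# Constructed excerpts in the layout of the "sh ip vrf interfaces" and
# "sh ip route vrf <name> ospf" outputs above. The RED table carries one
# deliberately planted 10.0.1.0/24 route so the audit has something to catch.
SHOW_VRF_INTERFACES = """\
Interface     IP-Address     VRF        Protocol
Fa1/0         10.0.0.2       PURPLE     up
Fa2/0.10      10.0.12.1      PURPLE     up
Fa0/0         192.168.0.2    RED        up
Fa2/0.20      192.168.12.1   RED        up
"""
# Constructed line: a RED-addressed subinterface wrongly bound to PURPLE.
MISBOUND_INTERFACE = "Fa3/0.20      192.168.13.1   PURPLE     up\n"

SHOW_ROUTE_PURPLE = """\
Routing Table: PURPLE

      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O        10.0.2.0/24 [110/2] via 10.0.12.2, 01:21:35, FastEthernet2/0.10
O        10.0.23.0/30 [110/2] via 10.0.13.2, 01:21:35, FastEthernet3/0.10
                      [110/2] via 10.0.12.2, 01:21:35, FastEthernet2/0.10
      148.0.0.0/32 is subnetted, 1 subnets
O        148.0.0.1 [110/2] via 10.0.0.1, 01:21:35, FastEthernet1/0
"""

SHOW_ROUTE_RED_LEAK = """\
Routing Table: RED

      192.168.23.0/30 is subnetted, 1 subnets
O        192.168.23.0 [110/2] via 192.168.13.2, 01:27:14, FastEthernet3/0.20
                      [110/2] via 192.168.12.2, 01:27:14, FastEthernet2/0.20
O        192.168.1.0/24 [110/2] via 192.168.12.2, 01:27:14, FastEthernet2/0.20
O*E2     0.0.0.0/0 [110/1] via 192.168.0.1, 01:27:14, FastEthernet0/0
O        10.0.1.0/24 [110/2] via 192.168.12.2, 01:27:14, FastEthernet2/0.20
"""

SUBNETTED_RE = re.compile(r"^\s*(?P<net>\S+)/(?P<len>\d+) is (?P<kind>variably )?subnetted")
# A route line: prefix, optional /len, then "[AD/metric] via next-hop". ECMP
# continuation lines start at "[AD/metric]" and therefore never match.
ROUTE_RE = re.compile(
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<len>\d{1,2}))?\s+"
    r"\[\d+/\d+\]\s+via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})"
)
IFACE_RE = re.compile(r"^(?P<if>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vrf>\S+)\s+\S+")


def parse_ospf_routes(show_output):
    """Return [(network, next_hop)] from 'show ip route vrf X ospf' text.

    Under an 'X/N is subnetted' header IOS prints child routes without a mask,
    so the header's mask is inherited; under 'variably subnetted' every route
    line carries its own /len."""
    routes, inherited_len = [], None
    for line in show_output.splitlines():
        header = SUBNETTED_RE.match(line)
        if header:
            inherited_len = None if header.group("kind") else int(header.group("len"))
            continue
        m = ROUTE_RE.search(line)
        if not m:
            continue
        plen = m.group("len") or inherited_len
        if plen is None:
            raise ValueError(f"route without a mask outside a subnetted block: {line!r}")
        net = ipaddress.ip_network(f"{m.group('prefix')}/{plen}", strict=False)
        routes.append((net, ipaddress.ip_address(m.group("nh"))))
    return routes


def audit_vrf_routes(vrf, routes, scopes=EXPECTED_SCOPES):
    """Findings for prefixes or next hops outside this VRF's expected address space.
    The default route is skipped: the lab injects one into each VRF on purpose."""
    findings, own = [], scopes[vrf]
    for net, nh in routes:
        if net.prefixlen == 0:
            continue
        if not any(net.subnet_of(s) for s in own):
            findings.append(f"{vrf}: prefix {net} is outside this VRF's scope")
        if not any(nh in s for s in own):
            findings.append(f"{vrf}: next hop {nh} for {net} is outside this VRF's scope")
    return findings


def audit_vrf_interfaces(show_output, scopes=EXPECTED_SCOPES):
    """Flag interfaces whose address lies outside the scope of the VRF they are bound to."""
    findings = []
    for line in show_output.splitlines():
        m = IFACE_RE.match(line)
        if not m:
            continue
        ip, vrf = ipaddress.ip_address(m.group("ip")), m.group("vrf")
        if vrf not in scopes:
            findings.append(f"{m.group('if')}: bound to unknown VRF {vrf}")
        elif not any(ip in s for s in scopes[vrf]):
            findings.append(f"{m.group('if')}: {ip} is bound to VRF {vrf} but addressed outside its scope")
    return findings


if __name__ == "__main__":
    for vrf, table in (("PURPLE", SHOW_ROUTE_PURPLE), ("RED", SHOW_ROUTE_RED_LEAK)):
        for finding in audit_vrf_routes(vrf, parse_ospf_routes(table)) or [f"{vrf}: no leak visible"]:
            print(finding)
    for finding in audit_vrf_interfaces(SHOW_VRF_INTERFACES + MISBOUND_INTERFACE):
        print(finding)
```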

 

Verification commands on R2

R2# sh ip vrf interfaces 
Interface IP-Address VRF Protocol
Fa0/0.10 10.0.12.2 PURPLE up 
Fa1/0.10 10.0.23.1 PURPLE up 
Fa2/0.10 10.0.1.1 PURPLE up 
Fa3/0.10 10.0.2.1 PURPLE up 
Fa0/0.20 192.168.12.2 RED up 
Fa1/0.20 192.168.23.1 RED up 
Fa2/0.20 192.168.1.1 RED up 
Fa3/0.20 192.168.2.1 RED up 
R2# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.1.20 1 FULL/BDR 00:00:38 192.168.1.10 FastEthernet2/0.20
0.0.3.2 1 FULL/DR 00:00:33 192.168.23.2 FastEthernet1/0.20
0.0.1.2 1 FULL/BDR 00:00:37 192.168.12.1 FastEthernet0/0.20
0.0.1.10 1 FULL/BDR 00:00:31 10.0.1.10 FastEthernet2/0.10
0.0.3.1 1 FULL/DR 00:00:33 10.0.23.2 FastEthernet1/0.10
0.0.1.1 1 FULL/BDR 00:00:37 10.0.12.1 FastEthernet0/0.10
R2# sh ip route vrf PURPLE ospf

Routing Table: PURPLE

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O 10.0.13.0/30 [110/2] via 10.0.23.2, 02:31:53, FastEthernet1/0.10
 [110/2] via 10.0.12.1, 02:31:53, FastEthernet0/0.10
O 10.0.3.0/24 [110/2] via 10.0.23.2, 02:31:53, FastEthernet1/0.10
O 10.0.0.0/30 [110/2] via 10.0.12.1, 02:31:53, FastEthernet0/0.10
 148.0.0.0/32 is subnetted, 1 subnets
O 148.0.0.1 [110/3] via 10.0.12.1, 02:31:53, FastEthernet0/0.10
O*E2 0.0.0.0/0 [110/1] via 10.0.12.1, 02:31:53, FastEthernet0/0.10
R2# sh ip route vrf RED ospf

Routing Table: RED

192.168.13.0/30 is subnetted, 1 subnets
O 192.168.13.0 [110/2] via 192.168.23.2, 02:32:04, FastEthernet1/0.20
 [110/2] via 192.168.12.1, 02:32:04, FastEthernet0/0.20
 192.168.0.0/30 is subnetted, 1 subnets
O 192.168.0.0 [110/2] via 192.168.12.1, 02:32:04, FastEthernet0/0.20
O 192.168.3.0/24 [110/2] via 192.168.23.2, 02:32:04, FastEthernet1/0.20
O*E2 0.0.0.0/0 [110/1] via 192.168.12.1, 02:32:04, FastEthernet0/0.20
R2# sh ip vrf detail
VRF PURPLE; default RD <not set>; default VPNID <not set>
 Description: TRUSTED_TRAFFIC
 Interfaces:
 Fa0/0.10 Fa1/0.10 Fa2/0.10
 Fa3/0.10 
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
VRF RED; default RD <not set>; default VPNID <not set>
 Description: UNTRUSTED_TRAFFIC
 Interfaces:
 Fa0/0.20 Fa1/0.20 Fa2/0.20
 Fa3/0.20 
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
R2#

 

Verification commands on R3

R3# sh ip vrf interfaces 
Interface IP-Address VRF Protocol
Fa0/0.10 10.0.13.2 PURPLE up 
Fa1/0.10 10.0.23.2 PURPLE up 
Fa2/0.10 10.0.3.1 PURPLE up 
Fa0/0.20 192.168.13.2 RED up 
Fa1/0.20 192.168.23.2 RED up 
Fa2/0.20 192.168.3.1 RED up 
R3# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.2.2 1 FULL/BDR 00:00:33 192.168.23.1 FastEthernet1/0.20
0.0.1.2 1 FULL/BDR 00:00:33 192.168.13.1 FastEthernet0/0.20
0.0.2.1 1 FULL/BDR 00:00:33 10.0.23.1 FastEthernet1/0.10
0.0.1.1 1 FULL/BDR 00:00:33 10.0.13.1 FastEthernet0/0.10
R3# sh ip route vrf RED ospf

Routing Table: RED

192.168.12.0/30 is subnetted, 1 subnets
O 192.168.12.0 [110/2] via 192.168.23.1, 02:39:56, FastEthernet1/0.20
 [110/2] via 192.168.13.1, 02:39:56, FastEthernet0/0.20
 192.168.0.0/30 is subnetted, 1 subnets
O 192.168.0.0 [110/2] via 192.168.13.1, 02:39:56, FastEthernet0/0.20
O 192.168.1.0/24 [110/2] via 192.168.23.1, 02:39:56, FastEthernet1/0.20
O 192.168.2.0/24 [110/2] via 192.168.23.1, 02:39:56, FastEthernet1/0.20
O*E2 0.0.0.0/0 [110/1] via 192.168.13.1, 02:39:56, FastEthernet0/0.20
R3# sh ip route vrf PURPLE ospf

Routing Table: PURPLE

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O 10.0.12.0/30 [110/2] via 10.0.23.1, 02:39:54, FastEthernet1/0.10
 [110/2] via 10.0.13.1, 02:39:54, FastEthernet0/0.10
O 10.0.2.0/24 [110/2] via 10.0.23.1, 02:39:54, FastEthernet1/0.10
O 10.0.0.0/30 [110/2] via 10.0.13.1, 02:39:54, FastEthernet0/0.10
O 10.0.1.0/24 [110/2] via 10.0.23.1, 02:39:54, FastEthernet1/0.10
 148.0.0.0/32 is subnetted, 1 subnets
O 148.0.0.1 [110/3] via 10.0.13.1, 02:39:54, FastEthernet0/0.10
O*E2 0.0.0.0/0 [110/1] via 10.0.13.1, 02:39:54, FastEthernet0/0.10
R3# sh ip vrf detail 
VRF PURPLE; default RD <not set>; default VPNID <not set>
 Description: TRUSTED_TRAFFIC
 Interfaces:
 Fa0/0.10 Fa1/0.10 Fa2/0.10
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
VRF RED; default RD <not set>; default VPNID <not set>
 Description: UNTRUSTED_TRAFFIC
 Interfaces:
 Fa0/0.20 Fa1/0.20 Fa2/0.20
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
R3#

 

Verification commands on edge router ER09. Obviously there is only one VRF configured on this router, as it is purposely used for UNTRUSTED (RED) traffic flows.

ER09# sh ip vrf interfaces 
Interface IP-Address VRF Protocol
Fa0/0 192.168.0.1 RED up 
ER09# sh ip route vrf RED ospf

Routing Table: RED

192.168.12.0/30 is subnetted, 1 subnets
O 192.168.12.0 [110/2] via 192.168.0.2, 02:46:06, FastEthernet0/0
 192.168.13.0/30 is subnetted, 1 subnets
O 192.168.13.0 [110/2] via 192.168.0.2, 02:46:06, FastEthernet0/0
 192.168.23.0/30 is subnetted, 1 subnets
O 192.168.23.0 [110/3] via 192.168.0.2, 02:46:06, FastEthernet0/0
O 192.168.1.0/24 [110/3] via 192.168.0.2, 02:46:06, FastEthernet0/0
O 192.168.2.0/24 [110/3] via 192.168.0.2, 02:46:06, FastEthernet0/0
O 192.168.3.0/24 [110/3] via 192.168.0.2, 02:46:06, FastEthernet0/0
ER09# sh ip vrf detail 
VRF RED; default RD <not set>; default VPNID <not set>
 Description: UNTRUSTED_TRAFFIC
 Interfaces:
 Fa0/0 
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
ER09# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.1.2 1 FULL/BDR 00:00:33 192.168.0.2 FastEthernet0/0
ER09#

 

Verification commands on edge router ETT. Again, as this is the router purposely configured for TRUSTED (PURPLE) traffic flows, it only has one VRF configured.

ETT# sh ip vrf interfaces 
Interface IP-Address VRF Protocol
Lo0 148.0.0.1 PURPLE up 
Fa0/0 10.0.0.1 PURPLE up 
ETT# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.1.1 1 FULL/BDR 00:00:39 10.0.0.2 FastEthernet0/0
ETT# sh ip route vrf PURPLE ospf

Routing Table: PURPLE

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O 10.0.12.0/30 [110/2] via 10.0.0.2, 02:51:00, FastEthernet0/0
O 10.0.13.0/30 [110/2] via 10.0.0.2, 02:51:00, FastEthernet0/0
O 10.0.2.0/24 [110/3] via 10.0.0.2, 02:51:00, FastEthernet0/0
O 10.0.3.0/24 [110/3] via 10.0.0.2, 02:51:00, FastEthernet0/0
O 10.0.1.0/24 [110/3] via 10.0.0.2, 02:51:00, FastEthernet0/0
O 10.0.23.0/30 [110/3] via 10.0.0.2, 02:51:00, FastEthernet0/0
ETT# sh ip vrf detail
VRF PURPLE; default RD <not set>; default VPNID <not set>
 Description: TRUSTED_TRAFFIC
 Interfaces:
 Lo0 Fa0/0 
 Connected addresses are not in global routing table
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No export route-map
 VRF label distribution protocol: not configured
ETT#

 

Verification commands on SW1. Notice that all switches have the same basic configuration: two switchports accessing VLAN 10, one switchport accessing VLAN 20 and one uplink trunk carrying traffic from both VLANs, RED and PURPLE.

SW1# sh ip vrf interfaces 
Interface IP-Address VRF Protocol
Vl10 10.0.1.10 PURPLE up 
Vl20 192.168.1.10 RED up 
SW1# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.2.2 1 FULL/DR 00:00:36 192.168.1.1 Vlan20
0.0.2.1 1 FULL/DR 00:00:36 10.0.1.1 Vlan10
SW1# sh ip route vrf RED ospf

Routing Table: RED
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 192.168.1.1, 02:56:52, Vlan20
 192.168.0.0/30 is subnetted, 1 subnets
O 192.168.0.0 [110/3] via 192.168.1.1, 02:56:52, Vlan20
O 192.168.2.0/24 [110/2] via 192.168.1.1, 02:56:52, Vlan20
O 192.168.3.0/24 [110/3] via 192.168.1.1, 02:56:52, Vlan20
 192.168.12.0/30 is subnetted, 1 subnets
O 192.168.12.0 [110/2] via 192.168.1.1, 02:56:52, Vlan20
 192.168.13.0/30 is subnetted, 1 subnets
O 192.168.13.0 [110/3] via 192.168.1.1, 02:56:52, Vlan20
 192.168.23.0/30 is subnetted, 1 subnets
O 192.168.23.0 [110/2] via 192.168.1.1, 02:56:52, Vlan20
SW1# sh ip route vrf PURPLE ospf

Routing Table: PURPLE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 + - replicated route, % - next hop override

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 10.0.1.1, 02:56:48, Vlan10
 10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
O 10.0.0.0/30 [110/3] via 10.0.1.1, 02:56:48, Vlan10
O 10.0.2.0/24 [110/2] via 10.0.1.1, 02:56:48, Vlan10
O 10.0.3.0/24 [110/3] via 10.0.1.1, 02:56:48, Vlan10
O 10.0.12.0/30 [110/2] via 10.0.1.1, 02:56:48, Vlan10
O 10.0.13.0/30 [110/3] via 10.0.1.1, 02:56:48, Vlan10
O 10.0.23.0/30 [110/2] via 10.0.1.1, 02:56:48, Vlan10
 148.0.0.0/32 is subnetted, 1 subnets
O 148.0.0.1 [110/4] via 10.0.1.1, 02:56:48, Vlan10
SW1# sh ip vrf detail
VRF PURPLE (VRF Id = 1); default RD <not set>; default VPNID <not set>
 Description: TRUSTED_TRAFFIC
 Interfaces:
 Vl10 
VRF Table ID = 1
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No global export route-map
 No export route-map
 VRF label distribution protocol: not configured
 VRF label allocation mode: per-prefix

VRF RED (VRF Id = 2); default RD <not set>; default VPNID <not set>
 Description: UNTRUSTED_TRAFFIC
 Interfaces:
 Vl20 
VRF Table ID = 2
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No global export route-map
 No export route-map
 VRF label distribution protocol: not configured
 VRF label allocation mode: per-prefix

SW1# sh interfaces trunk 

Port Mode Encapsulation Status Native vlan
Et0/0 on 802.1q trunking 1

Port Vlans allowed on trunk
Et0/0 1-4094

Port Vlans allowed and active in management domain
Et0/0 1,10,20

Port Vlans in spanning tree forwarding state and not pruned
Et0/0 1,10,20
SW1# sh interfaces e1/0 switchport 
Name: Et1/0
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VRF_PURPLE_TRUSTED_TRAFFIC)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none
SW1# sh interfaces e1/2 switchport 
Name: Et1/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (VRF_RED_UNTRUSTED_TRAFFIC)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none
SW1#
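Two things in the SW1 configuration and verification above are worth an automated check rather than a glance: the access ports set port-security parameters (`maximum`, `violation restrict`, `mac-address sticky`) without the bare `switchport port-security` command that actually enables the feature, and the trunk allows VLANs 1-4094 although only VLANs 10 and 20 are mapped to VRFs. The following added script (my own example, not the lab author’s configuration) parses a running-config style interface section and reports both conditions; the config excerpt is constructed to mirror SW1, with Ethernet1/2 given the enabling command so the two cases can be compared.

```python
import re

# Constructed running-config excerpt mirroring the SW1 interface configuration
# entered above, written the way 'show running-config' prints it. Ethernet1/2
# additionally has the bare 'switchport port-security' line for comparison.
SW1_INTERFACES = """\
interface Ethernet0/0
 description TO->R2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet1/0
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface Ethernet1/2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
"""

# SVI-to-VRF mapping used on SW1/SW3 in the lab.
VRF_VLANS = {10: "PURPLE", 20: "RED"}


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the block
    return blocks


def audit_interface(name, lines, vrf_vlans=VRF_VLANS):
    """Findings for one switchport, based only on what its config block states."""
    findings, cmds = [], set(lines)
    if "switchport mode trunk" in cmds:
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            want = ",".join(str(v) for v in sorted(vrf_vlans))
            findings.append(f"{name}: trunk carries all VLANs; restrict it with "
                            f"'switchport trunk allowed vlan {want}'")
        return findings
    vlan = None
    for l in lines:
        m = re.match(r"switchport access vlan (\d+)$", l)
        if m:
            vlan = int(m.group(1))
    if vlan not in vrf_vlans:
        findings.append(f"{name}: access VLAN {vlan} is not mapped to a VRF SVI")
    # Sub-options (maximum/violation/sticky) are accepted by IOS even when the
    # feature itself is off; only the bare command turns port-security on.
    has_options = any(l.startswith("switchport port-security ") for l in lines)
    if has_options and "switchport port-security" not in cmds:
        findings.append(f"{name}: port-security parameters set but feature not enabled "
                        "(bare 'switchport port-security' missing)")
    if "spanning-tree portfast" not in cmds:
        findings.append(f"{name}: edge port without spanning-tree portfast")
    return findings


def audit_config(config, vrf_vlans=VRF_VLANS):
    """Map every interface in the config to its list of findings."""
    return {n: audit_interface(n, ls, vrf_vlans) for n, ls in parse_interfaces(config).items()}


if __name__ == "__main__":
    for iface, findings in audit_config(SW1_INTERFACES).items():
        for finding in findings or [f"{iface}: ok"]:
            print(finding)
```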

 

For the sake of the example, I’ll configure SW3 and Server3, then go through the same verification commands and test reachability!

SW3# conf t
SW3(config)# hostname SW3
SW3(config)# ip vrf PURPLE
SW3(config-vrf)# description TRUSTED_TRAFFIC
SW3(config-vrf)# ip vrf RED
SW3(config-vrf)# description UNTRUSTED_TRAFFIC
SW3(config-vrf)# ip cef
SW3(config)# interface Ethernet0/0
SW3(config-if)# description TO->R3
SW3(config-if)# switchport trunk encapsulation dot1q
SW3(config-if)# switchport mode trunk
SW3(config-if)# no shut
SW3(config-if)# interface Ethernet1/0
SW3(config-if)# switchport access vlan 10
SW3(config-if)# switchport mode access
SW3(config-if)# switchport port-security maximum 3
SW3(config-if)# switchport port-security violation restrict
SW3(config-if)# switchport port-security mac-address sticky
SW3(config-if)# spanning-tree portfast
SW3(config-if)# no shut
SW3(config-if)# interface Ethernet1/1
SW3(config-if)# switchport access vlan 10
SW3(config-if)# switchport mode access
SW3(config-if)# switchport port-security maximum 3
SW3(config-if)# switchport port-security violation restrict
SW3(config-if)# switchport port-security mac-address sticky
SW3(config-if)# spanning-tree portfast
SW3(config-if)# no shut
SW3(config-if)# interface Ethernet1/2
SW3(config-if)# description TO->VLAN20_SRV3
SW3(config-if)# switchport access vlan 20
SW3(config-if)# switchport mode access
SW3(config-if)# switchport port-security maximum 3
SW3(config-if)# switchport port-security violation restrict
SW3(config-if)# switchport port-security mac-address sticky
SW3(config-if)# spanning-tree portfast
SW3(config-if)# no shut
SW3(config-if)# interface Vlan1
SW3(config-if)# no ip address
SW3(config-if)# shutdown
SW3(config-if)# interface Vlan10
SW3(config-if)# description TRUSTED_TRAFFIC
SW3(config-if)# ip vrf forwarding PURPLE
SW3(config-if)# ip address 10.0.3.10 255.255.255.0
SW3(config-if)# no shut
SW3(config-if)# interface Vlan20
SW3(config-if)# description UNTRUSTED_TRAFFIC
SW3(config-if)# ip vrf forwarding RED
SW3(config-if)# ip address 192.168.3.10 255.255.255.0
SW3(config-if)# no shut
SW3(config-if)# router ospf 1 vrf PURPLE
SW3(config-router)# router-id 0.0.3.10
SW3(config-router)# network 10.0.3.0 0.0.0.255 area 0
SW3(config-router)# router ospf 2 vrf RED
SW3(config-router)# router-id 0.0.3.20
SW3(config-router)# network 192.168.3.10 0.0.0.0 area 0
SW3(config-router)# end
SW3# sh ip vrf interfaces 
Interface IP-Address VRF Protocol
Vl10 10.0.3.10 PURPLE up 
Vl20 192.168.3.10 RED up 
SW3# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.3.2 1 FULL/DR 00:00:38 192.168.3.1 Vlan20
0.0.3.1 1 FULL/DR 00:00:38 10.0.3.1 Vlan10
SW3# sh ip route vrf RED ospf

Routing Table: RED
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 + - replicated route, % - next hop override

Gateway of last resort is 192.168.3.1 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 192.168.3.1, 00:53:13, Vlan20
 192.168.0.0/30 is subnetted, 1 subnets
O 192.168.0.0 [110/3] via 192.168.3.1, 00:53:13, Vlan20
O 192.168.1.0/24 [110/3] via 192.168.3.1, 00:53:13, Vlan20
O 192.168.2.0/24 [110/3] via 192.168.3.1, 00:53:13, Vlan20
 192.168.12.0/30 is subnetted, 1 subnets
O 192.168.12.0 [110/3] via 192.168.3.1, 00:53:13, Vlan20
 192.168.13.0/30 is subnetted, 1 subnets
O 192.168.13.0 [110/2] via 192.168.3.1, 00:53:13, Vlan20
 192.168.23.0/30 is subnetted, 1 subnets
O 192.168.23.0 [110/2] via 192.168.3.1, 00:53:13, Vlan20
SW3# sh ip route vrf PURPLE ospf

Routing Table: PURPLE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 + - replicated route, % - next hop override

Gateway of last resort is 10.0.3.1 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 10.0.3.1, 00:53:17, Vlan10
 10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
O 10.0.0.0/30 [110/3] via 10.0.3.1, 00:32:17, Vlan10
O 10.0.1.0/24 [110/3] via 10.0.3.1, 00:53:17, Vlan10
O 10.0.2.0/24 [110/3] via 10.0.3.1, 00:53:17, Vlan10
O 10.0.12.0/30 [110/3] via 10.0.3.1, 00:53:17, Vlan10
O 10.0.13.0/30 [110/2] via 10.0.3.1, 00:53:17, Vlan10
O 10.0.23.0/30 [110/2] via 10.0.3.1, 00:53:17, Vlan10
SW3# sh ip vrf detail
VRF PURPLE (VRF Id = 1); default RD <not set>; default VPNID <not set>
 Description: TRUSTED_TRAFFIC
 Interfaces:
 Vl10 
VRF Table ID = 1
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No global export route-map
 No export route-map
 VRF label distribution protocol: not configured
 VRF label allocation mode: per-prefix

VRF RED (VRF Id = 2); default RD <not set>; default VPNID <not set>
 Description: UNTRUSTED_TRAFFIC
 Interfaces:
 Vl20 
VRF Table ID = 2
 No Export VPN route-target communities
 No Import VPN route-target communities
 No import route-map
 No global export route-map
 No export route-map
 VRF label distribution protocol: not configured
 VRF label allocation mode: per-prefix

SW3# sh interfaces trunk 

Port Mode Encapsulation Status Native vlan
Et0/0 on 802.1q trunking 1

Port Vlans allowed on trunk
Et0/0 1-4094

Port Vlans allowed and active in management domain
Et0/0 1,10,20

Port Vlans in spanning tree forwarding state and not pruned
Et0/0 1,10,20
SW3# sh interfaces e1/2 switchport
Name: Et1/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (VRF_RED_UNTRUSTED_TRAFFIC)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none
SW3#

 

Configuration of the SRV3 network interface.

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> netsh interface ip set address "LAN" static 192.168.3.130 255.255.255.0 192.168.3.1

PS C:\Users\Administrator> ipconfig

Windows IP Configuration

Ethernet adapter LAN:

 Connection-specific DNS Suffix . :
 IPv4 Address. . . . . . . . . . . : 192.168.3.130
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 192.168.3.1

Tunnel adapter isatap.{CD0694F2-207E-4BA4-ABF0-03E073597FAD}:

 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . :
PS C:\Users\Administrator> ping 93.20.3.254

Pinging 93.20.3.254 with 32 bytes of data:
Reply from 93.20.3.254: bytes=32 time=55ms TTL=253
Reply from 93.20.3.254: bytes=32 time=43ms TTL=253
Reply from 93.20.3.254: bytes=32 time=44ms TTL=253
Reply from 93.20.3.254: bytes=32 time=38ms TTL=253

Ping statistics for 93.20.3.254:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 38ms, Maximum = 55ms, Average = 45ms
PS C:\Users\Administrator> tracert -d 93.20.3.254

Tracing route to 93.20.3.254 over a maximum of 30 hops

 1 3 ms 10 ms 10 ms 192.168.3.1
 2 26 ms 20 ms 21 ms 192.168.13.1
 3 43 ms 42 ms 41 ms 93.20.3.254

Trace complete.
PS C:\Users\Administrator> ping 148.0.0.1

Pinging 148.0.0.1 with 32 bytes of data:
Reply from 192.168.0.1: Destination host unreachable.
Reply from 192.168.0.1: Destination host unreachable.
Reply from 192.168.0.1: Destination host unreachable.
Reply from 192.168.0.1: Destination host unreachable.

Ping statistics for 148.0.0.1:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
PS C:\Users\Administrator>

 

So let’s sum it up: I’ve configured SW3 in the network with the same VLANs and the appropriate VRFs (RED and PURPLE). SW3’s e1/2 switchport is configured to accept traffic from SRV3 only on VLAN 20 (VRF RED, UNTRUSTED traffic), and that traffic flows through the network on VRF RED only! We can confirm this with the traceroute: SRV3’s traffic leaves VLAN 20 through R3’s VRF RED f2/0.20 interface with IP 192.168.3.1, exits R3 towards R1’s f3/0.20 with IP 192.168.13.1, and R1 uses the static default route from the VRF RED IP routing table to forward the packets to the destination address 93.20.3.254, in this case router ER09’s loopback 0.

When we test reachability to 148.0.0.1, which is the loopback interface configured on router ETT (the default gateway for VRF PURPLE), the traffic is simply dropped and we get the unreachable message from router ER09, the gateway for VRF RED.

 

Looks like we have exactly what we wanted: complete segmentation of the different traffic types. This is the very basics of VRF Lite. I’ll get back with more labs on VRFs in another post.

Hope this helps someone else.
