VRF-Virtual Routing & Forwarding

原文 译

Network Virtualization – Path Isolation

Network Virtualization makes most modern Path Isolation techniques in networking possible. Network Virtualization and Path Isolation are crucial in modern network design and implementation.
网络虚拟化使大多数现代化路径隔离技术在网络中成为可能. 网络虚拟化和路径隔离是现代网络设计和实现有着至关重要作用.

Tips: Virtualization is VRF in the router, VLAN in the switch, trunk (dot1q tagging) on the Ethernet link, context or VDOM on the firewall and VM on the server.
虚拟化 是 VRF之于路由器, VLAN之于交换机,trunk之于以太网连接,VDOM之于防火墙,VM之于服务器

VRF

This was good enough reason for creating a blog post series which is giving an organized overview of different approaches in implementation of separated logical network partitions which are implemented over the enterprise physical network.
所以有足够好的理由来创建一个blog系列,此系列对在企业物理网络上实现分离的逻辑网络分区的不同方法做了一个系统性的概述。

EVER NEEDED ONE EXTRA ROUTER? IT’S POSSIBLE TO SPLIT THE ROUTER INTO MORE LOGICAL ROUTERS BY USING VRF. HOW? HERE’S HOW!

Virtual Routing and Forwarding or VRF allows a router to run more that one routing table simultaneously. When running more routing tables in the same time, they are completely independent. For example, you could use overlapping IP addresses inside more VRFs on the same router and they will function independently without conflict (You can see this kind of overlap in the example below). It is possible to use same VRF instance on more routers and connect every instance separately using VRF dedicated router port or only a sub-interface.

虚拟路由转发允许同时运行多个路由表。当同一时间运行多个路由表时,它们完全是各自独立的。 比如,你可以在同一台路由器上使用多个VRFs内的重叠IP地址,并且它们将独立运行而不会发生冲突(您可以在下面的示例中看到这种重叠) 可以在更多路由器上使用相同的VRF实例,并使用VRF专用路由器端口或仅子接口分别连接每个实例。

You can find VRFs to be used on ISP side. Provider Edge (PE) routers are usually running one VRF per customer VPN so that one router can act as a PE router for multiple Customer Edge (CE) routers even with more customers exchanging the same subnets across the VPN. By running VRF per customer, those subnets will never mix in-between them.
你可以找到网络服务提供商(Internet Service Provider)端使用的VRF。 供应商端路由器通常为每个客户VPN运行一个VRF,以便一个路由器可以充当多个客户端(CE)路由器的PE路由器,即使有更多客户通过VPN交换相同的子网。 通过为每个客户运行VRF,这些子网绝不会混合在它们之间。

VRFs are used to create multiple virtual routers from one physical router.
VRFs 被用来在单个实体物理路由上新建多个虚拟路由器

Every VRF is creating his own Routing table and CEF table, basically a separate RIB andFIB.
每个VRF会新建它自身的路由表及转发表,基本上是一个独立的RIB(Routing Information Base)和FIB(Forwarding Info Base)。 What is RIB and FIB ?

VRF is simply created by entering this command into Cisco router supporting VRFs:
VRF可以在cisco路由器上这样简单的创建:

   ip vrf  MYTESTVRF 

When created, VRF needs route distinguisher in order to become functional. Route distinguishers are described a bit later. Route distinguisher (RD) for this VRF MYTESTVRF are configured with:
创建时,VRF需要路由标识符才能生效。 稍后介绍路由标识符。 此VRF MYTESTVRF的路由标识符配置为:

  rd 111:1

When created and configured with RD, VRF needs some interfaces which will then be dedicated to this VRF and could bring some traffic into this VRF. Router interface (or most probably subinterface), will be assigned to a VRF like this:
在创建和配置RD时,VRF需要一些专用的接口,并可能会将一些流量引入此VRF。 路由器接口(或者最可能的子接口)将被分配给一个VRF,如下

  int gi1/0/1
    ip vrf forwarding MYTESTVRF

On L3 switch which is also a clever router, when we want a VLAN to become part of the VRF, we need to add VLAN interface to VRF and all members of the VLAN will then be part of that special VRF:
L3交换机也是一个智能的路由器,当我们想要一个VLAN成为VRF的一部分时,我们需要添加VLAN接口到VRF, VLAN的所有成员将会特别的多联机的一部分:

  int VLAN 20
      ip vrf forwarding MYTESTVRF

You need to take into account that addition of interface to VRF will remove all existing IP addresses configured on the interface. It is done in this way because it can help to avoid address duplication in the new routing table if some incautious engineer is entering interface with IP address into VRF that already has an interface with this same IP.
需要考虑添加到VRF的接口将删除接口上配置的所有现有IP地址。 这样做是因为如果一些不小心的工程师正在将具有IP地址的接口输入到已经具有与该相同IP的接口的VRF中,则可以避免在新路由表中的地址重复。

When configured, traffic received on the interface which is member of VRF is routed and forwarded with that VRF table.
配置后,VRF成员接口上的接收的流量将会随着VRF表路由和转发。

When thinking of VRFs, best example of something similar is VLAN trunking between two switches. Packet with VLAN tag entering the trunk interconnection in-between two switches can only enter the same VLAN when arriving on the other switch side. With VRFs is the same but done on L3 rather L2 for VLANs, and there are no trunk ports but L3 sub-interfaces (or physical interfaces). Packets that enter a specific VRF will be forwarded with routes from that VRF’s routing table.

Example goes even further. Like VLANs that span across multiple switches through trunk port, VRFs can be extended across multiple devices as well through sub-interfaces of two router interconnection or with separate interconnections.

The connections are L3 sub-interfaces, usually Ethernet VLAN interfaces with dot1q encapsulation. Most common Layer 2 virtualisation technique used these days.

VRF

CONFIGURATION FOR BOTH EXAMPLES

FIRST EXAMPLE (TWO INTERCONNECTIONS)

R1:

ip vrf MYTESTVRF
  rd 111:1

interface Gi 1/0/1
description Global Routing Table Interconnect
ip address 10.10.10.1 255.255.255.252

interface Gi 1/0/2
description VRF MYTESTVRF Interconnect
ip vrf forwarding MYTESTVRF
ip address 10.10.10.1 255.255.255.252

R2:

ip vrf MYTESTVRF
  rd 111:1

interface Gi 1/0/1
description Global Routing Table Interconnect
ip address 10.10.10.2 255.255.255.252

interface Gi 1/0/2
description VRF MYTESTVRF Interconnect
ip vrf forwarding MYTESTVRF
ip address 10.10.10.2 255.255.255.252

SECOND EXAMPLE (DOT1Q TAGGED SUBINTERFACES)

R1:

ip vrf MYTESTVRF
  rd 111:1
interface Gi 1/0/1.10
description Global Routing Table Interconnect
encapsulation dot1q 10
ip address 10.10.10.1 255.255.255.252

interface Gi 1/0/1.20
description VRF MYTESTVRF Interconnect
encapsulation dot1q 20
ip vrf forwarding MYTESTVRF
ip address 10.10.10.1 255.255.255.252

R2:

ip vrf MYTESTVRF
  rd 111:1
interface Gi 1/0/1.10
description Global Routing Table Interconnect
encapsulation dot1q 10
ip address 10.10.10.2 255.255.255.252

interface Gi 1/0/1.20
description VRF MYTESTVRF Interconnect
encapsulation dot1q 20
ip vrf forwarding MYTESTVRF
ip address 10.10.10.2 255.255.255.252

ICMP TEST EXAMPLE

Pinging from Gi 1/0/1 to Gi 1/0/1 on other side within Global Routing Table is straight forward ping:

R1:

ping 10.10.10.2

If you want to ping the same (but other) ip address. The one that is inside VRF MYTESTVRF you neet to initiate the ping within that VRF on R1:

ping vrf MYTESTVRF 10.10.10.2

Example above shows both solutions, although the subinterface example is the one that is used in the real world most of the time. We are extending VRF **MYTESTVRF **to other router (R2) by configuring interfaces of interconnection with VRF mapping configuration (ip vrf forwarding inside interface configuration). In this way every one of the interconnection will forward the traffic for mapped VRF.

Global Routing table is basically a VRF 0. The first RIB and FIB with no need of mapping as they exist by default and all L3 interfaces on the router are by default part of Global Routing table. When expanding VRF MYTESTVRF

we use one interconnection but we need to use another interconnection for Global routing table.

We can look at Global Routing table as first (native) VRF on the router with more VRF configured. This is also known as Global VRF, existing on all routers, with all interfaces assigned to it by default.

VRF LITE

Method of expanding several VRFs across multiple devices by using separate sub-interfaces or separate interconnection links is known as VRF Lite. This is basically the most lightweight way of running VPNs.

Being the simplest way of creating non-overlapping VPNs in a network is having some downsides to. This way of doing VRF expansion has poor scalability. You need dedicated link between two routers for every VPN (or dedicated sub-interface of one link). If you have the need for many VRFs, you will need many provisioned connections between routers.
作为在网络中创建不重叠的VPN的最简单的方法有一些缺点。 这种做VRF扩展的方式灵活性差。 每个VPN(或一个链路的专用子接口)需要两台路由器之间的专用链路。 如果您需要多个VRF,则需要在路由器之间提供很多配置的连接。

ROUTE DISTINGUISHERS

Remember from above, this is basic VRF config:

ip vrf MYTESTVRF rd 111:1

111 and 1 are 32-bit integers. Route Distinguisher is used to label every route from an VRF routing table with 64-bit prefix. It is done so that router can distinguish which prefixes are member of which VRF (different routing tables) avoiding that prefixes from different VRFs are mixed up.

Format for RD should be ASN:NN, with ASN meaning autonomous system and NN VRF number inside the router. Other way to configure it is

IP-Address:NN, IP being the router IP address and NN VRF number.

©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 203,937评论 6 478
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 85,503评论 2 381
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 150,712评论 0 337
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 54,668评论 1 276
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 63,677评论 5 366
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,601评论 1 281
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 37,975评论 3 396
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,637评论 0 258
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 40,881评论 1 298
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,621评论 2 321
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,710评论 1 329
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,387评论 4 319
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 38,971评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,947评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,189评论 1 260
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 44,805评论 2 349
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,449评论 2 342

推荐阅读更多精彩内容