VRF-lite 配置介紹

 

    VRF，通常與MPLS相聯繫。在這樣的網絡中，MPLS封裝被用來分割用戶流量，每個用戶維護一個獨立的VRF。但是，VRF的配置並不是必須依靠MPLS，對這樣的VRF我們稱爲VRF lite，

這裏討論的就是這樣一個方案。

   假設下面的圖形就是一個公司的網絡，正如你的預期，正常的公司流量是必須通過防火牆的，以此增強公司網絡的安全性。但是，目前第二個網絡連接被加入到這個網絡：一個不受限的ADSL線路被專門的用戶用來訪問公司內網。10.0.0.0/16網段是受信任的網絡，而192.168.0.0/16是給專門的用戶用的。

    

     

       所有的路由器接口都配置兩個子接口；.10用於VLAN10， .20用於VLAN20。例如：下面是R1的F2/0口的配置。

interface FastEthernet2/0

 description R2

 no ip address

interface FastEthernet2/0.10

 encapsulation dot1Q 10

 ip address 10.0.12.1 255.255.255.252

interface FastEthernet2/0.20

 encapsulation dot1Q 20

 ip address 192.168.12.1 255.255.255.252

 這樣的話，明顯是有安全漏洞的，可以通過VRF來解決，利用VRF將網絡分割成兩個虛擬的，獨立的網絡。

   現在，在R1上開始創建VRF BLUE和RED

R1(config)# ip vrf BLUE

R1(config-vrf)# description Trusted Traffi

R1(config-vrf)# ip vrf RED

R1(config-vrf)# description Guest Traffic

下一步將添加F1/0到VRF RED 

R1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface

如果在邊界不運行OSPF動態協議，可以在R1上創建兩個靜態路由，如下：

R1(config)# ip route vrf BLUE 0.0.0.0 0.0.0.0 10.0.0.1

R1(config)# ip route vrf RED 0.0.0.0 0.0.0.0 192.168.0.1

在各自的VRF裏，可以驗證通過OSPF學到的靜態路由。

R1# show ip route vrf BLUE

Routing Table: BLUE

[...]

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks 

    C       10.0.12.0/30 is directly connected, FastEthernet2/0.10

    C       10.0.13.0/30 is directly connected, FastEthernet2/1.10

    O       10.0.2.0/24 [110/2] via 10.0.12.2, 00:04:52, FastEthernet2/0.10

    O      10.0.3.0/24 [110/2] via 10.0.13.2, 00:04:52, FastEthernet2/1.10

    C       10.0.0.0/30 is directly connected, FastEthernet1/1

    O       10.0.1.0/24 [110/2] via 10.0.12.2, 00:04:52, FastEthernet2/0.10

    O       10.0.23.0/30 [110/2] via 10.0.13.2, 00:04:52, FastEthernet2/1.10

                 [110/2] via 10.0.12.2, 00:04:52, FastEthernet2/0.10

S*   0.0.0.0/0 [1/0] via 10.0.0.1

R1# show ip route vrf RED

Routing Table: RED

[...] 

192.168.12.0/30 is subnetted, 1 subnets

    C       192.168.12.0 is directly connected, FastEthernet2/0.20

 192.168.13.0/30 is subnetted, 1 subnets

    C       192.168.13.0 is directly connected, FastEthernet2/1.20

 192.168.23.0/30 is subnetted, 1 subnets

    O       192.168.23.0 [110/2] via 192.168.13.2, 00:04:16, FastEthernet2/1.20

                 [110/2] via 192.168.12.2, 00:04:16, FastEthernet2/0.20

 192.168.0.0/30 is subnetted, 1 subnets

    C       192.168.0.0 is directly connected, FastEthernet1/0

    O    192.168.1.0/24 [110/2] via 192.168.12.2, 00:04:16, FastEthernet2/0.20

    O    192.168.2.0/24 [110/2] via 192.168.12.2, 00:04:16, FastEthernet2/0.20

    O    192.168.3.0/24 [110/2] via 192.168.13.2, 00:04:17, FastEthernet2/1.20

S*   0.0.0.0/0 [1/0] via 192.168.0.1

最後，我們需要在OSPF進程下宣告靜態路由： 

R1(config)# router ospf 1

R1(config-router)# default-information originate

R1(config-router)# router ospf 2

R1(config-router)# default-information originate

R2# show ip route vrf BLUE

Routing Table: BLUE

 

[...]

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks

    C       10.0.12.0/30 is directly connected, FastEthernet1/0.10

    O       10.0.13.0/30 [110/2] via 10.0.23.2, 00:14:23, FastEthernet1/1.10

                 [110/2] via 10.0.12.1, 00:13:53, FastEthernet1/0.10

    C       10.0.2.0/24 is directly connected, FastEthernet2/1.10

    O       10.0.3.0/24 [110/2] via 10.0.23.2, 00:14:23, FastEthernet1/1.10

    O       10.0.0.0/30 [110/2] via 10.0.12.1, 00:13:53, FastEthernet1/0.10

    C       10.0.1.0/24 is directly connected, FastEthernet2/0.10

    C       10.0.23.0/30 is directly connected, FastEthernet1/1.10

O*E2 0.0.0.0/0 [110/1] via 10.0.12.1, 00:03:33, FastEthernet1/0.10

R2# show ip route vrf RED

Routing Table: RED

[...] 

192.168.12.0/30 is subnetted, 1 subnets

    C       192.168.12.0 is directly connected, FastEthernet1/0.20

 192.168.13.0/30 is subnetted, 1 subnets 

    O       192.168.13.0 [110/2] via 192.168.23.2, 00:36:59, FastEthernet1/1.20 

                 [110/2] via 192.168.12.1, 00:20:54, FastEthernet1/0.20

 192.168.23.0/30 is subnetted, 1 subnets 

    C       192.168.23.0 is directly connected, FastEthernet1/1.20

 192.168.0.0/30 is subnetted, 1 subnets

    O       192.168.0.0 [110/2] via 192.168.12.1, 00:20:54, FastEthernet1/0.20

    C    192.168.1.0/24 is directly connected, FastEthernet2/0.20

    C    192.168.2.0/24 is directly connected, FastEthernet2/1.20

    O    192.168.3.0/24 [110/2] via 192.168.23.2, 00:41:13, FastEthernet1/1.20

    O*E2 0.0.0.0/0 [110/1] via 192.168.12.1, 00:01:41, FastEthernet1/0.20

 現在，我們的兩個VRF已經完全起作用了，一個從交換機2 BLUEvlan主機過來的數據包，進入在R2上BLUE VRF子接口，然後通過R1的BLUE VRF得到去往防火牆的路由。

R2# ping 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: 

.....

Success rate is 0 percent (0/5)

R2# ping vrf BLUE 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/20 ms

Below are the final configurations from all three routers.

 

R1(config)# int f1/0

R1(config-if)# ip vrf forwarding RED

% Interface FastEthernet1/0 IP address 192.168.0.2 removed due to enabling VRF RED

    這裏當我們分配一個接口給VRF後，IOS自動刪除了之前的IP地址，從路由表中也移除了這個地址。現在，當一個IP地址被分配給這個接口，將會給這個VRF特定的路由表。

    因此，我們需要重新給F1/0 IP地址。

 

R1# show ip route

[...]

192.168.12.0/30 is subnetted, 1 subnets

    C       192.168.12.0 is directly connected, FastEthernet2/0.20

 192.168.13.0/30 is subnetted, 1 subnets

    C       192.168.13.0 is directly connected, FastEthernet2/1.20

 10.0.0.0/30 is subnetted, 3 subnets

    C       10.0.12.0 is directly connected, FastEthernet2/0.10

    C       10.0.13.0 is directly connected, FastEthernet2/1.10

    C       10.0.0.0 is directly connected, FastEthernet1/1

192.168.0.0/30路由已經被去除，被放在VRF RED的表中。

R1# show ip route vrf RED

[...]

192.168.0.0/30 is subnetted, 1 subnets

    C       192.168.0.0 is directly connected, FastEthernet1/0

interface FastEthernet1/0

 description RX

 ip vrf forwarding RED

 ip address 192.168.0.2 255.255.255.252

!

interface FastEthernet1/1

 description FW

 ip vrf forwarding BLUE

 ip address 10.0.0.2 255.255.255.252

!

interface FastEthernet2/0

 description R2

 no ip address

!         

interface FastEthernet2/0.10

 encapsulation dot1Q 10

 ip vrf forwarding BLUE

 ip address 10.0.12.1 255.255.255.252

!

interface FastEthernet2/0.20

 encapsulation dot1Q 20

 ip vrf forwarding RED

 ip address 192.168.12.1 255.255.255.252

!

interface FastEthernet2/1

 description R3

 no ip address

!

interface FastEthernet2/1.10

 encapsulation dot1Q 10

 ip vrf forwarding BLUE

 ip address 10.0.13.1 255.255.255.252

!

interface FastEthernet2/1.20

 encapsulation dot1Q 20

 ip vrf forwarding RED

 ip address 192.168.13.1 255.255.255.252

所有的接口現在屬於獨立的VRF，現在全局路由表是完全空的。可以驗證下所有的10.0.0.0/16路由存在於VRF BLUE，所有的192.168.0.0/16存在於VRF RED：

R1# show ip route vrf BLUE

Routing Table: BLUE

[...]

10.0.0.0/30 is subnetted, 3 subnets

    C       10.0.12.0 is directly connected, FastEthernet2/0.10

    C       10.0.13.0 is directly connected, FastEthernet2/1.10

    C       10.0.0.0 is directly connected, FastEthernet1/1

R1# show ip route vrf RED

Routing Table: RED

[...]

192.168.12.0/30 is subnetted, 1 subnets

    C       192.168.12.0 is directly connected, FastEthernet2/0.20

 192.168.13.0/30 is subnetted, 1 subnets

    C       192.168.13.0 is directly connected, FastEthernet2/1.20

 192.168.0.0/30 is subnetted, 1 subnets

    C       192.168.0.0 is directly connected, FastEthernet1/0

   此時，儘管只有R1配置了VRF，它仍然可以路由流量到R2和R3。就像vlan,VRF對路由器僅僅是本地有意義。

    同樣的方法，在其他兩臺路由器上配置VRF之後，就可以配置IGP了。這裏我們使用OSPF協議。

R1(config)# router ospf 1 vrf BLUE

R1(config-router)# router-id 0.0.1.1

R1(config-router)# network 10.0.0.0 0.0.255.255 area 0

R1(config-router)# router ospf 2 vrf RED

R1(config-router)# router-id 0.0.1.2

R1(config-router)# network 192.168.0.0 0.0.255.255 area 0

這些是完全獨立的OSPF進程：每個VRF都需要一個獨立的router ID

R1(config-if)# ip add 192.168.0.2 255.255.255.252

R1(config-if)# ^Z

 

R1# show run interface f1/0

 

Building configuration...

 

Current configuration : 137 bytes

interface FastEthernet1/0

 description RX

 ip vrf forwarding RED

 ip address 192.168.0.2 255.255.255.252

 duplex auto

 speed auto

end

But look at our routing table now:

此時看R1的路由表

 

      VRF lite是很簡單的：每個路由接口（物理接口或者虛擬接口）屬於特定的一個VRF。除非import/export map被應用，否則路由不會從一個VRF到另外一個。進入VRF A的數據包僅查看路由表A。

   在VRF配置之前，所有的路由器都有自己的所有的連接路由表項： 

R1# show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

   D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 

   N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

   E1 - OSPF external type 1, E2 - OSPF external type 2

   i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

   ia - IS-IS inter area, * - candidate default, U - per-user static route 

Gateway of last resort is not set

192.168.12.0/30 is subnetted, 1 subnets 

 192.168.13.0/30 is subnetted, 1 subnets

 

 10.0.0.0/30 is subnetted, 3 subnets

    C       10.0.12.0 is directly connected, FastEthernet2/0.10

    C       10.0.13.0 is directly connected, FastEthernet2/1.10

    C       10.0.0.0 is directly connected, FastEthernet1/1

 192.168.0.0/30 is subnetted, 1 subnets

    C       192.168.0.0 is directly connected, FastEthernet1/0