VRF-lite 配置介绍

 

    VRF，通常与MPLS相联系。在这样的网络中，MPLS封装被用来分割用户流量，每个用户维护一个独立的VRF。但是，VRF的配置并不是必须依靠MPLS，对这样的VRF我们称为VRF lite，

这里讨论的就是这样一个方案。

   假设下面的图形就是一个公司的网络，正如你的预期，正常的公司流量是必须通过防火墙的，以此增强公司网络的安全性。但是，目前第二个网络连接被加入到这个网络：一个不受限的ADSL线路被专门的用户用来访问公司内网。10.0.0.0/16网段是受信任的网络，而192.168.0.0/16是给专门的用户用的。

    

     

       所有的路由器接口都配置两个子接口；.10用于VLAN10， .20用于VLAN20。例如：下面是R1的F2/0口的配置。

interface FastEthernet2/0

 description R2

 no ip address

interface FastEthernet2/0.10

 encapsulation dot1Q 10

 ip address 10.0.12.1 255.255.255.252

interface FastEthernet2/0.20

 encapsulation dot1Q 20

 ip address 192.168.12.1 255.255.255.252

 这样的话，明显是有安全漏洞的，可以通过VRF来解决，利用VRF将网络分割成两个虚拟的，独立的网络。

   现在，在R1上开始创建VRF BLUE和RED

R1(config)# ip vrf BLUE

R1(config-vrf)# description Trusted Traffi

R1(config-vrf)# ip vrf RED

R1(config-vrf)# description Guest Traffic

下一步将添加F1/0到VRF RED 

R1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface

如果在边界不运行OSPF动态协议，可以在R1上创建两个静态路由，如下：

R1(config)# ip route vrf BLUE 0.0.0.0 0.0.0.0 10.0.0.1

R1(config)# ip route vrf RED 0.0.0.0 0.0.0.0 192.168.0.1

在各自的VRF里，可以验证通过OSPF学到的静态路由。

R1# show ip route vrf BLUE

Routing Table: BLUE

[...]

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks 

    C       10.0.12.0/30 is directly connected, FastEthernet2/0.10

    C       10.0.13.0/30 is directly connected, FastEthernet2/1.10

    O       10.0.2.0/24 [110/2] via 10.0.12.2, 00:04:52, FastEthernet2/0.10

    O      10.0.3.0/24 [110/2] via 10.0.13.2, 00:04:52, FastEthernet2/1.10

    C       10.0.0.0/30 is directly connected, FastEthernet1/1

    O       10.0.1.0/24 [110/2] via 10.0.12.2, 00:04:52, FastEthernet2/0.10

    O       10.0.23.0/30 [110/2] via 10.0.13.2, 00:04:52, FastEthernet2/1.10

                 [110/2] via 10.0.12.2, 00:04:52, FastEthernet2/0.10

S*   0.0.0.0/0 [1/0] via 10.0.0.1

R1# show ip route vrf RED

Routing Table: RED

[...] 

192.168.12.0/30 is subnetted, 1 subnets

    C       192.168.12.0 is directly connected, FastEthernet2/0.20

 192.168.13.0/30 is subnetted, 1 subnets

    C       192.168.13.0 is directly connected, FastEthernet2/1.20

 192.168.23.0/30 is subnetted, 1 subnets

    O       192.168.23.0 [110/2] via 192.168.13.2, 00:04:16, FastEthernet2/1.20

                 [110/2] via 192.168.12.2, 00:04:16, FastEthernet2/0.20

 192.168.0.0/30 is subnetted, 1 subnets

    C       192.168.0.0 is directly connected, FastEthernet1/0

    O    192.168.1.0/24 [110/2] via 192.168.12.2, 00:04:16, FastEthernet2/0.20

    O    192.168.2.0/24 [110/2] via 192.168.12.2, 00:04:16, FastEthernet2/0.20

    O    192.168.3.0/24 [110/2] via 192.168.13.2, 00:04:17, FastEthernet2/1.20

S*   0.0.0.0/0 [1/0] via 192.168.0.1

最后，我们需要在OSPF进程下宣告静态路由： 

R1(config)# router ospf 1

R1(config-router)# default-information originate

R1(config-router)# router ospf 2

R1(config-router)# default-information originate

R2# show ip route vrf BLUE

Routing Table: BLUE

 

[...]

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks

    C       10.0.12.0/30 is directly connected, FastEthernet1/0.10

    O       10.0.13.0/30 [110/2] via 10.0.23.2, 00:14:23, FastEthernet1/1.10

                 [110/2] via 10.0.12.1, 00:13:53, FastEthernet1/0.10

    C       10.0.2.0/24 is directly connected, FastEthernet2/1.10

    O       10.0.3.0/24 [110/2] via 10.0.23.2, 00:14:23, FastEthernet1/1.10

    O       10.0.0.0/30 [110/2] via 10.0.12.1, 00:13:53, FastEthernet1/0.10

    C       10.0.1.0/24 is directly connected, FastEthernet2/0.10

    C       10.0.23.0/30 is directly connected, FastEthernet1/1.10

O*E2 0.0.0.0/0 [110/1] via 10.0.12.1, 00:03:33, FastEthernet1/0.10

R2# show ip route vrf RED

Routing Table: RED

[...] 

192.168.12.0/30 is subnetted, 1 subnets

    C       192.168.12.0 is directly connected, FastEthernet1/0.20

 192.168.13.0/30 is subnetted, 1 subnets 

    O       192.168.13.0 [110/2] via 192.168.23.2, 00:36:59, FastEthernet1/1.20 

                 [110/2] via 192.168.12.1, 00:20:54, FastEthernet1/0.20

 192.168.23.0/30 is subnetted, 1 subnets 

    C       192.168.23.0 is directly connected, FastEthernet1/1.20

 192.168.0.0/30 is subnetted, 1 subnets

    O       192.168.0.0 [110/2] via 192.168.12.1, 00:20:54, FastEthernet1/0.20

    C    192.168.1.0/24 is directly connected, FastEthernet2/0.20

    C    192.168.2.0/24 is directly connected, FastEthernet2/1.20

    O    192.168.3.0/24 [110/2] via 192.168.23.2, 00:41:13, FastEthernet1/1.20

    O*E2 0.0.0.0/0 [110/1] via 192.168.12.1, 00:01:41, FastEthernet1/0.20

 现在，我们的两个VRF已经完全起作用了，一个从交换机2 BLUEvlan主机过来的数据包，进入在R2上BLUE VRF子接口，然后通过R1的BLUE VRF得到去往防火墙的路由。

R2# ping 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: 

.....

Success rate is 0 percent (0/5)

R2# ping vrf BLUE 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/20 ms

Below are the final configurations from all three routers.

 

R1(config)# int f1/0

R1(config-if)# ip vrf forwarding RED

% Interface FastEthernet1/0 IP address 192.168.0.2 removed due to enabling VRF RED

    这里当我们分配一个接口给VRF后，IOS自动删除了之前的IP地址，从路由表中也移除了这个地址。现在，当一个IP地址被分配给这个接口，将会给这个VRF特定的路由表。

    因此，我们需要重新给F1/0 IP地址。

 

R1# show ip route

[...]

192.168.12.0/30 is subnetted, 1 subnets

    C       192.168.12.0 is directly connected, FastEthernet2/0.20

 192.168.13.0/30 is subnetted, 1 subnets

    C       192.168.13.0 is directly connected, FastEthernet2/1.20

 10.0.0.0/30 is subnetted, 3 subnets

    C       10.0.12.0 is directly connected, FastEthernet2/0.10

    C       10.0.13.0 is directly connected, FastEthernet2/1.10

    C       10.0.0.0 is directly connected, FastEthernet1/1

192.168.0.0/30路由已经被去除，被放在VRF RED的表中。

R1# show ip route vrf RED

[...]

192.168.0.0/30 is subnetted, 1 subnets

    C       192.168.0.0 is directly connected, FastEthernet1/0

interface FastEthernet1/0

 description RX

 ip vrf forwarding RED

 ip address 192.168.0.2 255.255.255.252

!

interface FastEthernet1/1

 description FW

 ip vrf forwarding BLUE

 ip address 10.0.0.2 255.255.255.252

!

interface FastEthernet2/0

 description R2

 no ip address

!         

interface FastEthernet2/0.10

 encapsulation dot1Q 10

 ip vrf forwarding BLUE

 ip address 10.0.12.1 255.255.255.252

!

interface FastEthernet2/0.20

 encapsulation dot1Q 20

 ip vrf forwarding RED

 ip address 192.168.12.1 255.255.255.252

!

interface FastEthernet2/1

 description R3

 no ip address

!

interface FastEthernet2/1.10

 encapsulation dot1Q 10

 ip vrf forwarding BLUE

 ip address 10.0.13.1 255.255.255.252

!

interface FastEthernet2/1.20

 encapsulation dot1Q 20

 ip vrf forwarding RED

 ip address 192.168.13.1 255.255.255.252

所有的接口现在属于独立的VRF，现在全局路由表是完全空的。可以验证下所有的10.0.0.0/16路由存在于VRF BLUE，所有的192.168.0.0/16存在于VRF RED：

R1# show ip route vrf BLUE

Routing Table: BLUE

[...]

10.0.0.0/30 is subnetted, 3 subnets

    C       10.0.12.0 is directly connected, FastEthernet2/0.10

    C       10.0.13.0 is directly connected, FastEthernet2/1.10

    C       10.0.0.0 is directly connected, FastEthernet1/1

R1# show ip route vrf RED

Routing Table: RED

[...]

192.168.12.0/30 is subnetted, 1 subnets

    C       192.168.12.0 is directly connected, FastEthernet2/0.20

 192.168.13.0/30 is subnetted, 1 subnets

    C       192.168.13.0 is directly connected, FastEthernet2/1.20

 192.168.0.0/30 is subnetted, 1 subnets

    C       192.168.0.0 is directly connected, FastEthernet1/0

   此时，尽管只有R1配置了VRF，它仍然可以路由流量到R2和R3。就像vlan,VRF对路由器仅仅是本地有意义。

    同样的方法，在其他两台路由器上配置VRF之后，就可以配置IGP了。这里我们使用OSPF协议。

R1(config)# router ospf 1 vrf BLUE

R1(config-router)# router-id 0.0.1.1

R1(config-router)# network 10.0.0.0 0.0.255.255 area 0

R1(config-router)# router ospf 2 vrf RED

R1(config-router)# router-id 0.0.1.2

R1(config-router)# network 192.168.0.0 0.0.255.255 area 0

这些是完全独立的OSPF进程：每个VRF都需要一个独立的router ID

R1(config-if)# ip add 192.168.0.2 255.255.255.252

R1(config-if)# ^Z

 

R1# show run interface f1/0

 

Building configuration...

 

Current configuration : 137 bytes

interface FastEthernet1/0

 description RX

 ip vrf forwarding RED

 ip address 192.168.0.2 255.255.255.252

 duplex auto

 speed auto

end

But look at our routing table now:

此时看R1的路由表

 

      VRF lite是很简单的：每个路由接口（物理接口或者虚拟接口）属于特定的一个VRF。除非import/export map被应用，否则路由不会从一个VRF到另外一个。进入VRF A的数据包仅查看路由表A。

   在VRF配置之前，所有的路由器都有自己的所有的连接路由表项： 

R1# show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

   D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 

   N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

   E1 - OSPF external type 1, E2 - OSPF external type 2

   i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

   ia - IS-IS inter area, * - candidate default, U - per-user static route 

Gateway of last resort is not set

192.168.12.0/30 is subnetted, 1 subnets 

 192.168.13.0/30 is subnetted, 1 subnets

 

 10.0.0.0/30 is subnetted, 3 subnets

    C       10.0.12.0 is directly connected, FastEthernet2/0.10

    C       10.0.13.0 is directly connected, FastEthernet2/1.10

    C       10.0.0.0 is directly connected, FastEthernet1/1

 192.168.0.0/30 is subnetted, 1 subnets

    C       192.168.0.0 is directly connected, FastEthernet1/0

  

转载于:https://blog.51cto.com/nalushenxian/660561