Network Virtualization makes most modern Path Isolation techniques possible. Network Virtualization and Path Isolation are crucial in modern network design and implementation.
Tips: Virtualization is a VRF in the router, a VLAN in the switch, a trunk (dot1q tagging) on the Ethernet link, a context or VDOM on the firewall and a VM on the server.
That is reason enough for a blog post series giving an organized overview of the different approaches to implementing separate logical network partitions on top of the enterprise physical network.
EVER NEEDED ONE EXTRA ROUTER? IT’S POSSIBLE TO SPLIT THE ROUTER INTO MORE LOGICAL ROUTERS BY USING VRF. HOW? HERE’S HOW!
Virtual Routing and Forwarding, or VRF, allows a router to run more than one routing table simultaneously. Routing tables running at the same time are completely independent. For example, you can use overlapping IP addresses inside several VRFs on the same router and they will function independently without conflict (you can see this kind of overlap in the example below). The same VRF instance can be used on several routers, with every instance connected separately over a dedicated router port or just a sub-interface.
You will find VRFs in use on the ISP side. Provider Edge (PE) routers usually run one VRF per customer VPN, so that one router can act as the PE router for multiple Customer Edge (CE) routers even when several customers exchange the same subnets across their VPNs. By running one VRF per customer, those subnets never mix.
VRFs are used to create multiple virtual routers from one physical router.
Every VRF creates its own routing table and CEF table, basically a separate RIB (Routing Information Base) and FIB (Forwarding Information Base).
A VRF is created simply by entering this command on a Cisco router that supports VRFs:
ip vrf MYTESTVRF
Once created, the VRF needs a route distinguisher to become functional. Route distinguishers are described a bit later. The route distinguisher (RD) for the VRF MYTESTVRF is configured with:
rd 111:1
Once created and configured with an RD, the VRF needs some interfaces dedicated to it, which will bring traffic into the VRF. A router interface (or, more probably, a sub-interface) is assigned to a VRF like this:
int gi1/0/1
ip vrf forwarding MYTESTVRF
On an L3 switch, which is also a router, when we want a VLAN to become part of the VRF we add the VLAN interface to the VRF; all members of that VLAN will then be part of that VRF:
int VLAN 20
ip vrf forwarding MYTESTVRF
Take into account that adding an interface to a VRF removes all IP addresses configured on the interface. This is done to avoid address duplication in the new routing table when an incautious engineer moves an interface with an IP address into a VRF that already has an interface with that same IP.
Once configured, traffic received on an interface that is a member of a VRF is routed and forwarded using that VRF's table.
When thinking of VRFs, the best analogy is VLAN trunking between two switches. A packet with a VLAN tag entering the trunk interconnection between two switches can only enter the same VLAN when it arrives on the other switch. VRFs work the same way, but at L3 rather than L2, and instead of trunk ports there are L3 sub-interfaces (or physical interfaces). Packets that enter a specific VRF are forwarded using routes from that VRF's routing table.
The analogy goes even further. Like VLANs spanning multiple switches through trunk ports, VRFs can be extended across multiple devices as well, either through sub-interfaces of a single router interconnection or through separate interconnections.
These connections are L3 sub-interfaces, usually Ethernet VLAN sub-interfaces with dot1q encapsulation, the most common Layer 2 virtualisation technique used today.
FIRST EXAMPLE (TWO INTERCONNECTIONS)
R1:
ip vrf MYTESTVRF
rd 111:1
interface Gi 1/0/1
description Global Routing Table Interconnect
ip address 10.10.10.1 255.255.255.252
interface Gi 1/0/2
description VRF MYTESTVRF Interconnect
ip vrf forwarding MYTESTVRF
ip address 10.10.10.1 255.255.255.252
R2:
ip vrf MYTESTVRF
rd 111:1
interface Gi 1/0/1
description Global Routing Table Interconnect
ip address 10.10.10.2 255.255.255.252
interface Gi 1/0/2
description VRF MYTESTVRF Interconnect
ip vrf forwarding MYTESTVRF
ip address 10.10.10.2 255.255.255.252
SECOND EXAMPLE (ONE INTERCONNECTION WITH DOT1Q SUB-INTERFACES)
R1:
ip vrf MYTESTVRF
rd 111:1
interface Gi 1/0/1.10
description Global Routing Table Interconnect
encapsulation dot1q 10
ip address 10.10.10.1 255.255.255.252
interface Gi 1/0/1.20
description VRF MYTESTVRF Interconnect
encapsulation dot1q 20
ip vrf forwarding MYTESTVRF
ip address 10.10.10.1 255.255.255.252
R2:
ip vrf MYTESTVRF
rd 111:1
interface Gi 1/0/1.10
description Global Routing Table Interconnect
encapsulation dot1q 10
ip address 10.10.10.2 255.255.255.252
interface Gi 1/0/1.20
description VRF MYTESTVRF Interconnect
encapsulation dot1q 20
ip vrf forwarding MYTESTVRF
ip address 10.10.10.2 255.255.255.252
Pinging from Gi 1/0/1 to Gi 1/0/1 on the other side within the Global Routing Table is a straightforward ping:
R1:
ping 10.10.10.2
If you want to ping the same (but different) IP address, the one inside VRF MYTESTVRF, you need to initiate the ping within that VRF on R1:
ping vrf MYTESTVRF 10.10.10.2
The examples above show both solutions, although the sub-interface variant is the one used in the real world most of the time. We extend VRF MYTESTVRF to the other router (R2) by configuring the interconnection interfaces with a VRF mapping (ip vrf forwarding inside the interface configuration). In this way each interconnection forwards the traffic for its mapped VRF.
The Global Routing Table is basically VRF 0: the first RIB and FIB, needing no mapping because they exist by default, and all L3 interfaces on the router belong to the Global Routing Table by default. When extending VRF MYTESTVRF we use one interconnection, but we need another interconnection for the Global Routing Table.
We can look at the Global Routing Table as the first (native) VRF on a router that has more VRFs configured. It is also known as the Global VRF, existing on all routers, with all interfaces assigned to it by default.
Extending several VRFs across multiple devices using separate sub-interfaces or separate interconnection links is known as VRF Lite. It is basically the most lightweight way of running VPNs.
Being the simplest way of creating non-overlapping VPNs in a network also has its downsides. This way of extending VRFs scales poorly: you need a dedicated link between two routers for every VPN (or a dedicated sub-interface of one link). If you need many VRFs, you will need many provisioned connections between routers.
Remember from above, this is the basic VRF config:
ip vrf MYTESTVRF
rd 111:1
111 and 1 are 32-bit integers. The Route Distinguisher is used to label every route from a VRF routing table with a 64-bit route distinguisher, so that the router can distinguish which prefixes belong to which VRF (different routing tables) and prefixes from different VRFs are never mixed up.
The RD format should be ASN:NN, where ASN is the autonomous system number and NN the VRF number inside the router. The other way to configure it is IP-Address:NN, with IP being the router's IP address and NN the VRF number.
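As an added example (not from the original post), here is how the two RD formats just described are encoded on the wire following RFC 4364, plus a check that the overlapping 10.10.10.0/30 of the examples stays distinguishable once each VRF's routes are tagged with a different RD. The function names are my own.

```python
import ipaddress
import struct

def encode_rd(text):
    """Encode an RD given as ASN:NN or IP-Address:NN into its 8-byte wire form.
    Layout per RFC 4364: type 0 = 2-byte ASN + 4-byte NN, type 1 = 4-byte IPv4 + 2-byte NN,
    type 2 = 4-byte ASN + 2-byte NN (used when the ASN does not fit in 16 bits)."""
    left, right = text.rsplit(":", 1)
    nn = int(right)
    if "." in left:                                   # IP-Address:NN form
        if not 0 <= nn <= 0xFFFF:
            raise ValueError("NN must fit in 16 bits for IP-Address:NN")
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(left)), nn)
    asn = int(left)                                   # ASN:NN form
    if 0 <= asn <= 0xFFFF and 0 <= nn <= 0xFFFFFFFF:
        return struct.pack("!HHI", 0, asn, nn)
    if 0 <= asn <= 0xFFFFFFFF and 0 <= nn <= 0xFFFF:
        return struct.pack("!HIH", 2, asn, nn)
    raise ValueError(f"{text} is not a valid route distinguisher")

def vpn_prefix(rd_text, prefix):
    """Prepend the RD to an IPv4 prefix: the VPN-IPv4 route a PE keeps for one VRF."""
    return (encode_rd(rd_text), ipaddress.ip_network(prefix))

def distinct_vpn_prefixes(entries):
    """entries: iterable of (rd_text, prefix) pairs, one per VRF route.
    True when every route stays distinguishable, i.e. the same IPv4 prefix
    in two VRFs never collapses into one VPN route."""
    tagged = [vpn_prefix(rd, p) for rd, p in entries]
    return len(tagged) == len(set(tagged))
```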
Author: LiamBao
Link: https://www.jianshu.com/p/312f290aeb4d
Source: Jianshu
Copyright belongs to the author. For commercial reproduction, contact the author for authorization; for non-commercial reproduction, cite the source.