Monday, July 15, 2013

VRF Lite leakage



Let’s say we have a situation, as I once encountered, where we need to use VRF lite on two interfaces, each in a different VRF, and we need connectivity between the two VRFs.

This is the network topology:



The configuration is pretty much the same as for a PE/MPLS-VPN network, with slight differences.

R1 is the router with three connected interfaces: Fa1/0 is in VRF RED, Fa1/1 is in VRF BLUE, and Fa2/0 connects to R4 through the global routing table.

So first configure the VRFs on R1 with the corresponding interfaces:

ip vrf BLUE
 rd 200:200
 route-target export 200:200
 route-target import 200:200
!
ip vrf RED
 rd 100:100
 route-target export 100:100
 route-target import 100:100
!
interface FastEthernet1/0
 ip vrf forwarding RED
 ip address 10.1.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip vrf forwarding BLUE
 ip address 10.1.13.1 255.255.255.0
 duplex auto
 speed auto
!

Then configure BGP, without peers, but with address-families:

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf RED
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf BLUE
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
!

Then add route import/export between the two VRFs:

ip vrf BLUE
 rd 200:200
 route-target import 100:100
!
ip vrf RED
 route-target import 200:200
!

VRF BLUE imports VRF RED’s route target (100:100), while VRF RED imports VRF BLUE’s route target (200:200).
The routing table on VRF RED (on R1):

R1#show ip route vrf RED

Routing Table: RED
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    192.168.31.0/24 [20/0] via 10.1.13.3 (BLUE), 00:21:10
S    192.168.21.0/24 [1/0] via 10.1.12.2
     10.0.0.0/24 is subnetted, 2 subnets
B       10.1.13.0 is directly connected, 00:20:25, FastEthernet1/1
C       10.1.12.0 is directly connected, FastEthernet1/0

Note the route 192.168.31.0/24 via 10.1.13.3 (BLUE), which has just been imported into VRF RED.
Now let’s advertise the networks in VRF RED to the global routing table:

ip route 192.168.21.0 255.255.255.0 FastEthernet1/0
ip route 192.168.31.0 255.255.255.0 FastEthernet1/1
ip route vrf RED 0.0.0.0 0.0.0.0 10.1.14.4 global
ip route vrf BLUE 0.0.0.0 0.0.0.0 10.1.14.4 global
!

Note that the first two lines route networks 192.168.21.0/24 and 192.168.31.0/24 out interfaces Fa1/0 and Fa1/1 respectively. This way the global routing table knows how to reach these networks.

The next two lines insert a default route into each VRF’s routing table, giving the VRFs access to the global routing table for every network they don’t know.

Let’s test R2 connectivity:

R2#ping 192.168.41.1 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.41.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.21.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/43/48 ms

R2#ping 192.168.41.1          

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.41.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Note that R2 can reach network 192.168.41.0/24 on R4 only when it uses Loopback1 as the source interface, because I have configured only network 192.168.21.0/24 in the global routing table.

VRF lite creates separate routing instances on a single device, but as we can see, networks and routes can be shared between the VRFs as needed.
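
An added example, not part of the original post: a small Python audit that reads an IOS-style configuration and lists every place where VRF isolation is relaxed, namely a route-target import that matches another VRF's export and an "ip route vrf ... global" static. The function name audit_vrf_leaks and the sample text (R1's stanzas from this post, merged as they would appear in a running configuration) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: R1's VRF stanzas and leak statics from this post, merged.
SAMPLE_CONFIG = """\
ip vrf BLUE
 rd 200:200
 route-target export 200:200
 route-target import 200:200
 route-target import 100:100
!
ip vrf RED
 rd 100:100
 route-target export 100:100
 route-target import 100:100
 route-target import 200:200
!
ip route 192.168.21.0 255.255.255.0 FastEthernet1/0
ip route vrf RED 0.0.0.0 0.0.0.0 10.1.14.4 global
ip route vrf BLUE 0.0.0.0 0.0.0.0 10.1.14.4 global
"""

def audit_vrf_leaks(config):
    """Return (rt_leaks, global_leaks): (src_vrf, dst_vrf, rt) triples where dst
    imports an RT another VRF exports, and (vrf, prefix, mask) statics whose
    next hop is resolved in the global table."""
    exports, imports = defaultdict(set), defaultdict(set)
    global_leaks, current = set(), None
    for line in config.splitlines():
        if m := re.match(r"ip vrf (\S+)\s*$", line):
            current = m.group(1)                      # entering a VRF stanza
        elif current and (m := re.match(r"\s+route-target (export|import|both) (\S+)", line)):
            kind, rt = m.groups()
            if kind != "import":                      # export or both
                exports[current].add(rt)
            if kind != "export":                      # import or both
                imports[current].add(rt)
        elif m := re.match(r"ip route vrf (\S+) (\S+) (\S+) .*\bglobal\s*$", line):
            global_leaks.add(m.groups())
            current = None
        elif not line.startswith(" "):
            current = None                            # top-level line closes the stanza
    rt_leaks = {(src, dst, rt) for dst, rts in imports.items() for rt in rts
                for src, exp in exports.items() if src != dst and rt in exp}
    return rt_leaks, global_leaks

if __name__ == "__main__":
    for findings in map(sorted, audit_vrf_leaks(SAMPLE_CONFIG)):
        print(findings)
```

Run against a saved configuration, an empty result for both sets means no VRF imports another's route target and none has a static that resolves in the global table.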


