کد:
http://www.nil.com/ipcorner/EnterpriseMultiVRF/
Let’s assume that you’re the Chief Information Officer (CIO) of a large corporation with numerous small sites spread throughout the world. Financial pressures have forced management to outsource non-core services, including physical site security. The security vendor you’re using would like to implement video surveillance on the remote sites, and it’s your task to provide a transport path between the sites and the gateway located in your data center. The connectivity requirements of the external vendor are displayed in Figure 1.
Figure 1 Connectivity requirements
In most cases, modern video cameras support IP transport, and the initial implementation plan seems easy enough: connect the remote cameras to your network, give the outside vendor controlled access and you’re done. Not so fast; there might be all sorts of privacy and security implications. For example, do you want your employees to access the cameras? Do you want them to be able to access the video equipment on other remote sites? Are you sure the video equipment cannot be used as a backdoor into your network? Once you work through all the potential issues, the best option will likely be to build a dedicated Virtual Private Network (VPN) for the video surveillance equipment (see Figure 2).
Figure 2 VPN is used to transport video data across the enterprise network
If you’ve decided to build your network with Cisco routers, you already have all the building blocks you need to implement this project. You could build a fully functional MPLS VPN network (but this would require extensive MPLS VPN and BGP knowledge), or you could add a simple VPN to your existing network with the Multi-VRF functionality available in all Cisco routers.
Important
The Multi-VRF design does not scale if you have to add numerous VPNs to your network. In this case, it’s easier to convert your core network into a full-blown MPLS VPN network. If you need assistance with the MPLS VPN technology, you can get
consulting,
design and
deployment help from NIL’s professional services team.
Case Study Description
Throughout this article, we’ll use a simple non-redundant network with a single remote site. The remote site and the core router are connected with a point-to-point link; the gateway to the external vendor (the
CGW router in Figure 3) is connected to the data center LAN. The physical connectivity of the sample network and its IP addressing are shown in Figure 3.Should you mention what “CGW” stands for in Figure 3?
Figure 3 Case study topology and addressing
Multi-VRF Design
The Multi-VRF functionality allows you to implement multiple independent routing tables on a single physical router without full-blown MPLS VPN functionality. Each VRF (or the global IP routing table) has its own set of associated interfaces and routing processes. In our scenario, the
video VRF on a remote site needs a LAN interface (where the camera will be connected) and an uplink (see Figure 4).
Figure 4 Global and VRF interfaces on the Site router
The LAN interface on the remote site could be a dedicated router interface (more expensive, but ideal from a security perspective) or a VLAN connected to the router through an existing switch. The uplink interface has to reuse the existing infrastructure of the enterprise network. Unless you’re running a private Layer-2 WAN (for example, Frame Relay or ATM network), you’ll be forced to use IP-over-IP tunneling; the IP packets routed in the
video VRF will be encapsulated in an IP header that will allow them to traverse the enterprise network. You can use simple Generic Routing Encapsulation (GRE) tunnels (as shown in Figure 5) or multipoint tunnels using the Dynamic Multipoint Virtual Private Network (DMVPN) technology.
Figure 5 Physical and logical interfaces on the remote site
On the central site, it’s best to terminate the GRE tunnels on a dedicated set of devices (a non-redundant solution is displayed in Figure 6). This design provides better security (core devices are not exposed to raw IP packets traversing the VPN) and clear isolation between the IP transport in the enterprise network and the transport of VPN packets belonging to an external organization.
Figure 6 GRE tunnel termination on the central site
After you’ve created the VPN transport interfaces, you have to propagate the IP routing information across the VPN. To simplify our scenario, we’ll use static routes across GRE tunnels. If you decided to implement DMVPN tunnels, you should use a dynamic routing protocol in the VPN.
Important
The case study uses a non-redundant design to simplify the description of the architecture. Readers familiar with high-availability IPSec or GRE designs will easily extend the architecture to redundant scenarios. NIL’s professional services team can help you to
select the ideal routing technology,
design the network and
implement the selected solution.
Remote Site Implementation
The initial router configuration of the
Site router (Listing 1) should be familiar to any enterprise networking engineer: we need to configure the router’s LAN and WAN interfaces, create a loopback interface and start an IP routing process that will be used in the enterprise network.
Listing 1 Initial configuration of the Site router
کد:
hostname Site
!
interface Loopback0
ip address 10.0.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.5.3.1 255.255.255.0
!
interface Serial1/0
description WAN uplink
ip address 10.0.7.5 255.255.255.252
encapsulation ppp
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
end
The Multi-VRF configuration might be a bit unfamiliar if you have never configured MPLS VPN. Before working on anything else, we have to create the Virtual Routing and Forwarding table (VRF) with the
ip vrf command. Each VRF needs a unique
route distinguisher (RD) and (optionally) a set of
route targets (RT). In most cases, RT and RD are specified in the
AS:nnformat, where
AS is the autonomous system number allocated to your organization and
nnis an internal 32-bit number identifying the VPN.
Note
Route targets should not be required for proper operation of Multi-VRF functionality, but I still recommend that you configure them in order to avoid potential Cisco IOS bugs.
If you don’t have a public AS number, you can use a private AS number (they range from 64512 to 65535). 65000 will be used as the AS number in the sample configurations. Now that we have the RD/RT values, we can configure VRF on the
Site router (Listing 2).
Listing 2 VRF configuration on the Site router
کد:
ip vrf Video
rd 65000:1
route-target both 65000:1
When the VRF is configured, you can attach individual interfaces to it with the
ip vrf forwarding interface configuration command. We have to create a VLAN subinterface for the VLAN (to which the camera will be connected) and a tunnel interface for the WAN uplink (Listing 3).
Listing 3 VPN interfaces on the Site router
کد:
interface Tunnel0
ip vrf forwarding Video
ip unnumbered FastEthernet0/0.20
tunnel source Loopback0
tunnel destination 10.0.1.3
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding Video
ip address 192.168.3.1 255.255.255.0
Finally, we have to configure a dynamic routing protocol or static routing in the VRF to give the router the information it needs to forward the IP packets received through the VRF interfaces. A simple default route pointing to the tunnel interface is enough for our needs (Listing 4).
Listing 4 Static routing in the Video VRF
کد:
ip route vrf Video 0.0.0.0 0.0.0.0 Tunnel0
Important
Although the devices connected to a VRF cannot access devices connected to other VRFs or global interfaces, they can nonetheless access the router’s services, including its
Telnet,
SSHor
HTTP server. Whenever you connect an untrusted device to an interface of your router, you should protect the router. NIL’s professional services team can help you to
select the optimal security mechanism as well as to
design and
implement the selected solution.
Monitoring Multi-VRF Implementation
When you have to troubleshoot a Multi-VRF implementation, you can use the usual monitoring commands; most of the commands you’ll find useful are either VRF-independent or include a
vrf keyword. For example, the
show ip route command can be used to inspect the global IP routing table (Listing 5) as well as the VRF routing table (Listing 6).
Listing 5 Global IP routing table on the Site router
کد:
Site#show ip route | begin Gateway
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C 10.0.7.4/30 is directly connected, Serial1/0
O 10.0.1.2/32 [110/65] via 10.0.7.6, 00:00:14, Serial1/0
O 10.2.2.0/24 [110/65] via 10.0.7.6, 00:00:14, Serial1/0
C 10.0.1.1/32 is directly connected, Loopback0
C 10.0.7.6/32 is directly connected, Serial1/0
C 10.5.3.0/24 is directly connected, FastEthernet0/0
Listing 6 VRF routing table on the Site router
کد:
Site#show ip route vrf Video | begin Gateway
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 192.168.3.0/24 is directly connected, FastEthernet0/0.20
S* 0.0.0.0/0 is directly connected, Tunnel0
You can also use two monitoring commands specific to the VRF implementation:
showip vrf namedisplays the VRF parameters and the associated interfaces (Listing 7).
showip vrf interfaces nameis very similar to the show ip interface brief command, but displays only the interfaces associated with the specified VRF (Listing 8).
Listing 7 Brief description of the Video VRF on the Site router
کد:
Site#show ip vrf Video
Name Default RD Interfaces
Video 65000:1 Tu0
Fa0/0.20
Listing 8
Interface status for the Video VRF on the Site router
Site#show ip vrf interfaces Video
Interface IP-Address VRF Protocol
Tu0 192.168.3.1 Video up
Fa0/0.20 192.168.3.1 Video up
Finally, the
show running vrf name command (first available in IOS releases 12.2SRC and 12.4(22)T) displays the VRF-related router configuration. This command displays the VRF definition, interface configuration, routing protocol configuration and static routes associated with the specified VRF. The VRF-related configuration on the
Site router is shown in Listing 9.
Listing 9 VRF-related configuration on the Site router
کد:
Site#show running vrf Video
Building configuration...
Current configuration : 504 bytes
ip vrf Video
rd 65000:1
route-target export 65000:1
route-target import 65000:1
!
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding Video
ip address 192.168.3.1 255.255.255.0
!
interface Tunnel0
ip vrf forwarding Video
ip unnumbered FastEthernet0/0.20
tunnel source Loopback0
tunnel destination 10.0.1.3
!
ip route vrf Video 0.0.0.0 0.0.0.0 Tunnel0
end
Implementing the Central Gateway
The central gateway implementation is as straightforward as the remote site implementation: you have to configure the global interfaces, the global routing process, the VRF interfaces and the VRF routing. Static routes will be used for the VRF routing. The VRF default route points to the interface connecting the enterprise network with the external vendor. A static host route pointing to the correct tunnel interface is used for each remote site video camera. The relevant parts of the central gateway configuration are included in Listing 10.
Note
Using static host routes instead of subnet routes further limits the number of devices the external vendor can access in your network. For example, the external vendor cannot access remote site routers due to routing constraints.
Listing 10 Configuration of the central gateway
کد:
hostname CGW
!
ip vrf Video
rd 65000:0
route-target export 65000:0
route-target import 65000:0
!
interface Loopback0
ip address 10.0.1.3 255.255.255.255
!
interface Tunnel0
description Remote Site
ip vrf forwarding Video
ip unnumbered FastEthernet0/1
tunnel source Loopback0
tunnel destination 10.0.1.1
!
interface FastEthernet0/0
description Data Center LAN interface
ip address 10.2.2.2 255.255.255.0
!
interface FastEthernet0/1
description Link to physical security vendor
ip vrf forwarding Video
ip address 192.168.0.1 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip route vrf Video 0.0.0.0 0.0.0.0 192.168.0.2
ip route vrf Video 192.168.3.2 255.255.255.255 Tunnel0
!
end
Implementing Local Inter-VRF Connectivity
Sometimes users local to a particular site will need access to the video equipment located at that site. In our scenario, users connected to the LAN interface of the
Site router would like to access the web camera connected to the VLAN interface belonging to the
Video VRF. The desired traffic flow is displayed in Figure 7.
Figure 7 Desired inter-VRF traffic flow
Traditionally you could implement this request in the MPLS VPN framework with an
overlapping VPN solution or route leaking between VRFs. In this section, you’ll see how you can use Network Address Translation (NAT) to achieve the same results.
Note
It’s highly recommended that you read the
IP Corner article “
Flexible Extranet Implementation” before continuing with this section.
To allow communication between the LAN users and the camera, the router needs to forward packets sent to IP address
192.168.3.2 from the global IP routing table to the
FastEthernet0/1.20 subinterface. The easiest way to implement this requirement is with a static host route installed in the global IP routing table pointing to the VRF interface. You can see the relevant router configuration in Listing 11 and the resulting entry in the IP routing table in Listing 12.
Listing 11 Static host route from the global IP routing table to the Video VRF
کد:
Site#show run | include ip route
ip route 192.168.3.2 255.255.255.255 FastEthernet0/0.20 192.168.3.2
Listing 12 The host route toward the camera in the global IP routing table
کد:
Site#show ip route 192.168.3.2
Routing entry for 192.168.3.2/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.3.2, via FastEthernet0/0.20
Route metric is 0, traffic share count is 1
The
IP Corner article “
Flexible Extranet Implementation” has used classic NAT configuration commands to implement NAT between source hosts in VRFs and a server in the global IP routing table. We need to implement reverse functionality (the server is in the VRF). The classic NAT does not work from the global IP routing table to a VRF; you have to use the
NAT Virtual Interface (NVI) configuration commands.
The NVI configuration commands are similar to the classic NAT configuration commands, but do not impose a strict
inside/outside view; every interface on which NAT has to be performed is marked with the
ipnat enable command. Furthermore, the
ipnat inside source command is replaced with the
ipnat source command. As you can see from the NAT-related configuration of the Site router (Listing 13), NAT configuration using NVI configuration commands is no more complex than the traditional NAT.
Listing 13 NAT configuration on the Site router
کد:
interface FastEthernet0/0
ip address 10.5.3.1 255.255.255.0
ip nat enable
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding Video
ip address 192.168.3.1 255.255.255.0
ip nat enable
!
ip nat log translations syslog
ip nat source list Camera interface FastEthernet0/0.20 overload
!
ip access-list extended Camera
permit ip any host 192.168.3.2
Summary
Multi-VRF functionality, available on almost all modern routers produced by Cisco Systems, gives you the ability to configure multiple Virtual Routing and Forwarding tables on a single router without deploying full-blown MPLS VPN functionality.
You can use Multi-VRF functionality to implement tightly controlled VPNs across a traditional enterprise IP network without changing the network core or introducing MPLS VPN functionality in the network. The VRFs configured on the edge routers have to be connected with distinct logical or physical interfaces; if you want to leverage an existing IP infrastructure, your only option is to implement GRE or DMVPN tunnels.
Note
If you’re running a private Frame Relay or ATM network, you can implement the VPN links across the network core with a separate set of virtual circuits. In pure switched-LAN environments, you can use separate VLANs for the VPN links.
The Multi-VRF solution does not scale well if you want to deploy numerous VPNs across a common infrastructure. If your network is evolving in that direction, consider deploying the MPLS VPN technology in your network