LAB - VRF Cisco - SafeKom Blog

LAB – VRF Cisco

Lately we hear a lot about network virtualization. It is therefore worth going back to its basics, because a form of “virtualization” was already in use back then on devices that keep separate routing tables. This separation goes by the name VRF (Virtual Routing and Forwarding). The second variant of “virtualization” is creating so-called virtual systems or virtual routers. Today, when routers have plenty of processing power, we can afford to create separate VRFs or virtual routers per service or per customer.

For now we will focus on Cisco.
For this lab I will use a Cisco CSR1000v running in my lab.

Assumptions:

we run three VRFs (mgmt, dc1 and Internet) on a single device.

Configuration:

We create the VRFs:

VRF DC1

csr1kv01(config)#ip vrf dc1
csr1kv01(config-vrf)#rd 65000:2

VRF MGMT

csr1kv01(config)#ip vrf mgmt
csr1kv01(config-vrf)#rd 65000:1

VRF Internet

csr1kv01(config)#ip vrf Internet
csr1kv01(config-vrf)#rd 65000:99

Verify the configured VRFs:

csr1kv01#show vrf
  Name                             Default RD            Protocols   Interfaces
  Internet                         65000:99              ipv4        
  dc1                              65000:2               ipv4        
  mgmt                             65000:1               ipv4

Configure the interfaces:

A small tip

Remember to assign the interface to the VRF first and only then give it an address. If we do it the other way round, we will have to address the interface again, because assigning an interface to a VRF removes its existing IP address.

interface GigabitEthernet1
 ip vrf forwarding mgmt
 ip address 10.10.0.11 255.255.255.0
interface GigabitEthernet2.100
 encapsulation dot1Q 100
 ip vrf forwarding dc1
 ip address 10.20.100.10 255.255.255.0
interface GigabitEthernet3
 ip vrf forwarding Internet
 ip address 192.168.0.50 255.255.255.0

Display the VRFs with their interface and IP assignments:

csr1kv01#show ip vrf int
Interface              IP-Address      VRF                              Protocol
Gi3                    192.168.0.50    Internet                         up      
Gi2.100                10.20.100.10    dc1                              up      
Gi1                    10.10.0.11      mgmt                             up

Configure routing:

ip route vrf mgmt 0.0.0.0 0.0.0.0 10.10.0.1
ip route vrf dc1 0.0.0.0 0.0.0.0 10.20.100.1

Display the routing table for each VRF:

csr1kv01#show ip route vrf mgmt

Routing Table: mgmt
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.10.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.0.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.0.0/24 is directly connected, GigabitEthernet1
L        10.10.0.11/32 is directly connected, GigabitEthernet1
csr1kv01#show ip route vrf Internet

Routing Table: Internet
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet3
L        192.168.0.50/32 is directly connected, GigabitEthernet3
csr1kv01#show ip route vrf dc1     

Routing Table: dc1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.20.100.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.100.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.20.100.0/24 is directly connected, GigabitEthernet2.100
L        10.20.100.10/32 is directly connected, GigabitEthernet2.100

Configure routing between the VRFs:

There are two methods of connecting VRFs. The simplest is to connect them with a cable and an L3 interface between the VRFs and to enter static routes. The second method is to use MP-BGP. Its configuration is shown below:

! configure BGP with a private AS number
router bgp 65000
 bgp log-neighbor-changes
 !
 ! configure the address family for VRF Internet
 address-family ipv4 vrf Internet
  ! define which networks are to be redistributed
  redistribute connected
 exit-address-family
 
 address-family ipv4 vrf dc1
  redistribute connected
  redistribute static
 exit-address-family
 
 address-family ipv4 vrf mgmt
  redistribute connected
 exit-address-family

With MP-BGP configured, we move on to configuring the exchange of routes between the VRFs.

Configure import and export for the VRFs:

Assumption: DC1 and MGMT can communicate with each other, and Internet only with MGMT.

ip vrf dc1
 route-target export 65000:2
 route-target import 65000:1

ip vrf mgmt
 route-target export 65000:1
 route-target import 65000:2
 route-target import 65000:99

ip vrf Internet
 rd 65000:99
 route-target import 65000:1
 route-target export 65000:99

Verification:

Check MP-BGP by displaying the VPNv4 table:

csr1kv01#show bgp vpnv4 unicast all 
BGP table version is 14, local router ID is 172.16.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf mgmt)
 *>  10.10.0.0/24     0.0.0.0                  0         32768 ?
 *>  10.20.100.0/24   0.0.0.0                  0         32768 ?
 *>  192.168.0.0      0.0.0.0                  0         32768 ?
Route Distinguisher: 65000:2 (default for vrf dc1)
 *>  10.10.0.0/24     0.0.0.0                  0         32768 ?
 *>  10.20.100.0/24   0.0.0.0                  0         32768 ?
Route Distinguisher: 65000:99 (default for vrf Internet)
 *>  10.10.0.0/24     0.0.0.0                  0         32768 ?
 *>  192.168.0.0      0.0.0.0                  0         32768 ?

Display the routing table for each VRF:

csr1kv01#show ip route vrf ?
  WORD  VPN Routing/Forwarding instance name

csr1kv01#show ip route vrf mgmt

Routing Table: mgmt
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.10.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.0.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.10.0.0/24 is directly connected, GigabitEthernet1
L        10.10.0.11/32 is directly connected, GigabitEthernet1
B        10.20.100.0/24 is directly connected, 00:05:33, GigabitEthernet2.100
L        10.20.100.10/32 is directly connected, GigabitEthernet2.100
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
B        192.168.0.0/24 is directly connected, 00:01:33, GigabitEthernet3
L        192.168.0.50/32 is directly connected, GigabitEthernet3
csr1kv01#show ip route vrf Internet

Routing Table: Internet
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B        10.10.0.0/24 is directly connected, 00:05:53, GigabitEthernet1
L        10.10.0.11/32 is directly connected, GigabitEthernet1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet3
L        192.168.0.50/32 is directly connected, GigabitEthernet3
csr1kv01#show ip route vrf dc1

Routing Table: dc1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.20.100.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.20.100.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B        10.10.0.0/24 is directly connected, 00:06:10, GigabitEthernet1
L        10.10.0.11/32 is directly connected, GigabitEthernet1
C        10.20.100.0/24 is directly connected, GigabitEthernet2.100
L        10.20.100.10/32 is directly connected, GigabitEthernet2.100

In the next post I will show VRF configuration on a different device.
