
VRF-lite

Updated on Oct 17, 2024

What is VRF-lite?

VRF (Virtual Routing and Forwarding) is an advanced IP routing feature that allows multiple routing instances. It provides distinct IP routing and forwarding tables for each VPN and operates alongside MP-iBGP (Multi-Protocol Internal BGP) between provider edge (PE) routers to support Layer 3 MPLS-VPN. Some implementations, however, use VRF without MP-iBGP. This is VRF-lite, which functions as both a PE-extension and a customer edge (CE)-extension.

PE-Extension and CE-Extension

VRF-lite is regarded as a PE-extension because it supports VRF functionality without MP-iBGP. At the same time, it acts as a CE-extension since the CE can manage multiple VRFs, enabling one CE device to serve many customers. Under VRF-lite, a CE can establish multiple interfaces or subinterfaces with the PE for different customers, unlike a traditional CE that typically serves only one customer. The CE retains routing information locally within its VRFs and does not share this information with connected PEs. Instead, it utilizes the VRF data to direct incoming traffic from customer routers or ISP PE routers to the correct interfaces or subinterfaces.

Key Features of VRF-lite

VRF-lite enables service providers to support multiple VPNs where IP addresses can overlap. It distinguishes routes for different VPNs using input interfaces and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. These interfaces can be physical (like Ethernet ports) or logical (like VLAN SVIs), but a Layer 3 interface cannot belong to more than one VRF simultaneously.

Components of VRF-lite

  • Customer Edge (CE) Devices: These provide customer access to the service provider network via a data link to one or more PE routers. CE devices advertise local routes to PE and learn remote VPN routes.

  • Provider Edge (PE) Routers: PE routers exchange routing information with CE devices using static routing or various routing protocols. Each PE only needs to maintain VPN routes for the VPNs it is directly connected to, simplifying its routing responsibilities. Each PE router manages a VRF for every directly connected site, allowing multiple interfaces on a PE to be associated with a single VRF if they belong to the same VPN. After learning local VPN routes from CEs, PE routers share VPN routing information with other PEs via internal BGP.

  • Provider (Core) Routers: These are routers within the service provider network that do not connect directly to CE devices.

With VRF-lite, multiple customers can share a single CE device. The shared CE maintains a separate VRF table for each customer and routes each customer's packets based on that customer's own routing table. This setup enhances the privacy and security of VPNs, extending them to branch offices. Since VRF-lite is a Layer 3 feature, all interfaces within a VRF must be Layer 3 interfaces. To configure VRF, create a VRF table and specify the associated Layer 3 interface.

Configuring VRF-lite: Best Practices

IPv4 and IPv6 Considerations

  • A switch utilizing VRF-lite can be shared by multiple customers, each with their own unique routing tables.

  • Since different customers operate on separate VRF tables, the same IP addresses can be reused across different customers.

  • VRF-lite allows multiple customers to share a single physical link between the provider edge (PE) and customer edge (CE) devices.

  • The switch supports VRF configuration via physical ports, VLAN SVIs, or a combination of both, with SVIs connectable through access or trunk ports.

  • Customers may utilize multiple VLANs, provided these do not overlap with VLANs from other customers. Each customer's VLANs are mapped to a specific routing table ID, which identifies the corresponding routing tables stored on the switch.

  • The Layer 3 TCAM resource is shared across all VRFs. To ensure that any one VRF has adequate CAM space, use the maximum routes command.

  • A switch using VRF can maintain one global network along with multiple VRFs, though the total number of supported routes is limited by TCAM size.

  • A single VRF can support both IPv4 and IPv6 protocols.

  • If the destination address of an incoming packet is not present in the VRF table, the packet will be dropped. Additionally, if there is insufficient TCAM space for a VRF route, hardware switching for that VRF will be disabled, resulting in corresponding data packets being processed in software.
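The isolation rules described under Key Features and in the list above (the input interface selects the VRF, overlapping prefixes per customer, one VRF per Layer 3 interface, drop on a table miss) can be modelled in a few lines. This is an added example, not vendor code or a switch configuration; the VRF names, interface names and prefixes are constructed, and the same-VRF egress check is this model's own consistency rule.

```python
import ipaddress

class VrfLiteDevice:
    """Toy model of a shared CE: one routing table per VRF (constructed names)."""
    def __init__(self):
        self.tables = {}     # VRF name -> [(network, egress interface)]
        self.iface_vrf = {}  # Layer 3 interface -> VRF name

    def bind(self, iface, vrf):
        # A Layer 3 interface cannot belong to more than one VRF.
        current = self.iface_vrf.get(iface)
        if current not in (None, vrf):
            raise ValueError(f"{iface} already belongs to VRF {current}")
        self.tables.setdefault(vrf, [])
        self.iface_vrf[iface] = vrf

    def add_route(self, vrf, prefix, egress):
        # Model rule: refuse a route whose egress interface sits in another VRF.
        if self.iface_vrf.get(egress) != vrf:
            raise ValueError(f"{egress} is not in VRF {vrf}")
        self.tables[vrf].append((ipaddress.ip_network(prefix), egress))

    def forward(self, in_iface, dst):
        """Return the egress interface, or None when the packet is dropped."""
        vrf = self.iface_vrf.get(in_iface)  # the input interface selects the table
        if vrf is None:
            return None                      # global table is not modelled here
        addr = ipaddress.ip_address(dst)
        hits = [(net, out) for net, out in self.tables[vrf]
                if net.version == addr.version and addr in net]
        if not hits:
            return None                      # destination absent from this VRF: drop
        return max(hits, key=lambda h: h[0].prefixlen)[1]  # longest-prefix match

def build_demo():
    dev = VrfLiteDevice()
    for iface, vrf in [("Vlan10", "CUST_A"), ("Gi0/1.10", "CUST_A"),
                       ("Vlan20", "CUST_B"), ("Gi0/1.20", "CUST_B")]:
        dev.bind(iface, vrf)
    dev.add_route("CUST_A", "10.1.0.0/16", "Gi0/1.10")  # same prefix in both VRFs
    dev.add_route("CUST_A", "10.1.5.0/24", "Vlan10")
    dev.add_route("CUST_B", "10.1.0.0/16", "Gi0/1.20")
    dev.add_route("CUST_B", "2001:db8:b::/48", "Vlan20")  # IPv6 in the same VRF
    return dev

if __name__ == "__main__":
    dev = build_demo()
    for iface, dst in [("Vlan10", "10.1.9.9"), ("Vlan20", "10.1.9.9"),
                       ("Gi0/1.10", "10.1.5.7"), ("Vlan10", "192.0.2.1")]:
        print(iface, dst, "->", dev.forward(iface, dst) or "drop")
```

The same destination address resolves to a different egress depending on which customer's interface the packet arrived on, and a destination known only to CUST_B is dropped when it arrives on a CUST_A interface.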

IPv4 and IPv6 Support Features

The switch supports PIM-SM and PIM-SSM protocols for IPv4 routing, while also accommodating VRF-aware protocols such as OSPFv3, EIGRPv6, and static routing for IPv6. Additionally, VRF-aware IPv6 applications include ping, telnet, SSH, TFTP, FTP, and traceroute. It's important to note that the management interface operates differently, even though both IPv4 and IPv6 VRF configurations can be applied.
