Virtaul Route Forwarding (VRF) on CISCO Routers

-

So in this Lab we are going to implement basic VRFs on Cisco devices.

We will handle the scenario as a real world implementation scenario.

Problem statement:

As a service provider we are tasked with handling 3 customer & their routes.

Customer are using private IP addresses.

You are to devise a solution so that the customer's routes don't inter-mingle with one another.

Suggested Solution:

• Globally define three VRFs 

• Configure sub-interfaces for Gig 0/1 on the Common SP router(vIOS) 

• Assign sub-interfaces to VLAN and VRF instances 

• Associate an OSPF routing process with each VRF 

• Customer A (vIOS4) must be assigned to VLAN 2 

• Customer B (vIOS3) must be assigned to VLAN 3 

• Customer C (vIOS2) must be assigned to VLAN 4 

Consider you have the following topology:


Let's begin by assigning basic configs on the devices:

Common SP Router Configs:

==================================================================

 !   Change the name of the Router

 !

      hostname COMMON-SP 

      !

!

!   Change the admin state of port to UP

!

interface GigabitEthernet0/0

no shutdown

!

!  Configure the VRFs on the Router

!

vrf definition Cust-A

 description "For Customer A Routes"

 !

 address-family ipv4

 exit-address-family

!

!  Configure a Sub-interface for the customer 

!

interface GigabitEthernet0/0.2

 description "VRF Customer A"

 encapsulation dot1Q 2

 vrf forwarding Cust-A

 ip address 192.0.2.1 255.255.255.252

end

!

!  Configure a vrf aware IGP Protocol

!

router ospf 1 vrf Cust-A

 network 0.0.0.0 255.255.255.255 area 0

!

!  Note : The OSPF runs on all the possible network interface associated with Cust-A

! As OSPF runs on range of networks, the above commands allows it on all possible networks

==================================================================

Do the above for other 2 customers as well.

Switch 6 Configs:

=================================================================

!Change the name of the Switch

!

      hostname SW6

      !

! Configure trunk port with the COMMON SP Router, and allow relevant VLANs

 !

      interface GigabitEthernet0/0

       switchport trunk allowed vlan 2-4

       switchport trunk encapsulation dot1q

       switchport mode trunk

       media-type rj45

       negotiation auto

       no cdp enable

      !

! Configure Access ports to receive packets from respective customers connected with the switch

!

      interface GigabitEthernet0/1

       switchport access vlan 2

       media-type rj45

       negotiation auto

       no cdp enable

      !

      interface GigabitEthernet0/2

       switchport access vlan 3

       media-type rj45

       negotiation auto

       no cdp enable

      !

      interface GigabitEthernet0/3

       switchport access vlan 4

       media-type rj45

       negotiation auto

       no cdp enable

      !

==============================================================

Customer A side Configs:

! Change the name of the device

!

      hostname Cust-A

      !

!

! Configure the interface | No VRF config Required on Client side 

!

      interface GigabitEthernet0/1

       no shutdown

       ip address 192.0.2.2 255.255.255.252

       duplex auto

       speed auto

       media-type rj45

      !

! Configure OSPF

      !

      router ospf 1

       network 0.0.0.0 255.255.255.255 area 0

      !

Do the same for other 2 customers the peers should be UP on both sides.

The OSPF peers should be up and we can verify the results.

You can see that the network command in OSPF takes a range of IPs and runs OSPF on the interfaces that lie in that range.


We can see that there is no routes in the Global Routing Table (GRT).


And the Routes are present in separate routing table which don't inter-mingle with one another.



And the OSPF peering are up and kicking as well.

So the Customer can introduce as many IP prefixes as he requires.

So we have learnt that VRF creates virtual routers on a physical router.

Comments

Post a Comment

Popular posts from this blog

Denial of Service : Ping of Death [Kali Linux]

-
Image
Ping of Death (PoD) Attack: The Ping of Death (PoD) is a specific type of DoS attack. In a PoD attack, an attacker sends a malformed or oversized packet to a targeted machine, causing the system to crash, freeze, or reboot. Here's how it works: A correct Internet Protocol version 4 (IPv4) packet comprises a maximum of 65,535 bytes, and most legacy computers cannot handle larger packets. Sending a ping larger than this violates the IP rules, so attackers send packets in fragments which, when the targeted system attempts to reassemble, results in an oversized payload that can cause the system to crash, freeze, or reboot. Routers with no security mechanism (like a Firewall) to protect them from this flood of packets are also vulnerable.  The vulnerability can be exploited by any source that sends IP datagrams, which include an ICMP echo. Let us see through a simple lab demonstration, how it might play out. Here we have Linux with Kali distribution on EVE-NG. Directly connected to a ro...
Read more

GRE over IPSEC Tunnel

-
Image
When it comes to enhancing VPN security, the combination of GRE (Generic Routing Encapsulation) and IPsec (Internet Protocol Security) is a powerful duo that significantly boosts data protection and network efficiency. Let’s dive into the benefits: Enhanced Security : By merging GRE with IPsec, network engineers can ensure not only the versatility of GRE tunnels but also the robust security measures provided by IPsec. This amalgamation is crucial for creating secure VPNs that are resilient against cyber threats while maintaining high performance and reliability. Protocol Agnostic : GRE can encapsulate a variety of protocols, making it extremely versatile in multi-protocol environments. It simplifies the setup of VPNs over diverse networks by providing a straightforward way to encapsulate different protocols. Performance Optimization : GRE’s lightweight encapsulation minimizes overhead, resulting in improved performance. It allows efficient transport of packets over heterogeneous networ...
Read more

OSPF Special Areas

-
Image
  OSPF areas and Special Areas Use in Networking: 1. Scalability: As networks grow, the number of routers and links can increase exponentially. This can lead to large routing tables and high CPU utilization due to frequent SPF calculations. By dividing a network into smaller areas, OSPF can limit the impact of topology changes and keep routing tables manageable. 2. Reduced Routing Traffic: OSPF uses Link State Advertisements (LSAs) to share information about network topology. By confining LSAs within an area, OSPF can reduce routing traffic across the network. 3. Security and Administrative Control: Areas can be used to implement administrative boundaries within a network, allowing different departments or locations to manage their own networks. Now, let's discuss the special areas in OSPF: Stub Area: A stub area is an area that does not accept external LSAs. This means that routers in a stub area only know about networks within their area and a default route to the rest of the n...
Read more