Virtual Routing and Forwarding (VRF) – Cisco Switch Virtualization

Cisco NX-OS supports multiple virtual routing and forwarding instances (VRFs). Each VRF contains a separate address space with unicast and multicast route tables for IPv4 and IPv6 and makes routing decisions independent of any other VRF. Each NX-OS device has a default VRF and a management VRF. All Layer 3 interfaces and routing protocols exist in the default VRF until you assign them to another VRF. The mgmt0 interface exists in the management VRF. You can create additional VRFs as needed.

Figure 5-1 shows Cisco NX-OS VRF instances.

  

Figure 5-1 Cisco NX-OS VRF Instances

Following are the characteristics of the management VRF:

  • The management VRF is for management purposes only.
  • Only the mgmt0 interface can be in the management VRF.
  • The mgmt0 interface cannot be assigned to another VRF.
  • No routing protocols can run in the management VRF (static only).

Following are the characteristics of the default VRF:

  • All Layer 3 interfaces exist in the default VRF until they are assigned to another VRF.
  • Routing protocols run in the default VRF context unless another VRF context is specified.
  • The default VRF uses the default routing context for all show commands.
  • The default VRF is similar to the global routing table concept in Cisco IOS.

All unicast and multicast routing protocols support VRFs. When you configure a routing protocol in a VRF, you set routing parameters for the VRF that are independent of routing parameters in another VRF for the same routing protocol instance. You can assign interfaces and routing protocols to a VRF to create virtual Layer 3 networks. An interface exists in only one VRF.

By default, Cisco NX-OS uses the VRF of the incoming interface to select which routing table to use for a route lookup. You can configure a route policy to modify this behavior and set the VRF that Cisco NX-OS uses for incoming packets.

A fundamental feature of the Cisco NX-OS architecture is that every IP-based feature is “VRF aware.” Table 5-2 shows VRF-aware services that can select a particular VRF to reach a remote server or to filter information based on the selected VRF.

  

Table 5-2 VRF-Aware Services

  • Authentication, Authorization, and Accounting (AAA)
  • Bidirectional Forwarding Detection (BFD)
  • Border Gateway Protocol (BGP)
  • Call Home
  • Domain Name System (DNS)
  • Enhanced Interior Gateway Routing Protocol (EIGRP)
  • Hot Standby Router Protocol (HSRP)
  • Hypertext Transfer Protocol (HTTP)
  • Intermediate System-to-Intermediate System (IS-IS)
  • Locator/ID Separation Protocol (LISP)
  • NetFlow
  • Network Time Protocol (NTP)
  • Open Shortest Path First (OSPF)
  • Ping and traceroute
  • Remote Authentication Dial-In User Service (RADIUS)
  • Simple Network Management Protocol (SNMP)
  • Secure Shell (SSH)
  • Syslog
  • Terminal Access Controller Access Control System Plus (TACACS+)
  • Trivial File Transfer Protocol (TFTP)
  • Virtual Port Channel (vPC)
  • Virtual Private Networks (VPN)
  • Virtual Router Redundancy Protocol (VRRP)

 

VRFs have the following configuration guidelines and limitations:

  • When you make an interface a member of an existing VRF, Cisco NX-OS removes all Layer 3 configurations. You should configure all Layer 3 parameters after adding an interface to a VRF.
  • If you configure an interface for a VRF before the VRF exists, the interface is operationally down until you create the VRF.
  • Cisco NX-OS creates the default and management VRFs by default. You should add the mgmt0 interface to the management VRF and configure the mgmt0 IP address and other parameters after you add it to the management VRF.
  • The write erase boot command does not remove the management VRF configurations. You must use the write erase command and then the write erase boot command to remove the management VRF configurations.
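
The guidelines above can be checked against an intended configuration before it is applied to a switch. The following Python check is an added example, not code from the original page or from Cisco; the sample configuration, the TENANT-B VRF name, and the function name audit_vrf_config are assumptions made for illustration.

```python
import re

# Constructed running-config fragment (not from the page). Ethernet1/4 names a
# VRF that was never created, Ethernet1/5 sits in the management VRF, and
# Ethernet1/6 joined a VRF without its Layer 3 settings being re-applied.
SAMPLE_CONFIG = """\
vrf context DCFNDU
interface mgmt0
  vrf member management
  ip address 10.10.1.6/24
interface Ethernet1/3
  vrf member DCFNDU
  ip address 192.168.1.45/30
interface Ethernet1/4
  vrf member TENANT-B
  ip address 172.16.4.1/30
interface Ethernet1/5
  vrf member management
  ip address 10.10.1.7/24
interface Ethernet1/6
  vrf member DCFNDU
"""

BUILT_IN_VRFS = {"default", "management"}  # NX-OS creates these itself


def audit_vrf_config(config):
    """Return sorted (interface, finding) pairs for an NX-OS style config."""
    defined = set(BUILT_IN_VRFS)
    interfaces = {}  # interface name -> {"vrf": name, "has_ip": bool}
    current = None
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):
            current = None  # a top-level line closes the interface stanza
        if m := re.fullmatch(r"vrf context (\S+)", text):
            defined.add(m.group(1))
        elif m := re.fullmatch(r"interface (\S+)", text):
            current = interfaces.setdefault(m.group(1), {"vrf": "default", "has_ip": False})
        elif current is not None and (m := re.fullmatch(r"vrf member (\S+)", text)):
            current["vrf"] = m.group(1)
        elif current is not None and re.match(r"ip(v6)? address \S+", text):
            current["has_ip"] = True
    findings = []
    for name, info in interfaces.items():
        vrf = info["vrf"]
        if vrf not in defined:
            findings.append((name, f"VRF {vrf} is not defined, interface stays down"))
        if (vrf == "management") != (name == "mgmt0"):
            findings.append((name, "only mgmt0 belongs in the management VRF"))
        if vrf != "default" and not info["has_ip"]:
            findings.append((name, "VRF member without an IP address"))
    return sorted(findings)
```

Calling audit_vrf_config(SAMPLE_CONFIG) reports Ethernet1/4, Ethernet1/5, and Ethernet1/6, one finding each; VRF names are compared case-sensitively, as on the device.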

Table 5-3 summarizes the NX-OS CLI commands that are related to basic VRF configuration and verification.

 

Table 5-3 Summary of NX-OS CLI Commands for VRF Configuration and Verification

| Command | Purpose |
| --- | --- |
| configure terminal | Enters global configuration mode. |
| [no] vrf context name | Creates a new VRF and enters VRF configuration mode. The name can be any case-sensitive, alphanumeric string up to 32 characters. Using the no option with this command deletes the VRF and all associated configurations. |
| interface interface-type slot/port | Enters interface configuration mode. |
| vrf member vrf-name | Adds this interface to a VRF. |
| show vrf [vrf-name] | Displays VRF information. |

Examples 5-2 to 5-6 show the basic VRF configuration and verification on the sample topology shown in Figure 5-2. OSPF area 0 is preconfigured on the topology, and OSPF neighborship is already fully functional. We will concentrate only on the VRF configuration and its impact on the OSPF routing in this example.

  

Figure 5-2 Sample Topology for VRF Configuration and Verification

Note

OSPF fundamentals, along with configuration and verification, are covered in detail in Chapter 6, “Nexus Switch Routing.”

In Example 5-2, we verify the management VRF on N9K-A.

Example 5-2 Management VRF Verification on N9K-A

! Verifying the VRFs configured on N9K-A.
N9K-A# show vrf
VRF-Name                           VRF-ID State   Reason
default                                 1 Up      --
management                              2 Up      --

! Verifying the configuration of management interface mgmt0. The management interface
! is under vrf management and has IP address 10.10.1.6.
N9K-A# show run interface mgmt 0

!Command: show running-config interface mgmt0
!Running configuration last done at: Tue Jan 4 15:36:03 2022
!Time: Wed Jan 5 06:31:13 2022

version 10.2(1) Bios:version 05.45

interface mgmt0
  vrf member management
  ip address 10.10.1.6/24

! If you don’t specify the vrf, a simple ping to the management interface will initiate
! the ping from the default vrf. Since the interface is under vrf management,
! the ping will fail as the default vrf is not aware of the management vrf interfaces.
N9K-A# ping 10.10.1.6
PING 10.10.1.6 (10.10.1.6): 56 data bytes
ping: sendto 10.10.1.6 64 chars, No route to host
Request 0 timed out
ping: sendto 10.10.1.6 64 chars, No route to host
Request 1 timed out
ping: sendto 10.10.1.6 64 chars, No route to host
Request 2 timed out
ping: sendto 10.10.1.6 64 chars, No route to host
Request 3 timed out
ping: sendto 10.10.1.6 64 chars, No route to host
Request 4 timed out

--- 10.10.1.6 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss

! The default vrf routing table is not aware of the management interface IP address.
N9K-A# show ip route
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.10.10.10/32, ubest/mbest: 2/0, attached
    *via 10.10.10.10, Lo0, [0/0], 15:08:39, local
    *via 10.10.10.10, Lo0, [0/0], 15:08:39, direct
192.168.1.44/30, ubest/mbest: 1/0, attached
    *via 192.168.1.45, Eth1/3, [0/0], 15:07:27, direct
192.168.1.45/32, ubest/mbest: 1/0, attached
    *via 192.168.1.45, Eth1/3, [0/0], 15:07:27, local

! Pinging the management interface specifying the correct vrf. This time, the ping
! will succeed as the management vrf routing table has reachability information for
! all the IP addresses in the management vrf.
N9K-A# ping 10.10.1.6 vrf management
PING 10.10.1.6 (10.10.1.6): 56 data bytes
64 bytes from 10.10.1.6: icmp_seq=0 ttl=255 time=0.295 ms
64 bytes from 10.10.1.6: icmp_seq=1 ttl=255 time=0.178 ms
64 bytes from 10.10.1.6: icmp_seq=2 ttl=255 time=0.172 ms
64 bytes from 10.10.1.6: icmp_seq=3 ttl=255 time=0.169 ms
64 bytes from 10.10.1.6: icmp_seq=4 ttl=255 time=0.258 ms

--- 10.10.1.6 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.169/0.214/0.295 ms

N9K-A# show ip route vrf management
IP Route Table for VRF "management"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

0.0.0.0/0, ubest/mbest: 1/0
    *via 10.10.1.254, [1/0], 3w2d, static
10.10.1.0/24, ubest/mbest: 1/0, attached
    *via 10.10.1.6, mgmt0, [0/0], 3w2d, direct
10.10.1.6/32, ubest/mbest: 1/0, attached
    *via 10.10.1.6, mgmt0, [0/0], 3w2d, local
N9K-A#
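
The isolation demonstrated in Example 5-2 can also be verified mechanically from route-table output. This added example (not from the original page or from Cisco) parses the show ip route format shown above, including the %<string> next-hop legend, and reports routes that reach the management subnet from another VRF. The default and management tables are abridged from Example 5-2; the DCFNDU entry, its next hop, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Route tables for three VRFs. "default" and "management" are abridged from
# Example 5-2; the DCFNDU entry is constructed to model a leaked route.
ROUTE_OUTPUT = '''\
IP Route Table for VRF "default"
10.10.10.10/32, ubest/mbest: 2/0, attached
    *via 10.10.10.10, Lo0, [0/0], 15:08:39, local
192.168.1.44/30, ubest/mbest: 1/0, attached
    *via 192.168.1.45, Eth1/3, [0/0], 15:07:27, direct
IP Route Table for VRF "management"
0.0.0.0/0, ubest/mbest: 1/0
    *via 10.10.1.254, [1/0], 3w2d, static
10.10.1.0/24, ubest/mbest: 1/0, attached
    *via 10.10.1.6, mgmt0, [0/0], 3w2d, direct
IP Route Table for VRF "DCFNDU"
10.10.1.0/24, ubest/mbest: 1/0
    *via 10.10.1.254%management, [1/0], 00:05:11, static
'''

VRF_RE = re.compile(r'IP Route Table for VRF "([^"]+)"')
PREFIX_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+), ubest/mbest")
VIA_RE = re.compile(r"\*+via (\d+\.\d+\.\d+\.\d+)(?:%(\S+?))?,")


def parse_routes(output):
    """Yield (vrf, prefix, next_hop, next_hop_vrf) for every via line."""
    vrf = prefix = None
    for line in output.splitlines():
        line = line.strip()
        if m := VRF_RE.match(line):
            vrf, prefix = m.group(1), None  # a new table starts
        elif m := PREFIX_RE.match(line):
            prefix = ipaddress.ip_network(m.group(1))
        elif vrf and prefix is not None and (m := VIA_RE.match(line)):
            yield vrf, prefix, m.group(1), m.group(2) or vrf


def find_isolation_breaks(output, protected, home_vrf="management"):
    """Report routes that reach `protected` space from outside `home_vrf`."""
    protected = ipaddress.ip_network(protected)
    breaks = []
    for vrf, prefix, hop, hop_vrf in parse_routes(output):
        if hop_vrf != vrf:  # next hop resolved in a different VRF
            breaks.append((vrf, str(prefix), f"next hop {hop} is in VRF {hop_vrf}"))
        elif vrf != home_vrf and prefix.prefixlen and prefix.overlaps(protected):
            breaks.append((vrf, str(prefix), f"overlaps {protected}"))  # /0 is skipped
    return breaks
```

With the two tables from Example 5-2 alone the function returns an empty list; the constructed DCFNDU entry is the only finding.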

In Examples 5-3 and 5-4, we verify the OSPF configuration and end-to-end connectivity.

Example 5-3 Verification of OSPF Configuration and End-to-End Connectivity on N9K-A

! Verifying if the interfaces are configured correctly. Note that all interfaces
! are in vrf default.
N9K-A# show ip interface brief
IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Lo0                  10.10.10.10     protocol-up/link-up/admin-up
Eth1/3               192.168.1.45    protocol-up/link-up/admin-up

! Verifying pre-configured OSPF configuration.
N9K-A# show running-config ospf

!Command: show running-config ospf
!Running configuration last done at: Wed Jan 5 07:44:58 2022
!Time: Wed Jan 5 09:22:03 2022

version 10.2(1) Bios:version 05.45
feature ospf

router ospf 1
  router-id 1.1.1.1

interface loopback0
  ip router ospf 1 area 0.0.0.0

interface Ethernet1/3
  ip router ospf 1 area 0.0.0.0

! Verifying OSPF neighbors. Note that the OSPF neighborship is formed under vrf
! default.
N9K-A# show ip ospf neighbors
OSPF Process ID 1 VRF default
 Total number of neighbors: 1
 Neighbor ID     Pri State           Up Time  Address          Interface
 2.2.2.2           1 FULL/BDR        01:36:30 192.168.1.46     Eth1/3

! Verifying OSPF routing table under vrf default.
N9K-A# show ip route ospf
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

20.20.20.20/32, ubest/mbest: 1/0
    *via 192.168.1.46, Eth1/3, [110/5], 01:36:57, ospf-1, intra

! End-to-End connectivity between Loopback interfaces of N9K-A and N9K-B is
! achieved using OSPF routing under vrf default.
N9K-A# ping 20.20.20.20 source 10.10.10.10
PING 20.20.20.20 (20.20.20.20) from 10.10.10.10: 56 data bytes
64 bytes from 20.20.20.20: icmp_seq=0 ttl=254 time=0.894 ms
64 bytes from 20.20.20.20: icmp_seq=1 ttl=254 time=0.459 ms
64 bytes from 20.20.20.20: icmp_seq=2 ttl=254 time=0.474 ms
64 bytes from 20.20.20.20: icmp_seq=3 ttl=254 time=0.454 ms
64 bytes from 20.20.20.20: icmp_seq=4 ttl=254 time=0.51 ms

--- 20.20.20.20 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.454/0.558/0.894 ms
N9K-A#

Example 5-4 Verification of OSPF Configuration and End-to-End Connectivity on N9K-B

! Verifying if the interfaces are configured correctly. Note that all interfaces
! are in vrf default.
N9K-B# show ip interface brief
IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Lo0                  20.20.20.20     protocol-up/link-up/admin-up
Eth1/3               192.168.1.46    protocol-up/link-up/admin-up

! Verifying pre-configured OSPF configuration.
N9K-B# show running-config ospf

!Command: show running-config ospf
!Running configuration last done at: Wed Jan 5 07:46:27 2022
!Time: Wed Jan 5 09:25:05 2022

version 10.2(1) Bios:version 05.45
feature ospf

router ospf 1
  router-id 2.2.2.2

interface loopback0
  ip router ospf 1 area 0.0.0.0

interface Ethernet1/3
  ip router ospf 1 area 0.0.0.0

! Verifying OSPF neighbors. Note that the OSPF neighborship is formed under vrf
! default.
N9K-B# show ip ospf neighbors
OSPF Process ID 1 VRF default
 Total number of neighbors: 1
 Neighbor ID     Pri State           Up Time  Address          Interface
 1.1.1.1           1 FULL/DR         01:38:43 192.168.1.45     Eth1/3

! Verifying OSPF routing table under vrf default.
N9K-B# show ip route ospf
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.10.10.10/32, ubest/mbest: 1/0
    *via 192.168.1.45, Eth1/3, [110/5], 01:38:49, ospf-1, intra

! End-to-End connectivity between Loopback interfaces of N9K-A and N9K-B is achieved
! using OSPF routing under vrf default.
N9K-B# ping 10.10.10.10 source 20.20.20.20
PING 10.10.10.10 (10.10.10.10) from 20.20.20.20: 56 data bytes
64 bytes from 10.10.10.10: icmp_seq=0 ttl=254 time=1.001 ms
64 bytes from 10.10.10.10: icmp_seq=1 ttl=254 time=0.751 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=254 time=0.674 ms
64 bytes from 10.10.10.10: icmp_seq=3 ttl=254 time=0.665 ms
64 bytes from 10.10.10.10: icmp_seq=4 ttl=254 time=0.967 ms

--- 10.10.10.10 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.665/0.811/1.001 ms
N9K-B#

In Examples 5-5 and 5-6, we configure the nondefault VRF DCFNDU on the Loopback 0 and Ethernet 1/3 interfaces on N9K-A and N9K-B and verify its impact on OSPFv2 routing. Since adding an interface to a VRF wipes its configuration, we need to reconfigure the IP address and the OSPF configuration.

Example 5-5 Nondefault VRF Configuration on N9K-A and N9K-B

N9K-A

! Creating vrf DCFNDU.
N9K-A# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K-A(config)# vrf context DCFNDU
N9K-A(config-vrf)# exit

! Verifying the new non-default vrf DCFNDU creation.
N9K-A(config)# show vrf
VRF-Name                           VRF-ID State   Reason
DCFNDU                                  3 Up      --
default                                 1 Up      --
management                              2 Up      --

! Placing the Loopback 0 and Ethernet 1/3 interfaces into vrf instance DCFNDU.
N9K-A(config)# interface Loopback 0
N9K-A(config-if)# vrf member DCFNDU
Warning: Deleted all L3 config on interface loopback0
N9K-A(config-if)# ip address 10.10.10.10/32
N9K-A(config-if)# ip router ospf 1 area 0
N9K-A(config-if)# interface Ethernet 1/3
N9K-A(config-if)# vrf member DCFNDU
Warning: Deleted all L3 config on interface Ethernet1/3
N9K-A(config-if)# ip address 192.168.1.45/30
N9K-A(config-if)# ip router ospf 1 area 0
N9K-A(config-if)# end
N9K-A#

N9K-B

! Creating vrf DCFNDU.
N9K-B# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K-B(config)# vrf context DCFNDU
N9K-B(config-vrf)# exit

! Verifying the new non-default vrf DCFNDU creation.
N9K-B(config)# show vrf
VRF-Name                           VRF-ID State   Reason
DCFNDU                                  3 Up      --
default                                 1 Up      --
management                              2 Up      --

! Placing the Loopback 0 and Ethernet 1/3 interfaces into vrf instance DCFNDU.
N9K-B(config)# interface Loopback 0
N9K-B(config-if)# vrf member DCFNDU
Warning: Deleted all L3 config on interface loopback0
N9K-B(config-if)# ip address 20.20.20.20/32
N9K-B(config-if)# ip router ospf 1 area 0
N9K-B(config-if)# interface Ethernet 1/3
N9K-B(config-if)# vrf member DCFNDU
Warning: Deleted all L3 config on interface Ethernet1/3
N9K-B(config-if)# ip address 192.168.1.46/30
N9K-B(config-if)# ip router ospf 1 area 0
N9K-B(config-if)# end
N9K-B#

Example 5-6 Verification of Impact of Nondefault VRF Configuration on N9K-A

! Once the interfaces are moved under vrf instance DCFNDU, the OSPF neighborship is
! formed under vrf DCFNDU and not under the default vrf.
N9K-A# show ip ospf neighbors

N9K-A# show ip ospf neighbors vrf DCFNDU
OSPF Process ID 1 VRF DCFNDU
 Total number of neighbors: 1
 Neighbor ID     Pri State           Up Time  Address          Interface
 192.168.1.46      1 FULL/BDR        00:15:55 192.168.1.46     Eth1/3

! The OSPF routing table under vrf default doesn’t show any routes as there is no
! neighborship formed under vrf instance default. All OSPF routes are showing up
! under vrf instance DCFNDU.
N9K-A# show ip route ospf
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

N9K-A# show ip route ospf vrf DCFNDU
IP Route Table for VRF "DCFNDU"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

20.20.20.20/32, ubest/mbest: 1/0
    *via 192.168.1.46, Eth1/3, [110/5], 00:00:07, ospf-1, intra

! Ping between Loopback interfaces of N9K-A and N9K-B fails under vrf instance
! default. End-to-End reachability between Loopback interfaces of N9K-A and N9K-B is
! achieved only under vrf instance DCFNDU.
N9K-A# ping 20.20.20.20 source 10.10.10.10
ping: can't bind to address 10.10.10.10
N9K-A# ping 20.20.20.20 source 10.10.10.10 vrf DCFNDU
PING 20.20.20.20 (20.20.20.20) from 10.10.10.10: 56 data bytes
64 bytes from 20.20.20.20: icmp_seq=0 ttl=254 time=0.947 ms
64 bytes from 20.20.20.20: icmp_seq=1 ttl=254 time=0.497 ms
64 bytes from 20.20.20.20: icmp_seq=2 ttl=254 time=0.732 ms
64 bytes from 20.20.20.20: icmp_seq=3 ttl=254 time=0.612 ms
64 bytes from 20.20.20.20: icmp_seq=4 ttl=254 time=0.447 ms

--- 20.20.20.20 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.447/0.647/0.947 ms
N9K-A#

! Note that similar verification can be done on N9K-B.
