Sunday, January 8, 2012

VRF Lite Implementation with IPSec Tunnels & OSPF Default Route Injection


  • VRF Lite (Virtual Routing and Forwarding) is the simple form of VRF routing. VRF provides multiple routing table instances within the same router; think of it as Layer-3 VLANs. Named routing table instances and the interfaces that belong to each VRF routing plane are configured here.
  • VRF gives more flexible control over the network because it operates at Layer 3. Advanced operations such as IPsec VPN tunnels can be performed over VRFs.
  • The Layer-3 switches VRF_SW1 & VRF_SW2 are configured to provide Layer-2 VLANs and VRF routing tables at the same time.
  • VRF "RED" is used for all 10.1.x.x traffic & VRF "BLUE" for all 192.168.x.x traffic.
  • The 192.168.x.x network has no Internet access, as per policy.
  • VRF_SW1, VRF_SW2, VRF_R1 & VRF_R2 all have two routing tables, RED & BLUE.
  • VRFs do not share their routes unless inter-VRF route-targets are configured.
  • Each site has its own Internet router. Traffic from the 10.1.x.x network follows the default route of the Internet routers to reach the Internet: 10.1.1.0 Internet traffic goes through the 14.1.1.0 network & 10.1.2.0 Internet traffic goes through the 15.1.1.0 network.
  • The serial link used here is only for traversal of the loopback networks on VRF_R1 & VRF_R2.
  • Two loopback interfaces are created on both the VRF_R1 & VRF_R2 routers. The GRE tunnel SRC/DST are terminated at the loopback interfaces.
Let's analyze the configurations in detail:
VRF_R1:
(Lines omitted for brevity)
ip cef
ip vrf BLUE
 description VPN Traffic
 rd 192.168.108.0:20
!
ip vrf RED
 description Internet Traffic
 rd 14.1.1.0:10
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key awesomeness address 70.1.1.2
crypto isakmp key awesomeness1 address 71.1.1.2
!
crypto ipsec transform-set awesomeset esp-3des esp-sha-hmac 
!
crypto ipsec profile awesomeprofile
 set transform-set awesomeset 
!
interface Loopback0
 description For Tunnel 0 SRC/DST RED
 ip address 70.1.1.1 255.255.255.255
!
interface Loopback1
 description For Tunnel 1 SRC/DST BLUE
 ip address 71.1.1.1 255.255.255.255
!
interface Tunnel0
 description For 10.x.x.x RED Network
 ip vrf forwarding RED
 ip address 80.1.1.1 255.255.255.252
 tunnel source 70.1.1.1
 tunnel destination 70.1.1.2
 tunnel protection ipsec profile awesomeprofile
!
interface Tunnel1
 description for VPN BLUE Network
 ip vrf forwarding BLUE
 ip address 81.1.1.1 255.255.255.252
 tunnel source 71.1.1.1
 tunnel destination 71.1.1.2
 tunnel protection ipsec profile awesomeprofile
!
interface FastEthernet0/0
 ip vrf forwarding RED
 ip address 14.1.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.108.1 255.255.255.252
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0.10
 encapsulation dot1Q 10
 ip vrf forwarding RED
 ip address 112.1.1.2 255.255.255.252
!
interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip vrf forwarding BLUE
 ip address 12.1.1.2 255.255.255.252
!
router ospf 10 vrf RED
 log-adjacency-changes
 redistribute static
 network 80.1.1.0 0.0.0.255 area 0
 network 112.1.1.0 0.0.0.255 area 0
 default-information originate
!
router ospf 20 vrf BLUE
 log-adjacency-changes
 network 12.1.1.0 0.0.0.255 area 0
 network 81.1.1.0 0.0.0.255 area 0
!
ip classless
ip route 70.1.1.0 255.255.255.0 192.168.108.2
ip route 71.1.1.0 255.255.255.0 192.168.108.2
ip route vrf RED 0.0.0.0 0.0.0.0 FastEthernet0/0 14.1.1.1
!
no cdp run
!
end
  • The VRF Route Distinguisher (RD) is used here to identify the VRF tables. In future, route-target export/import can be configured for inter-VRF route sharing.
  • An IPsec pre-shared-key authentication policy is applied on both the RED & BLUE tunnels, with different keys.
  • The tunnel endpoints are the loopback addresses of the respective routers.
  • The tunnel interfaces are part of the VRF routing tables. Hence the Tunnel0 network is only seen in the VRF RED routing table; similarly, the Tunnel1 network is only seen in the VRF BLUE routing table.
  • Interface F0/0 points towards the 14.1.1.0 network, which belongs to the RED network only.
  • Interface F1/0 carries two networks with the help of dot1Q encapsulation; VLANs 10 & 20 are brought over here from VRF_SW1.
  • The OSPF router process also has two instances, for RED & BLUE; however, the process IDs are locally significant.
  • For the RED OSPF process, RED networks are included using the "network" command. For Internet traffic there is a VRF-aware version of the static route command; this statement specifies the default route for VRF RED through the F0/0 interface of the VRF_R1 router. The interface needs to be specified for the VRF-aware "ip route" command.
  • "default-information originate" in the OSPF RED process redistributes the static default route into the OSPF advertisements.
    • Note - the "always" keyword in "default-information originate" will inject the default route regardless of whether F0/0 is up or down. If F0/0 is down & "always" is used, Internet traffic will not be able to use another working route in the OSPF domain. Hence whether to inject with "always" or not depends on your scenario.
  • The OSPF BLUE process is not given Internet access as per policy, so no default route is injected into the OSPF BLUE routing table.
  • The loopback networks (70.1.1.0 & 71.1.1.0) along with the serial link network (192.168.108.0) are the only networks visible in the global routing tables of the VRF_R1 & VRF_R2 routers.
  • The global routing tables of VRF_SW1 & VRF_SW2 are empty.
  • IPsec encapsulation happens through the loopback interfaces, and the packets carrying ESP (Encapsulating Security Payload) are routed through the 192.168.108.0 network to the destination.
  • The serial link carries the ESP IP packets to the destination addresses, and the loopback interfaces encapsulate/decapsulate the payloads with the respective crypto keys.
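The consistency rules in the notes above (a tunnel interface placed in a VRF while its source loopback stays in the global table, a VRF-aware static that exits through an interface of the same VRF, and OSPF "network" statements that only take effect on interfaces in the process's own VRF) can be checked mechanically. The Python script below is an added example, not part of the original post or its configuration files. It parses a cut-down copy of the VRF_R1 configuration (constructed from the config above, with descriptions, crypto lines, separators and the global static routes dropped) and reports OSPF network statements that enable no interface in their VRF, VRF-aware statics whose egress interface sits in another VRF, and tunnels whose source address is not in the table the tunnel packets are routed in (the global table here, since no tunnel vrf is configured). The names build_model, _covers and check_config are my own.

```python
import ipaddress

# Constructed sample: the post's VRF_R1 config cut down to the lines the checks
# use ('!' separators, descriptions, crypto and global static routes omitted).
VRF_R1_CONFIG = """\
interface Loopback0
 ip address 70.1.1.1 255.255.255.255
interface Loopback1
 ip address 71.1.1.1 255.255.255.255
interface Tunnel0
 ip vrf forwarding RED
 ip address 80.1.1.1 255.255.255.252
 tunnel source 70.1.1.1
interface Tunnel1
 ip vrf forwarding BLUE
 ip address 81.1.1.1 255.255.255.252
 tunnel source 71.1.1.1
interface FastEthernet0/0
 ip vrf forwarding RED
 ip address 14.1.1.2 255.255.255.252
interface FastEthernet1/0.10
 ip vrf forwarding RED
 ip address 112.1.1.2 255.255.255.252
interface FastEthernet1/0.20
 ip vrf forwarding BLUE
 ip address 12.1.1.2 255.255.255.252
router ospf 10 vrf RED
 network 80.1.1.0 0.0.0.255 area 0
 network 112.1.1.0 0.0.0.255 area 0
router ospf 20 vrf BLUE
 network 12.1.1.0 0.0.0.255 area 0
 network 81.1.1.0 0.0.0.255 area 0
ip route vrf RED 0.0.0.0 0.0.0.0 FastEthernet0/0 14.1.1.1
"""

def build_model(text):
    """Reduce an IOS running-config to interfaces, OSPF processes and static routes."""
    m, blk = {"interfaces": {}, "ospf": {}, "statics": []}, None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if line.startswith(" "):          # indented line: sub-command of the open block
            if blk is None:
                continue
            if w[:3] == ["ip", "vrf", "forwarding"]:
                blk["vrf"] = w[3]
            elif w[:2] == ["ip", "address"]:
                blk["addr"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
            elif w[0] == "tunnel" and w[1] in ("source", "vrf"):
                blk["tunnel_" + w[1]] = w[2]
            elif w[0] == "network":
                blk.setdefault("networks", []).append((w[1], w[2]))
            continue
        blk = None                        # any top-level line closes the previous block
        if w[0] == "interface":
            blk = m["interfaces"][w[1]] = {"vrf": "global", "addr": None,
                                           "tunnel_source": None, "tunnel_vrf": "global"}
        elif w[:2] == ["router", "ospf"]:
            blk = m["ospf"][w[2]] = {"vrf": w[4] if "vrf" in w else "global", "networks": []}
        elif w[:2] == ["ip", "route"]:
            vrf, rest = (w[3], w[4:]) if w[2] == "vrf" else ("global", w[2:])
            # an egress interface name starts with a letter, a next-hop address with a digit
            m["statics"].append({"vrf": vrf, "prefix": ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}"),
                                 "egress": next((h for h in rest[2:] if h[0].isalpha()), None)})
    return m

def _covers(addr, network, wildcard):
    """IOS 'network' matching: address bits where the wildcard bit is 0 must match."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(addr.ip) & mask == int(ipaddress.IPv4Address(network)) & mask

def check_config(text):
    """Return a list of VRF-consistency findings; an empty list means consistent."""
    m, out = build_model(text), []
    ifaces = m["interfaces"]
    # A 'network' statement only enables OSPF on interfaces in the process's own VRF:
    # one matching none of them is dead, one matching another VRF's interface is a slip.
    for pid, proc in m["ospf"].items():
        for net, wc in proc["networks"]:
            hit = [(n, i["vrf"]) for n, i in ifaces.items() if i["addr"] and _covers(i["addr"], net, wc)]
            if not any(v == proc["vrf"] for _, v in hit):
                out.append(f"ospf {pid}: network {net} {wc} enables no {proc['vrf']} interface")
            out += [f"ospf {pid}: network {net} {wc} covers {n}, which is in VRF {v}" for n, v in hit if v != proc["vrf"]]
    # A VRF-aware static must exit through an interface that belongs to that VRF.
    for s in m["statics"]:
        if s["egress"] and ifaces.get(s["egress"], {}).get("vrf") != s["vrf"]:
            out.append(f"static {s['prefix']} in VRF {s['vrf']} exits via {s['egress']}, which is not in that VRF")
    # Without 'tunnel vrf' the outer GRE/ESP packets are routed in the global table,
    # so the tunnel source must be a global-table address (or one in the tunnel vrf).
    by_addr = {str(i["addr"].ip): (n, i["vrf"]) for n, i in ifaces.items() if i["addr"]}
    for name, i in ifaces.items():
        src = by_addr.get(i["tunnel_source"])
        if i["tunnel_source"] and src is None:
            out.append(f"{name}: tunnel source {i['tunnel_source']} is not a local address")
        elif src and src[1] != i["tunnel_vrf"]:
            out.append(f"{name}: tunnel source {src[0]} is in VRF {src[1]}, tunnel vrf is {i['tunnel_vrf']}")
    return out
```

Run check_config on the sample and it returns an empty list; move FastEthernet1/0.20 into RED, point the RED default route out of a BLUE interface, or source Tunnel0 from the RED address 14.1.1.2 and each change produces a finding. The parser only understands the sub-commands the checks need and treats the first token starting with a letter after the prefix as the egress interface, so static routes with "name" or administrative-distance options would need a small extension.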
VRF_SW1:
(Lines omitted for brevity)
ip cef
ip vrf BLUE
 description VPN Traffic
 rd 12.1.1.0:20
!
ip vrf RED
 description Internet Traffic
 rd 112.1.1.0:10
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding RED
 ip address 112.1.1.1 255.255.255.252
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding BLUE
 ip address 12.1.1.1 255.255.255.252
!
interface FastEthernet1/14
 switchport access vlan 10
 no ip address
!
interface FastEthernet1/15
 switchport access vlan 20
 no ip address
!
interface Vlan10
 ip vrf forwarding RED
 ip address 10.1.1.254 255.255.255.0
!
interface Vlan20
 ip vrf forwarding BLUE
 ip address 192.168.1.254 255.255.255.0
!
router ospf 10 vrf RED
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 112.1.1.0 0.0.0.255 area 0
!
router ospf 20 vrf BLUE
 log-adjacency-changes
 network 12.1.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
no cdp run
!
end 
  • This is a multilayer switch, so Layer-2 VLANs are configured to connect the end systems.
  • Ports F1/14 & F1/15 are in VLAN 10 & 20 respectively.
  • The default gateways are assigned to the VLAN interfaces. The VLAN 10 interface belongs to the RED forwarding table & the VLAN 20 interface to the BLUE forwarding table.
  • The OSPF processes for RED & BLUE are configured to advertise the connected networks to the VRF_R1 router.
Traceroute from 10.1.1.1: 
(Lines omitted for brevity)
Tracing the route to 10.1.2.1
  1 10.1.1.254 44 msec 20 msec 24 msec
  2 112.1.1.2 28 msec 20 msec 24 msec
  3 17.1.1.1 108 msec 56 msec 80 msec
  4 10.1.2.1 68 msec 120 msec *
  • As you can see, only the overlay networks are shown in the trace; the 70.1.1.0, 71.1.1.0 & 192.168.108.0 networks are not present here.
Global Route Table of VRF_R1:
(Lines omitted for brevity)
VRF_R1#sh ip route
Gateway of last resort is not set
     70.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       70.1.1.0/24 [1/0] via 192.168.108.2
C       70.1.1.1/32 is directly connected, Loopback0
     71.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       71.1.1.1/32 is directly connected, Loopback1
S       71.1.1.0/24 [1/0] via 192.168.108.2
     192.168.108.0/30 is subnetted, 1 subnets
C       192.168.108.0 is directly connected, Serial0/0
  • The loopback interfaces of router VRF_R2 are reachable through the 192.168.108.0 network. Notice the local loopback interfaces with the /32 prefix.
VRF RED Route Table of VRF_SW1:
(Lines omitted for brevity)
VRF_SW1#sh ip route vrf RED
Gateway of last resort is 112.1.1.2 to network 0.0.0.0
     17.0.0.0/30 is subnetted, 1 subnets
O       17.1.1.0 [110/11113] via 112.1.1.2, 00:02:27, FastEthernet0/0.10
     80.0.0.0/30 is subnetted, 1 subnets
O       80.1.1.0 [110/11112] via 112.1.1.2, 00:02:27, FastEthernet0/0.10
     112.0.0.0/30 is subnetted, 1 subnets
C       112.1.1.0 is directly connected, FastEthernet0/0.10
     10.0.0.0/24 is subnetted, 2 subnets
O       10.1.2.0 [110/11114] via 112.1.1.2, 00:02:27, FastEthernet0/0.10
C       10.1.1.0 is directly connected, Vlan10
O*E2 0.0.0.0/0 [110/1] via 112.1.1.2, 00:02:29, FastEthernet0/0.10
  • Observe the last entry, which states that the default route is via 112.1.1.2, the RED interface of VRF_R1. "O*E2" states that the route is OSPF external type 2, which is the default type for routes redistributed into OSPF.
VRF BLUE Route Table of VRF_SW1:
(Lines omitted for brevity)
VRF_SW1#sh ip route vrf BLUE
Gateway of last resort is not set
     16.0.0.0/30 is subnetted, 1 subnets
O       16.1.1.0 [110/11113] via 12.1.1.2, 00:00:28, FastEthernet0/0.20
     81.0.0.0/30 is subnetted, 1 subnets
O       81.1.1.0 [110/11112] via 12.1.1.2, 00:00:28, FastEthernet0/0.20
     12.0.0.0/30 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, FastEthernet0/0.20
C    192.168.1.0/24 is directly connected, Vlan20
O    192.168.2.0/24 [110/11114] via 12.1.1.2, 00:00:28, FastEthernet0/0.20
  • These are the routes seen in the BLUE routing table. The 192.168.2.0 network is reached through 12.1.1.2, i.e. the VRF_R1 router.
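The two tables above are what the "192.168.x.x has no Internet access" policy should look like from the switch: a default route in RED, none in BLUE, and no prefix from one VRF's user range appearing in the other table. The Python script below is an added example, not from the original post. It parses the two "show ip route vrf" outputs reproduced above (embedded as constructed input), resolving the prefix length of entries that inherit it from a classful "is subnetted" header, and checks both policy points. The names parse_show_ip_route and isolation_findings are my own, and the user ranges 10.0.0.0/8 and 192.168.0.0/16 are an assumption drawn from the post's description of RED and BLUE.

```python
import ipaddress
import re

# Constructed samples: the post's VRF_SW1 RED and BLUE tables, as printed there.
SHOW_ROUTE_RED = """\
Gateway of last resort is 112.1.1.2 to network 0.0.0.0
     17.0.0.0/30 is subnetted, 1 subnets
O       17.1.1.0 [110/11113] via 112.1.1.2, 00:02:27, FastEthernet0/0.10
     80.0.0.0/30 is subnetted, 1 subnets
O       80.1.1.0 [110/11112] via 112.1.1.2, 00:02:27, FastEthernet0/0.10
     112.0.0.0/30 is subnetted, 1 subnets
C       112.1.1.0 is directly connected, FastEthernet0/0.10
     10.0.0.0/24 is subnetted, 2 subnets
O       10.1.2.0 [110/11114] via 112.1.1.2, 00:02:27, FastEthernet0/0.10
C       10.1.1.0 is directly connected, Vlan10
O*E2 0.0.0.0/0 [110/1] via 112.1.1.2, 00:02:29, FastEthernet0/0.10
"""
SHOW_ROUTE_BLUE = """\
Gateway of last resort is not set
     16.0.0.0/30 is subnetted, 1 subnets
O       16.1.1.0 [110/11113] via 12.1.1.2, 00:00:28, FastEthernet0/0.20
     81.0.0.0/30 is subnetted, 1 subnets
O       81.1.1.0 [110/11112] via 12.1.1.2, 00:00:28, FastEthernet0/0.20
     12.0.0.0/30 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, FastEthernet0/0.20
C    192.168.1.0/24 is directly connected, Vlan20
O    192.168.2.0/24 [110/11114] via 12.1.1.2, 00:00:28, FastEthernet0/0.20
"""

# A classful header such as '10.0.0.0/24 is subnetted' carries the prefix length
# of the entries below it; under 'variably subnetted' each entry carries its own.
SUBNET_HDR = re.compile(r"^\s+\d+(?:\.\d+){3}/(?P<plen>\d+) is (?P<variably>variably )?subnetted")
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9*]*)\s+(?P<ip>\d+(?:\.\d+){3})(?:/(?P<plen>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<via>\d+(?:\.\d+){3})|is directly connected)"
    r"(?:,.*?\s(?P<iface>[A-Za-z][\w/.]*))?$")

def parse_show_ip_route(text):
    """Return {'gateway': ip or None, 'routes': [...]}, each route with an IPv4Network prefix."""
    gateway, routes, inherited = None, [], None
    for line in text.splitlines():
        m = re.match(r"Gateway of last resort is (\S+) to network", line)
        if m:
            gateway = m.group(1)
            continue
        m = SUBNET_HDR.match(line)
        if m:
            inherited = None if m.group("variably") else int(m.group("plen"))
            continue
        m = ROUTE_LINE.match(line)
        if not m:
            continue                      # codes legend, blank lines, unknown formats
        plen = m.group("plen") or inherited
        if plen is None:
            raise ValueError(f"cannot determine prefix length: {line!r}")
        routes.append({"code": m.group("code"),
                       "prefix": ipaddress.IPv4Network(f"{m.group('ip')}/{plen}"),
                       "via": m.group("via"), "iface": m.group("iface")})
    return {"gateway": gateway, "routes": routes}

# Policy from the post (assumed ranges): 10.x.x.x is RED and may reach the
# Internet, 192.168.x.x is BLUE and may not.
USER_RANGES = {"RED": ipaddress.IPv4Network("10.0.0.0/8"),
               "BLUE": ipaddress.IPv4Network("192.168.0.0/16")}
INTERNET_VRFS = {"RED"}

def isolation_findings(tables, user_ranges=USER_RANGES, internet_vrfs=INTERNET_VRFS):
    """tables maps VRF name -> parsed output. Flags a default route where policy
    forbids one, a missing default where policy needs one, and any prefix that
    falls inside another VRF's user range (a leak between VRFs)."""
    out = []
    for vrf, table in tables.items():
        has_default = any(r["prefix"].prefixlen == 0 for r in table["routes"])
        if has_default and vrf not in internet_vrfs:
            out.append(f"{vrf}: default route present but policy gives it no Internet access")
        if not has_default and vrf in internet_vrfs:
            out.append(f"{vrf}: Internet VRF has no default route")
        for r in table["routes"]:
            for other, rng in user_ranges.items():
                if other != vrf and r["prefix"].prefixlen and r["prefix"].subnet_of(rng):
                    out.append(f"{vrf}: {r['prefix']} lies in {other}'s range {rng} (route leak)")
    return out
```

With the two tables from the post, isolation_findings returns an empty list; appending a 10.1.1.0/24 entry or an O*E2 default to the BLUE table produces one finding each. The route regex only handles the single-token codes that appear on this page (C, S, O, O*E2); two-token codes such as "O IA" would need the code group widened.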
I am leaving the OSPF adjacency of this topology up to you guys. The capability of VRF routing is exploited fully in MPLS, which we will see in upcoming posts.

All Router configuration files can be downloaded here.

Happy Networking. Enlightening packet paths every day.