A Brief Analysis of VRF (Virtual Routing and Forwarding)

 
Network Virtualization – Path Isolation
Network Virtualization makes most modern Path Isolation techniques in networking possible. Network Virtualization and Path Isolation are crucial in modern network design and implementation.

Tips: Virtualization is VRF in the router, VLAN in the switch, trunk (dot1q tagging) on the Ethernet link, context or VDOM on the firewall and VM on the server.


 
This was reason enough to create a blog post series giving an organized overview of the different approaches to implementing separate logical network partitions over the enterprise physical network.
 
EVER NEEDED ONE EXTRA ROUTER? IT’S POSSIBLE TO SPLIT THE ROUTER INTO MORE LOGICAL ROUTERS BY USING VRF. HOW? HERE’S HOW!

 
Virtual Routing and Forwarding, or VRF, allows a router to run more than one routing table simultaneously. When several routing tables run at the same time, they are completely independent. For example, you could use overlapping IP addresses inside several VRFs on the same router and they will function independently without conflict (you can see this kind of overlap in the example below). It is possible to use the same VRF instance on more routers and connect every instance separately using a VRF-dedicated router port or only a sub-interface.
 
VRFs are commonly used on the ISP (Internet Service Provider) side. Provider Edge (PE) routers usually run one VRF per customer *** so that one router can act as a PE router for multiple Customer Edge (CE) routers, even when several customers exchange the same subnets across the ***. With one VRF per customer, those subnets will never mix.

VRFs are used to create multiple virtual routers from one physical router.

 
Every VRF creates its own routing table and CEF table, basically a separate RIB (Routing Information Base) and FIB (Forwarding Information Base).
 
A VRF is created simply by entering this command on a Cisco router that supports VRFs:

ip vrf  MYTESTVRF

 
Once created, a VRF needs a route distinguisher in order to become functional. Route distinguishers are described a bit later. The route distinguisher (RD) for this VRF MYTESTVRF is configured with:

rd 111:1

 
Once created and configured with an RD, the VRF needs some interfaces which will be dedicated to it and can bring traffic into it. A router interface (or most probably a subinterface) is assigned to a VRF like this:

int gi1/0/1
    ip vrf forwarding MYTESTVRF

 
On an L3 switch, which is also a clever router, when we want a VLAN to become part of the VRF, we need to add the VLAN interface to the VRF, and all members of the VLAN will then be part of that VRF:

int VLAN 20
      ip vrf forwarding MYTESTVRF

Take into account that adding an interface to a VRF removes all existing IP addresses configured on that interface. It is done this way because it helps to avoid address duplication in the new routing table if an incautious engineer puts an interface with an IP address into a VRF that already has an interface with the same IP.

 
Once configured, traffic received on an interface which is a member of a VRF is routed and forwarded using that VRF's table.

 
When thinking of VRFs, the best example of something similar is VLAN trunking between two switches. A packet with a VLAN tag entering the trunk interconnection between two switches can only enter the same VLAN when arriving on the other switch. With VRFs it is the same, but done at L3 rather than at L2 as for VLANs, and there are no trunk ports but L3 sub-interfaces (or physical interfaces). Packets that enter a specific VRF will be forwarded with routes from that VRF’s routing table.
 
The example goes even further. Like VLANs that span multiple switches through a trunk port, VRFs can be extended across multiple devices as well, through sub-interfaces of an interconnection between two routers or with separate interconnections.
 
The connections are L3 sub-interfaces, usually Ethernet VLAN interfaces with dot1q encapsulation, the most common Layer 2 virtualisation technique used these days.
 
CONFIGURATION FOR BOTH EXAMPLES
FIRST EXAMPLE (TWO INTERCONNECTIONS)
R1:

ip vrf MYTESTVRF
  rd 111:1

interface Gi 1/0/1
description Global Routing Table Interconnect
ip address 10.10.10.1 255.255.255.252

interface Gi 1/0/2
description VRF MYTESTVRF Interconnect
ip vrf forwarding MYTESTVRF
ip address 10.10.10.1 255.255.255.252

 
R2:

ip vrf MYTESTVRF
  rd 111:1

interface Gi 1/0/1
description Global Routing Table Interconnect
ip address 10.10.10.2 255.255.255.252

interface Gi 1/0/2
description VRF MYTESTVRF Interconnect
ip vrf forwarding MYTESTVRF
ip address 10.10.10.2 255.255.255.252

SECOND EXAMPLE (DOT1Q TAGGED SUBINTERFACES)
 
R1:

ip vrf MYTESTVRF
  rd 111:1
interface Gi 1/0/1.10
description Global Routing Table Interconnect
encapsulation dot1q 10
ip address 10.10.10.1 255.255.255.252

interface Gi 1/0/1.20
description VRF MYTESTVRF Interconnect
encapsulation dot1q 20
ip vrf forwarding MYTESTVRF
ip address 10.10.10.1 255.255.255.252

 
R2:

ip vrf MYTESTVRF
  rd 111:1
interface Gi 1/0/1.10
description Global Routing Table Interconnect
encapsulation dot1q 10
ip address 10.10.10.2 255.255.255.252

interface Gi 1/0/1.20
description VRF MYTESTVRF Interconnect
encapsulation dot1q 20
ip vrf forwarding MYTESTVRF
ip address 10.10.10.2 255.255.255.252
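
The two behaviours described above (an interface address is dropped when `ip vrf forwarding` is applied after it, and identical addresses are only a conflict inside one routing table) can be checked offline against a saved configuration. This is an added example, not code from the original post: the `audit` function is hypothetical, and the sample is R1's interfaces from the first example with descriptions omitted, plus one constructed interface (Gi 1/0/3).

```python
import ipaddress
from collections import defaultdict

# R1's interfaces from the first example above, plus one constructed
# interface (Gi 1/0/3) that sets its address before the VRF mapping.
SAMPLE_CONFIG = """\
ip vrf MYTESTVRF
  rd 111:1
interface Gi 1/0/1
 ip address 10.10.10.1 255.255.255.252
interface Gi 1/0/2
 ip vrf forwarding MYTESTVRF
 ip address 10.10.10.1 255.255.255.252
interface Gi 1/0/3
 ip address 10.10.20.1 255.255.255.252
 ip vrf forwarding MYTESTVRF
"""

def audit(config):
    """Return ({table: [(interface, address)]}, [findings]) for an IOS-style config."""
    tables, findings, defined = defaultdict(list), [], set()
    name, vrf, addr = None, "global", None

    def flush():  # file the interface that just ended under its routing table
        if name and addr is not None:
            tables[vrf].append((name, addr))

    for line in map(str.strip, config.splitlines()):
        if line.startswith(("interface ", "int ")):
            flush()
            name, vrf, addr = line.split(None, 1)[1], "global", None
        elif line.startswith("ip vrf forwarding "):
            vrf = line.split()[3]
            if vrf not in defined:
                findings.append(f"{name}: VRF {vrf} is not defined")
            if addr is not None:  # joining a VRF strips the existing address
                findings.append(f"{name}: {addr} set before VRF mapping, removed")
                addr = None
        elif line.startswith("ip vrf "):
            defined.add(line.split()[2])
        elif name and line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
    flush()
    for table, entries in tables.items():  # overlap matters only inside one table
        for i, (n1, a1) in enumerate(entries):
            for n2, a2 in entries[i + 1:]:
                if a1.network.overlaps(a2.network):
                    findings.append(f"{table}: {n1} and {n2} overlap ({a1.network})")
    return dict(tables), findings
```

On the sample, 10.10.10.1/30 appears once in `global` and once in `MYTESTVRF` without a finding, while Gi 1/0/3 is reported because its address would be lost.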

 
ICMP TEST EXAMPLE
Pinging from Gi 1/0/1 to Gi 1/0/1 on the other side within the Global Routing Table is a straightforward ping:
R1:

ping 10.10.10.2

If you want to ping the same (but other) IP address, the one that is inside VRF MYTESTVRF, you need to initiate the ping within that VRF on R1:
 

ping vrf MYTESTVRF 10.10.10.2

The example above shows both solutions, although the subinterface example is the one used in the real world most of the time. We are extending VRF MYTESTVRF to the other router (R2) by configuring the interconnection interfaces with the VRF mapping configuration (ip vrf forwarding inside the interface configuration). In this way each interconnection forwards the traffic for its mapped VRF.
 
The Global Routing table is basically VRF 0: the first RIB and FIB, which need no mapping because they exist by default, and all L3 interfaces on the router are part of the Global Routing table by default. When expanding VRF MYTESTVRF we use one interconnection, but we need to use another interconnection for the Global Routing table.
 

We can look at the Global Routing table as the first (native) VRF on a router with more VRFs configured. This is also known as the Global VRF, existing on all routers, with all interfaces assigned to it by default.

 
VRF LITE
The method of expanding several VRFs across multiple devices by using separate sub-interfaces or separate interconnection links is known as VRF Lite. This is basically the most lightweight way of running ***s.
 
Being the simplest way of creating non-overlapping ***s in a network has some downsides too. This way of doing VRF expansion has poor scalability. You need a dedicated link between two routers for every *** (or a dedicated sub-interface of one link). If you need many VRFs, you will need many provisioned connections between routers.
 

ROUTE DISTINGUISHERS
Remember from above, this is basic VRF config:

ip vrf MYTESTVRF
  rd 111:1

111 and 1 are 32-bit integers. The Route Distinguisher is used to label every route from a VRF routing table with a 64-bit prefix. This lets the router distinguish which prefixes belong to which VRF (different routing tables), so that prefixes from different VRFs are not mixed up. The format for the RD should be ASN:NN, with ASN meaning the autonomous system number and NN the VRF number inside the router. The other way to configure it is IP-Address:NN, IP being the router IP address and NN the VRF number.

RIB AND FIB OVERVIEW

· RIB = Routing Information Base. Technically, each and every routing protocol has its own RIB (routing database), all of which are tied together to make the main RIB, or routing table.
· FIB = Forwarding Information Base. Essentially this is your CEF table, prepopulated with all the information needed for actual forwarding to occur, which includes L2 reachability information for the next-hop addresses in the RIB.
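
The route distinguisher formats described above, as an added example that is not part of the original post: it encodes an RD into the 8-byte wire form of RFC 4364 (a 2-byte type followed by a 6-byte value) and shows that the same subnet carried with two different RDs yields two distinct route keys. The function names are hypothetical, and RD 111:2 and the interface names used as next hops are constructed for illustration.

```python
import ipaddress
import struct

def encode_rd(text):
    """Encode 'ASN:NN' or 'IP-Address:NN' as the 8-byte RD defined in RFC 4364."""
    admin, _, number = text.rpartition(":")
    nn = int(number)
    if "." in admin:      # type 1: 4-byte IPv4 address + 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, nn)
    asn = int(admin)
    if asn <= 0xFFFF:     # type 0: 2-byte ASN + 4-byte number
        return struct.pack("!HHI", 0, asn, nn)
    return struct.pack("!HIH", 2, asn, nn)  # type 2: 4-byte ASN + 2-byte number

def vpnv4_key(rd_text, prefix):
    """Key a route by RD + network address, plus the prefix length."""
    net = ipaddress.ip_network(prefix)
    return encode_rd(rd_text) + net.network_address.packed, net.prefixlen

def merge_routes(routes):
    """Merge (rd, prefix, next_hop) tuples into one table and report key collisions."""
    table, collisions = {}, []
    for rd, prefix, next_hop in routes:
        key = vpnv4_key(rd, prefix)
        if key in table:
            collisions.append((rd, prefix))
        table[key] = next_hop
    return table, collisions

# Constructed routes: the page's RD 111:1, plus a second, hypothetical VRF
# with RD 111:2 that reuses the same subnet.
ROUTES = [
    ("111:1", "10.10.10.0/30", "Gi 1/0/2"),
    ("111:2", "10.10.10.0/30", "Gi 1/0/3"),
]

if __name__ == "__main__":
    table, collisions = merge_routes(ROUTES)
    for (key, plen), next_hop in table.items():
        print(key.hex(), f"/{plen}", "->", next_hop)
    print("collisions:", collisions)
```

A value that does not fit its field (for example a number above 65535 after an IP address) raises `struct.error` instead of being silently truncated.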
