Table of Contents
VPN Routing and Forwarding (VRF)-Lite Software Configuration Guide for Cisco 1000 Series Connected Grid Routers (Cisco IOS)
Information About VRF-lite
VRF-Aware Services
Prerequisites
Guidelines and Limitations
D efault Settings
Configuring VRF-lite
V erifying Configuration
Configuration Exampl e
R elated Documents
VPN Routing and Forwarding (VRF)-Lite Software Configuration Guide for Cisco 1000 Series Connected Grid Routers (Cisco IOS)
First Published: March 2014
OL-31240-01
With the VRF-lite feature, the Connected Grid 1000 Series Router (hereafter referred to as CGR 1000) supports multiple VPN routing and forwarding (VRF) instances to provide traffic isolation in an enterprise network. In this implementation, VRFs are used to segment a private physical infrastructure into virtual, isolated networks.
This document addresses both IPv4 and IPv6 VRF-lite.
Note The CGR 1000 does not use Multiprotocol Label Switching (MPLS) for VRF-lite.
This chapter includes the following topics:
Information About VRF-lite
VRF-lite provides traffic isolation by using input interfaces to distinguish routes for different VLANs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs and loopback interfaces, but a Layer 3 interface cannot belong to more than one VRF at any time.
Note VRF-lite interfaces must be Layer 3 interfaces.
Figure 1 shows an example of a VRF-lite implementation for the CGR 1000.
Figure 1 VRF-lite Example
In Figure 1, two CGR 1000 routers are connected to the head-end router in a FlexVPN hub-and-spoke configuration. VRF Green is mapped to VLAN1, and VRF Orange is mapped to VLAN2. Each router has a serial interface, associated with a local IP address, to transport raw socket traffic from Remote Terminal Units (RTUs). Ethernet ports in VLAN2 and the loopback interface used by raw socket on each CGR 1000 are configured in VRF Orange so that traffic from those interfaces can be isolated and routed to SCADA Server A according to the FlexVPN tunnel configuration.
For more information about FlexVPN, see
FlexVPN Software Configuration Guide for Cisco 1000 Series Connected Grid Routers (Cisco IOS)
.
VRF-Aware Services
VRF-Aware services are services that run on multiple routing instances and that can be configured on a per-VRF basis. A VRF-aware service uses a VRF table rather than the global routing table for routing traffic associated with the service. Any configured VRF in the system can be specified for a VRF-aware service.
VRF-aware services are implemented in platform-independent modules. Each platform has its own limit on the number of VRFs it supports.
VRF-aware Domain Name System (DNS) is an example of a VRF-aware service. In VRF-aware DNS, a VRF table can be configured so that DNS can forward queries to name servers using the VRF table rather than the named DNS server in the global IP address space.
Ping is another example of a VRF-aware service. You can ping a host in a user-specified VRF.
In addition to services such as DNS and ping, the following CGR 1000 features are VRF-aware:
-
Raw Socket Transport
-
T101-T104 and DNP3-DNP3/IP protocol translation
Prerequisites
Planning for the network, including IP addressing, interface and VLAN details, traffic types, etc. must be completed.
Guidelines and Limitations
IPv4 and IPv6
-
VRF-lite interfaces must be Layer 3 interfaces.
-
Multiple VLANs share a router with VRF-lite, and each VLAN is associated with a VRF.
-
VRF-lite on the CGR 1000 does not support MPLS.
-
The CGR 1000 supports configuring VRF by using physical ports, VLAN SVIs, loopback interface, or a combination. You can connect SVIs through an access port or a trunk port.
-
A single VRF can be configured for both IPv4 and IPv6.
-
You can associate an interface with only one VRF. You cannot configure a VRF for IPv4 and a different VRF for IPv6 on the same interface.
-
IPv4 and/or IPv6 routing for a given VRF needs to be configured. You can use most routing protocols (BGP, OSPF, EIGRP, RIP and static routing).
IPv4-Specific
-
VRF-lite does not support IGRP and ISIS.
IPv6-Specific
-
VRF-aware ISISv6, RIPng, IPv6 Multicast Routing (MVRF), and PIMv6 are not supported.
Default Settings
If no commands have yet been entered to specify a VRF, the system's default configuration is as follows:
|
|
VRF
|
Disabled. No VRFs are defined.
|
Maps
|
No import maps, export maps, or route maps are defined.
|
VRF maximum routes
|
None.
|
Forwarding table
|
The default for an interface is the global routing table.
|
Configuring VRF-lite
In earlier Cisco IOS releases, you created a VRF to be applied only to an IPv4 address family (single-protocol VRF) by entering the
ip vrf
command. To activate the single-protocol VRF on an interface, you entered the
ip vrf forwarding
(interface configuration) command.
You can now define multiple address families under the same VRF or configure separate VRFs for each IPv4 or IPv6 address family by entering the
vrf definition
command. To activate the multiprotocol VRF on an interface, you enter the
vrf forwarding
command. A given VRF, identified by its name and a set of policies, can apply to both an IPv4 VPN and an IPv6 VPN at the same time. This VRF can be activated on a given interface, even though the routing and forwarding tables are different for the IPv4 and IPv6 protocols.
The procedure and examples in this document use the multiprotocol CLI.
Note You can still use the single-protocol CLI to define an IPv4 address within a VRF and an IPv6 address in the global routing table on the same interface.
DETAILED STEPS
|
|
|
Step 1
|
configure terminal
|
Enters global configuration mode.
|
Step 2
|
ipv6 unicast-routing
|
Enables IPv6 routing.
This command is mandatory for IPv6 routing; IPv4 routing is enabled by default.
|
Step 3
|
vrf definition
vrf-name
|
Names the VRF and enters VRF configuration mode.
|
Step 4
|
rd
route-distinguisher
|
(Optional) Creates a VRF table by specifying a route distinguisher. Enter either an Autonomous System number and an arbitrary number (xxx:y) or an IP address and arbitrary number (A.B.C.D:y).
|
Step 5
|
address-family
ipv4
|
ipv6
|
(Optional) IPv4 by default. You must specify ipv6 for IPv6 VRFs.
|
Step 6
|
route-target
{
export
|
import
|
both
}
route-target-ext-community
|
(Optional) Creates a list of import, export, or import and export route target communities for the specified VRF. Enter either an AS system number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y).
Note This command is effective only if BGP is running.
|
Step 7
|
exit-address-family
|
Exits from address-family configuration mode.
|
Step 8
|
import map
route-map
|
(Optional) Associates a route map with the VRF.
|
Step 9
|
interface
{
interface-id | subinterface-id | vlan-id
}
|
Enters interface configuration mode and specifies the Ethernet interface, subinterface, or VLAN to be associated with the VRF.
|
Step 10
|
vrf forwarding
vrf-name
|
Associates the VRF with the Layer 3 interface.
|
Step 11
|
end
|
Returns to privileged EXEC mode.
|
Step 12
|
show vrf [ipv4 | ipv6] [interface | brief | detail | id | select | lock] [
vrf-name
]
|
Displays information about the configured VRFs.
|
Step 13
|
copy running-config startup-config
|
(Optional) Saves your entries in the configuration file.
|
Use the
no vrf definition
vrf-name
global configuration command to delete a VRF and to remove all interfaces from it.
Use the
no vrf forwarding
interface configuration command to remove an interface from the VRF.
EXAMPLE
This example configures an IPv6 VRF on an Ethernet interface:
Router# configure terminal Router(config)# ipv6 unicast-routing Router(config)# vrf definition red Router(config-vrf)# rd 100:1 Router(config-vrf)# address family ipv6 Router(config-vrf-af)# route-target both 200:1 Router(config-vrf-af)# exit-address-family Router(config-vrf)# interface Ethernet0/1 Router(config-if)# vrf forwarding red Router(config-if)# ipv6 address 5000::72B/64
This example configures an IPv4 VRF on an Ethernet subinterface:
Router# configure terminal Router(config)# ip routing Router(config)# vrf definition vrf1 Router(config-vrf)# rd 100:1 Router(config-vrf)# address family ipv4 Router(config-vrf)# route-target export 100:1 Router(config-vrf-af)# exit-address-family Router(config-vrf)# interface Fa0/0.1 Router(config-subif)# vrf forwarding vrf1 Router(config-subif)# end
This example configures an IPv6 VRF on a VLAN:
Router(config)# ipv6 routing Router(config)# vrf definition red Router(config-vrf)# rd 100:1 Router(config-vrf)# address family ipv6 Router(config-vrf-af)# route-target both 200:1 Router(config-vrf-af)# exit-address-family Router(config-vrf)# interface vlan vlan1 Router(config-if)# vrf forwarding red Router(config-if)# ipv6 address 5000::72B/64
Verifying Configuration
|
|
show vrf [ipv4 | ipv6] [interface | brief | detail | id | select | lock] [
vrf-name
]
|
Displays information about the defined VRF instances.
|
show ip protocols vrf
vrf-name
|
Displays routing protocol information associated with a VRF.
|
show ip route vrf
vrf-name
[
connected
] [
protocol
[
as-number
] [
list
[
list-number
]] [
mobile
] [
odr
] [
profile
] [
static
] [
summary
][
supernets-only
]
|
Displays IP routing table information associated with a VRF.
|
show ipv6 route vrf
{
vrf-name
|
vrf-number
} [
tag
{
tag-value
|
tag-value-dotted-decimal
[
mask
] } ]
|
Displays the routing protocol information associated with a VRF.
|
When you configure VRF table “a” with the IPv6 address family and attach the VRF to the interface with IPv6 address 1::2/64, the
show ipv6 route vrf a
command displays the following output:
Router# show ipv6 route vrf a IPv6 Routing Table - a - 3 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 via GigabitEthernet7/1, directly connected via GigabitEthernet7/1, receive
Configuration Example
This section shows an example VRF-lite configuration with FlexVPN tunnels. In this example, a CGR 1000 acts as the FlexVPN spoke where end devices such as meters and RTUs are attached. The CGR is connected to redundant ASR hubs and has the following VRFs defined:
-
VRF METER is defined for forwarding IPv6 traffic from smart meters through a GRE IPv4 over FlexVPN tunnel.
-
VRF RTU is defined for IEC 101 to 104 protocol translation and TCP raw socket traffic. This configuration uses the VRF-aware and VRF-lite features to forward the RTU traffic to redundant hubs over IPSec tunnels.
-
VRF CC is defined for forwarding the protocol translation traffic to the SCADA control center.
aaa authentication login default local aaa authorization network default local multilink bundle-name authenticated username cisco privilege 15 password 0 cisco crypto ikev2 authorization policy METER-POL route set access-list ipv6 IPV6_Default_Route crypto ikev2 authorization policy CC-POL no crypto ikev2 policy default match identity remote address 0.0.0.0 identity local fqdn 1.scada.com authentication remote pre-share authentication local pre-share aaa authorization group psk list default CC-POL crypto ikev2 profile METER match identity remote address 0.0.0.0 identity local fqdn 1.ams.com authentication remote pre-share authentication local pre-share aaa authorization group psk list default METER-POL crypto ikev2 dpd 10 3 periodic crypto ipsec transform-set trans esp-3des esp-sha-hmac crypto ipsec profile METER no crypto ipsec profile default ip address 209.165.200.225 255.255.255.254 ipv6 address 2001:DB8:1::1/128 description Tunnel to ASR-1 for METER ip address 10.12.8.2 255.255.255.0 ipv6 address FE80::10 link-local tunnel source GigabitEthernet2/1 tunnel destination 172.16.0.1 tunnel protection ipsec profile METER description Tunnel to ASR-2 for METER ip address 10.12.9.2 255.255.255.0 ipv6 address FE80::20 link-local tunnel source GigabitEthernet2/1 tunnel destination 172.16.1.0 tunnel protection ipsec profile METER description Tunnel to ASR-1 for CC ip address 10.1.1.1 255.255.255.0 tunnel source GigabitEthernet2/1 tunnel destination 172.17.0.1 tunnel protection ipsec profile CC description Tunnel to ASR-2 for CC ip address 10.1.20.2 255.255.255.0 tunnel source GigabitEthernet2/1 tunnel destination 172.16.0.1 tunnel protection ipsec profile CC interface GigabitEthernet0/1 interface FastEthernet2/3 interface FastEthernet2/4 interface FastEthernet2/5 interface FastEthernet2/6 interface FastEthernet2/7 ip address 10.31.7.17 255.255.255.252 interface FastEthernet2/8 interface GigabitEthernet2/1 service-policy output OUTBOUND interface GigabitEthernet2/2 ip address 10.108.1.27 255.255.255.0 interface Virtual-Template1 type tunnel tunnel path-mtu-discovery tunnel protection ipsec profile AMI interface Virtual-Template2 type tunnel tunnel path-mtu-discovery tunnel protection ipsec profile AMI interface Virtual-Template31 type tunnel tunnel path-mtu-discovery tunnel protection ipsec profile CC interface Virtual-Template32 type tunnel tunnel path-mtu-discovery tunnel protection ipsec profile CC ! Interface used for TCP Raw-sockets ip address 10.31.7.28 255.255.255.252 ! Interface used for IEC 60870-101 to 104 conversion ipv6 access-list FlexVPN_Client_v6_LAN sequence 20 permit ipv6 2001:DB8:0:1:FFFF:1234::/64 any permit ipv6 host 2001:DB8:1::1 any ipv6 access-list IPV6_Default_Route permit ipv6 2001:DB8:2::1/48 any bind-to-interface Async1/2 attach-to-channel t101_ch1 attach-to-session t101_ch1_ss1 tcp-connection 0 local-port default remote-ip 10.31.7.49/0 vrf CC attach-to-channel t104_ch1 attach-to-session t104_ch1_ss1 map-to-sector t101_ch1_ss1_sc1 raw-socket tcp client 10.31.7.3 5001
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see
What’s New in Cisco Product Documentation
at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
.
Subscribe to
What’s New in Cisco Product Documentation
, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the
“Related Documents” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks
. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
No combinations are authorized or intended under this document.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2014 Cisco Systems, Inc. All rights reserved.