Monday, June 8, 2009

VRF-LITE

VRF-lite (Virtual Routing & Forwarding) is a handy construct for keeping data segregated within a network. It can be thought of as a kind of meta-VLAN.

One customer, who has a number of branch offices, has a Cisco CallManager solution spanning those sites. Each site has an internet connection. Three sites are in a single metro area and are linked with metro links as well as tunnels. A fourth site is in another country. The three sites are linked to the fourth site through IPsec tunnels. Four different providers are used.

From a real usage perspective, there are six tunnels of consequence: the three tunnels from the metro area to the single site, and the three return tunnels from the single site to the three grouped metro sites. Each of those six tunnels can be categorized in terms of a voice quality metric.

The design puzzle was to come up with a mechanism to route data across one set of tunnels and voice across a different set of tunnels, in order to make best use of the measured delay, jitter, and loss metrics. Policy Based Routing (PBR) was one solution but was rejected due to its scalability problems (i.e., lack thereof).

The idea that was finally implemented was to use VRFs to segregate voice from data while still allowing one to reach the other. The design yielded side benefits: it provides a method to keep guest traffic separate, a method to get external addresses to different parts of the network, and a mechanism to improve secure access to network devices.

VRFs allow a routing process per VRF, thus facilitating the use of routing's built-in automated route selection and failover. By assigning costs to certain routes, those routes can be prioritized by whatever criteria you choose.

As another auditing consultant pointed out, the configuration does get complex, but no suitable alternative solution was offered, which says something in itself. Perhaps others can offer something better; I am open to suggestions.

In the example, 192.18.x.x addresses simulate external addresses, and 192.168.x.x addresses simulate internal addresses. Interface s0/0/0 is the external internet interface, f0/0 is a trunked interface to the interior network, and f0/1 is an interface to the firewall.

As you can see, there is an OSPF routing process per VRF, thus facilitating independent routing of each traffic type.

The example incorporates a bunch of features I've encountered in my searches of Cisco's documentation sites, Cisco's forums, Cisco TAC, and Cisco's two-volume 'Implementing MPLS VPN' book set.

The example highlights a number of functions:

  • make internet-connected links members of an external VRF (vrfExterior)
  • external addresses can therefore be routed between buildings and providers
  • external addresses can therefore cross-pollinate firewalls as a measure of redundancy
  • make internal links members of the global routing table with RFC 1918 addresses
  • external addresses are kept separate from internal addresses
  • allows flexible use of equipment when hardware budgets are restricted
  • IPsec-encrypted tunnels can carry VRFs between sites
  • each inter-site tunnel requires a separate loopback (per Cisco's docs)
  • a Guest VRF is kept totally separate from the Corporate Voice and Data networks
  • Multiprotocol BGP is used to route between vrfData and vrfVoice
  • special attention must be paid to the redistribution statements to make best use of OSPF internal, external type 1 and external type 2 routes (external type 2 is not redistributed)
  • with careful redistribution, 'sho ip ospf vrf vrfVoice' shows which routes originate in the VRF and which originate outside it, which facilitates troubleshooting and documentation
  • some will argue that carrying guest traffic on the corporate hardware is a no-no; how do others feel about that?
!
ip cef
!
ip vrf vrfData
 description Server, Workstation, Printer data
 rd 65400:300
 route-target export 65400:300
 route-target import 65400:300
 route-target import 65400:400
!
ip vrf vrfExterior
 description Exterior BGP routed data
 rd 65400:200
 route-target export 65400:200
 route-target import 65400:200
!
ip vrf vrfGuest
 description Guest Wireless & Wired
 rd 65400:500
 route-target export 65400:500
 route-target import 65400:500
!
ip vrf vrfVoice
 description Voice Servers, Phones & Gateways
 rd 65400:400
 route-target export 65400:400
 route-target import 65400:400
 route-target import 65400:300
!
!
crypto keyring key4Exterior vrf vrfExterior
  pre-shared-key address 0.0.0.0 0.0.0.0 key 
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto ipsec transform-set transForTunnels esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile profForTunnels
 set transform-set transForTunnels 
!
interface Loopback10000
 description OSPF ID
 ip address 192.168.5.254 255.255.255.255
!
interface Loopback10001
 description eBGP ID
 ip vrf forwarding vrfExterior
 ip address 192.18.164.191 255.255.255.255
!
interface Loopback10011
 description Global Routing
 ip vrf forwarding vrfExterior
 ip address 192.18.10.1 255.255.255.255
!
interface Loopback10012
 description vrfExterior
 ip vrf forwarding vrfExterior
 ip address 192.18.10.2 255.255.255.255
!
interface Loopback10013
 description vrfData
 ip vrf forwarding vrfExterior
 ip address 192.18.10.3 255.255.255.255
!
interface Loopback10014
 description vrfVoice
 ip vrf forwarding vrfExterior
 ip address 192.18.10.4 255.255.255.255
!
interface Loopback20000
 ip vrf forwarding vrfExterior
 ip address 192.168.5.224 255.255.255.255
!
interface Loopback30000
 ip vrf forwarding vrfData
 ip address 192.168.5.225 255.255.255.255
!
interface Loopback40000
 ip vrf forwarding vrfVoice
 ip address 192.168.5.226 255.255.255.255
!
interface Loopback50000
 ip vrf forwarding vrfGuest
 ip address 192.168.5.227 255.255.255.255
!
interface Tunnel100101
 description Global Building1 - Building2
 bandwidth 1000
 ip address 192.168.5.69 255.255.255.252
 ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5 
 ip ospf mtu-ignore
 load-interval 30
 qos pre-classify
 keepalive 10 3
 tunnel source Loopback10011
 tunnel destination 192.18.20.1
 tunnel mode ipsec ipv4
 tunnel vrf vrfExterior
 tunnel protection ipsec profile profForTunnels
 max-reserved-bandwidth 100
 service-policy output pmShapeTunnels
!
!
interface Tunnel200101
 description vrfExterior Building1 - Building2
 bandwidth 1000
 ip vrf forwarding vrfExterior
 ip address 192.168.5.77 255.255.255.252
 ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5 
 ip ospf mtu-ignore
 load-interval 30
 qos pre-classify
 keepalive 10 3
 tunnel source Loopback10012
 tunnel destination 192.18.20.2
 tunnel mode ipsec ipv4
 tunnel vrf vrfExterior
 tunnel protection ipsec profile profForTunnels
 max-reserved-bandwidth 100
 service-policy output pmShapeTunnels
!
interface Tunnel300101
 description vrfData Building1 - Building2
 bandwidth 1000
 ip vrf forwarding vrfData
 ip address 192.168.5.65 255.255.255.252
 ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5 
 ip ospf mtu-ignore
 load-interval 30
 qos pre-classify
 keepalive 10 3
 tunnel source Loopback10013
 tunnel destination 192.18.20.3
 tunnel mode ipsec ipv4
 tunnel vrf vrfExterior
 tunnel protection ipsec profile profForTunnels
 max-reserved-bandwidth 100
 service-policy output pmShapeTunnels
!
interface Tunnel400101
 description vrfVoice Building1 - Building2
 bandwidth 1000
 ip vrf forwarding vrfVoice
 ip address 192.168.5.73 255.255.255.252
 ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5 
 ip ospf mtu-ignore
 load-interval 30
 qos pre-classify
 keepalive 10 3
 tunnel source Loopback10014
 tunnel destination 192.18.20.4
 tunnel mode ipsec ipv4
 tunnel vrf vrfExterior
 tunnel protection ipsec profile profForTunnels
 max-reserved-bandwidth 100
 service-policy output pmShapeTunnels
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 no ip address
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
 service-policy output pmFastEthernet
!
interface FastEthernet0/0.199
 description Global Routing
 encapsulation dot1Q 199
 ip address 192.168.5.26 255.255.255.248
 ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5 
!
interface FastEthernet0/0.299
 description vrfExterior
 encapsulation dot1Q 299
 ip vrf forwarding vrfExterior
 ip address 192.168.5.106 255.255.255.248
 ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5 
!
interface FastEthernet0/0.399
 description vrfData 
 encapsulation dot1Q 399
 ip vrf forwarding vrfData
 ip address 192.168.5.34 255.255.255.248
 ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5 
!
interface FastEthernet0/0.499
 description vrfVoice
 encapsulation dot1Q 499
 ip vrf forwarding vrfVoice
 ip address 192.168.5.122 255.255.255.248
 ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5 
!
interface FastEthernet0/0.599
 description vrfGuest
 encapsulation dot1Q 599
 ip vrf forwarding vrfGuest
 ip address 192.168.5.130 255.255.255.248
 ip ospf authentication message-digest
! ip ospf message-digest-key 1 md5 
!
interface FastEthernet0/1
 description to Firewall
 ip vrf forwarding vrfExterior
 ip address 192.18.10.11 255.255.255.248
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 service-policy output pmFastEthernet
!
interface Serial0/0/0:0
 description Internet Access
 no ip address
 encapsulation frame-relay IETF
 ip route-cache flow
 load-interval 30
 frame-relay lmi-type ansi
 max-reserved-bandwidth 100
 service-policy output pmShapeSerialInterface
!
interface Serial0/0/0:0.1 point-to-point
 description Frame Relay to internet
 ip vrf forwarding vrfExterior
 ip address 192.18.10.33 255.255.255.252
 ip access-group aclBlockInbound in
 ip access-group aclBlockOutbound out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 170 IETF   
!
router ospf 200 vrf vrfExterior
 router-id 192.168.5.224
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 capability vrf-lite
 passive-interface FastEthernet0/1
 passive-interface Serial0/0/0:0.1
 passive-interface Loopback10001
 passive-interface Loopback10011
 passive-interface Loopback10012
 passive-interface Loopback10013
 passive-interface Loopback10014
 passive-interface Loopback20000
 network 192.168.5.56 0.0.0.7 area 0
 network 192.168.5.76 0.0.0.3 area 0
 network 192.168.5.92 0.0.0.3 area 0
 network 192.168.5.104 0.0.0.7 area 0
 network 192.168.5.224 0.0.0.0 area 0
 network 192.168.197.36 0.0.0.3 area 0
!
router ospf 300 vrf vrfData
 router-id 192.168.5.225
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 capability vrf-lite
 redistribute bgp 65400 metric 120 subnets
 passive-interface Loopback30000
 network 192.168.5.32 0.0.0.7 area 0
 network 192.168.5.64 0.0.0.3 area 0
 network 192.168.5.80 0.0.0.3 area 0
 network 192.168.5.112 0.0.0.7 area 0
 network 192.168.5.225 0.0.0.0 area 0
 network 192.168.197.40 0.0.0.3 area 0
!
router ospf 400 vrf vrfVoice
 router-id 192.168.5.226
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 capability vrf-lite
 redistribute bgp 65400 metric 120 subnets
 passive-interface Loopback40000
 network 192.168.5.48 0.0.0.7 area 0
 network 192.168.5.72 0.0.0.3 area 0
 network 192.168.5.88 0.0.0.3 area 0
 network 192.168.5.120 0.0.0.7 area 0
 network 192.168.5.226 0.0.0.0 area 0
 network 192.168.197.44 0.0.0.3 area 0
 default-information originate always
!
router ospf 500 vrf vrfGuest
 router-id 192.168.5.227
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 capability vrf-lite
 passive-interface Loopback50000
 network 192.168.5.40 0.0.0.7 area 0
 network 192.168.5.68 0.0.0.3 area 0
 network 192.168.5.84 0.0.0.3 area 0
 network 192.168.5.128 0.0.0.7 area 0
 network 192.168.5.227 0.0.0.0 area 0
!
router ospf 100
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 passive-interface Loopback10000
 network 192.168.5.4 0.0.0.3 area 0
 network 192.168.5.16 0.0.0.3 area 0
 network 192.168.5.20 0.0.0.3 area 0
 network 192.168.5.24 0.0.0.7 area 0
 network 192.168.5.68 0.0.0.3 area 0
 network 192.168.5.80 0.0.0.7 area 0
 network 192.168.5.254 0.0.0.0 area 0
 network 192.168.197.32 0.0.0.3 area 0
!
router bgp 65400
 no synchronization
 bgp router-id 192.18.164.191
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf vrfVoice
 redistribute ospf 400 vrf vrfVoice
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf vrfData
 redistribute ospf 300 vrf vrfData match internal external 1
 no synchronization
 exit-address-family
!
 
end
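The route-target statements above decide which VRFs can see each other's routes: vrfData and vrfVoice import each other's export target, while vrfGuest and vrfExterior import only their own. The following Python script is an added example, not part of the original post, that parses the 'ip vrf' blocks of an IOS configuration and reports that leaking graph, so the guest isolation claimed in the list above can be verified from the config itself rather than assumed. SAMPLE_CONFIG is a constructed excerpt of the configuration above.

```python
# Constructed excerpt of the 'ip vrf' blocks from the configuration above
# (only the lines this check needs; route-targets copied from the post).
SAMPLE_CONFIG = """\
ip vrf vrfData
 route-target export 65400:300
 route-target import 65400:300
 route-target import 65400:400
!
ip vrf vrfExterior
 route-target export 65400:200
 route-target import 65400:200
!
ip vrf vrfGuest
 route-target export 65400:500
 route-target import 65400:500
!
ip vrf vrfVoice
 route-target export 65400:400
 route-target import 65400:400
 route-target import 65400:300
!
"""


def parse_vrfs(config):
    """Return {vrf: {"import": {rt...}, "export": {rt...}}} from 'ip vrf' blocks."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if line.startswith("ip vrf "):
            current = line.split()[2]
            vrfs[current] = {"import": set(), "export": set()}
        elif current and line.startswith(" route-target "):
            _, direction, rt = line.split()  # direction is 'import' or 'export'
            vrfs[current][direction].add(rt)
        elif not line.startswith(" "):
            current = None  # '!' or another top-level command ends the block
    return vrfs


def leak_graph(vrfs):
    """For each VRF, the set of other VRFs whose exported routes it imports."""
    return {name: {other for other, o in vrfs.items()
                   if other != name and rts["import"] & o["export"]}
            for name, rts in vrfs.items()}


def isolated_vrfs(vrfs):
    """VRFs that import from no other VRF and are imported by none (true isolation)."""
    g = leak_graph(vrfs)
    return {v for v in g if not g[v] and not any(v in peers for peers in g.values())}
```

Running parse_vrfs on a full 'show running-config' export works the same way, since only the 'ip vrf' blocks are read; any VRF that unexpectedly drops out of isolated_vrfs after a change is worth a look.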
