📘CCNP Enterprise – ENARSI (300-410)
1. What is VRF-Lite?
VRF-Lite (Virtual Routing and Forwarding Lite) is a technology used on routers and Layer 3 devices that allows you to create multiple separate routing tables on a single router without the need for MPLS.
Key points:
- VRF-Lite isolates traffic for different customers, departments, or services.
- Each VRF has its own routing table, interfaces, and sometimes its own routing protocols.
- It’s “Lite” because it doesn’t require MPLS; it works entirely on a standalone router.
Think of it as a way to logically separate networks on the same physical device.
2. Why use VRF-Lite?
In enterprise networks, you may have:
- Multiple tenants or departments sharing the same router.
- Security requirements to segregate traffic.
- Need to run overlapping IP addresses in different departments.
VRF-Lite allows each group to have its own isolated network environment.
3. Core Concepts
Before configuring, understand these terms:
| Term | Explanation |
|---|---|
| VRF | A separate routing table. Can have its own interfaces and routing protocols. |
| RD (Route Distinguisher) | Used in MPLS VPNs to make routes unique. Not required in pure VRF-Lite. |
| RT (Route Target) | Also mostly used in MPLS VPNs. VRF-Lite doesn’t need RTs. |
| Interfaces in VRF | Physical or logical interfaces assigned to a VRF. They belong to that VRF’s routing table. |
| Overlapping IP addresses | VRFs allow reuse of the same IP addresses in different VRFs because routing is isolated. |
For the exam, focus on VRF creation, interface assignment, and verification.
4. Configuring VRF-Lite
The configuration involves 3 main steps:
Step 1: Create the VRF
Router(config)# ip vrf <VRF_NAME>
Router(config-vrf)# rd <optional-RD> # Not required for pure VRF-Lite
<VRF_NAME>: Name of the VRF (like SALES, HR, or CUSTOMER1).rdis optional for VRF-Lite; it’s mainly used in MPLS VPN.
Example:
ip vrf SALES
Step 2: Assign interfaces to the VRF
Router(config)# interface <INTERFACE_NAME>
Router(config-if)# ip vrf forwarding <VRF_NAME>
Router(config-if)# ip address <IP_ADDRESS> <SUBNET_MASK>
- You must assign the VRF before the IP address.
- This step moves the interface into the VRF’s routing table.
Example:
interface GigabitEthernet0/1
ip vrf forwarding SALES
ip address 10.1.1.1 255.255.255.0
Step 3: Configure routing inside the VRF
VRFs can run separate routing protocols, like OSPF, EIGRP, or BGP.
Example with OSPF:
router ospf 1 vrf SALES
network 10.1.1.0 0.0.0.255 area 0
Example with static routes:
ip route vrf SALES 0.0.0.0 0.0.0.0 10.1.1.254
- The
vrf <VRF_NAME>keyword tells the router that the route belongs to that VRF.
5. Verification Commands
Cisco provides commands to check VRF-Lite configuration and functionality:
| Command | Purpose |
|---|---|
show ip vrf | Displays all VRFs, interfaces, and route counts. |
show ip route vrf <VRF_NAME> | Shows routing table for that VRF only. |
ping vrf <VRF_NAME> <IP_ADDRESS> | Tests connectivity inside a VRF. |
traceroute vrf <VRF_NAME> <IP_ADDRESS> | Trace route inside the VRF. |
| `show run | section vrf` |
Example output:
Router# show ip vrf
Name Default RD Interfaces
SALES not set Gi0/1
HR not set Gi0/2
6. Key Exam Notes
- VRF-Lite does not require MPLS.
- Interfaces cannot belong to more than one VRF.
- VRFs isolate routing tables; overlapping IPs are fine.
- Routing protocols inside VRFs are independent unless you use route leaking.
- VRF-Lite is supported on routers and Layer 3 switches.
7. Optional Advanced: Route Leaking Between VRFs
Sometimes you need controlled communication between VRFs:
ip route vrf SALES 192.168.2.0 255.255.255.0 10.1.1.2
- This is a static route leak from one VRF to another.
- Exam might include basic route leaking scenarios, but focus more on VRF isolation and verification.
8. Summary for the Exam
- VRF-Lite = multiple isolated routing tables on one router.
- Steps:
- Create VRF → Assign interfaces → Configure routing inside VRF.
- Verification:
show ip vrf,show ip route vrf <VRF>,ping vrf <VRF>. - Key concepts: Isolation, overlapping IPs allowed, independent routing protocols.
- VRF-Lite is layer 3 only, does not require MPLS.
- Optional: route leaking can connect VRFs if needed.
