2.2 Configure and verify data path virtualization technologies
📘CCNP Encore (350-401-v1.1)
1. What is VRF?
VRF (Virtual Routing and Forwarding) is a technology that allows a single physical router or Layer 3 device to maintain multiple separate routing tables.
- Each VRF is like a separate “virtual router” inside the physical router.
- VRFs keep traffic separate even if it’s using the same physical interface.
- Think of it as network segmentation at Layer 3.
Key points:
- Each VRF has its own routing table.
- Each VRF can have its own interfaces.
- VRFs allow overlapping IP addresses between VRFs, because the traffic is isolated.
2. Why VRF is used in IT environments
VRFs are common in IT networks for segmentation and security:
- Multi-tenant environments:
- A data center or service provider may host multiple customers on the same router.
- Each customer gets its own VRF, keeping their traffic isolated.
- Network segmentation in enterprises:
- Different departments (HR, Finance, IT) can have their own VRFs for security.
- Even if IP ranges overlap between departments, traffic is isolated.
- Connecting to multiple service providers:
- VRFs allow the same router to connect to multiple ISPs with overlapping IPs without conflicts.
- MPLS networks:
- VRFs are widely used in MPLS VPNs to separate customer traffic over a shared backbone.
3. VRF Components
When you configure VRFs, you mainly deal with these components:
- VRF name – The unique identifier for the virtual routing instance.
- Routing table – Each VRF maintains its own routing table.
- Interfaces – Each VRF can have one or more interfaces assigned.
- RD (Route Distinguisher) – Used in MPLS environments to make IP addresses unique per VRF.
- RT (Route Target) – Used for importing/exporting routes between VRFs.
4. How VRF Works
- Interface assignment:
- You assign an interface to a VRF.
- Example:
interface GigabitEthernet0/1→vrf forwarding HR-VRF.
- Routing isolation:
- The interface now uses HR-VRF’s routing table, not the global routing table.
- Routes in HR-VRF are invisible to Finance-VRF.
- Forwarding:
- Packets coming into the interface are forwarded according to the VRF’s routing table.
- Packets leaving must belong to the same VRF unless you configure a route leak.
5. VRF Configuration (Basic)
Step 1: Create VRF
ip vrf HR-VRF
rd 100:1
rdis optional if you’re not using MPLS, but required in MPLS VPNs.
Step 2: Assign Interface
interface GigabitEthernet0/1
ip vrf forwarding HR-VRF
ip address 192.168.1.1 255.255.255.0
- Now this interface belongs to HR-VRF, isolated from the global routing table.
Step 3: Add routes
ip route vrf HR-VRF 0.0.0.0 0.0.0.0 192.168.1.254
- Adds a default route for HR-VRF only.
6. Verifying VRF Configuration
- Check VRF table
show ip vrf
- Lists all VRFs and assigned interfaces.
- Check routes per VRF
show ip route vrf HR-VRF
- Displays only routes inside the specific VRF.
- Ping inside VRF
ping vrf HR-VRF 192.168.1.2
- Allows testing connectivity within the VRF.
7. VRF Key Exam Points
- VRFs isolate routing; same IPs can exist in different VRFs.
- VRFs are not just MPLS; can be used in standalone Layer 3 devices.
- Interfaces must be explicitly assigned to a VRF.
- Routing leaks (sharing routes between VRFs) require import/export configuration.
- VRFs are commonly used for:
- Security segmentation
- Multi-tenant networks
- Service provider VPNs
Summary Table
| Feature | Description |
|---|---|
| VRF | Virtual routing table inside a router |
| Purpose | Traffic isolation and segmentation |
| Interface | Must be assigned to a VRF to use it |
| Overlapping IPs | Allowed between VRFs |
| MPLS | RD & RT used for route identification and import/export |
| Verification | show ip vrf, show ip route vrf <name>, ping vrf <name> |
VRFs are all about logical separation of networks. Once your students understand interfaces + routing tables + isolation, they can easily answer exam questions.
