Thursday, August 29, 2013

Virtual Routing and Forwarding

Use VRF-Lite in a SDN model networks

Nowadays we are surrounded by simplified networking models that take an abstracted approach to network management and operations. This abstracted approach is called Software Defined Networking and can simplify every network design.
Every routing node would be useless if it did not operate separate processes for every task we configure it to do. Virtual routing and forwarding allows multiple instances of a routing table to exist on the same physical device at the same time. This allows us to create VPNs that use the same address space. It also allows us to logically separate subnets inside these virtual tables. We can describe VRFs as similar to VLAN technology at Layer 2: every prefix is isolated in a separate VRF. In this blog I will demonstrate the VRF-Lite feature, which almost certainly every router can use. The following topology uses two customers connected to an ISP. Each of those customers has two sites.

Subnets at each of the customer sites are in a separate prefix, but both customers use the same RFC1918 IP address space. First we need to define the links to the customers and define the VRF tables.
Virtual routing and forwarding tables are easily created on the SP router with the ip vrf <name> command.
We will use the OSPF protocol to exchange routes between the sites and the service provider network. Now let us look at the config of the SP router.

SERVICE_PROVIDER
ip vrf CE_1
!
ip vrf CE_2
!
interface Loopback0
 ip address 100.100.100.1 255.255.255.255
!
interface Ethernet0/0
 description LINK_TO_CE1_1
 ip vrf forwarding CE_1             >> to turn on VRF table forwarding on the router use ip vrf
 ip address 10.0.0.1 255.255.255.252
 half-duplex
!
interface Ethernet0/1
 description LINK_TO_CE2_2
 ip vrf forwarding CE_2
 ip address 10.0.0.1 255.255.255.252
 half-duplex
!
interface Ethernet0/2
 description LINK_TO_CE1_2
 ip vrf forwarding CE_1
 ip address 10.0.1.1 255.255.255.252
 half-duplex
!
interface Ethernet0/3
 description LINK_TO_CE2_1
 ip vrf forwarding CE_2
 ip address 10.0.1.1 255.255.255.252
 half-duplex
!
router ospf 1 vrf CE_1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.1.0 0.0.0.3 area 0
!
router ospf 2 vrf CE_2
 log-adjacency-changes
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.1.0 0.0.0.3 area 0

Every link to CE_1 and CE_2 has the ip vrf forwarding command included. This tells the SP router to place every prefix learned from the routing protocol on that link into the corresponding VRF table.
We have created two VRF tables, CE_1 and CE_2, and associated every interface with its corresponding VRF table. A VRF table holds logically separated routing prefix information that is not known to the global table. We can see that the global table knows only its own connected routes. As for OSPF, every process can be associated with a particular VRF, so OSPF calculations are kept inside that VRF table and do not interleave with other tables. This is also a good security feature.
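As an added check (my own Python, not code from this post or from Cisco IOS), here is a small audit that parses a constructed IOS snippet in the same style as the SP config above and reports any interface that an OSPF VRF process's `network` statement covers but that was never bound with `ip vrf forwarding`, i.e. a CE link left sitting in the global table. Interfaces carrying the same address inside a different VRF are expected and are not flagged.

```python
import ipaddress

# Constructed sample (not the post's config): Ethernet0/3 lacks "ip vrf forwarding CE_2".
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip vrf forwarding CE_1
 ip address 10.0.0.1 255.255.255.252
interface Ethernet0/1
 ip vrf forwarding CE_2
 ip address 10.0.0.1 255.255.255.252
interface Ethernet0/3
 ip address 10.0.1.1 255.255.255.252
router ospf 1 vrf CE_1
 network 10.0.0.0 0.0.0.3 area 0
router ospf 2 vrf CE_2
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.1.0 0.0.0.3 area 0
"""

def parse_blocks(config):
    """Group indented IOS sub-commands under their top-level command."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" "):
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def audit_vrf_bindings(config):
    """Return (interface, vrf) pairs where a 'router ospf N vrf V' network
    statement covers an interface that is still in the global table."""
    intf_vrf, intf_addr, findings = {}, {}, []
    for header, body in parse_blocks(config):
        w = header.split()
        if w[0] == "interface":
            intf_vrf[w[1]] = None  # global table until "ip vrf forwarding" is seen
            for c in (cmd.split() for cmd in body):
                if c[:3] == ["ip", "vrf", "forwarding"]:
                    intf_vrf[w[1]] = c[3]
                elif c[:2] == ["ip", "address"]:
                    intf_addr[w[1]] = ipaddress.ip_address(c[2])
        elif w[:2] == ["router", "ospf"] and "vrf" in w:
            vrf = w[w.index("vrf") + 1]
            for c in (cmd.split() for cmd in body if cmd.startswith("network ")):
                # IOS wildcard is a hostmask; ipaddress accepts that notation
                net = ipaddress.ip_network(f"{c[1]}/{c[2]}", strict=False)
                for name, addr in intf_addr.items():
                    if addr in net and intf_vrf.get(name) is None:
                        findings.append((name, vrf))
    return findings
```

On IOS, `ip vrf forwarding` must precede `ip address` on the interface, because binding an interface to a VRF clears its existing address; the order used in the SP config above is correct.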

SERVICE_PROVIDER#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     100.0.0.0/32 is subnetted, 1 subnets
C       100.100.100.1 is directly connected, Loopback0

Now let us finish the configs on the customer routers. I will redistribute the loopbacks of the CE routers, using the subnets shown in the topology graphic. Every CE router will also run an OSPF process to exchange routes between the CE sites.

CE1_1
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
 half-duplex
!
router ospf 1
 log-adjacency-changes
 redistribute connected metric 10 subnets
 network 10.0.0.0 0.0.0.3 area 0

CE2_2
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
 half-duplex
!
router ospf 1
 log-adjacency-changes
 redistribute connected metric 10 subnets
 network 10.0.0.0 0.0.0.3 area 0

CE2_1
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.1.2 255.255.255.252
 half-duplex
!
router ospf 1
 log-adjacency-changes
 redistribute connected metric 10 subnets
 network 10.0.1.0 0.0.0.3 area 0

CE1_2
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.1.2 255.255.255.252
 half-duplex
!
router ospf 1
 log-adjacency-changes
 redistribute connected metric 10 subnets
 network 10.0.1.0 0.0.0.3 area 0

The customer routers have now stored the OSPF routes from their other sites in the routing table, so every customer has connected its sites and exchanged routes. We can test this.

CE1_2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
O E2    172.16.1.0 [110/10] via 10.0.1.1, 00:14:19, Ethernet0/0
     10.0.0.0/30 is subnetted, 2 subnets
O       10.0.0.0 [110/20] via 10.0.1.1, 00:14:19, Ethernet0/0
C       10.0.1.0 is directly connected, Ethernet0/0
C    192.168.1.0/24 is directly connected, Loopback0

CE1_1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Ethernet0/0
O       10.0.1.0 [110/20] via 10.0.0.1, 00:14:51, Ethernet0/0
O E2 192.168.1.0/24 [110/10] via 10.0.0.1, 00:14:51, Ethernet0/0

Let us now ping from one CE_1 site to the loopback LAN address of the other CE_1 site.

CE1_1#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/32/48 ms

We have a working data plane over the service provider infrastructure. Our routes, using the same private address space, are stored in separate VRFs, and the customers can communicate via the same physical router.
We can also verify the VRF routing table on the SP router.

SERVICE_PROVIDER#sh ip route vrf CE_1
Routing Table: CE_1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
O E2    172.16.1.0 [110/10] via 10.0.0.2, 00:17:10, Ethernet0/0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Ethernet0/0
C       10.0.1.0 is directly connected, Ethernet0/2
O E2 192.168.1.0/24 [110/10] via 10.0.1.2, 00:17:10, Ethernet0/2

This is Layer 3 virtualization of routing information. It is a cool feature and heavily used under the production hood. There is much more to write on this subject in complex scenarios, so more to come.

Feel free to comment.
