VRF Selection Using Policy Based Routing

This is quite a powerful feature, and it most certainly could come in handy with certain corner cases.

A layer3 interface on a PE router can only be part of a single VRF. Or can it? I know a physical interface could be carved into multiple subinterfaces, each in their own VRF. But what if I want to have a single subinterface inside multiple VRFs at the same time?

With VRF selection using PBR, a route-map applied to the ingress interface determines which VRF a packet belongs to. Generally this would match on source or destination address, but it could even match things like packet size if you really want to go crazy…

Let’s use the following topology:

R2 and R5 are my PE routers. No P router for now. They are running simple LDP and peering with each other via a VPNv4 MP-BGP session.

R3 is a customer in VRF 3. R4 is a customer in VRF 4. R1 is acting as a server with multiple loopback interfaces (1.1.1.3 and 1.1.1.4). I want to ensure that when R1 sends packets with a source address of 1.1.1.3, they end up in VRF 3. When it sends a packet with a source address of 1.1.1.4, it needs to get into VRF 4.

Configuration

CPE Config

All the CPE routers have their loopback configured and have a static route pointing to their connected PE:

R1:

interface Loopback3
 ip address 1.1.1.3 255.255.255.255
!
interface Loopback4
 ip address 1.1.1.4 255.255.255.255
!
interface GigabitEthernet1/0
 ip address 10.1.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.2.2

R3:

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet1/0
 ip address 10.0.35.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.35.5

R4:

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet1/0
 ip address 10.0.45.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.45.5

PE Config

R5 has a relatively simple configuration. Create the two VRFs. Create two static routes to the CPE’s loopbacks. Share this information over BGP.

R5:

vrf definition 3
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 !
 address-family ipv4
 exit-address-family
!
vrf definition 4
 rd 4:4
 route-target export 4:4
 route-target import 4:4
 !
 address-family ipv4
 exit-address-family
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
 ip ospf 1 area 0
!
interface GigabitEthernet1/0
 ip address 10.0.25.5 255.255.255.0
 ip ospf 1 area 0
!
interface GigabitEthernet2/0
 vrf forwarding 3
 ip address 10.0.35.5 255.255.255.0
!
interface GigabitEthernet3/0
 vrf forwarding 4
 ip address 10.0.45.5 255.255.255.0
!
router ospf 1
 mpls ldp autoconfig area 0
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 3
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf 4
  redistribute static
 exit-address-family
!
ip route vrf 3 3.3.3.3 255.255.255.255 10.0.35.3
ip route vrf 4 4.4.4.4 255.255.255.255 10.0.45.4

R2 is where the policy-based routing occurs. The configuration specifies that if a packet arrives with a source address of 1.1.1.3, its forwarding lookup is done in VRF 3. If it arrives with a source address of 1.1.1.4, the lookup is done in VRF 4.

R2 also has a static route to each of these source addresses in the corresponding VRF and advertises them over MP-BGP.

vrf definition 3
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 !
 address-family ipv4
 exit-address-family
!
vrf definition 4
 rd 4:4
 route-target export 4:4
 route-target import 4:4
 !
 address-family ipv4
 exit-address-family
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1/0
 ip vrf receive 3
 ip vrf receive 4
 ip address 10.1.2.2 255.255.255.0
 ip policy route-map VRF_PBR
!
interface GigabitEthernet2/0
 ip address 10.0.25.2 255.255.255.0
 ip ospf 1 area 0
!
router ospf 1
 mpls ldp autoconfig area 0
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 5.5.5.5 remote-as 100
 neighbor 5.5.5.5 update-source Loopback0
 !
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 3
  network 1.1.1.3 mask 255.255.255.255
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf 4
  network 1.1.1.4 mask 255.255.255.255
  redistribute static
 exit-address-family
!
ip route vrf 3 1.1.1.3 255.255.255.255 GigabitEthernet1/0 10.1.2.1
ip route vrf 4 1.1.1.4 255.255.255.255 GigabitEthernet1/0 10.1.2.1
!
access-list 3 permit 1.1.1.3
access-list 4 permit 1.1.1.4
!
route-map VRF_PBR permit 10
 match ip address 3
 set vrf 3
!
route-map VRF_PBR permit 20
 match ip address 4
 set vrf 4

The config is a bit long so let’s break it down. First of all, the VRFs still need to be defined on R2, even though no local interface is placed in either VRF.

The CPE-facing interface is like so:

interface GigabitEthernet1/0
 ip vrf receive 3
 ip vrf receive 4
 ip address 10.1.2.2 255.255.255.0
 ip policy route-map VRF_PBR

Notice that the interface itself is not in any VRF, i.e. the 10.1.2.2 address sits in the global routing table. The ip vrf receive lines install the interface’s connected route into VRF 3 and VRF 4, so that traffic inside each VRF can be forwarded back out towards R1.

Next the PE needs routes back to R1’s loopbacks. These need to be in each local VRF.

ip route vrf 3 1.1.1.3 255.255.255.255 GigabitEthernet1/0 10.1.2.1
ip route vrf 4 1.1.1.4 255.255.255.255 GigabitEthernet1/0 10.1.2.1

We now need to set up our policy:

access-list 3 permit 1.1.1.3
access-list 4 permit 1.1.1.4
!
route-map VRF_PBR permit 10
 match ip address 3
 set vrf 3
!
route-map VRF_PBR permit 20
 match ip address 4
 set vrf 4

A source of 1.1.1.3 gets sent to VRF 3 while 1.1.1.4 gets sent to VRF 4.
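To show the first-match behaviour of this policy without a router, here is an added Python model (my own illustration, not code from the post or an IOS feature). It parses the R2 ACL and route-map lines quoted above and returns, per source address, the VRF the lookup would use, or 'global' where no clause matches and IOS routes the packet normally. It goes beyond the post in also accepting host, wildcard and any ACL entries; ignoring deny entries and supporting only contiguous wildcards are my assumptions.

```python
import ipaddress

# Constructed copy of the R2 policy from the post (standard ACLs + route-map).
R2_POLICY = """
access-list 3 permit 1.1.1.3
access-list 4 permit 1.1.1.4
route-map VRF_PBR permit 10
 match ip address 3
 set vrf 3
route-map VRF_PBR permit 20
 match ip address 4
 set vrf 4
"""

def _acl_entry(tokens):
    """Tokens after 'permit': any | host A | A | A WILDCARD (contiguous wildcards only)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host" or len(tokens) == 1:
        return ipaddress.ip_network(tokens[-1] + "/32")
    wildcard = int(ipaddress.ip_address(tokens[1]))
    return ipaddress.ip_network(f"{tokens[0]}/{32 - wildcard.bit_length()}", strict=False)

def parse_policy(text):
    """Return ({acl: [networks]}, [clauses sorted by sequence]); deny ACEs are ignored."""
    acls, clauses, cur = {}, [], None
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "access-list" and tok[2] == "permit":
            acls.setdefault(tok[1], []).append(_acl_entry(tok[3:]))
        elif tok[0] == "route-map":
            cur = {"seq": int(tok[3]), "action": tok[2], "acl": None, "vrf": None}
            clauses.append(cur)
        elif tok[:3] == ["match", "ip", "address"]:
            cur["acl"] = tok[3]
        elif tok[:2] == ["set", "vrf"]:
            cur["vrf"] = tok[2]
    return acls, sorted(clauses, key=lambda c: c["seq"])

def select_vrf(src, acls, clauses):
    """First-match evaluation as IOS PBR does it. The VRF is chosen purely by source
    address; anything no permit clause matches falls through to normal ('global') routing."""
    ip = ipaddress.ip_address(src)
    for c in clauses:
        if c["acl"] is None or any(ip in net for net in acls.get(c["acl"], [])):
            return (c["vrf"] or "global") if c["action"] == "permit" else "global"
    return "global"

def classify(sources):
    acls, clauses = parse_policy(R2_POLICY)
    return {s: select_vrf(s, acls, clauses) for s in sources}
```

Because the VRF is picked from the source address alone, keeping the ACLs host-specific (as in the post) limits what can be steered into a customer VRF from this interface.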

Verification

So does this all work?

R1# ping 3.3.3.3 source lo3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/74/108 ms
R1# ping 4.4.4.4 source lo4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/78/92 ms

You can also check route-map hits on the PE:

R2#sh route-map
route-map VRF_PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 3
  Set clauses:
    vrf 3
  Policy routing matches: 5 packets, 570 bytes
route-map VRF_PBR, permit, sequence 20
  Match clauses:
    ip address (access-lists): 4
  Set clauses:
    vrf 4
  Policy routing matches: 5 packets, 570 bytes

This could be handy when you have a device that cannot be virtualized into multiple systems but can source traffic from different IP addresses. That device could then be shared between different VRF customers.

© 2009-2019 Darren O'Connor All Rights Reserved