Configure VRF in Cisco IOS Router

Spread the love




Virtual Routing and Forwarding or VRF is a technology that supports multiple routing instance inside a single router (or layer-3 switch). This means a single router can have multiple separated routing table and each one is completely independent. Due to its independency, it also allows the usage of overlapping IP address. Cisco IOS router supports VRF by default. In this article, we are going to configure VRF in Cisco IOS router to establish connection for two LANs with overlapping network address.

How to Configure VRF in Cisco IOS Router

Usage of overlapping address should be avoided as much as possible. However, there are certain causes where this condition is unavoidable (usually happens in a service provider network), and this is one of the reasons why understanding the way to configure VRF in Cisco IOS router is important. The scenario below is the example where overlapping network address is used (pointed by the red arrow):

Configure VRF in Cisco IOS Router

In this scenario, a service provider named MustBeGeek have two customers, namely “Company A” and “Company B”. MustBeGeek uses a single router named MBG001 and it is shared for both company “A” and “B”. Interface f0/0 on MBG001 connected to a switch and the switch connected to each of the company network.

The goal is to make company “A” network able to access Loopback1 address and “B” must be able to access Loopback2 address. However, for some reason both companies needs to use the same network address but they refuse to expose their network to each other. Therefore, separate VLAN is used where VLAN81 is for Company-A and VLAN82 is for Company-B. Unfortunately, there’s just one problem as message below appears on MBG001 when trying to configure the gateway interface for those VLANs:



MBG001#configure terminal
MBG001(config)#interface f0/0
MBG001(config-if)#no shut
MBG001(config-if)#exit
MBG001(config)#interface f0/0.81
MBG001(config-if)#description Connection-to-Company-A
MBG001(config-if)#encapsulation dot1q 81
MBG001(config-if)#ip address 10.10.10.1 255.255.255.0
MBG001(config-if)#exit
MBG001(config)#interface f0/0.82
MBG001(config-if)#description Connection-to-Company-B
MBG001(config-if)#encapsulation dot1q 82
MBG001(config-if)#ip address 10.10.10.1 255.255.255.0
% 10.10.10.0 overlaps with FastEthernet0/0.81
MBG001(config-if)#

From the output above, it is clear that the router rejects the IP address assignment for subinterface f0/0.82 because the IP address is overlap with what already assigned on f0/0.81. In this condition, the solution is to configure VRF on MBG001.

VRF configuration is easy and consists of 2 simple steps, as explained below:

1. Creating the VRF instance

The first thing to do is creating the VRF instance. To do so, use command ip vrf [VRF name] in the global configuration mode. In this example VRF for company A named “Company-A” is created on MBG001:

MBG001(config)#ip vrf Company-A
MBG001(config-vrf)#

Notice that after creating a VRF, the router will enter VRF configuration mode. In here, there are several advanced options that can be configured but for basic VRF implementation, this configuration can be skipped. In this example, command exit is used to escape the VRF configuration mode, and then another VRF named “Company-B” is created for company B:

MBG001(config-vrf)#exit
MBG001(config)#ip vrf Company-B
MBG001(config-vrf)#exit

To see list of VRF that has been created, use command show ip vrf in the privileged exec mode.

MBG001#show ip vrf
 Name             Default RD          Interfaces
 Company-A        <not set> 
 Company-B        <not set>

On the output above, the interfaces column is blank because we haven’t assigned the VRF to any interface yet. This will be done in the next step.

2. Assigning VRF to an interface

After creating the VRF, the next step is assigning the VRF to an interface, or in this example is a sub-interface. Note that VRF can be assigned to any kind of interface including VLAN and Loopback. Simply enter the interface configuration mode then use command ip vrf forwarding [VRF name]. In this example, the VRF for each company is assigned to its corresponding interface:

MBG001(config)#interface f0/0.81
MBG001(config-if)#ip vrf forwarding Company-A
% Interface FastEthernet0/0.81 IP address 10.10.10.1 removed due to enabling VRF Company-A
MBG001(config-if)#ip address 10.10.10.1 255.255.255.0
MBG001(config-if)#exit
MBG001(config)#interface f0/0.82
MBG001(config-if)#ip vrf forwarding Company-B
MBG001(config-if)#ip address 10.10.10.1 255.255.255.0

Notice that when VRF is assigned to an interface associated with an IP address, that IP will be removed but can be easily re-added. Also notice that after applying VRF, the IP overlap error message no longer appears despite using an overlap (or duplicate) IP address in the same router.

Now issue the command show ip vrf once again to verify that VRF has been assigned to the correct interface

MBG001#show ip vrf
 Name             Default RD          Interfaces
 Company-A        <not set>           Fa0/0.81
 Company-B        <not set>           Fa0/0.82

It can be seen from the output above that VRF has been correctly configured on MBG001. However, there is still one more requirement in this scenario, which is to make hosts in company A able to reach Loopback1 IP address and hosts in company B able to reach Loopback2 IP address. To do that, simply assign the respective VRF to the loopback interface with the same way as above (remember that the IP address also needs to be reconfigured after assigning VRF).

When it is done, the final output of show ip vrf in this example will be like this:

MBG001#show ip vrf
 Name             Default RD          Interfaces
 Company-A        <not set>           Fa0/0.81
                                      Lo1
 Company-B        <not set>           Fa0/0.82
                                      Lo2

Working with VRF in Cisco IOS router

Ping from host on each company network to the router IP address can be done normally:

Host-A001>ping 10.10.10.1
Pinging 10.10.10.1 with 32 bytes of data:
Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
Reply from 10.10.10.1: bytes=32 time=2ms TTL=255
Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
Host-B001>ping 10.10.10.1
Pinging 10.10.10.1 with 32 bytes of data:
Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
Reply from 10.10.10.1: bytes=32 time=2ms TTL=255
Reply from 10.10.10.1: bytes=32 time=2ms TTL=255
Reply from 10.10.10.1: bytes=32 time=1ms TTL=255

Notice that even though it is pinging to the same IP address, it is actually communicating with different VRF instance on the router. On the flipside, to perform ping test from the router to host on the LAN, use command ping vrf [VRF name] [target IP] so that the router knows which network that you are trying to reach.

MBG001#ping vrf Company-A 10.10.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

MBG001#ping vrf Company-B 10.10.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Notice that hosts on Company A and B can also have the same IP address. This because their network is completely separated. To prove it and also to verify the last requirement in the scenario has been completed, hosts in company A can reach to 10.1.1.1 (destination in the same VRF instance) but not to 10.2.2.2, and the reverse is applied for hosts in company B.

Host-A001>ping 10.1.1.1
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time=2ms TTL=255
Reply from 10.1.1.1: bytes=32 time=3ms TTL=255
Reply from 10.1.1.1: bytes=32 time=2ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255

Host-A001>ping 10.2.2.2
Pinging 10.1.1.1 with 32 bytes of data:
Request timed out
Request timed out
Request timed out
Request timed out

And that’s all the basics you need to configure VRF in Cisco IOS router.




The following two tabs change content below.

Arranda Saputra

ITIL Certified, CCNA, CCDA, VCP6-DCV, MCSA Administering Windows Server 2012
I am IT practitioner in real life with specialization in network and server infrastructure. I have years of experience in design, analysis, operation, and optimization of infrastructure solutions for enterprise-scaled network. You can send me a message on LinkedIn or email to arranda.saputra@outlook.com for further inquiry regarding stuffs that I wrote or opportunity to collaborate in a project.

Latest posts by Arranda Saputra (see all)

scroll to top