What is VRF lite and How to Configure it?

Created by Deepak Sharma in Articles 11 Nov 2024

VRF Lite is a networking feature that enables multiple virtual routing tables on a single router, allowing for overlapping IP addresses across different VPNs. This VRF Lite configuration is particularly useful for service providers to manage customer traffic securely and efficiently.

In this Cisco enterprise training article, we will look at what VRF Lite is and how to configure it on a Cisco router. VRF configuration is not limited to Cisco applications, but we have used a Cisco router in the configuration example.

What is VRF Lite?

VRF Lite is a simplified version of Virtual Routing and Forwarding (VRF) that allows multiple virtual routing tables on a single router without requiring MPLS or MP-BGP.

It enables overlapping IP addresses across different VPNs, facilitating secure traffic segregation within enterprise networks or data centers, making it ideal for environments where multiple customers share the same infrastructure.

VRF vs VRF Lite

VRF (Virtual Routing and Forwarding) and VRF Lite are both technologies that allow for multiple routing instances within a single device, but they differ significantly in their implementation and use cases. The table below shows the difference between VRF and VRF Lite.


| Feature | VRF | VRF Lite |
| --- | --- | --- |
| MPLS Requirement | Requires MPLS and MP-BGP for operation | Does not require MPLS or MP-BGP |
| Use Case | Primarily used in service provider environments for WANs, allowing overlapping IP addresses across multiple customers | Commonly used in enterprise networks and data centers for traffic segmentation without the complexity of MPLS |
| Route Sharing | Route details can be shared between devices | Route details are locally significant and not shared |
| Configuration Complexity | More complex, often requires route targets and dynamic routing protocols | Simpler configuration, can use static or dynamic routing without route targets |
| Scalability | Highly scalable solution suitable for large networks | Less scalable, suitable for smaller networks or specific segments |
| Traffic Segregation | Provides robust traffic isolation through MPLS VPNs | Segregates traffic within a single network environment without MPLS |

How to Configure VRF Lite?

You can assign any interface of a router to a VRF using the command "ip vrf forwarding <name>". Please note that this command erases all IP addresses already configured on the interface, to avoid potential address duplication in the new routing table.

Once an interface is assigned to a VRF, all packets received on that interface are routed and forwarded using the associated VRF table. You can compare this concept to the way VLAN trunking works at Layer 2.

VRF Lite Configuration on Cisco Routers

To understand the VRF Lite step-by-step configuration on Cisco routers, let's consider a scenario where two routers are connected via two physical links. These links could be sub-interfaces as well, but for simplicity I have taken two physical links, as shown in the diagram below. Based on the scenario, some tasks are designed to configure the respective VRFs and achieve a result.

Cisco VRF Lite Configuration Example

● Configure the IP addresses on the two interfaces of R01 and R02 connected per the topology.

● Configure interface GigabitEthernet0/0 on both R01 and R02 so that it belongs to vrf VPN_A.

● Configure interface GigabitEthernet0/1 on both R01 and R02 so that it belongs to vrf VPN_B.

● Configure the following interfaces on R02: 

 ✓ Loopback101 with IP address of 172.16.2.2/24, assigned to vrf VPN_A.

 ✓ Loopback102 with IP address of 192.168.2.2/24, assigned to vrf VPN_B (As a part of VRF lite configuration)

● Configure default routes on R02 for both VRFs toward R01.

● Configure R01 so that from R02, you have IP connectivity between Loopback101 and Loopback102.

VRF Lite on Cisco Routers - Topology Diagram


Before moving to the Cisco VRF lite, ensure you have the IP addressing configured as per the diagram above. Here is the initial configuration for the same.

R01:

!
enable
configure terminal
!
hostname R01
!
no ip domain lookup
ip routing
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.1.12.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.1.21.1 255.255.255.0
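!
! Lab shortcut: the console and vty lines below skip login and grant privilege level 15.
! Outside a lab, use AAA or local authentication on these lines instead.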
line con 0
 exec-timeout 0 0
 logging synchronous
 privilege level 15
 no login
!
line vty 0 4
 privilege level 15
 no login
!
end
!
write
!

R02:

!
enable
configure terminal
!
hostname R02
!
no ip domain lookup
ip routing
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.1.12.2 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.1.21.2 255.255.255.0
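!
! Lab shortcut: the console and vty lines below skip login and grant privilege level 15.
! Outside a lab, use AAA or local authentication on these lines instead.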
line con 0
 exec-timeout 0 0
 logging synchronous
 privilege level 15
 no login
!
line vty 0 4
 privilege level 15
 no login
!
end
!
write
!

Now as per tasks, here are the steps of Cisco VRF lite configuration for both the routers.

R01:

!
ip vrf VPN_A
 rd 100:1
!
ip vrf VPN_B
 rd 100:2
!
! "ip vrf forwarding" removes the interface IP address, so it is re-entered afterwards
interface GigabitEthernet0/0
 ip vrf forwarding VPN_A
 ip address 192.1.12.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip vrf forwarding VPN_B
 ip address 192.1.21.1 255.255.255.0
!
! Inter-VRF static routes: each exit interface and next hop belong to the other VRF
ip route vrf VPN_A 192.168.2.0 255.255.255.0 GigabitEthernet0/1 192.1.21.2
ip route vrf VPN_B 172.16.2.0 255.255.255.0 GigabitEthernet0/0 192.1.12.2
!

R02:

!
ip vrf VPN_A
 rd 100:1
!
ip vrf VPN_B
 rd 100:2
!
! "ip vrf forwarding" removes the interface IP address, so it is re-entered afterwards
interface GigabitEthernet0/0
 ip vrf forwarding VPN_A
 ip address 192.1.12.2 255.255.255.0
!
interface GigabitEthernet0/1
 ip vrf forwarding VPN_B
 ip address 192.1.21.2 255.255.255.0
!
interface Loopback101
 ip vrf forwarding VPN_A
 ip address 172.16.2.2 255.255.255.0
!
interface Loopback102
 ip vrf forwarding VPN_B
 ip address 192.168.2.2 255.255.255.0
!
! Per-VRF default routes toward R01
ip route vrf VPN_A 0.0.0.0 0.0.0.0 192.1.12.1
ip route vrf VPN_B 0.0.0.0 0.0.0.0 192.1.21.1
!

Verify VRF Lite Configuration

Start by checking the VRF interfaces and basic IPv4 connectivity. Notice that the verification commands now use the vrf argument to select the specific routing table.



Let’s look at inter-VRF connectivity in detail. First, check the CEF table for VRF VPN_A on R01.


It appears accurate and complete. Now ping 172.16.2.2 from within VRF VPN_B in R02 and vice-versa.


VRF Lite Working

VRF Lite operates by allowing packets entering a specific VRF to follow only the routes in that VRF's routing table. Similar to how a Layer 2 trunk spans multiple switches, VRF can extend across multiple devices.

By properly mapping VRFs to links between routers, it enables parallel VPNs across devices, making it the simplest method for creating non-overlapping VPNs in a network.

This configuration supports multiple customers on shared infrastructure while maintaining isolated routing tables for each VPN, enhancing security and efficiency.

VRF Lite Scalability

Cisco VRF Lite has a limited scope of scalability due to its requirement for a dedicated inter-router link for each VPN. For instance, if you have two routers and need to support 100 VPNs, you must provision 100 connections between the routers—one for each VPN.

These connections can be established using separate interfaces or Layer 2 virtualization techniques, such as Frame-Relay PVC or Ethernet VLANs.

This design can lead to significant management overhead and complexity as the number of VPNs increases, making VRF Lite less suitable for larger-scale deployments compared to full VRF implementations that leverage MPLS.

Cisco VRF Lite Capable Routers

In a router, all interfaces (physical or sub-interfaces) are in a global VRF by default which is the regular routing table used in non-VRF capable routers.

In a VRF (lite) capable router, you can create a new VRF by issuing the command "ip vrf <name>", which opens the VRF configuration context on Cisco routers. After this initial step, you must define a route distinguisher (RD) for this particular VRF using the command "rd X:Y", where X and Y are 32-bit numbers.

A Route Distinguisher is a special 64-bit prefix prepended to every route in the respective VRF routing table.

VRF Lite - Purpose of Route Distinguisher (RD) 

The primary purpose of a Route Distinguisher (RD) in VRF Lite is to distinguish prefixes within a router and avoid collisions if two VRFs contain the same prefixes. This is achieved by prepending an 8-byte RD to the 4-byte IPv4 prefix, creating a unique 12-byte VPNv4 address.

There are two common formats for configuring an RD:

1. ASN:NN format: Combines the Autonomous System Number (ASN) and a unique number (NN) representing the VRF within the router or the VPN within the ASN. This format is more popular and commonly used.

2. IP-Address:NN format: Uses the router's IP address and a unique number (NN) representing the VRF name. This format reflects the local significance of the RD, but the ASN:NN format is more widely adopted.

By assigning unique RDs to each VRF, VRF Lite ensures that even if two customers are using the same IPv4 address space, their prefixes are distinguished within the MPLS network, allowing for proper routing and forwarding of traffic.
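How the RD keeps identical prefixes apart, as an added example that is not part of the original article: this Python sketch builds the 8-byte RD and the 12-byte VPNv4 address for the two formats listed above. It assumes the RFC 4364 layouts (type 0 for a 2-byte ASN, type 1 for an IP address, type 2 for a 4-byte ASN); the function names are illustrative.

```python
import ipaddress
import struct

def encode_rd(rd):
    """Encode 'ASN:NN' or 'IP-Address:NN' as an 8-byte RD (RFC 4364 layouts, assumed).

    struct.error is raised when a field does not fit its slot.
    """
    admin, _, number = rd.partition(":")
    nn = int(number)
    if "." in admin:
        # Type 1: 2-byte type, 4-byte IPv4 address, 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, nn)
    asn = int(admin)
    if asn <= 0xFFFF:
        # Type 0: 2-byte type, 2-byte ASN, 4-byte assigned number
        return struct.pack("!HHI", 0, asn, nn)
    # Type 2: 2-byte type, 4-byte ASN, 2-byte assigned number
    return struct.pack("!HIH", 2, asn, nn)

def vpnv4_address(rd, prefix):
    """Prepend the 8-byte RD to the 4-byte IPv4 prefix: 12 bytes in total."""
    network = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + network.network_address.packed

if __name__ == "__main__":
    # Constructed case: the same prefix present in both VRFs of this article,
    # plus one RD in IP-Address:NN form.
    for rd in ("100:1", "100:2", "1.1.1.1:1"):
        print(f"{rd:>10}  {vpnv4_address(rd, '172.16.2.0/24').hex()}")
```

The two VRFs of the lab yield different 12-byte values for the same 172.16.2.0/24 prefix because only the RD portion differs.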

VRF Lite - Static and Dynamic Routing

It is possible to associate static routes or dynamic routing protocol processes with the VRFs. In this lab, we work with static routing only. The syntax for a VRF-bound static route is "ip route vrf <name> PREFIX MASK [interface] [next-hop]", where [next-hop] is an IP address resolvable through the VRF.

It is also possible to use static routes for inter-VRF communications. If you are using a static route with the [interface] specification, the interface could belong to any VRF.

Note that with multi-access interfaces, you must also specify the next-hop associated with the interface subnet because Cisco IOS will install a CEF entry in the source VRF using the information provided and will not attempt to resolve the next-hop recursively.

Remember that this trick only works with the non-recursive static routes that use directly connected interfaces. 
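An audit check for the inter-VRF static routes described above, as an added example that is not part of the original article: the Python sketch maps each interface in an IOS-style configuration to its VRF and reports every "ip route vrf" statement whose exit interface sits in a different VRF. The embedded text is R01's interface and static-route lines from this article; the function names are illustrative.

```python
import re

# R01's interface and static-route lines from this article, embedded to run offline.
R01_CONFIG = """\
interface GigabitEthernet0/0
 ip vrf forwarding VPN_A
 ip address 192.1.12.1 255.255.255.0
interface GigabitEthernet0/1
 ip vrf forwarding VPN_B
 ip address 192.1.21.1 255.255.255.0
ip route vrf VPN_A 192.168.2.0 255.255.255.0 GigabitEthernet0/1 192.1.21.2
ip route vrf VPN_B 172.16.2.0 255.255.255.0 GigabitEthernet0/0 192.1.12.2
"""

# Matches only routes that name an exit interface (4th token starts with a letter);
# routes that give just a next-hop address are resolved inside their own VRF.
ROUTE_RE = re.compile(r"^ip route vrf (\S+) (\S+) (\S+) ([A-Za-z]\S*)")

def interface_vrfs(config):
    """Map interface name -> VRF name ('global' when no VRF is bound)."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            vrfs[current] = "global"
        elif not line.startswith(" "):
            current = None  # left the interface context
        elif current and re.match(r"\s+(ip )?vrf forwarding \S+", line):
            vrfs[current] = line.split()[-1]
    return vrfs

def find_vrf_leaks(config):
    """Return (source_vrf, prefix, mask, exit_interface, exit_vrf) per leaking route."""
    vrfs = interface_vrfs(config)
    leaks = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        src_vrf, prefix, mask, ifname = m.groups()
        exit_vrf = vrfs.get(ifname, "unknown")
        if exit_vrf != src_vrf:
            leaks.append((src_vrf, prefix, mask, ifname, exit_vrf))
    return leaks

if __name__ == "__main__":
    for src, prefix, mask, ifname, dst in find_vrf_leaks(R01_CONFIG):
        print(f"VRF {src}: {prefix} {mask} exits via {ifname} (VRF {dst})")
```

Both of R01's static routes are reported, which is expected in this lab because they were configured deliberately; in a multi-customer deployment each reported route is a point where VRF isolation is intentionally or accidentally bypassed.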

VRF Lite and Configuration - Summing Up

VRF Lite enables the creation of multiple virtual routing tables on a single router, allowing for isolated networks with separate interfaces. Each VRF has its own Routing Information Base (RIB) and Forwarding Information Base (FIB).

VRF Lite configuration involves assigning interfaces to VRFs using commands like "ip vrf forwarding." However, scalability is limited, as a dedicated inter-router link is required for each VPN. This can lead to significant management overhead when supporting numerous VPNs across multiple routers.


Deepak Sharma

He is a senior solution network architect, currently working with one of the largest financial companies. He has an impressive academic and training background. He has completed his B.Tech and MBA, which makes him both technically and managerially proficient. He has also completed more than 450 online and offline training courses, both in India and ...


FAQ

VRF Lite is a feature on Cisco routers that enables the creation of multiple virtual routing tables on a single device, allowing for overlapping IP addresses across different VPNs without requiring MPLS or MP-BGP.
The primary purpose of VRF Lite is to provide traffic segmentation and isolation within enterprise networks and data centers, enabling secure separation of customer or application traffic on shared infrastructure.
The key differences are:
1. VRF Lite does not require MPLS or MP-BGP, while full VRF relies on these technologies.
2. VRF Lite is less scalable and suitable for smaller networks, while full VRF is highly scalable for large service provider environments.
3. VRF Lite uses locally significant route details, while full VRF allows sharing of route information between devices.
VRF Lite supports static routing or dynamic routing protocols like OSPF, EIGRP, and BGP within each VRF instance. However, it does not support MPLS or MP-BGP, which are required for full VRF functionality.

Comments (2)

Ankit verma Student
13 Oct 2023 | 01:00 pm

Great post with a configuration scenario example. I do not have 2 physical links to connect two routers to each other. Can this work with sub-interfaces, i.e. if the router interface is connected to a switch port as a trunk port?

Deepak Sharma User
13 Oct 2023 | 01:12 pm

Hello Ankit, yes you can configure vrf lite using sub-interfaces of the routers but make sure you have enough bandwidth on these interfaces.

sanchit thareja Student
31 Oct 2023 | 08:38 pm

Why do we require to use VRF Lite anyways?

Deepak Sharma User
2 Mar 2024 | 10:13 pm

In most cases it is not required; however, in some corner cases where you may need to extend your virtual routing table from one router to another, VRF Lite has to be configured.
There may be a case where you do not have the budget for another router for a separate routing table; then you can divide the router into multiple routing tables using VRF and extend them to the other router using VRF Lite.
