Thursday, November 5, 2015

Front VRF (FVRF) Technology



Front-door VRF (FVRF), often shortened to front VRF, is a design that lets a router accept a default route from the IGP across a tunnel interface in a VPN deployment. Without it, the router already carries a default route toward the upstream Internet router, either configured statically or learned from the ISP via DHCP.

With that static default in place the dynamic default from the IGP, EIGRP in our case, never gets installed, because its administrative distance (170 for an EIGRP external route) is higher than that of the static route (1). Lowering the EIGRP distance does not help either: the IGP default would then become the route used to reach the tunnel destination, the tunnel endpoint would be resolved through the tunnel itself (recursive routing), and the tunnel between R1 and R6 would go down.

One scenario that fits FVRF well: imagine you are responsible for the HQ and branch networks of Bank XYZ. The bank's compliance policy states that all traffic from a branch, internal and Internet alike, MUST traverse HQ. Under that policy most of the security and other technical controls live at HQ, and a branch office only needs a route that leads to the HQ WAN router. Simple, right?

Once branches get direct Internet connections, though, that traffic becomes hard to control: branch users CAN now reach the Internet without passing through the HQ WAN router. That means you, as the IT service person, have to build a compliance and security configuration template and apply it to every single branch network and security device. Yikes, that is a lot of work.

What if, even with a direct Internet connection at the branch, branch Internet traffic still HAD to traverse the HQ WAN router? Branch Internet access would then be treated like any other traffic over the WAN link, which is now a VPN tunnel (GRE, for example). Bank XYZ's compliance requirement is met even though every branch office has its own Internet connection. Compelling, isn't it?

Let’s get down to our simple example here

Our scenario consists of four devices with the following roles:
  • R1 (HQ WAN router): advertises Lo1 (172.16.1.1/32) and terminates the tunnel to R6.
  • R6 (branch router with direct Internet access): advertises Lo1 (172.16.6.6/32) and terminates the tunnel to R1.
  • SW1 (internal network with the default route to the HQ Internet exit): internal EIGRP router adjacent to R1. It redistributes a static default route into EIGRP 100 and hosts Loopback0 (11.11.11.11/32), which is deliberately not advertised, so reaching 11.11.11.11 proves that the default route is being used.
  • R99: dummy Internet router that knows only the public 123.x.99.0/24 subnets and has no route to 11.11.11.11/32; 4.2.2.2, pinged from the FVRF in the verification below, stands in for an Internet host.


In this design the static default route toward the Internet lives in the FVRF and is used only to reach the tunnel endpoint, while the default route learned from the IGP lives in the global routing table of each router. The two defaults never compete, so no administrative-distance tweaking is needed and the tunnel destination can never be resolved through the tunnel itself.



R1 Configuration
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.255
 ipv6 address 2001:172:16:1::1/128
!
interface Ethernet0/3
 description Connection to SW1
 ip address 10.1.11.1 255.255.255.0
!
vrf definition FVRF
 rd 1:1
 !
 address-family ipv4
 exit-address-family
!
interface Serial2/0
 description Connection to the Internet
 vrf forwarding FVRF
 ip address 123.1.99.1 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
!
ip route vrf FVRF 0.0.0.0 0.0.0.0 123.1.99.99
!
interface Tunnel16
 ip address 192.168.16.1 255.255.255.0
 tunnel source Serial2/0
 tunnel destination 123.6.99.6
 tunnel vrf FVRF
!
router eigrp 100
 network 10.1.11.1 0.0.0.0
 network 172.16.1.1 0.0.0.0
 network 192.168.16.1 0.0.0.0
!

R6
!
interface Loopback1
 ip address 172.16.6.6 255.255.255.255
 ipv6 address 2001:172:16:6::6/128
!
vrf definition FVRF
 rd 6:6
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!   
interface Serial2/0
 description Connection to the Internet
 vrf forwarding FVRF
 ip address 123.6.99.6 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
!
ip route vrf FVRF 0.0.0.0 0.0.0.0 123.6.99.99
!
interface Tunnel16
 ip address 192.168.16.6 255.255.255.0
 tunnel source Serial2/0
 tunnel destination 123.1.99.1
 tunnel vrf FVRF
!
router eigrp 100
 network 172.16.6.6 0.0.0.0
 network 192.168.16.6 0.0.0.0
!

SW1
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
 ipv6 address 2001:11:11:11::11/128
!
interface Loopback1
 ip address 172.16.11.11 255.255.255.255
 ipv6 address 2001:172:16:11::11/128
!
interface Vlan101
 ip address 10.1.11.11 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Loopback1
!
router eigrp 100
 network 10.1.11.11 0.0.0.0
 redistribute static metric 1 1 1 1 1
!


R1 Verification
R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.11.11 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/2560025856] via 10.1.11.11, 00:11:10, Ethernet0/3
      172.16.0.0/32 is subnetted, 2 subnets
D        172.16.6.6 [90/27008000] via 192.168.16.6, 00:05:19, Tunnel16
R1#
R1#ping 11.11.11.11 sou lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

R1#sh ip route vrf FVRF

Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 123.1.99.99 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 123.1.99.99
      123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        123.1.99.0/24 is directly connected, Serial2/0
L        123.1.99.1/32 is directly connected, Serial2/0
C        123.1.99.99/32 is directly connected, Serial2/0
R1#
R1#ping vrf FVRF 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms


R6 Verification
R6#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.16.1 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/2561305856] via 192.168.16.1, 00:06:06, Tunnel16
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.1.11.0/24 [90/26905600] via 192.168.16.1, 00:06:06, Tunnel16
      172.16.0.0/32 is subnetted, 2 subnets
D        172.16.1.1 [90/27008000] via 192.168.16.1, 00:06:06, Tunnel16
R6#
R6#ping 11.11.11.11 sou lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
Packet sent with a source address of 172.16.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 19/19/21 ms
R6#
R6#traceroute 11.11.11.11 sou lo1
Type escape sequence to abort.
Tracing the route to 11.11.11.11
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.16.1 19 msec 18 msec 18 msec
  2 10.1.11.11 18 msec *  20 msec
R6#
R6#sh ip route vrf FVRF

Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 123.6.99.99 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 123.6.99.99
      123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        123.6.99.0/24 is directly connected, Serial2/0
L        123.6.99.6/32 is directly connected, Serial2/0
C        123.6.99.99/32 is directly connected, Serial2/0
R6#
R6#ping vrf FVRF 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
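
The two defaults and the recursion argument from the top of the post can be checked mechanically rather than by eye. The script below is an added example, not part of the original post and not Cisco tooling: it parses `show ip route` text for the global table and for the FVRF, performs a longest-prefix lookup of the tunnel destination in each table the way the RIB does, and reports whether the design holds. The sample tables are constructed from the R6 verification output above (the `eigrp` filter removed); the tunnel destination 123.1.99.1, Tunnel16 and Serial2/0 come from the lab, and the check names are the example's own.

```python
"""Added check for the front-door VRF design: parse `show ip route` text from the global
table and the FVRF, then confirm the GRE endpoint resolves in the FVRF (never through the
tunnel itself) and that each default route sits in the table where the design puts it."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One IOS route line: code column (may carry a qualifier such as "D EX"), prefix, remainder.
ROUTE_RE = re.compile(r"^(?P<code>\S+(?: (?:EX|E[12]|N[12]|IA|L[12]))?)\s+"
                      r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)(?P<rest>.*)$")
SUBNETTED_RE = re.compile(r"^\s+\S+/(?P<mask>\d{1,2}) is subnetted\b")
VARIABLY_RE = re.compile(r"^\s+\S+ is variably subnetted\b")
AD_RE = re.compile(r"\[(?P<ad>\d+)/\d+\]")
VIA_RE = re.compile(r"\bvia (?P<nh>\d{1,3}(?:\.\d{1,3}){3})")
IFACE_RE = re.compile(r",\s*(?P<iface>[A-Za-z][\w/.:-]*)\s*$")


@dataclass(frozen=True)
class Route:
    code: str
    network: ipaddress.IPv4Network
    ad: Optional[int]
    nexthop: Optional[ipaddress.IPv4Address]
    iface: Optional[str]


def parse_routes(show_output: str) -> List[Route]:
    """Routes from `show ip route` output; prompt, legend and summary lines are skipped."""
    routes, mask = [], None  # mask implied by the last "x/y is subnetted" header
    for line in show_output.splitlines():
        if m := SUBNETTED_RE.match(line):
            mask = int(m.group("mask"))
        elif VARIABLY_RE.match(line):
            mask = None  # each following route prints its own mask
        elif m := ROUTE_RE.match(line):
            prefix = m.group("prefix")
            if "/" not in prefix:
                if mask is None:
                    raise ValueError(f"cannot determine mask for: {line!r}")
                prefix = f"{prefix}/{mask}"
            rest = m.group("rest")
            ad, nh, ifc = AD_RE.search(rest), VIA_RE.search(rest), IFACE_RE.search(rest)
            routes.append(Route(m.group("code"), ipaddress.ip_network(prefix, strict=False),
                                int(ad.group("ad")) if ad else None,
                                ipaddress.ip_address(nh.group("nh")) if nh else None,
                                ifc.group("iface") if ifc else None))
    return routes


def resolve_egress(routes: List[Route], addr: str, max_depth: int = 8) -> Optional[str]:
    """Longest-prefix match, then follow next hops (as the RIB does) to an outgoing interface."""
    ip = ipaddress.ip_address(addr)
    for _ in range(max_depth):
        hits = [r for r in routes if ip in r.network]
        if not hits:
            return None
        best = max(hits, key=lambda r: r.network.prefixlen)
        if best.iface is not None or best.nexthop is None:
            return best.iface
        ip = best.nexthop
    return None  # recursion too deep: treat as unresolvable


def check_fvrf_design(global_table, fvrf_table, tunnel_dest, tunnel_iface, isp_iface):
    """The FVRF sanity checks as a dict of booleans; all should be True for a sound design."""
    glob, fvrf = parse_routes(global_table), parse_routes(fvrf_table)
    g_def = next((r for r in glob if r.network.prefixlen == 0), None)
    f_def = next((r for r in fvrf if r.network.prefixlen == 0), None)
    return {
        # with `tunnel vrf FVRF` the endpoint is looked up in the FVRF and leaves via the ISP
        "tunnel_dest_via_isp_in_fvrf": resolve_egress(fvrf, tunnel_dest) == isp_iface,
        # without it, the global default would send the endpoint back into the tunnel
        "global_lookup_would_recurse": resolve_egress(glob, tunnel_dest) == tunnel_iface,
        # the branch default is the EIGRP external default learned from HQ over the tunnel
        "global_default_is_igp_over_tunnel": bool(g_def and g_def.code.startswith("D")
                                                  and g_def.iface == tunnel_iface),
        # the static ISP default exists only inside the FVRF
        "fvrf_default_is_static": bool(f_def and f_def.code.startswith("S")),
        # so an Internet-bound packet from the branch LAN is forwarded to HQ, not the ISP
        "branch_internet_goes_to_hq": resolve_egress(glob, "4.2.2.2") == tunnel_iface,
    }


# Constructed sample tables modelled on the R6 verification output in the post.
R6_GLOBAL = """\
Gateway of last resort is 192.168.16.1 to network 0.0.0.0
D*EX  0.0.0.0/0 [170/2561305856] via 192.168.16.1, 00:06:06, Tunnel16
      10.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
D        10.1.11.0/24 [90/26905600] via 192.168.16.1, 00:06:06, Tunnel16
      172.16.0.0/32 is subnetted, 1 subnets
D        172.16.1.1 [90/27008000] via 192.168.16.1, 00:06:06, Tunnel16
"""
R6_FVRF = """\
S*    0.0.0.0/0 [1/0] via 123.6.99.99
      123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        123.6.99.0/24 is directly connected, Serial2/0
L        123.6.99.6/32 is directly connected, Serial2/0
C        123.6.99.99/32 is directly connected, Serial2/0
"""

if __name__ == "__main__":
    print(check_fvrf_design(R6_GLOBAL, R6_FVRF, "123.1.99.1", "Tunnel16", "Serial2/0"))
```

Run as-is, every check comes back True. On a live router, feed the text of `show ip route` and `show ip route vrf FVRF` to `check_fvrf_design` instead of the constructed tables. The `global_lookup_would_recurse` result is the interesting one: it shows what the router would do if `tunnel vrf FVRF` were removed from Tunnel16, which is exactly the recursive-routing failure the administrative-distance discussion at the top of the post warns about.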


You can also add encryption to the tunnel between R1 and R6; we will cover that in a separate post. Keep in mind that plain GRE provides neither confidentiality nor authentication, so before the tunnel carries production traffic across the Internet it should be protected with IPsec.

I hope it has been informative for you and I’d like to thank you for reading.
