Front-door VRF (FVRF) is the feature that lets us take the default route learned from the IGP over a tunnel interface in a VPN deployment. Normally our router already has a static default route toward the upstream Internet router (or a default route learned from DHCP). In that case the dynamic default route from the IGP, EIGRP in our example, never gets installed, because its administrative distance (170 for an EIGRP external route) is higher than the static route's (1). If we try to fix that by lowering the AD on the EIGRP side so the IGP default wins, the tunnel between R1 and R6 breaks: the tunnel destination is now itself routed through the tunnel (recursive routing), so the tunnel goes down.
FVRF separates the two. The Internet-facing interface and its static default route live in their own VRF (the underlay), so the tunnel endpoints are resolved there, while the global routing table (the overlay) is free to carry the default route learned through the tunnel.
One case that fits FVRF is this. Imagine you are responsible for the HQ and branch networks of Bank XYZ. The bank's compliance policy states that ALL traffic from a branch, internal and Internet access alike, MUST traverse the HQ. With that kind of policy most of the security and other technical work is done at the HQ, and a branch only needs a route that leads to the HQ WAN router. Simple, right?
Once the branches get direct Internet connections, though, controlling their traffic becomes difficult, especially traffic from the branch to the Internet: the branch CAN now reach the Internet directly without traversing the HQ WAN router. That means you, as the IT service guy, would have to build a compliance and security configuration template and deploy it on every single branch network and security device. Yikes, that is a lot of work.
What if, even when a branch has a direct Internet connection, its Internet traffic SHOULD still traverse the HQ WAN router? Then Internet access from the branch is treated like any other traffic over the WAN link, which is now a VPN tunnel (GRE, for example). This meets Bank XYZ's compliance requirement even though every branch now has a direct Internet connection. Compelling, isn't it?
Let's get down to our simple example.
Our scenario consists of 4 devices with the following roles:
- R1 (HQ WAN router) --> advertises Lo1 (172.16.1.1/32) and terminates the tunnel to R6.
- R6 (branch router with direct Internet access) --> advertises Lo1 (172.16.6.6/32) and terminates the tunnel to R1.
- SW1 (internal network with the default route to the HQ Internet) --> internal EIGRP router adjacent to R1; it redistributes a default route into EIGRP 100. Its Loopback0 (11.11.11.11/32) is not advertised by EIGRP, so it is reachable only through that default route and stands in for "something behind HQ".
- R99 --> dummy Internet router that knows only the public subnets (123.x.99.0/24); it has no route to 11.11.11.11/32, so a branch can reach that address only through the tunnel.
So in this case the default route toward the Internet (the underlay) is handled by the FVRF, and the default route learned from the IGP (the overlay) is handled by the global routing table on each router.
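Before the configs, an added example (mine, not part of the original post) that models the lookup R6 performs for a packet to 11.11.11.11: one RIB for the global table and one for the FVRF, longest-prefix match with administrative distance, and a GRE hop that re-resolves the tunnel destination in the table named by `tunnel vrf`. The addresses and AD values are the ones used on this page; the Rib/Router classes are an illustrative model, not IOS code, and the "flat" and "floating" scenarios (no FVRF, with the static default at AD 1 or demoted to AD 200) are constructed to show the two failure modes described above.

```python
"""Model of R6's forwarding decision with and without a front-door VRF.
Illustrative model written for this page; not IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances IOS uses for the route sources on the page.
AD = {"connected": 0, "static": 1, "eigrp": 90, "eigrp-ex": 170}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    distance: int
    out_iface: str
    next_hop: Optional[str] = None


class Rib:
    """One routing table: the best route per prefix, chosen by lowest AD."""

    def __init__(self) -> None:
        self.routes: dict = {}

    def add(self, prefix, source, out_iface, next_hop=None, distance=None):
        net = ipaddress.ip_network(prefix)
        cand = Route(net, AD[source] if distance is None else distance, out_iface, next_hop)
        cur = self.routes.get(net)
        if cur is None or cand.distance < cur.distance:  # lower AD wins
            self.routes[net] = cand
        return self.routes[net]

    def lookup(self, dst) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes.values() if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


@dataclass
class Tunnel:
    destination: str
    vrf: str  # table used to resolve `tunnel destination`: "global" or "FVRF"


class Router:
    def __init__(self) -> None:
        self.ribs = {"global": Rib()}
        self.tunnels: dict = {}

    def table(self, name: str) -> Rib:
        return self.ribs.setdefault(name, Rib())

    def forward(self, dst: str):
        """Return the (table, interface) hops a packet to dst takes on this
        router. Each GRE hop looks the tunnel destination up again in the
        tunnel's VRF; landing on the same tunnel twice is recursive routing."""
        path, table, used = [], "global", set()
        while True:
            r = self.ribs[table].lookup(dst)
            if r is None:
                raise LookupError(f"{table}: no route to {dst}")
            path.append((table, r.out_iface))
            tun = self.tunnels.get(r.out_iface)
            if tun is None:
                return path  # physical interface: the packet leaves the box
            if r.out_iface in used:
                raise RecursionError(
                    f"{r.out_iface}: destination {tun.destination} resolves back over itself")
            used.add(r.out_iface)
            dst, table = tun.destination, tun.vrf


def build_r6(mode: str = "fvrf") -> Router:
    """R6 from the page. mode: 'fvrf' (as configured), 'flat' (no FVRF, static
    default at AD 1 in global), 'floating' (no FVRF, static default demoted to
    AD 200 so the EIGRP default wins: the 'change the AD' idea)."""
    r6 = Router()
    g = r6.table("global")
    g.add("172.16.6.6/32", "connected", "Loopback1")
    g.add("192.168.16.0/24", "connected", "Tunnel16")
    g.add("10.1.11.0/24", "eigrp", "Tunnel16", "192.168.16.1")
    g.add("172.16.1.1/32", "eigrp", "Tunnel16", "192.168.16.1")
    g.add("0.0.0.0/0", "eigrp-ex", "Tunnel16", "192.168.16.1")  # D*EX from SW1 via R1
    underlay = r6.table("FVRF") if mode == "fvrf" else g
    underlay.add("123.6.99.0/24", "connected", "Serial2/0")
    underlay.add("0.0.0.0/0", "static", "Serial2/0", "123.6.99.99",
                 distance=200 if mode == "floating" else None)
    r6.tunnels["Tunnel16"] = Tunnel("123.1.99.1", "FVRF" if mode == "fvrf" else "global")
    return r6


if __name__ == "__main__":
    for mode in ("fvrf", "flat", "floating"):
        try:
            print(mode, build_r6(mode).forward("11.11.11.11"))
        except RecursionError as err:
            print(mode, "RECURSIVE ROUTING:", err)
```

With FVRF the packet goes out Tunnel16 in the global table and the GRE outer packet goes out Serial2/0 in the FVRF. Without FVRF the static default (AD 1) beats the EIGRP default (AD 170) and the packet goes straight to R99, bypassing HQ; demoting the static route so EIGRP wins makes the tunnel destination resolve over the tunnel itself.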
R1 Configuration
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.255
 ipv6 address 2001:172:16:1::1/128
!
! Connection to SW1 (stays in the global table)
interface Ethernet0/3
 ip address 10.1.11.1 255.255.255.0
!
vrf definition FVRF
 rd 1:1
 !
 address-family ipv4
 exit-address-family
!
! Connection to the Internet, placed in the front-door VRF
interface Serial2/0
 vrf forwarding FVRF
 ip address 123.1.99.1 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
!
! Static default toward the ISP lives only in the FVRF
ip route vrf FVRF 0.0.0.0 0.0.0.0 123.1.99.99
!
! Overlay tunnel: addresses in the global table, endpoints resolved in FVRF
interface Tunnel16
 ip address 192.168.16.1 255.255.255.0
 tunnel source Serial2/0
 tunnel destination 123.6.99.6
 tunnel vrf FVRF
!
router eigrp 100
 network 10.1.11.1 0.0.0.0
 network 172.16.1.1 0.0.0.0
 network 192.168.16.1 0.0.0.0
!
R6 Configuration
!
interface Loopback1
 ip address 172.16.6.6 255.255.255.255
 ipv6 address 2001:172:16:6::6/128
!
vrf definition FVRF
 rd 6:6
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
! Connection to the Internet, placed in the front-door VRF
interface Serial2/0
 vrf forwarding FVRF
 ip address 123.6.99.6 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
!
! Static default toward the ISP lives only in the FVRF
ip route vrf FVRF 0.0.0.0 0.0.0.0 123.6.99.99
!
! Overlay tunnel: addresses in the global table, endpoints resolved in FVRF
interface Tunnel16
 ip address 192.168.16.6 255.255.255.0
 tunnel source Serial2/0
 tunnel destination 123.1.99.1
 tunnel vrf FVRF
!
router eigrp 100
 network 172.16.6.6 0.0.0.0
 network 192.168.16.6 0.0.0.0
!
SW1 Configuration
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
 ipv6 address 2001:11:11:11::11/128
!
interface Loopback1
 ip address 172.16.11.11 255.255.255.255
 ipv6 address 2001:172:16:11::11/128
!
interface Vlan101
 ip address 10.1.11.11 255.255.255.0
!
! Dummy default route, pointed at Loopback1 so it is always present
ip route 0.0.0.0 0.0.0.0 Loopback1
!
router eigrp 100
 network 10.1.11.11 0.0.0.0
 redistribute static metric 1 1 1 1 1
!
R1 Verification
R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.11.11 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/2560025856] via 10.1.11.11, 00:11:10, Ethernet0/3
      172.16.0.0/32 is subnetted, 2 subnets
D        172.16.6.6 [90/27008000] via 192.168.16.6, 00:05:19, Tunnel16
R1#
R1#ping 11.11.11.11 sou lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
R1#sh ip route vrf FVRF

Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 123.1.99.99 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 123.1.99.99
      123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        123.1.99.0/24 is directly connected, Serial2/0
L        123.1.99.1/32 is directly connected, Serial2/0
C        123.1.99.99/32 is directly connected, Serial2/0
R1#
R1#ping vrf FVRF 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
The global table holds the EIGRP external default (AD 170) learned from SW1, and the FVRF table holds the static default (AD 1) toward R99. The two never compete because they sit in different tables. Note that the Internet ping has to be issued in the VRF (ping vrf FVRF), since the global table's default leads to SW1, not to the Internet.
R6 Verification
R6#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.16.1 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/2561305856] via 192.168.16.1, 00:06:06, Tunnel16
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.1.11.0/24 [90/26905600] via 192.168.16.1, 00:06:06, Tunnel16
      172.16.0.0/32 is subnetted, 2 subnets
D        172.16.1.1 [90/27008000] via 192.168.16.1, 00:06:06, Tunnel16
R6#
R6#ping 11.11.11.11 sou lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
Packet sent with a source address of 172.16.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 19/19/21 ms
R6#
R6#traceroute 11.11.11.11 sou lo1
Type escape sequence to abort.
Tracing the route to 11.11.11.11
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.16.1 19 msec 18 msec 18 msec
  2 10.1.11.11 18 msec * 20 msec
R6#
R6#sh ip route vrf FVRF

Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 123.6.99.99 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 123.6.99.99
      123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        123.6.99.0/24 is directly connected, Serial2/0
L        123.6.99.6/32 is directly connected, Serial2/0
C        123.6.99.99/32 is directly connected, Serial2/0
R6#
R6#ping vrf FVRF 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
On the branch the EIGRP external default arrives over Tunnel16, so 11.11.11.11, which R99 does not know, is reached through HQ: the traceroute shows R1's tunnel address 192.168.16.1 as the first hop. Only traffic that is explicitly in the FVRF, the GRE packets themselves and the ping vrf FVRF 4.2.2.2 test, goes straight to R99.
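Since the point of the design is that every branch keeps sending its default traffic through HQ, an added example (mine, not from the original post) of how that could be checked from the router output rather than by eye: it parses the default-route line of `show ip route` and `show ip route vrf FVRF` and flags a branch whose global default leaves on anything other than the tunnel. R6_GLOBAL and R6_FVRF are trimmed copies of R6's output above; LEAKY_GLOBAL is a constructed output for a branch without FVRF where the static default won. The PASS/FAIL logic and the names are mine.

```python
"""Audit a branch's default routes from `show ip route` text. Written for
this page; the sample outputs are copied from the page or constructed."""
import re
from typing import Optional

# Matches a default-route line such as
#   D*EX  0.0.0.0/0 [170/2561305856] via 192.168.16.1, 00:06:06, Tunnel16
#   S*    0.0.0.0/0 [1/0] via 123.6.99.99
# The uptime/interface part is absent for a static route with only a next hop.
DEFAULT_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+0\.0\.0\.0/0\s+\[(?P<ad>\d+)/\d+\]\s+via\s+(?P<nh>[\d.]+)"
    r"(?:,\s*[\d:]+,\s*(?P<iface>\S+))?",
    re.M,
)

R6_GLOBAL = """\
Gateway of last resort is 192.168.16.1 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/2561305856] via 192.168.16.1, 00:06:06, Tunnel16
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.1.11.0/24 [90/26905600] via 192.168.16.1, 00:06:06, Tunnel16
"""

R6_FVRF = """\
Routing Table: FVRF
Gateway of last resort is 123.6.99.99 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 123.6.99.99
      123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        123.6.99.0/24 is directly connected, Serial2/0
"""

# Constructed: a branch with no front-door VRF, where the static default (AD 1)
# beat the EIGRP default (AD 170) and Internet traffic goes straight to the ISP.
LEAKY_GLOBAL = """\
Gateway of last resort is 123.6.99.99 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 123.6.99.99
      123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        123.6.99.0/24 is directly connected, Serial2/0
"""


def parse_default(show_ip_route: str) -> Optional[dict]:
    """Return the installed default route as a dict, or None if there is none."""
    m = DEFAULT_RE.search(show_ip_route)
    if m is None:
        return None
    return {"code": m["code"], "ad": int(m["ad"]),
            "next_hop": m["nh"], "iface": m["iface"]}


def audit_branch(global_rt: str, fvrf_rt: str, tunnel_iface: str = "Tunnel16"):
    """Return (ok, findings). ok is True only when the global default rides the
    tunnel and was learned by EIGRP, and the FVRF default does not."""
    findings = []
    g = parse_default(global_rt)
    if g is None:
        findings.append("global: no default route, branch cannot reach HQ Internet")
    elif g["iface"] != tunnel_iface:
        findings.append(f"global: default exits via {g['iface'] or g['next_hop']} "
                        f"instead of {tunnel_iface}: Internet traffic bypasses HQ")
    elif not g["code"].startswith("D"):
        findings.append(f"global: default over {tunnel_iface} is {g['code']}, "
                        "not learned from EIGRP")
    f = parse_default(fvrf_rt)
    if f is None:
        findings.append("FVRF: no default route, tunnel destination is unreachable")
    elif f["iface"] == tunnel_iface:
        findings.append("FVRF: default points into the tunnel (recursive routing)")
    return (not findings, findings)


if __name__ == "__main__":
    for name, g, f in (("R6", R6_GLOBAL, R6_FVRF), ("leaky", LEAKY_GLOBAL, "")):
        ok, findings = audit_branch(g, f)
        print(name, "PASS" if ok else "FAIL", findings)
```

Feed it the two show outputs collected from each branch (over SSH, from a config backup, however you gather them) and a branch where direct Internet access has crept back into the global table shows up as a FAIL with the offending exit interface or next hop.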
Keep in mind that a plain GRE tunnel gives no confidentiality or integrity, and the FVRF interface faces the Internet directly, so in production you would add encryption (IPsec) to the tunnel between R1 and R6 as well, and restrict what the FVRF interface accepts from the Internet to the tunnel traffic from its peer. We are going to discuss the encryption part in a separate topic.
I hope it has been informative for you and I’d like to thank you for
reading.