VRF (virtual routing and forwarding)
Theory
Basic concepts
In IP-based computer networks, virtual routing and forwarding (VRF) is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. One or more logical or physical interfaces may have a VRF and these VRFs do not share routes therefore the packets are only forwarded between interfaces on the same VRF. VRFs are the TCP/IP layer 3 equivalent of a VLAN. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. Network functionality is improved because network paths can be segmented without requiring multiple routers.[1]
- VRF: virtual routing and forwarding, also called a VPN instance
- Several VPN instances are created on one physical device; each has its own interfaces, routing table, routing protocol processes and so on, which is effectively like carving out another router of equal standing that is almost completely independent
- It can be used as if it were a new device. This kind of virtualization is one-to-many (one physical device, many virtual ones).
Use cases
- A company needs two firewalls, an external one and an internal one; to save cost, a single physical firewall can be bought and virtualized into two.
- An ISP running MPLS uses a separate VRF per customer so that overlapping customer address ranges do not clash.
Purpose: create multiple routing tables on one layer 3 forwarding device to isolate services; commonly used for MPLS VPN and firewalls.
Lab
Lab objective
Traffic from PC1 to AR2 and from PC2 to AR3 must be completely isolated.
Configuration approach
To get complete traffic isolation on a single router, VRF is the only option, so that is settled first. The router's two uplink interfaces can each go into their own VRF, no problem; but the router has only one downlink interface, so how can one interface be split across two VRFs? This is where router-on-a-stick comes in: we create two subinterfaces on the downlink interface, so the downlink effectively becomes two interfaces, and each subinterface is the gateway for one PC VLAN. It does not even matter that the two gateway IP addresses are identical.
In the end, VRF splits the router into two virtual routers: the subinterface for VLAN 10 and one uplink go into one VRF, the subinterface for VLAN 20 and the other uplink go into the other VRF, and that gives complete isolation.
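The isolation described above can be modelled in a few lines. The following is an added example (not part of the original notes, and not Huawei code): a toy router with one routing table per VRF, where a packet is looked up only in the table of the VRF its ingress interface is bound to. The topology, interface names, addresses and the static route to 10.0.2.2 are taken from the lab below.

```python
import ipaddress

# Constructed model of the lab router: each VRF owns its own routing table and
# a set of bound interfaces; lookups never cross from one VRF into another.
class VrfRouter:
    def __init__(self):
        self.tables = {"global": []}   # vrf name -> list of (network, nexthop, iface)
        self.iface_vrf = {}            # interface -> vrf name it is bound to

    def add_vrf(self, name):
        self.tables[name] = []

    def bind(self, iface, vrf):
        # equivalent of `ip binding vpn-instance`: the interface now lives in that VRF
        self.iface_vrf[iface] = vrf

    def add_route(self, vrf, prefix, nexthop, iface):
        self.tables[vrf].append((ipaddress.ip_network(prefix), nexthop, iface))

    def lookup(self, vrf, dst):
        # longest-prefix match restricted to a single VRF's table
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, iface in self.tables[vrf]:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return None if best is None else (best[1], best[2])

    def forward(self, ingress, dst):
        # the ingress interface decides which table is consulted
        vrf = self.iface_vrf.get(ingress, "global")
        return self.lookup(vrf, dst)

def build_lab():
    r1 = VrfRouter()
    for vrf in ("VRF_10", "VRF_20"):
        r1.add_vrf(vrf)
    r1.bind("g0/0/0", "VRF_10"); r1.bind("g0/0/2.10", "VRF_10")
    r1.bind("g0/0/1", "VRF_20"); r1.bind("g0/0/2.20", "VRF_20")
    # connected routes: the same 192.168.10.0/24 exists in both VRFs without conflict
    r1.add_route("VRF_10", "192.168.10.0/24", "192.168.10.1", "g0/0/2.10")
    r1.add_route("VRF_10", "10.0.12.0/24", "10.0.12.1", "g0/0/0")
    r1.add_route("VRF_20", "192.168.10.0/24", "192.168.10.1", "g0/0/2.20")
    r1.add_route("VRF_20", "10.0.13.0/24", "10.0.13.1", "g0/0/1")
    # static route to R2's loopback, installed only in VRF_10 (as in the lab)
    r1.add_route("VRF_10", "10.0.2.2/32", "10.0.12.2", "g0/0/0")
    return r1
```

A packet entering on g0/0/2.20 (VLAN 20) finds no route to 10.0.2.2 even though VRF_10 has one, and the global table knows nothing about the interfaces that were moved into the VRFs.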
Configuration steps:
- Switch configuration
  - Create two VLANs: 10 and 20
  - Put the interfaces facing the PCs into different VLANs
  - Configure the interface facing the router as a trunk
- Router configuration
  - Create two VLANs: 10 and 20
  - Create two VRFs: VRF_10 and VRF_20
  - Create two subinterfaces, int g0/0/2.10 and g0/0/2.20, and place them in different VRFs
  - Configure on each subinterface:
    - IP address (the gateway)
    - Enable ARP broadcast
    - Enable 802.1Q termination
  - Bind the router's uplink g0/0/0 to VRF_10 and g0/0/1 to VRF_20
- Routing configuration
  - Static routing between AR2 and AR1
  - OSPF between AR3 and AR1
Key configuration points:
- Know how to perform each operation inside a VRF
- View the routes inside a VRF
- Configure OSPF inside a VRF
- View the interfaces in a VRF
Lab steps
# Switch configuration
vlan 10
vlan 20
int g0/0/1
port link-ty access
port default vlan 10
int g0/0/2
port link-ty access
port default vlan 20
int g0/0/3
port link-ty trunk
port trunk allow vlan all
# R1 configuration
## Create VRF_10 and VRF_20
[R1]ip vpn-instance VRF_10
[R1-vpn-instance-VRF_10]ipv4-family # note: the IPv4 address family must be enabled
[R1]ip vpn-instance VRF_20
[R1-vpn-instance-VRF_20]ipv4-family
[R1]dis ip vpn-instance
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
Total IPv6 VPN-Instances configured : 0
VPN-Instance Name RD Address-family
VRF_10 IPv4
VRF_20 IPv4
---
## Create subinterfaces and bind the router's downlink subinterfaces to the VRFs
[R1]int g0/0/2.10
[R1-GigabitEthernet0/0/2.10]ip binding vpn-instance VRF_10
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R1]int g0/0/2.20
[R1-GigabitEthernet0/0/2.20]ip binding vpn-instance VRF_20
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R1]dis ip vpn-instance interface
Total VPN-Instances configured : 2
VPN-Instance Name and ID : VRF_10, 1
Interface Number : 1
Interface list : GigabitEthernet0/0/2.10
VPN-Instance Name and ID : VRF_20, 2
Interface Number : 1
Interface list : GigabitEthernet0/0/2.20
## Configure the gateway on the downlink subinterfaces, enable ARP broadcast and dot1q termination
vlan 10
vlan 20
quit
int g0/0/2.10
undo shutdown
ip add 192.168.10.1 24
dot1q termi vid 10
arp broadcast enable
int g0/0/2.20
undo shutdown
ip add 192.168.10.1 24
dot1q termi vid 20
arp broadcast enable
[R1]dis ip int bri
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.12.1/24 up up
GigabitEthernet0/0/1 10.0.13.1/24 up up
GigabitEthernet0/0/2 unassigned up down
GigabitEthernet0/0/2.10 192.168.10.1/24 up up
GigabitEthernet0/0/2.20 192.168.10.1/24 up up
NULL0 unassigned up up(s)
# The uplink interfaces must also be bound to the VRFs
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip binding vpn-instance VRF_10
[R1-GigabitEthernet0/0/0]ip add 10.0.12.1 24
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip binding vpn-instance VRF_20
[R1-GigabitEthernet0/0/1]ip add 10.0.13.1 24
[R1]dis ip vpn-instance interface
Total VPN-Instances configured : 2
VPN-Instance Name and ID : VRF_10, 1
Interface Number : 2
Interface list : GigabitEthernet0/0/0, GigabitEthernet0/0/2.10
VPN-Instance Name and ID : VRF_20, 2
Interface Number : 2
Interface list : GigabitEthernet0/0/1, GigabitEthernet0/0/2.20
# Check the global routing table: the routes of the interfaces moved into the VRFs are all gone
[R1]dis ip routing-table
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
# Check the routes inside the VRF
[R1]dis ip routing-table vpn-instance VRF_10
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_10
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.12.0/24 Direct 0 0 D 10.0.12.1 GigabitEthernet0/0/0
10.0.12.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
10.0.12.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
192.168.10.0/24 Direct 0 0 D 192.168.10.1 GigabitEthernet0/0/2.10
192.168.10.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2.10
192.168.10.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2.10
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
# If R2 has a loopback interface and PC1 is to reach it, we use a static route on R1 (inside VRF_10)
[R1]ip route-static vpn-instance VRF_10 10.0.2.2 32 10.0.12.2
[R1]dis ip routing-table protocol stati
10.0.2.2/32 Static 60 0 RD 10.0.12.2 GigabitEthernet0/0/0
[R2]ip route-static 192.168.10.0 24 10.0.12.1
[R2-LoopBack0]dis th
ip address 10.0.2.2 255.255.255.255
# If R3 has a loopback interface and PC1 is to reach it, we use OSPF on R1 (inside VRF_20)
[R1]ospf vpn-instance VRF_20 1 router-id 10.0.1.1
[R1-ospf-1]a 0
[R1-ospf-1-area-0.0.0.0]network 10.0.13.1 0.0.0.0
# R3 OSPF configuration
[R3]int l0
[R3-LoopBack0]ip add 10.0.3.3 32
[R3-LoopBack0]qu
[R3]
[R3]ospf 1 router-id 10.0.3.3
[R3-ospf-1]a 0
[R3-ospf-1-area-0.0.0.0]network 10.0.3.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 10.0.13.3 0.0.0.0
[R3]ip route-static 192.168.10.0 24 10.0.13.1
Common show commands
# Configure a static route
[R1]ip route-static vpn-instance VRF_10 10.0.2.2 32 10.0.12.2
# When pinging, note that it is no longer done from the global (physical) context but from inside the VRF
[R1]ping 10.0.12.2
Request time out
[R1]ping -vpn-instance VRF_10 10.0.12.2
Reply from 10.0.12.2: bytes=56 Sequence=1 ttl=255 time=20 ms
# Check the static routes in the VRF
[R1]dis ip routing-table vpn-instance VRF_10 | incl 10.0.2.2
10.0.2.2/32 Static 60 0 RD 10.0.12.2 GigabitEthernet0/0/0
# Check the OSPF routes in the VRF
[R1]dis ip routing-table vpn-instance VRF_20 | incl OSPF
10.0.3.3/32 OSPF 10 1 D 10.0.13.3 GigabitEthernet0/0/1
Appendix: router-on-a-stick
IEEE 802.1Q, often referred to as Dot1q, is the networking standard that supports virtual local area networking (VLANs) on an IEEE 802.3 Ethernet network. Portions of the network which are VLAN-aware (i.e., IEEE 802.1Q conformant) can include VLAN tags.
Frames sent by a PC use Ethernet II encapsulation at layer 2. When the switch sends them out tagged, layer 2 carries an additional 802.1Q header, which a router does not understand by default. To make a router interface understand it, create subinterfaces under the physical interface, enable dot1q termination on each subinterface, and also enable ARP broadcast; otherwise the subinterface cannot send ARP broadcasts and communication fails.
vlan 10
vlan 20
quit
int g0/0/2.10
undo shutdown
ip add 192.168.10.1 24
dot1q termi vid 10
arp broadcast enable
int g0/0/2.20
undo shutdown
ip add 192.168.20.1 24
dot1q termi vid 20
arp broadcast enable
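To make the extra 802.1Q header concrete, here is an added example (not from the original notes) that parses a constructed Ethernet II frame, pulls the VLAN ID out of the tag, and maps it to the terminating subinterface the way `dot1q termination vid` does; the VID-to-subinterface table is assumed from the appendix config.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_frame(frame):
    """Parse an Ethernet II frame; vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset, vid, pcp = 14, None, None
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit PCP, 1-bit DEI, 12-bit VID; the real EtherType follows the tag
        tci, etype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "pcp": pcp, "vid": vid,
            "ethertype": etype, "payload": frame[offset:]}

# assumed mapping, taken from the appendix config: subinterface -> terminated VID
SUBIFACES = {10: "g0/0/2.10", 20: "g0/0/2.20"}

def terminating_subinterface(frame):
    # untagged frames or an unknown VID have no subinterface to terminate on,
    # which is why the router drops them until dot1q termination is configured
    return SUBIFACES.get(parse_frame(frame)["vid"])

def make_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Build a constructed Ethernet II frame, optionally with an 802.1Q tag."""
    hdr = struct.pack("!6s6s", dst, src)
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF), ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload

# constructed sample: a broadcast ARP request from PC1, tagged VLAN 10 by the trunk
SAMPLE = make_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 10, 0x0806, b"\x00" * 28)
```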
Video demo
To be added later