Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S (ASR 1000)
Configuring the VRF-Aware Software Infrastructure

The VRF-Aware Software Infrastructure feature allows you to apply services such as access control lists (ACLs), Network Address Translation (NAT), policing, and zone-based firewalls to traffic that flows across two different virtual routing and forwarding (VRF) instances. VRF-Aware Software Infrastructure (VASI) interfaces support the redundancy of Route Processors (RPs) and Forwarding Processors (FPs) as well as IPv4 and IPv6 unicast traffic.

This module describes how to configure VASI interfaces.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Configuring the VRF-Aware Software Infrastructure

  • Multiprotocol Label Switching (MPLS) traffic over VRF-Aware Software Infrastructure (VASI) interfaces is not supported.
  • IPv4 and IPv6 multicast traffic is not supported.
  • VASI interfaces do not support the attachment of queue-based features. The following commands are not supported on Modular QoS CLI (MQC) policies that are attached to VASI interfaces:
    • bandwidth (policy-map class)
    • fair-queue
    • priority
    • queue-limit
    • random-detect
    • shape
  • VASI 2000 pairs are not supported on Open Shortest Path First (OSPF).

Information About Configuring the VRF-Aware Software Infrastructure

VASI Overview

VRF-Aware Software Infrastructure (VASI) provides the ability to apply services like a firewall, IPsec, and Network Address Translation (NAT) to traffic that flows across different virtual routing and forwarding (VRF) instances. VASI is implemented by using virtual interface pairs, where each of the interfaces in the pair is associated with a different VRF instance. The VASI virtual interface is the next-hop interface for any packet that needs to be switched between these two VRF instances. VASI interfaces provide the framework to configure a firewall or NAT between VRF instances.

Each interface pair is associated with two different VRF instances. The pairing is done automatically on the basis of the interface index, so that vasileft N is paired with vasiright N. For example, in the figure below, vasileft1 and vasiright1 are automatically paired, and a packet entering vasileft1 is internally handed over to vasiright1.

On VASI interfaces, you can configure either static routing or dynamic routing with Internal Border Gateway Protocol (IBGP), Enhanced Interior Gateway Routing Protocol (EIGRP), or Open Shortest Path First (OSPF). The restrictions and configuration rules that apply to IBGP dynamic routing also apply to IBGP routing between VASI interfaces.

The following figure shows an inter-VRF VASI configuration on the same device.

Figure 1. Inter-VRF VASI Configuration

When an inter-VRF VASI is configured on the same device, the packet flow happens in the following order:
  1. A packet enters the physical interface that belongs to VRF1 (Gigabit Ethernet 0/2/0.3).
  2. Before the packet is forwarded, a forwarding lookup is done in the VRF 1 routing table. Vasileft1 is chosen as the next hop, and the packet's Time to Live (TTL) value is decremented. Usually, the forwarding address is selected on the basis of the default route in the VRF, but it can also come from a static route or a learned route. The packet is sent to the egress path of vasileft1 and then automatically sent to the vasiright1 ingress path.
  3. When the packet enters vasiright1, a forwarding lookup is done in the VRF 2 routing table, and the TTL is decremented again (second time for this packet).
  4. VRF 2 forwards the packet to the physical interface, Gigabit Ethernet 0/3/0.5.
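The two-lookup flow above, modelled as an added Python example (not code from the page or from Cisco): interface names follow Figure 1, while the VRF tables, prefixes and destination addresses are constructed assumptions. It shows the index-based pairing, the longest-prefix lookup in each VRF, and why crossing a VASI pair costs two TTL decrements, including the case where the second lookup expires the packet.

```python
import ipaddress

# Constructed topology modelled on Figure 1 (prefixes and tables are assumptions):
# Gi0/2/0.3 and vasileft1 sit in VRF1; vasiright1 and Gi0/3/0.5 sit in VRF2.
IF_VRF = {"GigabitEthernet0/2/0.3": "VRF1", "vasileft1": "VRF1",
          "vasiright1": "VRF2", "GigabitEthernet0/3/0.5": "VRF2"}
VRF_TABLES = {
    "VRF1": {"0.0.0.0/0": "vasileft1", "192.168.10.0/24": "GigabitEthernet0/2/0.3"},
    "VRF2": {"0.0.0.0/0": "vasiright1", "10.20.0.0/16": "GigabitEthernet0/3/0.5"},
}

def vasi_peer(name):
    """Pairing is by index: vasileftN is handed to vasirightN and vice versa."""
    side, idx = ("left", name[8:]) if name.startswith("vasileft") else ("right", name[9:])
    return ("vasiright" if side == "left" else "vasileft") + idx

def lookup(vrf, dst):
    """Longest-prefix match in one VRF's table; None when nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, out_if in VRF_TABLES[vrf].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best[1] if best else None

def forward(ingress_if, dst, ttl):
    """Walk a packet through the device. Returns (egress_if, ttl, path);
    egress_if is None when the packet is dropped (TTL expired or no route).
    Every VRF lookup decrements TTL, so crossing a VASI pair costs two."""
    path, cur_if = [ingress_if], ingress_if
    while True:
        if ttl <= 1:          # would reach 0 at this hop: dropped, time exceeded
            return None, ttl, path
        ttl -= 1
        out_if = lookup(IF_VRF[cur_if], dst)
        if out_if is None:
            return None, ttl, path
        path.append(out_if)
        if not out_if.startswith("vasi"):
            return out_if, ttl, path
        cur_if = vasi_peer(out_if)   # egress of one side is ingress of the other
        path.append(cur_if)
```

A destination that both VRFs reach only through their default routes bounces between the pair until the TTL expires, which is the loop that a missing static route on one side produces.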

The following figure shows how VASI works in a Multiprotocol Label Switching (MPLS) VPN configuration.

Note

In the following figure, MPLS is enabled on the Gigabit Ethernet interface, but MPLS traffic is not supported across VASI pairs.

Figure 2. VASI with an MPLS VPN Configuration

When VASI is configured with a Multiprotocol Label Switching (MPLS) VPN, the packet flow happens in the following order:
  1. A packet arrives on the MPLS interface with a VPN label.
  2. The VPN label is stripped from the packet, a forwarding lookup is done within VRF 2, and the packet is forwarded to vasiright1. The packet's TTL value is decremented.
  3. The packet enters vasileft1 on the ingress path, and another forwarding lookup is done in VRF 1. The packet is sent to the egress physical interface in VRF 1 (Gigabit Ethernet 0/2/0.3). The TTL is decremented again.

How to Configure the VRF-Aware Software Infrastructure

Configuring a VASI Interface Pair

To configure a VRF-Aware Software Infrastructure (VASI) interface pair, you must configure the interface vasileft command on one interface and the interface vasiright command on the second interface. You can configure a virtual routing and forwarding (VRF) instance on any VASI interface.

SUMMARY STEPS

    1. enable
    2. configure terminal
    3. interface type number
    4. vrf forwarding table-name
    5. ip address {ip-address mask [secondary] | pool pool-name}
    6. exit
    7. ip route [vrf vrf-name] destination-prefix destination-prefix-mask interface-type interface-number
    8. interface type number
    9. vrf forwarding table-name
    10. ip address {ip-address mask [secondary] | pool pool-name}
    11. exit
    12. ip route [vrf vrf-name] destination-prefix destination-prefix-mask interface-type interface-number
    13. end

DETAILED STEPS

    Step 1: enable
    Example: Device> enable
    Enables privileged EXEC mode.
    • Enter your password if prompted.

    Step 2: configure terminal
    Example: Device# configure terminal
    Enters global configuration mode.

    Step 3: interface type number
    Example: Device(config)# interface vasileft 200
    Configures a VASI interface and enters interface configuration mode.
    • In this example, the vasileft interface is configured.

    Step 4: vrf forwarding table-name
    Example: Device(config-if)# vrf forwarding VRFLEFT
    Configures a VRF table.
    Note: You can configure VRF forwarding on any VASI interface. You need not configure VRF instances on both VASI interfaces.

    Step 5: ip address {ip-address mask [secondary] | pool pool-name}
    Example: Device(config-if)# ip address 192.168.0.1 255.255.255.0
    Configures a primary or secondary IP address for an interface.

    Step 6: exit
    Example: Device(config-if)# exit
    Exits interface configuration mode and enters global configuration mode.

    Step 7: ip route [vrf vrf-name] destination-prefix destination-prefix-mask interface-type interface-number
    Example: Device(config)# ip route vrf VRFLEFT 10.0.0.2 255.255.255.0 vasiright 200
    Establishes a static route for a VRF instance and a VASI interface.
    Note: To add an IP route for a VRF instance, you must specify the vrf keyword.

    Step 8: interface type number
    Example: Device(config)# interface vasiright 200
    Configures a VASI interface and enters interface configuration mode.
    • In this example, the vasiright interface is configured.

    Step 9: vrf forwarding table-name
    Example: Device(config-if)# vrf forwarding VRFRIGHT
    Configures the VRF table.

    Step 10: ip address {ip-address mask [secondary] | pool pool-name}
    Example: Device(config-if)# ip address 192.168.1.1 255.255.255.0
    Configures a primary or secondary IP address for an interface.

    Step 11: exit
    Example: Device(config-if)# exit
    Exits interface configuration mode and enters global configuration mode.

    Step 12: ip route [vrf vrf-name] destination-prefix destination-prefix-mask interface-type interface-number
    Example: Device(config)# ip route vrf VRFRIGHT 10.0.0.1 255.255.0.0 vasileft 200
    Establishes a static route for a VRF instance and a VASI interface.
    Note: To add an IP route for a VRF instance, you must specify the vrf keyword.

    Step 13: end
    Example: Device(config)# end
    Exits global configuration mode and returns to privileged EXEC mode.

Configuration Examples for the VRF-Aware Software Infrastructure

Example: Configuring a VASI Interface Pair

A virtual routing and forwarding (VRF) instance must be enabled for each interface of the VASI pair (vasileft and vasiright).

    Device(config)# interface vasileft 200
    Device(config-if)# vrf forwarding VRFLEFT
    Device(config-if)# ip address 192.168.0.1 255.255.255.0
    Device(config-if)# exit
    Device(config)# ip route vrf VRFLEFT 10.0.0.2 255.255.0.0 vasiright 200
    Device(config)# interface vasiright 200
    Device(config-if)# vrf forwarding VRFRIGHT
    Device(config-if)# ip address 192.168.1.1 255.255.255.0
    Device(config-if)# exit
    Device(config)# ip route vrf VRFRIGHT 10.0.0.1 255.255.255.0 vasileft 200
    Device(config)# end
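As an added configuration check (not code from the page or from Cisco): a Python audit that parses an IOS-style configuration, pairs vasileft and vasiright interfaces by index as the procedure above requires, and flags any attached policy-map that uses one of the queue-based MQC commands listed under Restrictions. The sample configuration is constructed; the third interface and the QOS-OUT policy-map are assumptions chosen to trigger findings.

```python
import re

# Queue-based MQC commands the Restrictions section lists as unsupported on VASI.
UNSUPPORTED_QOS = {"bandwidth", "fair-queue", "priority", "queue-limit", "random-detect", "shape"}

# Constructed sample (not from the page): pair 200 is complete; vasileft 300 has no
# partner and carries a policy-map that uses "shape", which VASI does not support.
SAMPLE_CONFIG = """\
interface vasileft 200
 vrf forwarding VRFLEFT
 ip address 192.168.0.1 255.255.255.0
interface vasiright 200
 vrf forwarding VRFRIGHT
 ip address 192.168.1.1 255.255.255.0
interface vasileft 300
 vrf forwarding VRFLEFT
 ip address 192.168.2.1 255.255.255.0
 service-policy output QOS-OUT
policy-map QOS-OUT
 class class-default
  shape average 1000000
"""

def parse_config(text):
    """Group an IOS-style config into {top-level line: [indented child lines]}.
    Both "interface vasileft 200" and "interface vasileft200" are accepted."""
    stanzas, header = {}, None
    for raw in map(str.rstrip, text.splitlines()):
        if not raw or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            header = re.sub(r"^interface vasi(left|right) (\d+)$", r"interface vasi\1\2", raw)
            stanzas.setdefault(header, [])
        elif header is not None:
            stanzas[header].append(raw.strip())
    return stanzas

def audit_vasi(text):
    """Return findings: unpaired VASI interfaces and policy-maps using unsupported queueing."""
    cfg, findings = parse_config(text), []
    vasi = {h.split()[1]: body for h, body in cfg.items() if h.startswith("interface vasi")}
    for name, body in vasi.items():
        side, idx = re.match(r"vasi(left|right)(\d+)$", name).groups()
        peer = "vasi" + ("right" if side == "left" else "left") + idx   # paired by index
        if peer not in vasi:
            findings.append(f"{name}: missing partner {peer}")
        for line in body:
            if line.startswith("service-policy "):
                pmap = line.split()[-1]
                bad = [c for c in cfg.get(f"policy-map {pmap}", []) if c.split()[0] in UNSUPPORTED_QOS]
                if bad:
                    findings.append(f"{name}: policy-map {pmap} uses unsupported queueing: {bad}")
    return findings
```

The audit deliberately does not require vrf forwarding on both sides, since the procedure notes that a VRF need only be configured on one VASI interface of the pair.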

Additional References for Configuring the VRF-Aware Software Infrastructure

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for Configuring the VRF-Aware Software Infrastructure

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Configuring the VRF-Aware Software Infrastructure

Feature Name: VRF-Aware Software Infrastructure
Releases: Cisco IOS XE Release 2.6
Feature Information: The VRF-Aware Software Infrastructure feature allows you to apply services such as ACLs, NAT, policing, and zone-based firewalls to traffic that flows across two different VRF instances. The VRF-Aware Software Infrastructure (VASI) interfaces support redundancy of the RP and FP. This feature supports IPv4 and IPv6 unicast traffic on VASI interfaces.

Feature Name: VASI (VRF-Aware Software Infrastructure) Enhancements Phase I
Releases: Cisco IOS XE Release 3.1S
Feature Information: The VASI Enhancements Phase I feature provides the following enhancements to VASI:
  • Support for 500 VASI interfaces.
  • Support for IBGP dynamic routing between VASI interfaces.

Feature Name: VASI (VRF-Aware Software Infrastructure) Enhancements Phase II
Releases: Cisco IOS XE Release 3.2S
Feature Information: The VASI Enhancements Phase II feature provides the following enhancements to VASI:
  • Support for IPv6 unicast traffic over VASI interfaces.
  • Support for OSPF and EIGRP dynamic routing between VASI interfaces.

Feature Name: VASI (VRF-Aware Software Infrastructure) Scale
Releases: Cisco IOS XE Release 3.3S
Feature Information: The VASI Scale feature provides support for 1000 VASI interfaces. The following command was introduced or modified: interface (VASI).

Feature Name: VASI 2000 Pair Scale
Releases: Cisco IOS XE Release 3.10S
Feature Information: The VASI 2000 Pair Scale feature provides support for 2000 VASI interfaces. VASI 2000 interfaces are supported on Border Gateway Protocol (BGP). The following command was introduced or modified: interface (VASI).