MPLS VPN VRF Selection Based on Source IP Address
Last Updated: June 6, 2012
The VPN Routing and Forwarding (VRF) Selection feature allows a specified interface on a provider edge (PE) router to route packets to different Virtual Private Networks (VPNs) based on the source IP address of the packet. This feature is an improvement over using a policy-based router to route packets to different VPNs.
History for the MPLS VPN: VRF Selection Based on Source IP Address Feature
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for MPLS VPN VRF Selection Based on Source IP Address
Restrictions for MPLS VPN VRF Selection Based on Source IP Address
Information About MPLS VPN VRF Selection Based on Source IP Address
The VRF Selection feature allows packets arriving on an interface to be switched into the appropriate VRF table based upon the source IP address of the packets. Once the packets have been "selected" into the correct VRF routing table, they are processed normally, based on the destination address and forwarded through the rest of the Multiprotocol Label Switching (MPLS) VPN.
In most cases, the VRF Selection feature is a "one way" feature; it works on packets coming from the end users to the PE router.
VRF Selection Process
The VRF Selection feature uses the process described in this section to route packets from the customer networks to the PE router and into the provider network.
A two-table lookup mechanism is used at the ingress interface of the PE router to determine the routing and forwarding of packets coming from the customer networks, which use IP protocols, to the MPLS VPN networks, which use MPLS protocols.
If no match is found in the table for the source IP address of the packet, the packet is either routed via the global routing table used by the PE router (this is the default behavior), or is dropped. See the Configuring a VRF to Eliminate Unnecessary Packet Forwarding Example for more information.
The VRF Selection process removes the association between the VPN and the interface and allows more than one MPLS VPN to be associated with the interface.
VRF Selection Examples
Here is an example of the VRF Selection feature. It is based on a network carrier that allows subscribers to the carrier to choose from multiple Internet service providers (ISPs) for Internet access. The figure below provides an example of the VRF Selection feature with an IP-based host network, an MPLS VPN network, and three ISPs connected to the MPLS VPN network.
In the figure above, Carrier X represents the network carrier; Host A, Host B and Host C represent the carrier subscribers; and ISP 1, ISP 2 and ISP 3 represent the ISPs.
The figure illustrates a packet traveling from Host A to ISP 1. The dashed line represents the travel of the packet.
Host A chooses ISP 1 to use as its ISP. Carrier X will provide an IP address to Host A that falls within the range of the ISP 1 registered network addresses. Based upon this IP address allocation, the VRF Selection criteria are set.
The POOL network, by using default routes, forwards traffic from the Carrier X IP-based (POOL) network to the Carrier X MPLS-based VPN network. The MPLS VPN network forwards (shunts) the traffic from Host A into the correct VPN, which is VPN 1 (ISP 1), by using the VRF Selection-enabled router PE2.
To enable the VRF Selection feature on the routers PE1 and PE2, enter the following commands:
Router(config)# vrf selection source 10.1.0.0 255.255.0.0 vrf vpn1
Router(config)# vrf selection source 172.16.0.0 255.255.0.0 vrf vpn2
Router(config)# interface POS1/0
Router(config-if)# description Link to CE POS1/0
Router(config-if)# ip vrf select source
For more information on the commands used to configure the VRF Selection feature, see the Command Reference.
The VRF Selection feature is a one-way (unidirectional) feature in most implementations; it only works on packets coming from the customer networks to a PE router. See VRF Selection is a Unidirectional Feature for more information.
Traffic coming from the ISPs to the hosts (in the example, traffic traveling from the ISPs on the right to the hosts on the left) is not affected by the VRF Selection feature and does not have to be returned via an MPLS path. This traffic can return via the shortest available IP path.
Another example of VRF Selection in use might involve a cable modem termination system (CMTS). If the owner of the CMTS wants to allow cable modem subscribers to choose their ISP from a group of ISPs, the VRF Selection feature provides a fast and scalable solution.
VRF Selection is a Unidirectional Feature
In the figure above, the end users are typical Internet home users. If the VRF Selection feature were a two-way (bidirectional) feature, traffic coming from the ISPs to the hosts would be required to use only the PE routers that have VRF Selection enabled, which might cause performance issues.
When traffic from the POOL network goes through the carrier network to the ISP networks for Internet access, the traffic in the carrier network must be forwarded by means of MPLS VPN paths, because the VRF Selection-enabled router has "selected" the traffic into the correct MPLS VPN.
Traffic from the ISP networks to the POOL network does not have to use MPLS VPN paths in the carrier network and can use the path that seems most efficient to return to the POOL network. This traffic can use a path that uses either MPLS or IP for routing and forwarding and does not have to travel via an MPLS VPN.
Traffic from the ISP networks to the POOL networks can be forwarded by the global routing table used by every interface. One way to accomplish this is to enter VRF static routes on the PE router interfaces connected to the ISPs. The VRF static routes would route traffic from the ISPs to the carrier network. See Establishing IP Static Routes for a VRF Instance for information on placing a default VRF static route onto an interface.
Establishing static VRF routes allows traffic from the ISPs to enter the carrier network as traffic that can only be routed by using the global routing table toward the POOL network.
If the ISPs are not providing global host address space, or the VRF feature is not being used to route Internet traffic, the PE interfaces connected to the ISPs must be placed into a VRF. If the PE interfaces are using VRFs for routing traffic from the ISPs, all traffic from the ISPs to the hosts through the carrier network would be forwarded by MPLS VPN paths, and performance would not be as good as if IP forwarding were used.
Normal IP-based VPN operations, such as populating the routing information base (RIB) and forwarding information base (FIB) from a routing protocol such as Border Gateway Protocol (BGP), are used to route and forward packets within the various VPNs in the customer networks. The provider network uses MPLS-based routing protocols to perform VPN routing and forwarding inside the provider network.
See Configuring VRF Selection for a sample configuration of the VRF Selection feature.
Conditions Under Which VRF Selection Becomes Bidirectional
Forwarding of traffic from the carrier network to the POOL network by using the global routing table is possible only if the ISPs have provided registered IP address space for all of the subscribed users within the POOL network.
If the POOL network uses IP addresses that are not globally routable and are designed for a nonconnected enterprise (defined by RFC 1918), the VRF Selection feature becomes bidirectional. All traffic being sent and received by the host would have to travel via a router that has the VRF Selection feature enabled. The POOL network cannot be addressed with overlapping address space, regardless of the type of address space being used.
Advantages of VRF Selection over Per-Interface IP VPN Configuration
The VRF Selection feature removes the association between a VPN and an interface. Before the VRF Selection feature was introduced, the following implementation was used to route outgoing MPLS VPN packets to different destinations:
The following limitations apply to policy-based routing (PBR) solutions that use this implementation:
The VRF Selection feature addresses the limitations of and problems with using a PBR for packet routing and forwarding.
Benefits of VRF Selection Based on Source IP Address
The following are benefits to using the VRF Selection method of VPN routing and forwarding.
How to Configure VRF Selection Based on Source IP Address
Configuring VRF Selection
To add a source IP address to a VRF Selection table, use the following commands, beginning in global configuration mode.
Establishing IP Static Routes for a VRF Instance
Traffic coming from the ISPs to the hosts does not require the use of the MPLS VPN paths; this traffic can use the shortest IP route back to the host.
VPN static routes for traffic returning to the customer networks are only necessary if VPN traffic returning to the customer networks is being forwarded from the VRF Selection interface. The remote PE router could also be configured to route return traffic to the customer networks directly by using the global routing table.
Verifying VRF Selection
Enter the show ip route vrf command in EXEC mode to display the IP routing table associated with a VRF instance. This example shows the IP routing table associated with the VRF vpn1:
Router# show ip route vrf vpn1
Routing Table: vpn1
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
Gateway of last resort is not set
B    10.0.0.0/8 [200/0] via 10.10.10.10, 00:00:37
     172.16.0.0/16 is subnetted, 1 subnets
B       10.19.0.0 [200/0] via 10.10.10.10, 00:00:37
     10.0.0.0/32 is subnetted, 1 subnets
B       10.14.14.14 [200/0] via 10.10.10.10, 00:00:37
     10.0.0.0/32 is subnetted, 1 subnets
S       10.15.15.15 [1/0] via 10.0.0.1, POS1/1
Router(config)# vrf selection source 172.16.2.1 255.255.255.255 vrf RED
To enable VRF, first remove VRF Select from the interface
To enable VRF Select, first remove VRF from the interface
Configuration Examples for VRF Selection Based on Source IP Address
Enabling MPLS VPNs Example
Creating a VRF Routing Table Example
The following example shows how to create two VRF Selection tables (vpn1 and vpn2):
Router(config)# ip vrf vpn1
Router(config-vrf)# rd 1000:1
Router(config-vrf)# route-target export 1000:1
Router(config-vrf)# route-target import 1000:1
Router(config-vrf)# exit
Router(config)# ip vrf vpn2
Router(config-vrf)# rd 1000:2
Router(config-vrf)# route-target export 1000:2
Router(config-vrf)# route-target import 1000:2
Defining VRF Selection Entries Example
The following example shows two entries (vpn1 and vpn2) being defined in the VRF Selection table. In this example, packets with the source address of 10.16.0.0 will be routed to the VRF vpn1, and packets with the source address of 10.17.0.0 will be routed to the VRF vpn2:
Router(config)# vrf selection source 10.16.0.0 255.255.0.0 vrf vpn1
Router(config)# vrf selection source 10.17.0.0 255.255.0.0 vrf vpn2
Defining IP Static Routes for a VRF Example
Configuring an Interface for VRF Selection Example
The following example shows the POS1/0 interface being configured for the VRF Selection feature and the configured IP address (10.0.0.1) being added to the VRFs vpn1 and vpn2 as connected routes:
Router(config)# interface POS1/0
Router(config-if)# description Link to CE1 POS1/0 (eng2)
Router(config-if)# ip vrf select source
Router(config-if)# ip vrf receive vpn1
Router(config-if)# ip vrf receive vpn2
Router(config-if)# ip address 10.0.0.1 255.0.0.0
Router(config-if)# no ip directed-broadcast
Router(config-if)# load-interval 30
Router(config-if)# crc 32
Router(config-if)# end
Configuring a BGP Router for VRF Selection Example
A router that is VRF Selection-enabled requires an MPLS VPN BGP configuration. The following example configures a router that is using BGP for the VRF Selection feature:
Router(config)# router bgp 1000
Router(config-router)# no bgp default ipv4-unicast
Router(config-router)# bgp log-neighbor-changes
Router(config-router)# timers bgp 10 30
Router(config-router)# neighbor 10.11.11.11 remote-as 1000
Router(config-router)# neighbor 10.11.11.11 update-source Loopback0
Router(config-router)# no auto-summary
Router(config-router)# address-family vpnv4
Router(config-router-af)# neighbor 10.11.11.11 activate
Router(config-router-af)# neighbor 10.11.11.11 send-community extended
Router(config-router-af)# exit-address-family
Router(config-router)# address-family ipv4 vrf vpn2
Router(config-router-af)# redistribute static
Router(config-router-af)# no auto-summary
Router(config-router-af)# no synchronization
Router(config-router-af)# exit-address-family
Router(config-router)# address-family ipv4 vrf vpn1
Router(config-router-af)# redistribute static
Router(config-router-af)# no auto-summary
Router(config-router-af)# no synchronization
Router(config-router-af)# exit-address-family
Configuring a VRF to Eliminate Unnecessary Packet Forwarding Example
If a packet arrives at an interface that has VRF Selection enabled, and the packet source IP address does not match any VRF Selection definition, that packet will be forwarded by means of the global routing table. This default behavior could cause problems if IP address spoofing is being implemented. Unnecessary traffic could be forwarded by the global routing table. To eliminate this unnecessary routing of packets, create a VRF Selection definition that will forward all unknown incoming traffic to a null interface.
The following configuration causes all traffic not matching a more specific VRF Selection definition to be routed to the Null0 interface, thus causing the packets to be dropped.
Router(config)# ip vrf VRF_DROP
Router(config-vrf)# rd 999:99
Router(config-vrf)# route-target export 999:99
Router(config-vrf)# route-target import 999:99
Router(config-vrf)# exit
Router(config)# vrf selection source 0.0.0.0 0.0.0.0 vrf VRF_DROP
Router(config)# ip route vrf VRF_DROP 0.0.0.0 0.0.0.0 Null0
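The following is an added model of the ingress source-lookup described in VRF Selection Process and of the catch-all drop configuration above; it is not Cisco code. It parses the page's vrf selection source lines, picks the most specific matching entry for a packet's source address, falls back to the global table when nothing matches, and treats a packet selected into VRF_DROP (whose only route is to Null0) as discarded. The sample configuration embedded in the block is constructed from the page's examples.

```python
import ipaddress

# Constructed VRF Selection configuration in the page's IOS syntax:
# the two subscriber pools plus the catch-all entry that feeds VRF_DROP.
VRF_SELECTION_CONFIG = """
vrf selection source 10.16.0.0 255.255.0.0 vrf vpn1
vrf selection source 10.17.0.0 255.255.0.0 vrf vpn2
vrf selection source 0.0.0.0 0.0.0.0 vrf VRF_DROP
"""


def parse_vrf_selection(config):
    """Turn 'vrf selection source ADDR MASK vrf NAME' lines into (network, vrf) pairs."""
    table = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] != ["vrf", "selection", "source"] or len(parts) != 7:
            continue  # ignore blank lines and anything that is not a selection entry
        # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits
        net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
        table.append((net, parts[6]))
    return table


def select_vrf(table, src_ip):
    """Return the VRF of the longest-matching entry for src_ip, or 'global'
    when no entry matches (the default behaviour the page describes)."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for net, vrf in table:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, vrf)
    return best[1] if best else "global"


def forward(table, src_ip):
    """Model the ingress decision: VRF_DROP holds only a static route to Null0,
    so a packet selected into it is discarded instead of reaching the global table."""
    vrf = select_vrf(table, src_ip)
    return "drop" if vrf == "VRF_DROP" else vrf


if __name__ == "__main__":
    table = parse_vrf_selection(VRF_SELECTION_CONFIG)
    for src in ("10.16.5.9", "10.17.0.1", "192.0.2.7"):
        print(src, "->", forward(table, src))
```

Removing the 0.0.0.0/0 entry from the table makes unknown sources fall back to "global", which is the unfiltered default the page warns about.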
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Multiprotocol Label Switching Command Reference. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.