VRF Overview
VRF (Virtual Routing and Forwarding) is a technology that virtualizes a single physical routing device into multiple virtual routing devices that are (relatively) independent of each other. Each VRF has its own routing table, which segregates Layer 3 forwarding and allows overlapping subnets, and its own set of Layer 3 VLAN interfaces.
Figure 1. Multiple VRF Process Modules on One Router
PICA8 switches support multiple VRF instances: one default VRF and multiple user-defined VRFs. By default, all interfaces, including the management interface (i.e. eth0) and all VLAN interfaces, and the IP route information share one VRF, the default VRF. Users can create a new VRF with the VRF definition command and then add Layer 3 VLAN interfaces and static routes to it; the system then segregates the IP routing table, ARP table, hardware forwarding table, and host hardware forwarding table of the different VRFs on the customer edge (CE) device.
Figure 2. Networking diagram of VRF
In Figure 2, when the VRF function is implemented on the CE device, users from Site1 and Site2 can use overlapping IP addresses when accessing the Internet through an interface of the CE, and their routing spaces on the CE device are segregated.
When the CE switch receives a data packet, it looks up the IP routing table of the VRF determined by the ingress Layer 3 VLAN interface, and then forwards the packet based on the routing entry in that VRF.
VRF segregates data traffic among different customers sharing the same physical router device: users in the same VRF can communicate with each other, but users in different VRFs cannot.
NOTE:
PICOS supports only VRF-Lite, a lighter version of VRF, referring to VRF without MPLS.
If a Layer 3 VLAN interface or a static route is not associated with a specific VRF, the default VRF is used.
VRF Characteristics
- Each VRF has an independent routing table to implement independent routing and forwarding functions.
- Each VRF has an independent address space. This allows address overlapping between different VRFs without address conflicts occurring in the same device.
- Users in the same VRF can communicate with each other, but users in different VRFs cannot communicate with each other.
Application Scenario
This document lists several use cases for VRFs:
- Users can deploy the VRF function to solve the problem of insufficient IP addresses, because each VRF has its own address space and addresses may overlap between VRFs.
- Users can deploy the VRF function to isolate the traffic of different users and increase data communication security, because communication between tenants placed in different VRFs is segregated.
- VRF virtualizes a single physical routing device into multiple virtual routing devices, which saves hardware cost.
Use Case: Management VRF
NOTE:
Only an L3 VLAN interface in the default VRF can be set as an inband management port. If a VLAN interface has been set as an inband management port, it cannot be bound to a user-defined VRF.
A maximum of four L3 VLAN interfaces in the default VRF can be set as inband management ports with the set system inband vlan-interface <vlan-interface> command. Alternatively, the set system inband enable true command enables the inband management function on all L3 VLAN interfaces in the default VRF.
The management interface (i.e. eth0) and the inband management ports are used for out-of-band (OOB) and in-band (IB) management respectively. By default, all interfaces, including the management interface (i.e. eth0) and all VLAN interfaces, share the default VRF.
For PICA8 switches, the management interface (i.e. eth0) is not associated with a specific VRF. If you want to isolate the management VRF's traffic from other VRFs' traffic to protect the management interfaces, you can use the default VRF as the management VRF: keep the management interfaces in the default VRF so that it carries all types of management traffic, and put the non-management interfaces in other VRFs.
The following steps and example describe how to use the default VRF as the management VRF and isolate the management traffic from the data plane traffic:
1. Create one or more new VRFs, such as a DATAPLANE VRF.
2. Move all data plane VLAN interfaces to the new VRFs, leaving only eth0, eth1 and the inband VLAN interfaces in the default VRF. The management traffic and the data plane traffic are then segregated in different VRFs.
3. Set the L3 VLAN interface in the default VRF as the inband management port with the set system inband enable true or set system inband vlan-interface <vlan-interface> command. Note that the inband management port must not be bound to a user-defined VRF.
Examples
1. Default Case.
Figure 3. Default Case
In the default case, no specific VRF is assigned as the management VRF on the switch. By default, all the management interfaces, including eth0, eth1 and the IB interfaces such as VLAN400, and the data plane interfaces, such as VLAN100, VLAN200 and VLAN300, are in the default VRF.
eth0 and eth1 use the main table. The inband interface VLAN400 and the data plane VLAN interfaces, such as VLAN100, VLAN200 and VLAN300, share the same routing table, table 252. Traffic can be routed between them.
2. Add one or more VRFs for the tenant traffic.
Figure 4. Add VRF1 for the Tenant Traffic
On top of the default setting, where no specific VRF is assigned to the management interfaces, users can create additional VRFs for tenant traffic. Tenant VLAN interfaces, such as VLAN500, VLAN600 and VLAN700, can be bound to the tenant VRF (VRF1).
The following CLI commands can be used to achieve the above settings:
admin@Xorplus# set vlans vlan-id 500 l3-interface VLAN500
admin@Xorplus# set vlans vlan-id 600 l3-interface VLAN600
admin@Xorplus# set vlans vlan-id 700 l3-interface VLAN700
admin@Xorplus# set ip vrf VRF1 description Tenant
admin@Xorplus# set vlan-interface interface VLAN500 vrf VRF1
admin@Xorplus# set vlan-interface interface VLAN600 vrf VRF1
admin@Xorplus# set vlan-interface interface VLAN700 vrf VRF1
3. Add one or more VRFs for data plane traffic.
Figure 5. Add VRF2 for the Data Plane Traffic
If users need to protect the management interfaces, they can create a new VRF, such as a DATAPLANE VRF, and then move all data plane VLAN interfaces, such as VLAN100, VLAN200 and VLAN300, from the default VRF to the DATAPLANE VRF. In this case, only eth0, eth1 and the inband VLAN interfaces, such as VLAN400, are left in the default VRF. Tenant VLAN interfaces, such as VLAN500, VLAN600 and VLAN700, are in the tenant VRF (VRF1).
The following CLI commands can be used to achieve the above settings:
admin@Xorplus# set ip vrf VRF2 description DATAPLANE
admin@Xorplus# set vlan-interface interface VLAN100 vrf VRF2
admin@Xorplus# set vlan-interface interface VLAN200 vrf VRF2
admin@Xorplus# set vlan-interface interface VLAN300 vrf VRF2
4. Set the L3 VLAN interface VLAN400 in the default VRF as the inband management port.
admin@Xorplus# set system inband vlan-interface VLAN400
The above example and sample configuration show how users can isolate management traffic from data plane traffic by using the default VRF together with user-defined VRFs.
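As an added example (not Pica8's code and not PICOS output), the following Python script models the configuration built in steps 1 to 4 above. It parses set commands in the same form as the CLI lines shown, checks the management-VRF rules this page states (an inband management port must stay in the default VRF, every bound VRF must exist, at most four inband VLAN interfaces), and shows how the ingress L3 VLAN interface selects the VRF routing table so that an overlapping prefix resolves differently per VRF and a VRF with no matching route does not fall through to another VRF's table. SAMPLE_CONFIG, SAMPLE_ROUTES, the IP addresses and the function names are constructed for this example; the route table is plain data, not PICOS route syntax.

```python
import ipaddress

DEFAULT_VRF = "default"
MAX_INBAND = 4  # limit for set system inband vlan-interface stated on this page

# Constructed sample configuration in the command style used on this page.
SAMPLE_CONFIG = """
admin@Xorplus# set vlans vlan-id 100 l3-interface VLAN100
admin@Xorplus# set vlans vlan-id 200 l3-interface VLAN200
admin@Xorplus# set vlans vlan-id 400 l3-interface VLAN400
admin@Xorplus# set vlans vlan-id 500 l3-interface VLAN500
admin@Xorplus# set ip vrf VRF1 description Tenant
admin@Xorplus# set ip vrf VRF2 description DATAPLANE
admin@Xorplus# set vlan-interface interface VLAN500 vrf VRF1
admin@Xorplus# set vlan-interface interface VLAN100 vrf VRF2
admin@Xorplus# set vlan-interface interface VLAN200 vrf VRF2
admin@Xorplus# set system inband vlan-interface VLAN400
"""

# Constructed per-VRF static routes as plain data (prefix -> egress interface).
# This is a model, not PICOS route syntax. 10.0.0.0/24 is deliberately present
# in both VRF1 and VRF2 to show that address spaces may overlap across VRFs.
SAMPLE_ROUTES = {
    DEFAULT_VRF: {"192.0.2.0/24": "VLAN400"},
    "VRF1": {"10.0.0.0/24": "VLAN500"},
    "VRF2": {"10.0.0.0/24": "VLAN100", "0.0.0.0/0": "VLAN200"},
}


def parse_config(text):
    """Build a VRF model from `set ...` lines; a leading CLI prompt is ignored."""
    cfg = {"vrfs": {DEFAULT_VRF}, "iface_vrf": {}, "inband": [], "inband_all": False}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[-1].split()  # drop "admin@Xorplus#" if present
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1:3] == ["vlans", "vlan-id"] and "l3-interface" in tok:
            # A new L3 VLAN interface lives in the default VRF until bound elsewhere.
            cfg["iface_vrf"].setdefault(tok[tok.index("l3-interface") + 1], DEFAULT_VRF)
        elif tok[1:3] == ["ip", "vrf"]:
            cfg["vrfs"].add(tok[3])
        elif tok[1:3] == ["vlan-interface", "interface"] and "vrf" in tok:
            cfg["iface_vrf"][tok[3]] = tok[tok.index("vrf") + 1]
        elif tok[1:4] == ["system", "inband", "vlan-interface"]:
            cfg["inband"].append(tok[4])
        elif tok[1:5] == ["system", "inband", "enable", "true"]:
            cfg["inband_all"] = True
    return cfg


def audit(cfg):
    """Return findings that violate the management-VRF rules stated on this page."""
    findings = []
    for iface, vrf in sorted(cfg["iface_vrf"].items()):
        if vrf not in cfg["vrfs"]:
            findings.append(f"{iface} is bound to undefined VRF {vrf}")
    for iface in cfg["inband"]:
        vrf = cfg["iface_vrf"].get(iface, DEFAULT_VRF)
        if vrf != DEFAULT_VRF:
            findings.append(f"inband port {iface} is bound to user-defined VRF {vrf}")
    inband_count = len(set(cfg["inband"]))
    if inband_count > MAX_INBAND:
        findings.append(f"{inband_count} inband ports exceed the limit of {MAX_INBAND}")
    return findings


def lookup(cfg, routes, ingress_iface, dst):
    """The ingress L3 interface selects the VRF; longest-prefix match in that VRF only.

    Returns (vrf, egress_interface). egress_interface is None when the VRF has
    no matching route: the packet is never forwarded via another VRF's table.
    """
    vrf = cfg["iface_vrf"].get(ingress_iface, DEFAULT_VRF)
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes.get(vrf, {}).items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return vrf, (best[1] if best else None)


if __name__ == "__main__":
    model = parse_config(SAMPLE_CONFIG)
    print("audit findings:", audit(model) or "none")
    for ingress, dst in [("VLAN500", "10.0.0.5"), ("VLAN100", "10.0.0.5"),
                         ("VLAN100", "203.0.113.1"), ("VLAN500", "192.0.2.9")]:
        print(ingress, "->", dst, "=", lookup(model, SAMPLE_ROUTES, ingress, dst))
```

Running the script against the sample configuration reports no findings, and the lookups show the point of the page: the same destination 10.0.0.5 leaves through VLAN500 when it arrives on a VRF1 interface and through VLAN100 when it arrives on a VRF2 interface, while a destination that only the default VRF knows is not reachable from VRF1. Appending a line that binds the inband port VLAN400 to VRF2 makes audit() flag the misconfiguration the NOTE above warns against.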