Welcome to Jeremy’s IT Lab. This is a complete course for the CCNA. In this video we will cover Virtual Routing and Forwarding, VRF. VRF allows us to divide one physical router into multiple virtual routers. You can think of it like VLANs for routers. VLANs divide a switch into multiple virtual switches each with their own broadcast domain, and VRF divides a router into multiple virtual routers each with their own routing table.

Here’s what we’ll cover in this video. First I will introduce the concept of VRF and its capabilities, and then introduce VRF configuration. Note that VRF configuration isn’t actually a CCNA exam topic, but I think seeing the configurations will help you understand how it works. Unfortunately VRF isn’t supported in Packet Tracer, so if you want to try it in a lab you’ll need to use something like Cisco Modeling Labs, CML, or real Cisco devices. Let’s get started.

The diagram at the bottom gives an idea of how VRFs work. The black box in the middle represents R1, a single physical router. The blue, green, and red router icons inside represent three virtual routers inside R1, three VRFs. Let’s call them VRF1, VRF2, and VRF3.

So, Virtual Routing and Forwarding is used to divide a single router into multiple virtual routers. This is similar to how VLANs are used to divide a single switch, a LAN, into multiple virtual switches, virtual LANs. By default, all interfaces on a switch are in the same LAN, the same broadcast domain. When using VLANs, we can divide that one broadcast domain into multiple virtual broadcast domains. Similarly, by default all router interfaces are all in the same ‘routing domain’. By ‘routing domain’ I mean, by default traffic received on one router interface can be forwarded out of any other interface on the router, if the routing table says to do so. For example, without using VRF, in the diagram below traffic received on R1’s G0/0 interface can be routed to and forwarded out of R1’s G1/2 interface.
However, with VRF that won’t be possible. G0/0 is in VRF1 and G1/2 is in VRF3, so traffic cannot be forwarded between them.

How does VRF accomplish this? It does this by allowing a router to build separate routing tables. Normally a router has one routing table, but with VRF it has multiple. Interfaces, specifically Layer 3 interfaces, are configured to be in a specific VRF, also known as a VRF Instance. Keep in mind that VRF does not apply to Layer 2 interfaces on a switch. Only router interfaces, SVIs, and routed ports on multilayer switches can be configured in a VRF. It’s a Layer 3 concept.

As I mentioned before, traffic in one VRF cannot be forwarded out of an interface in another VRF. However, as an exception VRF Leaking can be configured to allow traffic to pass between VRFs. That is a more advanced concept though and I won’t cover it in this video.

So, what is the main purpose of VRF? Well VRF is commonly used to facilitate MPLS, multi-protocol label switching. However, that’s actually not the kind of VRF we are talking about here. The kind of VRF we are talking about is VRF-lite, VRF without MPLS. So, keep in mind that when I say ‘VRF’ in this video, I’m really referring to ‘VRF-lite’.

VRF is commonly used by service providers to allow one device to carry traffic from multiple customers. How does it help with that? Well, there are two main points. First, each customer’s traffic is isolated from the others, because each customer connects to their own virtual router within the service provider’s physical router. In the diagram below, let’s say the blue, green, and red devices represent three different customers. All customers connect to the same service provider router, R1, but each connects to a different virtual router, a different VRF instance.

And another major point is that customer IP addresses can overlap without issues. For example, the blue customer uses subnets 192.168.1.0/24 and 192.168.2.0/24. The green customer also uses 192.168.1.0/24 and 2.0/24.
And so does the red customer. Without VRF, this kind of configuration is not possible on a router. But with VRF, it works fine even though the IP addresses all overlap.

Okay, now let’s try configuring VRF to help understand how it works. To demonstrate VRF configuration I’ll use the network below. SPR1 is a service provider router providing WAN services to two customers, Customer 1 and Customer 2. C1R1 and C1R2 belong to Customer 1 and C2R1 and C2R2 belong to Customer 2. Note the subnets being used. Both Customer 1 and Customer 2 use subnet 192.168.1.0/30.

First, let’s see what happens when we try to configure this without using VRF. First I configured SPR1’s G0/0 and G0/1, both connected to Customer 1’s routers. No problems yet. But when I try to configure G0/2, I get an error message, 192.168.1.0 overlaps with G0/0. G0/2 cannot use IP address 192.168.1.1 because it is in the same subnet as G0/0. In this case it’s the exact same IP address, but even if the IP address is different it won’t work. Let me demonstrate that. To prove that point I tried to configure it as 192.168.1.2, but again it didn’t work. Even if the IP address is different, G0/2 cannot be configured in the same subnet as G0/0. So, without the use of VRF, two interfaces on the same router cannot be in the same subnet.

Next let’s use VRF to configure this network properly. First we have to create the VRFs, which can be done in global config mode with the command IP VRF, followed by the VRF name. Here I created two VRFs, one named CUSTOMER1 and the other CUSTOMER2. I then used the command SHOW IP VRF which shows all of the VRFs on the router. As you can see, the CUSTOMER1 and CUSTOMER2 VRFs were created.

The next step is to assign interfaces to each VRF. So, from interface config mode for G0/0 I used the command IP VRF FORWARDING CUSTOMER1. G0/0 is now part of the CUSTOMER1 VRF, however I also got this message. Interface G0/0 IPv4 disabled and addresses removed due to enabling VRF CUSTOMER1.
If an interface has an IP address configured, the IP address will be removed when you assign the interface to a VRF. So, I then re-configured the IP address, 192.168.1.1/30. I then configured G0/1. Again, the IP address I configured before was removed when I assigned it to the VRF, so I had to re-configure it. I then configured the G0/2 interface. Note that this time it worked, I was able to configure G0/2 as 192.168.1.1/30 even though it overlaps with G0/0. That’s because they are in separate VRFs. I then configured G0/3 as well.

I then once again confirmed the VRFs and now you can see the interfaces listed in the output. So, SPR1 is now divided into two separate virtual routers: the CUSTOMER1 VRF, which includes G0/0 and G0/1, and the CUSTOMER2 VRF, which includes G0/2 and G0/3. So, basic configuration of VRF-lite is simple: create VRFs with the IP VRF command, and then assign interfaces to VRFs with the IP VRF FORWARDING command. There is of course a lot more depth to VRFs, but that’s all we’ll look at for now.

I then used SHOW IP ROUTE on SPR1, but I don’t see any routes. Usually you’d expect to see connected and local routes after configuring IP addresses on interfaces, so why is nothing displayed here? SHOW IP ROUTE displays the ‘global routing table’, that’s the normal routing table you’re used to when not using VRFs. In this case, all of SPR1’s interfaces are configured in VRFs, so nothing displays here. By the way, you can have a mix of interfaces using and not using VRFs.

So, I then used the command SHOW IP ROUTE VRF CUSTOMER1, and now we can see some routes, the connected and local routes for G0/0 and G0/1. So, if you want to see a VRF’s routing table you have to add VRF and the VRF’s name to the end of the command. Here I viewed the CUSTOMER2 VRF’s routing table. So, these are separate routing tables from each other and from the global routing table.
By the way, if an interface is not in a VRF its routes will appear in the global routing table, and it will be isolated from the interfaces in VRFs, just like interfaces in different VRFs are isolated from each other.

To test reachability, I tried some pings from SPR1. I first pinged 192.168.1.2, but all the pings failed. Why is that? It’s because, in the global routing table, there are no routes. As I showed in the previous slide, the global routing table is empty. You can specify the VRF when pinging like this, PING VRF, the VRF name, and then the destination. This time the pings worked. Which device was SPR1 pinging in this case? There are two devices with the IP address 192.168.1.2: C1R1 and C2R1, but in this case SPR1 was pinging C1R1 because I specified the CUSTOMER1 VRF. In the CUSTOMER1 VRF again I pinged 192.168.11.2, C1R2, which worked, and then 192.168.12.2, C2R2, which didn’t work. That’s because, in the CUSTOMER1 VRF’s routing table, there is no route to the destination .12.2. This time I pinged 192.168.1.2 and specified the CUSTOMER2 VRF. Who is SPR1 pinging this time? C2R1, connected to G0/2 in the CUSTOMER2 VRF. And I pinged 192.168.12.2, C2R2, which worked this time because I pinged in the proper VRF.

So, to sum it up, hosts in the same VRF can communicate with each other, and hosts in different VRFs can’t. SPR1 was divided into two separate virtual routers.

Here’s what we covered in this video. I introduced VRFs and showed the basics of how they are configured in Cisco IOS. But remember, what we mentioned in this video is more accurately called ‘VRF-lite’, which means we’re not using VRF with MPLS. VRF is used to split a router up into multiple virtual routers, each with their own routing table. Service providers can use VRFs to allow multiple customers to connect to the same infrastructure while still allowing their traffic to be isolated.
Plus, it doesn’t matter if customers use the same IP addresses in their networks, because each VRF is a separate routing table. For the CCNA, it’s enough to just understand the basic purpose of VRF, but if you go further to study at the CCNP level and beyond you’ll definitely have to study VRF in more depth. Okay, let’s go to the quiz, here’s question
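
The behaviour demonstrated on SPR1, as an added example that is not part of the original video: a toy Python model in which each VRF keeps its own table of connected routes, so the overlap check and the route lookup only ever see one table. The `Router` class and its method names are hypothetical, and the G0/1 and G0/3 addresses are assumptions inferred from the peer addresses 192.168.11.2 and 192.168.12.2.

```python
import ipaddress

class Router:
    """Toy model of VRF-lite: connected routes per VRF; key None is the global table."""
    def __init__(self):
        self.tables = {None: {}}   # VRF name -> {interface: IPv4Interface}
        self.vrf_of = {}           # interface -> VRF name (missing = global)

    def ip_vrf(self, name):
        self.tables.setdefault(name, {})

    def ip_vrf_forwarding(self, ifname, vrf):
        # As on IOS, moving an interface into a VRF removes its address.
        self.tables[self.vrf_of.get(ifname)].pop(ifname, None)
        self.vrf_of[ifname] = vrf

    def ip_address(self, ifname, cidr):
        new = ipaddress.ip_interface(cidr)
        table = self.tables[self.vrf_of.get(ifname)]
        for other, cur in table.items():   # overlap is checked only in this table
            if other != ifname and cur.network.overlaps(new.network):
                raise ValueError(f"{new.network} overlaps with {other}")
        table[ifname] = new

    def lookup(self, dst, vrf=None):
        """Egress interface by longest-prefix match in one table, else None."""
        addr = ipaddress.ip_address(dst)
        hits = [(i.network.prefixlen, n)
                for n, i in self.tables[vrf].items() if addr in i.network]
        return max(hits)[1] if hits else None

def build_spr1():
    """Replay the demonstration: one failed attempt without VRFs, then with them."""
    r = Router()
    r.ip_address("G0/0", "192.168.1.1/30")       # no VRFs yet: global table
    try:
        r.ip_address("G0/2", "192.168.1.2/30")   # same subnet, same table
        rejected = False
    except ValueError:
        rejected = True
    r.ip_vrf("CUSTOMER1")
    r.ip_vrf("CUSTOMER2")
    # G0/1 and G0/3 addresses are assumptions inferred from peers .11.2 and .12.2.
    plan = [("G0/0", "CUSTOMER1", "192.168.1.1/30"), ("G0/1", "CUSTOMER1", "192.168.11.1/30"),
            ("G0/2", "CUSTOMER2", "192.168.1.1/30"), ("G0/3", "CUSTOMER2", "192.168.12.1/30")]
    for ifname, vrf, cidr in plan:
        r.ip_vrf_forwarding(ifname, vrf)
        r.ip_address(ifname, cidr)
    return r, rejected
```

`build_spr1()` returns the configured router and whether the pre-VRF overlap was rejected; calling `lookup("192.168.1.2", "CUSTOMER1")` and then the same destination with `"CUSTOMER2"` resolves to different interfaces, which is the isolation the pings showed.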