VRF Configuration Guide
## Introduction

VRF (Virtual Routing Forwarding), also known as a VPN instance, is a logical division of a physical device. Using VRF, we can create multiple virtual devices on a single physical device, each of which behaves like a separate device with its own route table, route process, interfaces, and so on. This technology allows for complete isolation of data or services. In MPLS VPNs, VRF enables operators to provide VPN services to multiple customers on the same PE (provider engine) device: adding customers to different VRFs keeps the route data between these customers completely isolated and free of conflicts even if they use the same IP address space.

## Basic Concepts

A physical machine can maintain multiple VRFs, each of which can be seen as a virtual router that contains the following elements: a separate route table, a collection of interfaces belonging to this VRF, and a set of route rules that belong only to this VRF. Configuring service port VRFs can assign different users to different VRFs, solving the problems of overlapping addresses and local route conflicts.

## VRF Configuration

Table 1 Overview of VRF configuration tasks

| Configuration tasks | | Description |
|---|---|---|
| Service port VRF | Configure VRF for service port | Optional |
| | Bind the interface to VRF | Optional |
| | Configure specified VRF route | Optional |
| | Set MAC of VRF | Optional |

### Configure VRF for Service Port

Naming rules: only upper and lower case letters, numbers, , , , e.g. vrf100

Table 2 Configure VRF of the service port

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Create VRF | `vrf vrf-name` | Note: when deleting a VRF, if there are still interfaces bound to this VRF, this VRF will not be deleted; if this VRF is configured with a VNI, this VRF will not be deleted. |

### Bind the Interface to VRF

Table 3 Bind the interface to VRF

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface interface-type interface-number` | interface-type options: vlan, ethernet, link aggregation, sub interface, loopback, mgmt |
| Bind the VRF to the specified interface | `vrf vrf-name` | |

### Configure Specified VRF Route

Users are isolated between different VRFs. To communicate across VRFs, you need to configure the appropriate VRF routes, specifying the VRF where the route is located and the VRF where the next hop is located.

Table 4 Configure specified VRF route

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Enter VRF configuration view | `vrf vrf-name` | |
| Add a specified VRF route | `ip route A.B.C.D/M A.B.C.D [nexthop-vrf vrfname]` | The part in `[ ]` is optional. `<A.B.C.D/M>` is the destination IP of the route. `<A.B.C.D>` is the IP address of the next hop of the route. Omitting `nexthop-vrf` means that the VRF where the next hop is located is the same as the VRF where the route is located. |

### Set VRF MAC

Table 5 Set VRF MAC

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Enter VRF configuration view | `vrf vrf-name` | |
| Set the MAC of VRF | `mac HH:HH:HH:HH:HH:HH` | |

## Display and Maintenance

### VRF Configuration Display

Table 6 VRF configuration display

| Purpose | Commands | Description |
|---|---|---|
| Show VRF basic information | `show vrf brief` | |
| Show information about VRF and interface | `show vrf interface` | |

## Typical Configuration Example

### Configure Service Port VRF

**Networking requirements**

A large number of hosts in an enterprise's network center are causing IP address conflicts. VM1 and VM2 belong to department 1; VM3 and VM4 belong to department 2. Configure VRF to solve the problem, so that hosts in the same department can access each other and cannot access hosts in other departments, achieving logical division and security isolation.

**Topology**

[Figure: topology]

**Procedure**

```
# Create VRF 100 and VRF 200
sonic# configure terminal
sonic(config)# vrf 100
sonic(config)# vrf 200

# Bind the corresponding ports
sonic# configure terminal
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# vrf 100
sonic(config)# interface ethernet 0/1
sonic(config-if-0/1)# vrf 100
sonic(config)# interface ethernet 0/2
sonic(config-if-0/2)# vrf 200
sonic(config)# interface ethernet 0/3
sonic(config-if-0/3)# vrf 200

# Configure port IP addresses
sonic# configure terminal
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 10.0.0.1/24
sonic(config)# interface ethernet 0/1
sonic(config-if-0/1)# ip address 11.0.0.1/24
sonic(config)# interface ethernet 0/2
sonic(config-if-0/2)# ip address 12.0.0.1/24
sonic(config)# interface ethernet 0/3
sonic(config-if-0/3)# ip address 13.0.0.1/24
```

**Verify configuration**

```
sonic# show vrf interface
```

VM1 can ping VM2; VM1 cannot ping VM4.
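
The isolation this guide relies on holds only while every addressed port is bound to a VRF and no route names a next-hop VRF other than its own. The following audit is an added example, not part of the original guide or the vendor's tooling; it assumes the commands are saved as a listing with view-level commands indented, and the `audit` function and sample listing are hypothetical.

```python
import ipaddress
import re

# Constructed listing (not device output): global-view commands unindented,
# commands typed inside an interface or VRF view indented beneath them.
SAMPLE = """\
interface ethernet 0/0
 vrf 100
 ip address 10.0.0.1/24
interface ethernet 0/2
 vrf 200
 ip address 12.0.0.1/24
interface ethernet 0/3
 ip address 13.0.0.1/24
vrf 100
 ip route 12.0.0.0/24 12.0.0.2 nexthop-vrf 200
 ip route 20.0.0.0/24 10.0.0.254
"""

ROUTE = re.compile(r"ip route (?P<dst>\S+) (?P<nh>\S+)(?: nexthop[- ]vrf (?P<nh_vrf>\S+))?")

def audit(config):
    """Report VRF bindings, addressed interfaces left unbound, and cross-VRF routes."""
    bindings, addrs, routes = {}, {}, []
    view = None  # ("if", name) or ("vrf", name): the view indented lines belong to
    for raw in filter(str.strip, config.splitlines()):
        words = raw.split()
        if not raw[0].isspace():  # a global-view command opens a new view
            view = None
            if words[0] == "interface":
                view = ("if", " ".join(words[1:]))
            elif words[0] == "vrf" and len(words) == 2:
                view = ("vrf", words[1])
        elif view and view[0] == "if" and words[0] == "vrf":
            bindings[view[1]] = words[1]
        elif view and view[0] == "if" and words[:2] == ["ip", "address"]:
            addrs[view[1]] = ipaddress.ip_interface(words[2])
        elif view and view[0] == "vrf":
            m = ROUTE.fullmatch(" ".join(words))
            if m and m["nh_vrf"] and m["nh_vrf"] != view[1]:
                routes.append((view[1], m["nh_vrf"], m["dst"]))
    leaks = []
    for src, dst_vrf, prefix in routes:  # which interfaces does each leak reach?
        net = ipaddress.ip_network(prefix, strict=False)
        reach = sorted(i for i, a in addrs.items()
                       if bindings.get(i) == dst_vrf and a.network.overlaps(net))
        leaks.append((src, dst_vrf, prefix, reach))
    unbound = sorted(i for i in addrs if i not in bindings)
    return {"bindings": bindings, "unbound": unbound, "leaks": leaks}
```

On the constructed listing, `audit(SAMPLE)` flags `ethernet 0/3` as addressed but unbound and reports the VRF 100 route into VRF 200 as reaching `ethernet 0/2`; each such route should map to a documented exception.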
