While searching for a solution to a problem I was facing a week ago, I stumbled upon the feature "Multi-VRF selection"; the name alone was enough to make me curious to go through it.
My problem was to route traffic coming from the global routing table into different VRFs based on the destination prefixes. One solution to this problem is Multi-VRF selection using policy-based routing (PBR).
Simply put, Multi-VRF selection enables an interface to route packets into different VRFs based on matching criteria. The criteria are defined in a route map that matches an IP access list or a packet length.
The interface where you apply Multi-VRF selection can either be assigned to a VRF or not; it works in both cases.
Let's assume the scenario below:
Three customers need to reach the IP address (22.214.171.124) located behind R5. Each customer belongs to a VRF, and the IP address is in the global routing table.
On the PE, we can configure a static route for each VRF with the "global" keyword as follows:
ip route vrf cust_a 126.96.36.199 255.255.255.255 FastEthernet1/1 10.10.50.2 global
ip route vrf cust_b 188.8.131.52 255.255.255.255 FastEthernet1/1 10.10.50.2 global
ip route vrf cust_c 184.108.40.206 255.255.255.255 FastEthernet1/1 10.10.50.2 global
The "global" keyword instructs the router to look up the next-hop address in the global routing table instead of in the VRF routing table. This passes the traffic out of the VRF, so it reaches the server.
Now, when R5 tries to reach the customers it will fail: the global routing table of the PE doesn't have any routes for the customers, and the traffic from R5 has to enter a VRF in order to reach them. But which VRF?
Here is a look at the PE routing table:
PE1#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.50.0/30 is directly connected, FastEthernet1/1
L        10.10.50.1/32 is directly connected, FastEthernet1/1
      220.127.116.11/32 is subnetted, 1 subnets
C        18.104.22.168 is directly connected, Loopback0
The PE only knows its Loopback and the FastEthernet connected to R5.
For the traffic sourced from R5 towards the customers, we will use the destination IP addresses to identify which VRF the traffic should enter.
First, we need to create an extended ACL to classify the traffic destined for each customer:
ip access-list extended cust_a_prefix
 permit ip any host 22.214.171.124
ip access-list extended cust_b_prefix
 permit ip any host 126.96.36.199
ip access-list extended cust_c_prefix
 permit ip any host 188.8.131.52
The second step is to create a route-map that matches the ACLs and sets the appropriate VRF:
route-map cust_vrf permit 10
 match ip address cust_a_prefix
 set vrf cust_a
route-map cust_vrf permit 20
 match ip address cust_b_prefix
 set vrf cust_b
route-map cust_vrf permit 30
 match ip address cust_c_prefix
 set vrf cust_c
The third step is to apply the route-map under the interface connected to R5 (FastEthernet1/1, per the routing table above):
interface FastEthernet1/1
 ip vrf forwarding cust_a
 ip address 10.10.50.1 255.255.255.252
 ip policy route-map cust_vrf
The fourth step is to test reachability. Cust_B sources the ping from its Loopback1:
interface Loopback1
 ip address 184.108.40.206 255.255.255.255

Cust_B#ping 220.127.116.11 sou lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds:
Packet sent with a source address of 22.214.171.124
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/30/56 ms

And R5 sources the return test from its Loopback1:
interface Loopback1
 ip address 126.96.36.199 255.255.255.255

R5#ping 188.8.131.52 sou lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 184.108.40.206, timeout is 2 seconds:
Packet sent with a source address of 220.127.116.11
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/64 ms
You can modify the ACL to change the matching criteria according to your needs. As mentioned earlier, this works even if you apply the PBR to an interface that belongs to a VRF: the PBR is evaluated before normal destination-based routing, and traffic that does not match the route-map is forwarded by normal destination-based routing in the interface's own table.
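To sanity-check a route-map before pushing it to a PE, the following added example (my own code, not from the post or from Cisco) parses an ACL + route-map snippet in the shape used above and emulates the selection: lowest matching sequence wins, and an unmatched destination falls back to the interface's own table. The addresses and ACL names in the snippet are constructed placeholders; only the "permit ip any host" form from the post is parsed.

```python
import ipaddress
import re

# Constructed config mirroring the post's ACL + route-map structure.
# Addresses are documentation-range placeholders, not the post's values.
CONFIG = """
ip access-list extended cust_a_prefix
 permit ip any host 192.0.2.10
ip access-list extended cust_b_prefix
 permit ip any host 192.0.2.20
route-map cust_vrf permit 10
 match ip address cust_a_prefix
 set vrf cust_a
route-map cust_vrf permit 20
 match ip address cust_b_prefix
 set vrf cust_b
"""

def parse_config(text):
    """Return ({acl_name: [permitted hosts]}, [route-map entries sorted by seq])."""
    acls, entries = {}, []
    cur_acl = cur_entry = None
    for line in text.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            cur_acl = acls.setdefault(m.group(1), [])
        elif m := re.match(r"\s+permit ip any host (\S+)", line):
            cur_acl.append(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"route-map \S+ permit (\d+)", line):
            cur_entry = {"seq": int(m.group(1)), "acl": None, "vrf": None}
            entries.append(cur_entry)
        elif m := re.match(r"\s+match ip address (\S+)", line):
            cur_entry["acl"] = m.group(1)
        elif m := re.match(r"\s+set vrf (\S+)", line):
            cur_entry["vrf"] = m.group(1)
    entries.sort(key=lambda e: e["seq"])
    return acls, entries

def select_vrf(dst, acls, entries, interface_vrf=None):
    """Emulate PBR with 'set vrf': the lowest-sequence entry whose ACL permits
    the destination wins. Unmatched traffic falls back to normal destination-based
    routing in the interface's own table (None means the global table)."""
    dst = ipaddress.ip_address(dst)
    for entry in entries:
        if dst in acls.get(entry["acl"], []):
            return entry["vrf"]
    return interface_vrf

if __name__ == "__main__":
    acls, entries = parse_config(CONFIG)
    for host in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(host, "->", select_vrf(host, acls, entries) or "global table")
```

Passing `interface_vrf="cust_a"` shows what happens when the policy sits on a VRF-assigned interface: unmatched destinations stay in that VRF instead of the global table.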
Enjoy trying this feature yourself 🙂
Abdullah Medhat Salah