What is VRF lite and How to Configure it?

VRF Lite is a networking feature that enables multiple virtual routing tables on a single router, allowing for overlapping IP addresses across different VPNs. This VRF Lite configuration is particularly useful for service providers to manage customer traffic securely and efficiently.

In this Cisco enterprise training article article, we will understand what is VRF  lite and how to configure VRF lite in a Cisco Router. The VRF configuration is not only limited to Cisco applications but we have used Cisco router in the configuration example.

What is VRF Lite?

VRF Lite is a simplified version of Virtual Routing and Forwarding (VRF) that allows multiple virtual routing tables on a single router without requiring MPLS or MP-BGP.

It enables overlapping IP addresses across different VPNs, facilitating secure traffic segregation within enterprise networks or data centers, making it ideal for environments where multiple customers share the same infrastructure.

VRF vs VRF Lite

VRF (Virtual Routing and Forwarding) and VRF Lite are both technologies that allow for multiple routing instances within a single device, but they differ significantly in their implementation and use cases. The table below shows the difference between VRF and VRF Lite.

CCNP Training CourseLearn more such networking concepts.Explore course

How to Configure VRF Lite?

You can assign any interface of a router to a VRF using the command "ip vrf forwarding ". Please note that this command will erase all existing IP addresses already configured on the interface to avoid potential address duplication in the new routing table.

Once configuration is done and assigned that particular interface in a VRF then all packets received on this interface are routed and forwarded using the associated VRF table. You can compare this concept to the way VLAN trunking works at Layer 2.

VRF Lite Configuration on Cisco Routers

To understand the VRF Lite step-by-step configuration on Cisco routers, let's consider a scenario where two routers are connected via two physical links (these links can be sub-interfaces as well) but for simplicity

I have taken two physical links as shown in the below diagram. Based on the scenario some tasks are designed to configure respective VRFs and achieve a result. 

Cisco VRF Lite Configuration Example

● Configure the IP addresses on the two interfaces of R01 and R02 connected per the topology.

● Configure interface GigabitEthernet0/0 on both R01 and R02 so that it belongs to vrf VPN_A.

● Configure interface GigabitEthernet0/1 on both R01 and R02 so that it belongs to vrf VPN_B.

● Configure the following interfaces on R02: 

 ✓ Loopback101 with IP address of 172.16.2.2/24, assigned to vrf VPN_A.

 ✓ Loopback102 with IP address of 192.168.2.2/24, assigned to vrf VPN_B (As a part of VRF lite configuration)

● Configure default routes on R02 for both VRFs toward R01.

● Configure R01 so that from R02, you have IP connectivity between Loopback101 and Loopback102.

VRF Lite on Cisco Routers - Topology Diagram

Before moving to the Cisco VRF lite, ensure you have the IP addressing configured as per the diagram above. Here is the initial configuration for the same.

R01:

R02:

Now as per tasks, here are the steps of Cisco VRF lite configuration for both the routers.

R01:

R02:

Verify VRF Lite Configuration

Start by checking the VRF interfaces and basic IPv4 connectivity. Notice that the verification commands now use the vrf argument to select the specific routing table.

Let’s look at inter-VRF connectivity in detail. First, check the CEF table for VRF VPN_A in R01

It appears accurate and complete. Now ping 172.16.2.2 from within VRF VPN_B in R02 and vice-versa.

VRF Lite Working

VRF Lite operates by allowing packets entering a specific VRF to follow only the routes in that VRF's routing table. Similar to how a Layer 2 trunk spans multiple switches, VRF can extend across multiple devices.

By properly mapping VRFs to links between routers, it enables parallel VPNs across devices, making it the simplest method for creating non-overlapping VPNs in a network.

This configuration supports multiple customers on shared infrastructure while maintaining isolated routing tables for each VPN, enhancing security and efficiency.

VRF Lite Scalability

Cisco VRF Lite has a limited scope of scalability due to its requirement for a dedicated inter-router link for each VPN. For instance, if you have two routers and need to support 100 VPNs, you must provision 100 connections between the routers—one for each VPN.

These connections can be established using separate interfaces or Layer 2 virtualization techniques, such as Frame-Relay PVC or Ethernet VLANs.

This design can lead to significant management overhead and complexity as the number of VPNs increases, making VRF Lite less suitable for larger-scale deployments compared to full VRF implementations that leverage MPLS.

Cisco VRF Lite Capable Routers

In a router, all interfaces (physical or sub-interfaces) are in a global VRF by default which is the regular routing table used in non-VRF capable routers.

In a VRF (lite) capable router, you can create a new VRF by issuing the command "ip vrf ", which opens the VRF lite configuration context mode on Cisco routers. After this initial step, you must define a route distinguisher (RD) for this particular VRF using the command rd X:Y , where X and Y are 32-bit numbers.

A Route Distinguisher is a special 64-bit prefix prepended to every route in the respective VRF routing table.

VRF Lite - Purpose of Route Distinguisher (RD) 

The primary purpose of a Route Distinguisher (RD) in VRF Lite is to distinguish prefixes within a router and avoid collisions if two VRFs contain the same prefixes. This is achieved by prepending an 8-byte RD to the 4-byte IPv4 prefix, creating a unique 12-byte VPNv4 address.

There are two common formats for configuring an RD:

1. ASN:NN format: Combines the Autonomous System Number (ASN) and a unique number (NN) representing the VRF within the router or the VPN within the ASN. This format is more popular and commonly used.

2. IP-Address:NN format: Uses the router's IP address and a unique number (NN) representing the VRF name. This format reflects the local significance of the RD, but the ASN:NN format is more widely adopted.

By assigning unique RDs to each VRF, VRF Lite ensures that even if two customers are using the same IPv4 address space, their prefixes are distinguished within the MPLS network, allowing for proper routing and forwarding of traffic

VRF Lite - Static and Dynamic Routing

It is possible to associate static routes or dynamic routing protocol processes with the VRFs. In this lab, we work with static routing only. The syntax for a VRF-bound static route is ip route vrf PREFIX MASK [interface] [next-hop] , where [nexthop] is an IP address resolvable through the VRF.

It is also possible to use static routes for inter-VRF communications. If you are using a static route with the [interface] specification, the interface could belong to any VRF.

Note that with multi-access interfaces, you must also specify the next-hop associated with the interface subnet because Cisco IOS will install a CEF entry in the source VRF using the information provided and will not attempt to resolve the next-hop recursively.

Remember that this trick only works with the non-recursive static routes that use directly connected interfaces. 

VRF Lite and Configuration - Summing Up

VRF Lite enables the creation of multiple virtual routing tables on a single router, allowing for isolated networks with separate interfaces. Each VRF has its Routing Information Base (RIB) and Forwarding Information Base (FIB).

VRF Lite configuration involves assigning interfaces to VRFs using commands like "ip vrf forwarding." However, scalability is limited, as a dedicated inter-router link is required for each VPN. This can lead to significant management overhead when supporting numerous VPNs across multiple routers.

To learn more about such technologies, check out our IT infrastructure courses.