Abstract
Cisco provides a wide array of connectivity and isolation tools within the data center. This white paper addresses Virtual Routing and Forwarding (VRF), which is a Layer 3 isolation mechanism for routing protocols.
Sample
In the past six years, Cisco has developed a wide array of leading-edge technologies for the data center with a focus on the Nexus switches and UCS servers. Within the Nexus switches, Cisco has created many different technical approaches to achieve the two high-level objectives of connectivity or isolation. Simply put, for users to access email on servers, query a database, or open a web page, they must have connectivity into the data center. However, the obvious benefit of connectivity also creates the same opportunity to spread viruses, Trojans, worms, and denial of service (DoS) attacks, as well as the full array of potential security breaches. Therefore, a secure data center design must also implement isolation for all networking devices, hosts, and virtual machines that don't have a productive need for connectivity amongst each other.
Virtual Routing and Forwarding (VRF)
In a very simple sense, a VRF provides a Layer 3 isolation mechanism within routing protocols or static routes.
In the Cisco Nexus 7000 series of data center switches, the highest level of isolation mechanisms is a Virtual Device Context (VDC). A VDC creates a totally different and fully isolated set of switches within the entire physical switch. This white paper addresses VRFs within a VDC when implemented on the Nexus 7000 series of switches.
A common use of VRFs is to isolate the management network from the production network. If the production network experiences a severe problem, an engineer who needs to fix it remotely would have to reach the devices through the "broken network" itself. Before VRFs, network designers often solved this dilemma by building a separate management network alongside the production network to provide remote connectivity for troubleshooting. VRFs create a cost-effective management network that is fully isolated from the production network while sharing the same hardware and cabling.
Another common use of VRFs is for isolation for multitenant cloud providers. Many public and private cloud providers can create a single common data center infrastructure to provide services to several different customers or tenants. VRFs can be implemented to ensure that the different tenants have a secure isolation from other tenants while benefiting from the cost savings of a common infrastructure.
On any newly installed Nexus switch, there are two VRFs that exist by default, which are named default and management. This first example is on a Nexus 5548 switch named Nexus5k.
Shown next are the same default (original) VRFs within a VDC named N7K-VDC-2 on a Cisco Nexus 7010 switch.
Any other VRFs on a Nexus device need to be manually configured.
Note that even basic connectivity from or through a Nexus device requires an understanding of VRFs. The following two different ping tests to the same destination get different responses based solely on the VRF being referenced, or not referenced.
VRF Configurations
The first configuration step is to create the VRF in the Nexus config mode. In this example, a custom VRF is created with the name OSPFPrivate.
VRFs require Switch Virtual Interfaces (SVIs) for inter-VLAN routing, and SVIs are enabled with the feature interface-vlan command. The example shown here is based on the OSPF routing protocol, which also needs to be enabled as a feature. The VRF is then applied to every applicable Layer 3 interface within the device.
OSPF is also enabled on the SVI of VLAN 10 in this example.
This example also shows enabling OSPF on a loopback interface.
Note the output of the OSPF routing protocol differs entirely based on the VRF. The following output includes the VRF OSPFPrivate. There are no other OSPF routers in this simple example.
The next output does not include the VRF. Note the lack of specific OSPF information within area 0.
The OSPF protocol creates a database of entries in the Layer 3 (router) device. Again, note the content of the database is VRF specific.
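The configuration steps above and the VRF-specific verification commands, collected into one NX-OS example. This is an added example, not a configuration from the white paper; the OSPF process tag 1, the router-id, and all IP addresses are assumed values constructed for illustration, while the VRF name OSPFPrivate, VLAN 10, the loopback interface, and area 0 come from the text.

```nxos
! Added example, not from the white paper. Assumed: OSPF tag 1,
! constructed IP addresses. VRF name, VLAN 10, loopback, area 0 are from the text.
feature interface-vlan
feature ospf

! Step 1: create the VRF, which is a separate routing table named OSPFPrivate
vrf context OSPFPrivate

! Step 2: the OSPF process; per-VRF OSPF settings live under the vrf sub-mode
router ospf 1
  vrf OSPFPrivate
    router-id 10.255.0.1

! Step 3: put the SVI for VLAN 10 in the VRF and enable OSPF on it.
! "vrf member" goes first: NX-OS clears Layer 3 settings already on an
! interface when its VRF membership changes, so set the address afterwards.
vlan 10
interface Vlan10
  no shutdown
  vrf member OSPFPrivate
  ip address 10.10.10.1/24
  ip router ospf 1 area 0.0.0.0

! Step 4: a loopback in the same VRF, also running OSPF
interface loopback0
  vrf member OSPFPrivate
  ip address 10.255.0.1/32
  ip router ospf 1 area 0.0.0.0

! Verification. Routing state is scoped to the VRF, so every show command
! and ping must name it; omit "vrf OSPFPrivate" and the same commands report
! the default VRF, where OSPF has no interfaces and no database entries.
show ip ospf vrf OSPFPrivate
show ip ospf interface brief vrf OSPFPrivate
show ip ospf database vrf OSPFPrivate
show ip route vrf OSPFPrivate
ping 10.10.10.2 vrf OSPFPrivate
```

Because a VRF with no OSPF neighbors shows only its own interfaces and router LSA, comparing the VRF-scoped and default-VRF outputs is a quick check that the isolation boundary is where the design intends it to be.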