What are VRFs and why to use them?

Virtual Routing and Forwarding (VRF) is an IP technology that allows multiple instances of a routing table to coexist on the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflict. "VRF" is also used to refer to a routing table instance that can exist in one or multiple instances per each VPN on a Provider Edge (PE) router. Scaling limitations of VRFs can be resolved with the implementation of IP VPNs. IP VPNs are most commonly deployed across an MPLS backbone as the inherent labeling of packets in MPLS lends itself to the identification of the customer VRF.

In the network below there is simply one router and four end-user computers. In real world deployments a network could have dozens or hundreds of routers and devices depending on the scale of the network. Regardless of the network complexity VRF provides the same fundamental separation of routing instances. A typical example would be an ISP using same router to route traffic for various customer traffic while using VRFs to separate each customer's traffic from each other. In the below example e will configure VRFs to separate routing instances as needed so that only hosts within each VRF can communicate with each other.

Steps to configure VRFs

Step 1: Create two VRFs, one named VRF-1 and a second named VRF-2.

R1(config)#ip vrf vrf-1
!
R1(config)#ip vrf vrf-2

Step 2: Assign the VRF-1 to FastEthernet0/0 and FastEthernet1/0.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip vrf forwarding vrf-1
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip vrf forwarding vrf-1

Step 3: Assign the VRF-2 to FastEthernet0/1 and FastEthernet1/1.

R1(config)#interface FastEthernet0/1
R1(config-if)#ip vrf forwarding vrf-2
!
R1(config)#interface FastEthernet1/1
R1(config-if)#ip vrf forwarding vrf-2

Step 4: Configure a IP address all applicable router interfaces.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 192.168.2.1 255.255.255.0
!
R1(config)#interface FastEthernet1/1
R1(config-if)#ip address 172.16.2.1 255.255.255.0

NOTE: You must configure IP addressing on an interface after a VRF is assigned to the interface. Adding or removing a VRF from an interface will remove all IP addressing from the interface to which the VRF was added or removed.

Verify the configuration

Now that the configuration is finished lets verify our VRF deployment. Using the show ip route, show ip route vrf WORDshow ip vrf WORD commands on R1 you can verify the global and separate vrf routing tables as well as VPN routing/forwarding instance information. Use the ping command to verify connectivity.


As designed the VRFs are separating traffic between vrf-1 and vrf-2. Using ping we can verify only hosts within each VRF are able to communicate with one another. All other traffic external to the VRF is isolated.



Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Cisco Networking

BGP Load Sharing

What is load sharing and why to use it?Load balancing with BGP is not possible in a multihomed environment with two ISPs. BGP selects only the single best path to a destination among the BGP Read more…

Cisco Firewall

Configuring Dynamic Multipoint VPN and Zone Based Firewall

What is a Dynamic Multipoint VPN and why to use it?DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) Read more…

Cisco Networking

Configuring Layer 2 MPLS VPN

What is a Layer 2 MPLS VPN and why to use it?Layer 2 VPNs are a type of Virtual Private Network (VPN) that uses MPLS labels to transport data. The communication occurs between routers that Read more…