

VRF: Virtual Routing and Forwarding

VRF

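VRF (Virtual Routing and Forwarding) splits the Layer 3 routing environment into multiple virtual environments that are completely isolated from one another. It is typically used in MPLS VPN and in VRF deployments to isolate applications.

Also known as a VPN instance, it is a virtualization technology in which each VPN instance has its own interfaces, routing table and routing protocol processes.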

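Use cases

A company has two networks, a management network (GUANLI in the configurations below) and a production network (SHENGCHAN). If the two need to be isolated from each other, the following options are available:

1. Isolation with ACLs:

Drawbacks: tedious to configure and scales poorly.

Cannot solve the problem of overlapping subnets between the two networks.

2. Physical isolation:

Drawback: requires new devices, which adds cost.

3. VRF: deploy virtual instances so that the two networks are completely isolated, with no investment in new devices.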

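How VRF is implemented

VRF is a logical partitioning of a physical device. Each logical unit is called a VPN instance, and instances are completely isolated from one another at the routing layer.

1. Create the instance and bind Layer 3 interfaces to it.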

ip vpn-instance XXXX
ipv4-family

interface GigabitEthernet0/0/x
ip binding vpn-instance XXXX

2. Configure the routes that belong to the instance.

ip route-static vpn-instance GUANLI 2.2.2.2 24 12.1.1.2
ip route-static vpn-instance SHENGCHAN 3.3.3.3 24 13.1.1.3

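3. The device builds a routing and forwarding table from the interfaces and routing protocols bound to the instance, and forwards data according to that table.

When using ping or tracert inside a VRF, remember to add the corresponding VPN instance name; otherwise the lookup defaults to the public routing table.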

ping -vpn-instance GUANLI 12.1.1.2
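
An added example, not part of the original page: a Python audit of a VRP-style configuration that maps each interface to its VPN instance and reports interfaces left in the public table, overlapping subnets inside one instance (across instances they are allowed), and static routes whose next hop is not on a connected subnet of the same instance. The sample configuration is constructed from the R1 examples on this page; `parse`, `audit` and `allowed_public` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample modelled on the R1 configs on this page (not a real device).
SAMPLE = """\
interface GigabitEthernet0/0/0
 ip binding vpn-instance GUANLI
 ip address 12.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip binding vpn-instance SHENGCHAN
 ip address 13.1.1.1 255.255.255.0
#
ip route-static vpn-instance GUANLI 2.2.2.0 255.255.255.0 12.1.1.2
ip route-static vpn-instance SHENGCHAN 3.3.3.0 255.255.255.0 12.1.1.2
"""

def parse(cfg):
    """Return ({instance: [(ifname, network)]}, [(instance, prefix, next_hop)])."""
    connected, statics, ifname, inst = {}, [], None, "public"
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            ifname, inst = m.group(1), "public"  # unbound interfaces stay public
        elif m := re.match(r"ip binding vpn-instance (\S+)", line):
            inst = m.group(1)
        elif ifname and (m := re.match(r"ip address (\S+) (\S+)", line)):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            connected.setdefault(inst, []).append((ifname, net))
        elif m := re.match(r"ip route-static (?:vpn-instance (\S+) )?(\S+) (\S+) (\S+)", line):
            pfx = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            statics.append((m.group(1) or "public", pfx, ipaddress.ip_address(m.group(4))))
    return connected, statics

def audit(cfg, allowed_public=()):
    """List isolation problems: unbound interfaces, same-instance overlaps, bad next hops."""
    connected, statics = parse(cfg)
    findings = [f"unbound: {i} {n}" for i, n in connected.get("public", []) if i not in allowed_public]
    for inst, entries in connected.items():
        for k, (a_if, a) in enumerate(entries):
            findings += [f"overlap: {inst} {a_if}/{b_if}" for b_if, b in entries[k + 1:] if a.overlaps(b)]
    for inst, pfx, nh in statics:
        # Only directly connected next hops are checked; recursive resolution is not modelled.
        if not any(nh in net for _, net in connected.get(inst, [])):
            findings.append(f"unresolved: {inst} {pfx} via {nh}")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Pass the interfaces that are meant to stay in the public table as `allowed_public` so that only unexpected ones are reported.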

Lab - Static routes

#
sysname R1
#
ip vpn-instance GUANLI
ipv4-family
#
ip vpn-instance SHENGCHAN
ipv4-family
#
interface GigabitEthernet0/0/0
ip binding vpn-instance GUANLI
ip address 12.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip binding vpn-instance GUANLI
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip binding vpn-instance SHENGCHAN
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
ip binding vpn-instance SHENGCHAN
ip address 13.1.1.1 255.255.255.0
#
ip route-static vpn-instance GUANLI 2.2.2.0 255.255.255.0 12.1.1.2
ip route-static vpn-instance SHENGCHAN 3.3.3.0 255.255.255.0 13.1.1.3
----------------------------------------
#
sysname R2
#
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ip route-static 10.1.1.0 255.255.255.0 12.1.1.1
------------------------------------------
#
sysname R3
#
interface GigabitEthernet0/0/0
ip address 13.1.1.3 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ip route-static 20.1.1.0 255.255.255.0 13.1.1.1
---------------------------------------------
PC>ping 2.2.2.2

Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=254 time=47 ms
From 2.2.2.2: bytes=32 seq=2 ttl=254 time=47 ms
From 2.2.2.2: bytes=32 seq=3 ttl=254 time=62 ms
From 2.2.2.2: bytes=32 seq=4 ttl=254 time=31 ms
From 2.2.2.2: bytes=32 seq=5 ttl=254 time=62 ms

--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/49/62 ms

PC>
------------------
[R1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 6 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet0/0/1
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
20.1.1.0/24 Direct 0 0 D 20.1.1.1 GigabitEthernet0/0/2
20.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

------------------------
[R1]display ip routing-table vpn-instance SHENGCHAN
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: SHENGCHAN
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface

3.3.3.3/32 Static 60 0 RD 13.1.1.3 GigabitEthernet0/0/3
13.1.1.0/24 Direct 0 0 D 13.1.1.1 GigabitEthernet0/0/3
13.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3

Lab - OSPF

#
sysname R1
#
ip vpn-instance GUANLI
ipv4-family
#
ip vpn-instance SHENGCHAN
ipv4-family
#
interface GigabitEthernet0/0/0
ip binding vpn-instance GUANLI
ip address 12.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
ip binding vpn-instance SHENGCHAN
ip address 13.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1 router-id 1.1.1.1 vpn-instance GUANLI
area 0.0.0.0
network 12.1.1.1 0.0.0.0
network 10.1.1.1 0.0.0.0
#
ospf 2 router-id 1.1.1.1 vpn-instance SHENGCHAN
area 0.0.0.0
network 13.1.1.1 0.0.0.0
network 20.1.1.1 0.0.0.0
----------------------------------------------------
#
sysname R2
#
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 12.1.1.2 0.0.0.0
----------------------------------------------------
#
sysname R3
#
interface GigabitEthernet0/0/0
ip address 13.1.1.3 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 13.1.1.3 0.0.0.0
------------------------------------------
[R1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet0/0/1
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
20.1.1.0/24 Direct 0 0 D 20.1.1.1 GigabitEthernet0/0/2
20.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

[R1]dis ip routing-table vpn-instance GUANLI
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: GUANLI
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface

2.2.2.2/32 OSPF 10 1 D 12.1.1.2 GigabitEthernet0/0/0
12.1.1.0/24 Direct 0 0 D 12.1.1.1 GigabitEthernet0/0/0
12.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0

Lab - Address conflict

[R1-GigabitEthernet0/0/0]ip add 10.1.1.1 24
Mar 11 2024 15:45:28-08:00 R1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 10.1.1.2 24
Error: The specified address conflicts with another address.
----------------------
#
sysname R1
#
ip vpn-instance vpna
ipv4-family
#
ip vpn-instance vpnb
ipv4-family
#
interface GigabitEthernet0/0/0
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip binding vpn-instance vpnb
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip binding vpn-instance vpna
ip address 11.1.1.1 255.255.255.255
#
interface LoopBack2
ip binding vpn-instance vpnb
ip address 11.1.1.2 255.255.255.255
---------------------------------------
PC>ping 11.1.1.1

Ping 11.1.1.1: 32 data bytes, Press Ctrl_C to break
From 11.1.1.1: bytes=32 seq=1 ttl=255 time=31 ms
From 11.1.1.1: bytes=32 seq=2 ttl=255 time=15 ms
From 11.1.1.1: bytes=32 seq=3 ttl=255 time=16 ms
From 11.1.1.1: bytes=32 seq=4 ttl=255 time=16 ms
From 11.1.1.1: bytes=32 seq=5 ttl=255 time=31 ms

--- 11.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/21/31 ms

Lab - Side-attached firewall

#
sysname R1
#
ip vpn-instance vpna
ipv4-family
#
interface GigabitEthernet0/0/0
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 12.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
ip binding vpn-instance vpna
ip address 21.1.1.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 12.1.1.2
ip route-static vpn-instance vpna 100.1.1.0 255.255.255.0 21.1.1.2
-----------------------------------
#
sysname R2
#
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 21.1.1.2 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 21.1.1.1
ip route-static 100.1.1.0 255.255.255.0 12.1.1.1
#
--------------------------------------
PC>ping 100.1.1.2

Ping 100.1.1.2: 32 data bytes, Press Ctrl_C to break
From 100.1.1.2: bytes=32 seq=1 ttl=125 time=125 ms
From 100.1.1.2: bytes=32 seq=2 ttl=125 time=125 ms
From 100.1.1.2: bytes=32 seq=3 ttl=125 time=125 ms
From 100.1.1.2: bytes=32 seq=4 ttl=125 time=141 ms
From 100.1.1.2: bytes=32 seq=5 ttl=125 time=141 ms

--- 100.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 125/131/141 ms

PC>tracert 100.1.1.2

traceroute to 100.1.1.2, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.1.1.1 31 ms 47 ms 47 ms
2 21.1.1.2 62 ms 63 ms 62 ms
3 12.1.1.1 109 ms 110 ms 94 ms
4 100.1.1.2 93 ms 110 ms 109 ms