Network Virtualization – Path Isolation
Network virtualization is what makes most modern path isolation techniques possible: one physical network carries several logical networks whose addressing, routing and traffic stay separate. Network virtualization and path isolation are crucial in modern network design and implementation.
Tip: virtualization is the VRF in the router, the VLAN in the switch, the trunk (dot1q tagging) on the Ethernet link, the context or VDOM on the firewall and the VM on the server.
That is reason enough for a blog post series giving an organized overview of the different approaches to implementing separated logical network partitions on top of the enterprise physical network.
EVER NEEDED ONE EXTRA ROUTER? IT’S POSSIBLE TO SPLIT THE ROUTER INTO MORE LOGICAL ROUTERS BY USING VRF. HOW? HERE’S HOW!
Virtual Routing and Forwarding (VRF) lets a router run more than one routing table at the same time, and those tables are completely independent of each other. For example, you can use overlapping IP addresses in different VRFs on the same router and they will work without conflict (the example below does exactly that: the same 10.10.10.0/30 subnet in the global table and in a VRF). The same VRF can also exist on several routers, with each instance connected over a router port dedicated to that VRF or just over a sub-interface.
VRFs are common on the ISP side. Provider Edge (PE) routers usually run one VRF per customer VPN, so one router can act as PE for multiple Customer Edge (CE) routers even when several customers use the same subnets across their VPNs. Because each customer has its own VRF, those subnets never mix.
VRFs are used to create multiple virtual routers from one physical router.
Every VRF gets its own routing table and CEF table, that is, a separate RIB (Routing Information Base) and FIB (Forwarding Information Base).
On a Cisco router that supports VRFs, a VRF is created with a single command (this is the classic IPv4-only ip vrf syntax; newer IOS and IOS-XE releases also offer the address-family-aware vrf definition form, with vrf forwarding instead of ip vrf forwarding on the interface):
ip vrf MYTESTVRF
Once created, the VRF needs a route distinguisher (RD) to become functional; route distinguishers are described later in this post. (With the newer vrf definition syntax the RD is optional for VRF Lite and only matters once the VRF's routes are carried in MP-BGP.) The RD for VRF MYTESTVRF is configured under the VRF with:
rd 111:1
Once the VRF exists and has an RD, it needs interfaces. An interface assigned to the VRF belongs to it exclusively and is what brings traffic into that VRF. A router interface (or, more likely, a sub-interface) is assigned to a VRF like this:
int gi1/0/1
ip vrf forwarding MYTESTVRF
On an L3 switch, which is really a router with many ports, a VLAN becomes part of a VRF by assigning its VLAN (SVI) interface to the VRF; every member of that VLAN is then routed inside that VRF:
int VLAN 20
ip vrf forwarding MYTESTVRF
Keep in mind that assigning an interface to a VRF removes every IP address already configured on that interface (IOS prints a message saying so), so enter ip vrf forwarding first and the ip address afterwards. It works this way to avoid address duplication in the new routing table when an incautious engineer moves an interface that already carries an address into a VRF that already has an interface with the same address.
Once configured, traffic received on an interface that is a member of a VRF is routed and forwarded using that VRF's table only.
The closest analogy is VLAN trunking between two switches: a frame that enters the trunk with a given VLAN tag can only land in the same VLAN on the other switch. VRFs do the same at L3 instead of L2: there are no trunk ports but L3 sub-interfaces (or physical interfaces), and packets that enter a specific VRF are forwarded using the routes in that VRF's routing table only.
The analogy goes further. Just as VLANs span multiple switches over trunk ports, VRFs can be extended across multiple devices, either over sub-interfaces of one router interconnection or over separate interconnections.
The connections are L3 sub-interfaces, usually Ethernet sub-interfaces with dot1q encapsulation, the most common Layer 2 virtualization technique in use today.
CONFIGURATION FOR BOTH EXAMPLES
FIRST EXAMPLE (TWO INTERCONNECTIONS)
R1:
ip vrf MYTESTVRF
rd 111:1
interface Gi 1/0/1
description Global Routing Table Interconnect
ip address 10.10.10.1 255.255.255.252
interface Gi 1/0/2
description VRF MYTESTVRF Interconnect
ip vrf forwarding MYTESTVRF
ip address 10.10.10.1 255.255.255.252
R2:
ip vrf MYTESTVRF
rd 111:1
interface Gi 1/0/1
description Global Routing Table Interconnect
ip address 10.10.10.2 255.255.255.252
interface Gi 1/0/2
description VRF MYTESTVRF Interconnect
ip vrf forwarding MYTESTVRF
ip address 10.10.10.2 255.255.255.252
SECOND EXAMPLE (DOT1Q TAGGED SUBINTERFACES)
R1:
ip vrf MYTESTVRF
rd 111:1
interface Gi 1/0/1.10
description Global Routing Table Interconnect
encapsulation dot1q 10
ip address 10.10.10.1 255.255.255.252
interface Gi 1/0/1.20
description VRF MYTESTVRF Interconnect
encapsulation dot1q 20
ip vrf forwarding MYTESTVRF
ip address 10.10.10.1 255.255.255.252
R2:
ip vrf MYTESTVRF
rd 111:1
interface Gi 1/0/1.10
description Global Routing Table Interconnect
encapsulation dot1q 10
ip address 10.10.10.2 255.255.255.252
interface Gi 1/0/1.20
description VRF MYTESTVRF Interconnect
encapsulation dot1q 20
ip vrf forwarding MYTESTVRF
ip address 10.10.10.2 255.255.255.252
ICMP TEST EXAMPLE
Pinging from Gi 1/0/1 to Gi 1/0/1 on the other side within the Global Routing Table is a plain ping:
R1:
ping 10.10.10.2
To ping the same IP address on the other interface, the one inside VRF MYTESTVRF, you need to initiate the ping from within that VRF on R1:
ping vrf MYTESTVRF 10.10.10.2
The examples above show both solutions, although the sub-interface variant is the one used in the real world most of the time. We extend VRF MYTESTVRF to the other router (R2) by mapping the interconnection interfaces to the VRF (ip vrf forwarding in interface configuration); each interconnection then forwards traffic for its mapped VRF only.
The Global Routing Table can be thought of as VRF 0: the first RIB and FIB, present by default with no mapping needed, and every L3 interface on the router belongs to it until it is assigned elsewhere. When extending VRF MYTESTVRF we use one interconnection for it and need another interconnection for the global routing table.
Put differently, the global routing table is the first (native) VRF on a router that has more VRFs configured. It is also known as the Global VRF; it exists on all routers and owns all interfaces by default.
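The behaviour described in this section (one RIB per VRF, the same 10.10.10.0/30 living in the global table and in MYTESTVRF without conflict, a packet being looked up only in the VRF of the interface it arrived on, and the address being wiped when an interface is moved into a VRF) can be modelled in a few lines. The following is an added example written for this page, not code from the original post and not Cisco's implementation; the Router and Interface classes, the interface names, and the static routes to 192.0.2.0/24 and 198.51.100.0/24 are assumptions chosen to mirror the dot1q configuration above.

```python
"""Toy model of per-VRF RIBs on one router (added example; not the post's own
code, not Cisco's implementation). The static routes to 192.0.2.0/24 and
198.51.100.0/24 are assumed, added only to show that each table answers for
its own destinations."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

GLOBAL = "global"       # the global routing table, treated as the default VRF
CONNECTED = "connected"


@dataclass
class Interface:
    name: str
    vrf: str = GLOBAL
    address: Optional[ipaddress.IPv4Interface] = None


@dataclass
class Router:
    name: str
    # vrf name -> list of (network, next_hop); each list is a separate RIB
    vrfs: dict = field(default_factory=lambda: {GLOBAL: []})
    interfaces: dict = field(default_factory=dict)

    def create_vrf(self, vrf: str) -> None:             # 'ip vrf NAME'
        self.vrfs.setdefault(vrf, [])

    def _iface(self, name: str) -> Interface:
        return self.interfaces.setdefault(name, Interface(name))

    def set_vrf(self, ifname: str, vrf: str) -> None:    # 'ip vrf forwarding NAME'
        """Moving an interface into a VRF drops its address and its connected
        route, the IOS behaviour the post warns about."""
        if vrf not in self.vrfs:
            raise ValueError(f"VRF {vrf} does not exist on {self.name}")
        iface = self._iface(ifname)
        if iface.address is not None:
            self.vrfs[iface.vrf].remove((iface.address.network, CONNECTED))
            iface.address = None
        iface.vrf = vrf

    def set_address(self, ifname: str, cidr: str) -> None:  # 'ip address A M'
        """The connected route lands only in the interface's own VRF. The same
        subnet is rejected twice inside one VRF but allowed across VRFs."""
        iface = self._iface(ifname)
        addr = ipaddress.IPv4Interface(cidr)
        if (addr.network, CONNECTED) in self.vrfs[iface.vrf]:
            raise ValueError(f"{addr.network} already connected in VRF {iface.vrf}")
        iface.address = addr
        self.vrfs[iface.vrf].append((addr.network, CONNECTED))

    def add_route(self, vrf: str, cidr: str, next_hop: str) -> None:
        self.vrfs[vrf].append((ipaddress.IPv4Network(cidr), next_hop))

    def lookup(self, vrf: str, dst: str):
        """Longest-prefix match in one VRF only; None means no route (drop).
        'ping vrf NAME dst' is this lookup in NAME; plain 'ping' is it in global."""
        ip = ipaddress.IPv4Address(dst)
        best = None
        for net, nh in self.vrfs[vrf]:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def forward(self, ingress: str, dst: str):
        """A packet received on an interface is looked up in that interface's VRF."""
        return self.lookup(self.interfaces[ingress].vrf, dst)


def build_r1() -> Router:
    """R1 from the dot1q example, plus one assumed static route per table."""
    r1 = Router("R1")
    r1.create_vrf("MYTESTVRF")
    r1.set_address("Gi1/0/1.10", "10.10.10.1/30")       # global interconnect
    r1.set_vrf("Gi1/0/1.20", "MYTESTVRF")                # VRF first, then address
    r1.set_address("Gi1/0/1.20", "10.10.10.1/30")       # same subnet, no conflict
    r1.add_route(GLOBAL, "192.0.2.0/24", "10.10.10.2")          # assumed, global only
    r1.add_route("MYTESTVRF", "198.51.100.0/24", "10.10.10.2")  # assumed, VRF only
    return r1


def address_survives_vrf_move() -> bool:
    """Wrong order: address first, then 'ip vrf forwarding'. Returns False
    because the address is wiped, exactly the pitfall the post describes."""
    r = Router("R3")
    r.create_vrf("MYTESTVRF")
    r.set_address("Gi1/0/2", "10.10.10.1/30")
    r.set_vrf("Gi1/0/2", "MYTESTVRF")
    return r.interfaces["Gi1/0/2"].address is not None


if __name__ == "__main__":
    r1 = build_r1()
    print("ping 10.10.10.2               ->", r1.lookup(GLOBAL, "10.10.10.2"))
    print("ping vrf MYTESTVRF 10.10.10.2 ->", r1.lookup("MYTESTVRF", "10.10.10.2"))
    print("VRF interface to 192.0.2.5    ->", r1.forward("Gi1/0/1.20", "192.0.2.5"))
    print("address kept after VRF move?  ->", address_survives_vrf_move())
```

The two lookups for 10.10.10.2 both succeed, each against its own connected route, while a packet entering on the VRF sub-interface has no path to the global-only 192.0.2.0/24 and is dropped: that is the path isolation the post is about, and it holds only as long as nothing leaks routes between the tables.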
VRF LITE
Extending several VRFs across multiple devices over separate sub-interfaces or separate interconnection links is known as VRF Lite. It is the most lightweight way of running VPNs.
Being the simplest way of building non-overlapping VPNs in a network also has downsides: this way of extending VRFs scales poorly. You need a dedicated link between two routers for every VPN (or a dedicated sub-interface of one link), and each VRF also needs its own routing across that link (static routes or a per-VRF routing protocol instance). If you need many VRFs, you will need many provisioned connections between routers.
ROUTE DISTINGUISHERS
Remember from above, this is the basic VRF config:
ip vrf MYTESTVRF
rd 111:1
A route distinguisher is a 64-bit value: a 2-byte type field followed by 6 bytes whose split depends on the type. In the ASN:NN form used above (type 0), 111 is a 16-bit autonomous system number and 1 is a 32-bit number, normally a VRF number chosen by the administrator. The other forms are IP-Address:NN (type 1, the router's 32-bit IPv4 address plus a 16-bit number) and 4-byte-ASN:NN (type 2, a 32-bit ASN plus a 16-bit number).
The RD is prepended to every IPv4 prefix taken from a VRF routing table, producing a 96-bit VPN-IPv4 prefix, so that identical prefixes from different VRFs stay distinct when they are carried together, which is what happens when they are advertised in MP-BGP between PE routers. On a single router the VRF tables are separate by construction, so the RD only has to be unique per VRF; it does not by itself decide which VRF a received route is imported into (that is the job of route targets, not covered here).
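The three RD formats and the VPN-IPv4 prefix they produce can be checked by encoding them. The following is an added example written for this page, not code from the original post or from any BGP implementation; the layout follows RFC 4364 section 4.2, and the sample RDs other than 111:1 (10.10.10.1:1 and the 4-byte-ASN form 65536:1) are assumptions.

```python
"""Route distinguisher encoding (RFC 4364 section 4.2) and the VPN-IPv4 key
it produces. Added example, not the post's own code; helper names and the
sample RDs other than 111:1 are assumptions."""
import ipaddress
import struct


def _check(value: int, maximum: int) -> None:
    if not 0 <= value <= maximum:
        raise ValueError(f"{value} does not fit the RD field (max {maximum})")


def encode_rd(text: str) -> bytes:
    """'ADMIN:NN' -> 8-byte RD: 2-byte type + 6-byte value.
    type 0: 2-byte ASN  + 4-byte number   (111:1)
    type 1: 4-byte IPv4 + 2-byte number   (10.10.10.1:1)
    type 2: 4-byte ASN  + 2-byte number   (65536:1)"""
    admin, number = text.rsplit(":", 1)
    nn = int(number)
    if "." in admin:
        _check(nn, 0xFFFF)
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), nn)
    asn = int(admin)
    if asn <= 0xFFFF:
        _check(nn, 0xFFFFFFFF)
        return struct.pack("!HHI", 0, asn, nn)
    _check(asn, 0xFFFFFFFF)
    _check(nn, 0xFFFF)
    return struct.pack("!HIH", 2, asn, nn)


def decode_rd(raw: bytes) -> str:
    """Inverse of encode_rd; rejects wrong lengths and unknown types."""
    if len(raw) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    (rd_type,) = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        asn, nn = struct.unpack("!HI", raw[2:])
        return f"{asn}:{nn}"
    if rd_type == 1:
        ip, nn = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{nn}"
    if rd_type == 2:
        asn, nn = struct.unpack("!IH", raw[2:])
        return f"{asn}:{nn}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_key(rd: str, prefix: str) -> bytes:
    """RD + IPv4 network address = the 12-byte VPN-IPv4 address MP-BGP carries.
    The prefix length travels separately, so only the address bytes go here."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed


def distinct_vpnv4(routes) -> int:
    """How many distinct VPN-IPv4 routes a list of (rd, prefix) pairs yields."""
    return len({vpnv4_key(rd, prefix) for rd, prefix in routes})


if __name__ == "__main__":
    for rd in ("111:1", "10.10.10.1:1", "65536:1"):
        raw = encode_rd(rd)
        print(f"{rd:>14} -> {raw.hex()} -> {decode_rd(raw)}")
    same_prefix = "10.10.10.0/30"
    print("two VRFs, two RDs :", distinct_vpnv4([("111:1", same_prefix), ("111:2", same_prefix)]))
    print("two VRFs, same RD :", distinct_vpnv4([("111:1", same_prefix), ("111:1", same_prefix)]))
```

The last two lines make the point of the RD concrete: 10.10.10.0/30 under RD 111:1 and under RD 111:2 are two different VPN-IPv4 routes, while the same prefix under the same RD collapses to one, which is why a per-VRF RD is what keeps overlapping customer prefixes apart once they leave the router.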