What is VRF and why should you care?


VRF: An overview

So, what exactly is VRF and how does it pertain to your network? VRF stands for Virtual Routing and Forwarding. It is a technology in IP networks that allows multiple independent routing tables to operate simultaneously on the same router or switch, which permits multiple network paths without the need for multiple switches. By allowing multiple instances of a routing table, flexibility and functionality are greatly improved. Think of this feature as VLAN for layer 3, but unlike VLANs, there is no field in the IP header carrying it. Some implementations call this feature VRF-Lite, a simpler form of VRF.

VRF allows a single router to run and isolate multiple networks even if they have overlapping or conflicting IP addresses. The primary use cases for VRF in a data center are similar to those of VLANs at layer 2: using common physical infrastructure to carry multiple isolated traffic streams for multi-tenant environments, where these streams are allowed to cross over only at configured boundary points, typically a firewall or IDS.

Benefits at a glance:

  • Multiple customers can leverage the same IP address space
  • Improved network functionality
  • Potential cost savings

A brief history of VRF:

VRF was revolutionary in the networking world because it allowed virtualization and the merging of multiple routing instances on a single device. Organizations and networks can now leverage the same IP addresses, yet Virtual Routing and Forwarding (VRF) provides traffic isolation at layer 3 for routing, similar to how you use VLANs to isolate traffic at layer 2. VRF is a fundamental feature of a network OS that has been around for nearly two decades, yet it only recently gained a formal implementation in the networking stack.

Details of VRF (specific to NVIDIA Cumulus Linux):

  • The VRF is presented as a layer 3 master network device with its own associated routing table.
  • The VRF device can have its own IP address, known as a VRF-local loopback.
  • A VRF does not map to its own network namespace; however, you can nest VRFs in a network namespace.
  • VRFs are locally significant: a VRF name or table ID has meaning only on the device where it is configured.
  • Applications can use existing interfaces to operate in a VRF context, either by binding sockets to the VRF device or by passing the VRF device's ifindex in a control message (cmsg).
  • Neighbor entries continue to be per-interface, and you can view all entries associated with the VRF device.
  • You can use existing Linux tools to interact with it, such as tcpdump.

Management VRF is a particular VRF instance that separates the out-of-band management network from the in-band data plane network.

Configuring a VRF (specific to NVIDIA Cumulus Linux):

Each routing table is called a VRF table and has its own table ID.

To configure VRF, you associate each subset of interfaces to a VRF routing table and configure an instance of the routing protocol (BGP or OSPFv2) for each routing table. Configuring a VRF is similar to configuring other network interfaces. Keep in mind the following:

  • A VRF table can have an IP address, which is the VRF-local loopback interface for the VRF.
  • The associated policy routing rules are added automatically.
  • You can also add a default route to the VRF table so that a lookup which misses every route in it does not fall through to another table when the kernel forwards the packet.

Names for VRF tables can be a maximum of 15 characters. However, you cannot use the name mgmt, as this name can only be used for the management VRF.
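The procedure above, carried out with plain iproute2 on a Linux host, as an added example that is not part of the original article and not NVIDIA Cumulus Linux's own tooling. It creates the VRF master device with its own table, adds the VRF-local loopback, moves interfaces into the VRF, and installs the unreachable default route (the route and its metric follow the Linux kernel's VRF documentation), then shows how existing tools such as tcpdump and ping operate in the VRF context. The function names, the VRF name `vrf-red`, the interfaces `swp1`/`swp2` and the addresses are assumptions chosen for illustration; the name check enforces the 15-character limit and the reserved name `mgmt` from the paragraph above. With `DRY_RUN=1` the commands are printed instead of executed, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the article or from NVIDIA Cumulus Linux: build a
# VRF with iproute2. Names (vrf-red, swp1, swp2) and addresses are constructed.
# DRY_RUN=1 prints the commands instead of running them (no root needed).

# A VRF name must be at most 15 characters and must not be "mgmt",
# which is reserved for the management VRF.
vrf_name_ok() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 15 ] || return 1
    [ "$name" != "mgmt" ] || return 1
    return 0
}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vrf_setup NAME TABLE_ID LOOPBACK_CIDR IFACE...
#   1. create the VRF master device bound to its own routing table
#      (iproute2 adds the l3mdev policy rule automatically);
#   2. give the VRF its local loopback address;
#   3. move each interface into the VRF;
#   4. add an unreachable default route with a very large metric, so a
#      lookup that misses every route in the VRF table stops there
#      instead of falling through to another table.
vrf_setup() {
    name=$1; table=$2; loopback=$3; shift 3
    vrf_name_ok "$name" || { echo "invalid VRF name: $name" >&2; return 1; }
    case $table in
        ''|*[!0-9]*) echo "table id must be numeric: $table" >&2; return 1 ;;
    esac
    run ip link add "$name" type vrf table "$table" || return 1
    run ip link set dev "$name" up || return 1
    run ip addr add "$loopback" dev "$name" || return 1
    for ifc in "$@"; do
        run ip link set dev "$ifc" master "$name" || return 1
    done
    run ip route add table "$table" unreachable default metric 4278198272
}

# vrf_verify NAME PEER: inspect the VRF, capture on the VRF device with
# tcpdump, and run a tool that has no VRF option (ping) inside the VRF.
vrf_verify() {
    name=$1; peer=$2
    run ip vrf show
    run ip route show vrf "$name"
    run ip rule show
    run tcpdump -ni "$name" -c 5
    run ip vrf exec "$name" ping -c 1 "$peer"
}

# Usage: DRY_RUN=1 VRF_DEMO=1 sh vrf-setup.sh   (drop DRY_RUN to apply as root)
if [ "${VRF_DEMO:-0}" = "1" ]; then
    vrf_setup vrf-red 1001 10.255.0.1/32 swp1 swp2
    vrf_verify vrf-red 10.0.0.2
fi
```

Because the VRF device is a normal layer 3 master interface, `tcpdump -i vrf-red` sees every packet routed through the VRF, and `ip vrf exec` binds an unmodified program's sockets to the VRF so that its lookups use the VRF table rather than the main table.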