Simon Painter: Somewhere to keep things

Tunnel traffic in a vrf

If you wish to tunnel traffic you will often want to ensure there is some segregation between the traffic you are trying to tunnel and the network you are tunnelling over. Examples are tunnelling confidential HR or Finance information over a LAN or tunnelling trusted LAN data over the Internet. Another reason may be tunnelling between two networks over a third network that has clashing IP address space. This is common in company mergers and the early stages of integration.

In our scenario we have three routers using EIGRP and we want to connect a fourth router and create a tunnel from R1 to R4. We want to ensure that the default routing table of R4 has no knowledge of R2 and R3.

We can achieve this simply by putting the interface carrying the tunnel into a vrf and then configuring the tunnel to go through that vrf.

hostname R1
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.0.10
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 1
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
hostname R2
!
interface Loopback0
 ip address 172.16.0.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.5 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 1
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
hostname R3
!
interface Loopback0
 ip address 172.16.0.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.0.9 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.6 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 1
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
hostname R4
!
ip vrf INTERNET
!
interface Loopback0
 ip address 172.16.0.4 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.1
 tunnel vrf INTERNET
!
interface FastEthernet0/0
 ip vrf forwarding INTERNET
 ip address 192.168.0.10 255.255.255.252
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.168.0.9
!

The exciting stuff is in R4, particularly the bit that puts the tunnel into the vrf:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.1
 tunnel vrf INTERNET   <<<<

You can see what is happening by looking at the two routing tables.

R4#
R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/32 is subnetted, 1 subnets
C       172.16.0.4 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel0
R4#
R4#
R4#sh ip route vrf INTERNET

Routing Table: INTERNET
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.0.9 to network 0.0.0.0

     192.168.0.0/30 is subnetted, 1 subnets
C       192.168.0.8 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.0.9
R4#

As you can see, the routes to reach R2 and R3 do not leak into R4’s default routing table, and vice versa.
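As an added example (not part of the original post), here is a small Python check that parses an IOS-style configuration and flags any tunnel whose "tunnel vrf" does not match the "ip vrf forwarding" of its source interface, which is exactly the binding the R4 config above relies on. The embedded config is a constructed copy of R4's relevant stanzas, and the function names are assumptions of this example, not IOS commands.

```python
import re

# Constructed sample: R4's relevant stanzas from the post, embedded so the check runs offline.
R4_CONFIG = """\
interface Loopback0
 ip address 172.16.0.4 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.1
 tunnel vrf INTERNET
!
interface FastEthernet0/0
 ip vrf forwarding INTERNET
 ip address 192.168.0.10 255.255.255.252
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.168.0.9
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    return {name: [line.strip() for line in body.splitlines()]
            for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def interface_vrf(cmds):
    """VRF set by 'ip vrf forwarding', or None when the interface is in the global table."""
    return next((c.split()[3] for c in cmds if c.startswith("ip vrf forwarding ")), None)

def check_tunnel_vrfs(config):
    """One finding per tunnel whose 'tunnel vrf' differs from the VRF of its source interface.

    A mismatch means the tunnel's outer packets are routed using a different table from
    the one the source interface belongs to, so the tunnel will not come up as intended.
    """
    ifaces = parse_interfaces(config)
    findings = []
    for name, cmds in ifaces.items():
        if not name.startswith("Tunnel"):
            continue
        src = next((c.split()[2] for c in cmds if c.startswith("tunnel source ")), None)
        tvrf = next((c.split()[2] for c in cmds if c.startswith("tunnel vrf ")), None)
        # A source given as an IP address rather than an interface name is not resolved
        # here and is treated as global.
        src_vrf = interface_vrf(ifaces.get(src, []))
        if src_vrf != tvrf:
            findings.append(f"{name}: tunnel vrf={tvrf} but source {src} is in vrf={src_vrf}")
    return findings
```

Running check_tunnel_vrfs on the R4 config returns no findings; removing the "tunnel vrf INTERNET" line produces one finding for Tunnel0, which is the misconfiguration that would leave the tunnel looking up 172.16.0.1 in the global table.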
