Virtual routing and forwarding extends virtual networks

In this tip, learn how virtual routing and forwarding (VRF) divides a router or Layer 3 switch into multiple independent virtual devices, how VRF-equipped routers provide gateways to MPLS, and where VRF fits in with secure tunnelling.

Virtual systems have become popular as a result of the flexibility and cost savings they bring:

Virtual networks enable administrators to divide a physical link into multiple virtual links. Each virtual link is completely isolated from the others. Typically, a virtual network will be dedicated to traffic from a specific application or from a specific group of users.

As the application mix varies and processing loads shift over the course of a day, network traffic patterns change. Virtual network administrators can vary the fraction of bandwidth on a link assigned to each application. Also, multiple physical links can be combined to provide adequate bandwidth where no single physical link will suffice.

Techniques for dividing local area networks (LANs) into multiple virtual networks were developed and standardized by the IEEE in the 1990s. These techniques have been widely adopted.

IEEE standard 802.1q defines how a single LAN is divided into multiple virtual LANs (VLANs). IEEE 802.1p is used in conjunction with 802.1q. It specifies eight priority levels for traffic. Administrators assign traffic to appropriate priority levels to provide adequate bandwidth for each application.

But VLANs are a Layer 2 technology. Techniques to extend a Layer 2 network across a wide area do exist, but a VLAN is a broadcast domain. The effective throughput of a broadcast domain will decrease as it is loaded with too many nodes and too much traffic. A large VLAN must be divided into segments using Layer 3 routing protocols in order to remain manageable.

VRF-capable routers subdivide a virtual network

VRF divides a router or Layer 3 switch into multiple independent virtual devices. Each virtual router supports a single virtual network.

Virtual routers support standard routing protocols such as OSPF or BGP. Routing protocol operation on each virtual router is independent of routing operation on the other virtual routers in the same physical device. Each virtual router maintains a separate set of routing and forwarding tables with no need for all of the virtual routers to support the same set of routing protocols.

Since individual virtual networks are completely separate, functions such as Network Address Translation (NAT) and firewall functions must operate independently for each virtual network. NAT and firewall functions in VRF-equipped routers operate within a virtual router. As a result, each virtual network can have its own firewall policies and maintain a separate IP address space.

VRF-equipped routers provide gateways to MPLS

An MPLS network often provides the wide area link between sites. MPLS enables network managers to specify the bandwidth and Quality of Service (QoS) provided. One or more Customer Edge (CE) routers at each site connect to the MPLS network at one or more Provider Edge (PE) routers. Both the CE and PE routers must support VRF.

In the simplest configuration, multiple CE routers are used, with each router supporting a single virtual network. But this configuration makes it impossible to shift bandwidth from one virtual network to another.

To regain the ability to shift bandwidth, a single CE router can connect to a single PE router through a single physical link. Traffic from all of the virtual networks traverses the link, so bandwidth allocation on the link can be modified to match load requirements. Individual virtual networks are configured as subinterfaces within a single interface on each router.

More commonly, multiple CE routers link to multiple PE routers to maintain the ability to shift bandwidth and to add protection in the event of a link failure. In this case, all of the CE and PE routers support all of the virtual networks. VRF is independent of the type of link technology. Any link technology that supports the required total throughput can be chosen.

Connecting IP tunnels

Tunnel protocols such as IPsec are better suited than VLANs to situations where encryption and authentication are required. Consider a single human resources (HR) staff member located in a remote facility. He or she might be the only employee at the site who is granted access to a central personnel database. The nature of the information in the database requires secure access.

An IPsec tunnel carries traffic from the HR staffer's workstation to a VRF-equipped router. As in the case of a VLAN, the tunnel is configured as a subinterface on the router. Traffic then traverses the wide area network to another router supporting VRF and finally onto a link connected to the personnel database.

VRF within a campus network

VRF functionality on Layer 3 switches can be used to link VLANs within a campus. When a large campus wide virtual network becomes too large to remain a single broadcast domain, it must be subdivided. Layer 3 switches supporting VRF are used to break the virtual network into separate VLANs, each of manageable size.

As administrators gain more experience, virtual systems will grow to include larger numbers of servers and storage, and components will spread across the wide area. VRF is the enabling technology for subdividing virtual networks that connect virtual servers with storage.

About the author: David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies, as well as software startups.

Read more on Data centre networking