Cisco Systems OL-4344-01 VPN Routing and Forwarding Tables (VRFs)

1-16

Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0

OL-4344-01

Chapter1 About Cisco IP Solution Center

About MPLS VPNs

VPN Routing and Forwarding Tables (VRFs)

The VPN routing and forwarding table (VRF) is a key element in the MPLS VPN technology. VRFs exist

on PEs only (except in the case of a Multi-VRF CE). A VRF is a routing table instance, and more than

one VRF can exist on a PE. A VPN can contain one or more VRFs on a PE. The VRF contains routes

that should be available to a particular set of sites. VRFs use Cisco Express Forwarding (CEF)

technology, therefore the VPN must be CEF-enabled.

A VRF is associated with the following elements:

•IP routing table

•Derived forwarding table, based on the Cisco Express Forwarding (CEF) technology

•A set of interfaces that use the derived forwarding table

•A set of routing protocols and routing peers that inject information into the VRF

Each PE maintains one or more VRFs. ISC software looks up a particular packet’s IP destination address

in the appropriate VRF only if that packet arrived directly through an interface that is associated with

that VRF. The so-called “color” MPLS label tells the destination PE to check the VRF for the appropriate

VPN so that it can deliver the packet to the correct CE and finally to the local host machine.

A VRF is named based on the VPN or VPNs it services, and on the role of the CE in the topology. The

schemes for the VRF names are as follows:

The VRF name for a hub: ip vrf Vx:[VPN_name]

The x parameter is a number assigned to make the VRF name unique.

For example, if we consider a VPN called Blue, then a VRF for a hub CE would be called:

ip vrf V1:blue

A VRF for a spoke CE in the Blue VPN would be called:

ip vrf V1:blue-s

A VRF for an extranet VPN topology in the Green VPN would be called:

ip vrf V1:green-etc

Thus, you can read the VPN name and the topology type directly from the name of the VRF.

Figure 1-9 shows a network in which two of the four sites are members of two VPNs, and illustrates

which routes are included in the VRFs for each site.