How to route between VRFs on a Cisco router

This guide shows the simplest way to route between 2 VRFs on a Cisco router. I didn’t invent this method; someone showed it to me.

Here’s the GNS3 project + images if you want to follow along.

https://upw.io/3uh/route-between-vrfs.gns3project

Essentially IOU1 is the client with 192.168.1.1, and the default gateway is IOU2. IOU2 PATs outbound via the WAN link, which is in a WAN VRF. IOU2 has a static route in the global routing table pointing to 1.0.0.2, and a route-map is applied to the return traffic to make sure it uses the global RIB.

So when IOU1 pings 8.8.8.8, the ping is sourced from 192.168.1.1. When it reaches IOU2 it enters on the default VRF. The static route there names both the interface and the next-hop IP, which allows the global table to use the same default even though e0/1 is in the WAN VRF. Finally, the return traffic (after being NAT’d) matches the PBR, which says to use the global RIB instead of the WAN VRF.

IOU1:

R1#sh run int e0/0
Building configuration...

Current configuration : 67 bytes
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
end

R1#sh run | i route
ip route 0.0.0.0 0.0.0.0 192.168.1.1

IOU2:

R2#sh run int e0/0
Building configuration...

Current configuration : 108 bytes
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
end

R2#sh run int e0/1
Building configuration...

Current configuration : 152 bytes
!
interface Ethernet0/1
 vrf forwarding WAN
 ip address 1.0.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map PBR
end

R2#show run | i ip nat inside
ip nat inside
ip nat inside source list 1 interface Ethernet0/1 overload

R2#show run | i access-list 101
access-list 101 permit ip any 192.168.1.0 0.0.0.255

R2#show run | i route

ip route 0.0.0.0 0.0.0.0 Ethernet0/1 1.0.0.2
ip route vrf WAN 0.0.0.0 0.0.0.0 1.0.0.2

R2#show run | s route-map

route-map PBR permit 10
 match ip address 101
 set global

IOU3:

R3#show run int e0/1
Building configuration...

Current configuration : 65 bytes
!
interface Ethernet0/1
 ip address 1.0.0.2 255.255.255.252
end

R3#sh run int lo0
Building configuration...

Current configuration : 63 bytes
!
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
end
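
VRFs are often relied on as a separation boundary, so it helps to be able to list where a configuration like IOU2's crosses one. The following is an added example, not part of the original post: a small Python audit that finds both crossing points this guide uses (the global static route out of a VRF interface, and the "set global" policy route-map) and reports the ACL entries that scope the latter. It assumes numbered ACLs and "vrf forwarding" syntax as shown on this page; the function name find_vrf_leaks and the sample string are made up for the example.

```python
import re

# Constructed sample: the VRF-relevant IOU2 lines from this page, joined into one config.
IOU2_CONFIG = """\
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
 vrf forwarding WAN
 ip policy route-map PBR
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 1.0.0.2
ip route vrf WAN 0.0.0.0 0.0.0.0 1.0.0.2
access-list 101 permit ip any 192.168.1.0 0.0.0.255
route-map PBR permit 10
 match ip address 101
 set global
"""

def find_vrf_leaks(config):
    """List every point where traffic crosses between a VRF and the global table."""
    vrf_of, pbr_of, rmap_acls, rmap_global, acls, routes = {}, {}, {}, set(), {}, []
    kind = name = None
    for line in config.splitlines():
        text = line.strip()
        if line[:1] != " ":                       # top-level command
            m = re.match(r"(interface|route-map) (\S+)", text)
            kind, name = m.groups() if m else (None, None)
            if m := re.match(r"access-list (\d+) (.+)", text):
                acls.setdefault(m[1], []).append(m[2])
            elif m := re.match(r"ip route (?!vrf )\S+ \S+ ([A-Za-z]\S*)", text):
                routes.append((m[1], text))       # global route naming an egress interface
        elif kind == "interface":
            if m := re.match(r"vrf forwarding (\S+)", text):
                vrf_of[name] = m[1]
            elif m := re.match(r"ip policy route-map (\S+)", text):
                pbr_of[name] = m[1]
        elif kind == "route-map":
            if m := re.match(r"match ip address (\d+)", text):
                rmap_acls.setdefault(name, []).append(m[1])
            elif text == "set global":
                rmap_global.add(name)
    leaks = [("global->vrf static route", ifc, vrf_of[ifc], text)
             for ifc, text in routes if ifc in vrf_of]
    for ifc, rmap in pbr_of.items():
        if ifc in vrf_of and rmap in rmap_global:  # PBR pulls VRF traffic into the global RIB
            scope = [e for a in rmap_acls.get(rmap, []) for e in acls.get(a, [])]
            leaks.append(("vrf->global PBR", ifc, vrf_of[ifc], scope or ["(unrestricted)"]))
    return leaks

if __name__ == "__main__":
    print(*find_vrf_leaks(IOU2_CONFIG), sep="\n")
```

For IOU2 it reports two entries, and the second carries the ACL 101 line, so a reviewer can see that the policy matches any source address in the WAN VRF destined to 192.168.1.0/24.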
