Basic WAN VRF Routing Configuration on Cisco ISR

In this basic VRF configuration tutorial, we will look at how to set up a VRF for a WAN interface, and get routing from the Internet to the router, or from the default Global VRF out out to the internet and back into the Global VRF. There are a number of reasons you might do this, but I generally configure this to make traffic destined to the router from the Internet be routed independently instead of having the reply traffic be routed according to the routing table in the Global VRF. This helps when you want to have VPN tunnels terminated to different interfaces simultaneously.

A simple example of a communication from the Internet to the router would be having an echo request from the Internet hit Gig 0/1 on R1. You would normally want a reply to go back out Gig 0/1 regardless of what the current route to the echo request's source address is in the Global VRF. Otherwise, your routing is asymmetric. Unfortunately, an echo request coming in on Gig0/1 would normally have the reply sent using routes from the routing table in the Global VRF, even if that means sending the echo reply out on Gig 0/2 (and with the source address of Gig 0/1). See the diagram below.

Now, apply this to a scenario where you are terminating IKEv2 tunnels to each of the WAN interfaces. As long as your ISP allows the traffic through with an invalid source IP, which most do in my experience, you will appear to have tunnels connecting across two completely independent routes. In reality, you are sending traffic to both interfaces, but getting all the traffic back through whichever interface is used for the default route. Now, let's look at a simple configuration for a single interface to be in its own VRF, and how that would affect the echo request/reply behavior.

Now communication sourced from the Internet to the router will no longer have asymmetric routes since it is contained within its own VRF. Unfortunately, this has also made it so that traffic sourced from the Global VRF on R1 has no valid return path. There are a few ways to leak routes between the VRFs. The easiest is to use the ip route command inside the VRF to select the next hop for traffic on the VRF and send it to a core router. For example: ip route '10.0.0.0 255.0.0.0 GigabitEthernet0/0 10.0.0.10' would send traffic for 10.x.x.x out of the Gig 0/0 interface to a router with the IP of 10.0.0.10. The core router would then route it appropriately. Unfortunately, this won't work if you want to send to directly connected networks, is not very easy to scale if you have a lot of different routes, and doesn't take advantage of any dynamically generated routes in the Global VRF (think routing protocols). You also can't just point it to an interface and IP for R1 that is in the Global VRF because it will be detected as a routing loop. Here is a full example of my preferred method which uses Policy Based Routing to match traffic that should go into the Global VRF, and moves it there. The exact line that places it into the Global VRF is the 'set global' line in the route-map.

Now, you have symmetric routing from the internet to R1, and symmetric routing from the Global VRF to the internet. Keep in mind that traffic you are NATing to servers inside the Global VRF will still be routed asymmetrically, and this does not address this scenario. See the Full config below.

ip vrf WAN1
!
Interface GigabitEthernet0/1
 ip vrf forwarding WAN1
!
ip route vrf WAN1 0.0.0.0 0.0.0.0 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 1.1.1.1 10
!
ip access-list extended WAN_TO_GLOBAL_ACL
 permit ip any 10.0.0.0 0.255.255.255
!
route-map WAN_TO_GLOBAL permit 10
 match ip address WAN_TO_GLOBAL_ACL
 set global
!
interface GigabitEthernet0/1
 ip policy route-map WAN_TO_GLOBAL

If you want to make a second VRF on Gig 0/2, you can just reuse the PBR. So, you would just need the following lines.

ip vrf WAN2
!
Interface GigabitEthernet0/2
 ip vrf forwarding WAN2
!
ip route vrf WAN2 0.0.0.0 0.0.0.0 2.2.2.1
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 2.2.2.1 20
!
interface GigabitEthernet0/2
 ip policy route-map WAN_TO_GLOBAL
Tutorial Tags: