18.1.2 Lab – Implement VRF-Lite Answers

18.1.2 Lab – Implement VRF-Lite Answers

Lab – Implement VRF-Lite (Answers Version)

Answers Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

This topology has 3 routers, 3 switches and 2 PCs. R1 G0/0/0 is connected to R2 G0/0/0. R1 S0/1/0 is connected to R3 S0/1/0. R1 G0/0/1 is connected to A1 F0/11. A1 F0/1 is connected to D1 G1/0/5. A1 F0/3 is connected to D2 G1/0/5. PC1 is connected via D1 G1/0/23. PC3 is connected via D2 G1/0/23.

Addressing Table

Device

Interface

IPv4 Address

IPv6 Address

IPv6 Link-Local

R1

G0/0/0

10.1.2.1/24

2001:db8:acad:1012::1/64

fe80::1:1

R1

G0/0/1.5

10.1.2.1/24

2001:db8:acad:1012::1/64

fe80::1:2

R1

G0/0/1.8

10.1.3.1/24

2001:db8:acad:1013::1/64

fe80::1:4

R1

S0/1/0

10.1.3.1/25

2001:db8:acad:1013::1/64

fe80::1:2

R2

G0/0/0

10.2.3.2/24

2001:db8:acad:1023::2/64

fe80::2:1

R2

Loopback0

192.168.2.1/24

2001:db8:acad:2000::1/64

fe80::2:2

R3

S0/1/0

10.1.3.3/25

2001:db8:acad:1013::3/64

fe80::3:1

R3

Loopback0

192.168.3.1/27

2001:db8:acad:3000::1/64

fe80::3:2

D1

G1/0/5

10.1.2.2/24

2001:db8:acad:1012::2/64

fe80::d1:1

D1

VLAN 11

192.168.2.1/24

2001:db8:acad:2000::2/64

fe80::d1:2

D2

G1/0/5

10.1.3.2/24

2001:db8:acad:1013::2/64

fe80::d2:1

D2

VLAN 11

192.168.3.1/24

2001:db8:acad:3000::1/64

fe80::d2:2

Objectives

Part 1: Build the Network and Configure Basic Device Settings

Part 2: Configure and Verify VRF and Interface Addressing

Part 3: Configure and Verify Static Routing for Reachability Inside Each VRF

Background / Scenario

By default, all interfaces on a router are included in the global routing table. Service providers must be able to virtualize the router, thus creating multiple, virtual routing tables. Virtual Routing and Forwarding (VRF) can do just that. VRF-Lite is VRF without the MPLS component.

In this lab, you will work on R1, playing the part of a service provider router, as it supports two customers who have the same addressing scheme configured. Your task is to deploy VRF-Lite and static routing so that the customers have full reachability within their network.

Note: This lab is an exercise in developing, deploying, and verifying VRF-Lite, and does not reflect networking best practices.

Note: The routers and switches used with CCNP hands-on labs are Cisco 4221 and Cisco 3650, both with Cisco IOS XE Release 16.9.4 (universalk9 image), and Cisco 2960+ with IOS release 15.2 (lanbase image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs

Note: Ensure that the routers and switches have been erased and have no startup configurations. If you are unsure contact your instructor.

Note: The PCs used in this lab do not require addressing. They are needed to bring interface VLAN 11 up.

Answers Note: Refer to the Answers Lab Manual for the procedures to initialize and reload devices.

Required Resources

  • 3 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
  • 2 Switches (Cisco 3650 with Cisco IOS XE release 16.9.4 universal image or comparable)
  • 1 Switch (Cisco 2960+ with Cisco IOS release 15.2 lanbase image or comparable)
  • 2 PCs (Windows with a terminal emulation program, such as Tera Term)
  • Console cables to configure the Cisco IOS devices via the console ports
  • Ethernet and serial cables as shown in the topology

Part 1:Build the Network and Configure Basic Device Settings

In Part 1, you will set up the network topology and configure basic settings on all devices.

Step 1:Cable the network as shown in the topology.

Attach the devices as shown in the topology diagram, and cable as necessary.

Step 2:Configure basic settings for each device.

  1. Console into each device, enter global configuration mode, and apply the basic settings. A command list for each device using the following startup configurations.

Open configuration window

Router R1

enable

configure terminal

hostname R1

no ip domain lookup

ipv6 unicast-routing

banner motd # R1, Implement VRF-Lite #

line con 0

exec-timeout 0 0

logging synchronous

exit

line vty 0 4

privilege level 15

password cisco123

exec-timeout 0 0

logging synchronous

login

exit

Router R2

enable

configure terminal

hostname R2

no ip domain lookup

ipv6 unicast-routing

banner motd # R2, Implement VRF-Lite #

line con 0

exec-timeout 0 0

logging synchronous

exit

line vty 0 4

privilege level 15

password cisco123

exec-timeout 0 0

logging synchronous

login

exit

interface g0/0/0

ip address 10.1.2.2 255.255.255.0

ipv6 address fe80::2:1 link-local

ipv6 address 2001:db8:acad:1012::2/64

no shutdown

exit

interface loopback 0

ip address 192.168.2.1 255.255.255.0

ipv6 address fe80::2:2 link-local

ipv6 address 2001:db8:acad:2000::1/64

no shutdown

exit

ip route 0.0.0.0 0.0.0.0 g0/0/0 10.1.2.1

ipv6 route ::/0 g0/0/0 2001:db8:acad:1012::1

Router R3

enable

configure terminal

hostname R3

no ip domain lookup

ipv6 unicast-routing

banner motd # R3, Implement VRF-Lite #

line con 0

exec-timeout 0 0

logging synchronous

exit

line vty 0 4

privilege level 15

password cisco123

exec-timeout 0 0

logging synchronous

login

exit

interface s0/1/0

ip address 10.1.3.2 255.255.255.0

ipv6 address fe80::3:1 link-local

ipv6 address 2001:db8:acad:1013::2/64

no shutdown

exit

interface loopback 0

ip address 192.168.3.1 255.255.255.0

ipv6 address fe80::3:2 link-local

ipv6 address 2001:db8:acad:3000::1/64

no shutdown

exit

ip route 0.0.0.0 0.0.0.0 s0/1/0 10.1.3.1

ipv6 route ::/0 s0/1/0 2001:db8:acad:1013::1

Switch D1

enable

configure terminal

hostname D1

no ip domain lookup

ip routing

ipv6 unicast-routing

banner motd # D1, Implement VRF-Lite #

line con 0

exec-timeout 0 0

logging synchronous

exit

line vty 0 4

privilege level 15

password cisco123

exec-timeout 0 0

logging synchronous

login

exit

interface range g1/0/1-24, g1/1/1-4, g0/0

shutdown

exit

interface g1/0/5

no switchport

ip address 10.1.2.2 255.255.255.0

ipv6 address fe80::d1:1 link-local

ipv6 address 2001:db8:acad:1012::2/64

no shutdown

exit

vlan 11

name LOCAL_VLAN

exit

interface vlan 11

ip address 192.168.2.1 255.255.255.0

ipv6 address fe80::d1:2 link-local

ipv6 address 2001:db8:acad:2000::1/64

no shutdown

exit

interface g1/0/23

switchport mode access

switchport access vlan 11

no shutdown

exit

ip route 0.0.0.0 0.0.0.0 g1/0/5 10.1.2.1

ipv6 route ::/0 g1/0/5 2001:db8:acad:1012::1

Switch D2

enable

configure terminal

hostname D2

no ip domain lookup

ip routing

ipv6 unicast-routing

banner motd # D2, Implement VRF-Lite #

line con 0

exec-timeout 0 0

logging synchronous

exit

line vty 0 4

privilege level 15

password cisco123

exec-timeout 0 0

logging synchronous

login

exit

interface range g1/0/1-24, g1/1/1-4, g0/0

shutdown

exit

interface g1/0/5

no switchport

ip address 10.1.3.2 255.255.255.0

ipv6 address fe80::d2:1 link-local

ipv6 address 2001:db8:acad:1013::2/64

no shutdown

exit

vlan 11

name LOCAL_VLAN

exit

interface vlan 11

ip address 192.168.3.1 255.255.255.0

ipv6 address fe80::d2:2 link-local

ipv6 address 2001:db8:acad:3000::1/64

no shutdown

exit

interface g1/0/23

switchport mode access

switchport access vlan 11

no shutdown

exit

ip route 0.0.0.0 0.0.0.0 g1/0/5 10.1.3.1

ipv6 route ::/0 g1/0/5 2001:db8:acad:1013::1

Switch A1

enable

configure terminal

hostname A1

no ip domain lookup

banner motd # A1, Implement VRF-Lite #

line con 0

exec-timeout 0 0

logging synchronous

exit

line vty 0 4

privilege level 15

password cisco123

exec-timeout 0 0

logging synchronous

login

exit

interface range f0/1-24, g0/1-2

shutdown

exit

vlan 5

name D1

exit

vlan 8

name D2

exit

interface f0/11

switchport mode trunk

switchport nonegotiate

no shutdown

exit

interface f0/1

switchport mode access

switchport access vlan 5

no shutdown

exit

interface f0/3

switchport mode access

switchport access vlan 8

no shutdown

  1. Set the clock on each router to UTC time.
  2. Save the running configuration to startup-config.

Close configuration window

Part 2:Configure and Verify VRF and Interface Addressing

In Part 2, you will configure and verify VRF-Lite on R1. The other devices, R2, R3, D1, D2, and A1 require no additional configuration. Once again, the configuration being used here is not meant to represent best practice, but to assess your ability to complete the required configurations.

Step 1:On R1, create the required VRFs.

  1. Create the Customer_A and Customer_B VRFs, and initialize them for both IPv4 and IPv6. The VRF names are case sensitive.

Open configuration window

R1(config)# vrf definition Customer_A

R1(config-vrf)# address-family ipv4

R1(config-vrfaf)# address-family ipv6

R1(config-vrfaf)# exit

R1(configvrf)# vrf definition Customer_B

R1(config-vrf)# address-family ipv4

R1(config-vrfaf)# address-family ipv6

R1(config-vrfaf)# exit

  1. Configure interfaces G0/0/0 and S0/1/0 for the Customer_A network.

R1(config)# interface g0/0/0

R1(config-if)# vrf forwarding Customer_A

R1(config-if)# ip address 10.1.2.1 255.255.255.0

R1(config-if)# ipv6 address fe80::1:1 link-local

R1(config-if)# ipv6 address 2001:db8:acad:1012::1/64

R1(config-if)# no shutdown

R1(config-if)# exit

R1(config)# interface s0/1/0

R1(config-if)# vrf forwarding Customer_A

R1(config-if)# ip address 10.1.3.1 255.255.255.0

R1(config-if)# ipv6 address fe80::1:4 link-local

R1(config-if)# ipv6 address 2001:db8:acad:1013::1/64

R1(config-if)# no shutdown

R1(config-if)# exit

  1. Configure R1 interface G0/0/1 to support the Customer_B networks. G0/0/1 will be performing inter-VLAN routing between VLANs 5 and 8.

R1(config)# interface g0/0/1

R1(config-if)# no shutdown

R1(config-if)# exit

R1(config)# interface g0/0/1.5

R1(config-subif)# encapsulation dot1q 5

R1(config-subif)# vrf forwarding Customer_B

R1(config-subif)# ip address 10.1.2.1 255.255.255.0

R1(config-subif)# ipv6 address fe80::1:2 link-local

R1(config-subif)# ipv6 address 2001:db8:acad:1012::1/64

R1(config-subif)# exit

R1(config)# interface g0/0/1.8

R1(config-subif)# encapsulation dot1q 8

R1(config-subif)# vrf forwarding Customer_B

R1(config-subif)# ip address 10.1.3.1 255.255.255.0

R1(config-subif)# ipv6 address fe80::1:3 link-local

R1(config-subif)# ipv6 address 2001:db8:acad:1013::1/64

R1(config-subif)# end

Step 2:Verify the VRF-Lite configuration.

  1. Verify the interface assignments using the show ip vrf interfaces command.

R1# show ip vrf interfaces

InterfaceIP-AddressVRFProtocol

Gi0/0/010.1.2.1Customer_Aup

Se0/1/010.1.3.1Customer_Aup

Gi0/0/1.510.1.2.1Customer_Bup

Gi0/0/1.810.1.3.1Customer_Bup

  1. Verify the VRF routing tables with the show ip route vrf vrf_name and show ipv6 route vrf vrf_name command.

R1# show ip route vrf Customer_A | begin Gateway

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C10.1.2.0/24 is directly connected, GigabitEthernet0/0/0

L10.1.2.1/32 is directly connected, GigabitEthernet0/0/0

C10.1.3.0/24 is directly connected, Serial0/1/0

L10.1.3.1/32 is directly connected, Serial0/1/0

R1# show ipv6 route vrf Customer_B

IPv6 Routing Table – Customer_B – 5 entries

Codes: C – Connected, L – Local, S – Static, U – Per-user Static route

<output omitted>

a – Application

C2001:DB8:ACAD:1012::/64 [0/0]

via GigabitEthernet0/0/1.5, directly connected

L2001:DB8:ACAD:1012::1/128 [0/0]

via GigabitEthernet0/0/1.5, receive

C2001:DB8:ACAD:1013::/64 [0/0]

via GigabitEthernet0/0/1.8, directly connected

L2001:DB8:ACAD:1013::1/128 [0/0]

via GigabitEthernet0/0/1.8, receive

LFF00::/8 [0/0]

via Null0, receive

  1. Verify next-hop reachability within each vrf with the ping vrf vrf_name address command.

R1# ping vrf Customer_A 10.1.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R1# ping vrf Customer_A 2001:db8:acad:1012::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:1012::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

R1#ping vrf Customer_A 10.1.3.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.3.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

R1# ping vrf Customer_A 2001:db8:acad:1013::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:1013::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

Close configuration window

Part 3:Configure and Verify Static Routing for Reachability Inside Each VRF

In Part 3, you will configure static routing so that all networks are reachable within their respective VRFs. At the end of this part, R1 should be able to successfully source a ping from interface loopback0 to R3 interface loopback0, and D1 should be able to successfully source a ping from interface VLAN 11 to D2 interface VLAN 11. Once again, the way these networks are being implemented is not meant to represent best practice, but to assess your ability to complete the required configurations.

Step 1:Verify that distant networks are not reachable within each VRF.

In this step, you will check to make sure that distant networks are not reachable from R1 within each VRF.

  1. On R1, issue the commands ping vrf Customer_A 192.168.2.1 and ping vrf Customer_A 192.168.3.1. Neither should succeed.

Open configuration window

R1# ping vrf Customer_A 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

…..

Success rate is 0 percent (0/5)

R1# ping vrf Customer_A 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

…..

Success rate is 0 percent (0/5)

  1. On R1, issue the commands ping vrf Customer_A 2001:db8:acad:2000::1 and ping vrf Customer_A 2001:db8:acad:3000::1. Neither should succeed.

R1# ping vrf Customer_A 2001:db8:acad:2000::1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:2000::1, timeout is 2 seconds:

% No valid route for destination

Success rate is 0 percent (0/1)

R1# ping vrf Customer_A 2001:db8:acad:3000::1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:3000::1, timeout is 2 seconds:

% No valid route for destination

Success rate is 0 percent (0/1)

  1. On R1, issue the commands ping vrf Customer_B 192.168.2.1 and ping vrf Customer_B 192.168.3.1. Neither should succeed.

R1# ping vrf Customer_B 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

…..

Success rate is 0 percent (0/5)

R1# ping vrf Customer_B 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

…..

Success rate is 0 percent (0/5)

  1. On R1, issue the commands ping vrf Customer_B 2001:db8:acad:2000::1 and ping vrf Customer_B 2001:db8:acad:3000::1. Neither should succeed.

R1# ping vrf Customer_B 2001:db8:acad:2000::1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:2000::1, timeout is 2 seconds:

% No valid route for destination

Success rate is 0 percent (0/1)

R1# ping vrf Customer_B 2001:db8:acad:3000::1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:3000::1, timeout is 2 seconds:

% No valid route for destination

Success rate is 0 percent (0/1)

Step 2:Configure static routing at R1 for each VRF.

In this step, you will configure R1 so that it can reach distant networks in each VRF. The neighbor systems (D1, D2, R2, and R3) have static routes already configured, so as soon as you correctly install these static routes, there will be full reachability within each VRF.

  1. On R1, create static routes for the distant networks in the Customer_A VRF using the ip route vrf vrf_name destination_network next-hop command.

R1(config)# ip route vrf Customer_A 192.168.2.0 255.255.255.0 g0/0/0 10.1.2.2

R1(config)# ip route vrf Customer_A 192.168.3.0 255.255.255.0 s0/1/0 10.1.3.2

R1(config)# ipv6 route vrf Customer_A 2001:db8:acad:2000::/64 g0/0/0 2001:db8:acad:1012::2

R1(config)# ipv6 route vrf Customer_A 2001:db8:acad:3000::/64 s0/1/0 2001:db8:acad:1013::2

  1. Use the example above to correctly configure fully specified static routes for the Customer_B network.

R1(config)# ip route vrf Customer_B 192.168.2.0 255.255.255.0 GigabitEthernet0/0/1.5 10.1.2.2

R1(config)# ip route vrf Customer_B 192.168.3.0 255.255.255.0 GigabitEthernet0/0/1.8 10.1.3.2

R1(config)# ipv6 route vrf Customer_B 2001:DB8:ACAD:2000::/64 GigabitEthernet0/0/1.5 2001:DB8:ACAD:1012::2

R1(config)# ipv6 route vrf Customer_B 2001:DB8:ACAD:3000::/64 GigabitEthernet0/0/1.8 2001:DB8:ACAD:1013::2

Step 3:Verify full reachability within each VRF.

  1. On R2, ping the IPv4 and IPv6 addresses of R3 interface Loopback0 using a source address of R2 interface Loopback0. All pings should be successful.

R2# ping 192.168.3.1 source loopback0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

R2# ping 2001:db8:acad:3000::1 source loopback0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:3000::1, timeout is 2 seconds:

Packet sent with a source address of 2001:DB8:ACAD:2000::1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms

  1. On D1, ping the IPv4 and IPv6 addresses of D2 interface VLAN 11 using a source address of D1 interface VLAN 11. All pings should be successful.

D1# ping 192.168.3.1 source vlan11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

D1# ping 2001:db8:acad:3000::1 source vlan11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:3000::1, timeout is 2 seconds:

Packet sent with a source address of 2001:DB8:ACAD:2000::1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/5/17 ms

Close configuration window

Router Interface Summary Table

Router Model

Ethernet Interface #1

Ethernet Interface #2

Serial Interface #1

Serial Interface #2

1800

Fast Ethernet 0/0 (F0/0)

Fast Ethernet 0/1 (F0/1)

Serial 0/0/0 (S0/0/0)

Serial 0/0/1 (S0/0/1)

1900

Gigabit Ethernet 0/0 (G0/0)

Gigabit Ethernet 0/1 (G0/1)

Serial 0/0/0 (S0/0/0)

Serial 0/0/1 (S0/0/1)

2801

Fast Ethernet 0/0 (F0/0)

Fast Ethernet 0/1 (F0/1)

Serial 0/1/0 (S0/1/0)

Serial 0/1/1 (S0/1/1)

2811

Fast Ethernet 0/0 (F0/0)

Fast Ethernet 0/1 (F0/1)

Serial 0/0/0 (S0/0/0)

Serial 0/0/1 (S0/0/1)

2900

Gigabit Ethernet 0/0 (G0/0)

Gigabit Ethernet 0/1 (G0/1)

Serial 0/0/0 (S0/0/0)

Serial 0/0/1 (S0/0/1)

4221

Gigabit Ethernet 0/0/0 (G0/0/0)

Gigabit Ethernet 0/0/1 (G0/0/1)

Serial 0/1/0 (S0/1/0)

Serial 0/1/1 (S0/1/1)

4300

Gigabit Ethernet 0/0/0 (G0/0/0)

Gigabit Ethernet 0/0/1 (G0/0/1)

Serial 0/1/0 (S0/1/0)

Serial 0/1/1 (S0/1/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

End of document

Device Configs – Final

Router R1

R1# show run

Building configuration…

Current configuration : 3151 bytes

!

version 16.9

service timestamps debug datetime msec

service timestamps log datetime msec

platform qfp utilization monitor load 80

no platform punt-keepalive disable-kernel-core

!

hostname R1

!

boot-start-marker

boot-end-marker

!

vrf definition Customer_A

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

vrf definition Customer_B

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

no aaa new-model

!

no ip domain lookup

!

login on-success log

!

subscriber templating

!

!

ipv6 unicast-routing

multilink bundle-name authenticated

!

spanning-tree extend system-id

!

redundancy

mode none

!

interface GigabitEthernet0/0/0

vrf forwarding Customer_A

ip address 10.1.2.1 255.255.255.0

negotiation auto

ipv6 address FE80::1:1 link-local

ipv6 address 2001:DB8:ACAD:1012::1/64

!

interface GigabitEthernet0/0/1

no ip address

negotiation auto

!

interface GigabitEthernet0/0/1.5

encapsulation dot1Q 5

vrf forwarding Customer_B

ip address 10.1.2.1 255.255.255.0

ipv6 address FE80::1:2 link-local

ipv6 address 2001:DB8:ACAD:1012::1/64

!

interface GigabitEthernet0/0/1.8

encapsulation dot1Q 8

vrf forwarding Customer_B

ip address 10.1.3.1 255.255.255.0

ipv6 address FE80::1:3 link-local

ipv6 address 2001:DB8:ACAD:1013::1/64

!

interface Serial0/1/0

vrf forwarding Customer_A

ip address 10.1.3.1 255.255.255.0

ipv6 address FE80::1:3 link-local

ipv6 address 2001:DB8:ACAD:1013::1/64

!

interface Serial0/1/1

no ip address

!

ip forward-protocol nd

no ip http server

ip http secure-server

ip tftp source-interface GigabitEthernet0

ip route vrf Customer_A 192.168.2.0 255.255.255.0 GigabitEthernet0/0/0 10.1.2.2

ip route vrf Customer_A 192.168.3.0 255.255.255.0 Serial0/1/0 10.1.3.2

ip route vrf Customer_B 192.168.2.0 255.255.255.0 GigabitEthernet0/0/1.5 10.1.2.2

ip route vrf Customer_B 192.168.3.0 255.255.255.0 GigabitEthernet0/0/1.8 10.1.3.2

!

ipv6 route vrf Customer_B 2001:DB8:ACAD:2000::/64 GigabitEthernet0/0/1.5 2001:DB8:ACAD:1012::2

ipv6 route vrf Customer_A 2001:DB8:ACAD:2000::/64 GigabitEthernet0/0/0 2001:DB8:ACAD:1012::2

ipv6 route vrf Customer_B 2001:DB8:ACAD:3000::/64 GigabitEthernet0/0/1.8 2001:DB8:ACAD:1013::2

ipv6 route vrf Customer_A 2001:DB8:ACAD:3000::/64 Serial0/1/0 2001:DB8:ACAD:1013::2

!

control-plane

!

banner motd ^C R1, Implement VRF-Lite ^C

!

line con 0

exec-timeout 0 0

logging synchronous

transport input none

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 0 0

privilege level 15

password cisco123

logging synchronous

login

!

end

Router R2

R2# show run

Building configuration…

Current configuration : 1760 bytes

!

! Last configuration change at 04:14:23 UTC Wed Jan 8 2020

!

version 16.9

service timestamps debug datetime msec

service timestamps log datetime msec

platform qfp utilization monitor load 80

no platform punt-keepalive disable-kernel-core

!

hostname R2

!

boot-start-marker

boot-end-marker

!

no aaa new-model

!

no ip domain lookup

!

login on-success log

!

subscriber templating

!

ipv6 unicast-routing

multilink bundle-name authenticated

!

spanning-tree extend system-id

!

redundancy

mode none

!

interface Loopback0

ip address 192.168.2.1 255.255.255.0

ipv6 address FE80::2:2 link-local

ipv6 address 2001:DB8:ACAD:2000::1/64

!

interface GigabitEthernet0/0/0

ip address 10.1.2.2 255.255.255.0

negotiation auto

ipv6 address FE80::2:1 link-local

ipv6 address 2001:DB8:ACAD:1012::2/64

!

interface GigabitEthernet0/0/1

no ip address

negotiation auto

!

ip forward-protocol nd

no ip http server

ip http secure-server

ip tftp source-interface GigabitEthernet0

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 10.1.2.1

!

ipv6 route ::/0 GigabitEthernet0/0/0 2001:DB8:ACAD:1012::1

!

control-plane

!

banner motd ^C R2, Implement VRF-Lite ^C

!

line con 0

exec-timeout 0 0

logging synchronous

transport input none

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 0 0

privilege level 15

password cisco123

logging synchronous

login

!

end

Router R3

R3# show run

Building configuration…

Current configuration : 1821 bytes

!

version 16.9

service timestamps debug datetime msec

service timestamps log datetime msec

platform qfp utilization monitor load 80

no platform punt-keepalive disable-kernel-core

!

hostname R3

!

boot-start-marker

boot-end-marker

!

no aaa new-model

!

no ip domain lookup

!

login on-success log

!

subscriber templating

!

ipv6 unicast-routing

multilink bundle-name authenticated

!

spanning-tree extend system-id

!

redundancy

mode none

!

interface Loopback0

ip address 192.168.3.1 255.255.255.0

ipv6 address FE80::3:2 link-local

ipv6 address 2001:DB8:ACAD:3000::1/64

!

interface GigabitEthernet0/0/0

no ip address

negotiation auto

!

interface GigabitEthernet0/0/1

no ip address

negotiation auto

!

interface Serial0/1/0

ip address 10.1.3.2 255.255.255.0

ipv6 address FE80::3:1 link-local

ipv6 address 2001:DB8:ACAD:1013::2/64

!

interface Serial0/1/1

no ip address

!

ip forward-protocol nd

no ip http server

ip http secure-server

ip tftp source-interface GigabitEthernet0

ip route 0.0.0.0 0.0.0.0 Serial0/1/0 10.1.3.1

!

ipv6 route ::/0 Serial0/1/0 2001:DB8:ACAD:1013::1

!

control-plane

!

banner motd ^C R3, Implement VRF-Lite ^C

!

line con 0

exec-timeout 0 0

logging synchronous

transport input none

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 0 0

privilege level 15

password cisco123

logging synchronous

login

!

end

Switch D1

D1# show run

Building configuration…

Current configuration : 9267 bytes

!

version 16.9

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

! Call-home is enabled by Smart-Licensing.

service call-home

no platform punt-keepalive disable-kernel-core

!

hostname D1

!

vrf definition Mgmt-vrf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

no aaa new-model

switch 1 provision ws-c3650-24ts

!

ip routing

!

no ip domain lookup

!

login on-success log

ipv6 unicast-routing

!

license boot level ipservicesk9

!

diagnostic bootup level minimal

!

spanning-tree mode rapid-pvst

spanning-tree extend system-id

!

redundancy

mode sso

!

transceiver type all

monitoring

!

class-map match-any system-cpp-police-topology-control

description Topology control

class-map match-any system-cpp-police-sw-forward

description Sw forwarding, L2 LVX data, LOGGING

class-map match-any system-cpp-default

description Inter FED, EWLC control, EWLC data

class-map match-any system-cpp-police-sys-data

description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed

class-map match-any system-cpp-police-punt-webauth

description Punt Webauth

class-map match-any system-cpp-police-l2lvx-control

description L2 LVX control packets

class-map match-any system-cpp-police-forus

description Forus Address resolution and Forus traffic

class-map match-any system-cpp-police-multicast-end-station

description MCAST END STATION

class-map match-any system-cpp-police-multicast

description Transit Traffic and MCAST Data

class-map match-any system-cpp-police-l2-control

description L2 control

class-map match-any system-cpp-police-dot1x-auth

description DOT1X Auth

class-map match-any system-cpp-police-data

description ICMP redirect, ICMP_GEN and BROADCAST

class-map match-any system-cpp-police-stackwisevirt-control

description Stackwise Virtual

class-map match-any non-client-nrt-class

class-map match-any system-cpp-police-routing-control

description Routing control and Low Latency

class-map match-any system-cpp-police-protocol-snooping

description Protocol snooping

class-map match-any system-cpp-police-dhcp-snooping

description DHCP snooping

class-map match-any system-cpp-police-system-critical

description System Critical and Gold Pkt

!

policy-map system-cpp-policy

!

interface GigabitEthernet0/0

vrf forwarding Mgmt-vrf

no ip address

shutdown

negotiation auto

!

interface GigabitEthernet1/0/1

shutdown

!

interface GigabitEthernet1/0/2

shutdown

!

interface GigabitEthernet1/0/3

shutdown

!

interface GigabitEthernet1/0/4

shutdown

!

interface GigabitEthernet1/0/5

no switchport

ip address 10.1.2.2 255.255.255.0

ipv6 address FE80::D1:1 link-local

ipv6 address 2001:DB8:ACAD:1012::2/64

!

interface GigabitEthernet1/0/6

shutdown

!

interface GigabitEthernet1/0/7

shutdown

!

interface GigabitEthernet1/0/8

shutdown

!

interface GigabitEthernet1/0/9

shutdown

!

interface GigabitEthernet1/0/10

shutdown

!

interface GigabitEthernet1/0/11

shutdown

!

interface GigabitEthernet1/0/12

shutdown

!

interface GigabitEthernet1/0/13

shutdown

!

interface GigabitEthernet1/0/14

shutdown

!

interface GigabitEthernet1/0/15

shutdown

!

interface GigabitEthernet1/0/16

shutdown

!

interface GigabitEthernet1/0/17

shutdown

!

interface GigabitEthernet1/0/18

shutdown

!

interface GigabitEthernet1/0/19

shutdown

!

interface GigabitEthernet1/0/20

shutdown

!

interface GigabitEthernet1/0/21

shutdown

!

interface GigabitEthernet1/0/22

shutdown

!

interface GigabitEthernet1/0/23

switchport access vlan 11

switchport mode access

!

interface GigabitEthernet1/0/24

shutdown

!

interface GigabitEthernet1/1/1

shutdown

!

interface GigabitEthernet1/1/2

shutdown

!

interface GigabitEthernet1/1/3

shutdown

!

interface GigabitEthernet1/1/4

shutdown

!

interface Vlan1

no ip address

shutdown

!

interface Vlan11

ip address 192.168.2.1 255.255.255.0

ipv6 address FE80::D1:2 link-local

ipv6 address 2001:DB8:ACAD:2000::1/64

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0/5 10.1.2.1

!

ipv6 route ::/0 GigabitEthernet1/0/5 2001:DB8:ACAD:1012::1

!

control-plane

service-policy input system-cpp-policy

!

banner motd ^C D1, Implement VRF-Lite ^C

!

line con 0

exec-timeout 0 0

logging synchronous

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 0 0

privilege level 15

password cisco123

logging synchronous

login

line vty 5 15

login

!

end

Switch D2

D2# show run

Building configuration…

Current configuration : 9267 bytes

!

version 16.9

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

! Call-home is enabled by Smart-Licensing.

service call-home

no platform punt-keepalive disable-kernel-core

!

hostname D2

!

vrf definition Mgmt-vrf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

no aaa new-model

switch 1 provision ws-c3650-24ts

!

ip routing

!

no ip domain lookup

!

login on-success log

ipv6 unicast-routing

!

license boot level ipservicesk9

!

!

diagnostic bootup level minimal

!

spanning-tree mode rapid-pvst

spanning-tree extend system-id

!

redundancy

mode sso

!

transceiver type all

monitoring

!

class-map match-any system-cpp-police-topology-control

description Topology control

class-map match-any system-cpp-police-sw-forward

description Sw forwarding, L2 LVX data, LOGGING

class-map match-any system-cpp-default

description Inter FED, EWLC control, EWLC data

class-map match-any system-cpp-police-sys-data

description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed

class-map match-any system-cpp-police-punt-webauth

description Punt Webauth

class-map match-any system-cpp-police-l2lvx-control

description L2 LVX control packets

class-map match-any system-cpp-police-forus

description Forus Address resolution and Forus traffic

class-map match-any system-cpp-police-multicast-end-station

description MCAST END STATION

class-map match-any system-cpp-police-multicast

description Transit Traffic and MCAST Data

class-map match-any system-cpp-police-l2-control

description L2 control

class-map match-any system-cpp-police-dot1x-auth

description DOT1X Auth

class-map match-any system-cpp-police-data

description ICMP redirect, ICMP_GEN and BROADCAST

class-map match-any system-cpp-police-stackwisevirt-control

description Stackwise Virtual

class-map match-any non-client-nrt-class

class-map match-any system-cpp-police-routing-control

description Routing control and Low Latency

class-map match-any system-cpp-police-protocol-snooping

description Protocol snooping

class-map match-any system-cpp-police-dhcp-snooping

description DHCP snooping

class-map match-any system-cpp-police-system-critical

description System Critical and Gold Pkt

!

policy-map system-cpp-policy

!

interface GigabitEthernet0/0

vrf forwarding Mgmt-vrf

no ip address

shutdown

negotiation auto

!

interface GigabitEthernet1/0/1

shutdown

!

interface GigabitEthernet1/0/2

shutdown

!

interface GigabitEthernet1/0/3

shutdown

!

interface GigabitEthernet1/0/4

shutdown

!

interface GigabitEthernet1/0/5

no switchport

ip address 10.1.3.2 255.255.255.0

ipv6 address FE80::D2:1 link-local

ipv6 address 2001:DB8:ACAD:1013::2/64

!

interface GigabitEthernet1/0/6

shutdown

!

interface GigabitEthernet1/0/7

shutdown

!

interface GigabitEthernet1/0/8

shutdown

!

interface GigabitEthernet1/0/9

shutdown

!

interface GigabitEthernet1/0/10

shutdown

!

interface GigabitEthernet1/0/11

shutdown

!

interface GigabitEthernet1/0/12

shutdown

!

interface GigabitEthernet1/0/13

shutdown

!

interface GigabitEthernet1/0/14

shutdown

!

interface GigabitEthernet1/0/15

shutdown

!

interface GigabitEthernet1/0/16

shutdown

!

interface GigabitEthernet1/0/17

shutdown

!

interface GigabitEthernet1/0/18

shutdown

!

interface GigabitEthernet1/0/19

shutdown

!

interface GigabitEthernet1/0/20

shutdown

!

interface GigabitEthernet1/0/21

shutdown

!

interface GigabitEthernet1/0/22

shutdown

!

interface GigabitEthernet1/0/23

switchport access vlan 11

switchport mode access

!

interface GigabitEthernet1/0/24

shutdown

!

interface GigabitEthernet1/1/1

shutdown

!

interface GigabitEthernet1/1/2

shutdown

!

interface GigabitEthernet1/1/3

shutdown

!

interface GigabitEthernet1/1/4

shutdown

!

interface Vlan1

no ip address

shutdown

!

interface Vlan11

ip address 192.168.3.1 255.255.255.0

ipv6 address FE80::D2:2 link-local

ipv6 address 2001:DB8:ACAD:3000::1/64

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0/5 10.1.3.1

!

ipv6 route ::/0 GigabitEthernet1/0/5 2001:DB8:ACAD:1013::1

!

control-plane

service-policy input system-cpp-policy

!

banner motd ^C D2, Implement VRF-Lite ^C

!

line con 0

exec-timeout 0 0

logging synchronous

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 0 0

privilege level 15

password cisco123

logging synchronous

login

line vty 5 15

login

!

end

Switch A1

A1# show run

Building configuration…

Current configuration : 1883 bytes

!

version 15.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname A1

!

boot-start-marker

boot-end-marker

!

no aaa new-model

system mtu routing 1500

!

no ip domain-lookup

!

spanning-tree mode rapid-pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface FastEthernet0/1

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/2

shutdown

!

interface FastEthernet0/3

switchport access vlan 8

switchport mode access

!

interface FastEthernet0/4

shutdown

!

interface FastEthernet0/5

shutdown

!

interface FastEthernet0/6

shutdown

!

interface FastEthernet0/7

shutdown

!

interface FastEthernet0/8

shutdown

!

interface FastEthernet0/9

shutdown

!

interface FastEthernet0/10

shutdown

!

interface FastEthernet0/11

switchport mode trunk

switchport nonegotiate

!

interface FastEthernet0/12

shutdown

!

interface FastEthernet0/13

shutdown

!

interface FastEthernet0/14

shutdown

!

interface FastEthernet0/15

shutdown

!

interface FastEthernet0/16

shutdown

!

interface FastEthernet0/17

shutdown

!

interface FastEthernet0/18

shutdown

!

interface FastEthernet0/19

shutdown

!

interface FastEthernet0/20

shutdown

!

interface FastEthernet0/21

shutdown

!

interface FastEthernet0/22

shutdown

!

interface FastEthernet0/23

shutdown

!

interface FastEthernet0/24

shutdown

!

interface GigabitEthernet0/1

shutdown

!

interface GigabitEthernet0/2

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip http server

ip http secure-server

!

banner motd ^C A1, Implement VRF-Lite ^C

!

line con 0

exec-timeout 0 0

logging synchronous

line vty 0 4

exec-timeout 0 0

privilege level 15

password cisco123

logging synchronous

login

line vty 5 15

login

!

end

Leave a comment