Virtual routing and forwarding
|This article does not cite any references or sources. (January 2014)|
||It has been suggested that VPN routing and forwarding be merged into this article. (Discuss) Proposed since July 2014.|
In IP-based computer networks, virtual routing and forwarding (VRF) is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. This increases functionality by allowing network paths to be segmented without using multiple devices. Because traffic is automatically segregated, VRF also increases network security and can eliminate the need for encryption and authentication. Internet service providers (ISPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers; thus the technology is also referred to as VPN routing and forwarding. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.
VRF may be in a network device by distinct routing tables known as forwarding information bases (FIBs), one per routing instance. Alternatively, a network device may have the ability to configure different virtual routers, where each one has its own FIB that is not accessible to any other virtual router instance on the same device.
The simplest form of VRF implementation is VRF Lite. In this implementation, each router within the network participates in the virtual routing environment in a peer-based fashion. While simple to deploy and appropriate for small to medium enterprises and shared data centres, VRF Lite does not scale to the size required by global enterprises or large carriers, as there is the need to implement each VRF instance on every router, including intermediate routers. VRFs were initially introduced in combination with MPLS, but on local installation it proved too much use for VRF without MPLS. This is the historical explanation of the term VRF Lite: usage of VRFs without MPLS.
The scaling limitations of VRF Lite are resolved by the implementation of IPVPNs[clarification needed]. In this implementation, a core backbone network is responsible for the transmission of data across the wide area between VRF instances at each edge location. IPVPNs have been traditionally deployed by carriers to provide a shared wide-area backbone network for multiple customers. They are also appropriate in large enterprise, multi-tenant and shared data centre environments.
In a typical deployment, Customer Edge (CE) routers handle local routing in a traditional fashion and disseminate[clarification needed] routing information into Provider Edge (PE) where the routing tables are virtualized. The PE router then encapsulates the traffic, marks it to identify the VRF instance, and transmits it across the provider backbone network to the destination PE router. The destination PE router then decapsulates the traffic and forwards it to the CE router at the destination. The backbone network is completely transparent to the customer equipment, allowing multiple customers or user communities to utilize the common backbone network while maintaining end-to-end traffic separation.
Routes across the provider backbone network are maintained using an Interior Gateway Protocol - typically IBGP. IBGP uses extended community attributes in a common routing table to differentiate the customers' routes with overlapping IP addresses.
IPVPN is most commonly deployed across a Multi-protocol Label Switching (MPLS) backbone as the inherent labeling of packets in MPLS lends itself to the identification of the customer VRF. Some IPVPN implementations (notably Nortel's IP-VPN Lite) utilize a simpler IP-in-IP encapsulation over a pure IP backbone, eliminating the need to maintain and support an MPLS environment.