Kentik’s Aaron Kagawa and Crystal Li explain VRF (virtual routing and forwarding) and Kentik’s unique solution for understanding where VRF traffic exits your network.
Virtual routing and forwarding (VRF) has been around for years as a technology. However, for those in charge of monitoring a network, there has never been a solution capable of providing full visibility into the end-to-end VRF traffic that flows in and out of a network.
Kentik is changing that. We now offer an industry-first VRF visibility solution to show where VRF traffic will exit your network. This functionality goes beyond the local device VRF configurations and utilizes route tables, BGP peering, and other sources to bring end-to-end visibility of VRFs that no other network monitoring tool can provide.
A Refresh: What is VRF?
Virtual routing and forwarding (VRF) is a technology that allows multiple instances of a routing table to coexist within the same router at the same time. You can think of VRFs as “logical routers” residing in one physical router, serving to automatically segregate the traffic.
VRF is one of the earliest network virtualization techniques. It creates multiple virtual networks within a single network entity (as illustrated above): in a single network component, multiple VRF instances provide isolation between virtual networks. That's why VRF is widely used in the infrastructure of ISPs, enterprises, research & education, and many other verticals, as the technique supports the data center, peering, interconnection, and traffic engineering.
The VRF Traffic Visibility Challenge
Network engineers across industries often struggle with visibility into VRF. As just one example: Consider the case of ISPs. ISPs use the same physical router-to-router traffic for various customers, and they configure VRF to separate their various customers’ traffic in order to achieve multi-tenancy.
As a network engineer, there are many challenges to solve in order to make sure all end customers transmit business data through the pipe without any possible traffic leaking.
Without VRF visibility, network engineers struggle to answer questions such as:
- What does my inbound or outbound traffic at the provider edge (PE) segmented by VRFs look like?
- How can I ensure no traffic is leaking by verifying that network partitions using VRF/VRF-lite function correctly?
- Can I visualize all traffic associated with a specific route distinguisher?
- Do the names of the VRFs that I created for a specific route distinguisher make sense?
- Can an alert be raised for a sudden change (e.g., an increase or decrease) in bandwidth for my customers at the PE distinguished by VRFs?
VRF Visibility from Kentik
Kentik is set to solve end-to-end VRF visibility challenges with comprehensive coverage:
1. VRF Awareness: The first phase of our VRF implementation includes support for providing local device VRF visibility by enhancing flow records with VRF information. We are doing this by polling for the VRF information from the standard L3VPN MIBs. As shown in the screenshot below, there are eight new dimensions associated with VRF support, including source and destination VRF Name, VRF Route Distinguisher, VRF Route Target, and VRF Extended Route Distinguisher.
2. VRF Manual API & Alerting Capability: To give users programmatic control of VRF attributes associated with each interface, we added support for VRF attributes in the interface methods of our device API, which can be experimented with in the Kentik API tester. Moreover, all these VRF dimensions are also supported in alert policies.
3. Associate VRF with BGP Attributes: Recently, we also added functionality to correlate VRF information with BGP, which is a true differentiator. This means we can now calculate various BGP and Ultimate Exit attributes correctly in VRF L3VPN configurations.
A quick recap of Kentik's patented Ultimate Exit (UE) feature: Ultimate Exit enables end-to-end visibility of the traffic, providing an easy way to visualize what volumes of traffic are flowing in and out of your network, from any source to any destination network. You can then use that information to cut costs (e.g., peering) and to more accurately estimate the cost of carrying any set of traffic for any given customer.
Now, you can do even more with VRF visibility, such as (1) obtain the VRF routing table via BGP peering, (2) enhance flow records with the correct BGP UE and AS path from VRF routing tables, and (3) associate VRF information with the right routing tables to correctly associate UE.
With this capability, Kentik customers can now see, on a per-VRF basis, where the traffic is entering the network, how far they are carrying it, where it is leaving, through what type of interface (e.g., transit/peer/customer), and what the volume is. This enables them to figure out the cost of providing a customer's service within a VRF.
With VRF visibility supported by Kentik:
- An infrastructure/network planner can see inbound or outbound traffic at the provider edge (PE) segmented by VRFs.
- A network operator can see all traffic associated with a specific route distinguisher (RD) or verify the names of the VRFs that are associated with a specific RD.
- A network operator can get alerts for changes (e.g., increase/decrease) in traffic volume per customer using VRF IDs to distinguish customers at the PE.
- An enterprise network can verify that VRF-lite network partitions are functioning correctly (e.g., to ensure there is no traffic leaking).
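The leak and RD-name checks above can be sketched over VRF-enriched flow records. This is an added example, not Kentik code or its API: the field names, the POLICY table and the sample flows are constructed, and it assumes one RD per VRF and the standard L3VPN rule that a VRF can only forward toward routes whose export route targets it imports.

```python
from collections import defaultdict

# Constructed intended design: import/export route targets per VRF, keyed by RD.
POLICY = {
    "65000:100": {"import": {"65000:100", "65000:900"}, "export": {"65000:100"}},
    "65000:200": {"import": {"65000:200", "65000:900"}, "export": {"65000:200"}},
    "65000:900": {"import": {"65000:100", "65000:200"}, "export": {"65000:900"}},
}

# Constructed flow records; the field names are assumptions for this example.
FLOWS = [
    {"src_rd": "65000:100", "src_vrf": "CUST-A", "dst_rd": "65000:100", "dst_vrf": "CUST-A", "bytes": 1200},
    {"src_rd": "65000:100", "src_vrf": "CUST-A", "dst_rd": "65000:900", "dst_vrf": "SHARED-SVC", "bytes": 800},
    {"src_rd": "65000:100", "src_vrf": "CUST-A", "dst_rd": "65000:200", "dst_vrf": "CUST-B", "bytes": 64000},
    {"src_rd": "65000:200", "src_vrf": "CUST-B-OLD", "dst_rd": "65000:200", "dst_vrf": "CUST-B", "bytes": 300},
    {"src_rd": "65000:300", "src_vrf": "LAB", "dst_rd": "65000:100", "dst_vrf": "CUST-A", "bytes": 90},
]

def allowed(src_rd, dst_rd, policy):
    """True if the source VRF is expected to hold a route into the destination VRF."""
    if src_rd not in policy or dst_rd not in policy:
        return False  # an RD missing from the design is never expected
    if src_rd == dst_rd:
        return True   # traffic staying inside one VRF
    return bool(policy[dst_rd]["export"] & policy[src_rd]["import"])

def find_leaks(flows, policy):
    """Sum bytes per (src RD, dst RD) pair that the intended design does not permit."""
    leaks = defaultdict(int)
    for f in flows:
        if not allowed(f["src_rd"], f["dst_rd"], policy):
            leaks[(f["src_rd"], f["dst_rd"])] += f["bytes"]
    return dict(leaks)

def rd_name_conflicts(flows):
    """Return RDs that appear under more than one VRF name."""
    names = defaultdict(set)
    for f in flows:
        names[f["src_rd"]].add(f["src_vrf"])
        names[f["dst_rd"]].add(f["dst_vrf"])
    return {rd: sorted(n) for rd, n in names.items() if len(n) > 1}

if __name__ == "__main__":
    print("unexpected cross-VRF traffic:", find_leaks(FLOWS, POLICY))
    print("RDs with inconsistent names:", rd_name_conflicts(FLOWS))
```

The check covers the forwarding direction of each flow only; return traffic appears as its own flow record and is evaluated separately.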
As a result, in today's complex network deployments, end-to-end VRF traffic visibility from Kentik allows network operations teams to understand and manage traffic in networks of all types, from source to destination, so as to gain more accurate cost calculations for any given customer.