Skip to main content

Are you VRF aware?

Virtual Routing and Forwarding


VRFs Virtual Routing and Forwarding Instances have been about for a long time in the world of service providers, we are now seeing VRFs capabilities as part of the world outside service providers.

VRFs have their own routing instance in a router (own routing table) and the instance is assigned generally assigned to an interface, the interface then only applys to that particular VRF. So for example you could have a Management VRF and this is connected to a separate management network.

Management Processes need to know


If you assign an interface in a VRF for management then the management processes:

  • TACACS

  • SNMP

  • SSH

  • TELNET

  • NTP

  • NETFLOW

  • etc.....


need to know "be VRF aware", because typically they will be running against the Global (Default) routing table.

Examples


TACACS


aaa group server tacacs+ Management
server-private 10.100.100.1 timeout 15 key mysecretket
ip vrf forwarding Management-VRF
ip tacacs source-interface Loopback10

NETFLOW


flow exporter MYFLOW destination 10.100.100.1 vrf Management-VRF

Logging


logging host 10.100.100.1 vrf Management-VRF

SNMP


snmp-server host 10.100.100.1 vrf Management-VRF

VTY


access-class 10 in vrf-also


These example are based on ASR 1000s IOS 15.1

Don't be complacent


So now you are thinking easy, well not all version of code support VRF across all function e.g. ASR 9000 v 4.0.1 ISO XR current version does not support TACACS+ on a vrf. So don't take it for granted. Check you IOS.

 

Summary


I have ran into some issues recently be defining management loopbacks in their own VRF, only to find out that not everything is VRF "aware" by default, and in some cases cannot be VRF aware-ified. So I though I would put up some pointer so you can be VRF aware.

 

 

Comments

Popular posts from this blog

ASR1006 Dual Route Processors Password Recovery - Tip

I recently ran into an issue when trying to perform dual route processors password recovery on a Cisco  ASR1006
Problem
After breaking into rommon mode and using confreg to ignore the startup configuration, during the rest the ASR1006 loaded the startup configuration!!!!!!!!
Solution
So quick and simple, I pulled one of the RP and preformed password recovery running on a single RP. All went according to the Cisco documentation

http://www.cisco.com/en/US/docs/routers/asr1000/install/guide/routers/asr1_hwc.html#wp1045971



After the system running on a single RP was recovered and fully booted I waiting for 5 minutes just to be sure; then I inserted the second RP and allowed everything to sync up.



All was well again :) phew



Note: The system was previously fully functioning with dual RPs; a configuration error was made during Tacacs+ configuration which resulted in lockout.


Summary
I hit an issue recovering and ASR with dual RPs, so rather that spending hour researching, I decided very quickly to go …

NetGuruSubnetCalc

This is a straightforward no nonsense Subnet Calculator. It does however allow you to pull up the subnet information you have been working on in the iPhone Todays Widget View. This means that the subnet information is just a slide away.




Developed my me. Now Available

http://itunes.apple.com/gb/app/id941632787

From IOS to Junos – JNCIA Result - PASS

I done the exam, and I am please to say I passed. So the lab-ing and the two PDFs

JNCIA-Junos_SG_part_1_09-16-2010.pdf
JNCIA-Junos_SG_part_2_09-16-2010.pdf

And a bit of surfing the web were enough. That is not to say everything in the exam was familiar, I did have to think seriously about some questions which puzzled me.
So the next step will be to go for specialist, but because of workload, it's going to take a little longer that 15 Days.