Skip to main content

Are you VRF aware?

Virtual Routing and Forwarding


VRFs Virtual Routing and Forwarding Instances have been about for a long time in the world of service providers, we are now seeing VRFs capabilities as part of the world outside service providers.

VRFs have their own routing instance in a router (own routing table) and the instance is assigned generally assigned to an interface, the interface then only applys to that particular VRF. So for example you could have a Management VRF and this is connected to a separate management network.

Management Processes need to know


If you assign an interface in a VRF for management then the management processes:

  • TACACS

  • SNMP

  • SSH

  • TELNET

  • NTP

  • NETFLOW

  • etc.....


need to know "be VRF aware", because typically they will be running against the Global (Default) routing table.

Examples


TACACS


aaa group server tacacs+ Management
server-private 10.100.100.1 timeout 15 key mysecretket
ip vrf forwarding Management-VRF
ip tacacs source-interface Loopback10

NETFLOW


flow exporter MYFLOW destination 10.100.100.1 vrf Management-VRF

Logging


logging host 10.100.100.1 vrf Management-VRF

SNMP


snmp-server host 10.100.100.1 vrf Management-VRF

VTY


access-class 10 in vrf-also


These example are based on ASR 1000s IOS 15.1

Don't be complacent


So now you are thinking easy, well not all version of code support VRF across all function e.g. ASR 9000 v 4.0.1 ISO XR current version does not support TACACS+ on a vrf. So don't take it for granted. Check you IOS.

 

Summary


I have ran into some issues recently be defining management loopbacks in their own VRF, only to find out that not everything is VRF "aware" by default, and in some cases cannot be VRF aware-ified. So I though I would put up some pointer so you can be VRF aware.

 

 
Labels:

Comments

Post a Comment

Popular posts from this blog

VMWARE ESXi 5.0 Command line quickies

Hi, It has been a long time since my last posts, but recently I have been working on my home ESXi lab so I thought I would share. I switched over to using Apple Mac just over a year ago, so I don't have a windows machine running by default to run the vSphere client software and generally all I want to do is startup VMs and switch off the ESXi server when I am done. I did some searching and found that I could use vmware vim-cmd if I SSHed into the ESXi server. This need to be enabled at the console, then you can use putty or your tool of choice to connect. Anyway there are several commands the following to me are most useful. List all Virtual Machines vim-cmd vmsvc/getallvms Get a Virtual Machines state (on/off etc) vim-cmd  vmsvc/power.getstate Power on a virtual machine vim-cmd vmsvc/power.on Combining command to a one liner you can find out the power on state of all Virtual Machines vim-cmd vmsvc/getallvms && for x in `vim-cmd vmsvc/getallvms|
Post a Comment
Read more

ASR1006 Dual Route Processors Password Recovery - Tip

I recently ran into an issue when trying to perform dual route processors password recovery on a Cisco  ASR1006 Problem After breaking into rommon mode and using confreg to ignore the startup configuration, during the rest the ASR1006 loaded the startup configuration!!!!!!!! Solution So quick and simple, I pulled one of the RP and preformed password recovery running on a single RP. All went according to the Cisco documentation http://www.cisco.com/en/US/docs/routers/asr1000/install/guide/routers/asr1_hwc.html#wp1045971   After the system running on a single RP was recovered and fully booted I waiting for 5 minutes just to be sure; then I inserted the second RP and allowed everything to sync up.   All was well again :) phew   Note: The system was previously fully functioning with dual RPs; a configuration error was made during Tacacs+ configuration which resulted in lockout.   Summary I hit an issue recovering and ASR with dual RPs, so rather that spending hour researching, I decided ve
Post a Comment
Read more

Break the Network Emulators out of the Cloud

Cisco IOU and JunoSphere Recently both Cisco and Juniper have announced the availability of online resources to provide hands on training over the internet. They have built software emulators in the cloud that can be accessed remotely for a cost. These solutions are based purely around the certification programs and therefore are pretty rigid in the topology that are provided, not to mention the re-occurring cost. http://www.juniper.net/us/en/company/press-center/press-releases/2011/pr_2011_05_16-03_01.html https://learningnetworkstore.cisco.com/market/prod/listSubCatLearnLab.se.work?TRGT=85&/nxt/rcrs/=2559 Rack Rentals There are training providers such as Internetwork Expert (http://www.ine.com/) and IPexpert (http://www.ipexpert.com/) who provide rack rentals based on their training materials. These guy cannot possibly compete going forward. To keep these sustainable they will need to reduce the overhead of building physical racks, providing power and space for the racks. Using e
8 comments
Read more