VRF Aware System Message Logging

The VRF Aware System Message Logging (Syslog) feature allows a device to send system logging (syslog) messages to a syslog server host connected through a Virtual Private Network (VPN) routing and forwarding (VRF) interface.

You can use logging information for network monitoring and troubleshooting. This feature extends this capability to network traffic connected through VRFs.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for VRF Aware System Message Logging

You must configure a Virtual Private Network (VPN) routing and forwarding (VRF) instance on a routing device and associate the VRF with an interface before you can configure the VRF Aware System Message Logging feature.

Restrictions for VRF Aware System Message Logging

You cannot specify a source address for virtual routing and forwarding (VRF) system logging messages. The VRF Aware System Message Logging feature uses the VRF interface address as the source address for all VRF-aware system logging messages.

Information About VRF Aware System Message Logging

VRF Aware System Message Logging Benefit

A Virtual Private Network (VPN) routing and forwarding (VRF) instance is an extension of IP routing that provides multiple routing instances. A VRF provides a separate IP routing and forwarding table to each VPN. You must configure a VRF on a routing device before you configure the VRF Aware System Message Logging feature.

After you configure the VRF Aware System Message Logging feature on a routing device, the device can send syslog messages to a syslog host through a VRF interface. Then you can use logging messages to monitor and troubleshoot network traffic connected through a VRF. Without the VRF Aware System Message Logging feature on a routing device, you do not have this benefit; the routing device can send syslog messages to the syslog host only through the global routing table.

You can receive system logging messages through a VRF interface on any device where you can configure a VRF, that is:

  • On a provider edge (PE) device that is used with Multiprotocol Label Switching (MPLS) and multiprotocol Border Gateway Protocol (BGP) to provide a Layer 3 MPLS VPN network service.

  • On a customer edge (CE) device that is configured for VRF-Lite, which is a VRF implementation without multiprotocol BGP.

VRF Aware System Message Logging on a Provider Edge Device in an MPLS VPN Network

You can configure the VRF Aware System Message Logging feature on a provider edge (PE) device in a Layer 3 Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) network. The PE device can then send syslog messages through a virtual routing and forwarding (VRF) interface to a syslog server located in the VPN.

The figure below shows an MPLS VPN network and the VRF Aware System Message Logging feature configured on a PE device associated with VRF VPN1. The PE device sends log messages through a VRF interface to a syslog server located in VPN1. You can display the messages from the syslog server on a terminal.

Figure 1. MPLS VPN and VRF Aware System Message Logging Configured on a Customer Edge Device

VRF Aware System Message Logging on a Customer Edge Device with VRF-Lite Configured

You can configure the VRF Aware System Message Logging feature on a customer edge (CE) device where you have configured the VRF-Lite feature. The CE device can then send syslog messages through a virtual routing and forwarding (VRF) interface to syslog servers in multiple Virtual Private Networks (VPNs). The CE device can be either a router or a switch.

The figure below shows the VRF Aware System Message Logging feature configured on a VRF-Lite CE device. The CE device can send VRF syslog messages to syslog servers in VPN1 or VPN2 or to servers in both VPN1 and VPN2. You can configure multiple VRFs on a VRF-Lite CE device, and the device can serve many customers.

Figure 2. VRF Aware System Message Logging Configured on a VRF-Lite Customer Edge Device

Message Levels for Logging Commands

The table below lists message levels for logging commands that you can use when you configure the VRF Aware System Message Logging feature. Information provided by the table below includes keyword level names and numbers, their description, and the associated syslog definitions. You can use either the level keyword name or number with the logging trap level and logging buffered severity-level commands.

Table 1 Message Levels for logging Commands

Level Name      Level Number   Description                        Syslog Definition
emergencies     0              System unusable                    LOG_EMERG
alerts          1              Immediate action needed            LOG_ALERT
critical        2              Critical conditions                LOG_CRIT
errors          3              Error conditions                   LOG_ERR
warnings        4              Warning conditions                 LOG_WARNING
notifications   5              Normal but significant condition   LOG_NOTICE
informational   6              Informational messages only        LOG_INFO
debugging       7              Debugging messages                 LOG_DEBUG
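
On the syslog server, the level and facility from the logging commands arrive encoded in the PRI value at the start of each message (PRI = facility code x 8 + level number, with local0 to local7 using facility codes 16 to 23). The following Python check is an added example, not part of the Cisco documentation: it decodes PRI and compares each received line with the facility and trap level configured on the sender. The function names are hypothetical and the sample messages are constructed in the usual IOS %FACILITY-SEVERITY-MNEMONIC style.

```python
import re

# Table 1 keywords in level-number order (list index == level number).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Syslog facility codes for the local0..local7 keywords (RFC 5424: 16..23).
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}

_PRI = re.compile(r"^<(\d{1,3})>")
_MNEMONIC = re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+:")

# Constructed sample messages; the third deliberately carries a PRI severity
# that disagrees with the severity digit in its message body.
SAMPLES = [
    "<179>45: *Mar  1 00:01:02.003: %LINK-3-UPDOWN: Interface FastEthernet0/0/0, changed state to up",
    "<189>46: *Mar  1 00:01:05.120: %SYS-5-CONFIG_I: Configured from console by console",
    "<183>47: *Mar  1 00:01:09.874: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0/0, changed state to up",
]


def level_number(level):
    """Accept a level keyword or number, as the logging commands do."""
    text = str(level).strip().lower()
    if text.isdigit() and int(text) < len(LEVELS):
        return int(text)
    return LEVELS.index(text)  # raises ValueError for an unknown keyword


def is_forwarded(trap_level, severity):
    """True when a message of this severity passes 'logging trap <level>'."""
    return level_number(severity) <= level_number(trap_level)


def check_message(raw, facility, trap_level):
    """Compare one received line with the sender's facility and trap level."""
    match = _PRI.match(raw)
    if not match or int(match.group(1)) > 191:
        return {"facility": None, "severity": None, "problems": ["no valid PRI"]}
    code, severity = divmod(int(match.group(1)), 8)  # PRI = facility * 8 + severity
    name = FACILITY_NAMES.get(code, f"code-{code}")
    problems = []
    if name != facility:
        problems.append(f"facility {name}, expected {facility}")
    if not is_forwarded(trap_level, severity):
        problems.append(f"severity {severity} is above trap level {trap_level}")
    body = _MNEMONIC.search(raw)
    if body and int(body.group(1)) != severity:
        problems.append("PRI severity differs from %FACILITY-SEVERITY-MNEMONIC")
    return {"facility": name, "severity": LEVELS[severity], "problems": problems}


if __name__ == "__main__":
    # Sender configured with "logging facility local6" and "logging trap warnings".
    for line in SAMPLES:
        print(check_message(line, "local6", "warnings"))
```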

How to Configure and Verify VRF Aware System Message Logging

Configuring a VRF on a Routing Device

Configuring a virtual routing and forwarding (VRF) instance on a routing device helps provide customer connectivity to a Virtual Private Network (VPN). The routing device can be a provider edge (PE) device connected to a Multiprotocol Label Switching (MPLS) VPN network or a customer edge (CE) device that is configured for VRF-Lite.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip vrf vrf-name

    4.    rd route-distinguisher

    5.    route-target {import | export | both} route-target-ext-community

    6.    end


DETAILED STEPS
     Command or Action / Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 ip vrf vrf-name


    Example:
    Device(config)# ip vrf vpn1
     

    Defines a VRF instance and enters VRF configuration mode.

    • The vrf-name argument is a name assigned to the VRF.

     
    Step 4 rd route-distinguisher


    Example:
    Device(config-vrf)# rd 100:1
     

    Creates routing and forwarding tables for a VRF.

    • The route-distinguisher argument adds an 8-byte value to an IPv4 prefix to create a VPN IPv4 prefix.

    • The route distinguisher (RD) is either an autonomous system number (ASN)-relative RD, in which case it is composed of an autonomous system number and an arbitrary number, or it is an IP-address-relative RD, in which case it is composed of an IP address and an arbitrary number.

    • You can enter an RD in either of these formats:
      • 16-bit autonomous system number: your 32-bit number. For example, 101:3.
      • 32-bit IP address: your 16-bit number. For example, 10.0.0.1:1.
     
    Step 5 route-target {import | export | both} route-target-ext-community


    Example:
    Device(config-vrf)# route-target both 100:1
     

    Creates a route-target extended community for a VRF.

    • The import keyword imports routing information from the target VPN extended community.

    • The export keyword exports routing information to the target VPN extended community.

    • The both keyword imports routing information from and exports routing information to the target VPN extended community.

    • The route-target-ext-community argument adds the route-target extended community attributes to the VRF's list of import, export, or both (import and export) route-target extended communities.

    The route target specifies a target VPN extended community. Like a route distinguisher, an extended community is composed of either an autonomous system number and an arbitrary number or an IP address and an arbitrary number. You can enter the numbers in either of these formats:

    • 16-bit autonomous system number: your 32-bit number. For example, 101:3.

    • 32-bit IP address: your 16-bit number. For example, 10.0.0.2.15: 1.

     
    Step 6 end


    Example:
    Device(config-vrf)# end
     

    Returns to privileged EXEC mode.

     

    Associating a VRF with an Interface

    Perform this task to associate a virtual routing and forwarding (VRF) instance with an interface. A VRF must be associated with an interface before you can forward Virtual Private Network (VPN) traffic.


    Note


    You cannot configure a source address for VRF system logging messages. The VRF Aware System Message Logging feature uses the VRF interface address as the source address for all VRF-aware system logging messages.


    After configuring the VRF and associating it with an interface, you can configure the VRF Aware System Message Logging feature on the routing device.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    interface type number

      4.    ip vrf forwarding vrf-name

      5.    end

      6.    copy running-config startup-config


    DETAILED STEPS
       Command or Action / Purpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 interface type number


      Example:
      Device(config)# interface FastEthernet 0/0/0
       

      Configures an interface type and enters interface configuration mode.

      • The type argument is the type of interface to be configured.

      • The number argument is the port, connector, or interface card number. The numbers are assigned at the factory at the time of installation or when the port, connector, or interface card is added to a system, and can be displayed with the show interfaces command.

       
      Step 4 ip vrf forwarding vrf-name


      Example:
      Device(config-if)# ip vrf forwarding vpn1
       

      Associates a VRF with an interface or subinterface.

      • The vrf-name argument associates the interface with the specified VRF.

       
      Step 5 end


      Example:
      Device(config-if)# end
       

      Returns to privileged EXEC mode.

       
      Step 6 copy running-config startup-config


      Example:
      Device# copy running-config startup-config 
       

      (Optional) Saves configuration changes to NVRAM.

       

      Configuring VRF Aware System Message Logging on a Routing Device

      Configure the VRF Aware System Message Logging feature on a routing device so that logging messages can be used to monitor and troubleshoot network traffic connected through VRF instances.

      Before You Begin

      You must perform the following tasks before you perform this task:
      • Configure a virtual routing and forwarding (VRF) instance on a routing device.

      • Associate a VRF with an interface.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    logging host {ip-address | hostname} [vrf vrf-name]

        4.    logging trap level

        5.    logging facility facility-type

        6.    logging buffered [buffer-size | severity-level]

        7.    end


      DETAILED STEPS
         Command or Action / Purpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 logging host {ip-address | hostname} [vrf vrf-name]


        Example:
        Device(config)# logging host 10.0.150.63 vrf vpn1
         

        Specifies a host to receive syslog messages.

        • The ip-address argument is the IP address of the syslog server host.

        • The hostname argument is the name of the IP or IPv6 host that receives the syslog messages.

        • The vrf vrf-name keyword and argument specify a VRF that connects to the syslog server host.

         
        Step 4 logging trap level


        Example:
        Device(config)# logging trap debugging
         

        Limits messages logged to the syslog servers based on severity.

        • The level argument limits the logging of messages to the syslog servers to a specified level. You can enter the level number or level name. See the "Message Levels for Logging Commands" section for a description of acceptable keywords.

         
        Step 5 logging facility facility-type


        Example:
        Device(config)# logging facility local6
         

        (Optional) Configures the syslog facility in which error messages are sent.

        • The facility-type argument names the syslog facility type keyword. For locally defined messages, the range of acceptable keywords is local0 to local7. The default is local7.

         
        Step 6 logging buffered [buffer-size | severity-level]


        Example:
        Device(config)# logging buffered debugging
         

        (Optional) Limits messages logged to an internal buffer on the device based on severity.

        • The buffer-size argument is the size of the buffer from 4096 to 4,294,967,295 bytes. The default size varies by platform.

        • The severity-level argument limits the logging of messages to the buffer to a specified level. You can enter the level name or level number. See the "Message Levels for Logging Commands" section for a list of the acceptable level name or level number keywords. The default logging level varies by platform, but is generally 7, meaning that messages at all levels (0–7) are logged to the buffer.

         
        Step 7 end


        Example:
        Device(config)# end
         

        (Optional) Returns to privileged EXEC mode.

         

        Verifying VRF Aware System Message Logging Operation

        SUMMARY STEPS

          1.    enable

          2.    show running-config | include logging

          3.    show ip vrf interfaces

          4.    show running-config [interface type number]

          5.    ping vrf vrf-name target-ip-address

          6.    exit


        DETAILED STEPS
          Step 1   enable

          Enables privileged EXEC mode. Enter your password if prompted.



          Example:
          Device> enable
          Device#
          
          Step 2   show running-config | include logging

          Displays the logging configuration for the device and the logging host for a virtual routing and forwarding (VRF) instance.



          Example:
          Device# show running-config | include logging
          
          logging queue-limit 100
          logging buffered 100000 debugging
          mpls ldp logging neighbor-changes
          logging trap debugging
          logging facility local6
          logging host vrf vpn1 10.0.0.3
          Device#
          

          This example shows the configuration of a syslog server in VRF vpn1 with a server host address of 10.0.0.3.

          Step 3   show ip vrf interfaces

          Displays the interfaces associated with the VRF that links to a syslog server host. The following example displays a list of VRF interfaces and their associated IP addresses that are configured on the device:



          Example:
          Device# show ip vrf interfaces
          
          Interface              IP-Address       VRF                             Protocol
          FastEthernet0/0/0      10.0.0.0         vpn1                             up      
          Loopback1              10.0.0.6         vpn1                             up 
          
          Step 4   show running-config [interface type number]

          Displays interface specific configuration information for an interface associated with a VRF.



          Example:
          Device# show running-config interface FastEthernet 0/0/0
          
          Building configuration...
          Device#
          .
          .
          .
          !
          Current configuration : 116 bytes
          !
          interface FastEthernet0/0/0
           ip vrf forwarding vpn1
           ip address 10.0.0.98 255.0.0.0
           duplex half
           no cdp enable
          end
          

          This example displays configuration information for Fast Ethernet interface 0/0/0 in VRF vpn1.

          Step 5   ping vrf vrf-name target-ip-address

          Verifies that you can reach the syslog server host, the target-ip-address, through the specified VRF.



          Example:
          Device# ping vrf vpn1 10.3.0.1 
          Type escape sequence to abort.
          Sending 5, 100-byte ICMP Echos to 10.3.0.1, timeout is 2 seconds:
          .!!!!
          Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms 
          

          In this example, the syslog server has an IP address of 10.3.0.1 and the VRF is named vpn1. The server is reached successfully four of five times.

          Step 6   exit

          Returns to privileged EXEC mode.



          Example:
          Device# exit
          Device>
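
The comparison made by eye in Steps 2 and 3 can be scripted on a management host. The following Python sketch is an added example, not part of the Cisco documentation: it reads the two show outputs (embedded here as sample text taken from the steps above), accepts both argument orders of logging host that appear on this page, and reports for each syslog host whether its VRF has an interface that is up. The function names and status strings are hypothetical, and the sources list assumes that any up interface in the VRF may be the one whose address the server sees as the message source.

```python
# Sample input: the outputs shown in Steps 2 and 3 of the verification task.
SHOW_RUN_LOGGING = """\
logging queue-limit 100
logging buffered 100000 debugging
mpls ldp logging neighbor-changes
logging trap debugging
logging facility local6
logging host vrf vpn1 10.0.0.3
"""

SHOW_IP_VRF_INTERFACES = """\
Interface              IP-Address       VRF                             Protocol
FastEthernet0/0/0      10.0.0.0         vpn1                             up
Loopback1              10.0.0.6         vpn1                             up
"""


def parse_logging_hosts(text):
    """Return (host, vrf) pairs; vrf is None for a host in the global table."""
    hosts = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["logging", "host"]:
            continue  # skips unrelated matches such as "mpls ldp logging ..."
        args = tokens[2:]
        vrf = None
        # The page shows "logging host <ip> vrf <name>" (as typed) and
        # "logging host vrf <name> <ip>" (as displayed), so accept either order.
        if "vrf" in args[:-1]:
            i = args.index("vrf")
            vrf = args[i + 1]
            del args[i:i + 2]
        if args:
            hosts.append((args[0], vrf))
    return hosts


def parse_vrf_interfaces(text):
    """Return {vrf: [(interface, address, is_up), ...]}."""
    table = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 4 or cols[0] == "Interface":
            continue  # header line, blank lines, device prompts
        name, address, vrf, protocol = cols
        table.setdefault(vrf, []).append((name, address, protocol == "up"))
    return table


def audit(show_run, show_vrf):
    """One finding per logging host: status plus possible source addresses."""
    vrfs = parse_vrf_interfaces(show_vrf)
    findings = []
    for host, vrf in parse_logging_hosts(show_run):
        members = vrfs.get(vrf, [])
        up = [addr for _, addr, is_up in members if is_up]
        if vrf is None:
            status = "global-table"  # host is not reached through a VRF
        elif not members:
            status = "vrf-has-no-interface"
        elif not up:
            status = "vrf-interfaces-down"
        else:
            status = "ok"
        findings.append({"host": host, "vrf": vrf, "status": status,
                         "sources": up})
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_RUN_LOGGING, SHOW_IP_VRF_INTERFACES):
        print(finding)
```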

          Configuration Examples for VRF Aware System Message Logging

          Example: Configuring a VRF on a Routing Device

          enable
          configure terminal
          !
          ip vrf vpn1
           rd 100:1
           route-target both 100:1
           end

          Example: Associating a VRF with an Interface

          enable
          configure terminal
          !
          interface FastEthernet 0/0/0
           ip vrf forwarding vpn1
           end

          Examples: Configuring VRF Aware System Message Logging on a Routing Device

          The following example shows how to configure the VRF Aware System Message Logging feature on a routing device. The IP address of the syslog server host is 10.0.1.3 and the VRF is vpn1.

          enable
          configure terminal
          !
           logging host 10.0.1.3 vrf vpn1
           logging trap debugging
           logging facility local6
           logging buffered 10000
           logging buffered debugging
           end
          

          The following example shows how to turn off logging to the syslog server:

          enable 
          configure terminal
          !
           no logging 10.0.1.3
           end

          Additional References

          Related Documents

          Related Topic: Document Title

          • Cisco IOS commands: Cisco Master Command List, All Releases

          • MPLS and MPLS applications commands: Cisco IOS Multiprotocol Label Switching Command Reference

          • Concepts and tasks for configuring VRF-lite on a Catalyst 4500 switch: "Configuring VRF-lite" chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide

          • Concepts and tasks for configuring VRF Lite on ML-Series Ethernet cards: "Configuring VRF-lite" chapter in the Ethernet Card Software Feature and Configuration Guide for the Cisco ONS 15454 SDH, ONS 15454, and ONS 15327


          Feature Information for VRF Aware System Message Logging

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Table 2 Feature Information for VRF Aware System Message Logging

          Feature Name: VRF Aware System Message Logging

          Releases: 12.2(31)SB2, 12.2(33)SRA, 12.2(33)SXH, 12.4(13), 15.1(1)SG, Cisco IOS XE Release 2.2, Cisco IOS XE Release 3.3SG

          Feature Information:

          The VRF Aware System Message Logging feature allows a device to send syslog messages to a syslog server host connected through a VPN VRF interface.

          In Cisco IOS Release 12.2(31)SB2, this feature was introduced on the Cisco 10000 series routers.

          In Cisco IOS Release 12.2(33)SRA, this feature was integrated.

          In Cisco IOS Release 12.2(33)SXH, this feature was integrated.

          In Cisco IOS Release 12.4(13), this feature was integrated.

          In Cisco IOS Release 15.1(1)SG, this feature was integrated.

          In Cisco IOS XE Release 2.2, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

          In Cisco IOS XE Release 3.3SG, this feature was integrated.

          The following command was modified: logging host.

          Glossary

          CE device—customer edge device. A device on the border between a VPN provider and a VPN customer that belongs to the customer.

          LSR—label switching router. A device that forwards MPLS packets based on the value of a fixed-length label encapsulated in each packet.

          MPLS—Multiprotocol Label Switching. A method for forwarding packets (frames) through a network. It enables devices at the edge of a network to apply labels to packets (frames). ATM switches or existing devices in the network core can switch packets according to the labels with minimal lookup overhead.

          MPLS VPN—Multiprotocol Label Switching Virtual Private Network. An IP network infrastructure delivering private network services over a public infrastructure using a Layer 3 backbone. Using MPLS VPNs in a Cisco network provides the capability to deploy and administer scalable Layer 3 VPN backbone services including applications, data hosting network commerce, and telephony services to business customers.

          PE device—provider edge device. A device on the border between a VPN provider and a VPN customer that belongs to the provider.

          VPN—Virtual Private Network. A group of sites that, as the result of a set of administrative policies, are able to communicate with each other over a shared backbone network. A VPN is a secure IP-based network that shares resources on one or more physical networks. A VPN contains geographically dispersed sites that can communicate securely over a shared backbone. See also MPLS VPN.

          VRF—VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE device.