- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring Virtual Switching Systems
- Configuring the Cisco IOS In-Service Software Upgrade Process
- Configuring the Cisco IOS XE In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring RPR
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E and Supervisor Engine 7L-E
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring EVC-Lite
- Configuring SmartPort Macros
- Configuring Cisco IOS Auto Smartport Macros
- Configuring STP and MST
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering,
- Configuring IPv6 Multicast Listener Discovery Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring Cisco Discovery Protocol
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Bidirectional Forwarding Detection
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring MACsec Encryption
- Configuring 802.1X Port-Based Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Port Security
- Configuring Auto Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring Dynamic ARP Inspection
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- Configuring Network Security with ACLs
- Support for IPv6
- Configuring Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN and RSPAN
- Configuring Wireshark
- Configuring Enhanced Object Tracking
- Configuring System Message Logging
- Onboard Failure Logging (OBFL)
- Configuring SNMP
- Configuring NetFlow-lite
- Configuring Flexible NetFlow
- Configuring Ethernet OAM and CFM
- Configuring Y.1731 (AIS and RDI)
- Configuring callhome
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- Configuring MIB Support
- ROM Monitor
- Acronyms and Abbreviations
- Catalyst 4500 Series Switch SW Configuration Guide Index, IOS XE 3.6.0E and IOS 15.2(2)E
- About VRF-lite
- VRF-lite Configuration Guidelines
- Configuring VRF-lite for IPv4
- Configuring VRF-lite for IPv6
- Configuring VRF-Aware Services
- Configuring the User Interface for ARP
- Configuring the User Interface for PING
- Configuring the User Interface for uRPF
- Configuring the User Interface for Traceroute
- Configuring the User Interface for FTP and TFTP
- Configuring the User Interface for Telnet and SSH
- Configuring the User Interface for NTP
- VRF-lite Configuration Example
- Displaying VRF-lite Status
- Configuring IPv6 VRF-lite
- Configuring VRF-Aware Services
Configuring VRF-lite
Virtual Private Networks (VPNs) provide a secure way for customers to share bandwidth over an ISP backbone network. A VPN is a collection of sites sharing a common routing table. A customer site is connected to the service provider network by one or more interfaces, and the service provider associates each interface with a VPN routing table. A VPN routing table is called a VPN routing/forwarding (VRF) table.
With the VRF-lite feature, the Catalyst 4500 series switch supports multiple VPN routing/forwarding instances in customer edge devices. (VRF-lite is also termed multi-VRF CE, or multi-VRF Customer Edge Device). VRF-lite allows a service provider to support two or more VPNs with overlapping IP addresses using one interface.
This document addresses both IPv4 and IPv6 VRF-lite.
Note Starting with Cisco IOS Release 12.2(52)SG, the Catalyst 4500 switch supports VRF-lite NSF support with routing protocols OSPF/EIGRP/BGP.
Note The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs. For information about MPLS VRF, refer to the Cisco IOS Switching Services Configuration Guide at:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_ipv4_ipv6_ps6922_TSD_Products_Configuration_Guide_Chapter.html
This chapter includes these topics:
- About VRF-lite
- VRF-lite Configuration Guidelines
- Configuring VRF-lite for IPv4
- Configuring VRF-lite for IPv6
- VPN Co-existence Between IPv4 and IPv6
- Migrating from the Old to New CLI Scheme
Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html
If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the Cisco IOS library. See the Cisco IOS Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
About VRF-lite
VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but a Layer 3 interface cannot belong to more than one VRF at any time.
Note VRF-lite interfaces must be Layer 3 interfaces.
VRF-lite includes these devices:
- Customer edge (CE) devices provide customer access to the service provider network over a data link to one or more provider edge routers. The CE device advertises the site’s local routes to the provider edge router and learns the remote VPN routes from it. A Catalyst 4500 series switch can be a CE.
- Provider edge (PE) routers exchange routing information with CE devices by using static routing or a routing protocol such as BGP, RIPv1, or RIPv2.
The PE is only required to maintain VPN routes for those VPNs to which it is directly attached, eliminating the need for the PE to maintain all of the service provider VPN routes. Each PE router maintains a VRF for each of its directly connected sites. Multiple interfaces on a PE router can be associated with a single VRF if all of these sites participate in the same VPN. Each VPN is mapped to a specified VRF. After learning local VPN routes from CEs, a PE router exchanges VPN routing information with other PE routers by using internal BGP (iBPG).
- Provider routers (or core routers) are any routers in the service provider network that do not attach to CE devices.
With VRF-lite, multiple customers can share one CE, and only one physical link is used between the CE and the PE. The shared CE maintains separate VRF tables for each customer and switches or routes packets for each customer based on its own routing table. VRF-lite extends limited PE functionality to a CE device, giving it the ability to maintain separate VRF tables to extend the privacy and security of a VPN to the branch office.
Figure 41-1 shows a configuration where each Catalyst 4500 series switch acts as multiple virtual CEs. Because VRF-lite is a Layer 3 feature, each interface in a VRF must be a Layer 3 interface.
Figure 41-1 Catalyst 4500 Series Switches Acting as Multiple Virtual CEs
Figure 41-1 illustrates the packet-forwarding process in a VRF-lite CE-enabled network.
- When the CE receives a packet from a VPN, it looks up the routing table based on the input interface. When a route is found, the CE forwards the packet to the PE.
- When the ingress PE receives a packet from the CE, it performs a VRF lookup. When a route is found, the router adds a corresponding MPLS label to the packet and sends it to the MPLS network.
- When an egress PE receives a packet from the network, it strips the label and uses the label to identify the correct VPN routing table. The egress PE then performs the normal route lookup. When a route is found, it forwards the packet to the correct adjacency.
- When a CE receives a packet from an egress PE, it uses the input interface to look up the correct VPN routing table. If a route is found, the CE forwards the packet within the VPN.
To configure VRF, create a VRF table and specify the Layer 3 interface associated with the VRF. You then configure the routing protocols in the VPN and between the CE and the PE. BGP is the preferred routing protocol used to distribute VPN routing information across the providers’ backbone. The VRF-lite network has three major components:
- VPN route target communities—Lists all other members of a VPN community. You need to configure VPN route targets for each VPN community member.
- Multiprotocol BGP peering of VPN community PE routers—Propagates VRF reachability information to all members of a VPN community. You need to configure BGP peering in all PE routers within a VPN community.
- VPN forwarding—Transports all traffic between all VPN community members across a VPN service-provider network.
VRF-lite Configuration Guidelines
IPv4 and IPv6
- A switch with VRF-lite is shared by multiple customers, and all customers have their own routing tables.
- Because customers use different VRF tables, you can reuse the same IP addresses. Overlapped IP addresses are allowed in different VPNs.
- VRF-lite lets multiple customers share the same physical link between the PE and the CE. Trunk ports with multiple VLANs separate packets among customers. All customers have their own VLANs.
- VRF-lite does not support all MPLS-VRF functionality: label exchange, LDP adjacency, or labeled packets.
- For the PE router, there is no difference between using VRF-lite or using multiple CEs. In Figure 41-1, multiple virtual Layer 3 interfaces are connected to the VRF-lite device.
- The Catalyst 4500 series switch supports configuring VRF by using physical ports, VLAN SVIs, or a combination of both. You can connect SVIs through an access port or a trunk port.
- A customer can use multiple VLANs as long because they do not overlap with those of other customers. A customer’s VLANs are mapped to a specific routing table ID that is used to identify the appropriate routing tables stored on the switch.
- The Layer 3 TCAM resource is shared between all VRFs. To ensure that any one VRF has sufficient CAM space, use the maximum routes command.
- A Catalyst 4500 series switch using VRF can support one global network and up to 64 VRFs. The total number of routes supported is limited by the size of the TCAM.
- A single VRF can be configured for both IPv4 and IPv6.
- PBR and VRF cannot be configured on the same interface. Similarly, WCCP, Etherchannel and MEC cannot be configured on the same interface with VRF.
- If an incoming packet's destination address is not found in the vrf table, the packet is dropped. Also, if insufficient TCAM space exists for a VRF route, hardware switching for that VRF is disabled and the corresponding data packets are sent to software for processing.
IPv4 Specific
- You can use most routing protocols (BGP, OSPF, EIGRP, RIP and static routing) between the CE and the PE. However, we recommend using external BGP (EBGP) for these reasons:
– BGP does not require multiple algorithms to communicate with multiple CEs.
– BGP is designed for passing routing information between systems run by different administrations.
– BGP makes simplifies passing attributes of the routes to the CE.
- VRF-lite does not support IGRP and ISIS.
- Beginning with Cisco IOS Release 12.2(50)SG, Multicast and VRF can be configured together on a Layer 3 interface.
- The Catalyst 4500 series switch supports all the PIM protocols (PIM-SM, PIM-DM, PIM-SSM, PIM BiDIR).
- The capability vrf-lite subcommand under router ospf should be used when configuring OSPF as the routing protocol between the PE and the CE.
IPv6 specific
- VRF-aware OSPFv3, BGPv6, EIGRPv6, and IPv6 static routing are supported.
- VRF aware ISISv6, RIPng, IPv6 Multicast Routing(MVRF), and PIMv6 are not supported.
- VRF-aware IPv6 route applications include: ping, telnet, ssh, tftp, ftp and traceroute. (This list does not include the Mgt interface, which is handled differently even though you can configure both IPv4 or IPv6 VRF under it.)
Configuring VRF-lite for IPv4
Configuring VRFs
To configure one or more VRFs, perform this task:
Note For complete syntax and usage information for the following commands, see the switch command reference for this release and see the Cisco IOS Switching Services Command Reference at: http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_book.html
Use the no ip vrf vrf-name global configuration command to delete a VRF and to remove all interfaces from it. Use the no ip vrf forwarding interface configuration command to remove an interface from the VRF.
Configuring VRF-Aware Services
IP services can be configured on global interfaces and within the global routing instance. IP services are enhanced to run on multiple routing instances; they are VRF-aware. Any configured VRF in the system can be specified for a VRF-aware service.
VRF-aware services are implemented in platform-independent modules. VRF provides multiple routing instances in Cisco IOS. Each platform has its own limit on the number of VRFs it supports.
Configuring the User Interface for ARP
To configure VRF-aware services for ARP, perform this task:
|
|
|
|
Displays the ARP table (static and dynamic entries) in the specified VRF. |
|
|
Configuring Per-VRF for TACACS+ Servers
The per-VRF for TACACS+ servers feature enables you to configure per-virtual route forwarding (per-VRF) authentication, authorization, and accounting (AAA) on TACACS+ servers.
Before configuring per-VRF on a TACACS+ server, you must have configured AAA and a server group.
You can create the VRF routing table (shown in Steps 3 and 4) and configure the interface (Steps 6, 7, and 8). The actual configuration of per-VRF on a TACACS+ server is done in Steps 10 through 13.
The following example lists all the steps to configure per-VRF TACACS+:
Switch (config)# interface Loopback0
Switch (config-if)# ip vrf forwarding cisco
Switch (config-if)# ip address 10.0.0.2 255.0.0.0
Switch (config-sg-tacacs+)# ip vrf forwarding cisco
Switch (config-sg-tacacs+)# ip tacacs source-interface Loopback0
Switch (config-sg-tacacs)# exit
For more information about configuring per-VRF for TACACS+ server,
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.pdf
Configuring Multicast VRFs
To configure multicast within a VRF table, perform this task:
The following example shows how to configure multicast within a VRF table:
For more information about configuring a multicast within a Multi-VRF CE, see the
Cisco IOS IP Multicast Configuration Guide, Release 12.4.
Use the no ip vrf vrf-name global configuration command to delete a VRF and to remove all interfaces from it. Use the no ip vrf forwarding interface configuration command to remove an interface from the VRF.
Configuring a VPN Routing Session
Routing within the VPN can be configured with any supported routing protocol (RIP, OSPF, or BGP) or with static routing. The configuration shown here is for OSPF, but the process is the same for other protocols.
To configure OSPF in the VPN, perform this task:
Use the no router ospf process-id vrf vrf-name global configuration command to disassociate the VPN forwarding table from the OSPF routing process.
The following example shows how to configure a single VRF named VRF-RED:
Configuring BGP PE to CE Routing Sessions
To configure a BGP PE to CE routing session, perform this task:
Use the no router bgp autonomous-system-number global configuration command to delete the BGP routing process. Use the command with keywords to delete routing characteristics.
VRF-lite Configuration Example
Figure 41-2 is a simplified example of the physical connections in a network similar to that in Figure 41-1. OSPF is the protocol used in VPN1, VPN2, and the global network. BGP is used in the CE to PE connections. The example commands show how to configure the CE switch S8 and include the VRF configuration for switches S20 and S11 and the PE router commands related to traffic with switch S8. Commands for configuring the other switches are not included but would be similar.
Figure 41-2 VRF-lite Configuration Example
Configuring Switch S8
On switch S8, enable routing and configure VRF.
Configure the loopback and physical interfaces on switch S8. Fast Ethernet interface 3/5 is a trunk connection to the PE. Interfaces 3/7 and 3/11 connect to VPNs:
Configure the VLANs used on switch S8. VLAN 10 is used by VRF 11 between the CE and the PE. VLAN 20 is used by VRF 12 between the CE and the PE. VLANs 118 and 208 are used for VRF for the VPNs that include switch S11 and switch S20, respectively:
Configure OSPF routing in VPN1 and VPN2:
Configure BGP for CE to PE routing:
Configuring Switch S20
Configure S20 to connect to CE:
Configuring Switch S11
Configure S11 to connect to CE:
Configuring the PE Switch S3
On switch S3 (the router), these commands configure only the connections to switch S8:
Displaying VRF-lite Status
To display information about VRF-lite configuration and status, perform one of the following tasks:
This example shows how to display multicast route table information within a VRF instance:
Note For more information about the information in the displays, refer to the Cisco IOS Switching Services Command Reference at:
http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_book.html
Configuring VRF-lite for IPv6
Configuring VRF-Aware Services
IP services can be configured on global interfaces and within the global routing instance. IP services are enhanced to run on multiple routing instances; they are VRF-aware. Any configured VRF in the system can be specified for a VRF-aware service.
VRF-aware services are implemented in platform-independent modules. VRF provides multiple routing instances in Cisco IOS. Each platform has its own limit on the number of VRFs it supports.
Configuring the User Interface for ARP
To configure VRF-aware services for ARP, perform this task:
|
|
|
|
Displays the ARP table (static and dynamic entries) in the specified VRF. |
|
|
Configuring the User Interface for PING
To perform a VRF-aware ping, perform this task:
|
|
|
---|---|---|
|
Configuring the User Interface for uRPF
You can configure uRPF on an interface assigned to a VRF. Source lookup is performed in the VRF table.
To configure VRF-aware services for uRPF, perform this task:
Configuring the User Interface for Traceroute
To configure VRF-aware services for traceroute, perform this task:
|
|
|
---|---|---|
|
Specifies the name of a VPN VRF in which to find the destination address. |
Configuring the User Interface for FTP and TFTP
You must configure some FTP and TFTP CLIs in order for FTP and TFTP to be VRF-aware. For example, if you want to use a VRF table that is attached to an interface (for example, E1/0), you need to configure the ip [t]ftp source-interface E1/0 command to inform [t]ftp to use a specific routing table. In this example, the VRF table is used to look up the destination IP address. These changes are backward-compatible and do not affect existing behavior. You can use the source-interface CLI to send packets out a particular interface even if no VRF is configured on that interface.
To specify the source IP address for FTP connections, use the ip ftp source-interface show mode command. To use the address of the interface where the connection is made, use the no form of this command.
To configure the user interface for FTP and TFTP, perform this task:
|
|
|
---|---|---|
|
||
|
||
|
To specify the IP address of an interface as the source address for TFTP connections, use the
ip tftp source-interface show mode command. To return to the default, use the no form of this command.
|
|
|
---|---|---|
|
||
|
||
|
Configuring the User Interface for Telnet and SSH
To configure VRF-aware for using Telnet and SSH, perform this task:
Configuring the User Interface for NTP
To configure VRF-aware for NTP, perform this task:
|
|
|
|
||
|
VRF-lite Configuration Example
The following topology illustrates how to use OSPFv3 for CE-PE routing.
Figure 41-3 VRF-lite Configuration Example
Configuring CE1 Switch
Configuring PE Switch
Configuring CE2 Switch
Displaying VRF-lite Status
To display information about VRF-lite configuration and status, perform one of the following tasks:
Note For more information about the information in the displays, refer to the Cisco IOS Switching Services Command Reference at:
http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_book.html
To display information about VRF-lite configuration and status, perform one of the following tasks:
When you configure VRF table “a” with the IPv6 address family and attach the VRF to the interface with IPv6 address 1::2/64, the show ipv6 route vrf a command displays the following output:
For further examples, refer to
http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_16.html
Configuring IPv6 VRF-lite
Beginning with Release IOS XE 3.5.0E and IOS 15.2(1)E, to support IPv6 VRF-lite, we transition from the ip vrf command to the “new” vrf definition command.
Configure VRFs
To configure one or more VRFs, perform this task:
This example shows how to configure VRFs:
Associate Interfaces to the Defined VRFs
To associate interface to the defined VRFs, perform this task:
This example shows how to associate an interface to VRFs:
Populate VRF with Routes via Routing Protocols
Static Route
|
|
|
---|---|---|
ipv6 route [vrf vrf-name] ipv6-prefix/prefix-length {ipv6-address | interface-type interface-number [ipv6-address]} |
This example shows how to populate VRF with a static route:
Routing Protocols
OSPFv3
To configure the OSPFv3 router process and the IPv6 address family in OSPFv3, perform the following steps:
This example shows how configure the OSPFv3 router process:
To enable OSPFv3 on an interface, do the following:
This example show how to enable OSPFv3 on an interface:
EIGRP
To configure an EIGRPv6 routing process, perform the following steps:
This example shows how to configure an EIGRP routing process:
EBGPv6
To configure EBGPv6, do the following:
This example shows how to configure EBRPv6:
VPN Co-existence Between IPv4 and IPv6
With Release IOS XE 3.5.0E and IOS 15.2(1)E, we provide backward compatibility between the “older” CLI for configuring IPv4 and the “new” CLI for IPv6. This means that a configuration might contain both CLI. The IPv4 CLI retains the ability to have on the same interface, an IP address defined within a VRF as well as an IPv6 address defined in the global routing table.
In this example, all addresses (v4 and v6) defined for Ethernet0/0 refer to VRF red whereas for Ethernet0/1, the IP address refers to VRF blue but the ipv6 address refers to the global IPv6 routing table.
Migrating from the Old to New CLI Scheme
Prior to Release IOS XE 3.5.0E and IOS 15.2(1)E, you used the ip vrf command to configure vrf. With Release IOS XE 3.5.0E and IOS 15.2(1)E, you use the new vrf definition command.
Henceforward, to incorporate IPv6 VRf configurations in addition to IPv4 configurations, you must migrate from the prior VRF CLI scheme using the following command:
This command forces migration from old CLI for IPv4 VRF to the new VRF multi-AF CLI. It is not nvgen'd because the effect is “one-time” only (see BGP similar command " bgp upgrade-cli ").