Ddns on vrf'ed interface

Hi,
I'm having trouble getting ddns to work on a vrf'ed interface. Here's my config:
ip vrf provisioning
 rd 1:10
ip host-list dns-list
 host vrf provisioning 1.2.3.4
ip ddns update method my_ddns
 DDNS both
interface Vlan2
 ip vrf forwarding provisioning
 ip ddns update hostname rtr.sub.dom.tld
 ip ddns update my_ddns host-group dns-list
 ip address dhcp
# deb ip ddns update
Feb 23 07:36:08.625: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up
Feb 23 07:36:08.625: DYNUPD: SWIF comingup 'Vlan2'
Feb 23 07:36:09.609: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
Feb 23 07:36:09.609: DYNUPD: SWIF comingup 'FastEthernet1'
Feb 23 07:36:10.609: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to up
Feb 23 07:36:20.833: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan2 assigned DHCP address 10.145.20.31, mask 255.255.255.0, hostname rtr.sub.dom.tld
Feb 23 07:36:22.785: DYNDNSUPD: Adding DNS mapping for rtr.sub.dom.tld <=> 10.145.20.31 server 1.2.3.4
Feb 23 07:36:22.785: DDNS: Enqueuing new DDNS update 'rtr.sub.dom.tld' <=> 10.145.20.31 server 1.2.3.4
Feb 23 07:36:40.785: DDNS: Can't find authoritative zone info for '31.20.145.10.in-addr.arpa.'
Feb 23 07:37:16.786: DDNS: Can't find authoritative zone info for 'rtr.sub.dom.tld'
Feb 23 07:37:16.786: DDNS: Update of 'rtr.sub.dom.tld' <=> 10.145.20.31 finished
Feb 23 07:37:16.786: DYNDNSUPD: Another update completed (outstanding=0, total=0)
The dns zone allows for non-secure dynamic updates.
Running Version 15.0(1)M4 BTW.
Any suggestions?
Thank you,
/JZN

Anybody?
Is this posted in the wrong category?
The traffic isn't reaching the dns server at all. And I'm not getting any hits on an access-list.
I have reachability between the router and the dns server from the interface that should be registered in dns.
Thank you,
/JZN

Similar Messages

  • MPLS Vrf ospf interfaces not working

    P/PE router VRF ospf interfaces unable to receive or advertise routing to and from CE router.
    Config attached.
    Routes from PE VRF nortel should be forwarded to CE router
    So are routes from CE 50.50.50.0 network
    Any ideas?

    Hello,
    Looks to me as if you did not start the ospf process in the VRF. So adjust the config according to:
    interface Serial2/0
     description MPLS VRF 1:1 connection to Cisco 2611 PPP
     ip vrf forwarding nortel
     ip address 200.0.30.1 255.255.255.0
     encapsulation ppp
     clock rate 128000
    interface FastEthernet4/0
     description MPLS connection for vrf Nortel 1:1
     ip vrf forwarding nortel
     ip address 70.70.70.1 255.255.255.0
     duplex auto
     speed auto
    no router ospf 1
    router ospf 1 vrf nortel
     network 200.0.30.0 0.0.0.255 area 0
     network 70.70.70.1 0.0.0.0 area 0 !In case you want OSPF over this interface as well
    With the current config I would assume that you do not see an OSPF adjacency on the CE.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Mac OS X 10.5 Server: Preventing DDNS registration for multiple interfaces

    Please see http://support.apple.com/kb/ht3169 regarding a method to prevent OS X from registering all of its NICs IP addresses to the Active Directory to which it is bound's DNS.
    This is the default and expected behavior and is actually quite helpful on machines with a single NIC.
    However it is fatal on servers with more than one NIC as it breaks all sorts of things!
    The problem I am having is that Apple's fix as linked does not work. I have applied this to both my Xserves running OS X 10.5.x Server (currently 10.5.6 Server) and I still see the automatic registration of both NICs' IP addresses to the AD DNS. I am a little unconvinced that SAMBA is the root cause as my logs cheerfully report directory services is successfully registering the IPs to the Active Directory.
    Windows at least allows you to turn off this feature per NIC; I'd settle for turning it off entirely and manually adding A records to the AD DNS, as at the moment this is killing me.
    What am I doing wrong? I have actually rebuilt one of my servers from scratch to see if I can fix this, to no avail.
    In short, help!

    I contacted Apple and they provided me a workaround:
    You have to manually add the DNS entries once you have followed the steps.
    1. In Terminal, we need to make a backup of the file /usr/bin/net which we will be replacing:
    sudo mv /usr/bin/net /usr/bin/oldnet
    2. Place the following in a shell script at /usr/bin/net and chmod its permissions to make it executable. The script will prevent the name registration and allow other net commands to succeed.
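    #!/bin/sh
    # Wrapper installed as /usr/bin/net: exit quietly when arguments 4-6 are
    # "ads dns register"; pass every other invocation to the original binary.
    if [ "$4" = "ads" ] && [ "$5" = "dns" ] && [ "$6" = "register" ]; then
        exit 0
    else
        /usr/bin/oldnet "$@"
    fi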

  • Tunnel vrf "vrf-name", when tunnel source interface in GRT

    Hello!
    Following configuration is working on Cisco 871 (c870-advipservicesk9-mz.124-15.T8.bin) but doesn’t work on Cisco 881 (c880data-universalk9-mz.151-4.M4.bin, License Level: advipservices). What did I miss?
    ip vrf vrf_tun
     rd 1:3
    interface Tunnel0
     ip address 172.16.0.1 255.255.255.0
     no ip redirects
     ip mtu 1472
     ip nhrp authentication 1
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp server-only
     no ip nhrp cache non-authoritative
     ip tcp adjust-mss 1400
     tunnel source FastEthernet4
     tunnel mode gre multipoint
     tunnel vrf vrf_tun
    interface FastEthernet4  (interface does not participate in the VRF!)
     ip address i.i.i.i m.m.m.m
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     no cdp enable
    ip route 0.0.0.0 0.0.0.0 g.g.g.g
    ip route vrf vrf_tun 0.0.0.0 0.0.0.0 FastEthernet4 g.g.g.g global
    sh ip nh bri (C 871):
       Target             Via            NBMA           Mode   Intfc   Claimed
    172.16.0.2/32    172.16.0.2    i.i.i.i         dynamic  Tu0    <   >
    sh ip nh bri (C 881):
       Target             Via            NBMA           Mode   Intfc   Claimed
    debug nhrp on 881 does not show anything. Configuration without "tunnel vrf vrf_tun" works perfectly.

    Hello, Peter.
    So, I dug deeper. I tested my configuration on brand new C881 and even on C2911. On C881 I used c880data-universalk9_npe-mz.152-3.T and then c880data-universalk9-mz.124-20.T4 (the oldest release on cisco.com).
    I found that the router on opposite side receives packets. Look:
    C881#ping 10.150.12.1 repeat 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.150.12.1, timeout is 2 seconds:
    Success rate is 0 percent (0/1)
    RouterOnOppositeSide#debug ip icmp
    ICMP packet debugging is on
    001150: Jan 19 23:36:44: ICMP: echo reply sent, src 10.150.12.1, dst 10.200.10.1, topology BASE, dscp 0 topoid 0
    I guess that the problem lies in the part where the router (C881) receives packets and decides what to do with them. Somehow in this part G1 and G2 routers behave differently.

  • ME3600 does not forward frames out one interface in service instance

    Hi,
    I have an issue with ME3600 running 15.3(1)S. I have a BDI used for CPE
    management.
    cisco ME-3600X-24FS-M
    Cisco IOS Software, ME360x Software (ME360x-UNIVERSALK9-M), Version
    15.3(1)S, RELEASE SOFTWARE (fc1)
    This is the BDI and VRF configuration:
    interface Vlan1620
     ip vrf forwarding 65000:1620
     ip address 10.232.28.1 255.255.252.0
     no ip redirects
    ip vrf 65000:1620
     rd 65000:1620
     route-target export 65000:1620
     route-target import 65000:1620
    address-family ipv4 vrf 65000:1620
     redistribute connected
    The MPLS part is working fine, no issues there. There is also a DHCP
    pool handing out IPs to the CPEs.
    ip dhcp pool 65000:1620
     vrf 65000:1620
     network 10.232.28.0 255.255.252.0
     domain-name xyz
     default-router 10.232.28.1
     option 66 ascii 10.232.28.1
     dns-server 8.8.8.8
     lease 0 0 30
    This also works fine and I have verified that CPE has both IP and GW.
    Then for the service instance configuration:
    interface GigabitEthernet0/5
     switchport trunk allowed vlan none
     switchport mode trunk
     service instance 1620 ethernet
      encapsulation dot1q 1620
      rewrite ingress tag pop 1 symmetric
      bridge-domain 1620
    interface GigabitEthernet0/11
     switchport trunk allowed vlan none
     switchport mode trunk
     service instance 1620 ethernet
      encapsulation dot1q 1620
      rewrite ingress tag pop 1 symmetric
      bridge-domain 1620
    Traffic to CPEs behind Gi0/11 works:
    sh ip arp vrf 65000:1620 vlan 1620 | i 29.26
    Internet 10.232.29.26 0 0022.07f3.3450 ARPA Vlan1620
    show mac-address-table address 0022.07f3.3450
    Mac Address Table
    Vlan Mac Address Type Ports
    1620 0022.07f3.3450 DYNAMIC Gi0/11+Efp1620
    Total Mac Addresses for this criterion: 1
    Pinging 10.232.29.26 with 32 bytes of data:
    Reply from 10.232.29.26: bytes=32 time=33ms TTL=61
    Reply from 10.232.29.26: bytes=32 time=32ms TTL=61
    Reply from 10.232.29.26: bytes=32 time=34ms TTL=61
    Reply from 10.232.29.26: bytes=32 time=32ms TTL=61
    Traffic to CPEs behind Gi0/5 does not work.
    sh ip arp vrf 65000:1620 vlan 1620 | i 28.190
    Internet 10.232.28.190 2 0022.07f2.76a6 ARPA Vlan1620
    show mac-address-table address 0022.07f2.76a6
    Mac Address Table
    Vlan Mac Address Type Ports
    1620 0022.07f2.76a6 DYNAMIC Gi0/5+Efp1620
    Total Mac Addresses for this criterion: 1
    Pinging 10.232.28.190 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    This is also confirmed by looking at counters. There seems to be no
    egress traffic on Gi0/5.
    Service Instance 1620, Interface GigabitEthernet0/11
    Pkts In Bytes In Pkts Out Bytes Out
    31717 2955368 4569808 1709207624
    Service Instance 1620, Interface GigabitEthernet0/5
    Pkts In Bytes In Pkts Out Bytes Out
    4850878 367975447 0 0
    It does work to ping locally from the 3600 though:
    ping vrf 65000:1620 10.232.28.190
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.232.28.190, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    I'm not sure how to troubleshoot it further. I've also tried setting up
    ERSPAN sessions for RX traffic on Gi0/5 but I don't get anything in
    unless I ping 28.1 which is the IP of the interface on the 3600.
    Any clues?
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.       

    It could not have been caused by a virus, since there are no viruses for Mac OS X. I would guess it was a typo when you first setup the account, and when you set it up again, a user may have gone to Preferences and selected the Outgoing mail server drop down menu and inadvertently selected the typo'd server entry.
    Mulder

  • Multipoint GRE and VRF

    Hi all
    I've been doing some experimenting with multipoint GRE over 3G and I've run into a problem I need some help with. My setup is best described with the attached network drawing. MAR-Router has a fiber Internet connection while the ECK-Router1 only has 3G connections using external modems with dynamic provider IPs, hence the need for multipoint GRE rather than static GRE tunnels. I've also had to use VRF lite on the ECK-Router1 as there is a need to keep the routing tables separate.
    The tunnel9 interface on ECK-Router1 noVRF comes online nicely and OSPF does what it does. The tunnel can even handle when the 3G provider assigns the modem a new IP. The tunnel 16 on ECK-Router1 VRF guest however does not handle nicely. When I set up the configuration the first time the tunnel comes up and OSPF goes adjacent with MAR-Router but whenever there is a disturbance in the 3G connection or the modem gets a new IP the tunnel goes down and doesn't activate until I remove and reenter the "tunnel vrf guest" command. The show dmvpn static detail command on ECK-Router1 gives the result below with the VRF guest tunnel in the NHRP state.
    It seems multipoint GRE has a problem with VRF lite but it could also be a case where I've missed something. I would appreciate any pointers.
    Regards
    /Fredrik
    ECK-Router1#sh dmvpn static det
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface Tunnel9 is up/up, Addr. is 172.16.14.2, VRF ""
       Tunnel Src./Dest. addr: 192.168.14.30/194.112.9.140, Tunnel VRF ""
       Protocol/Transport: "GRE/IP", Protect ""
       Interface State Control: Disabled
       nhrp event-publisher : Disabled
    IPv4 NHS:
    172.16.14.1  RE priority = 0 cluster = 0
    Type:Spoke, Total NBMA Peers (v4/v6): 1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
        1 194.112.9.140       172.16.14.1    UP 00:02:46    S     172.16.14.1/32
    Interface Tunnel16 is up/up, Addr. is 172.16.14.3, VRF "guest"
       Tunnel Src./Dest. addr: 192.168.15.30/194.112.9.140, Tunnel VRF "guest"
       Protocol/Transport: "GRE/IP", Protect ""
       Interface State Control: Disabled
       nhrp event-publisher : Disabled
    IPv4 NHS:
    172.16.14.1   E priority = 0 cluster = 0
    Type:Spoke, Total NBMA Peers (v4/v6): 1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
        1 194.112.9.140       172.16.14.1  NHRP 00:00:45    S     172.16.14.1/32 (guest)
    ECK-Router1
    interface Tunnel9
     bandwidth 10000
     ip address 172.16.14.2 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp map multicast 194.112.9.140
     ip nhrp map 172.16.14.1 194.112.9.140
     ip nhrp network-id 1
     ip nhrp holdtime 60
     ip nhrp nhs 172.16.14.1
     ip ospf network non-broadcast
     ip ospf dead-interval 4
     ip ospf hello-interval 1
     ip ospf priority 0
     ip ospf 1 area 0
     ip ospf cost 2
     tunnel source GigabitEthernet0/0.807
     tunnel mode gre multipoint
    interface Tunnel16
     bandwidth 10000
     ip vrf forwarding guest
     ip address 172.16.14.3 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp map multicast dynamic
     ip nhrp map multicast 194.112.9.140
     ip nhrp map 172.16.14.1 194.112.9.140
     ip nhrp network-id 1
     ip nhrp holdtime 60
     ip nhrp nhs 172.16.14.1
     ip ospf network non-broadcast
     ip ospf dead-interval 4
     ip ospf hello-interval 1
     ip ospf priority 0
     ip ospf 10 area 0
     ip ospf cost 2
     tunnel source GigabitEthernet0/0.810
     tunnel mode gre multipoint
     tunnel vrf guest
    interface GigabitEthernet0/0.807
     encapsulation dot1Q 807
     ip address 192.168.14.30 255.255.255.0
    interface GigabitEthernet0/0.810
     encapsulation dot1Q 810
     ip vrf forwarding guest
     ip address 192.168.15.30 255.255.255.0
    MAR-Router
    interface Tunnel9
     bandwidth 10000
     ip address 172.16.14.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 60
     ip ospf network broadcast
     ip ospf dead-interval 4
     ip ospf hello-interval 1
     ip ospf priority 255
     ip ospf 1 area 0
     ip ospf cost 2
     tunnel source 194.112.9.140
     tunnel mode gre multipoint

    Bump :)

  • VRF-Lite on one 6509; How to route traffic from global to VRF.

    To anyone that can lead me in the right direction:
    I have a 6509 switch with IOS "s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...

    Hello,
    You need to use (Static route) in both directions, One Static in the VRF table points to the Global interface, and another one in the Global point to the VRF interface for the received traffic. After that, you Can Redistribute the Global Static route into Eigrp for end-to-end connectivity!
    Example:
    Consider you have 2 interfaces in your Core SW-6509: One is G0/1 and the other is G0/2
    G0/1 is placed into the Global table , and G0/2 is part of VRF (X)
    interface G0/1
     ip address 1.1.1.1 255.255.255.0
    interface G0/2
     ip vrf forwarding X
     ip address 2.2.2.2 255.255.255.0
    Consider Subnet Y.Y.Y.Y in the Global and you want to have it accessible from the VRF!
    configure this:  (ip route vrf X  y.y.y.y y.y.y.y.y G0/1 Global)
    Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
    You Can then redistribute the Global static into the Eigrp as below:
    router eigrp 1
     no auto-summary
     redistribute static metric 1 1 1 1 1
    HTH
    Mohamed

  • VRF v/s VRFLite

    Hi,
    What is the difference between vrf and vrfLite? Any examples where these can be used?

    Hi Jon,
    In addition to your awesome explanation, I would like to add that technically, there is no difference between a VRF and a VRF-lite. The difference lies in how you use it. The naming is unfortunate: while VRF is a technology, VRF-lite is a particular way of using that technology, with the other "style" of using it (using, say, MPLS) having no special name on its own.
    A VRF is a standalone routing table with its own set of interfaces that are associated with it, its own CEF instance and its own rules about populating and sharing its contents. Only interfaces associated with a particular VRF can communicate with each other (provided that by normal routing rules, a packet entering one of this set of interfaces has its destination reachable via another interface in this set, and this destination is properly recorded in the VRF). Interfaces in different VRFs in general cannot talk to each other. There are some specific exceptions but let's keep things simple for now. I like to tell my students that VRFs are to routers what VLANs are to switches. They both allow you to create multiple virtual devices on top of the physical device. With VLANs, you virtualize a single switch into multiple virtual switches. With VRFs, you virtualize a single router into multiple virtual routers.
    If you use a VRF exactly like this, however, then you have VRF-lite. In a way similar to switches and VLANs, you group a set of interfaces into a VRF and thereby limit their mutual visibility just to them alone, isolating them from all other interfaces on the router.
    On switches, VLANs would have only limited usability if there was no concept of trunks and trunking. Similarly, on routers, VRFs in the "VRF-lite way of usage" would be hardly usable if there was no concept of using multiple VRFs at once on a single router, allowing all VRFs to send packets out the same "trunk" interfaces out a router and receive packets back while still being able to tell the packets apart and know which packet goes into which VRF. This would constitute the full VRF implementation as opposed to just VRF-lite where you can still use multiple VRFs but to distinguish outgoing and incoming packets, you use a totally separate set of interfaces or subinterfaces.
    Interestingly enough, as opposed to switches where trunking is mandated by a standard, there is no such simple thing with VRFs. Traditionally, MPLS has been used as the technology that allows carrying packets from multiple VRFs over a single interface of a router, using different label values for different networks in different VRFs and thereby keeping them distinguishable. Recently, the LISP protocol has started leveraging the instance ID field in its headers, allowing to assign a unique instance ID to a VRF, thereby again allowing to distinguish between packets belonging to different VRFs. So when VRFs are tied together with MPLS, LISP or any other technology that allows to uniquely mark and distinguish packets as belonging to a particular VRF, we have the full VRF implementation.
    So to wrap it up, both VRF and VRF-lite are built on the same premise: have a separate routing table or tables (i.e. VRFs) created on your router and unique interfaces associated with them. If you remain here, you have VRF-lite. If you couple VRFs with a technology such as MPLS or LISP to communicate with other routers having similar VRFs while allowing to carry all traffic via a single interface and being able to tell the packets apart, you have a full VRF.
    Lots of simplifications here but perhaps it helps.
    Best regards,
    Peter
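
Added example, not part of the original posts and not Cisco's implementation: a simplified Python model of the per-VRF lookup described in the reply above, extended to the `ip route vrf ... global` static leak that other threads on this page use. Interface names, VRF names A and B and all addresses are constructed; the model ignores CEF, ARP and NAT.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

GLOBAL = "global"  # label used in this model for the non-VRF routing table


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_if: Optional[str] = None    # egress interface (connected or interface static)
    next_hop: Optional[str] = None  # next-hop address for recursive statics
    nh_table: Optional[str] = None  # table that resolves next_hop; None = same table


class Router:
    """Toy model: every interface belongs to exactly one routing table."""

    def __init__(self):
        self.if_table = {}          # interface name -> table name
        self.tables = {GLOBAL: []}  # table name -> list of Route

    def add_interface(self, name, cidr, vrf=GLOBAL):
        # Binding an interface to a VRF puts its connected route in that table only.
        self.if_table[name] = vrf
        net = ipaddress.ip_interface(cidr).network
        self.tables.setdefault(vrf, []).append(Route(net, out_if=name))

    def add_static(self, table, prefix, out_if=None, next_hop=None, nh_table=None):
        if out_if is None and next_hop is None:
            raise ValueError("a static route needs an interface or a next hop")
        route = Route(ipaddress.ip_network(prefix), out_if, next_hop, nh_table)
        self.tables.setdefault(table, []).append(route)

    def _resolve(self, table, dst, depth=0):
        if depth > 8:               # guard against recursive-route loops
            return None
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.tables.get(table, []) if addr in r.prefix]
        if not hits:
            return None             # no route in this table: packet is dropped
        best = max(hits, key=lambda r: r.prefix.prefixlen)  # longest-prefix match
        if best.out_if is not None:
            return best.out_if
        return self._resolve(best.nh_table or table, best.next_hop, depth + 1)

    def forward(self, in_if, dst):
        """Egress interface for a packet arriving on in_if, or None if dropped."""
        return self._resolve(self.if_table[in_if], dst)

    def crossings(self, probes):
        """Probes (in_if, dst) whose egress interface sits in a different table."""
        found = []
        for in_if, dst in probes:
            out_if = self.forward(in_if, dst)
            if out_if and self.if_table[out_if] != self.if_table[in_if]:
                found.append((in_if, dst, out_if))
        return found


def build_demo():
    # Constructed topology: one global interface, two VRFs with an overlapping subnet.
    r = Router()
    r.add_interface("Gi0/1", "10.0.0.1/24")              # global table
    r.add_interface("Gi0/2", "192.168.1.1/24", vrf="A")
    r.add_interface("Gi0/3", "192.168.2.1/24", vrf="A")
    r.add_interface("Gi0/4", "192.168.1.1/24", vrf="B")  # same subnet as Gi0/2
    r.add_interface("Gi0/5", "192.168.3.1/24", vrf="B")
    return r


def add_leak(r):
    # VRF A -> global, modelled on the "ip route vrf <name> ... <next-hop> global"
    # form quoted on this page: the next hop is resolved in the global table.
    r.add_static("A", "172.16.0.0/16", next_hop="10.0.0.2", nh_table=GLOBAL)
    # Return path: a global static pointing at the VRF A interface.
    r.add_static(GLOBAL, "192.168.1.0/24", out_if="Gi0/2")
    return r


# Constructed probe set: (ingress interface, destination address).
PROBES = [
    ("Gi0/2", "192.168.2.10"),  # inside VRF A
    ("Gi0/2", "192.168.3.10"),  # VRF A towards a subnet that exists only in VRF B
    ("Gi0/5", "192.168.1.10"),  # VRF B towards the overlapping subnet
    ("Gi0/2", "172.16.5.5"),    # VRF A towards a network behind the global table
    ("Gi0/1", "192.168.1.10"),  # global towards VRF A
    ("Gi0/5", "172.16.5.5"),    # VRF B towards the same global network
]

if __name__ == "__main__":
    router = build_demo()
    for probe in PROBES:
        print(probe, "->", router.forward(*probe))
    print("crossings before leak:", router.crossings(PROBES))
    add_leak(router)
    print("crossings after leak: ", router.crossings(PROBES))
```

Each entry `crossings` reports after `add_leak` is a flow that now leaves its own table, which is where an ACL or firewall rule has to take over from the isolation the VRF used to provide; VRF B stays isolated because no leak route was added to it.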

  • VRF on 3750

    Hi
    I have a single 3750 in a lab with one VRF
    I am trying to route traffic from the global space to a host in the VRF but I cannot get it to work. The relevant config is as follows, I cannot figure why this will not work. Any suggestions?
    IOS is IPservices 12.2.55.
    ip vrf Cust1
    interface Vlan2
     ip vrf forwarding Cust1
     ip address 10.0.2.1 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 10.0.0.2
    ip route 10.0.2.0 255.255.255.0 Vlan2
    ip route vrf Cust1 0.0.0.0 0.0.0.0 10.0.0.2 global

    Don't know whether this is a limitation of the 3750s but I just tested your configuration on a L3 switch and it worked fine for me. (I was using a simulator though).
    I don't want to insult your intelligence but just have to check, you do have a route on the router for the 10.0.2.0/24 subnet ?
    If so then can you run debugs on the router to see if packets are arriving as that at least would tell you if the traffic was leaving the VRF.
    Jon

  • Can't apply policy route-map on C3750 stack vlan interface

    Hi All.
    I've come up with this problem and I could see some people have had the same issue. I've tried to overlook and check other replies but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
    2 x WS-C3750G-24T-E in stack
    Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
    switch#sh sdm prefe
    The current template is "desktop IPv4 and IPv6 routing" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  1.5K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    2.75K
        number of directly-connected IPv4 hosts:        1.5K
        number of indirect IPv4 routes:                 1.25K
      number of IPv6 multicast groups:                  1.125k
      number of directly-connected IPv6 addresses:      1.5K
      number of indirect IPv6 unicast routes:           1.25K
      number of IPv4 policy based routing aces:         0.25K
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 0.5K
      number of IPv6 policy based routing aces:         0.25K
      number of IPv6 qos aces:                          0.5K
      number of IPv6 security aces:                     0.5K
    There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map I can apply a policy route-map to Vlan5 and it accepts without any errors. But when you do sh run vlan5 the command is not there, it's not applied.
    Any help will be appreciated.
    Thanks.

    Hi Jon.
    Thanks for your reply. I didn't put those configs as they're basic without use of VRF and WCCP. Also I've checked or tried to find the list of unsupported commands and didn't see them in that list. See config below with some extras:
    track 11 rtr 1 reachability
    track 22 rtr 2 reachability
    ip routing
    no ip dhcp use vrf connected
    interface GigabitEthernet1/0/1
     description ISP1
     no switchport
     ip address 9.9.9.2 255.255.255.252
     no ip proxy-arp
     no ip mroute-cache
     speed 100
     duplex full
     ipv6 address 2B01:4B8:0:3::2/64
     ipv6 ospf 1 area 0
     no mdix auto
     no cdp enable
    interface GigabitEthernet2/0/1
     description ISP2
     no switchport
     ip address 9.9.9.5 255.255.255.252
     ip ospf cost 10000
     speed 1000
     duplex full
     ipv6 address 2B01:4B8:0:7::2/64
     ipv6 enable
     ipv6 ospf cost 10000
     ipv6 ospf 1 area 0
    interface Vlan5
     description Company Ext Subnet
     ip address 9.9.8.1 255.255.255.128
     no ip proxy-arp
     no ip mroute-cache
     ipv6 address 2B01:4B8:1:22::1/64
     ipv6 ospf 1 area 15
    access-list 111 permit tcp any any eq www
    route-map pbr1 permit 10
     match ip address 111
     set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
    route-map pbr1 permit 20
     set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
    route-map pbr2 permit 10
     match ip address 111
     set ip next-hop verify-availability 9.9.9.6 1 track 11
     set ip next-hop 9.9.9.1
    route-map pbr2 permit 20
     set ip next-hop verify-availability 9.9.9.1 1 track 22
     set ip next-hop 9.9.9.6
    I've tried to apply both policies pbr1 and pbr2, it allowed to do that without errors but at the end it wasn't there.
    Cheers,

  • How many VRFs support a SUP7E

    Hello,
    I have a customer that wants to change his CORE devices, he is concerned about the VRFs instances that he can configure, I know that in the SUP2T from the 6500 supports 8,192 VRFs:
    MPLS in hardware to enable use of Layer 3 VPNs and EoMPLS tunneling. Up to 8192 VRFs with a total of up to 256K* forwarding entries per system.
    According to the next link:
    http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-supervisor-engine-2t/data_sheet_c78-648214.html
    I want to make a comparison between a 6500 with SUP2T and a 4500 with SUP7E but I can't find anything about the VRFs instances in the SUP7E.
    Could anyone please help me answering that question???
    Thanks a lot

    This is the problem. The customer has 2 4507 with SUP-V I think and he want to upgrade. He asked me about one 6509 with SUP2T but I suggested to upgrade to 4507R+E with SUP7E and VSS, I think that the budget of the customer is low...
    He needs at least 4 modules of 48 ports so he can receive all their customers. Regarding SUP7 vs SUP8 the main difference is that the SUP8 supports WLC in the module, and has more switching capacity (928 Gbps vs 848 Gbps of the SUP7).
    Thanks again
    Let me send a copy of the configuration:
    CORE-SWITCH#show run
    Building configuration...
    Current configuration : 77236 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service compress-config
    hostname CORE-SWITCH
    boot-start-marker
    boot system flash bootflash:cat4500-entservicesk9-mz.122-31.SGA9.bin
    boot-end-marker
    ip vrf TMX1
    ip vrf TMX2
    ip vrf TMX3
    ip vrf TMX4
    interface Vlan51
     description TMX1
     ip vrf forwarding TMX1
     ip address 192.168.150.65 255.255.255.240
    interface Vlan52
     description TMX2
     ip vrf forwarding TMX2
     ip address 192.168.150.113 255.255.255.240
    As you can see the configuration is so simple, I copy only the VRF side so you can see the VRF configuration that he is doing, as far as I know this is VRF-LITE, BTW he has a lot of static routing with VRFs

  • Sub interface privilege level?

    For the life of me, I cannot get my users to be able to create & edit subinterfaces using privilege levels
    This is my current privilege setup
    privilege ip-vrf level 7 rd
    privilege vpdn-group level 7 description
    privilege interface level 7 pvc
    privilege interface level 7 tunnel mode
    privilege interface level 7 tunnel destination
    privilege interface level 7 tunnel source
    privilege interface level 7 tunnel
    privilege interface level 7 atm-dxi pvc
    privilege interface level 7 atm-dxi
    privilege interface level 7 atm pvc
    privilege interface level 7 atm
    privilege interface level 7 service-policy
    privilege interface level 7 ip access-group
    privilege interface level 7 ip address
    privilege interface level 7 ip vrf forwarding
    privilege interface level 7 ip vrf
    privilege interface level 7 ip
    privilege interface level 7 encapsulation
    privilege interface level 7 description
    privilege configure level 7 ip route
    privilege configure level 7 ip local pool
    privilege configure level 7 ip local
    privilege configure level 7 interface
    privilege configure level 7 policy-map
    privilege configure level 7 ip vrf
    privilege configure level 7 ip
    privilege exec level 7 copy running-config startup-config
    privilege exec level 7 copy running-config
    privilege exec level 7 copy
    privilege exec level 7 telnet
    privilege exec level 7 write memory
    privilege exec level 7 write
    privilege exec level 7 traceroute
    privilege exec level 1 ping atm interface
    privilege exec level 1 ping atm
    privilege exec level 1 ping
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show policy-map
    privilege exec level 1 show vpdn session
    privilege exec level 1 show vpdn tunnel
    privilege exec level 1 show vpdn
    privilege exec level 1 show ip route
    privilege exec level 1 show ip
    privilege exec level 1 show users
    privilege exec level 1 show version
    privilege exec level 7 show startup-config
    privilege exec level 1 show running-config
    privilege exec level 1 show
    privilege exec level 7 clear interface
    privilege exec level 7 clear

    That command isn't valid my friend
    XXX-rtr-08(config)#privilege mode ?
    % Unrecognized command
    XXX-rtr-08(config)#privilege mode ^Z ^
    % Invalid input detected at '^' marker.
    XXX-rtr-08#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(6a), RELEASE SOFTWARE (fc4)

  • How to configure VRF in IOS XR

    Hello Folks,
    I know this, is this correct?
    Can we configure rd in ios xr? I am unable to find it.
    I found somewhere that IOS XR by default uses vrf.
    vrf vrf_cu1
    interface interface-type1
    interface interface-type2
    addipv4 uni
    route-target import 1:1
    route-target export 1:1
    Regards
    Thanveer
    "Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."       

    Thanks Harold,
    I have a creepy doubt now.
    Think I have a scenario
                    R4
                     |
                     |
    R1------->R2<-------R3
                     |
                     |
                    R5
    Here I want R1 to communicate with R3
    and             R4  to communicate with R5
    I have put interfaces going to R1 and R3 in vrf_1
    and the interfaces going to R4 and R5 in vrf_2 in R2
    Now R2 has protocol for R1 and R3 as ospf
    and for R4 and R5 also has the same.
    R2 is bgp free and where do I have my RD configured? How the router R2 distinguishes between two vrfs
    Does it do automatically?
    For the Scenario in which I have bgp and If I do not configure RD, does the router take it automatically or I must and should configure RD?
    I am unable to catch the point why We need to configure RD in bgp addressfamily for VRF
    Regards
    Thanveer
    "Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

  • OTV with multiple VRFs

    Hi,
    we want to deploy OTV in order to interconnect 2 active/active DCs , but we have multiple VRFs classifying the different SVIs (VLANs). We have 2 Nexus 7706 in each DC.
    We would like to know if this would be supported.
    Example
    VRF A --> Has SVI Vlan1,2
    VRF B --> Has SVI Vlan3,4
    The join interface, Po100, would be virtualized into as many logical sub-interfaces as we have VRFs, so:
    int Po100.1 
    vrf member A
    int Po100.2 
    vrf member B
    and then configure 2 overlay interfaces in the same switch.
    interface overlay 1
    otv join-interface po100.1
    otv extend-vlan 1-2 --> SVI in VRF A
    interface overlay 2
    otv join-interface po100.2
    otv extend-vlan 3-4 --> SVI in VRF B
    Traffic is always segregated and the VRF configuration is maintained. Note that the configuration only shows the VRF part and is not complete.
    Is this setup supported? In order to support VRFs, should we do it differently? Here we are only showing one switch configuration, and we would like to know if we would be able to load balance, as we have 2 Nexus per DC.
    Thanks a lot.
    Regards,
    J

    Hmm,
    I think you're overcomplicating it. OTV maintains separation at the layer 2 level. Just extend VLANs 1-4 over the OTV tunnel and apply the VRFs to the SVIs (layer 3) on the other side and you're done. Unless there are more than two datacenters in the mix, I'm not sure why you would want to maintain two separate overlays.
    ~jerry

  • ZBFW design with vrf

    Hello,
    I am preparing a ZBFW design with 400+ ISR/ASR remote routers, FlexVPN and 1 VRF. Each router has a tunnel for visitors and another tunnel for normal users. Config below. In the documentation, I read "All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance".
    There is no need to communicate between the visitor VRF and the GRT, but both use the common WAN zone on Gigabit 0/0 and Gigabit 0/2 to communicate with central.
    My question: can I put all 4 tunnel interfaces below in the same zone: vpn?
    ip vrf Visitors
    interface Tunnel1111
    description === FlexVPN to nrtc102 (DC1 AVC - primary line) ===
    ip unnumbered Loopback1
    ip mtu 1380
    ip tcp adjust-mss 1340
    tunnel source GigabitEthernet0/0
    tunnel destination 10.255.117.104
    tunnel protection ipsec profile Primary-line
    interface Tunnel1112
    description === FlexVPN to nrtc102 (DC1 AVC - Secondary line) ===
    ip unnumbered Loopback2
    ip mtu 1380
    ip tcp adjust-mss 1340
    tunnel source GigabitEthernet0/2
    tunnel destination 10.255.117.105
    tunnel protection ipsec profile Secondary-line
    interface Tunnel1113
    description === FlexVPN to nrtcDMZ (DC1 - visitors - primary line) ===
    ip vrf forwarding Visitors
    ip unnumbered Loopback3
    ip mtu 1380
    ip tcp adjust-mss 1340
    tunnel source GigabitEthernet0/0
    tunnel destination 10.255.112.104
    tunnel protection ipsec profile Primary-line-visitors
    interface Tunnel1114
    description === FlexVPN to nrtcDMZ (DC1 - visitors - Secondary line) ===
    ip vrf forwarding Visitors
    ip unnumbered Loopback4
    ip mtu 1380
    ip tcp adjust-mss 1340
    tunnel source GigabitEthernet0/2
    tunnel destination 10.255.112.105
    tunnel protection ipsec profile Secondary-line-visitors
    interface
    Many thanks Karien

    Hello Karien,
    Not sure I get the question.
    The definition you are looking for, I guess, is this one:
    A router can only inspect inter-VRF traffic if traffic must enter or leave a VRF through an interface to cross to a different VRF. If traffic is routed directly to another VRF, there is no physical interface where a firewall policy can inspect traffic, so the router is unable to apply inspection.
    Based on that, I would say that on each VRF there will need to be a dedicated security zone applied.
    I will try to run a lab real quick tomorrow and get back to you.
    Remember to rate all of the helpful posts. That's as important as a Thanks.
    Julio Carvajal Segura
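
A check for the documentation rule quoted in the question ("All interfaces in a zone must belong to the same VRF"), as an added example that is not part of the thread: it parses IOS-style configuration and reports any security zone whose member interfaces are spread over more than one VRF. The zone name `vpn`, the `zone-member security` lines and the `show running-config` layout of the sample are assumptions built around the four tunnels in the question.

```python
import re
from collections import defaultdict

GLOBAL = "<global>"  # label for interfaces in the global routing table

# Constructed sample in "show running-config" layout: the four tunnels from
# the question, all placed in one zone. The zone-member lines are assumed.
SAMPLE_CONFIG = """\
interface Tunnel1111
 ip unnumbered Loopback1
 zone-member security vpn
!
interface Tunnel1112
 ip unnumbered Loopback2
 zone-member security vpn
!
interface Tunnel1113
 ip vrf forwarding Visitors
 zone-member security vpn
!
interface Tunnel1114
 ip vrf forwarding Visitors
 zone-member security vpn
!
"""

def zone_membership(config):
    """Return {zone: {vrf: [interfaces]}} parsed from IOS-style config text."""
    zones = defaultdict(lambda: defaultdict(list))
    iface, vrf, zone = None, GLOBAL, None
    # A trailing "!" guarantees the last interface stanza is flushed.
    for line in config.splitlines() + ["!"]:
        if line.startswith(" ") and iface:
            m = re.match(r"\s+(?:ip )?vrf forwarding (\S+)", line)
            if m:
                vrf = m.group(1)
            m = re.match(r"\s+zone-member security (\S+)", line)
            if m:
                zone = m.group(1)
            continue
        # Any non-indented line closes the current interface stanza.
        if iface and zone:
            zones[zone][vrf].append(iface)
        m = re.match(r"interface (\S+)", line)
        iface, vrf, zone = (m.group(1) if m else None), GLOBAL, None
    return zones

def mixed_vrf_zones(config):
    """Zones whose member interfaces sit in more than one VRF."""
    return {z: sorted(v) for z, v in zone_membership(config).items() if len(v) > 1}

if __name__ == "__main__":
    for zone, vrfs in mixed_vrf_zones(SAMPLE_CONFIG).items():
        print(f"zone {zone} mixes VRFs: {', '.join(vrfs)}")
```

Run against the sample, it flags zone `vpn` as mixing the global table and `Visitors`; moving the two visitor tunnels into a zone of their own clears the finding.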
