Maximum VRF n VFI
Hello there. What is the maximum number of VRFs and VFIs supported on Cisco? What is the best selection for the PE position: Catalyst or router? Thanks anyway... :)
Hi,
Refer Link below for MPLS VPN and Multi-Virtual Route Forwarding Support for Cisco ISR:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6557/prod_white_paper0900aecd8051fbdc.html
Hope I am informative.
Pls RATE if HELPS
Best Regards,
Guru Prasad R
Similar Messages
-
[solved]VPLS can not activate
Hello guys,
I met a pretty strange problem. I use the ME3600X to test VPLS, and I can't activate the VFI. It says "Maximum number of VFIs 0 have been configured."
The other ME3600X has no problem at all.
Does anyone know where the problem is?
The two ME3600X have exactly the same license and IOS version.
thanks!
3600-1(config)#l2 vfi test autodiscovery
Maximum number of VFIs 0 have been configured.
=========================
Cisco IOS Software, ME360x Software (ME360x-UNIVERSALK9-M), Version 15.2(2)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 22-May-12 21:21 by prod_rel_team
ROM: Bootstrap program is WHALES boot loader
BOOTLDR: ME360x Boot Loader (ME360X-HBOOT-M), Version 12.2 [sourdutt-loader_release_ledfix 100]
3k1.me.rd uptime is 1 hour, 48 minutes
System returned to ROM by power-on
System restarted at 16:05:39 UTC Thu Aug 23 2012
System image file is "flash:/me360x-universalk9-mz.152-2.S1/me360x-universalk9-mz.152-2.S1.bin"
Last reload reason: Unknown reason
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
License Level: AdvancedMetroIPAccess
License Type: Permanent
Next reload license Level: AdvancedMetroIPAccess
cisco ME-3600X-24FS-M (PowerPC8572) processor (revision A0) with 1015808K/32760K bytes of memory.
Processor board ID FOC1615V1AY
Last reset from power-on
2 Virtual Ethernet interfaces
25 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
1536K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : F4:EA:67:B2:C1:80
Motherboard assembly number :
Motherboard serial number :
Model revision number : A0
Motherboard revision number : B0
Model number : ME-3600X-24FS-M
System serial number :
Top Assembly Part Number : 800-32951-01
Top Assembly Revision Number : B0
Version ID : V01
CLEI Code Number :
Configuration register is 0xF
==================================================================================
Cisco Bug CSCua05375, just change the sdm config to "default".
-
Maximum number of interfaces per vrf
Hi, is there a limit or maximum number of interfaces / sub-interfaces which I could associate with a single VRF? The box is a Cisco 10000. Thanks.
Hi,
The limit is the max number of (sub)interfaces or idb the box can handle.
HTH
Laurent. -
Maximum number of routes per vrf on SUP720-3BXL
Hello,
What are the limits for the max number of routes in one VRF on the SUP720-3BXL? Thanks for answers.
Davor,
The datasheet refers to 1024 VRFs with 700 routes each (tested numbers), but this is just an example, as you could, in principle, have any combination of # VRFs * routes/VRF that would equal 700K routes (i.e. 2 VRFs * 350K routes or 1 VRF * 700K routes).
I say in principle because I have never seen a customer requesting support for that many routes and have never tested it either.
http://www.cisco.com/en/US/products/hw/modules/ps4835/products_data_sheet09186a0080159856.html
Hope this helps, -
Hi Guys,
I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate a multi-tenancy situation with overlapping addresses. Unfortunately, in this particular scenario we have to stick with 5525x firewalls.
The ASAs are going to be placed in the north-south traffic path between 2 routers, and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets (we are not looking at NAT as a workaround for the time being).
As we know, this ASA model won't support VRFs, so we can't use the ASA as an intermediary routing hop and therefore this is not an option, and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by the top and bottom routers), I should be able to go up to a maximum of 50 VRFs (since the 5525x only supports 200 VLANs).
I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
So I need to clarify following with you guys..
1) Can I actually do this, or am I missing something?
2) Are there any limitations that I might run into with this setup?
3) Is there anyone out there who's doing the same thing, or can you think of a better way to tackle this scenario (with the same hardware and requirements)?
4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
Appreciate your input.
Thanks
Shamal
There is a limitation on how many contexts you can have, which depends on the license you have. This is quite possible with ASA multi routed mode and even with multi transparent mode. You can have overlapping IPs in each context without the need to use NAT, as long as you have a unique MAC address for each sub-interface.
Thanks -
Is there a limit to the number of static routes one could use within a VRF?
We have a large customer connected to an MPLS VRF-based backbone, and due to various limiting factors this customer uses static routing from a PE-CE perspective.
We have been experiencing a problem where a static needs to be removed and placed back, as routing to a site stops (no traffic passed); this happens intermittently and to different sites within different regions as well. All the general or expected troubleshooting procedures have been followed, i.e. checking the routing table, BGP, CEF tables, FIB etc. All seems fine; the only thing that resolves this is removing the static and then replacing it.
My thinking is that there might be a limit to the number of statics that one can use within a VRF and that we have reached the limit for this customer, which causes the intermittent failure.
Please advise.
I know of a "maximum routes limit" command to limit the number of routes in a VRF on a PE.
From this command reference i find there are no default values for this.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_r/xrfscmd3.htm#1032272
So I assume the default is to allow a huge value, and the only limitations would be the memory/capacity and the number of VRFs on the PE router.
If you are experiencing a problem in this regard and removing a static route is helping to overcome it, then I would only suspect a bug here.
I am also curious to know how many static routes you have in this particular VRF. -
Can I run static NAT44 in default VRF without ISM or VSM module?
I have to configure static NAT (1 IP to 1 IP NAT44) in the default VRF. I don't want to buy ISM/VSM and a CGv6 licence.
The traffic will be very low (maximum 10000 sessions per second). I don't want to place a new router. The ASR9k has firmware version 4.2.1.
Can I run static NAT44 in the default VRF without an ISM or VSM module?
Hi Tomasz,
unfortunately no; even at very low speed, we cannot perform NAT tasks on the ASR9000 without a service card.
Kind regards,
N. -
How many VRF-Lite Routing Instances can a 6509-E with a 720-Sup module run?
I know that a 4500-style switch supports a maximum of 64 VRF-Lite routing instances. However, what is the maximum number of VRF-Lite routing instances a 6509-E switch can support with a Sup-720 supervisor module?
The Sup 720 supports 1024 VRF-Lite instances.
see table-1 in this link:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_data_sheet09186a0080159856.html
HTH -
Command to clear the bgp vrf table.
Hi,
I want to clear the BGP table on this VRF. Here is what it looks like:
address-family ipv4 vrf mj
redistribute connected
neighbor 12.12.12.12 remote-as 1111
neighbor 12.12.12.12 activate
neighbor 12.12.12.12 send-community
neighbor 12.12.12.12 as-override
neighbor 12.12.12.12 soft-reconfiguration inbound
neighbor 12.12.12.12 route-map customer in
neighbor 12.12.12.12 route-map vpn-routes out
neighbor 12.12.12.12 maximum-prefix 1000
neighbor 13.13.13.13 remote-as 65222
neighbor 13.13.13.13 activate
neighbor 13.13.13.13 send-community
neighbor 13.13.13.13 remove-private-as
neighbor 13.13.13.13 soft-reconfiguration inbound
neighbor 13.13.13.13 route-map a-in in
neighbor 13.13.13.13 route-map a-out out
neighbor 13.13.13.13 maximum-prefix 1000
no auto-summary
no synchronization
exit-address-family
I would like to confirm that the command to clear this VRF, where the ASN is 1110, is:
clear ip bgp vrf mj ipv4 unicast 1110 soft
Please advise,
InternetB.
Hi Shivlu,
To confirm, since my ASN is 1110, the 200 should be replaced with my ASN number of 1110, right?
Thank you,
InternetB. -
Maximum OSPF processes on a router?
What is the maximum number of OSPF processes that a router can run? In a book I read the following:
"when provisioning for PE-to-CE connectivity, it is important to bear in mind that the current IOS implementation provides a maximum of 32 protocol descriptor blocks (PDBs) per PE router.
One PDB is used per protocol instance, including static and connected.
If OSPF is used for PE-CE connectivity, separate OSPF processes are required (1 per VRF), and 1 PDB is used per VRF where you run an OSPF process."
So does that mean that only 32 OSPF processes can be run on a single router? If someone can confirm this, I would appreciate it!
Thanks
Yes, that is true. Actually, in an MPLS/VPN environment a PE is using "directly connected", "static", an IGP (e.g. IS-IS) and MP-BGP. So finally there are 28 processes left for OSPF. Whether one would be very happy with a router trying to run 28 SPF concurrently is another question ... so in my opinion this is not really such a big deal. "Only 32" is relative ...
kind regards
Martin -
Multi-vrf CE/vrf lite Instances
I'm currently looking at deploying VRF-Lite on our CEs, but I'm unable to locate the limitations on how many instances can be run. I realise that on the low-end CEs (1700, 2600) the limitation is 5 instances. Are there any other CE-related devices that can run more instances; if so, how many, and which devices?
Regards
Mark
Hi,
The 5 instances restriction comes from the "Designing MPLS Extensions for Customer Edge Routers" product bulletin. The following excerpt from that document is:
Conclusions
In order to ensure that their data is kept private while traveling across a Service Providers network, customers are presented many VPN options to suit their needs. This paper has focused on one particular type of VPNs: MPLS-VPNs. A general description was outlined for MPLS-VPNs in order to discuss the new feature in Cisco IOS release 12.2: Multi-VRF CE.
Multi-VRF CE extends limited PE functionality to CE devices by allowing the traditional LAN network behind a CE router to be segmented into separate VRFs. With this feature, the CE router is now able to segment its LAN traffic into a maximum of 5 separate VRFs.
So, I'm not sure whether this is just a standard feature set for all models, or whether this particular feature has been upgraded to support more VRFs, which, as you say, will require the appropriate capacity.
Regards
Mark -
Hello guys. I am thinking of using VRF-Lite on a CE for IP separation, but I want to know the limit on the number of VRFs allowed when using VRF-Lite (I am using a 7206 as CE).
Theoretically yes, but you will still be constrained by how much memory you have in the router and the maximum number of interfaces (both physical and logical) or, more accurately, IDBs (interface descriptor blocks) supported by the IOS version. Different platforms and different IOS versions have different IDB limits. Every interface is allocated an IDB, either a hardware IDB (for physical interfaces) or a software IDB (for logical interfaces, i.e. subinterfaces).
IDBs consume memory, as do routes, as do VRFs, as do the different features you turn on.
Also, once IDBs are allocated, the memory remains allocated until the router is reloaded. That is why subinterfaces aren't completely removed from the router until a reload after you delete them from the config.
Depending on the IOS version, you can use the "show idb" command to see your IDB allocation on the box. Also, the following link talks about what IDBs are and the limits per platform.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a0080094322.shtml
Jay -
I'm just starting to learn about route leaking today, so I'm still trying to figure this out.
In short, I've created three VLANs, put them in a VRF, and would like them to access the internet. At this point, I have the VRF created, VLANs assigned, and a global route leaked from the VRF to the gateway of last resort. A machine in the VRF is able to ping all three VLAN gateways, but still cannot get to the internet.
I have everything on a 6509 core switch, and my firewall is an ASA 5505. I've also tried putting routing configs in using EIGRP, but the VRF networks never made it to the ASA. Attached are my configs on both. If anyone could help me with what I'm missing, that would be great. Thanks!
**** 6509 Config ****
lab-core6509#sh run
Building configuration...
Current configuration : 22128 bytes
! Last configuration change at 17:31:43 pst Tue Jan 7 2014 by rmf
! NVRAM config last updated at 12:30:19 pst Tue Jan 7 2014 by rmf
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
service counters max age 5
hostname lab-core6509
boot-start-marker
boot system flash disk0:s72033-ipservicesk9_wan-mz.122-33.SXI.bin
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone pst -8
clock summer-time PDT recurring
clock calendar-valid
ip subnet-zero
ip dhcp excluded-address 192.168.80.1 192.168.80.9
ip dhcp pool 192.168.80.0/24
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
domain-name procopio-guest.com
dns-server 8.8.8.8
ip vrf bingfish
rd 123:1
ip domain-name company.local
mls ip slb purge global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action reset
spanning-tree mode pvst
diagnostic bootup level minimal
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric timer 15
redundancy
main-cpu
auto-sync running-config
mode sso
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface Port-channel10
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet1/1
switchport
switchport access vlan 500
switchport mode access
spanning-tree portfast edge
~SNIP~ (I don't think anyone cares about all the interface configs!)
interface Vlan510
description voice server net
ip address 10.90.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan666
ip address 10.90.253.1 255.255.255.0
interface Vlan851
description bingfish client net
ip vrf forwarding bingfish
ip address 10.249.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan852
description bingfish server net
ip vrf forwarding bingfish
ip address 10.249.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan853
description bingfish management net
ip vrf forwarding bingfish
ip address 10.249.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan901
description guest network
ip address 192.168.80.1 255.255.255.0
ip access-group guest-net in
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan912
description internet perimeter
ip address 10.91.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface Vlan999
description management net
ip address 10.90.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
router eigrp 200
network 10.0.0.0
address-family ipv4 vrf bingfish
autonomous-system 99
network 10.249.1.0 0.0.0.255
network 10.249.2.0 0.0.0.255
network 10.249.3.0 0.0.0.255
redistribute static metric 10000 100 255 1 1500
exit-address-family
ip classless
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
no ip http server
no ip http secure-server
ip access-list extended guest-net
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
control-plane
dial-peer cor custom
line con 0
exec-timeout 30 0
line vty 0 4
exec-timeout 30 0
line vty 5 15
exec-timeout 30 0
ntp logging
ntp authenticate
ntp trusted-key 10
ntp clock-period 17179851
ntp source Vlan500
ntp master
ntp server 10.90.1.50 prefer
end
**** ASA 5505 Config ****
lab-5505asa# sh run
: Saved
ASA Version 8.2(5)
hostname lab-5505asa
domain-name company.local
names
dns-guard
interface Ethernet0/0
description inside
interface Ethernet0/1
description outside
switchport access vlan 2
interface Ethernet0/2
description dmz
switchport access vlan 4
speed 100
duplex full
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.91.1.2 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.128
ospf cost 10
interface Vlan4
nameif DMZ
security-level 50
ip address 172.16.35.1 255.255.255.0
ospf cost 10
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name company.local
object-group service DM_INLINE_SERVICE_1
service-object tcp eq domain
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host 10.90.1.10
network-object host 10.90.1.11
object-group network DM_INLINE_NETWORK_2
network-object host <outside ip>
network-object host<outside ip>
object-group service DM_INLINE_SERVICE_2
service-object tcp eq domain
service-object udp eq domain
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq 3008
port-object eq 3010
port-object eq ssh
object-group network DM_INLINE_NETWORK_3
network-object 216.9.240.0 255.255.240.0
network-object 68.171.224.0 255.255.224.0
object-group service DM_INLINE_TCP_4 tcp
port-object eq 3268
port-object eq 3269
port-object eq ldap
port-object eq ldaps
object-group network DM_INLINE_NETWORK_6
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_7
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_8
network-object host 172.16.36.45
network-object host 172.16.36.46
object-group service DM_INLINE_TCP_6 tcp
port-object eq 2598
port-object eq citrix-ica
port-object eq www
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_4
network-object host<outside ip>
network-object host <outside ip>
network-object host <outside ip>
object-group network DM_INLINE_NETWORK_5
network-object host 172.16.35.12
network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_10
network-object host 172.16.36.15
network-object host 172.16.36.42
object-group network xenapp_servers
network-object host 10.90.1.45
network-object host 10.90.1.46
network-object host 10.90.5.54
object-group network xendesktop_servers
network-object host 10.90.1.38
network-object host 10.90.1.54
object-group network DM_INLINE_NETWORK_11
network-object host 172.16.36.10
network-object host 172.16.36.42
network-object 10.80.1.0 255.255.255.0
group-object xenapp_servers
group-object xendesktop_servers
object-group network DM_INLINE_NETWORK_9
network-object host 172.16.36.27
network-object host 172.16.36.31
object-group network DM_INLINE_NETWORK_12
network-object host 74.117.58.150
network-object host 97.95.240.159
object-group network DM_INLINE_NETWORK_13
network-object 10.90.10.0 255.255.255.0
network-object 192.168.80.0 255.255.255.0
network-object 10.249.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_14
network-object 10.90.1.0 255.255.255.0
network-object 10.90.5.0 255.255.255.0
access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_12 any log disable
access-list outside_access_in extended permit tcp any host <outside ip>eq 3389 log disable
access-list outside_access_in extended permit tcp any host<outside ip>eq smtp log disable
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable
access-list dmz_access_in extended permit ip any any log disable
access-list inside_access_in extended deny ip host 10.90.100.25 any log disable
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable
access-list inside_access_in extended permit tcp host 10.90.1.27 host 172.16.35.11 eq smtp log disable
access-list inside_access_in extended permit ip 10.80.1.0 255.255.255.0 any log disable
access-list inside_access_in extended permit tcp host 10.90.1.33 object-group DM_INLINE_NETWORK_3 eq 3101 log disable
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_14 any object-group DM_INLINE_TCP_2 log disable
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 log disable
access-list inside_access_in extended permit udp host 10.90.1.50 any eq ntp log disable
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_11 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.27 eq smtp log disable
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.35.10 host 172.16.36.10 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.11 any eq smtp log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 any object-group DM_INLINE_TCP_1 log disable
access-list DMZ_access_in remark rule for cag to owa
access-list DMZ_access_in extended permit tcp host 172.16.35.13 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_3 log disable
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.10 object-group DM_INLINE_TCP_4 log disable
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_5 log disable
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_6 log disable inactive
access-list slow-down extended permit ip 10.90.0.0 255.255.0.0 any
access-list slow-down extended permit ip any 10.90.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm warnings
logging host inside 10.90.1.65 6/1470
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 10.80.1.0 255.255.255.0
nat (inside) 1 10.90.1.0 255.255.255.0
nat (inside) 1 10.90.5.0 255.255.255.0
nat (inside) 1 192.168.80.0 255.255.255.0
nat (inside) 1 10.249.0.0 255.255.0.0
nat (DMZ) 1 172.16.35.0 255.255.255.0
static (DMZ,outside)<outside ip>172.16.35.10 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip>172.16.35.55 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip>172.16.35.50 netmask 255.255.255.255 dns
static (DMZ,outside) <outside ip>172.16.35.60 netmask 255.255.255.255 dns
static (inside,outside) <outside ip>10.90.1.21 netmask 255.255.255.255 dns
static (inside,DMZ) 172.16.36.31 10.90.1.31 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.10 10.90.1.10 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.27 10.90.1.27 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.15 10.90.1.15 netmask 255.255.255.255
static (inside,DMZ) 172.16.36.42 10.90.1.42 netmask 255.255.255.255
static (inside,DMZ) 10.90.1.0 10.90.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.80.1.0 10.80.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.90.5.0 10.90.5.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
router eigrp 200
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 209.242.145.129 1
route inside 10.0.0.0 255.0.0.0 10.91.1.1 1
route inside 10.249.0.0 255.255.0.0 10.91.1.1 1
route inside 192.168.80.0 255.255.255.0 10.91.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.90.1.50 source inside prefer
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect icmp
inspect pptp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9ba1f1f89fa1a88af05e2fc5fdba3090
: end
So it would appear I've solved it by adding a static route in the global routing table back to the subnets in the VRF:
ip classless
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route 10.249.1.0 255.255.255.0 Vlan851 <-----------------------
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
Thanks -
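The fix above is a one-way leak: the VRF's default route is resolved in the global table, but the global table had no route back to the VRF subnets, so replies were dropped. The checker below is an added example (not from the thread): it parses a constructed IOS config modelled on the posted one, flags every VRF-connected subnet that is leaked out via `global` but has no non-default return route, and prints the static routes that would close the gap. It assumes standard IOS indentation (one space before sub-commands) and treats only non-default global routes as valid return paths.

```python
"""Detect one-way VRF route leaking in a Cisco IOS config (constructed example)."""
import ipaddress
import re

# Constructed sample, modelled on the 6509 config posted above (trimmed).
BROKEN_CONFIG = """\
ip vrf bingfish
 rd 123:1
interface Vlan851
 ip vrf forwarding bingfish
 ip address 10.249.1.1 255.255.255.0
interface Vlan852
 ip vrf forwarding bingfish
 ip address 10.249.2.1 255.255.255.0
interface Vlan912
 ip address 10.91.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
"""

# Same config with the return routes the thread ended up adding.
FIXED_CONFIG = BROKEN_CONFIG + """\
ip route 10.249.1.0 255.255.255.0 Vlan851
ip route 10.249.2.0 255.255.255.0 Vlan852
"""

IFACE_RE = re.compile(r"^interface (\S+)")
VRF_FWD_RE = re.compile(r"^ ip vrf forwarding (\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)")
GLOBAL_ROUTE_RE = re.compile(r"^ip route (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) ")
LEAK_RE = re.compile(r"^ip route vrf (\S+) \S+ \S+ .*\bglobal\b")


def parse_config(text):
    """Return (vrf_subnets, global_routes, leaking_vrfs) from IOS config text."""
    vrf_subnets = {}      # vrf name -> list of (interface, connected network)
    global_routes = []    # networks with a static route in the global table
    leaking_vrfs = set()  # VRFs with a static route resolved in the global table
    iface, iface_vrf = None, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface, iface_vrf = m.group(1), None
        elif m := VRF_FWD_RE.match(line):
            iface_vrf = m.group(1)
        elif m := ADDR_RE.match(line):
            if iface_vrf:  # only interfaces inside a VRF matter here
                net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
                vrf_subnets.setdefault(iface_vrf, []).append((iface, net))
        elif m := LEAK_RE.match(line):
            leaking_vrfs.add(m.group(1))
        elif m := GLOBAL_ROUTE_RE.match(line):
            global_routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return vrf_subnets, global_routes, leaking_vrfs


def missing_return_routes(text):
    """List (vrf, interface, subnet) tuples that are leaked out but have no way back."""
    vrf_subnets, global_routes, leaking_vrfs = parse_config(text)
    # A default route sends traffic off-box; it is not a path back into the VRF.
    return_routes = [r for r in global_routes if r.prefixlen > 0]
    missing = []
    for vrf in sorted(leaking_vrfs):
        for iface, net in vrf_subnets.get(vrf, []):
            if not any(net.subnet_of(r) for r in return_routes):
                missing.append((vrf, iface, str(net)))
    return missing


def suggested_fix(text):
    """IOS static routes, one per missing subnet, pointing at the VRF interface."""
    lines = []
    for _vrf, iface, subnet in missing_return_routes(text):
        net = ipaddress.ip_network(subnet)
        lines.append(f"ip route {net.network_address} {net.netmask} {iface}")
    return lines


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        gaps = missing_return_routes(cfg)
        print(f"{label}: {len(gaps)} subnet(s) without a return route")
        for line in suggested_fix(cfg):
            print("  add:", line)
```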
VRF aware GET-VPN Group-member
Hi,
we want to configure the following on some of our routers:
3 VRF-Lite instances (before, these were 3 separate routers).
For each VRF we have to use a separate GDOI group with different PSKs.
The KS for the different GDOI groups has the same addresses (a central resource reachable from every VRF).
I know that I can configure per GDOI group a "client registration interface ...", which can be an interface in a VRF.
Configuring the same KS address for different GDOI groups seems not to be possible:
crypto gdoi group GROUP-1
identity number 1111111
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33
crypto gdoi group GROUP-2
identity number 2222222
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33
As soon as I configure the KS for GROUP-2, I get an error message that the KS is already configured.
We can configure different ISAKMP profiles (VRF aware), but the GDOI group configuration seems not to be VRF aware.
Is there a way to achieve using the same KS address for different groups in different VRFs?
Thx
Hubert
Hi Naman, I think there is a misunderstanding of my problem.
On the branch routers I have two VRFs. In each VRF I have to configure a GET VPN GM.
The KSs are on central routers in each VRF, but they have the same IP address (we use overlapping address space in both VRFs).
Configuration is like the following:
ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only
ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only
The problem is that we would have to configure two different ISAKMP PSKs for the same server address, and that's not possible:
crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.109.255.45
crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.109.255.45
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
crypto map MAP-12-SECURE-WAN local-address Loopback0
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
interface Loopback1
ip vrf forwarding VRF_10
ip address 10.10.10.45 255.255.255.252
interface Loopback1
ip vrf forwarding VRF_12
ip address 12.12.12.45 255.255.255.252
interface gig0/1.10
ip vrf forwarding VRF_10
crypto map MAP-10-SECURE-WAN
interface gig0/1.12
ip vrf forwarding VRF_12
crypto map MAP-12-SECURE-WAN
So my idea was to configure the PSKs per VRF via an ISAKMP profile (where I can define VRFs):
ip vrf VRF_10
 rd 10:0
 route-target export 10:0
 route-target import 10:0
 maximum routes 1000 warning-only
ip vrf VRF_12
 rd 12:0
 route-target export 12:0
 route-target import 12:0
 maximum routes 1000 warning-only
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
crypto keyring ISAKMP_KEY_GETVPN_10
 local-address Loopback0
 pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
 pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010
crypto keyring ISAKMP_KEY_GETVPN_12
 local-address Loopback1
 pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
 pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212
crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
 vrf VRF_10
 keyring ISAKMP_KEY_GETVPN_10
 self-identity address
 match identity address 22.161.255.33 255.255.255.255
 match identity address 22.109.255.45 255.255.255.255
 keepalive 20 retry 2
 local-address Loopback0
crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
 vrf VRF_12
 keyring ISAKMP_KEY_GETVPN_12
 self-identity address
 match identity address 22.161.255.33 255.255.255.255
 match identity address 22.109.255.45 255.255.255.255
 keepalive 20 retry 2
 local-address Loopback1
crypto gdoi group GROUP-10
 identity number 101010
 server address ipv4 22.161.255.33
 server address ipv4 22.109.255.45
 client registration interface Loopback0
crypto gdoi group GROUP-12
 identity number 121212
 server address ipv4 22.161.255.33
 server address ipv4 22.109.255.45
 client registration interface Loopback1
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
crypto map MAP-10-SECURE-WAN 10 gdoi
 set group GROUP-10
crypto map MAP-12-SECURE-WAN local-address Loopback1
crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
crypto map MAP-12-SECURE-WAN 10 gdoi
 set group GROUP-12
But it seems it does not work!!!
Any idea?
Thx in advance,
Hubert
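An added config-audit script (my example, not code from the post or from Cisco) that reads IOS-style configuration text and flags the structural problems this thread turns on: global "crypto isakmp key ... address X" entries that bind more than one PSK to the same peer address, ISAKMP profiles that match the same identity address without being separated by a "vrf" statement, and profiles whose keyring carries no PSK for a peer they match. The two sample configs are constructed, abbreviated copies of the post's "before" and "after" fragments with placeholder key strings in place of the real ones; the function names are mine.

```python
"""Audit IOS-style config text for ISAKMP pre-shared keys that collide on a peer address.

Checks (all derived from the post's own problem statement):
  1. global_key_conflicts:        one peer address, more than one 'crypto isakmp key'.
  2. profile_identity_conflicts:  two ISAKMP profiles match the same identity
                                  address and carry the same (or no) 'vrf'.
  3. missing_keyring_entries:     a profile matches a peer its keyring has no PSK for.
"""
import re
from collections import defaultdict

# Constructed sample: the post's "before" fragment with placeholder keys.
SAMPLE_BEFORE = """\
crypto isakmp key KEY-101010 address 22.161.255.33
crypto isakmp key KEY-101010 address 22.109.255.45
crypto isakmp key KEY-121212 address 22.161.255.33
crypto isakmp key KEY-121212 address 22.109.255.45
"""

# Constructed sample: the post's keyring + profile approach, abbreviated.
SAMPLE_AFTER = """\
crypto keyring ISAKMP_KEY_GETVPN_10
 local-address Loopback0
 pre-shared-key address 22.161.255.33 key KEY-101010
 pre-shared-key address 22.109.255.45 key KEY-101010
crypto keyring ISAKMP_KEY_GETVPN_12
 local-address Loopback1
 pre-shared-key address 22.161.255.33 key KEY-121212
 pre-shared-key address 22.109.255.45 key KEY-121212
crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
 vrf VRF_10
 keyring ISAKMP_KEY_GETVPN_10
 match identity address 22.161.255.33 255.255.255.255
 match identity address 22.109.255.45 255.255.255.255
crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
 vrf VRF_12
 keyring ISAKMP_KEY_GETVPN_12
 match identity address 22.161.255.33 255.255.255.255
 match identity address 22.109.255.45 255.255.255.255
"""

GLOBAL_KEY = re.compile(r"^crypto isakmp key (\S+) address (\S+)")


def global_key_conflicts(config):
    """Return {peer_address: sorted distinct keys} for every address bound to more than one key."""
    keys = defaultdict(set)
    for line in config.splitlines():
        m = GLOBAL_KEY.match(line.strip())
        if m:
            key, addr = m.groups()
            keys[addr].add(key)
    return {addr: sorted(k) for addr, k in keys.items() if len(k) > 1}


def parse_blocks(config, header_prefix):
    """Collect {name: [indented child lines]} for blocks whose header starts with header_prefix.

    The block name is the first token after the prefix, so 'crypto keyring X vrf Y'
    is still filed under 'X'. Any non-indented line ends the current block.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(header_prefix):
            current = raw[len(header_prefix):].split()[0]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def profile_identity_conflicts(config):
    """Return {(address, vrf): [profile names]} where two profiles match the same
    identity address and are not told apart by a 'vrf' statement (vrf is None if absent)."""
    profiles = parse_blocks(config, "crypto isakmp profile ")
    seen = defaultdict(list)
    for name, lines in profiles.items():
        vrf = next((l.split()[1] for l in lines if l.startswith("vrf ")), None)
        for l in lines:
            if l.startswith("match identity address "):
                seen[(l.split()[3], vrf)].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}


def missing_keyring_entries(config):
    """Return (profile, address) pairs where the profile's keyring has no PSK for a matched peer."""
    keyrings = parse_blocks(config, "crypto keyring ")
    profiles = parse_blocks(config, "crypto isakmp profile ")
    missing = []
    for name, lines in profiles.items():
        ring = next((l.split()[1] for l in lines if l.startswith("keyring ")), None)
        ring_addrs = {l.split()[2] for l in keyrings.get(ring, [])
                      if l.startswith("pre-shared-key address ")}
        for l in lines:
            if l.startswith("match identity address ") and l.split()[3] not in ring_addrs:
                missing.append((name, l.split()[3]))
    return missing


if __name__ == "__main__":
    print("global PSK collisions:", global_key_conflicts(SAMPLE_BEFORE))
    print("profile collisions:   ", profile_identity_conflicts(SAMPLE_AFTER))
    print("keyring gaps:         ", missing_keyring_entries(SAMPLE_AFTER))
```

Running it on the "before" fragment reports both key-server addresses as carrying two different keys, which is exactly the conflict the post describes; on the "after" fragment all three checks come back empty, so whatever stops it from working is not a structural overlap in the keyring and profile definitions themselves. Dropping the "vrf" lines from both profiles makes the second check fire, which is the case a reviewer would want caught before such a config ships.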
VRF-Lite versus VLANs at access edge
What would be the advantage in using VRF-Lite at the CE (e.g. a 3750 switch) and trunking a series of /30 pt-pt VLANs (one for each VRF) from the PE to the CE switch, and then defining customer VLANs on the 3750, versus defining the customer VLANs on the PE device and simply trunking the customer VLANs down to the 3750 switch? In the latter scenario, the IP Services feature set would not be required on the 3750, as VRF-Lite would not be necessary at the edge; just VLAN separation, with IP routing disabled.
A couple of possible benefits for using routed /30 links to the CE:
(i) if the routing is complex at the CE site and more subnets need to be advertised towards the PE (i.e. it's more than a single VLAN);
(ii) SP does not need to get involved in customer routing, but in a small Enterprise MPLS scenario, the customer and the provider may be one and the same, so may be less of an issue;
(iii) A dual-homed CE device may need routes advertised towards two separate PEs.
Hello Matthew,
A multi-VRF CE, also known as VRF-Lite, is a shared device: it can be partitioned between different customers, reducing the cost of ownership for each of them.
It is typically owned and managed by a service provider.
It can fit to multi-tenant office facilities.
If yours is an enterprise scenario and the device is not going to be shared you can save some money making the C3750 a simple L2 switch and terminating all L3 interfaces on the PE itself.
On the other hand, a VRF-Lite CE can reduce the number of L3 interfaces that need to be defined on the PE, providing a scalability advantage (every platform has a maximum number of supported interfaces, regardless of whether they are in a VRF or in the global routing table).
Hope to help
Giuseppe