VRF Lite running in the enterprise network

Hello everybody
Altough VRF lite (or Mulit VRF) seems to be a Service Provider Tecnology.
Does it make sense to use it in an Enterprise Network to isolate Networks from others ?
I cant find any design paper which describes if this would make sense.
What do you think. Is someone using it ? Does Cisco recommend it ?

Yes, VRF-lite SHOULD be used in an Enterprise environment to isolate the different security classes of devices.
In the past you would isolate different groups of users using Layer1, i.e. separate hubs either totally isolated or connected together by a router with ACLs. Since the PCs were only connected at shared 10 Mbit and the routers were such low performance and worms weren't really prevalent, this was not a big security issue at the time.
Then we migrated to VLANs, which essentially allowed Layer2 isolation within the same switch to provide the same functionality of separating different classes of users and to break up broadcast domains. Unfortunately, everyone connected the VLANs together at Layer3 with a router (or SVI) which essentially connected everything together again! And almost no one gets the ACLs right (if at all) to isolate the VLANs from each other. In fact, in most cases every VLAN can automatically reach every other VLAN from a Layer3 or IP perspective. This is a huge security problem.
Enter VRF-lite, essentially created by Cisco as their tag switching migrated to standards based MPLS and had a need to isolate Layer3 security domains from each other within the same switch (or router). Think of VLANs for routing tables. VRF stands for 'Virtual Route Forwarding', which basically means separate routing tables. Since VRF-lite is a per-switch feature (running locally to the switch) you will need to use other technologies to connect multiple VRF-lite switches together and keep the traffic isolated, see below.
What makes this so secure is that there is no command within the switch to connect different VRFs together within the same switch. You would need to connect a cable between two ports on the same switch configured in different VRFs to be able to communicate between them (recent IOS 12.2SR allows tunnels with different source VRFs but that is a corner case). The reason for this is simple, remember the basis for VRF (and VRF-lite) is for a service provider to isolate multiple customers from each other within the same switch. Just like an ATM, Frame-Relay, SONET, or Optical switch, the command line makes it very difficult (or impossible) to accidentally connect 2 different customers together.
Think about that. Even if someone was able to get ssh enable access to your switch (you aren't running telnet anymore, right?!), they CAN'T connect 2 VRFs together with any command.
And, yes, this is highly recommended by Cisco Engineers and is actually deployed far more than you think. I have VRF-lite running on at least 10 client's networks and those are LARGE networks. VRF-lite was integrated into the environment purely to solve a Layer3 security class isolation issue. I have used Layer3 dot1q trunks on c6500 switches and tunnels to keep isolated connectivity between VRFs between switches.
In Cisco speak, VRF-lite falls under the topic of 'Path Isolation' which is combined with other features that isolate traffic within the same network such as dot1q trunking, tunneling, VPN, policy-routing, and MPLS. Do a search on Cisco's web site for 'path isolation' and you will find a bunch of info.
See the following URLs for a good start:
http://www.cisco.com/en/US/netsol/ns658/networking_solutions_design_guidances_list.html
http://www.cisco.com/en/US/netsol/ns658/netbr0900aecd804a17db.html
http://www.cisco.com/en/US/netsol/ns658/networking_solutions_white_paper0900aecd804a17c9.shtml
As always, rate all posts appropriately, particularly those that provide value and don't be shy about following up with additional questions or comments.
Good luck!

Similar Messages

Who can shed some light on my ongoing connection problem. After upgrading my iPad Air with IOS 7.06, I could no longer connect to the internet. I have 2 MacBooks Air, 1 ipad mini and one iPhone 4S running on the same network, and they are all connected to

Who can shed some light on my ongoing connection problem.
After upgrading my iPad Air with IOS 7.06, I could no longer connect to the internet.
I have 2 MacBooks Air, 1 ipad mini and one iPhone 4S running on the same network, and they are all connected to the net and function well.
So I cleaned up the ipad completely, installed the latest firmware and reinstalled my apps : no connection.
I tried all things of resets and forgets. No result.
I have been fondling with my Airport Extreme 5 , but that did not help much.
This morning I went to a neighbor , hooked my ipad air on his network, typed the password and the thing all worked fine.
I have tried to connect the ipad air as an ethernet client, but that did not work. „Not enough power“ was the statement
Ideas anyone ?

Yes I tried this manyfold. But did not work. Reading on, I took Tesserac's advice. Shut down router and computer.
Start router after 15 minutes and wait another 10 minutes before starting the computer.
Et voila.... everything is back in working order,
Regards form Curacao, Dutch Caribean.
Pete van Linden

Providing DRC solution for ATMs in the enterprise network

Hi all,
I am looking for ideas on how to provide a Disaster Recovery solution for thousands of ATMs (Automated Teller Machine) deployed in the bank enterprise network. The solution should consider
the following facts:-
1.- Having the ATMs switch the connection to the Server at DRC shouldn't be automatic. This situation might last for the next few years until DRC becomes mirror image of primary data center.
2.- The ATM servers at the primary and disaster recovery center is single server equipped with high availability (Tandem). I mean to say, there is no SLBs invloved in the connection
3.- The application running on the ATMs is calling the ATM Server by hardcoded IP address in the application. The bank is willing to visit the ATMs to change once and forever.
I see source natting as the most appropriate solution, however your opanion and expertise are appreciated.
Thanks
Sami

Sami,
what kind of solution are you looking for ?
Is the concern the connection from ATM to central location ?
Or is it a concern about the server at the central location ?
For connection issues, I don't see any other solution than providing multiple lines.
If the concern is the single server, you could have a loadbalancer somewhere in your network.
The loadbalancer can use probes to check the health of the server.
If the primary fails, or is unreachable, you can automatically redirect the traffic to the standby.
ATM machines will point to the virtual ip (you could reuse the current ip and assign a new one to the servers).
Not sure where to place the loadbalancer without a better idea of the problem to solve and the network.
Gilles.

IPad on the Enterprise network

Hello All -
I am looking to get some more information on the iPad in the enterprise. We are currently using Cisco wireless running a corporate SSID using WPA+WPA2 with AES and 802.1X.
Is anyone running iPad's in the 802.1X enterprise? We use a Device CA for all of our devices, is it possible to use this on the iPad or do you have to use client CA?
I am using the iPad configuration utility to try and configure my test iPad, but it doesn't seem to work like I need it to. I get to a certain point and it wants username and password. I do not want a user to have to login, so this would lead me to believe client CA needs to be used and not Device CA.
Can anyone help me out?

First, try a system reset. It cures many ills and it's quick, easy and harmless...
Hold down the on/off switch and the Home button simultaneously until you see the Apple logo. Ignore the "Slide to power off" text if it appears. You will not lose any apps, data, music, movies, settings, etc.
If the Reset doesn't work, try a Restore. Note that it's nowhere near as quick as a Reset. It could take well over an hour! Connect via cable to the computer that you use for sync. From iTunes, select the iPad/iPod and then select the Summary tab. Follow the on-screen directions for Restore and be sure to say "yes" to the backup. You will be warned that all data (apps, music, movies, etc.) will be erased but, as the Restore finishes, you will be asked if you wish the contents of the backup to be copied to the iPad/iPod. Again, say "yes."
At the end of the basic Restore, you will be asked if you wish to sync the iPad/iPod. As before, say "yes." Note that that sync selection will disappear and the Restore will end if you do not respond within a reasonable time. If that happens, only the apps that are part of the IOS will appear on your device. Corrective action is simple - choose manual "Sync" from the bottom right of iTunes.
If you're unable to do the Restore, go into Recovery Mode per the instructions here. You WILL lose all of your data (game scores, etc,) but, for the most part, you can redownload apps and music without be charged again. Also, if you have IOS-7, read this.

State of the enterprise network & wireless technology

In your opinion, what do you think is the single most gating factor for an enterprise to be able to provide wireless access to corporate resources on a LAN?
and what does an enterprise need to do today to get their network ready for wireless?

In our environment, infrastructure was the biggest factor. It is very difficult and expensive to wire (and re-wire) our facility so putting in access points throughout and wireless nics eliminates the problem. It also very convenient for our users with notebooks. There are other factors as well but thats the main reason.

Can I use back to my mac to access two daisy chained time capsules running on my network alone or do I also need a mac running on the same network?

I have a DSL modem router (HUWAI ECHO LIFE 520) with uPNP enabled. The first time capsule´s wan is connected to that router the second time capsules wan is connected to the first time capsules lAN. The router looks at the first time capsule as DMZ and passes traffic on the public IP through to it. There are airport expressses either end of the chain. The network works a charm. I would like to have both time capsules visible through Back to My Mac, which isn´t currently working. Back to My Mac is activated on all devices involved. What else to try?
Arved

Both TC should be in bridge mode. Is that what you have done? You cannot use the TC in router mode as it will cause double NAT problems.
Can you access one of the TC? Or do both fail to show up?

I have both TimeCapsule and Airport, and run two mac computers in the house on the one network. The airport often can not be found, and the signal is incredibly weak unless in the same room as the modem. Previously our signal was strong and effective.

The signal has been strong and effective previously and as far as i'm aware that nothing else in the house has changed. We have two apple computers, appletv, an ipad, 2 iphones, time capsule, and airport all running off the same network. If there is product, a configuration or program we can get to help diagnose and or solve any connectivity issue that would be awesome

The Powerline adapters mentioned by edex67 are your only hope if you cannot run an Ethernet cable.
Even if the home and office are on the same electrical circuit, you won't really know how well the Powerline adapters might work until you actually try them out at your location.
For that reason, it would be a good idea to understand the store's return policy before you buy.

Using VRF-Lite in 6509 as Really Expensive IPS ByPass

I have an IPS (Intrustion Prevention) unit that is causing me some problems with some of my servers in my ServerFarm. I would like to route most of my to/from ServerFarm traffic through the IPS, but use some policy-based routing with an ACL (preferably, a policy-based ACL) to allow some servers to bypass the IPS.
So, I thought of taking my Cisco 6509 and making it into a Really Expensive Optical ByPass switch for this small group of servers. The challenge is that the IPS runs strictly at Layer 2. So if I connect the IPS in a loop to the 6509, I must change the MAC addresses on these interfaces on the 6509 so that each address is unique -- as well as assign unique IPs to each of the two interfaces, but the addresses must share the same L3 subnet. Of course, this leads to overlapping addresses on the 6509, which it does not like. So, I want to see if I can try a little VRF-lite to remove the overlapping address problem.
To accomplish the bypass segment, I take a piece of fiber and just connect two ports together on the 6509, changing the MAC addresses and assigning the "overlapping" IPs (which is "solved" by placing the different ports in different VRFs, on just one port in the Global table and the other port in a standalone VRF). If I can do this without running this piece of fiber, I'd be welcome to the idea.
I can fire up OSPF on all of my interfaces, raising the cost of the IPS Bypass link, and use the route-maps to try to route the Bypass traffic correctly. Unfortunately, the route-maps are not behaving. The traffic moves across the two links (one with IPS, one without) assymetrically, which isn't what I want.
I am uploading a diagram that will show a simplified example of what I am doing. Here is my config below. Does anyone have any ideas on what I am doing wrong, or a better way to do this? (I tried a VACL approach, but I could not redirect the traffic properly):
ip vrf Srv
description ServerNets
rd 65000:10
object-group ip address IPS-Ignore
host 192.168.20.2
interface GigabitEthernet1/3
ip address 192.168.200.1 255.255.255.0
ip policy route-map ServerNetIngress
interface GigabitEthernet1/9
description ServerNets
no ip address
ip flow ingress
interface GigabitEthernet1/9.20
description PublicServerNet
encapsulation dot1Q 20
ip vrf forwarding Srv
ip address 192.168.20.1 255.255.255.128
ip flow ingress
ip policy route-map ServerNetEgress
interface GigabitEthernet1/15
description IPS-ByPass-Global
mac-address 0015.c7c9.c10f
ip address 192.168.15.73 255.255.255.252
ip flow ingress
ip ospf cost 100
interface GigabitEthernet1/17
description IPS-ByPass-Srv-VRF
mac-address 0015.c7c9.c111
ip vrf forwarding Srv
ip address 192.168.15.74 255.255.255.252
ip flow ingress
ip ospf cost 100
interface GigabitEthernet1/19
description IPS-Scrub-Global
mac-address 0015.c7c9.c113
ip address 10.0.0.2 255.255.255.252
ip flow ingress
interface GigabitEthernet1/21
description IPS-Scrub-Srv-VRF
mac-address 0015.c7c9.c115
ip vrf forwarding Srv
ip address 10.0.0.1 255.255.255.252
ip flow ingress
router ospf 10 vrf Srv
router-id 192.168.10.1
log-adjacency-changes
capability vrf-lite
network 192.168.0.0 0.0.255.255 area 0
router ospf 1
router-id 192.168.0.1
log-adjacency-changes
network 192.168.0.0 0.0.255.255 area 0
ip access-list extended IPS-Bypass
permit ip addrgroup IPS-Ignore any
permit ip any addrgroup IPS-Ignore
route-map ServerNetIngress permit 100
description ByPassIPS
match ip address IPS-Bypass
set global
set ip next-hop 192.168.15.74 10.0.0.1
route-map ServerNetEgress permit 100
description ByPassIPS
match ip address IPS-Bypass
set ip vrf Srv next-hop 192.168.15.73 10.0.0.2
I obfuscated my addresses, so don't let that throw you off too much.
Clarke Morledge
College of William and Mary

Thank you for the suggestion. Just using the "set ip next-hop" in the respective route-map is sufficient and gets the job done. Unfortunately, my problem is more with how the policy-based ACLs (PBACLs) work; i.e. the lines with the object-group syntax in the config. My contact with the TAC tells me that PBACLs are not really supported to do policy-based routing. So because the PBACL is not working correctly all of the time, things don't get matched properly in the route-map for the policy-based route to get correctly applied.
This is really too bad since the PBACL looks to be a quite handy feature. In my example -- at least in theory -- I should be able to make but one change to the "object-group" in order to properly handle the policy-based routing involving the two different route-maps. Alas, this is not as easy as I hoped for since making changes to the PBACL apparently produces unpredictable results -- and the TAC just tells me that the feature is not supported for what I want to do.

AAA Authentication and VRF-Lite

Hi!
I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
The setting is as follows. A /31 linknet is setup between PE and CE (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE uses VRF-Lite to keep the local services seperated (where more than one VPN is used..).
Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
--> Config Begins <---
aaa new-model
aa group server radius radius-auth
server x.x.4.23 auth-port 1645 acct-port 1646
server x.x.7.139 auth-port 1645 acct-port 1646
aaa authentication login default group radius-auth local
aaa authentication enable default group radius-auth enable
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
ip radius source-interface <outside-if> vrf 10
---> Config Ends <---
The VRF-Lite instance is configured like this:
---> Config Begins <---
ip vrf 10
rd 65001:10
---> Config Ends <---
Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okey for a single-vpn setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

Just wanted to help future people as some of the answers I found here were confusing.
This is all you need from the AAA perspective:
aaa new-model
aaa group server radius RADIUS-VRF-X
server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
ip vrf forwarding X
aaa authentication login default group RADIUS-VRF-X local
aaa authorization exec default group X local if-authenticated
Per VRF AAA reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

Extending VRF-lite to 6500??

Hello,
I have a simple scenario, where there is a 6500 connected to a router (ISP end), which we have planned to implement vrf-lite on.... there are basically 2 VLANs on the LAN, one production and one guest... we need to isolate the routing table instances between the production and guest.. we have planned to configure trunk between the 6500 and PE router at the ISP end. 6500 acts as a CE here.
Now, I want to extend the VRF information from the PE to the 6500 CE, since the layer 3 VLANs terminate on the 6500. i will define the same VRF information on the 6500 and isolate VRF routing tables for the guest/production vlan on the LAN also.. I know we will require to configure VRF, RD, BGP etc on the PE router and do a "ip vrf forwarding" on the subinterface of the router. What is the configuration required on the 6500 to extend the VRF-lite information to the end vlans ????? does anyone have any sample configs or links to which i can refer ?
Raj

Well,
first a sample config (not from a 6500, but you should be able to get the idea):
ip vrf Cust1
rd 65000:1
ip vrf Cust2
rd 65000:2
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip vrf forwarding Cust1
ip address 10.1.1.1 255.255.255.252
interface FastEthernet0/0.200
encapsulation dot1Q 200
ip vrf forwarding Cust1
ip address 10.1.2.1 255.255.255.252
interface FastEthernet0/0.300
encapsulation dot1Q 300
ip vrf forwarding Cust2
ip address 10.20.1.1 255.255.255.252
interface FastEthernet0/0.333
encapsulation dot1Q 333
ip vrf forwarding Cust2
ip address 10.1.1.1 255.255.255.252
!On a 6500 you could also have:
interface vlan 400
ip vrf forwarding Cust2
ip address 10.1.123.1 255.255.255.252
router rip
address-family ipv4 vrf Cust1
version 2
network 10.0.0.0
no auto-summary
exit-address-family
address-family ipv4 vrf Cust2
version 2
network 10.0.0.0
no auto-summary
exit-address-family
The separation in the control plane (routing etc.) is achieved through the normal VRF configuration. Overlapping IPs and such are supported by having separate IP routing tables per VRF and VRF aware routing protocols like RIP, OSPF, etc.
In the data plane traffic is sorted by layer2 encapsulation. In the example above, the dot1Q VLAN tag will deliver the same functionality as the MPLS VPN labels. If f.e. an IP packet with destination 10.1.1.1 arrives, the VLAN tag 100 or 333 will allow the VRF-lite CE to determine, whether it belongs to Cust1 or Cust2. The same differentation will take place for traffic from the CE to the PE. So the PE config is practically the same, BUT in addition MP-BGP and route-targets and MPLS towards the core is used.
So no MPLS is needed on the VRF-lite CE router, no labels will be used, hence VRF-lite.
The PE will not be the PHP LSR in the MPLS sense, because it is the LAST router in the MPLS network.
Instead of the FastEthernet also VLAN interfaces can be used. The number of interfaces per VRF or the number of VRFs are limited by memory.
Hope this helps! Please use the rating system.
Regards, Martin

Ps CC 2014 not opening files on enterprise network - any ideas?

I've recently run in to an issue where i cannot open any files or start a new .PSD when logged into my company's network.
However, when I'm working at home on my personal network, everything is functioning normally.
Any ideas what the issue might be? Our IT help desk do not support Adobe CC, but if I can make a suggestion as to what the snag might be on the enterprise network, I might be able to avoid having my PC re-imaged, which is the only solution they've suggested so far!
Thanks!
Jon

If I drag a .jpg or .png in to Ps, nothing opens.
If I use 'File -> Open' and select .PSD, .jpg,, .png, nothing...
If create a new document, still nothing.
All these scenarios work just fine when not logged in to the company network.
I've uninstalled/reinstalled Ps, updated all Dell drivers.

MPLS / vrf-lite

Hi
We currently use a BT MPLS network and use BGP on our CE router to peer with the providers PE routers. Currently we only use one VPN for production across the MPLS network.
We are now looking to give access from some of our MPLS sites to a test environment housed in our data centre. We need to do this on a pc by pc basis.
At the moment the plan is to add a Test VPN within the MPLS network. All sites will be a member of the production VPN and those sites that also need access to test environment will be a member of the Test vpn.
This will segregate the traffic over the WAN but the issue i now have is how to segregate the traffic once it leaves the PE router. The link between the CE and PE router is just a layer 3 link so the VPN separation
has disappeared by now. I don't mind the traffic not being separated in terms of VPN's on the CE to PE link but i need to segregate the traffic once it leaves the CE router and enters our LAN.
So finally the questions
1) Is there a way to keep the separation at a VPN level on the CE -> PE link. As i say i don't mind not having it but if there is a way i would be interested.
2) More importantly i have done some limited reading on VRF-lite and was wondering before i go further if that would allow me to segregate the traffic internally within the LAN. Our Lan's in major buildings usually consist
of 4500 at the access-layer and 6500 as distribtion/core. What i would ideally like to do is ensure that only users within the site who need to access the test environment can ie. by adding a site to the TEST vpn this does
not mean that all users within the site should be able to get to it.
I could
i) Use PBR together with access-list and potentially firewalls
ii) use vrf-lite to segregate the traffic.
So is this a good application for vrf-lite or have i missed the point of it ?. if not can anyone suggest a better way ?
Many thanks
Jon

Joseph/Anantha
Thanks to both of you for your replies. If i could just query your expertise a little more.
Attached is a visio of a site that i would like to be able to access both the Test and Production VPN's. The key thing to note is that we are routing from the access-layer down to the distribution 6500 switches.
Now on the 4500 i can have 2 separate VRF's, one for the Prod VPN and one for the Test VPN. I can then assign different vlan interfaces into the relevant vrf.
Am i right in my assumptions so far ?
The problem i am having in taking this further is that a L3 interface can only be in one VRF and as the connections from the 4500 to the 6500 are L3 uplinks i can't allocate the L3 link into 2 separate vrf's (nor would it make sense to do so).
I am not in a position to change the L3 links to L2 links which would solve part of the problem as the vlan interfaces would then be on the 6500 and i could allocate these interfaces into separate VRF's.
So is there any way, bearing in mind that i need to keep L3 links from the access-layer, that i can segregate the routing tables on the 6500 and 7200 router.
If i can't do this then i don't see the advantage of trying to use VRF-lite because the 6500/7200 and 3800 will all have one routing table with both Test and Prod routes in in it and this means without route filtering these routes will get propogated by the 3800 to our remote sites.
If i have to revert to route-filtering i may as well not bother with vrf-lite ?
Jon

If remote access is allowed on the server, Then can my users on the local network access this server by ie

Dear all,
If my server is enabled for the remote desktop connection, then the users on the local network can access my server IIS services by entering the IP address of my server in the IE (http/https) on the local network only.
I went to control panel>>system>>Allow Remote desktop Connection>>with network level authentication.
Now If my team wants to access this server not by opening the Remote Desktop Connection, rather by entering the IP address of my server on the IE and access the resources offered.
Is it possible by this way,
Or is there any other method to do so.
Regards,
Ahmed

3. My web Developer is installing an application on the server for our department team. To test this application running, he wants to access this application through the local machine from browser (rather than logging in through the remote desktop connection).
4. He wants this application to run on the local network only.
5. He wants me to do some setup, that he must be able to enter the IP address of the server in the browsers address bar on his local machine and test the functionality of his application on the local network.
If this is the requirements of the developer, I guess he wants you to configure IIS.
You can do a test, whether IIS is working properly.
Log on to server, enter https://localhost or http://IP_address_of_the_server don't know whether some ports are configured in order for your IIS to work.
check out this youtube video:
https://www.youtube.com/watch?v=tNAdv1EPj-I
Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
IT Stuff Quick Bytes

Will an unlocked iPhone 5 work on the Verizon network?

Will an unlocked iPhone 5 work on the Verizon network? I know this question is probably premature, I don't think apple has mentioned anything about it yet, but I saw that past unlocked iPhones (4 and 4S) would not work on Verizon. I'm a Verizon customer and I want to keep my unlimited data plan, the only way to do this is buy a iPhone at retail, but from what I saw regarding the 4 and 4S I may not be able to do this. I did read that the iPhone 4S is being made in three distinctive models, 1 with a CDMA network and 2 others with varied GSM - LTE networks. I'm hoping this means that an unlocked iPhone 5S can now run on the Verizon network. Any ideas if I'm correct? Thanks.

Honestly I'm not convinced to jump to sprint so quickly. I am monitoring my data as it is, I'm a heavy data user as I watch a lot of movies from Netflix Hulu plus crackle etc. the flip side of this is that I do most of this on my iPad, which I have currently unlimited data on, so I can still get by without unlimited data on my cell, it's more of me not wanting to lose what I have. But thanks for all the info. I'm secretly hoping that apple has redone the unlocked iPhones but I wont lose any sleep over wishful thinking. I'm just quite anal I guess lol. Thanks again
R.S.C.

Running vrf-lite and dhcp server see 0.0.0.0 as giaddr

Im running vrf-lite and our dhcp server see only 0.0.0.0. Im able to ping vlan10, and see the dhcp request. Running on a 2811. I have limited access to device. Do I need to turn on Dhcp-relay? Verifing ip forward-protocol. Do i need to add " vrf WISP to my helper-address? The interface it sends Dhcp request is also within the vrf. The dhcp scope is part of Vlan10 subnet
int vlan 10
ip vrf forward WISP
ip add x.x.x.x s.s.s.192
ip helper-address x.x.x.x

Yes and no. It uses another interface thats within the same vrf Wisp. On the other end of the vrf it is forwarded to our global dhcp server. in bold is where the unicast packet are going using the defaultroute
int fast0/0.1
encap dot1q 1
ip vrf forwarding WISP
ip add 172.16.6.2 255.255.255.252
int vlan 10
ip vrf forward WISP
ip add 66.223.195.129 255.255.255.192
ip helper-address 208.138.129.49
ip route vrf WISP 0.0.0.0 0.0.0.0 172.16.6.1

VRF Lite running in the enterprise network

Similar Messages

Maybe you are looking for