VRF support
Hi:
1) Is VRF support dependent on switch/router model device or IOS version?
2) What devices support VRF currently? or what IOS version supports VRF now?
Hello,
A1) Yes, Multi-VRF (aka VRF-lite) depends on hardware and IOS software version.
A2) VRF support starts at 850 and 870 series router, 1700, 1800, 2800, up to CRS 1 and Catalyst 6500. So a very wide range of products and IOS versions support Multi-VRF.
For a detailed list of all IOS versions on all hardware platforms please consult http://www.cisco.com/go/fn
Hope this helps! Please rate all posts.
Regards, Martin
Similar Messages
-
Cisco 1700 with MP-BGP and VRF support
I have a Cisco 1721 with MP-BGP Support, you can create VRFs with it and every other MPLSVPN feature, but the commands for MPLS switching are not supported like Router(config-if)mpls ip , I read in some forums that you can create MPLS VPN without enabling MPLS at all, just with MPBGP, but I couldn't do it myself, Can someone tell me how to make it work or what can I do with a Cisco 1721 that supports MP-BGP?
thanks in advance
Here is an example. Take care about overhead for packets like VoIP. The overhead is 88 bytes.
The packet seems something like that.
IpHeader-pub@ - NAT-Tudp4500 - ESP - IpHeader-priv@(vrf discriminator) - GRE - Original IP Header - Data - Esp Trailer.
In this case you need tunnel-mode because you use
private @ in order to determine vrf (vrf discriminator).
This is a LAB config, all other security parameters you need on a router are not configured. If you add access-list on the external interface of REMOTE you have to understand every encapsulation step in order to well tune it.
Good reading.
The PPT draw shows physically and logically views.
PS, take care about fragmentation issues, the problematic is still not well managed by the routers, I could not make Tunnel-path-mtu discovery work with vrf's. The workaround is to fragment packets. It's not good for performance but actually there is no other solution concerning that.
Kind Regards
Miguel -
Hello,
I have a customer that wants to change his CORE devices, he is concerned about the VRFs instances that he can configure, I know that in the SUP2T from the 6500 supports 8,192 VRFs:
MPLS in hardware to enable use of Layer 3 VPNs and EoMPLS tunneling. Up to 8192 VRFs with a total of up to 256K* forwarding entries per system.
According to the next link:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-supervisor-engine-2t/data_sheet_c78-648214.html
I want to make a comparison between a 6500 with SUP2T and a 4500 with SUP7E but I can't find anything about the VRFs instances in the SUP7E.
Could anyone please help me answering that question???
Thanks a lot
This is the problem. The customer has 2 4507 with SUP-V I think and he wants to upgrade. He asked me about one 6509 with SUP2T but I suggested to upgrade to 4507R+E with SUP7E and VSS, I think that the budget of the customer is low...
He needs at least 4 modules of 48 ports so he can receive all their customers. Regarding SUP7 vs SUP8 the main difference is that the SUP8 supports WLC in the module, and has more switching capacity (928 Gbps vs 848 Gbps of the SUP7).
Thanks again
Let me send a copy of the configuration:
CORE-SWITCH#show run
Building configuration...
Current configuration : 77236 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
hostname CORE-SWITCH
boot-start-marker
boot system flash bootflash:cat4500-entservicesk9-mz.122-31.SGA9.bin
boot-end-marker
ip vrf TMX1
ip vrf TMX2
ip vrf TMX3
ip vrf TMX4
interface Vlan51
description TMX1
ip vrf forwarding TMX1
ip address 192.168.150.65 255.255.255.240
interface Vlan52
description TMX2
ip vrf forwarding TMX2
ip address 192.168.150.113 255.255.255.240
As you can see the configuration is so simple, I copy only the VRF side so you can see the VRF configuration that he is doing, as far as I know this is VRF-LITE, BTW he has a lot of static routing with VRFs -
Multi-VRF support on Catalyst IOS Hybrid
Hi,
I have Catalyst 6509/Sup720. I intend to use hybrid sw (CatOS [SP] + IOS [RP]).
I am planning to configure Multi-VRF feature.
Is the Multi-VRF feature on hybrid version? If no, is there a plan to support it in the future?
I saw this feature supported on Cat IOS system native, but can't seem to find on the hybrid one.
Thanks
SSng
Multi-VRF (VRF-Lite) is not supported in Hybrid mode. I don't think that there are any plans to support it in the future either. You would have to migrate to Native mode.
Hope this helps, -
Hi,
I've got a 64Kbps BW between PE (3640) and CE (2600) and I'm planning to configure the 2600 as Lite-VRF CE so that I can connect 2 to 4 VPNs to this box. Does the Lite-VRF support a 64Kbps BW serial connection? If yes, what will be the encapsulation type to be used?
Your help is appreciated.
Thanks,
Galie
Hello,
Could you verify whether it supports a 64K BW between PE (3640) and Lite-VRF CE (2600)? I could not find this in any Cisco documentations. I need to know if this setup is possible. If yes, then what's the required minimum BW for each VRF in serial connection.
Thanks,
Galie -
VRF Aware WCCP !!!!!! PLEASE!!!!!!
I am looking for a forecast of when WCCP will have VRF support. Head-End scalability is pretty tough to achieve without it. ywa I can stack WAEs (up to 32) in a WCCP service group but if the Edge WAEs are in a VRF, it breaks.
Any Ideas?
The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publicly published on availability timelines.
It's now publicly available on the forum... but I've only found it on the 3750 and 3550 documentation.
At the 3750 you will need to place the redirect statement on each of the VLANs, ip wccp 61 redirect in
Kindly find here GRE Tunnel with VRF Configuration Example:
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
I have gotten as far as the WAE registering the router:
"WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
WCCP configuration for TCP Promiscuous succeeded.Please remember to
configure WCCP service 61 and 62 on the corresponding router."
wae01#sh wccp router
Router Information for Service: TCP Promiscuous 61
Routers Configured and Seeing this Wide Area Engine(1)
Router Id Sent To Recv ID
0.0.0.0 209.1.1.1 0000022F
The router registers the WAE as a WCCP client:
router04#
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
client 209.1.1.2"
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
client 209.1.1.2"
The router however cannot figure out what its ID is and does not see
itself as a WCCP group router.
router04#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
Fast: 0
CEF: 0
Redirect access-list: ACCELERATED-TRAFFIC
Total Packets Denied Redirect: 0
Total Packets Unassigned: 25957
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
This is a short summary of important commands for working with VRFs.
View the VRF instances and the associated interfaces.
ml-mr-c6-gs#show ip vrf
Name Default RD Interfaces
blurvrf 100:2 Vlan215
Vlan326
tgvrf 100:1 Vlan132
Vlan325
TenGigabitEthernet1/1
ml-mr-c6-gs#
Show the routing table for a specific VRF.
ml-mr-c6-gs#show ip route vrf tgvrf
Routing Table: tgvrf
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external,
---More--
Gateway of last resort is 128.117.243.57 to network 0.0.0.0
O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
172.17.0.0/29 is subnetted, 3 subnets
O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
--More--
Debugging should otherwise be similar to a regular switch or router.
Final Teragrid VRF Design and Diagrams
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
Teragrid Testbed Design
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
Configuring VRF-Lite
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
sachin garg -
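Added example (not part of the original posts): a small Python parser for the `show ip vrf` output quoted above, used to check that each interface sits in the VRF the design intends, since an interface left in the wrong VRF or in the global table defeats the segmentation. The column spacing of the sample, the `EXPECTED` mapping, `Vlan400` and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the `show ip vrf` output quoted above, with IOS-style
# column spacing restored (the spacing itself is an assumption).
SAMPLE = """\
ml-mr-c6-gs#show ip vrf
  Name                             Default RD          Interfaces
  blurvrf                          100:2               Vlan215
                                                       Vlan326
  tgvrf                            100:1               Vlan132
                                                       Vlan325
                                                       TenGigabitEthernet1/1
ml-mr-c6-gs#
"""

# Hypothetical intended design (not from the page): interface -> VRF.
EXPECTED = {"Vlan215": "blurvrf", "Vlan326": "blurvrf", "Vlan132": "tgvrf",
            "Vlan325": "blurvrf", "Vlan400": "tgvrf"}

# A VRF row: name, RD ("ASN:nn", "IP:nn" or "<not set>"), optional first interface.
VRF_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<rd><not set>|\S+:\d+)(?:\s+(?P<intf>\S+))?$")


def parse_show_ip_vrf(text):
    """Return {vrf: {"rd": str, "interfaces": [str, ...]}} in output order."""
    vrfs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line:          # blank line or CLI prompt
            continue
        if line.split()[0] == "Name" and "Default RD" in line:
            continue                         # column header
        m = VRF_LINE.match(line)
        if m:
            current = m.group("name")
            vrfs[current] = {"rd": m.group("rd"), "interfaces": []}
            if m.group("intf"):
                vrfs[current]["interfaces"].append(m.group("intf"))
        elif current is not None and len(line.split()) == 1:
            # Continuation row: one more interface for the VRF above it.
            vrfs[current]["interfaces"].append(line)
    return vrfs


def audit(vrfs, expected):
    """Return (interface, expected_vrf, actual_vrf) tuples for every mismatch.

    actual_vrf is None when the interface is in no VRF (global table or absent);
    expected_vrf is None when the interface is not in the intended design.
    """
    actual = {i: name for name, v in vrfs.items() for i in v["interfaces"]}
    findings = []
    for intf, want in sorted(expected.items()):
        got = actual.get(intf)
        if got != want:
            findings.append((intf, want, got))
    for intf, got in sorted(actual.items()):
        if intf not in expected:
            findings.append((intf, None, got))
    return findings


if __name__ == "__main__":
    for intf, want, got in audit(parse_show_ip_vrf(SAMPLE), EXPECTED):
        print(f"{intf}: expected VRF {want}, found {got}")
```
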
Is there a version of IOS code available that has VRF support for WCCP.
Thanks
Eddie,
yes, it is on our todo list.
I would suggest you to contact your sales team to inform them you need this feature.
They have the power to make things move faster sometimes :-)
Gilles. -
FabricPath & Layer-3 VPNs (VRF) between 2 Data Centres
Hi there,
I'm looking at deploying FabricPath for layer-2 extension between 2 Data Centres.
We also have the requirement for providing layer-3 services between the 2 DC, as in Layer-3 VPN (MPLS VPN).
The alternative technology was MPLS, with full blown Layer-3 VPN, and Layer-2 VPNs through AToM or VPLS.
My question is, how can we provide VRF support over FabricPath?? Can we use 2 routers with VRF lite configuration in each DC, then dot1q on the trunk through the Fabric Path? Or just VRF Lite on the layer-3 terminating routers, with a specific VLAN for interconnecting the different VRFs?
Thanks,
Fabricpath is L2; not related to the L3 technology you want to use; if VRF are in use you can just use VLANs which is described in your first scenario : "use 2 routers with VRF lite configuration in each DC, then dot1q on the trunk through the Fabric Path"
-
ACE - Balance HTTP and sticky only SSL/TLS
Hi there,
I have a situation that I am trying to solve. We have lot of services through ACE, but now I have to modify one of them, PROXY servers.
I have six (6) servers working with Sticky, but with a MASK 255.255.255.0, which produce an unbalanced situation some times, and that affect some servers on depending of how many users connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have around 700 /24 subnets.
I want to modify the configuration, specifically the MASK to 255.255.255.255, which is going to increase a lot Sticky resources. But thinking in optimize Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kind of SSL/TLS traffic (always using port 80 through proxy servers), so I could use Sticky only for connections that need it, and leave other HTTP traffic without this feature.
I'm sorry, may be I'm doing a silly question, but don't have the experience to make this configuration, and I will appreciate your help.
Here is the actual configuration:
probe tcp HTTP
description Keepalive web servers
interval 20
passdetect interval 30
rserver host Server1
ip address 10.1.1.1
inservice
rserver host Server2
ip address 10.1.1.2
inservice
rserver host Server3
ip address 10.1.1.3
inservice
rserver host Server4
ip address 10.1.1.4
inservice
rserver host Server5
ip address 10.1.1.5
inservice
rserver host Server6
ip address 10.1.1.6
inservice
serverfarm host PRX
failaction purge
predictor leastconns
probe HTTP
rserver Server1
inservice
rserver Server2
inservice
rserver Server3
inservice
rserver Server4
inservice
rserver Server5
inservice
rserver Server6
inservice
sticky ip-netmask 255.255.255.0 address source sticky-PRX
timeout 60
serverfarm PRX
class-map match-any VIP-PRX
2 match virtual-address 10.10.10.101 tcp eq www
policy-map type loadbalance first-match POLICY-L7-PRX
class class-default
sticky-serverfarm sticky-PRX
policy-map multi-match PRX-Balance
class VIP-PRX
loadbalance vip inservice
loadbalance policy POLICY-L7-PRX
loadbalance vip icmp-reply
interface vlan 100
ip address 10.10.10.11 255.255.255.0
alias 10.10.10.10 255.255.255.0
peer ip address 10.10.10.12 255.255.255.0
no normalization
access-group output SOLO-SLB
service-policy input PRX-Balance
Thanks
Alexis
You might want to check out this new product called ITD.
Simple and faster solution:
ITD provides :
ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
IP-stickiness
Resilient (like resilient ECMP)
VIP based L4 load-balancing
NAT (available for EFT/PoC). Allows non-DSR deployments.
Weighted load-balancing
Load-balances to large number of devices/servers
ACL along with redirection and load balancing simultaneously.
Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
The servers/appliances don’t have to be directly connected to N7k
Monitoring the health of servers/appliances.
N + M redundancy.
Automatic failure handling of servers/appliances.
VRF support, vPC support, VDC support
Supported on both Nexus 7000 and Nexus 7700 series.
Supports both IPv4 and IPv6
N5k / N6k support : coming soon
Blog
At a glance
ITD config guide
Email Query or feedback:[email protected] -
Data Centre Interconnection - firewall and load balancer deployment
Hi all,
I've read lots of Cisco docs/white papers on DCI - Layer 2 extension between DCs, but as yet I cannot find any decent information on how best to deploy firewalls and load balancers in such a design. I've seen refs to FHRP isolation on Nexus 7k (and possible 6k if you use DCI block) but nothing on the services elements.
The services element seems to be a complete minefield here:
- active/standby across sites, or deploy resilient pairs in each site?
- how to align optimal traffic flows inbound and outbound (RHI, SNAT, etc.)
- best practice suggestions ideally.
Cisco DCI docs seem to always gloss over the fact that most customers would have to deal with firewalls and load balancers here, and simply refer to 'coming soon' for that info.
If anyone has any good suggestions/links to docs explaining detailed implementation info would be much appreciated
Thanks
Phil
You might want to check out this new product called ITD.
-
ACE30 module with 4 devices in HA mode
Hi,
I have two ace module in ha mode, each ace are inside of a catalyst 6509, the catalyst are in vss mode.
I am going to install another vss with two ace module, I would like to know if it is possible to configure the four ace module in ha mode?
Regards
Fidel Gonzalez
Hi Fidel,
You might want to check out this new product called ITD.
-
Hi,
I'd like to solve the problem which occurs when our client communicates with http server through ACE SM. See picture attached.
The problem is, that http response from server (200 OK) is divided into two packets. Both packets are sent by backend http server in rapid succession.
ACE forwards the first packet, but then waits for ACK from client. Only then it sends the second one. It takes about 200ms until client sends ACK.
One transaction consists of hundreds such http requests. It means that whole transaction takes approx. 25 seconds when is balanced by ACE. When I connect directly to backend server the transaction takes approx. 5 seconds.
I'm quite sure the problem is not related to TCP window.
Is there any parameter on ACE which should affect this behaviour (waiting for the ACK before second packet is sent)?
Petr
Hi Petr,
Since your issue is solved now, You might want to check out this new product called ITD.
-
Guys,
If I have servers protected behind a firewall and I need to load balance some servers , where should I place the ACE?
Sent from Cisco Technical Support iPad App
Hi,
With one-arm I believe the question is where you want to place the firewall. As long as the client is able to reach the VIP and server replies back to ACE I don't see any problem with this design.
Firewall ---------Switch ---------------- Load Balancer ---
As you know with one-arm requires a source NAT and might not be a good fit for application that are using the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.
Regards,
Siva -
Hi,
Does cisco support mpls over atm-ppp-llc
per RFC 2354(PPP over AAL5).
Something like a scenario if Cisco acts as a PE and it gets frames with mpls over atm-ppp-llc from a connected CE ,is it supported in cisco , or it will drop the frames ?
Running mpls over ce-pe link is mandatory for the specific scenario.
Thanks
Thanks in advance
Hello,
The MPLS should be supported also on PPP over AAL5. Simply use the "mpls ip" command on the Virtual-Template or the Dialer interface you are using on top of the ATM VC to set up the PPP interface.
The 3640 with proper IOS can support the PE functions. The Enterprise feature sets should be equipped with all features necessary to provide a PE router functionality - basically, the VRF, MPLS, LDP, MPLS VPN support, BGP, BGP VPNv4 support, IGP protocols with VRF support and that should be sufficient.
Best regards,
Peter -
is there anyway I can run a sup720-3b as a backup for sup720? Also besides MPLS VRF support, what does the 3b or 3bXL do over a standard sup720?
Yes you can use the 3b or 3bxl in place of 720. Other than MPLS features, there are a few other security features that are available only in 7203b and 3bxl. Other than that, performance wise for ipv4 routing, they are all the same. Check this link.
http://www.cisco.com/en/US/products/hw/modules/ps4835/products_data_sheet09186a0080159856.html