VRF support

Hi:
1) Is VRF support dependent on switch/router model device or IOS version?
2) What devices support VRF currently? or what IOS version supports VRF now?

Hello,
A1) Yes, Multi-VRF (aka VRF-lite) depends on hardware and IOS software version.
A2) VRF support starts at 850 and 870 series router, 1700, 1800, 2800, up to CRS 1 and Catalyst 6500. So a very wide range of products and IOS versions support Multi-VRF.
For a detailed list of all IOS versions on all hardware platforms please cosult http://www.cisco.com/go/fn
Hope this helps! Please rate all posts.
Regards, Martin

Similar Messages

  • Cisco 1700 with MP-BGP and VRF support

    I have a Cisco 1721 with MP-BGP Support, you can create VRFs with it and every other MPLSVPN feature, but the commands for MPLS switching are not supported like Router(config-if)mpls ip , I read in some forums that you can create MPLS VPN without enabling MPLS at all, just with MPBGP, but I couldn't do it myself, Can someone tell me how to make it work or what can I do with a Cisco 1721 that supports MP-BGP?
    thanks in advance

    Here is an example. Take care about overhead for packets like VoIP. The overhead is 88 bytes.
    The packet semms something like that.
    IpHeader-pub@ - NAT-Tudp4500 - ESP - IpHeader-priv@(vrf discriminator) - GRE - Original IP Header - Data - Esp Trailer.
    In this case you neet tunnel-mode because you use
    private @ in order to determine vrf (vrf discriminator).
    This is a LAB config, all other security parameters you need on a router are not configured. If you add access-list on the external interface of REMOTE you have to understand every encapsulation step in order to well tune it.
    Good reading.
    The PPT draw shows physically and logically views.
    PS, take care about fragmentation issues, the problematic is still not well managed by the routers, I could not made Tunnel-path-mtu discovery work with vrf's. The workaround is to fragment packets. It's not good for performance but actually there is no other solution concerning that.
    Kind Regards
    Miguel

  • How many VRFs support a SUP7E

    Hello,
    I have a customer that wants to change his CORE devices, he is concerned about the VRFs instances that he can configure, I know that in the SUP2T from the 6500 supports 8,192 VRFs:
    MPLS in hardware to enable use of Layer 3 VPNs and EoMPLS tunneling. Up to 8192 VRFs with a total of up to 256K* forwarding entries per system.
    According to the next link:
    http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-supervisor-engine-2t/data_sheet_c78-648214.html
    I want to make a comparison between a 6500 with SUP2T and a 4500 with sUP7E but I can't find anything about the VRFs instances in the SUP7E.
    Could anyone please help me answering that question???
    Thanks a lot

    This is the problem. The customer has 2 4507 with SUP-V I think and he want to upgrade. He asked me about one 6509 with SUP2T but I suggested to upgrade to 4507R+E with SUP7E and VSS, I think that the budget of the customer is low...
    He needs at least 4 modules of 48 ports so he can receive all their customers. Regarding SUP7 vs SUP8 the main difference is that the SUP8 supports WLC in the module, and has more switching capacity (928 Gbps vs 848 Gbps of the SUP7).
    Thanks again
    Let me send a copy of the configuration:
    CORE-SWITCH#show run
    Building configuration...
    Current configuration : 77236 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service compress-config
    hostname CORE-SWITCH
    boot-start-marker
    boot system flash bootflash:cat4500-entservicesk9-mz.122-31.SGA9.bin
    boot-end-marker
    ip vrf TMX1
    ip vrf TMX2
    ip vrf TMX3
    ip vrf TMX4
    interface Vlan51
     description TMX1
     ip vrf forwarding TMX1
     ip address 192.168.150.65 255.255.255.240
    interface Vlan52
     description TMX2
     ip vrf forwarding TMX2
     ip address 192.168.150.113 255.255.255.240
    As you can see the configuration is so simple, I copy only the VRF side so you can see the VRF configuration that he is doing, as far as I know this is VRF-LITE, BTW he has a lot of static routing with VRFs

  • Multi-VRF support on Catalyst IOS Hybrid

    Hi,
    I have Catalyst 6509/Sup720. I intend to use hybrid sw (CatOS [SP] + IOS [RP]).
    I am planning to configure Multi-VRF feature.
    Is the Multi-VRF feature on hybrid version.? If no, is there a plan to support it in the future.
    I saw this feature supported on Cat IOS system native, but can't seem to find on the hybrid one.
    Thanks
    SSng

    Multi-VRF (VRF-Lite) is not supported in Hybrid mode. I don't think that there are any plans to support it in the future either. You would have to migrate to Native mode.
    Hope this helps,

  • Multi-VRF CE Speed Limitation

    Hi,
    I've got a 64Kbps BW between PE (3640) and CE (2600) and I'm planning to configure the 2600 as Lite-VRF CE so that I can connect 2 to 4 VPNs to this box. Does the Lite-VRF support a 64Kbps BW serial connection? If yes, what will be the encapsulation type to be used?
    Your help is appreciated.
    Thanks,
    Galie

    Hello,
    Could you verify whether it supports a 64K BW between PE (3640) and Lite-VRF CE (2600)? I could not find this in any Cisco documentations. I need to know if this setup is possible. If yes, then what's the required minimum BW for each VRF in serial connection.
    Thanks,
    Galie

  • VRF Aware WCCP !!!!!! PLEASE!!!!!!

    I am looking for a forcast of when WCCP will have VRF support. Head-End scalability is pretty tough to achieve with out it. ywa I can stack WAE's ( up to 32) in a WCCP service group but if the Edge WAE's are in A VRF, it breaks.
    Any Ideas?

    The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publically published on availability timelines.
    It's now publically available on the forum... but , I've only found it on the 3750 and 3550 documentation.
    at the 3750 you will need to place the redirect statement on each of the VLANs, ip wccp 61 redirect in
    Kindly find here GRE Tunnel with VRF Configuration Example:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
    I have gotten as far as the WAE registering the router:
    "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
    WCCP configuration for TCP Promiscuous succeeded.Please remember to
    configure WCCP service 61 and 62 on the corresponding router."
    wae01#sh wccp router
    Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Wide Area Engine(1)
    Router Id Sent To Recv ID
    0.0.0.0 209.1.1.1 0000022F
    The router registers the WAE as a WCCP client:
    router04#
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
    client 209.1.1.2"
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
    client 209.1.1.2"
    The router however cannot figure out what its ID is and does not see
    itself as a WCCP group router.
    router04#sh ip wccp
    Global WCCP information:
    Router information:
    Router Identifier: -not yet determined-
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Service Group Clients: 1
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    Fast: 0
    CEF: 0
    Redirect access-list: ACCELERATED-TRAFFIC
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 25957
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total Bypassed Packets Received: 0
    This is a short summary of important commands for working with VRF's.
    View the VRF instances and the associated interfaces.
    ml-mr-c6-gs#show ip vrf
    Name Default RD Interfaces
    blurvrf 100:2 Vlan215
    Vlan326
    tgvrf 100:1 Vlan132
    Vlan325
    TenGigabitEthernet1/1
    ml-mr-c6-gs#
    Show the routing table for a specific VRF.
    ml-mr-c6-gs#show ip route vrf tgvrf
    Routing Table: tgvrf
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external,
    ---More--
    Gateway of last resort is 128.117.243.57 to network 0.0.0.0
    O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
    172.17.0.0/29 is subnetted, 3 subnets
    O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
    --More--
    Debugging should otherwise be similar to a regular switch or router.
    Final Teragrid VRF Design and Diagrams
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
    Teragrid Testbed Design
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
    Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
    Configuring VRF-Lite
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
    sachin garg

  • Is wccp v2 VRF aware?

    Is there a version of IOS code available that has VRF support for WCCP.
    Thanks

    Eddie,
    yes, it is on our todo list.
    I would suggest you to contact you sales team to inform them you need this feature.
    They have the power to make things move faster sometimes :-)
    Gilles.

  • FabricPath & Layer-3 VPNs (VRF) between 2 Data Centres

    Hi there,
    I'm looking at deploying FabricPath for layer-2 extension between 2 Data Centres.
    We also have the requirement for providing layer-3 services between the 2 DC, as in Layer-3 VPN (MPLS VPN).
    The alternative technology was MPLS, with full blown Layer-3 VPN, and Layer-2 VPNs through AToM or VPLS.
    My question is, how can we provide VRF support over FabricPath?? Can we use 2 routers with VRF lite configuration in each DC, then dot1q on the trunk through the Fabric Path? Or just VRF Lite on the layer-3 terminating routers, with a specific VLAN for interconnecting the different VRFs?
    Thanks,

    Fabricpath is L2; not related to the L3 technology you want to use; if VRF are in use you can just use VLANs which is described in your first scenario : "use 2 routers with VRF lite configuration in each DC, then dot1q on the trunk through the Fabric Path"

  • ACE - Balance HTTP and sticky only SSL/TLS

    Hi there,
    I have a situation that I am trying to solve. We have lot of services trough ACE, but now I have to modify one of them, PROXY servers. 
    I have six (6) servers working with Sticky, but with a MASK 255.255.255.0, which produce an unbalanced situation some times, and that affect some servers on depending of how many users connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have arround 700 /24 subnets.
    I want to modify the configuration, specificaly the MASK to 255.255.255.255, which is going to increase a lot Sticky resources. But thinking in optimize Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kind of SSL/TSL traffic (always using port 80 trough proxy servers), so I could use Sticky only  for connections that need it, and leave other HTTP traffic without this feature.
    I´m sorry, may be I'm doing a silly question, but don´t have the experience to make this configuration, and I will apreciate your help.
    Here is the actual configuration:
    probe tcp HTTP
      description Keepalive web servers
      interval 20
      passdetect interval 30
    rserver host Server1
      ip address 10.1.1.1
      inservice
    rserver host Server2
      ip address 10.1.1.2
      inservice
    rserver host Server3
      ip address 10.1.1.3
      inservice
    rserver host Server4
      ip address 10.1.1.4
      inservice
    rserver host Server5
      ip address 10.1.1.5
      inservice
    rserver host Server6
      ip address 10.1.1.6
      inservice
    serverfarm host PRX
      failaction purge
      predictor leastconns
      probe HTTP
      rserver Server1
        inservice
      rserver Server2
         inservice
      rserver Server3
        inservice
      rserver Server4
        inservice
      rserver Server5
        inservice
      rserver Server6
        inservice
    sticky ip-netmask 255.255.255.0 address source sticky-PRX
      timeout 60
      serverfarm PRX
    class-map match-any VIP-PRX
      2 match virtual-address 10.10.10.101 tcp eq www
    policy-map type loadbalance first-match POLICY-L7-PRX
      class class-default
        sticky-serverfarm sticky-PRX
    policy-map multi-match PRX-Balance
      class VIP-PRX
        loadbalance vip inservice
        loadbalance policy POLICY-L7-PRX
        loadbalance vip icmp-reply
    interface vlan 100
      ip address 10.10.10.11 255.255.255.0
      alias 10.10.10.10 255.255.255.0
      peer ip address 10.10.10.12 255.255.255.0
      no normalization
      access-group output SOLO-SLB
      service-policy input PRX-Balance
    Thanks
    Alexis

    You might want to check out this new product called ITD.
    Simple and faster solution:
    ITD provides :
    ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
    No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
    Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
    Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
    IP-stickiness
    Resilient (like resilient ECMP)
    VIP based L4 load-balancing
    NAT (available for EFT/PoC). Allows non-DSR deployments.
    Weighted load-balancing
    Load-balances to large number of devices/servers
    ACL along with redirection and load balancing simultaneously.
    Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
    Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
    Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
    The servers/appliances don’t have to be directly connected to N7k
    Monitoring the health of servers/appliances.
    N + M redundancy.
    Automatic failure handling of servers/appliances.
    VRF support, vPC support, VDC support
    Supported on both Nexus 7000 and Nexus 7700 series.
    Supports both IPv4 and IPv6
    N5k / N6k support : coming soon
    Blog
    At a glance
    ITD config guide
    Email Query or feedback:[email protected]

  • Data Centre Interconnection - firewall and load balancer deployment

    Hi all,
    I've read lots of Cisco docs/white papers on DCI - Layer 2 extension between DCs, but as yet I cannot find any decent information on how best to deploy firewalls and load balancers in such a design. I've seen refs to FHRP isolation on Nexus 7k (and possible 6k if you use DCI block) but nothing on the services elements.
    The services element seems to be a complete minefield here:
    - active/standby across sites, or deploy resilient pairs in each site?
    - how to align optimal traffic flows inbound and ooutbound (RHI, SNAT, etc.)
    - best practice suggestions ideally.
    Cisco DCI docs seem to always gloss over the fact that most customers would have to deal with firewalls and load balancers here, and simply refer to 'coming soon' for that info.
    If anyone has any good suggestions/links to docs explaining detailed implementation info would be much appreciate
    Thanks
    Phil

    You might want to check out this new product called ITD.
    Simple and faster solution:
    ITD provides :
    ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
    No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
    Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
    Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
    IP-stickiness
    Resilient (like resilient ECMP)
    VIP based L4 load-balancing
    NAT (available for EFT/PoC). Allows non-DSR deployments.
    Weighted load-balancing
    Load-balances to large number of devices/servers
    ACL along with redirection and load balancing simultaneously.
    Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
    Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
    Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
    The servers/appliances don’t have to be directly connected to N7k
    Monitoring the health of servers/appliances.
    N + M redundancy.
    Automatic failure handling of servers/appliances.
    VRF support, vPC support, VDC support
    Supported on both Nexus 7000 and Nexus 7700 series.
    Supports both IPv4 and IPv6
    N5k / N6k support : coming soon
    Blog
    At a glance
    ITD config guide
    Email Query or feedback:[email protected]

  • ACE30 module with 4 devices in HA mode

    Hi, 
    I have two ace module in ha mode, each ace are inside of a catalyst 6509, the catalyst  are in vss mode.
    Iam going to install another vss with two ace module, I would like to know if is possible to configure the four ace module in  ha mode?
    Regards
    Fidel Gonzalez

    Hi Fidel,
    You might want to check out this new product called ITD.
    Simple and faster solution:
    ITD provides :
    ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
    No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
    Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
    Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
    IP-stickiness
    Resilient (like resilient ECMP)
    VIP based L4 load-balancing
    NAT (available for EFT/PoC). Allows non-DSR deployments.
    Weighted load-balancing
    Load-balances to large number of devices/servers
    ACL along with redirection and load balancing simultaneously.
    Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
    Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
    Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
    The servers/appliances don’t have to be directly connected to N7k
    Monitoring the health of servers/appliances.
    N + M redundancy.
    Automatic failure handling of servers/appliances.
    VRF support, vPC support, VDC support
    Supported on both Nexus 7000 and Nexus 7700 series.
    Supports both IPv4 and IPv6
    N5k / N6k support : coming soon
    Blog
    At a glance
    ITD config guide
    Email Query or feedback:[email protected]

  • ACE 30 waits for TCP ACK

    Hi,
    I'd like to solve the problem which occurs when our client communicates with http server through ACE SM. See picture attached.
    The problem is, that http response from server (200 OK) is divided into two packets. Both packets are sent by backend http server in rapid succession.
    ACE forwards the first packet, but then waits for ACK from client. Only then it sends the second one. It takes about 200ms until client sends ACK.
    One transaction consists of hunderds such http requests. It means that whole transaction takes approx. 25 seconds when is balanced by ACE. When I connect dirrectly to backend server the transaction takes approx. 5 seconds.
    I'm quite sure the problem is not related to TCP window.
    Is there any parameter on ACE which should affect this behaviour (waiting for the ACK before second packet is sent)? 
    Petr

    Hi Petr,
    Since your issue is solved now, You might want to check out this new product called ITD.
    Simple and faster solution:
    ITD provides :
    ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
    No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
    Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
    Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
    IP-stickiness
    Resilient (like resilient ECMP)
    VIP based L4 load-balancing
    NAT (available for EFT/PoC). Allows non-DSR deployments.
    Weighted load-balancing
    Load-balances to large number of devices/servers
    ACL along with redirection and load balancing simultaneously.
    Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
    Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
    Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
    The servers/appliances don’t have to be directly connected to N7k
    Monitoring the health of servers/appliances.
    N + M redundancy.
    Automatic failure handling of servers/appliances.
    VRF support, vPC support, VDC support
    Supported on both Nexus 7000 and Nexus 7700 series.
    Supports both IPv4 and IPv6
    N5k / N6k support : coming soon
    Blog
    At a glance
    ITD config guide
    Email Query or feedback:[email protected]

  • Cisco ACE and firewall design

    Guys,
    If I have servers protected behind a firewall and I need to load balance some servers , where should I place the ACE?
    Sent from Cisco Technical Support iPad App

    Hi,
    With one-arm i believe the question is where you want to place the firwall. As long as the client is able to reach the VIP and server replies back to ACE i dont see any problem with this design.
    Firewall ---------Switch ---------------- Load Balancer ---
    As you know with one-arm requires a source NAT and might not be a good fit for application that are using the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.
    Regards,
    Siva

  • Mpls over atm ppp over aal5

    Hi,
    Does cisco support mpls over atm-ppp-llc
    per RFC 2354(PPP over AAL5).
    Something like a scenario if Cisco acts as a PE and it gets frames with mpls over atm-ppp-llc from a connected CE ,is it supported in cisco , or it will drop the frames ?
    Running mpls over ce-pe link is mandatory for the specific scenario.
    Thanks
    Thanks in advance

    Hello,
    The MPLS should be supported also on PPP over AAL5. Simply use the "mpls ip" command on the Virtual-Template or the Dialer interface you are using on top of the ATM VC to set up the PPP interface.
    The 3640 with proper IOS can support the PE functions. The Enterprise feature sets should be equipped with all features necessary to provide a PE router functionality - basically, the VRF, MPLS, LDP, MPLS VPN support, BGP, BGP VPNv4 support, IGP protocols with VRF support and that should be sufficient.
    Best regards,
    Peter

  • Sup720 vs 720-3B

    is there anyway I can run a sup720-3b as a backup for sup720? Also besides MPLS VRF support, what does the 3b or 3bXL do over a standard sup720?

    Yes you can use the 3b or 3bxl in place of 720. Other than MPLS features, there are a few other security features that are available only in 7203b and 3bxl. Other than that, performance wise for ipv4 routing, they are all the same. Check this link.
    http://www.cisco.com/en/US/products/hw/modules/ps4835/products_data_sheet09186a0080159856.html

Maybe you are looking for