Last updated on November 16th, 2022 at 05:21 pm
Cisco Virtual Routing and Forwarding (VRF) lets a single router hold more than one routing table. Conceptually, VRFs on a router are similar to VLANs on a switch: each VRF is its own isolated routing instance, and traffic does not cross between them unless you deliberately leak routes.
I use VRFs for at least the management interface on routers and switches whenever I can. Most Cisco routers and switches have a dedicated management port for, well, managing the device. This port is connected to a separate management switch for out-of-band access. On most recent Cisco devices the operating system already places this port in its own VRF. The name of that VRF depends on the platform (Mgmt-intf on the ISR 4000 and ASR 1000, Mgmt-vrf on the Catalyst 3850 and 9000 family), which is why both names appear in the examples below; check with "show vrf" before copying any of them.
The management VRF has a routing and forwarding table that is separate from the rest of the device (router or switch). If the global routing or forwarding table is attacked, misconfigured, or fails for some reason, the management VRF stays reachable, so you keep an out-of-band path into the device. The flip side of that separation is that the management VRF must be configured on its own: at minimum it needs a default route and gateway, and every service that should use the management port (NTP, syslog, DNS, AAA) has to be told explicitly to use that VRF, otherwise the device tries to reach the server through the global table and it simply never answers.
The management port is usually used for SSH sessions (sometimes HTTP/S as well) and can also carry NTP, syslog, and other management services.
Here are some configurations that have worked well for a management interface in its own VRF.
VRF notes using the management interface GigabitEthernet0 (G0) in VRF Mgmt-intf:
! Time: both servers are reached through the management VRF, packets sourced from G0
ntp server vrf Mgmt-intf 10.100.100.10 prefer
ntp server vrf Mgmt-intf 10.100.100.11
ntp source GigabitEthernet0
! Default route for the management VRF (the global table knows nothing about it)
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.100.100.1
! DNS through the management VRF, lookups sourced from G0
ip name-server vrf Mgmt-intf 192.168.10.10 192.168.10.11
ip domain lookup vrf Mgmt-intf source-interface GigabitEthernet0
ip domain name vrf Mgmt-intf example.com
Reference Links:
https://community.cisco.com/t5/network-access-control/tacacs-per-vrf/td-p/1871265
VRF SSH Access List
If an access list restricts SSH access to the vty lines and the sessions arrive on an interface that belongs to a VRF (as they do on the management port), the access-class must be applied with the vrf-also keyword: "access-class snmp-ro in vrf-also" under line vty. Without vrf-also, an access-class on the vty lines only accepts connections that arrive through the global routing table, and sessions coming in via the management VRF are dropped, which is an easy way to lock yourself out of the out-of-band path. The ACL name (snmp-ro here) is just a label; what matters is that it lists the hosts allowed to open management sessions.
! Hosts allowed to open SSH sessions to the vty lines
ip access-list standard snmp-ro
 permit 10.2.12.27
! vrf-also: also accept sessions that arrive on an interface in a VRF
line vty 0 4
 access-class snmp-ro in vrf-also
VRF NTP
! Server1 and Server2 are hostnames, so they are resolved through the name-server configured for the VRF
ntp server vrf Mgmt-vrf Server1 prefer
ntp server vrf Mgmt-vrf Server2
Logging
logging host 110.20.20.68 vrf Mgmt-vrf
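To check that a running configuration really has all of the pieces above, here is a small audit script. It is an added example, not from the original post or from Cisco: it parses "show running-config" text line by line and reports the mistakes this post warns about in each section (management port not placed in the VRF, no default route inside the VRF, NTP/syslog/DNS server statements without the vrf keyword, and a vty access-class that lacks vrf-also or names an ACL that is not defined). Both embedded configurations are constructed for the example; the VRF name Mgmt-intf, GigabitEthernet0 as the management port and all addresses are assumptions. The first assembles this post's fragments into one complete config, the second is the same device with the usual mistakes.

```python
"""Audit a Cisco IOS/IOS-XE config for a complete management VRF setup.

Added example, not from the original post. Parsing is line based, the way
'show running-config' is laid out: a stanza header at column 0, body
lines indented by one space, '!' lines as separators.
"""
import re

# Constructed sample 1: the post's fragments assembled into one config.
# VRF name, addresses and GigabitEthernet0 as management port are assumptions.
GOOD_CONFIG = """\
vrf definition Mgmt-intf
 address-family ipv4
 exit-address-family
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.100.100.5 255.255.255.0
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.100.100.1
ip name-server vrf Mgmt-intf 192.168.10.10 192.168.10.11
ip domain lookup vrf Mgmt-intf source-interface GigabitEthernet0
ip domain name vrf Mgmt-intf example.com
ntp server vrf Mgmt-intf 10.100.100.10 prefer
ntp server vrf Mgmt-intf 10.100.100.11
ntp source GigabitEthernet0
logging host 10.100.100.68 vrf Mgmt-intf
ip access-list standard snmp-ro
 permit 10.2.12.27
line vty 0 4
 access-class snmp-ro in vrf-also
 transport input ssh
"""

# Constructed sample 2: the same device with the usual mistakes.
BAD_CONFIG = """\
interface GigabitEthernet0
 ip address 10.100.100.5 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.100.100.1
ntp server 10.100.100.10 prefer
logging host 10.100.100.68
line vty 0 4
 access-class snmp-ro in
"""


def _stanzas(lines, header_re):
    """Yield (header, [stripped body lines]) for each stanza whose header matches."""
    i = 0
    while i < len(lines):
        if re.match(header_re, lines[i]):
            header, body, i = lines[i], [], i + 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit_mgmt_vrf(config, vrf, mgmt_if):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines() if l.strip() and l.strip() != "!"]
    v = re.escape(vrf)
    vrf_kw = re.compile(rf"\bvrf {v}\b")

    # 1. The management port itself must be placed in the VRF.
    in_vrf = any(re.match(rf"(ip )?vrf forwarding {v}$", b)
                 for _, body in _stanzas(lines, rf"interface {re.escape(mgmt_if)}$")
                 for b in body)
    if not in_vrf:
        findings.append(f"{mgmt_if} is not in VRF {vrf}")

    # 2. The VRF has its own table, so it needs its own default route.
    if not any(re.match(rf"ip route vrf {v} 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in lines):
        findings.append(f"no default route in VRF {vrf}")

    # 3. NTP, syslog and DNS servers must carry the vrf keyword, otherwise the
    #    device tries to reach them through the global table.
    for l in lines:
        for prefix in ("ntp server ", "logging host ", "ip name-server "):
            if l.startswith(prefix) and not vrf_kw.search(l):
                findings.append(f"{prefix.strip()} not bound to VRF {vrf}: {l}")

    # 4. vty access-class: must exist, must name a defined ACL, and must carry
    #    vrf-also, or sessions arriving via the management VRF are dropped.
    acls = set()
    for l in lines:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)|access-list (\d+) ", l)
        if m:
            acls.add(m.group(1) or m.group(2))
    for header, body in _stanzas(lines, r"line vty "):
        ac = next((b for b in body if b.startswith("access-class ")), None)
        if ac is None:
            findings.append(f"{header}: no access-class, SSH accepted from any source")
            continue
        name = ac.split()[1]
        if name not in acls:
            findings.append(f"{header}: access-class {name} names an undefined ACL")
        if "vrf-also" not in ac.split():
            findings.append(f"{header}: access-class lacks vrf-also")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_mgmt_vrf(cfg, "Mgmt-intf", "GigabitEthernet0") or ["OK"])
```

Run it against a saved "show running-config" by reading the file into audit_mgmt_vrf() with your platform's VRF name (Mgmt-vrf on the Catalyst family) and management interface. The checks are deliberately strict about the vrf keyword on every server statement, because a single "ntp server 10.x.x.x" without it fails silently: the config is accepted, the device just never syncs.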
Copyright © Packet Passers 2024