Cisco Virtual Routing & Forwarding (VRF)


Last updated on November 16th, 2022 at 05:21 pm

Cisco Virtual Routing & Forwarding (VRF) is a technology that allows having more than one routing table on a single router. The concept of VRFs on routers is similar to VLANs on switches.

I use VRFs for at least the management interface on routers and switches whenever I can. Most Cisco routers and switches have a dedicated management port for, well, management of the device. This port can be connected to a switch for access. On most recent Cisco devices, the operating system places this port in its own VRF.

The VRF has a separate routing and forwarding table from the rest of the device (router or switch). This isolates management: if the device's global routing or forwarding table is attacked or fails for some reason, the management VRF stays reachable. Because of this, the management VRF must be configured separately, including its own default route and gateway.

This management port is usually used for SSH sessions (though sometimes for HTTP/S) and can also carry NTP, syslog, and other management services.

Here are some configurations that have worked well for the management interface in its own VRF.

VRF notes using management interface G0 (GigabitEthernet0):

ntp server vrf Mgmt-intf 10.100.100.10 prefer
ntp server vrf Mgmt-intf 10.100.100.11
ntp server use-vrf prefer source G0
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.100.100.1
ip name-server vrf Mgmt-intf 192.168.10.10 192.168.10.11
ip domain lookup vrf Mgmt-intf source-interface GigabitEthernet0
ip domain name vrf Mgmt-intf example.com

Reference Links:

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/113667-ios-vrf-tshoot.html

https://community.cisco.com/t5/network-access-control/tacacs-per-vrf/td-p/1871265

VRF SSH Access List

If an access list restricts VTY (SSH) access and the connection arrives on an interface that belongs to a VRF, the access-class in the line vty configuration must include the vrf-also keyword (here “access-class snmp-ro in vrf-also”); without it, connections arriving through a VRF interface are rejected.

ip access-list standard snmp-ro
 permit 10.2.12.27
line vty 0 4
 access-class snmp-ro in vrf-also

Reference Links:

https://community.cisco.com/t5/switching/access-list-for-vty-lines-on-isr-4331-running-ios-xe/td-p/3335905/page/2

VRF NTP

ntp server vrf Mgmt-vrf Server1 prefer
ntp server vrf Mgmt-vrf Server2

Logging

logging host 110.20.20.68 vrf Mgmt-vrf
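The management-VRF notes, the VRF SSH access list section and the NTP/logging lines above all come down to the same check: every management service (default route, NTP, DNS, syslog) must be bound to the management VRF, and the VTY access-class must carry vrf-also or SSH from the VRF is refused. The script below is an added example, not from the original post, that audits a running-config text for exactly those points. It assumes the VRF name Mgmt-intf from the post, a config in the format of "show running-config", and the sample config is constructed (not a real device); the finding codes such as VTY_NO_VRF_ALSO are my own.

```python
"""Audit a Cisco IOS/IOS-XE running-config for management-VRF hygiene.

Added example (not the original post's code). Assumes the management VRF
is named 'Mgmt-intf' and the input is plain 'show running-config' text.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample config: everything is in the VRF except the VTY
# access-class, which is missing 'vrf-also'.
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
vrf definition Mgmt-intf
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.100.100.5 255.255.255.0
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.100.100.1
ip name-server vrf Mgmt-intf 192.168.10.10 192.168.10.11
ntp server vrf Mgmt-intf 10.100.100.10 prefer
ntp server vrf Mgmt-intf 10.100.100.11
logging host 10.100.100.68 vrf Mgmt-intf
!
ip access-list standard ssh-mgmt
 permit 10.2.12.27
!
line vty 0 4
 access-class ssh-mgmt in
 transport input ssh
!
"""


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split a running-config into (top-level command, [child lines]) pairs.

    Indented lines belong to the preceding top-level command; '!' and blank
    lines are separators and are dropped.
    """
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def bound_vrf(cmd: str) -> Optional[str]:
    """Return the VRF name a command is bound to ('... vrf NAME ...'), else None."""
    toks = cmd.split()
    if "vrf" in toks:
        i = toks.index("vrf")
        if i + 1 < len(toks):
            return toks[i + 1]
    return None


def audit_mgmt_vrf(config: str, vrf: str = "Mgmt-intf") -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    findings: List[str] = []

    # 1. The VRF must exist and at least one interface must sit in it.
    if not any(cmd in (f"vrf definition {vrf}", f"ip vrf {vrf}") for cmd in top):
        findings.append(f"NO_VRF: '{vrf}' is not defined")
    in_vrf = {f"vrf forwarding {vrf}", f"ip vrf forwarding {vrf}"}
    if not any(cmd.startswith("interface ") and in_vrf & set(kids) for cmd, kids in sections):
        findings.append(f"NO_VRF_INTERFACE: no interface is placed in '{vrf}'")

    # 2. A VRF has its own table, so it needs its own default route and gateway.
    default_route = rf"ip route vrf {re.escape(vrf)} 0\.0\.0\.0 0\.0\.0\.0 \S+"
    if not any(re.match(default_route, cmd) for cmd in top):
        findings.append(f"NO_DEFAULT_ROUTE: '{vrf}' has no default route")

    # 3. NTP, syslog and DNS servers must be reached through the VRF,
    #    otherwise they are looked up in the global routing table.
    for prefix, code in (("ntp server ", "NTP_NOT_IN_VRF"),
                         ("logging host ", "SYSLOG_NOT_IN_VRF"),
                         ("ip name-server ", "DNS_NOT_IN_VRF")):
        for cmd in top:
            if cmd.startswith(prefix) and bound_vrf(cmd) != vrf:
                findings.append(f"{code}: '{cmd}' is not bound to '{vrf}'")

    # 4. VTY access-class without 'vrf-also' rejects sessions arriving via a VRF.
    for cmd, kids in sections:
        if not cmd.startswith("line vty"):
            continue
        acls = [k for k in kids if k.startswith("access-class ") and k.split()[2:3] == ["in"]]
        if not acls:
            findings.append(f"VTY_NO_ACL: '{cmd}' has no inbound access-class")
        for k in acls:
            if "vrf-also" not in k.split():
                findings.append(f"VTY_NO_VRF_ALSO: '{cmd}' has '{k}' without vrf-also")
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_vrf(SAMPLE_CONFIG) or ["OK: no findings"]:
        print(finding)
```

Run against the sample, the only finding is the missing vrf-also on line vty 0 4; add the keyword and the audit comes back clean. Feeding it a config saved from a real device is a quick way to catch a management VRF that was created but never given a default route or VRF-bound syslog/NTP servers.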

Copyright © Packet Passers 2024