VRF-lite and router management

p-dionne (Level 1)

I have a 4948 w/ L-3 software. I am using VRFs to segment the traffic for two different entities. I am having problems getting the router management stuff (TACACS+, NTP, logging, SNMP, etc.) working.

All of these things are configured to originate from Loopback 0 (ip tacacs source-interface Loopback0, for example). I have also assigned Loopback 0 to one of the VRFs. Yet I can't get these things to work.

Do I have to select one VRF as the "master" VRF or something like that?

Here are the relevant config snippets from this box (names changed to protect the innocent). Note that the management servers are across the MetroE connections, not on the local LAN:

=================

ip vrf Main_VRF
 rd 64512:1
!
ip vrf Second_VRF
 rd 64514:1
!
ip vrf select
!
interface Loopback0
 ip vrf forwarding Main_VRF
 ip address 192.168.150.81 255.255.255.255
!
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 534,536
 switchport mode trunk
 bandwidth 250000
 speed nonegotiate
 tx-queue 1
   shape 100 mbps
!
!
interface Vlan3
 description Local LAN in main VRF
 ip vrf forwarding Main_VRF
 ip address 172.19.48.5 255.255.240.0
 ip helper-address 10.30.252.31
 ip helper-address 10.30.254.31
 no ip redirects
!
interface Vlan534
 description MetroEthernet WAN to Site 1
 bandwidth 100000
 ip vrf forwarding Main_VRF
 ip address 192.168.93.126 255.255.255.252
!
interface Vlan536
 description MetroEthernet WAN to Site 2
 bandwidth 100000
 ip vrf forwarding Second_VRF
 ip address 192.168.69.250 255.255.255.252
!
router eigrp 64512
 passive-interface Vlan3
 no auto-summary
 !
 address-family ipv4 vrf Main_VRF
  network 192.168.93.0
  network 192.168.150.0
  no auto-summary
  autonomous-system 64512
 exit-address-family
!
router eigrp 64514
 no auto-summary
 !
 address-family ipv4 vrf Second_VRF
  network 192.168.69.0
  no auto-summary
  autonomous-system 64514
 exit-address-family
!
no ip http server
!
ip tacacs source-interface Loopback0
!
!
logging source-interface Loopback0

===============

Help/advice would be appreciated.
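The VRF-aware forms of the management services named in this question, as an added example that is not part of the original post and not a verified fix for this box: the global `ip tacacs source-interface` and `logging source-interface` lines only tell a service which address to use, while each service still has to be told which VRF to forward through. Server addresses, the TACACS+ key and the SNMP community are placeholders, and the per-VRF keywords shown must be supported by the 4948's IOS image.

```cisco
! Assumption: the management servers are reachable inside Main_VRF
! (the VRF that Loopback0 and the Vlan534 MetroE link belong to).
!
! TACACS+: a server group carries both the VRF and the source
! interface; a bare "tacacs-server host" uses the global table.
aaa new-model
aaa group server tacacs+ MGMT-TACACS
 server-private 10.30.252.10 key TACACS-KEY-PLACEHOLDER
 ip vrf forwarding Main_VRF
 ip tacacs source-interface Loopback0
aaa authentication login default group MGMT-TACACS local
aaa authorization exec default group MGMT-TACACS local
!
! NTP: the vrf keyword selects the table, source the address.
ntp server vrf Main_VRF 10.30.252.11 source Loopback0
!
! Syslog: the source-interface and each host need the VRF.
logging source-interface Loopback0 vrf Main_VRF
logging host 10.30.252.12 vrf Main_VRF
!
! SNMP traps: trap-source picks the address, host picks the VRF.
snmp-server community COMMUNITY-PLACEHOLDER RO
snmp-server trap-source Loopback0
snmp-server host 10.30.252.13 vrf Main_VRF version 2c COMMUNITY-PLACEHOLDER
!
! Checks before trusting any of the above: confirm the server
! prefix is present in the VRF table and that the Loopback0
! address can reach it through that VRF.
! show ip route vrf Main_VRF 10.30.252.10
! ping vrf Main_VRF 10.30.252.10 source Loopback0
```

If the ping from Loopback0 inside the VRF fails, the problem is reachability (the management servers' return route to 192.168.150.81) rather than the service configuration, and no source-interface setting will help.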

1 Reply

carenas123 (Level 5)

To use overlapping addresses between group member VRFs, the PE should also use a unique MPLS VPN (PE VRFs) for each of the group member VRFs. In addition, a separate key server must be dedicated for each VRF, mainly because the key server is not VRF-aware. For this, group members should also use a separate certificate for authentication for each crypto map. The group member configuration is almost the same as in case 1, except that the additional certificate trustpoints and different key server addresses should be required.
