VRF Config

Unanswered Question
Oct 5th, 2009

We are trying to configure VRFs in our network which has VSS6500 and 2960s. So can anyone help me out in finding the appropriate configuration documents for the setup.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Giuseppe Larosa Mon, 10/05/2009 - 03:44

Hello Venkata,

first of all you need to decide if you want to implement VRF lite also known as Multi VRF CE (no mpls involved)

or you want to use MPLS L3 VPN (VRF + MPLS).

config guide is here


C2960 should be only L2 switches.

you need to map a set of L2 Vlans to each VRF so that you can segregate.

SVI interfaces on VSS will be mapped in respective VRF using

ip vrf forwarding vrf-name

note that when you assign a L3 interface to a VRF you need to configure the ip address again.

A VRF lite approach can be enough for your needs, this leads to using dedicated Vlans for each VRF to build a topology:



access switch -- vlan 101 -- VSS --- vlan 102 --- FW or border router -- Internet


access switch -- vlan 202 -- VSS --- vlan 203 --- FW or border router -- Internet

and so on

physical links will be 802.1Q trunks carrying needed vlans

each VRF is separated and only FW can make them to communicate if needed in a controlled way.

the FW can be external or a FWSM in VSS.

Hope to help


Rams.Dandu Mon, 10/05/2009 - 23:14

Hi Giuseppe;

Thanks for a quick response; that did help me. But is there a link where i can find a config guide for VRF Lite ?



VitaliyVS Thu, 12/23/2010 - 07:57


One more question. I'm trying to configure 2x6509(VSS+MEC)+external FW. I'm confused about VRF approach. Which variant would be better? Which advantage and disadvantage every one have:

1.   VRFx: [access switch] -- vlan 101 -- [VSS] --- vlan 102 --- [FW] -- <

2.   VRFx: [access switch] -- vlan 101 -- [VSS] --- vlan 101 --- [FW] -- <

Is it necessary to create an additional 102 vlan? I see just one advantage  - no 101 vlan's broadcasts on FW


This Discussion