Cisco Support Community

New Member

Multiple VRFs for a Single Internet Access line

Currently we have several VRFs accessing a single 34-Mbps Internet line.

How can we distribute the Internet access evenly in the config (Router7609-s + FWSM separated per VLAN/per VRF)?

Do we need another device which can do the distribution? Any other suggestions?

New Member

Re: Multiple VRFs for a Single Internet Access line

Please associate the VRF to your Vlan.

New Member

Re: Multiple VRFs for a Single Internet Access line

Done already. But how will each VRF get Internet access equally?

Do I need to change the queue, the policy-map for QoS, or what? Please advise.

New Member

Re: Multiple VRFs for a Single Internet Access line

As far as I know there is no VRF-aware QoS which would allow applying a single QoS policy directly to VRFs. You will need to configure standard QoS. In your situation, I would suggest a configuration like this:


! match-any: a packet is http or ftp, never both (the default is match-all)
class-map match-any INTERNET
 match protocol http
 match protocol ftp

-> here you define what is "Internet traffic"

policy-map INTERNET_MARKING_VRF1
 class INTERNET
  police 1000000
   conform-action set-dscp-transmit 41
   exceed-action set-dscp-transmit 11

-> here you define the amount of fair traffic for each VRF. You need to create a policy for each VRF (unless all get the same). In the example all Internet traffic up to 1MB is marked with DSCP 41 and transmitted. Any additional Internet traffic is marked with DSCP 11 and also transmitted.

The DSCP values are random, you could choose any other value, or IP precedence, as long as the conforming and exceeding traffic is marked differently.

interface FastEthernet xx
 service-policy input INTERNET_MARKING_VRF1

-> here you apply the policy assigned to a VRF (i.e. to each VRF aka end-customer).


class-map CONFORM
 match dscp 41
class-map EXCEED
 match dscp 11

-> create two classes: fair Internet traffic (conform) and the rest.

policy-map INTERNET_POLICING
 class CONFORM
  bandwidth percent 99
 class EXCEED
  bandwidth percent 1

-> fair traffic gets 99% of the Internet bandwidth. Unfair traffic has to compete for the remaining 1%.

interface serial xy
 service-policy output INTERNET_POLICING

-> applies the policy to the WAN interface

This configuration provides fairness between VRFs as each VRF can send Internet traffic up to the contracted amount and be sure it is transmitted (this requires of course that bandwidth is available: the sum of all policed bandwidths in step 1 is smaller than or equal to 99% of your available Internet bandwidth. Note that 99% as specified in the policy-map translates to 99% of 75% of the actual interface bandwidth).

Next to fairness it also allows individual VRFs to send more traffic in times when additional bandwidth is available because one or some other VRFs send less than their contracted bandwidth. Bandwidth is not wasted.

Please consult for more options and more details. You will need to add additional configuration for other Internet traffic (not http, or ftp) or non-Internet traffic (such as your routing protocols for instance).

HTH, Thomas
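
Added example, not part of the thread or of any Cisco tooling: an idealized fluid model in Python of the mark-then-queue design described in the post above, showing what each VRF gets on the shared line when some or all VRFs exceed their policed rate. The function names, the per-VRF rates and loads, and the pro-rata split inside each class are assumptions; link_bps stands for whatever bandwidth the output policy can allocate.

```python
# Added illustration: idealized fluid model of the posted design (assumption:
# each class is one FIFO queue, so a class's output is split pro rata).

def policers_fit(link_bps, vrfs, conform_pct=99):
    """Precondition from the post: sum of policed rates <= CONFORM share."""
    return sum(rate for rate, _ in vrfs.values()) <= link_bps * conform_pct // 100

def share_link(link_bps, vrfs, conform_pct=99):
    """vrfs: {name: (policed_rate_bps, offered_bps)} -> {name: delivered_bps}."""
    # Stage 1 (ingress policer): split each VRF's load into conform / exceed.
    conform = {n: min(off, rate) for n, (rate, off) in vrfs.items()}
    exceed = {n: max(off - rate, 0) for n, (rate, off) in vrfs.items()}
    c_total, e_total = sum(conform.values()), sum(exceed.values())

    # Stage 2 (WAN queue): each class gets its guarantee plus whatever the
    # other class leaves unused, so the link stays work-conserving.
    c_guar = link_bps * conform_pct // 100
    e_guar = link_bps - c_guar
    c_out = min(c_total, max(c_guar, link_bps - e_total))
    e_out = min(e_total, max(e_guar, link_bps - c_total))

    delivered = {}
    for n in vrfs:
        c = conform[n] * c_out // c_total if c_total else 0
        e = exceed[n] * e_out // e_total if e_total else 0
        delivered[n] = c + e
    return delivered

LINK = 34_000_000  # the 34-Mbps line from the question
M = 1_000_000
# Constructed loads: three VRFs policed at 10 Mbps each (values are assumptions).
ONE_GREEDY = {"VRF1": (10 * M, 30 * M), "VRF2": (10 * M, 10 * M), "VRF3": (10 * M, 2 * M)}
ALL_GREEDY = {n: (10 * M, 30 * M) for n in ("VRF1", "VRF2", "VRF3")}

if __name__ == "__main__":
    for label, load in (("one greedy", ONE_GREEDY), ("all greedy", ALL_GREEDY)):
        print(label, policers_fit(LINK, load), share_link(LINK, load))
```

With one greedy VRF the model lets it borrow the idle capacity without touching the others' conforming traffic; with all three greedy, each is held to its policed rate plus an equal slice of the leftover.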