Solved: Re: Default route for vrf router?

Ruhtra · ‎01-13-2023

Is there a way to setup a default route? My router has multiple vrf's. I can ping an address by using

ping vrf VVVV www.xxx.yyy.zzz'.

I can setup an ntp server source by using

ntp server vrf VVVV ntp.server prefer.

However some services like tacacs don't have vrf sub commands to specify vrf to route through, so you have to use a workaround like a loopback address. Is there a way to globally specify a default vrf if you don't specify it in the command?

Ruhtra · ‎01-18-2023

I was finally able to configure tacacs in the environet. Every document on Cisco had me setting up a loopback address, but in my environment that was not reliable (would successfully authenticate 1 out of 6 times). what worked for me was:

aaa group server tacacs+ kzopa-tacacs
server-private 10.100.100.250 key 7 ABCdef123456
server-private 10.100.100.251 key 7 ABCdef123456
ip vrf forwarding SS-20
ip tacacs source-interface Vlan100

set default-vrf

is an unrecognized command. However, what does work is

routing-context vrf <name>.

It also changes your prompt to

SWITCH_NAME%VRF_NAME#

View solution in original post

paul driver · ‎01-13-2023

Hello
you can have a global default route and also state a default within a vrf to use the global default.

Example:

ip route 0.0.0.0 0.0.0.0 <interface> x.x.x.x
ip route vrf VRF 0.0.0.0 0.0.0.0 <interface> y.y.y.y global

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Ruhtra · ‎01-13-2023

I apologize if I am being dense. Maybe have been thinking about this too long.

Let's say the switch management vlan is 100, and is in vrf MGMT. The vlan100 interface address is 10.100.100.1. At the exec prompt I can't even ping myself at that address unless I specify

ping vrf MGMT 10.100.100.1.

I did setup a next hop using above, but that doesn't seem to help.

Joseph W. Doherty · ‎01-13-2023

Ok, I recall the overall default would be the "global" routing table. I.e. if "somehow" a specific VRF isn't specified.

Each VRF, I also recall, can have its own default route.

Of course, it doesn't really make any sense to have a default that applies to more than one VRF (including global), as by design, each is logically different.

I realize, what you're really asking, is how to get router specific services to use a particular VRF, if there's no

configuration

command to tie that service to a particular VRF. I think (?) the answer is, you-are-out-of-luck. (You can request Cisco to include such a feature in one of their IOS updates.)

Two ways to possibly mitigate this. First, consider your global VRF for only management purposes. (Doesn't help much, though, if you want to "split" some of your services into different VRFs, and though services do not support using a specific VRF.)

Second, some Cisco devices support, I believe (?) virtual routers. If supported, that too would allow one physical device to possibly split services across those virtual routers. This too, though, is not a panacea. It too wouldn't allow you to split services across VRFs per virtual router (BTW, I'm still assuming particular service cannot specify VRF) and it further might (probably) limit service "info" to the specific virtual router it's tied to.

balaji.bandi · ‎01-13-2023

default route use GRT table, so if you looking vrf routing or you need to leak the routes to GRT.

if you looking VRF routing use below command :

ip route vrf vrf-name prefix mask [next-hop-address] [interface {interface-number}]

if you looking to leake to GRT use below command :

ip route vrf vrf-name prefix mask [next-hop-address] [interface {interface-number}] [global] [distance] [permanent] [tag tag]

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎01-13-2023

IOS Per VRF RADIUS Troubleshooting - Cisco
I think the AAA server also support vrf aware

mlund · ‎01-18-2023

For some services you can specify the source interface to use,

ip tacacs source vlan 100

for example, then if vlan 100 is in vrf MGMT the tacacs request would use the routing table for MGMT.

In IOS-XR you can use

set default-vrf <name>

at the logg in prompt, and then you don't need to specify the vrf for each command, wich is convenient when troubleshooting.

Ruhtra · ‎01-18-2023

I was finally able to configure tacacs in the environet. Every document on Cisco had me setting up a loopback address, but in my environment that was not reliable (would successfully authenticate 1 out of 6 times). what worked for me was:

aaa group server tacacs+ kzopa-tacacs
server-private 10.100.100.250 key 7 ABCdef123456
server-private 10.100.100.251 key 7 ABCdef123456
ip vrf forwarding SS-20
ip tacacs source-interface Vlan100

set default-vrf

is an unrecognized command. However, what does work is

routing-context vrf <name>.

It also changes your prompt to

SWITCH_NAME%VRF_NAME#

MHM Cisco World · ‎01-18-2023

glad your issue solved