07-17-2007 06:14 AM - edited 03-05-2019 05:20 PM
I have a 4948 w/L-3 software. Am using VRFs to segment the traffic for two different entities. Am having problems getting the router management stuff (TACACS+, NTP, logging, SNMP, etc.) working.
All of these things are configured to originate from Loopback 0 (ip tacacs source-interface Loopback0, for example). I have also assigned Loopback 0 to one of the VRFs. Yet I can't get these things to work.
Do I have to select one VRF as the "master" VRF or something like that?
Here are the relevant config snippets from this box (names changed to protect the innocent). Note that the management servers are across the MetroE connections, not on the local LAN:
=================
ip vrf Main_VRF
 rd 64512:1
!
ip vrf Second_VRF
 rd 64514:1
!
ip vrf select
!
interface Loopback0
 ip vrf forwarding Main_VRF
 ip address 192.168.150.81 255.255.255.255
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 534,536
 switchport mode trunk
 bandwidth 250000
 speed nonegotiate
 tx-queue 1
  shape 100 mbps
!
!
interface Vlan3
 desc Local LAN in main VRF
 ip vrf forwarding Main_VRF
 ip address 172.19.48.5 255.255.240.0
 ip helper-address 10.30.252.31
 ip helper-address 10.30.254.31
 no ip redirects
!
interface Vlan534
 description MetroEthernet WAN to Site 1
 bandwidth 100000
 ip vrf forwarding Main_VRF
 ip address 192.168.93.126 255.255.255.252
!
interface Vlan536
 description MetroEthernet WAN to Site 2
 bandwidth 100000
 ip vrf forwarding Second_VRF
 ip address 192.168.69.250 255.255.255.252
router eigrp 64512
 passive-interface Vlan3
 no auto-summary
 !
 address-family ipv4 vrf Main_VRF
  network 192.168.93.0
  network 192.168.150.0
  no auto-summary
  autonomous-system 64512
 exit-address-family
!
router eigrp 64514
 no auto-summary
 !
 address-family ipv4 vrf Second_VRF
  network 192.168.69.0
  no auto-summary
  autonomous-system 64514
 exit-address-family
!
no ip http server
!
ip tacacs source-interface Loopback0
!
!
logging source-interface Loopback0
===============
Help/advice would be appreciated.
07-23-2007 10:27 AM
To use overlapping addresses between group member VRFs, PE should also use a unique MPLS VPN (PE VRFs) for each of the group member VRFs. In addition, a separate key server must be dedicated for each VRF, mainly because the key server is not VRF-aware. For this, group members should also use a separate certificate for authentication for each crypto map. The group member configuration is almost the same as in case 1 except that the additional certificate trustpoints and different key server addresses should be required.