Cisco IOS Software Releases 12.2 S

VRF-Autoclassify

The Virtual Routing and Forwarding (VRF)-Autoclassify feature enables certain types of Policy Based Routing (PBR) to be created dynamically without configuring all the related route maps and access lists. The feature facilitates the mapping of packets to VRFs other than the one assigned to the ingress interface.

History for the VRF-Autoclassify Feature

Release
Modification

12.2(27)SBA

This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Information About VRF-Autoclassify

How to Configure VRF-Autoclassify

Configuration Examples for VRF-Autoclassify

Additional References

Command Reference

Information About VRF-Autoclassify

To configure the VRF-Autoclassify feature, you should understand the following concepts:

Feature Design of VRF-Autoclassify

Feature Design of VRF-Autoclassify

When a router receives a packet, the packet is mapped to a global table by default. When the ip vrf forwarding command is used to assign a specific VRF on the ingress interface, the packet is mapped to that VRF. The packet is forwarded based on the routes in the VRF.

The VRF-Autoclassify feature enables the capability to map packets from connected hosts to VRFs that are different from the VRF defined on the ingress interface. This feature also enables the configuration of policies that are required for the mapping of packets to the VRFs depending on whether the source address of the packet belongs to those connected routes.

For example, in Figure 1, Fast Ethernet interface 0/0 is configured with two secondary addresses, 1.1.1.1/24 and 2.1.1.1/24. The first address, 1.1.1.1/24, is assigned to VRF red, while the other, 2.1.1.1/24, is assigned to VRF green. So in the VRF red table, a connected route 1.1.1.0/24 is installed, while in VRF green, 2.1.1.0/24 is installed. The routing information can be learned dynamically or statically defined.

There is a default route in VRF red that directs all traffic to Fast Ethernet interface 1/0, while in VRF green, another default route directs all traffic to Fast Ethernet interface 1/1. When packets arrive at Fast Ethernet interface 0/0, they are mapped to either VRF red or VRF green based on their source address. If the source address is 1.1.1.2, connected route 1.1.1.0/24 is used, and the packet is mapped to VRF red. Following the default route, it is forwarded out of Fast Ethernet interface 1/0.

Figure 1 Routing and Mapping of Packets with VRF-Autoclassify Enabled

For the return traffic, packets are mapped to the VRF configured on the downstream interface. For example, when a packet is received by a Fast Ethernet interface, destined for host 1.1.1.2, it is marked VRF red automatically based on the VRF configured on the downstream interface using the ip vrf forwarding red command. A lookup in VRF red would return a connected route for 1.1.1.0/24 out of Fast Ethernet interface 0/0 or return a 1.1.1.2/32 that is a directly connected neighbor. When the connected route 1.1.1.0/24 is installed in VRF red while pointing out of an interface that is native to the global table or some other table, the table is tracked. See Figure 2.

Figure 2 Return-Packet Mapping on the Downstream Interface

This feature is targeted for directly connected hosts on broadcast media such as an Ethernet interface. In networks in which VRF autoclassify is enabled, the IP addresses of the connected hosts can be assigned by using DHCP.

How to Configure VRF-Autoclassify

This section contains the following tasks:

Enabling VRF-Autoclassify (required)

Configuring Secondary Addresses for Different VRFs (required)

Configuring VRF Forwarding (optional)

Verifying VRF-Autoclassify Configuration (optional)

Enabling VRF-Autoclassify

Perform this task to enable VRF autoclassify. When an upstream interface is configured, ARP is required to apply a policy on the ARP packets received and map them to different VRFs based on the source addresses of the packets. ARP is also required to insert new entries into its table with the VRF identification for the VRF-Autoclassify feature. When the ARP lookup is performed as a packet is switched out of the upstream interface in the process switching path, the packet with the VRF table identification should be used, instead of the VRF configured on the upstream interface.

Restrictions

Any directly connected hosts must not run routing protocols and the router that is enabled with the VRF-Autoclassify feature must not run routing protocols.

If the ip policy route-map command and the ip vrf select source command are specified on an interface, the interface will reject the ip vrf auto source command. VRF-Autoclassify is blocked because PBR is set with VRF/VRF select.

Overlapped subnets are not allowed in the same VRF on a broadcast media interface if it is already defined on another interface.

This feature is applicable only to unicast packets. Multicast packets, including control packets (for example, PIM protocol packets) are not affected by this feature.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip vrf autoclassify source

5. Repeat Steps 3 and 4 for the required number of secondary VRFs specified using the ip address command.

6. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface fastethernet0/1

Enters interface configuration mode.

Note Refer to the Cisco IOS Interface and Hardware Component Command Reference, Release 12.3T for specific interface and hardware types.

Step 4 

ip vrf autoclassify source

Example:

Router(config-if)# ip vrf autoclassify source

Enables VRF autoclassify on the source interface specified in Steps 3 and 4.

Note When the ip vrf autoclassify source command is configured, Policy-Based Routing (PBR) and the dynamic route maps are automatically configured on an interface.

Step 5 

Repeat Steps 3 and 4 for the required number of secondary VRFs specified using the ip address command.

Step 6 

exit

Example:

Router# exit

Exits to global configuration mode.

Configuring Secondary Addresses for Different VRFs

Perform this task to enable the secondary addresses for different VRFs. When the VRF tables are removed globally, the secondary addresses and the policies are removed also.

When a VRF secondary address is defined on an interface, and the connected route is installed in the routing table and CEF table of that VRF, the broadcast entries and the interface address entry (corresponding receive entries) for that VRF secondary address should also be installed in the CEF table of that VRF, rather than the VRF defined for the interface.

If a packet is mapped by VRF autoclassify to a VRF different from that configured on the ingress interface, unicast RPF filters the packet based on the routes in the routing table of the VRF of the packet, rather than the VRF of the interface.

Note Dynamic route maps are generated automatically based on the configured VRF secondary addresses. There is no configuration required using the route-map command.

Restrictions

Overlapped subnets are not allowed in the same VRF on a broadcast media interface if it is already defined on another interface.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip address ip-address mask [secondary [vrf vrf-name]]

5. Repeat Steps 3 and 4 for the required number of secondary interfaces that are configured for VRF autoclassify.

6. match ip source ip-address mask

7. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface fastethernet0/1

Enters interface configuration mode.

Note Refer to the Cisco IOS Interface and Hardware Component Command Reference, Release 12.3T for specific interface and hardware types.

Step 4 

ip address ip-address mask [secondary [vrf vrf-name]]

Example:

Router(config-if)# ip address 10.0.0.0 255.0.0.0 secondary vrf red

Configures a secondary IP address for all ingress interfaces. The vrf keyword is used when the VRF-Autoclassify feature is enabled.

Step 5 

Repeat Steps 3 and 4 for the required number of secondary interfaces that are configured for VRF autoclassify.

Step 6 

match ip source ip-address mask

Example:

Router(conf-route-map)# match ip source 1.1.1.1 255.255.255.0

Defines the source address to match. The ip-address and mask arguments are the IP address and subnet for the specified VRF.

Step 7 

exit

Example:

Router# exit

Exits to global configuration mode.

Configuring VRF Forwarding

Perform this task to configure VRF forwarding on an interface. This configuration task is optional unless a different default VRF table is required other than the global table.

Prerequisites

Because the connected routes are added only to the specified VRF, packets destined for hosts on those subnets need to be mapped to that VRF in order to be forwarded properly.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip vrf forwarding vrf-name

5. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface fastethernet0/1

Enters interface configuration mode.

Note Refer to the Cisco IOS Interface and Hardware Component Command Reference, Release 12.3T for specific interface and hardware types.

Step 4 

ip vrf forwarding vrf-name

Example:

Router(config-if)# ip vrf forwarding red

Associates a VPN VRF instance with an interface or subinterface to which packets are forwarded. The vrf-name argument is the name assigned to the VRF.

Step 5 

exit

Example:

Router# exit

Exits to global configuration mode.

Verifying VRF-Autoclassify Configuration

To verify the VRF-Autoclassify configuration, perform the following steps.

SUMMARY STEPS

1. show ip interface secondary interface type number

2. show ip interface autoclassify interface type number

3. show route-map dynamic

4. show ip policy

5. show ip interface type number

6. show cef interface type number internal

7. show ip arp

8. show ip arp vrf vrf-name

DETAILED STEPS


Step 1 show ip interface secondary interface type number

Use this command to verify that the secondary interface is configured for a secondary IP address and VRF, for example:

Router# show ip interface secondary ethernet3/1

IP Address/Mask     VRF
1.1.1.1/24          red

Step 2 show ip interface autoclassify interface type number

Use this command to verify that the interface is enabled with VRF-Autoclassify, for example:

Router# show ip interface autoclassify ethernet3/1

IP Address/Mask     VRF
1.1.1.0/24          red

Step 3 show route-map dynamic

Use this command to verify the route map, for example:

Router# show route-map dynamic

route-map None-06/01/04-21:14:21.407-1-IP VRF, permit, sequence 0, identifier 1675771000
 Match clauses:
 Set clauses:
  vrf red
  Policy routing matches: 0 packets, 0 bytes
 Current active dynamic routemaps = 1

Step 4 show ip policy

Use this command to verify the route-map policy configuration, for example:

Router# show ip policy
Interface      Route map

Early Policy:
Interface      Route map
Ethernet3/1    None-06/01/04-21:14:21.407-1-IP VRF (Dynamic)

Step 5 show ip interface type number

Use this command to verify that there is a secondary IP address configured and that VRF-Autoclassify is enabled, for example:

Router# show ip interface ethernet3/1

Ethernet3/1 is up, line protocol is up
 Internet address is 20.1.1.1/24
 Broadcast address is 255.255.255.255
 Address determined by setup command
 MTU is 1500 bytes
 Helper address is not set
 Directed broadcast forwarding is disabled
 Secondary address 1.1.1.1/24
 Outgoing access list is not set
 Inbound access list is not set
 Proxy ARP is enabled
 Local Proxy ARP is disabled
 Security level is default
 Split horizon is enabled
 ICMP redirects are always sent
 ICMP unreachables are always sent
 ICMP mask replies are never sent
 IP fast switching is enabled
 IP Flow switching is disabled
 IP CEF switching is enabled
 IP CEF switching turbo vector
 IP CEF turbo switching turbo vector
 IP multicast fast switching is enabled
 IP multicast distributed fast switching is disabled
 IP route-cache flags are Fast, CEF
 Router Discovery is disabled
 IP output packet accounting is disabled
 IP access violation accounting is disabled
 TCP/IP header compression is disabled
 RTP/IP header compression is disabled
 Probe proxy name replies are disabled
 Policy routing is disabled
 Network address translation is disabled
 WCCP Redirect outbound is disabled
 WCCP Redirect inbound is disabled
 WCCP Redirect exclude is disabled
 BGP Policy Mapping is disabled
 Input features: IP VRF Autoclassify

Step 6 show cef interface type number internal

Use this command to verify that Cisco Express Forwarding (CEF) and VRF-Autoclassify are enabled, for example:

Router# show cef interface ethernet3/1 internal

Ethernet3/1 is up (if_number 6)
 Corresponding hwidb fast_if_number 6
 Corresponding hwidb firstsw->if_number 6
 Internet address is 20.1.1.1/24
 Secondary address 1.1.1.1/24
 ICMP redirects are always sent
 Per packet load-sharing is disabled
 IP unicast RPF check is disabled
 Input features: IP VRF Autoclassify
 Inbound access list is not set
 Outbound access list is not set
 IP policy routing is disabled
 BGP based policy accounting on input is disabled
 BGP based policy accounting on output is disabled
 Hardware idb is Ethernet3/1
 Fast switching type 1, interface type 64
 IP CEF switching enabled
 IP CEF switching turbo vector
 IP CEF turbo switching turbo vector
 IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
 Input fast flags 0x0, Output fast flags 0x0
 ifindex 4(4)
 Slot 3 Slot unit 1 VC -1
 Transmit limit accumulator 0x0 (0x0)
 IP MTU 1500
 Subblocks:
 Early Policy: IP early policy route map is None-06/01/04-21:14:21.407-1-IP VRF 
 Attached prefix export tracking subblock
        tracking 1 table hosting exported attached prefixes
        vrf: "red"
 IPv4: Internet address is 20.1.1.1/24
        Secondary address 1.1.1.1/24
        Broadcast address 255.255.255.255
        Per packet load-sharing is disabled
        IP MTU 1500

Step 7 show ip arp

Use this command to verify that ARP is enabled, for example:

Router# show ip arp

Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 20.1.1.1                -   0050.a2de.7055 ARPA   Ethernet3/1
Internet 10.0.18.171             -   0050.a2de.7054 ARPA   Ethernet3/0

Step 8 show ip arp vrf vrf-name

Use this command to verify that the VRF named "red" is assigned to the correct IP address and interfaces, for example:

Router# show ip arp vrf red

Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 1.1.1.1                 -   0050.a2de.7055 ARPA   Ethernet3/1
Internet 2.1.1.1                 -   0050.a2de.7056 ARPA   Ethernet3/2

Use the ping command from IP address 1.1.1.2 to IP address 1.1.1.1 and then the show ip arp vrf red command to verify the ARP entry of 1.1.1.2 in VRF red, for example:

Router# show ip arp vrf red

Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 1.1.1.1                 -   0050.a2de.7055 ARPA   Ethernet3/1
Internet 1.1.1.2                19   000a.f4b1.2b82 ARPA   Ethernet3/1
Internet 2.1.1.1                 -   0050.a2de.7056 ARPA   Ethernet3/2

A ping between IP address 2.1.1.1 and IP address 2.1.1.2 also succeeds. This creates an ARP entry for 2.1.1.2 in VRF red, as shown in the following output from the show ip arp vrf red command.

Router# show ip arp vrf red

Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 2.1.1.2                 8   0050.50c1.f011 ARPA   Ethernet3/2
Internet 1.1.1.1                 -   0050.a2de.7055 ARPA   Ethernet3/1
Internet 1.1.1.2                19   000a.f4b1.2b82 ARPA   Ethernet3/1
Internet 2.1.1.1                 -   0050.a2de.7056 ARPA   Ethernet3/2
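
The ARP check in Step 8 can be automated. The Python below is an added example, not Cisco code or part of the original document: it parses show ip arp vrf output and reports learned entries whose address falls outside the subnets expected for that VRF on that interface. The function names and the expected-subnet table are assumptions; the sample is the last output above plus one constructed row.

```python
import ipaddress
import re

# Columns: Protocol, Address, Age (min), Hardware Addr, Type, Interface.
ARP_ROW = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(-|\d+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)$")


def parse_arp(output):
    """Turn 'show ip arp [vrf name]' text into a list of row dictionaries."""
    rows = []
    for line in output.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            addr, age, mac, _encap, ifname = m.groups()
            rows.append({"address": ipaddress.ip_address(addr),
                         "local": age == "-",  # hyphen: the router's own address
                         "mac": mac, "interface": ifname})
    return rows


def stray_entries(rows, expected):
    """Learned entries whose address is outside the subnets expected
    for this VRF on the interface where the entry was learned."""
    strays = []
    for row in rows:
        nets = expected.get(row["interface"], [])
        if not row["local"] and not any(row["address"] in n for n in nets):
            strays.append((str(row["address"]), row["mac"], row["interface"]))
    return strays


# The page's final "show ip arp vrf red" output plus one constructed row
# (20.1.1.9, an address from the primary subnet of Ethernet3/1).
SAMPLE = """\
Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 2.1.1.2                 8   0050.50c1.f011 ARPA   Ethernet3/2
Internet 1.1.1.1                 -   0050.a2de.7055 ARPA   Ethernet3/1
Internet 1.1.1.2                19   000a.f4b1.2b82 ARPA   Ethernet3/1
Internet 2.1.1.1                 -   0050.a2de.7056 ARPA   Ethernet3/2
Internet 20.1.1.9                4   0011.2233.4455 ARPA   Ethernet3/1
"""

# Subnets expected in VRF red (assumption: taken from the page's
# Basic Connectivity configuration example).
EXPECTED_RED = {
    "Ethernet3/1": [ipaddress.ip_network("1.1.1.0/24")],
    "Ethernet3/2": [ipaddress.ip_network("2.1.1.0/24")],
}

if __name__ == "__main__":
    for address, mac, ifname in stray_entries(parse_arp(SAMPLE), EXPECTED_RED):
        print(f"unexpected entry in VRF red: {address} {mac} on {ifname}")
```
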

Configuration Examples for VRF-Autoclassify

This section provides the following configuration examples:

VRF-Autoclassify Basic Connectivity Configuration: Example

Multiple VRFs on the Same Interface Configuration: Example

VRF-Autoclassify Basic Connectivity Configuration: Example

The following example shows how to configure basic connectivity that uses the VRF-Autoclassify feature.

interface Ethernet0/1
 ip address 1.1.1.2 255.255.255.0

interface Ethernet3/1
 ip address 1.1.1.1 255.255.255.0 secondary vrf red
 ip address 20.1.1.1 255.255.255.0
 ip vrf autoclassify source

interface Ethernet3/2
 ip vrf forwarding red
 ip address 2.1.1.1 255.255.255.0
 ip directed-broadcast

The following example shows how to configure Fast Ethernet interface 0/0 for VRF red, and Fast Ethernet interface 0/1 for VRF green.

interface fastethernet0/0
 ip address 1.1.1.1 255.255.255.0 secondary vrf red

interface fastethernet0/1
 ip address 1.1.1.1 255.255.255.0 secondary vrf green

The following example shows a configuration of Fast Ethernet interface 0/0 that will not work, because the interface is configured for VRF red and green.

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0 secondary vrf red
 ip address 1.1.1.2 255.255.255.0 secondary vrf green

The following is another example of a configuration that will not work, because both interfaces have IP addresses assigned to VRF red:

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0 secondary vrf red

interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0 secondary vrf red

Multiple VRFs on the Same Interface Configuration: Example

The following example shows how to configure three IP addresses (1.1.1.1/24, 1.1.2.1/24, and 1.1.1.3/16) for Ethernet interface 3/1 in VRF red in one subnet, 1.1.0.0/16.

interface Ethernet3/1
 ip address 1.1.1.1 255.255.255.0 secondary vrf red
 ip address 1.1.2.1 255.255.255.0 secondary vrf red
 ip address 1.1.1.3 255.255.0.0 secondary vrf red
 ip address 1.1.0.0 255.255.0.0
 ip vrf autoclassify source
 duplex half
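
The source-based mapping described under Feature Design of VRF-Autoclassify and the two non-working configurations above can be checked offline against a saved configuration. The Python below is an added example, not Cisco code or part of the original document; the function names, the "global" label and the longest-prefix tie-break are assumptions, and the sample configurations are constructed from this page's addresses.

```python
import ipaddress
import re
from collections import defaultdict

VRF_ADDR = re.compile(r"^ip address (\S+) (\S+) secondary vrf (\S+)$")
GLOBAL = "global"  # label used in this example for the global routing table

def parse_interfaces(config_text):
    """Collect VRF-related settings from IOS-style interface stanzas."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command opens or closes a stanza
            current = None
            if line.lower().startswith("interface "):
                current = interfaces.setdefault(line.split(None, 1)[1], {
                    "vrf": None, "autoclassify": False, "vrf_subnets": []})
            continue
        if current is None:
            continue
        m = VRF_ADDR.match(line)
        if m:  # secondary address whose connected route is installed in a VRF
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            current["vrf_subnets"].append((net, m.group(3)))
        elif line.startswith("ip vrf forwarding "):
            current["vrf"] = line.split()[3]
        elif line == "ip vrf autoclassify source":
            current["autoclassify"] = True
    return interfaces

def classify(interfaces, ifname, src):
    """Return the table a unicast packet from src is mapped to on ingress."""
    intf, addr = interfaces[ifname], ipaddress.ip_address(src)
    if intf["autoclassify"]:
        hits = [(net, vrf) for net, vrf in intf["vrf_subnets"] if addr in net]
        if hits:  # assumption: the most specific connected route decides
            return max(hits, key=lambda h: h[0].prefixlen)[1]
    return intf["vrf"] or GLOBAL  # interface VRF, else the global table

def audit(interfaces):
    """Flag the two overlap cases the page shows as non-working."""
    findings, by_vrf = [], defaultdict(list)
    for ifname, intf in interfaces.items():
        subnets = intf["vrf_subnets"]
        for i, (net_a, vrf_a) in enumerate(subnets):
            by_vrf[vrf_a].append((ifname, net_a))
            for net_b, vrf_b in subnets[i + 1:]:
                # One interface, overlapping subnets, different VRFs.
                if vrf_a != vrf_b and net_a.overlaps(net_b):
                    findings.append(("ambiguous-source", ifname,
                                     f"{net_a} vrf {vrf_a} / {net_b} vrf {vrf_b}"))
    for vrf, entries in by_vrf.items():
        for i, (if_a, net_a) in enumerate(entries):
            for if_b, net_b in entries[i + 1:]:
                # One VRF, overlapping subnets, different interfaces.
                if if_a != if_b and net_a.overlaps(net_b):
                    findings.append(("overlap-in-vrf", vrf,
                                     f"{net_a} on {if_a} / {net_b} on {if_b}"))
    return findings

# Constructed sample configurations, built from the page's own examples.
WORKING = """\
interface FastEthernet0/0
 ip address 20.1.1.1 255.255.255.0
 ip address 1.1.1.1 255.255.255.0 secondary vrf red
 ip address 2.1.1.1 255.255.255.0 secondary vrf green
 ip vrf autoclassify source
interface FastEthernet1/0
 ip vrf forwarding red
"""
TWO_VRFS_ONE_SUBNET = """\
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0 secondary vrf red
 ip address 1.1.1.2 255.255.255.0 secondary vrf green
"""
ONE_VRF_TWO_INTERFACES = """\
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0 secondary vrf red
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0 secondary vrf red
"""

if __name__ == "__main__":
    ok = parse_interfaces(WORKING)
    for src in ("1.1.1.2", "2.1.1.2", "20.1.1.5"):
        print(src, "->", classify(ok, "FastEthernet0/0", src))
    for text in (WORKING, TWO_VRFS_ONE_SUBNET, ONE_VRF_TWO_INTERFACES):
        print(audit(parse_interfaces(text)))
```

A source address that matches no VRF secondary subnet stays in the interface's own table, so the audit is most useful when run before the configuration is applied to an interface that separates tenants or security zones.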

Additional References

The following sections provide references related to VRF-Autoclassify.

Related Documents

Related Topic
Document Title

ISA and VRF configuration tasks

"Configuring ISA VRF Transfer" chapter of the Cisco IOS ISA Configuration Guide, Cisco IOS Release 12.3

DHCP configuration tasks

"Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.3

IP addressing and services configuration tasks

Cisco IOS IP Configuration Guide, Release 12.3

IP addressing and services commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3T


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new and modified commands only.

New Commands

ip vrf autoclassify

match ip source

Modified Commands

ip address

show ip arp

show ip interface

show route-map

ip address

To set a primary or secondary IP address for an interface, use the ip address command in interface configuration mode. To remove an IP address or disable IP processing, use the no form of this command.

ip address ip-address mask [secondary [vrf vrf-name]]

no ip address ip-address mask [secondary [vrf vrf-name]]

Syntax Description

ip-address

IP address.

mask

Mask for the associated IP subnet.

secondary

(Optional) Configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

Note If the secondary address is used for a VRF table configuration with the vrf keyword, the vrf keyword must be specified also.

vrf

(Optional) Name of the VRF table. The vrf-name argument specifies the VRF name of the ingress interface.


Defaults

No IP address is defined for the interface.

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.

12.2(27)SBA

The vrf keyword and vrf-name argument were introduced.


Usage Guidelines

An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the Cisco IOS software always use the primary IP address. Therefore, all routers and access servers on a segment should share the same primary network number.

Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) mask request message. Routers respond to this request with an ICMP mask reply message.

You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the software detects another host using one of its IP addresses, it will print an error message on the console.

The optional secondary keyword allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and Address Resolution Protocol (ARP) requests are handled properly, as are interface routes in the IP routing table.

Secondary IP addresses can be used in a variety of situations. The following are the most common applications:

There may not be enough host addresses for a particular network segment. For example, your subnetting allows up to 254 hosts per logical subnet, but on one physical subnet you need 300 host addresses. Using secondary IP addresses on the routers or access servers allows you to have two logical subnets using one physical subnet.

Many older networks were built using Level 2 bridges. The judicious use of secondary addresses can aid in the transition to a subnetted, router-based network. Routers on an older, bridged segment can be easily made aware that many subnets are on that segment.

Two subnets of a single network might otherwise be separated by another network. This situation is not permitted when subnets are in use. In these instances, the first network is extended, or layered on top of the second network using secondary addresses.


Note If any router on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.



Note When you are routing using the Open Shortest Path First (OSPF) algorithm, ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.


To transparently bridge IP on an interface, you must perform the following two tasks:

Disable IP routing (specify the no ip routing command).

Add the interface to a bridge group; see the bridge-group command.

To concurrently route and transparently bridge IP on an interface, see the bridge crb command.

Examples

In the following example, 131.108.1.27 is the primary address and 192.31.7.17 and 192.31.8.17 are secondary addresses for Ethernet interface 0:

interface ethernet 0
 ip address 131.108.1.27 255.255.255.0
 ip address 192.31.7.17 255.255.255.0 secondary
 ip address 192.31.8.17 255.255.255.0 secondary

In the following example, Ethernet interface 0/1 is configured to automatically classify the source IP address in the VRF table red:

interface ethernet 0/1
 ip address 10.108.1.27 255.255.255.0
 ip address 11.31.7.17 255.255.255.0 secondary vrf red
 ip vrf autoclassify source

Related Commands

Command
Description

bridge crb

Enables the Cisco IOS software to both route and bridge a given protocol on separate interfaces within a single router.

bridge-group

Assigns each network interface to a bridge group.

ip vrf autoclassify

Enables VRF autoclassify on a source interface.

match ip source

Specifies a source IP address to match to required route maps that have been set up based on VRF connected routes.

route-map

Defines the conditions for redistributing routes from one routing protocol into another, or to enable policy routing.

set vrf

Enables VPN VRF selection within a route map for policy-based routing VRF selection.

show ip arp

Displays the ARP cache, in which SLIP addresses appear as permanent ARP table entries.

show ip interface

Displays the usability status of interfaces configured for IP.

show route-map

Displays static and dynamic route maps.


ip vrf autoclassify

To enable Virtual Routing and Forwarding (VRF) autoclassify on a source interface, use the ip vrf autoclassify command in interface configuration mode. To remove VRF autoclassify, use the no form of this command.

ip vrf autoclassify source

no ip vrf autoclassify source

Syntax Description

source

Specifies that the VRF classification is automatically performed based on the source.


Defaults

The VRF autoclassify functionality is disabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.2(27)SBA

This command was introduced.


Usage Guidelines

The ip vrf autoclassify command enables the capability to map packets from connected hosts to VRFs that are different from the VRF defined on the ingress interface. It also enables the configuration of policies that are required for the mapping of packets to the VRFs depending on whether the source address of the packet belongs to those connected routes.

The routing information can be learned dynamically or statically defined.

Examples

In the following example, the Fast Ethernet interface 0/0 is configured with two secondary addresses, 1.1.1.1/24 and 2.1.1.1/24. The first address, 1.1.1.1/24, is assigned to VRF red, while the other, 2.1.1.1/24, is assigned to VRF green. So in the VRF red table, a connected route 1.1.1.0/24 is installed, while in VRF green, 2.1.1.0/24 is installed:

interface fastethernet0/0
 ip address 1.1.1.1 255.255.255.0 secondary vrf red
 ip address 2.1.1.1 255.255.255.0 secondary vrf green
 ip vrf autoclassify source

There is a default route in VRF red that directs all traffic to Fast Ethernet interface 1/0, while in VRF green, another default route directs all traffic to Fast Ethernet interface 1/1. When packets arrive at Fast Ethernet interface 0/0, they are mapped to either VRF red or VRF green based on their source address. If the source address is 1.1.1.2, connected route 1.1.1.0/24 is used, and the packet is mapped to VRF red. Following the default route, it is forwarded out of Fast Ethernet interface 1/0.

The return packets are mapped to the VRF configured on the downstream interface. Refer to the ip vrf forwarding command for more information in the Cisco IOS Switching Services Command Reference, Release 12.3T.

Related Commands

Command
Description

ip address

Sets a primary or secondary IP address for an interface.

ip vrf forwarding

Associates a VPN VRF with an interface or subinterface.

match ip source

Specifies a source IP address to match to required route maps that have been set up based on VRF connected routes.

route-map

Defines the conditions for redistributing routes from one routing protocol into another, or to enable policy routing.

set vrf

Enables VPN VRF selection within a route map for policy-based routing VRF selection.

show ip arp

Displays the ARP cache, in which SLIP addresses appear as permanent ARP table entries.

show ip interface

Displays the usability status of interfaces configured for IP.

show route-map

Displays static and dynamic route maps.


match ip source

To specify a source IP address to match to required route maps that have been set up based on VRF connected routes for Policy Based Routing (PBR), use the match ip source command in route-map configuration mode. To remove the source IP address, use the no form of this command.

match ip source ip-address mask

no match ip source ip-address mask

Syntax Description

ip-address

Source IP address. The source address must match the VRF address of the ingress interface.

mask

Source subnet mask.


Defaults

No source IP addresses are matched.

Command Modes

Route-map configuration

Command History

Release
Modification

12.2(27)SBA

This command was introduced.


Examples

In the following example, the source IP addresses are matched to the IP addresses configured for VRF tables red and green:

route-map new-dynamic-route-map permit 10
 match ip source 10.1.10 255.255.255.0
 set vrf red
route-map another-dynamic-route-map permit 20
 match ip source 10.1.1.0 255.255.255.0
 set vrf green

Related Commands

Command
Description

ip address

Sets a primary or secondary IP address for an interface.

ip vrf autoclassify

Enables VRF autoclassify on a source interface.

route-map

Defines the conditions for redistributing routes from one routing protocol into another, or to enable policy routing.

set vrf

Enables VPN VRF selection within a route map for policy-based routing VRF selection.

show ip arp

Displays the ARP cache, in which SLIP addresses appear as permanent ARP table entries.

show ip interface

Displays the usability status of interfaces configured for IP.


show ip arp

To display the Address Resolution Protocol (ARP) cache, where Serial Line Internet Protocol (SLIP) addresses appear as permanent ARP table entries, use the show ip arp command in user EXEC or privileged EXEC mode.

show ip arp [ip-address] [host-name] [mac-address] [interface type number] vrf vrf-name

Syntax Description

ip-address

(Optional) ARP entries matching this IP address are displayed.

host-name

(Optional) Host name.

mac-address

(Optional) 48-bit MAC address.

interface type number

(Optional) ARP entries learned via this interface type and number are displayed.

vrf

VRF table. The vrf-name argument is a specified VRF table name.


Command Modes

User EXEC
Privileged EXEC

Command History

Release
Modification

9.0

This command was introduced.

12.2(27)SBA

The vrf keyword and vrf-name argument were added.


Usage Guidelines

ARP establishes correspondences between network addresses (an IP address, for example) and LAN hardware addresses (Ethernet addresses). A record of each correspondence is kept in a cache for a predetermined amount of time and then discarded.

Examples

The following is sample output from the show ip arp command:

Router# show ip arp

Protocol Address              Age(min) Hardware Addr   Type   Interface
Internet 171.69.233.22        9        0000.0c59.f892  ARPA   Ethernet0/0
Internet 171.69.233.21        8        0000.0c07.ac00  ARPA   Ethernet0/0
Internet 171.69.233.19        -        0000.0c63.1300  ARPA   Ethernet0/0
Internet 171.69.233.30        9        0000.0c36.6965  ARPA   Ethernet0/0
Internet 172.19.168.11        -        0000.0c63.1300  ARPA   Ethernet0/0
Internet 172.19.168.25        49       0000.0c36.6965  ARPA   Ethernet0/0

Table 1 describes the significant fields shown in the display.

Table 1 show ip arp Field Descriptions 

Field
Description

Protocol

Protocol for network address in the Address field.

Address

The network address that corresponds to the Hardware Address.

Age (min)

Age in minutes of the cache entry. A hyphen (-) means the address is local.

Hardware Addr

LAN hardware (MAC) address that corresponds to the network address.

Type

Indicates the encapsulation type the Cisco IOS software is using for the network address in this entry. Possible values include:

ARPA

SNAP

SAP

Interface

Indicates the interface associated with this network address.


The following is sample output from the show ip arp vrf command with the table name red specified:

Router# show ip arp vrf red

Protocol Address          Age (min)  Hardware Addr   Type   Interface
Internet 1.1.1.1                 -   0050.a2de.7055  ARPA   Ethernet3/1
Internet 1.1.1.2                19   000a.f4b1.2b82  ARPA   Ethernet3/1
Internet 2.1.1.1                 -   0050.a2de.7056  ARPA   Ethernet3/2

Related Commands

Command
Description

ip address

Sets a primary or secondary IP address for an interface.

ip vrf autoclassify

Enables VRF autoclassify on a source interface.

match ip source

Specifies a source IP address to match to required route maps that have been set up based on VRF connected routes.

route-map

Defines the conditions for redistributing routes from one routing protocol into another, or to enable policy routing.

set vrf

Enables VPN VRF selection within a route map for policy-based routing VRF selection.

show ip interface

Displays the usability status of interfaces configured for IP.

show route-map

Displays static and dynamic route maps.


show ip interface

To display the usability status of interfaces configured for IP, use the show ip interface command in privileged EXEC mode.

show ip interface [type number] [brief] secondary

Syntax Description

type

(Optional) Interface type.

number

(Optional) Interface number.

brief

(Optional) Displays a summary of the usability status information for each interface.

secondary

Displays the secondary IP address and the VRF table configured for VRF autoclassification.


Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.

12.0(3)T

This command was expanded to include the status of the ip wccp redirect out and ip wccp redirect exclude in commands.

12.2(14)S

This command was expanded to display the status of NetFlow on a subinterface.

12.2(15)T

The command output enhancements introduced in Cisco IOS Release 12.2(14)S were integrated into Cisco IOS Release 12.2(15)T.

12.3(6)

The command output was modified to identify the downstream VRF in the output.

12.3(11)T

This command was integrated into Cisco IOS Release 12.3(11)T.

12.2(27)SBA

The secondary keyword was added and the output enhanced to display VRF autoclassification.


Usage Guidelines

The Cisco IOS software automatically enters a directly connected route in the routing table if the interface is usable. A usable interface can send and receive packets. If an interface is not usable, the directly connected routing entry is removed from the routing table. Removing the entry allows the software to use dynamic routing protocols to determine backup routes to the network, if any.

If the interface can provide two-way communication, the line protocol is marked "up." If the interface hardware is usable, the interface is marked "up."

If you specify an optional interface type, you see information for that specific interface.

If you specify no optional arguments, you see information on all the interfaces.

When an asynchronous interface is encapsulated with PPP or Serial Line Internet Protocol (SLIP), IP fast switching is enabled. A show ip interface command on an asynchronous interface encapsulated with PPP or SLIP displays a message indicating that IP fast switching is enabled.

Examples

The following example identifies a downstream VRF. The Downstream VPN Routing/Forwarding "D" line (highlighted in the original for documentation purposes only) identifies the downstream VRF.

Router# show ip interface vi 3

Virtual-Access3 is up, line protocol is up
 Interface is unnumbered. Using address of Loopback2 (2.0.0.8)
 Broadcast address is 255.255.255.255
 Peer address is 2.8.1.1
 MTU is 1492 bytes
 Helper address is not set
 Directed broadcast forwarding is disabled
 Outgoing access list is not set
 Inbound access list is not set
 Proxy ARP is enabled
 Local Proxy ARP is disabled
 Security level is default
 Split horizon is enabled
 ICMP redirects are always sent
 ICMP unreachables are always sent
 ICMP mask replies are never sent
 IP fast switching is enabled
 IP fast switching on the same interface is enabled
 IP Flow switching is disabled
 IP CEF switching is enabled
 IP Feature Fast switching turbo vector
 IP VPN CEF switching turbo vector
 VPN Routing/Forwarding "U"
 Downstream VPN Routing/Forwarding "D" 
 IP multicast fast switching is disabled
 IP multicast distributed fast switching is disabled
 IP route-cache flags are Fast, CEF
 Router Discovery is disabled
 IP output packet accounting is disabled
 IP access violation accounting is disabled
 TCP/IP header compression is disabled
 RTP/IP header compression is disabled
 Policy routing is disabled
 Network address translation is disabled
 WCCP Redirect outbound is disabled
 WCCP Redirect inbound is disabled
 WCCP Redirect exclude is disabled
 BGP Policy Mapping is disabled 

Table 2 describes the significant fields shown in the display.

Table 2 show ip interface Field Descriptions 

Field
Description

Virtual-Access3 is up

If the interface hardware is usable, the interface is marked "up." For an interface to be usable, both the interface hardware and line protocol must be up.

Broadcast address is

Displays the broadcast address.

Peer address is

Displays the peer address.

MTU is

Displays the MTU value set on the interface.

Helper address

Displays a helper address, if one has been set.

Directed broadcast forwarding

Indicates whether directed broadcast forwarding is enabled.

Outgoing access list

Indicates whether the interface has an outgoing access list set.

Inbound access list

Indicates whether the interface has an incoming access list set.

Proxy ARP

Indicates whether Proxy Address Resolution Protocol (ARP) is enabled for the interface.

Security level

Specifies the IP Security Option (IPSO) security level set for this interface.

Split horizon

Indicates that split horizon is enabled.

ICMP redirects

Specifies whether redirect messages will be sent on this interface.

ICMP unreachables

Specifies whether unreachable messages will be sent on this interface.

ICMP mask replies

Specifies whether mask replies will be sent on this interface.

IP fast switching

Specifies whether fast switching has been enabled for this interface. It is generally enabled on serial interfaces, such as this one.

IP Flow switching

Specifies whether Flow switching is enabled for this interface.

IP CEF switching

Specifies whether Cisco Express Forwarding (CEF) is enabled for the interface.

Downstream VPN Routing/Forwarding "D"

Specifies the VRF where the PPP peer routes and AAA per-user routes are being installed.

IP multicast fast switching

Specifies whether multicast fast switching is enabled for the interface.

IP route-cache flags are Fast, Flow init, CEF, Ingress Flow

Specifies whether NetFlow has been enabled on an interface. Displays "Flow init" when NetFlow is enabled on the interface, "Ingress Flow" when NetFlow is enabled on a subinterface using the ip flow ingress command, and "Flow" when NetFlow is enabled on a main interface using the ip route-cache flow command.

Router Discovery

Specifies whether the discovery process has been enabled for this interface. It is generally disabled on serial interfaces.

IP output packet accounting

Specifies whether IP accounting is enabled for this interface and what the threshold (maximum number of entries) is.

TCP/IP header compression

Indicates whether compression is enabled or disabled.

WCCP Redirect outbound is disabled

Indicates whether packets received on an interface are redirected to a cache engine. Displays "enabled" or "disabled."

WCCP Redirect exclude is disabled

Indicates whether packets targeted for an interface will be excluded from being redirected to a cache engine. Displays "enabled" or "disabled."


The following is sample output from the show ip interface brief command:

Router# show ip interface brief

Interface     IP-Address     OK? Method  Status                  Protocol
Ethernet0     151.108.0.5    YES NVRAM   up                      up      
Ethernet1     unassigned     YES unset   administratively down   down    
Loopback0     152.108.20.5   YES NVRAM   up                      up      
Serial0       162.108.10.5   YES NVRAM   up                      up      
Serial1       162.108.4.5    YES NVRAM   up                      up      
Serial2       152.108.10.5   YES manual  up                      up      
Serial3       unassigned     YES unset   administratively down   down 

The method field has the following possible values:

RARP or SLARP—Reverse Address Resolution Protocol (RARP) or Serial Line Address Resolution Protocol (SLARP) request

BOOTP—Bootstrap protocol

TFTP—Configuration file obtained from Trivial File Transfer Protocol (TFTP) server

manual—Manually changed by CLI command

NVRAM—Configuration file in nonvolatile RAM (NVRAM)

IPCP—ip address negotiated command

DHCP—ip address dhcp command

unassigned—No IP address

unset—Unset

other—Unknown

The following is sample output from the show ip interface secondary command for Ethernet interface 3/1:

Router# show ip interface secondary ethernet3/1

IP address/Mask    VRF
1.1.1.1/24         red

Related Commands

Command
Description

ip address

Sets a primary or secondary IP address for an interface.

ip vrf autoclassify

Enables VRF autoclassify on a source interface.

match ip source

Specifies a source IP address to match to required route maps that have been set up based on VRF connected routes.

route-map

Defines the conditions for redistributing routes from one routing protocol into another, or to enable policy routing.

set vrf

Enables VPN VRF selection within a route map for policy-based routing VRF selection.

show ip arp

Displays the ARP cache, in which SLIP addresses appear as permanent ARP table entries.

show route-map

Displays static and dynamic route maps.


show route-map

To display static and dynamic route maps, use the show route-map command in privileged EXEC mode.

show route-map [map-name | dynamic [dynamic-map-name | application [application-name]] | all] [detailed]

Syntax Description

map-name

(Optional) Name of a specific route map.

dynamic

(Optional) Displays dynamic route map information.

dynamic-map-name

(Optional) Name of a specific dynamic route map.

application

(Optional) Displays dynamic route maps based on applications.

application-name

(Optional) Name of a specific application.

all

(Optional) Displays all static and dynamic route maps.

detailed

(Optional) Displays the details of the access control lists (ACLs) that have been used in the match clauses for dynamic route maps.


Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.

12.0(22)S

An additional counter collect policy routing statistic was integrated in Cisco IOS Release 12.0(22)S.

12.2(15)T

An additional counter collect policy routing statistic was integrated in Cisco IOS Release 12.2(15)T.

12.3(7)T

The dynamic, application, and all keywords were added.

12.0(28)S

Support for the recursive next-hop clause was added.

12.3(14)T

Support for the recursive next-hop clause was integrated into Cisco IOS Release 12.3(14)T. Support for the map display extension functionality was added: the detailed keyword was added.

12.2(27)SBA

The output was enhanced to display dynamically assigned route maps to VRF tables.


Usage Guidelines

For Cisco IOS Release 12.3(14)T and later releases, you can display the ACL-specific information that pertains to the route map in the same display without having to execute a show route-map command to display each ACL that is associated with the route map.

Examples

show route-map Command with No Keywords Specified Example

The following is sample output from the show route-map command:

Router# show route-map

route-map sid, permit, sequence 10
Match clauses:
    tag 1 2
Set clauses:
    metric 5
route-map sid, permit, sequence 20
Match clauses:
    tag 3 4
Set clauses:
    metric 6
Policy routing matches: 0 packets; 0 bytes

The following example shows Multiprotocol Label Switching (MPLS)-related route map information:

Router# show route-map

route-map OUT, permit, sequence 10
Match clauses:
  ip address (access-lists): 1 
Set clauses:
  mpls label
Policy routing matches: 0 packets, 0 bytes
       
route-map IN, permit, sequence 10
Match clauses:
  ip address (access-lists): 2 
  mpls label
Set clauses:
Policy routing matches: 0 packets, 0 bytes

Table 3 describes the significant fields shown in the display.

Table 3 show route-map Field Descriptions 

Field
Description

route-map

Name of the route map.

permit

Indicates that the route is redistributed as controlled by the set actions.

sequence

Number that indicates the position a new route map is to have in the list of route maps already configured with the same name.

Match clauses
  tag

Match criteria—conditions under which redistribution is allowed for the current route map.

Set clauses
  metric

Set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met.

Policy routing matches

Number of packets and bytes that have been filtered by policy routing.


show route-map Command with Dynamic Route Map Specified Example

The following is sample output from the show route-map command when entered with the dynamic keyword:

Router# show route-map dynamic

route-map AAA-02/06/04-14:01:26.619-1-AppSpec, permit, sequence 0, identifier 1137954548
  Match clauses:
    ip address (access-lists): PBR#1 PBR#2 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-02/06/04-14:01:26.619-1-AppSpec, permit, sequence 1, identifier 1137956424
  Match clauses:
    ip address (access-lists): PBR#3 PBR#4 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-02/06/04-14:01:26.619-1-AppSpec, permit, sequence 2, identifier 1124436704
  Match clauses:
    ip address (access-lists): PBR#5 PBR#6 
    length 10 100
  Set clauses:
    ip next-hop 172.16.1.1
    ip gateway 172.16.1.1
  Policy routing matches: 0 packets, 0 bytes
Current active dynamic routemaps = 1

The following is sample output from the show route-map command when entered with the dynamic and application keywords:

Router# show route-map dynamic application

Application - AAA
  Number of active routemaps = 1

When you specify an application name, only dynamic routes for that application are shown. The following is sample output from the show route-map command when entered with the dynamic and application keywords and the AAA application name:

Router# show route-map dynamic application AAA

AAA
  Number of active rmaps = 2
AAA-02/06/04-14:01:26.619-1-AppSpec
AAA-02/06/04-14:34:09.735-2-AppSpec

Router# show route-map dynamic AAA-02/06/04-14:34:09.735-2-AppSpec

route-map AAA-02/06/04-14:34:09.735-2-AppSpec, permit, sequence 0, identifier 1128046100
  Match clauses:
    ip address (access-lists): PBR#7 PBR#8 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-02/06/04-14:34:09.735-2-AppSpec, permit, sequence 1, identifier 1141277624
  Match clauses:
    ip address (access-lists): PBR#9 PBR#10 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-02/06/04-14:34:09.735-2-AppSpec, permit, sequence 2, identifier 1141279420
  Match clauses:
    ip address (access-lists): PBR#11 PBR#12 
    length 10 100
  Set clauses:
    ip next-hop 172.16.1.12
    ip gateway 172.16.1.12
  Policy routing matches: 0 packets, 0 bytes
Current active dynamic routemaps = 2

show route-map Command with Detailed ACL Information for Route Maps Specified Example

The following is sample output from the show route-map command with the dynamic and detailed keywords entered:

Router# show route-map dynamic detailed

route-map AAA-01/20/04-22:03:10.799-1-AppSpec, permit, sequence 1, identifier 29675368 
Match clauses: 
ip address (access-lists): 
Extended IP access list PBR#3 
1 permit icmp 0.0.16.12 1.204.167.240 8.1.1.0 0.0.0.255 syn dscp af12 log-input fragments 
Extended IP access list PBR#4 
1 permit icmp 0.0.16.12 1.204.167.240 8.1.1.0 0.0.0.255 syn dscp af12 log-input fragments 
Set clauses: 
ip next-hop 172.16.1.14 
ip gateway 172.16.1.14 
Policy routing matches: 0 packets, 0 bytes

show route-map Command with VRF Autoclassification Example

The following is sample output from the show route-map command when a specified VRF is configured for VRF autoclassification:

Router# show route-map dynamic

route-map None-06/01/04-21:14:21.407-1-IP VRF, permit, sequence 0
identifier 1675771000
 Match clauses:
 Set clauses: vrf red
 Policy routing matches: 0 packets, 0 bytes
Current active dynamic routemaps = 1

Related Commands

Command
Description

redistribute (IP)

Redistributes routes from one routing domain into another routing domain.

route-map (IP)

Defines the conditions for redistributing routes from one routing protocol into another, or enables policy routing.