Cisco IOS Software Releases 12.3 Mainline

MPLS VPN Half-Duplex VRF


The Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) Half-Duplex Virtual Routing and Forwarding (VRF) feature provides scalable hub-and-spoke connectivity for subscribers of an MPLS VPN service. This feature addresses the limitations previously imposed on hub-and-spoke topologies by removing the requirement of one VRF per spoke. This feature also ensures that subscriber traffic always traverses the central link between the wholesale service provider and the ISP, whether the subscriber traffic is being routed to a remote network by way of the upstream ISP or to another locally or remotely connected subscriber.

Feature History for MPLS VPN Half-Duplex VRF

Release        Modification
12.2(16)BX2    This feature was introduced on the Cisco 10000 series router.
12.3(6)        This feature was integrated into the Cisco IOS 12.3 mainline release. Support was added for the Cisco 6400 series router.
12.3(11)T      This feature was modified to support the Cisco 7200 series router.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for MPLS VPN Half-Duplex VRF

Restrictions for MPLS VPN Half-Duplex VRF

Information about MPLS VPN Half-Duplex VRF

How to Configure MPLS VPN Half-Duplex VRF

Configuration Examples for MPLS VPN Half-Duplex VRF

Additional References

Command Reference

Glossary

Prerequisites for MPLS VPN Half-Duplex VRF

You must have a working MPLS core network.

Restrictions for MPLS VPN Half-Duplex VRF

In both the upstream and downstream VRFs, routing protocols are not supported on interfaces configured for half-duplex VRFs. Interfaces that are not configured for half-duplex VRFs, however, do not have this restriction for the upstream or downstream VRFs.

Half-duplex VRFs apply only to virtual access interfaces (VAIs) and virtual template interfaces (VTIs).

Only unnumbered interfaces are supported.

Information about MPLS VPN Half-Duplex VRF

To configure the MPLS VPN half-duplex VRF feature, you need to understand the following concepts:

MPLS VPN Half-Duplex VRF Overview

Upstream and Downstream VRFs

Reverse Path Forwarding Check

MPLS VPN Half-Duplex VRF Overview

The MPLS VPN Half-Duplex VRF feature provides the following benefits:

The MPLS VPN Half-Duplex VRF feature prevents local connectivity between subscribers at the spoke provider edge (PE) router and ensures that a hub site provides subscriber connectivity. Any sites that connect to the same PE router must forward intersite traffic using the hub site. This ensures that the routing done at the spoke site moves from the access-side interface to the network-side interface or from the network-side interface to the access-side interface, but never from the access-side interface to the access-side interface.

The MPLS VPN Half-Duplex VRF feature prevents situations where the PE router locally switches the spokes without passing the traffic through the upstream Internet service provider (ISP). This prevents subscribers from connecting directly to each other, which would cause the wholesale service provider to lose revenue.

The MPLS VPN Half-Duplex VRF feature improves scalability by removing the requirement of one VRF per spoke. In prior releases, when spokes connected to the same PE router, each spoke was configured in a separate VRF to ensure that the traffic between the spokes traversed the central link between the wholesale service provider and the ISP. However, this solution was not scalable. When many spokes connected to the same PE router, configuration of VRFs for each spoke became quite complex and greatly increased memory usage. This was especially true in large-scale wholesale service provider environments that supported high-density remote access to Layer 3 VPNs.

Figure 1 shows a sample hub-and-spoke topology for MPLS VPN Half-Duplex VRF.

Figure 1 Hub-and-Spoke Topology for MPLS VPN Half-Duplex VRF

Upstream and Downstream VRFs

The MPLS VPN Half-Duplex VRF feature uses two unidirectional VRFs to forward IP traffic between the spokes and the hub PE router:

The upstream VRF forwards the IP traffic from the spokes toward the MPLS VPN backbone. This VRF typically contains only a default route but might also contain summary routes and multiple default routes. The default route points to the interface on the hub PE router that connects to the upstream ISP. The router dynamically learns about the default route from the routing updates that the hub PE router or home gateway sends. The upstream VRF also contains the VAIs that connect the spokes, but it contains no other local interfaces.

The downstream VRF forwards traffic from the MPLS core back to the spokes. This VRF contains Point-to-Point Protocol (PPP) peer routes for the spokes and per-user static routes received from the Authentication, Authorization, and Accounting (AAA) server. It also contains the routes imported from the hub PE router. These routes are the dynamically allocated VAIs of the subscribers associated with a particular service.

The router redistributes routes from the downstream VRF into Multiprotocol Border Gateway Protocol (MP-BGP). The spoke PE router typically advertises a summary route across the MPLS core for the connected spokes. The VRF configured on the hub PE router imports the advertised summary route.

Reverse Path Forwarding Check

The Reverse Path Forwarding (RPF) check ensures that an IP packet that enters a router uses the correct inbound interface. The MPLS VPN Half-Duplex VRF feature supports unicast RPF check on the spoke-side interfaces. Because different VRFs are used for downstream and upstream forwarding, the RPF mechanism ensures that source address checks occur in the downstream VRF.
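
The following Python model is an added illustration, not Cisco code. It builds the upstream and downstream tables from the routes in this document's sample show ip route vrf output and shows that spoke-to-spoke traffic leaves toward the hub, that a conventional single VRF would switch it locally, and that a spoofed source fails the RPF check in the downstream VRF. The strict-mode RPF rule, the MPLS-core label, and the single-VRF comparison table are assumptions made for the model.

```python
import ipaddress

CORE = "MPLS-core"  # assumed label for the network-side path toward the hub PE
ACCESS_IFS = ("Virtual-Access3", "Virtual-Access4")  # spoke-side VAIs

# Routes as they appear in this document's sample output for VRF D and VRF U.
DOWNSTREAM_ROUTES = [
    ("2.8.1.1/32", "Virtual-Access3"),  # PPP peer route
    ("2.8.1.2/32", "Virtual-Access4"),  # PPP peer route
    ("2.0.0.2/32", "Virtual-Access3"),  # per-user static route via 2.8.1.1
    ("2.0.0.5/32", "Virtual-Access4"),  # per-user static route via 2.8.1.2
    ("2.0.0.0/8", "Null0"),             # static summary pointing at Null0
]
UPSTREAM_ROUTES = [
    ("2.0.0.8/32", "Loopback2"),
    ("0.0.0.0/0", CORE),                # default route learned from the hub PE
]


class Vrf:
    """Routing table with longest-prefix-match lookup."""

    def __init__(self, name, routes=()):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), out) for p, out in routes]

    def lookup(self, addr):
        """Return the outgoing interface for addr, or None if no route matches."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, out in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        return best[1] if best else None


def build_half_duplex():
    """Two unidirectional tables, as on a spoke PE with half-duplex VRFs."""
    return Vrf("U", UPSTREAM_ROUTES), Vrf("D", DOWNSTREAM_ROUTES)


def build_single_vrf():
    """Assumed comparison case: one VRF holding peer routes and the default."""
    return Vrf("V", DOWNSTREAM_ROUTES + UPSTREAM_ROUTES)


def forward(in_if, src, dst, upstream, downstream, access_ifs=ACCESS_IFS, urpf=True):
    """Return (action, detail) for one packet arriving on in_if."""
    if in_if in access_ifs:
        # Spoke-side ingress: the source check runs in the downstream VRF,
        # because that is where PPP peer and per-user routes are installed.
        if urpf and downstream.lookup(src) != in_if:
            return ("drop", "rpf-fail")
        table = upstream      # access side -> network side
    else:
        table = downstream    # network side -> access side
    out_if = table.lookup(dst)
    if out_if is None:
        return ("drop", "no-route")
    if out_if == "Null0":
        return ("drop", "null-route")
    return ("forward", out_if)


def demo():
    """Run the cases discussed in the text and return their results."""
    u, d = build_half_duplex()
    v = build_single_vrf()
    return {
        "half-duplex, spoke to spoke": forward("Virtual-Access3", "2.8.1.1", "2.8.1.2", u, d),
        "single VRF, spoke to spoke": forward("Virtual-Access3", "2.8.1.1", "2.8.1.2", v, v),
        "spoofed source on VAI 3": forward("Virtual-Access3", "2.8.1.2", "100.0.0.20", u, d),
        "per-user source on VAI 3": forward("Virtual-Access3", "2.0.0.2", "2.0.0.5", u, d),
        "returning from hub": forward(CORE, "2.8.1.1", "2.8.1.2", u, d),
        "core to unassigned address": forward(CORE, "100.0.0.20", "2.0.0.77", u, d),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} {result}")
```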

How to Configure MPLS VPN Half-Duplex VRF

This section contains the following procedures:

Configuring the Upstream and Downstream VRFs on the PE Router or the Spoke PE Router (required)

Associating VRFs (required)

Configuring the RADIUS Server for MPLS VPN Half-Duplex VRF Support (optional)

Verifying MPLS VPN Half-Duplex VRF Configuration (optional)

Configuring the Upstream and Downstream VRFs on the PE Router or the Spoke PE Router

To configure the upstream and downstream VRFs on the PE router or on the spoke PE router, use the following procedure.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip vrf vrf-name

4. rd route-distinguisher

5. route-target {import | export | both} route-target-ext-community

DETAILED STEPS

 
Step 1 enable

Example: Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal

Example: Router# configure terminal

Enters global configuration mode.

Step 3 ip vrf vrf-name

Example: Router(config)# ip vrf U

Enters VRF configuration mode and defines the VRF instance by assigning a VRF name.

Step 4 rd route-distinguisher

Example: Router(config-vrf)# rd 1:0

Creates routing and forwarding tables.

Step 5 route-target {import | export | both} route-target-ext-community

Example: Router(config-vrf)# route-target import 1:0

Creates a list of import and export route target communities for the specified VRF.

The import keyword is required to create an upstream VRF. The upstream VRF is used to import the default route from the hub PE router.

The export keyword is required to create a downstream VRF. The downstream VRF is used to export the routes of all subscribers of a given service that the VRF serves.

Associating VRFs

The virtual template interface is used to create and configure a virtual access interface (VAI). After you define and configure the VRFs on the PE routers, associate each VRF with the following:

Interface or subinterface

Virtual template interface

To associate a VRF, enter the following commands on the PE router.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface virtual-template number

4. ip vrf forwarding vrf-name1 [downstream vrf-name2]

5. ip unnumbered type number

6. exit

DETAILED STEPS

 
Step 1 enable

Example: Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal

Example: Router# configure terminal

Enters global configuration mode.

Step 3 interface virtual-template number

Example: Router(config)# interface virtual-template 1

Creates a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces. Enters interface configuration mode.

Step 4 ip vrf forwarding vrf-name1 [downstream vrf-name2]

Example: Router(config-if)# ip vrf forwarding vpn1 downstream D

Associates a virtual template interface with the VRF you specify.

The vrf-name1 argument is the name of the VRF associated with the virtual template interface.

The vrf-name2 argument is the name of the downstream VRF into which the PPP peer route and all of the per-user routes from the AAA server are installed. If an AAA server is used, it provides the VRF membership; you do not need to configure the VRF members on the virtual templates.

Step 5 ip unnumbered type number

Example: Router(config-if)# ip unnumbered Loopback1

Enables IP processing on an interface without assigning an explicit IP address to the interface.

The type and number arguments are the type and number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface.

Step 6 exit

Example: Router(config-if)# exit

Returns to global configuration mode.

Configuring the RADIUS Server for MPLS VPN Half-Duplex VRF Support

To configure the downstream VRF for an AAA server, enter the following Cisco attribute value:

lcp:interface-config=ip vrf forwarding U downstream D

For more information about configuring a RADIUS server, see Configuring Virtual Template Interfaces.

Verifying MPLS VPN Half-Duplex VRF Configuration

To verify the MPLS VPN half-duplex VRF configuration, perform the following steps.

SUMMARY STEPS

1. show ip vrf [brief | detail | interfaces | id] [vrf-name] [output-modifiers]

2. show ip route vrf vrf-name

3. show running-config [interface type number]

DETAILED STEPS


Step 1 show ip vrf [brief | detail | interfaces | id] [vrf-name] [output-modifiers]

Use this command to display information about all of the VRFs configured on the router, including the downstream VRF for each associated VAI.

Router# show ip vrf 

  Name   Default RD   Interface
  D      2:0          Loopback2
                      Virtual-Access3 [D] 
                      Virtual-Access4 [D] 
  U      2:1          Virtual-Access3
                      Virtual-Access4

show ip vrf detail vrf-name

Use this command to display detailed information about the VRF you specify, including all of the VAIs associated with the VRF.

If you do not specify a value for vrf-name, detailed information about all of the VRFs configured on the router appears, including all of the VAIs associated with each VRF.

The following example shows how to display detailed information for the VRF called vrf1.

Router# show ip vrf detail vrf1 

VRF D; default RD 2:0; default VPNID <not set>
  Interfaces:
         Loopback2           Virtual-Access3 [D]  Virtual-Access4 [D]
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:2:0                 
  Import VPN route-target communities
    RT:2:1                 
  No import route-map
  No export route-map
VRF U; default RD 2:1; default VPNID <not set>
  Interfaces:
    Virtual-Access3          Virtual-Access4         
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  Import VPN route-target communities
    RT:2:1                 
  No import route-map
  No export route-map


Note: For a description of each output display field, see the "Command Reference" section.


Step 2 show ip route vrf vrf-name

Use this command to display the IP routing table for the VRF you specify, and information about the per-user static routes installed in the downstream VRF.

The following example shows how to display the routing table for the downstream VRF named D.

Router# show ip route vrf D 

Routing Table: D
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
U       2.0.0.2/32 [1/0] via 2.8.1.1
S       2.0.0.0/8 is directly connected, Null0
U       2.0.0.5/32 [1/0] via 2.8.1.2
C       2.8.1.2/32 is directly connected, Virtual-Access4
C       2.8.1.1/32 is directly connected, Virtual-Access3

The following example shows how to display the routing table for the upstream VRF named U.

Router# show ip route vrf U 

Routing Table: U
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS interarea
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 100.0.0.20 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.0.0.8 is directly connected, Loopback2
B*   0.0.0.0/0 [200/0] via 100.0.0.20, 1w5d


Note: For a description of each output display field, see the show ip route vrf command in the Cisco IOS Switching Services Command Reference document.


Step 3 show running-config [interface type number]

Use this command to display information about the virtual access interface you specify, including information about the upstream and downstream VRFs.

The following example shows how to display information about the interface named virtual-access 3.

Router# show running-config interface virtual-access 3

Building configuration...

Current configuration : 92 bytes
!
interface Virtual-Access3
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
end

The following example shows how to display information about the interface named virtual-access 4.

Router# show running-config interface virtual-access 4

Building configuration...

Current configuration : 92 bytes
!
interface Virtual-Access4
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
end
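
At scale, the check in Step 1 can be scripted. The following Python parser is an added example, not a Cisco tool: it reads show ip vrf output in the layout shown above, pairs each virtual access interface with its upstream and downstream VRFs, and reports any VAI that has no [D] entry and is therefore bound to an ordinary full-duplex VRF. The sample text is constructed from this document's output with one extra interface (Virtual-Access5) added, and the function names and the `<not set>` RD form are assumptions.

```python
import re

# A VRF row: name, route distinguisher, then the first interface (if any).
# "<not set>" is the assumed form for a VRF that has no RD configured.
VRF_ROW = re.compile(r"^\s*(?P<name>\S+)\s+(?P<rd><not set>|\S+:\S+)\s*(?P<rest>.*)$")
# An interface entry, tagged [D] when it is listed under its downstream VRF.
IF_ITEM = re.compile(r"^(?P<ifname>\S+)(?:\s+\[(?P<tag>D)\])?$")

# Constructed sample: the document's output plus Virtual-Access5 under U only.
SAMPLE = """\
Router# show ip vrf

  Name   Default RD   Interface
  D      2:0          Loopback2
                      Virtual-Access3 [D]
                      Virtual-Access4 [D]
  U      2:1          Virtual-Access3
                      Virtual-Access4
                      Virtual-Access5
"""


def parse_show_ip_vrf(text):
    """Return {vrf: {"rd": str, "interfaces": [(ifname, is_downstream), ...]}}."""
    vrfs = {}
    current = None
    for line in text.splitlines():
        row = VRF_ROW.match(line)
        if row:
            current = vrfs.setdefault(row["name"], {"rd": row["rd"], "interfaces": []})
            item = row["rest"].strip()
        else:
            item = line.strip()          # continuation line: interface only
        if current is None or not item:
            continue                     # prompt, header, or blank line
        entry = IF_ITEM.match(item)
        if entry:
            current["interfaces"].append((entry["ifname"], entry["tag"] == "D"))
    return vrfs


def pair_subscriber_interfaces(vrfs, prefix="Virtual-Access"):
    """Return ({ifname: (upstream VRFs, downstream VRFs)}, findings)."""
    seen = {}
    for name, vrf in vrfs.items():
        for ifname, is_downstream in vrf["interfaces"]:
            if ifname.startswith(prefix):
                ups, downs = seen.setdefault(ifname, ([], []))
                (downs if is_downstream else ups).append(name)
    findings = []
    for ifname in sorted(seen):
        ups, downs = seen[ifname]
        if not downs:
            # Single VRF for both directions: the PE can switch locally
            # between subscribers that share this VRF.
            findings.append((ifname, "no-downstream-vrf"))
        elif not ups:
            findings.append((ifname, "no-upstream-vrf"))
    return seen, findings


if __name__ == "__main__":
    pairs, findings = pair_subscriber_interfaces(parse_show_ip_vrf(SAMPLE))
    for ifname, (ups, downs) in sorted(pairs.items()):
        print(f"{ifname:18} upstream={ups} downstream={downs}")
    for ifname, code in findings:
        print(f"FINDING {ifname}: {code}")
```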


Configuration Examples for MPLS VPN Half-Duplex VRF

This section provides the following configuration examples:

Configuring the Upstream and Downstream VRFs on the PE Router and the Spoke PE Router: Example

Associating VRFs: Example

Configuring Half-Duplex VRF Support—Basic Configuration: Example

Configuring Hub-and-Spoke Routers with Half-Duplex VRFs: Example

Configuring the Upstream and Downstream VRFs on the PE Router and the Spoke PE Router: Example

The following example configures an upstream VRF named U:

Router> enable 
Router# configure terminal 
Router(config)# ip vrf U 
Router(config-vrf)# rd 1:0 
Router(config-vrf)# route-target import 1:0 

The following example configures a downstream VRF named D:

Router> enable
Router# configure terminal 
Router(config)# ip vrf D 
Router(config-vrf)# rd 1:8   
Router(config-vrf)# route-target export 1:100 

Associating VRFs: Example

The following example associates the VRF named U with the virtual-template 1 interface and specifies the downstream VRF named D:

Router> enable 
Router# configure terminal 
Router(config)# interface virtual-template 1 
Router(config-if)# ip vrf forwarding U downstream D
Router(config-if)# ip unnumbered Loopback1 

Configuring Half-Duplex VRF Support—Basic Configuration: Example

In this example, local authentication is used; that is, the RADIUS server is not used.

This example and the "Configuring Hub-and-Spoke Routers with Half-Duplex VRFs: Example" section use the hub-and-spoke topology shown in Figure 2.

Figure 2 Sample Topology for Half-Duplex Configuration

ip vrf D 
 rd 1:8 
 route-target export 1:100 
! 
ip vrf U 
 rd 1:0 
 route-target import 1:0 
! 
ip cef 
vpdn enable 
! 
vpdn-group U 
 accept-dialin 
  protocol pppoe 
  virtual-template 1 
! 
interface Loopback2 
 ip vrf forwarding U 
 ip address 2.0.0.8 255.255.255.255 
! 
interface ATM2/0
 description Mze ATM3/1/2
 no ip address
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 pvc 3/100
  protocol pppoe
 !
 pvc 3/101
  protocol pppoe
!
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2 
 peer default ip address pool U-pool 
 ppp authentication chap 

Configuring Hub-and-Spoke Routers with Half-Duplex VRFs: Example

The following example shows how to connect two Point-to-Point Protocol over Ethernet (PPPoE) clients to a single VRF pair on the spoke PE router named Lipno. Although both PPPoE clients are configured in the same VRF, all communication occurs using the hub PE router. Half-duplex VRFs are configured on the spoke PE. The client configuration is downloaded to the spoke PE from the RADIUS server.


Note: The wholesale provider can forward the user authentication request to the corresponding ISP. If the ISP authenticates the user, the wholesale provider appends the VRF information to the request that goes back to the PE router.


aaa new-model
!
aaa group server radius R
 server 22.0.20.26 auth-port 1812 acct-port 1813
!
aaa authentication ppp default group radius
aaa authorization network default group radius
!
ip vrf D
 description Downstream VRF - to spokes
 rd 1:8   
 route-target export 1:100
!
ip vrf U
 description Upstream VRF - to hub
 rd 1:0
 route-target import 1:0
!
ip cef    
vpdn enable
!         
vpdn-group U
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface Loopback2
 ip vrf forwarding U
 ip address 2.0.0.8 255.255.255.255
!
interface ATM2/0
 pvc 3/100
  protocol pppoe
 !
 pvc 3/101
  protocol pppoe
!
interface virtual-template 1
 no ip address
 ppp authentication chap
!
router bgp 1
 no synchronization
 neighbor 100.0.0.34 remote-as 1
 neighbor 100.0.0.34 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 100.0.0.34 activate
  neighbor 100.0.0.34 send-community extended
  auto-summary
  exit-address-family
 !
 address-family ipv4 vrf U
  no auto-summary
  no synchronization
  exit-address-family
 !
 address-family ipv4 vrf D
  redistribute static
  no auto-summary
  no synchronization
  exit-address-family
!
ip local pool U-pool 2.8.1.1 2.8.1.100
ip route vrf D 2.0.0.0 255.0.0.0 Null0
!
radius-server host 22.0.20.26 auth-port 1812 acct-port 1813
radius-server key cisco
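
Configurations like the two above can be checked offline against the restrictions and route-target requirements stated earlier in this document. The following Python audit is an added example, not Cisco tooling: for every interface that uses the downstream keyword, it verifies that the interface is a virtual template or virtual access interface, that it is unnumbered, that the upstream VRF has an import route target, and that the downstream VRF has an export route target. The sample configuration is constructed (VRF U2, Virtual-Template2, and Ethernet0 are hypothetical), as are the function names and finding codes.

```python
import re

VIRTUAL_PREFIXES = ("virtual-template", "virtual-access")

# Constructed sample: one compliant template and two deliberately wrong ones.
SAMPLE_CONFIG = """\
ip vrf D
 rd 1:8
 route-target export 1:100
!
ip vrf U
 rd 1:0
 route-target import 1:0
!
ip vrf U2
 rd 1:1
 route-target export 1:1
!
interface Loopback2
 ip vrf forwarding U
 ip address 2.0.0.8 255.255.255.255
!
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
!
interface Virtual-Template2
 ip vrf forwarding U2 downstream D2
 ip unnumbered Loopback2
!
interface Ethernet0
 ip vrf forwarding U downstream D
 ip address 10.0.0.1 255.255.255.252
"""


def parse_config(text):
    """Collect 'ip vrf' and 'interface' sections from IOS-style configuration."""
    vrfs, interfaces = {}, {}
    kind, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        cmd = line.strip()
        if not cmd or cmd == "!":
            continue
        if not line[0].isspace():            # a top-level line opens a new section
            kind, section = None, None
            m = re.match(r"ip vrf (\S+)$", cmd)
            if m:
                kind = "vrf"
                section = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
            m = re.match(r"interface\s+(\S+)(?:\s+(\S+))?$", cmd, re.I)
            if m:
                kind = "if"
                name = m.group(1) + (m.group(2) or "")
                section = interfaces.setdefault(
                    name, {"up": None, "down": None, "unnumbered": False, "address": False})
            continue
        if kind == "vrf":
            m = re.match(r"route-target (import|export|both) (\S+)$", cmd)
            if m:
                for direction in ("import", "export"):
                    if m.group(1) in (direction, "both"):
                        section[direction].add(m.group(2))
        elif kind == "if":
            m = re.match(r"ip vrf forwarding (\S+)(?: downstream (\S+))?$", cmd)
            if m:
                section["up"], section["down"] = m.group(1), m.group(2)
            elif cmd.startswith("ip unnumbered "):
                section["unnumbered"] = True
            elif cmd.startswith("ip address "):
                section["address"] = True
    return vrfs, interfaces


def audit_half_duplex(text):
    """Return [(interface, finding code), ...] for half-duplex VRF interfaces."""
    vrfs, interfaces = parse_config(text)
    findings = []
    for name, intf in interfaces.items():
        if intf["down"] is None:
            continue                          # no downstream keyword: not in scope
        if not name.lower().startswith(VIRTUAL_PREFIXES):
            findings.append((name, "not-a-virtual-interface"))
        if intf["address"] or not intf["unnumbered"]:
            findings.append((name, "not-unnumbered"))
        up, down = vrfs.get(intf["up"]), vrfs.get(intf["down"])
        if up is None:
            findings.append((name, "upstream-vrf-undefined"))
        elif not up["import"]:
            findings.append((name, "upstream-vrf-has-no-import"))
        if down is None:
            findings.append((name, "downstream-vrf-undefined"))
        elif not down["export"]:
            findings.append((name, "downstream-vrf-has-no-export"))
    return findings


if __name__ == "__main__":
    for name, code in audit_half_duplex(SAMPLE_CONFIG):
        print(f"{name}: {code}")
```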

Additional References

The following sections provide references related to MPLS VPN Half-Duplex VRF.

Related Documents

Related Topic                    Document Title
MPLS Virtual Private Networks    Cisco IOS Switching Services Configuration Guide, Release 12.3
                                 Cisco IOS Switching Services Command Reference, Release 12.3
Virtual access interfaces        Cisco IOS Dial Solutions Configuration Guide, Release 12.3
                                 Cisco IOS Dial Solutions Command Reference, Release 12.3
Virtual template interfaces      Cisco IOS Dial Solutions Configuration Guide, Release 12.3
                                 Cisco IOS Dial Solutions Command Reference, Release 12.3


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs        Title
RFC 2547    BGP/MPLS VPNs


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section describes the following modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3T command reference publications.

ip vrf forwarding (interface configuration)

show ip interface

show ip vrf

ip vrf forwarding (interface configuration)

To associate a Virtual Private Network (VPN) routing/forwarding instance (VRF) with an interface or subinterface, use the ip vrf forwarding command in interface configuration mode. To disassociate a VRF, use the no form of this command.

ip vrf forwarding vrf-name [downstream vrf-name2]

no ip vrf forwarding vrf-name [downstream vrf-name2]

Syntax Description

vrf-name

Associates the interface with the specified VRF.

downstream

Enables Half Duplex VRF (HDVRF) functionality on the interface and associates the interface with the downstream VRF.

vrf-name2

Associates the interface with the specified downstream VRF.


Defaults

The default for an interface is the global routing table.

Command Modes

Interface configuration

Command History

Release     Modification
12.0(5)T    This command was introduced.
12.3(6)     This command was updated with the downstream keyword to support MPLS VPN Half-Duplex VRFs.


Usage Guidelines

Use this command to associate an interface with a VRF. Executing this command on an interface removes the IP address. The IP address should be reconfigured.

The downstream keyword is available on supported platforms with virtual interfaces.

The downstream keyword associates the interfaces with a downstream VRF, which enables Half Duplex VRF functionality on the interface. Some functions operate in the upstream VRF, while others operate in the downstream VRFs. The following functions operate in the downstream VRFs:

Point-to-Point Protocol (PPP) peer routes are installed in the downstream VRF.

Authentication, Authorization, and Accounting (AAA) per-user routes are installed in the downstream VRF.

A Reverse Path Forwarding (RPF) check is performed in the downstream VRF.

Examples

The following example shows how to link a VRF to ATM interface 0/0:

Router(config)# interface atm0/0
Router(config-if)# ip vrf forwarding vpn1

The following example associates the VRF named U with the virtual-template 1 interface and specifies the downstream VRF named D:

Router> enable 
Router# configure terminal 
Router(config)# interface virtual-template 1 
Router(config-if)# ip vrf forwarding U downstream D
Router(config-if)# ip unnumbered Loopback1 

Related Commands

Command         Description
ip route vrf    Establishes static routes for a VRF.
ip vrf          Configures a VRF routing table.


show ip interface

To display the usability status of interfaces configured for IP, use the show ip interface command in privileged EXEC mode.

show ip interface [type number] [brief]

Syntax Description

type

(Optional) Interface type.

number

(Optional) Interface number.

brief

(Optional) Displays a summary of the usability status information for each interface.


Command Modes

Privileged EXEC

Command History

Release      Modification
10.0         This command was introduced.
12.0(3)T     This command was expanded to include the status of ip wccp redirect out and ip wccp redirect exclude add in commands.
12.2(14)S    This command was expanded to display the status of NetFlow on a subinterface.
12.2(15)T    The command output enhancements introduced in Cisco IOS Release 12.2(14)S were integrated into Cisco IOS Release 12.2(15)T.
12.3(6)      The command output was modified to identify the downstream VRF in the output.


Usage Guidelines

The Cisco IOS software automatically enters a directly connected route in the routing table if the interface is usable. A usable interface can send and receive packets. If an interface is not usable, the directly connected routing entry is removed from the routing table. Removing the entry allows the software to use dynamic routing protocols to determine backup routes to the network, if any.

If the interface can provide two-way communication, the line protocol is marked "up." If the interface hardware is usable, the interface is marked "up."

If you specify an optional interface type, you see information for that specific interface.

If you specify no optional arguments, you see information on all the interfaces.

When an asynchronous interface is encapsulated with PPP or Serial Line Internet Protocol (SLIP), IP fast switching is enabled. A show ip interface command on an asynchronous interface encapsulated with PPP or SLIP displays a message indicating that IP fast switching is enabled.

Examples

The following example identifies a downstream VRF. The line Downstream VPN Routing/Forwarding "D" in the output identifies the downstream VRF.

Router# show ip interface vi 3

Virtual-Access3 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback2 (2.0.0.8)
  Broadcast address is 255.255.255.255
  Peer address is 2.8.1.1
  MTU is 1492 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP VPN CEF switching turbo vector
  VPN Routing/Forwarding "U"
  Downstream VPN Routing/Forwarding "D" 
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled 

Table 1 describes the significant fields shown in the display.

Table 1 show ip interface Field Descriptions 

Field
Description

Virtual-Access3 is up

If the interface hardware is usable, the interface is marked "up." For an interface to be usable, both the interface hardware and line protocol must be up.

Broadcast address is

Displays the broadcast address.

Peer address is

Displays the peer address.

MTU is

Displays the MTU value set on the interface.

Helper address

Displays a helper address, if one has been set.

Directed broadcast forwarding

Indicates whether directed broadcast forwarding is enabled.

Outgoing access list

Indicates whether the interface has an outgoing access list set.

Inbound access list

Indicates whether the interface has an incoming access list set.

Proxy ARP

Indicates whether Proxy Address Resolution Protocol (ARP) is enabled for the interface.

Security level

Specifies the IP Security Option (IPSO) security level set for this interface.

Split horizon

Indicates that split horizon is enabled.

ICMP redirects

Specifies whether redirect messages will be sent on this interface.

ICMP unreachables

Specifies whether unreachable messages will be sent on this interface.

ICMP mask replies

Specifies whether mask replies will be sent on this interface.

IP fast switching

Specifies whether fast switching has been enabled for this interface. It is generally enabled on serial interfaces, such as this one.

IP Flow switching

Specifies whether Flow switching is enabled for this interface.

IP CEF switching

Specifies whether Cisco Express Forwarding (CEF) is enabled for the interface.

Downstream VPN Routing/Forwarding "D"

Specifies the VRF where the PPP peer routes and AAA per-user routes are being installed.

IP multicast fast switching

Specifies whether multicast fast switching is enabled for the interface.

IP route-cache flags are Fast, Flow init, CEF, Ingress Flow

Specifies whether NetFlow has been enabled on an interface. Displays "Flow init" to specify that NetFlow is enabled on the interface. Displays "Ingress Flow" to specify that NetFlow is enabled on a subinterface using the ip flow ingress command. Specifies "Flow" to specify that NetFlow is enabled on a main interface using the ip route-cache flow command.

Router Discovery

Specifies whether the discovery process has been enabled for this interface. It is generally disabled on serial interfaces.

IP output packet accounting

Specifies whether IP accounting is enabled for this interface and what the threshold (maximum number of entries) is.

TCP/IP header compression

Indicates whether compression is enabled or disabled.

WCCP Redirect outbound is disabled

Indicates the status of whether packets received on an interface are redirected to a cache engine. Displays "enabled" or "disabled."

WCCP Redirect exclude is disabled

Indicates the status of whether packets targeted for an interface will be excluded from being redirected to a cache engine. Displays "enabled" or "disabled."


The following is sample output from the show ip interface brief command:

Router# show ip interface brief

Interface     IP-Address     OK?  Method  Status                  Protocol
Ethernet0     151.108.0.5    YES  NVRAM   up                      up      
Ethernet1     unassigned     YES  unset   administratively down   down    
Loopback0     152.108.20.5   YES  NVRAM   up                      up      
Serial0       162.108.10.5   YES  NVRAM   up                      up      
Serial1       162.108.4.5    YES  NVRAM   up                      up      
Serial2       152.108.10.5   YES  manual  up                      up      
Serial3       unassigned     YES  unset   administratively down   down 

The method field has the following possible values:

RARP or SLARP—Reverse Address Resolution Protocol (RARP) or Serial Line Address Resolution Protocol (SLARP) request

BOOTP—Bootstrap protocol

TFTP—Configuration file obtained from Trivial File Transfer Protocol (TFTP) server

manual—Manually changed by CLI command

NVRAM—Configuration file in nonvolatile RAM (NVRAM)

IPCP—ip address negotiated command

DHCP—ip address dhcp command

unassigned—No IP address

unset—Unset

other—Unknown

show ip vrf

To display the set of defined Virtual Private Network (VPN) routing/forwarding instances (VRFs) and associated interfaces, use the show ip vrf command in privileged EXEC mode.

show ip vrf [brief | detail | interfaces | id] [vrf-name] [output-modifiers]

Syntax Description

brief

(Optional) Displays concise information on the VRFs and associated interfaces.

detail

(Optional) Displays detailed information on the VRFs and associated interfaces.

interfaces

(Optional) Displays detailed information about all interfaces bound to a particular VRF or any VRF.

id

(Optional) Displays the VPN IDs that are configured in a PE router for different VPNs.

vrf-name

(Optional) Name assigned to a VRF.

output-modifiers

(Optional) For a list of associated keywords and arguments, use context-sensitive help.


Defaults

When no keywords or arguments are specified, the command shows concise information about all configured VRFs.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.0(17)ST

This command was modified to include the id keyword, and VPN ID information was added to the output of the show ip vrf detail command.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.3(6)

This command was integrated into Cisco IOS Release 12.3(6). The command shows the downstream VRF for each associated VAI.


Usage Guidelines

Use this command to display information about VRFs. Two levels of detail are available:

The brief keyword (or no keyword) displays concise information.

The detail keyword displays all information.

To display information about all interfaces bound to a particular VRF, or to any VRF, use the interfaces keyword. To display information about VPN IDs assigned to a PE router, use the id keyword.

Examples

The following example displays information about all the VRFs configured on the router, including the downstream VRF for each associated VAI. The interface lines marked [D] indicate the downstream VRF.

Router# show ip vrf 

  Name   Default RD   Interface
  D      2:0          Loopback2
                      Virtual-Access3 [D] 
                      Virtual-Access4 [D] 
  U      2:1          Virtual-Access3
                      Virtual-Access4

Table 2 describes the significant fields shown in the display.

Table 2 show ip vrf Field Descriptions 

Field
Description

Name

Specifies the VRF name.

Default RD

Specifies the default route distinguisher.

Interface

Specifies the network interfaces.
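The show ip vrf output above can be checked mechanically when auditing a half-duplex configuration. The following Python sketch is an added example, not Cisco code: it parses that output and lists each VAI with the VRF it is bound to (unmarked entry, treated here as upstream) and the VRF marked [D] (downstream). The sample text is constructed from the output on this page with one extra interface, Virtual-Access5, and the assumption that every VAI should have a downstream VRF is the auditor's, not the router's.

```python
# Constructed sample: the `show ip vrf` output shown on this page, plus one
# extra VAI (Virtual-Access5) that has no downstream association.
SAMPLE = """\
Router# show ip vrf
  Name   Default RD   Interface
  D      2:0          Loopback2
                      Virtual-Access3 [D]
                      Virtual-Access4 [D]
  U      2:1          Virtual-Access3
                      Virtual-Access4
                      Virtual-Access5
"""

def parse_show_ip_vrf(text):
    """Return {vrf_name: {"rd": str, "interfaces": [(ifname, is_downstream)]}}."""
    vrfs, current = {}, None
    for line in text.splitlines():
        line = line.replace("<not set>", "<not-set>").strip()
        if not line or "#" in line or line.startswith("Name "):
            continue  # blank line, CLI prompt, or column header
        tokens = line.split()
        downstream = tokens[-1] == "[D]"
        tokens = tokens[:-1] if downstream else tokens
        if len(tokens) >= 2:  # "name rd [interface]" starts a new VRF entry
            current = vrfs.setdefault(tokens[0], {"rd": tokens[1], "interfaces": []})
            tokens = tokens[2:]
        if tokens and current is not None:
            current["interfaces"].append((tokens[0], downstream))
    return vrfs

def vai_bindings(vrfs):
    """Map each Virtual-Access interface to its upstream and downstream VRF."""
    bindings = {}
    for name, vrf in vrfs.items():
        for ifname, downstream in vrf["interfaces"]:
            if ifname.startswith("Virtual-Access"):
                role = "downstream" if downstream else "upstream"
                entry = bindings.setdefault(ifname, {"upstream": None, "downstream": None})
                entry[role] = name
    return bindings

def missing_downstream(bindings):
    """VAIs that forward in a VRF but are not marked [D] under any VRF."""
    return sorted(i for i, b in bindings.items() if b["upstream"] and not b["downstream"])

if __name__ == "__main__":
    bindings = vai_bindings(parse_show_ip_vrf(SAMPLE))
    print(bindings)
    print("VAIs without a downstream VRF:", missing_downstream(bindings))
```

The parser assumes VRF and interface names contain no spaces, as in the sample output on this page.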


The following example displays detailed information about all of the VRFs configured on the router, including all of the VAIs associated with each VRF:

Router# show ip vrf detail 

VRF D; default RD 2:0; default VPNID <not set>
  Interfaces:
         Loopback2           Virtual-Access3 [D]  Virtual-Access4 [D]
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:2:0                 
  Import VPN route-target communities
    RT:2:1                 
  No import route-map
  No export route-map
VRF U; default RD 2:1; default VPNID <not set>
  Interfaces:
    Virtual-Access3          Virtual-Access4         
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  Import VPN route-target communities
    RT:2:1                 
  No import route-map
  No export route-map

Table 3 describes the significant fields shown in the display.

Table 3 show ip vrf detail Field Descriptions 

Field
Description

VPNID

Specifies the VPN ID assigned to the VRF.

Interfaces

Specifies the network interfaces.

Virtual-Accessn [D]

Specifies the downstream VRF.

Export

Specifies VPN route-target export communities.

Import

Specifies VPN route-target import communities.


The following example shows the interfaces bound to any VRF (no VRF name is specified):

Router# show ip vrf interfaces

Interface       IP-Address      VRF                       Protocol
Ethernet2       130.22.0.33     blue_vrf                  up      
Ethernet4       130.77.0.33     hub                       up      
Router#

Table 4 describes the significant fields shown in the display.

Table 4 show ip vrf interfaces Field Descriptions 

Field
Description

Interface

Specifies the network interfaces for a VRF.

IP-Address

Specifies the IP address of a VRF interface.

VRF

Specifies the VRF name.

Protocol

Displays the state of the protocol (up or down) for each VRF interface.


The following is sample output that shows all the VPN IDs that are configured in the router and their associated VRF names and VRF route distinguishers (RDs):

Router# show ip vrf id
VPN Id          Name                             RD
2:3             vpn2                             <not set>
A1:3F6C         vpn1                             100:1

Table 5 describes the significant fields shown in the display.

Table 5 show ip vrf id Field Descriptions 

Field
Description

VPN ID

Specifies the VPN ID assigned to the VRF.

Name

Specifies the VRF name.

RD

Specifies the route distinguisher.


Related Commands

Command
Description

import map

Configures an import route map for a VRF.

ip vrf

Configures a VRF routing table.

ip vrf forwarding (interface configuration)

Associates a VRF with an interface or subinterface.

rd

Creates routing and forwarding tables for a VRF.

route-target

Creates a route-target extended community for a VRF.

vpn id

Assigns a VPN ID to a VRF.


Glossary

BGP—Border Gateway Protocol. An interdomain routing protocol that replaces Exterior Gateway Protocol (EGP). BGP exchanges reachability information with other BGP systems. It is defined by RFC 1163.

CE router—customer edge router. A router that is part of a customer network and that interfaces to a provider edge (PE) router.

hub—The center of a star-topology network. A hub is a hardware or software device that contains multiple independent but connected modules of network and internetwork equipment. Hubs can be active (where they repeat signals sent through them) or passive (where they do not repeat, but merely split, signals sent through them).

MPLS—Multiprotocol Label Switching. A packet-forwarding technology, used in the network core, that applies data link layer labels to tell switching nodes how to forward data, resulting in faster and more scalable forwarding than network layer routing normally can do.

PE router—provider edge router. A router at the edge of a service provider network that interfaces to customer edge (CE) routers.

PPPoE—Point-to-Point Protocol over Ethernet. A protocol that provides the ability to connect a network of hosts over a simple bridging access device to a remote access concentrator or aggregation concentrator. Each host uses its own PPP stack, thus presenting the user with familiar user interfaces.

router—A network layer device that uses one or more metrics to determine the optimal path along which network traffic should be forwarded. Routers forward packets from one network to another based on network layer information.

static route—A route that is explicitly configured and entered into the routing table. Static routes take precedence over routes chosen by dynamic routing protocols.

VAI—virtual access interface. An instance of a unique virtual interface that is created dynamically and exists temporarily. Virtual access interfaces can be created and configured differently by different applications, such as virtual profiles and virtual private dialup networks. Virtual access interfaces are cloned from virtual template interfaces.

VPN—Virtual Private Network. A communication network that enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level.

VRF—A VPN routing/forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.

VTI—virtual template interface. A logical interface configured with generic configuration information for a specific purpose or configuration common to specific users, plus router-dependent information. The template takes the form of a list of Cisco IOS interface commands that are applied to virtual access interfaces, as needed.


Note: Refer to Internetworking Terms and Acronyms for terms not included in this glossary.