Configuring the VRF-Aware Service Infrastructure
First Published: April 23, 2010
Last Updated: November 24, 2010
This module describes how to configure the VRF-Aware Service Infrastructure feature. VRF-Aware Service Infrastructure (VASI) allows you to apply services such as firewall and Network Address Translation (NAT) to traffic flowing across two different Virtual Routing and Forwarding (VRF) instances.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring VRF-Aware Service Infrastructure" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Information About Configuring the VRF-Aware Service Infrastructure
•How to Configure VASI
•Configuration Examples for VASI
•Additional References
•Feature Information for Configuring VRF-Aware Service Infrastructure
Information About Configuring the VRF-Aware Service Infrastructure
•VASI Interfaces
VASI Interfaces
VASI is implemented using virtual interfaces that provide the framework necessary to configure a firewall and NAT between VRF instances. Each interface pair is associated with two different VRF instances. The two virtual interfaces, called vasileft and vasiright, in a pair are logically wired back-to-back and are completely symmetrical. Each interface has an index. The association of the pairing is done automatically based on the two interface indexes such that vasileft automatically gets paired to vasiright. Routing can be configured either with static routing or with Border Gateway Protocol (BGP) dynamic routing. BGP dynamic routing protocol restrictions and configuration are valid for BGP routing configuration between VASI interfaces.
How to Configure VASI
This section contains the following task:
•Configuring the VASI Interface (required)
Configuring the VASI Interface
VASI must be enabled for each interface of the VASI pair (vasileft and vasiright). You can configure VRF on any of the VASI interfaces. Perform the following task to configure the VASI interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface vasileft number
4. vrf forwarding table-name [downstream table-name]
5. ip address {ip-address mask [secondary] | pool pool-name}
6. exit
7. interface vasiright number
8. vrf forwarding table-name [downstream table-name]
9. ip address {ip-address mask [secondary] | pool pool-name}
10. exit
11. ip route [vrf vrf-name] destination-prefix destination-prefix-mask {vasileft | vasiright} number
12. end
DETAILED STEPS

Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
•Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface vasileft number
Example: Router(config)# interface vasileft 200
Purpose: Configures the vasileft interface and enters interface configuration mode.
•number: vasileft interface number. Range is from 1 to 500.

Step 4
Command or Action: vrf forwarding table-name [downstream table-name]
Example: Router(config-if)# vrf forwarding t1
Purpose: Configures the VRF table.
Note: You can configure vrf forwarding on any of the VASI interfaces. It is not mandatory to configure VRF instances on both VASI interfaces.

Step 5
Command or Action: ip address {ip-address mask [secondary] | pool pool-name}
Example: Router(config-if)# ip address 192.168.0.0 255.255.255.224
Purpose: Configures a primary or secondary IP address for an interface.

Step 6
Command or Action: exit
Example: Router(config-if)# exit
Purpose: Exits interface configuration mode.

Step 7
Command or Action: interface vasiright number
Example: Router(config)# interface vasiright 200
Purpose: Configures the vasiright interface and enters interface configuration mode.
•number: vasiright interface number. Range is from 1 to 500.

Step 8
Command or Action: vrf forwarding table-name [downstream table-name]
Example: Router(config-if)# vrf forwarding t1
Purpose: Configures the VRF table.

Step 9
Command or Action: ip address {ip-address mask [secondary] | pool pool-name}
Example: Router(config-if)# ip address 192.168.0.0 255.255.255.224
Purpose: Configures a primary or secondary IP address for an interface.

Step 10
Command or Action: exit
Example: Router(config-if)# exit
Purpose: Exits interface configuration mode.

Step 11
Command or Action: ip route [vrf vrf-name] destination-prefix destination-prefix-mask {vasileft | vasiright} number
Example: Router(config)# ip route vrf t1 192.167.0.0 255.255.255.224 vasileft 1
Purpose: Establishes static routes for a VRF instance and VASI interface.
Note: If you want to add any IP route for a VRF instance, then you must specify the vrf keyword.

Step 12
Command or Action: end
Example: Router(config)# end
Purpose: Exits global configuration mode.

Configuration Examples for VASI
•Example: Configuring VASI Interface:
Example: Configuring VASI Interface:
The following example shows how to configure the VASI interface. VASI must be enabled for each interface of the VASI pair (vasileft and vasiright). You can configure VRF on any of the VASI interfaces. See the "Configuring the VASI Interface" section for configuration information.
Router(config)# interface vasileft 1
Router(config-if)# vrf forwarding t1
Router(config-if)# ip address 10.0.0.10 255.255.255.0
Router(config-if)# exit
Router(config)# ip route vrf t1 10.0.0.20 255.255.255.0 vasileft 1
Router(config)# interface vasiright 1
Router(config-if)# ip address 10.0.0.30 255.255.255.0
Router(config-if)# exit
Router(config)# ip route 10.0.0.40 255.255.255.0 vasiright 1
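Because a VASI pair is the only path between two routing tables, a half-configured or mis-paired interface can leave inter-VRF traffic bypassing the firewall or NAT you meant to apply. The script below is an added example, not Cisco code: it audits saved configuration text for the pairing rules described in this module (index range 1 to 500, vasileft N paired with vasiright N, the two sides in different routing tables, static routes naming a configured VASI interface). The function name audit_vasi and the sample configuration are constructed for illustration.

```python
import re

VASI_RE = re.compile(r"^interface\s+(vasileft|vasiright)\s*(\d+)\s*$", re.I)
VRF_RE = re.compile(r"^\s+(?:ip\s+)?vrf forwarding\s+(\S+)", re.I)
ROUTE_RE = re.compile(r"^ip route\s+(?:vrf\s+\S+\s+)?\S+\s+\S+\s+(vasileft|vasiright)\s*(\d+)", re.I)

# Constructed sample in saved-config layout (sub-commands indented), not from a real device.
SAMPLE = """\
interface vasileft1
 vrf forwarding t1
interface vasiright1
interface vasileft2
 vrf forwarding t1
interface vasiright2
 vrf forwarding t1
interface vasileft3
 vrf forwarding t2
ip route vrf t1 10.0.0.20 255.255.255.0 vasileft1
ip route 10.0.0.40 255.255.255.0 vasiright7
"""

def audit_vasi(config):
    """Return a list of findings about VASI pairing in IOS XE config text."""
    vrf, routes, current = {}, [], None   # vrf: (side, index) -> VRF name or None (global)
    for line in config.splitlines():
        if not line.startswith(" "):      # any top-level line closes the interface block
            current = None
        if m := VASI_RE.match(line):
            current = (m.group(1).lower(), int(m.group(2)))
            vrf[current] = None
        elif current and (m := VRF_RE.match(line)):
            vrf[current] = m.group(1)
        elif m := ROUTE_RE.match(line):
            routes.append((m.group(1).lower(), int(m.group(2))))
    findings = []
    for side, idx in sorted(vrf):
        peer = ("vasiright" if side == "vasileft" else "vasileft", idx)
        if not 1 <= idx <= 500:
            findings.append(f"{side}{idx}: index outside 1-500")
        if peer not in vrf:
            findings.append(f"{side}{idx}: peer {peer[0]}{idx} not configured")
        elif side == "vasileft" and vrf[side, idx] == vrf[peer]:
            findings.append(f"vasileft{idx}/vasiright{idx}: both sides in table {vrf[peer] or 'global'}")
    findings += [f"static route names unconfigured {s}{i}" for s, i in routes if (s, i) not in vrf]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vasi(SAMPLE)))
```

An empty result means every VASI interface found has a peer with the same index in a different routing table and every VASI static route resolves to a configured interface.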
Additional References
Related Documents
Related Topic | Document Title
Security commands | Cisco IOS Security Command Reference
Zone-based Policy Firewall feature | Zone-based Policy Firewall
IP Routing: BGP | Cisco IOS XE IP Routing: BGP Configuration Guide
Configuring NAT for IP Address Conservation feature | Configuring NAT for IP Address Conservation
VRF Aware Cisco IOS Firewall feature | VRF Aware Cisco IOS Firewall
Implementing EIGRP for IPv6 | Implementing EIGRP for IPv6
Implementing OSPF for IPv6 | Implementing OSPF for IPv6
Standards
Standard | Title
No new or modified standards are supported by this release. | —
MIBs
MIB | MIBs Link
None | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
Feature Information for Configuring VRF-Aware Service Infrastructure
Table 1 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Configuring the VRF-Aware Service Infrastructure

Feature Name: Configuring VRF-Aware Service Infrastructure
Releases: Cisco IOS XE Release 2.6
Feature Information: VASI allows you to apply services such as firewall, NAT, and IPsec to traffic flowing across different VRF instances. VASI is implemented using virtual interfaces that provide the framework necessary to configure a firewall and NAT between VRF instances.
The following sections provide information about this feature:
•VASI Interfaces
•Configuring the VASI Interface

Feature Name: VASI (VRF-Aware Software Infrastructure) Enhancements Phase I
Releases: Cisco IOS XE Release 3.1S
Feature Information: This feature provides the following enhancements to VASI:
•Support for 500 VASI interfaces.
•Support for BGP dynamic routing between VASI interfaces.

Feature Name: VASI (VRF Aware Software Infrastructure) Enhancements Phase II
Releases: Cisco IOS XE Release 3.2S
Feature Information: This feature provides the following enhancements to VASI:
•Support for IPv6 unicast traffic over VASI interfaces.
•Support for OSPF and EIGRP dynamic routing between VASI interfaces.

© 2010 Cisco Systems, Inc. All rights reserved.