RE: VRF membership (off topic)

From: Max Bozeman (maxbozeman@excite.com)
Date: Thu Sep 07 2006 - 00:06:58 ART


Jens,

Kind of a complex topic to cover in an email, but here goes. This example does not include a default VRF. Basically, anything not defined in a particular VRF is in the default VRF. If you use the default VRF for TACACS, the configuration should be the same as you would normally do (just make sure your source interface is in the default VRF). This example uses 2 VRFs. 1STVRF - uses EIGRP and is the VLAN for TACACS authentication. 2NDVRF - uses static routes. Both VRFs have one FastEthernet interface and one frame-relay subinterface associated with them.

aaa group server tacacs+ 1STVRFAUTH
 server-private 10.1.1.20 key 0 g0t2LUVdaLAB
 server-private 10.1.2.20 key 0 g0t2LUVdaLAB
 ip vrf forwarding 1STVRF
 ip tacacs source-interface Loopback0
!
enable secret 0 g0t2LUVdaLAB
!
username VRFPERSON password 0 g0t2LUVdaLAB
!
aaa authentication login default group 1STVRFAUTH local
aaa authentication enable default group 1STVRFAUTH enable
aaa authorization exec default group 1STVRFAUTH local
aaa accounting exec default start-stop group 1STVRFAUTH
!
ip vrf 1STVRF
 rd 10:1
!
ip vrf 2NDVRF
 rd 192:1
!
interface Loopback0
 ip vrf forwarding 1STVRF
 ip address 10.1.15.1 255.255.255.255
!
interface Loopback1
 ip vrf forwarding 2NDVRF
 ip address 191.168.15.1 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding 1STVRF
 ip address 10.1.5.1 255.255.255.0
!
interface FastEthernet0/1
 ip vrf forwarding 2NDVRF
 ip address 191.168.5.1 255.255.255.0
!
interface Serial0/1/0
 description Frame connection
 bandwidth 1536
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/1/0.1 point-to-point
 bandwidth 1536
 ip vrf forwarding 1STVRF
 ip address 10.1.14.3 255.255.255.254
 frame-relay interface-dlci 1
!
interface Serial0/1/0.2 point-to-point
 bandwidth 1536
 ip vrf forwarding 2NDVRF
 ip address 192.168.14.3 255.255.255.254
 frame-relay interface-dlci 3
!
router eigrp 1
 passive-interface FastEthernet0/0
 no auto-summary
 !
 address-family ipv4 vrf 1STVRF
 network 10.1.0.0 0.0.15.255
 no auto-summary
 autonomous-system 1
 exit-address-family
!
ip classless
ip route vrf 2NDVRF 0.0.0.0 0.0.0.0 Serial0/1/0.2

I should point out that almost all (if not all) of your basic troubleshooting commands change with VRFs. Examples:

ping vrf 1STVRF 10.1.1.20
traceroute vrf 2NDVRF 192.168.1.10
sh ip route vrf 1STVRF
telnet 191.168.5.2 /vrf 2NDVRF
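An added configuration check, not from the post or the list, for the constraint Max's example relies on: each TACACS+ server group's `ip tacacs source-interface` must sit in the same VRF as the group's own `ip vrf forwarding` (no `ip vrf forwarding` on either side means the default VRF). The sample config is constructed from the stanzas above with a second, hypothetical group deliberately pointed at an interface in the wrong VRF, and the shared keys replaced with a placeholder.

```python
import re

# Constructed sample based on the stanzas in the post; the second server group
# (hypothetical) names a source interface that lives in a different VRF.
SAMPLE = """\
aaa group server tacacs+ 1STVRFAUTH
 server-private 10.1.1.20 key 0 REDACTED
 ip vrf forwarding 1STVRF
 ip tacacs source-interface Loopback0
aaa group server tacacs+ 2NDVRFAUTH
 server-private 192.168.1.20 key 0 REDACTED
 ip vrf forwarding 2NDVRF
 ip tacacs source-interface Loopback0
interface Loopback0
 ip vrf forwarding 1STVRF
 ip address 10.1.15.1 255.255.255.255
"""

VRF_RE = re.compile(r"ip vrf forwarding (\S+)")
SRC_RE = re.compile(r"ip tacacs source-interface (\S+)")

def check_tacacs_vrf(config):
    """Return (group, source_if, if_vrf, group_vrf) for each TACACS+ server group
    whose source interface is not in the group's VRF ('' means the default VRF)."""
    if_vrf, groups, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):               # unindented line starts a new stanza
            current = None
            if line.startswith("interface "):
                current = ("if", line.split(None, 1)[1])
                if_vrf[current[1]] = ""
            elif line.startswith("aaa group server tacacs+ "):
                current = ("grp", line.split()[-1])
                groups[current[1]] = {"vrf": "", "src": None}
            continue
        m = VRF_RE.match(line)
        if m and current and current[0] == "if":
            if_vrf[current[1]] = m.group(1)
        elif m and current:
            groups[current[1]]["vrf"] = m.group(1)
        m = SRC_RE.match(line)
        if m and current and current[0] == "grp":
            groups[current[1]]["src"] = m.group(1)
    findings = []
    for name, g in groups.items():                # groups with no explicit source let IOS pick one
        actual = if_vrf.get(g["src"], "<undefined>")
        if g["src"] is not None and actual != g["vrf"]:
            findings.append((name, g["src"], actual, g["vrf"]))
    return findings
```

Running `check_tacacs_vrf(SAMPLE)` flags only 2NDVRFAUTH, whose Loopback0 source is in 1STVRF; a source interface that does not exist in the config is reported as `<undefined>`.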

 --- On Tue 09/05, Jens Petter < jenseike@start.no > wrote:
From: Jens Petter [mailto: jenseike@start.no]
To: ccielab@groupstudy.com
Date: Wed, 6 Sep 2006 04:58:50 +0200
Subject: VRF membership (off topic)

Hi group...

We have several customers with CPE devices that are connected via L2TP tunnels, coming in on virtual-access interfaces on the LNS router.

Several of the customers need to be put in a closed network somehow, and therefore I am looking for a solution where I am able to have the CPE devices, via RADIUS (CPE devices get authenticated and get IP addresses from RADIUS), ask for membership in VRFs. Don't use MPLS.

Anybody that can help me with how I would need to do this? First, what do I need to do on the router, and how do I configure the RADIUS attributes? This is kind of unfamiliar territory for me, therefore I need your guys' help. I tried to read from CCO about this, but was unable to find anything. Not easy when you don't know what to look for.

So, please, if anybody could share some of their knowledge about this, that would be nice..

Thanks

Jens Petter



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART