Does ip vrf require MPLS

You don't but you need to make sure that your image supports OSPF routing in VRFs. (There are images that support only BGP and static, BGP, OSPF and static, and BGP, OSPF, EIGRP and static) I have setup vrf's for a similar purpose, routing on a DMZ switch so groups of VLANs could have their own routing instance. I could find no examples of VRFs without MPLS, but its actually very simple. I think the reason that Cisco doesn't have any documentation for this because it is so simple. It is, but I still spent about 4 hours researching it, and then configured it in our test lab because I couldn't believe that this was all there was too it.

ip vrf rd :1 ! can be anything, it is really only used with MPLS, but should be an IP in the VRF, and there is a ":1" (colon one) after it. The number can be anything, but I just used one.

interface ip vrf forwarding ! Do this on each routed interface in the VRF

You will need to create a separate OSPF routing process for the VRF. I don't know the commands for assigning the process to the VRF instance, but you can look that up in the documentation.

Hi Robert

A few years ago i did it as follows:

!the config is used on a c3550 with enhanced image and looks like this: ! ! ----vl100---- ----vlan200----- ----vlan300---- ! | | | ! | ---vlan201--- | | ! | | | | ! global | | | ! routing table vrf for vrf for ! | customer 1 customer 2 ! | | | ! | | | ! vlan10 vlan20 vlan30 ! | | | ! v v v ! to core to core to core ! ! ! !----lets start! ip subnet-zero ip routing ! !-----lets create the vrf-environment first---------- ip vrf custom1 rd 20:20 route-target export 20:20 route-target import 20:20 ! ip vrf custom2 rd 30:30 route-target export 30:30 route-target import 30:30 ! ! !----then set up a few vlans for transport towards the core and !----local purpose !----start first with the vlans for managing your devices !----vlan 10 is used towards the core, this net transports netmgt !----traffic as ssh/telnet, snmp, syslog vlan 10 name netmgmt ! !vlan 100 is the local vlan for netmgmt traffic vlan 100 name netmgmt-local ! ! !----then start with your customervlans !----vlan 20 connects to the core and transports all traffic for !----customer 1 vlan 20 name custom1 ! !vlan 200 is the 1st local vlan for for customer 1 vlan 200 name custom1-local-1 ! !vlan 201 is the 2nd local vlan for for customer 1 vlan 201 name custom1-local-2 ! ! !----then add some vlans for a 2nd customer !----vlan 30 ist the towards the core an holds all traffic for !----customer 2 vlan 30 name custom2 ! !---- next create the vlans for your customers !----vlan 300 is the 1st local vlan for for customer 2 vlan 300 name custom2-local-1 ! ! !----now add some loopback i/f. they will be used for routing purposes !----and others !----lo1 is used to terminate ssh/telnet or as source for snmp, syslog interface Loopback1 ip address 10.1.1.1 255.255.255.255 ! ! lo2 is used to address the vrf for customer 1 interface Loopback2 ip vrf forwarding custom1 ip address 10.2.1.1 255.255.255.255 ! ! lo3 is used to address the vrf for customer 2 interface Loopback3 ip vrf forwarding custom2 ip address 10.3.3.1 255.255.255.255 ! ! !----now set up the layer-3 !----vlan1 not used interface Vlan1 no ip address shutdown ! interface Vlan10 description netmgmt-to-core ip address 10.10.1.1 255.255.255.0 ! interface Vlan20 description custom1-to-core ip vrf forwarding custom1 ip address 10.20.1.1 255.255.255.0 ! interface Vlan30 description custom2-to-core ip vrf forwarding custom2 ip address 10.30.1.1 255.255.255.0 ! ! !----then add the local vlans !----vlan100 is used only if you need to have the netmgt-vlan on !----other switches !----you'll notice that vlan 10 & 100 is NOT connected to a vrf. !----see at the end for a reason interface Vlan100 description netmgt-to-local ip address 10.10.11.1 255.255.255.0 ! ! !----vlan200 is the 1st local customer vlan interface Vlan200 description custom1-local-1 ip vrf forwarding custom1 ip address 150.50.5.1 255.255.255.0 ! ! !----vlan201 is the 2nd local customer vlan interface Vlan201 description custom1-local-2 ip vrf forwarding custom1 ip address 150.50.6.1 255.255.255.0 ! ! !----vlan300 is the 1st local customer vlan for customer 2 interface Vlan300 description custom2-local-1 ip vrf forwarding custom2 ip address 130.30.3.1 255.255.255.0 ! ! ! !----you have to route these networks in the global routing table router ospf 10 network 10.10.1.0 0.0.0.255 area 0 ! this is vlan10 network 10.10.11.0 0.0.0.255 area 0 ! this is vlan100 network 10.1.1.1 0.0.0.0 area 0 ! this is lo1 ! !----this vrf has its own routing table; vl20,200,201 & lo2 router ospf 20 vrf custom1 redistribute connected subnet network 10.20.1.0 0.0.0.255 area 0 ! this is vlan20 ! router ospf 30 vrf custom2 redistribute connected subnet network 10.30.1.0 0.0.0.255 area 0 ! this is vlan30 ! ! !---the next few commands are helpful but not required ip tacacs source-interface Loopback1 ip telnet source-interface vlan 100 logging source-interface Loopback1 snmp-server trap-source Loopback1

!----reason for NOT connecting vlan 10 & 100 & lo1 to a vrf: ! i actually dont remember anymore for sure but i think it ! was because of the unability of snmp (or was it syslog?) ! to work with a vrf....???? ! anyway, with newer releases that might work today....

you might need capability vrflite

on the 1st OSPF instance - i found routing across an ABR was broken until we added this on a 12.2 switch (although a 12.4 routers added the line for me).

this is an easy way to "lock" protocols to a vrf as long as you dont have interfaces with the same address in a different VRF.

you can send traps and syslog into a VRF pretty easily - just add "vrf xxx" to the command.

got this going with 3560 and 12.2(40)SE, and on 12.4(15)T on a 2811 (for some version of x - dont remember which)