VRF Lite Configuration on Cisco IOS

Hi Laz,

Something like the below example:

Here we are not using the neighbor command:

router bgp 65498
 address-family ipv4 vrf Staff
  no synchronization
  network mask
  network mask
  network mask

Here we are using the neighbor command:

 address-family ipv4 vrf Guest
  neighbor remote-as 2
  neighbor timers 3 9
  neighbor activate
  network mask
  network mask
  no synchronization

So my question was: when do we use the address family with/without the neighbor command?

Thanks Laz.

Hello Sufian

The neighbor command is necessary to allow the exchange of BGP routes regardless of whether it is in the address-family mode or not. If no neighbor command is initiated, then routes will not be exchanged. Now by default, the IPv4 address-family is automatically enabled and will exchange routes if the neighbor command is found under the BGP configuration mode.

Now as Cisco notes:

Address exchange for address family IPv4 is enabled by default for each BGP routing session configured with the neighbor remote-as command unless you configure the no bgp default ipv4-activate command before configuring the neighbor remote-as command, or you disable address exchange for address family IPv4 with a specific neighbor by using the no neighbor activate command.

This means that if you have a neighbor command outside of the address-family ipv4 mode, this neighbor command is as if it is configured within the ipv4 address family.

However, when using VRFs, if there is no neighbor command, then you are not exchanging information for that particular VRF with any other BGP devices.

I hope this has been helpful!
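A configuration check for the case described in the answer above, as an added example that is not part of the original thread: it parses a BGP section and lists VRF address families that advertise networks but define no neighbor of their own. The function names, the addresses and the remote AS 65001 are assumptions made for illustration.

```python
import re

# Constructed sample: AS 65498 and the VRF names come from the thread; the
# addresses and the remote AS 65001 are filled in for illustration.
SAMPLE_CONFIG = """\
router bgp 65498
 neighbor 192.0.2.1 remote-as 65001
 address-family ipv4 vrf Staff
  no synchronization
  network 10.1.0.0 mask 255.255.0.0
 exit-address-family
 address-family ipv4 vrf Guest
  neighbor 198.51.100.2 remote-as 2
  neighbor 198.51.100.2 timers 3 9
  neighbor 198.51.100.2 activate
  network 10.2.0.0 mask 255.255.0.0
  no synchronization
 exit-address-family
"""
DEFAULT_AF = "ipv4 (default)"

def bgp_contexts(config):
    """Return {context: {"neighbors": set, "networks": int}} for the BGP section."""
    contexts, current, in_bgp = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():              # top-level command
            in_bgp = line.startswith("router bgp ")
            current = DEFAULT_AF if in_bgp else None
        elif in_bgp and (m := re.fullmatch(r"address-family ipv4 vrf (\S+)", line)):
            current = f"vrf {m.group(1)}"
        elif in_bgp and re.fullmatch(r"exit-address-family|address-family ipv4( unicast)?", line):
            current = DEFAULT_AF                      # explicit ipv4 AF == default AF
        if not in_bgp or current is None:
            continue
        entry = contexts.setdefault(current, {"neighbors": set(), "networks": 0})
        if m := re.match(r"neighbor (\S+) remote-as \d+", line):
            entry["neighbors"].add(m.group(1))
        elif line.startswith("network "):
            entry["networks"] += 1
    return contexts

def vrfs_without_neighbor(config):
    # Only neighbors inside the VRF address family count; VPNv4 sessions are out of scope.
    return sorted(name for name, ctx in bgp_contexts(config).items()
                  if name.startswith("vrf ") and ctx["networks"] and not ctx["neighbors"])
```
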


Hi Laz,

Thank you so much, now it makes sense.



I have a question. I know networks are advertised in BGP via the network command,
but in a config I am reviewing I don’t see the network command. All I see is this:

router bgp ****
 neighbor remote-as 5555
 address-family ipv4 unicast
 route-map NAME in
 route-map NAME out

How are the routes advertised?

Hello Michael.

Take a look at the posts above from this thread, they should answer your question.

I hope this has been helpful!


To clarify,
the IPv4 address-family is automatically enabled and will exchange routes if the neighbor command is found under the BGP configuration mode.
This is how routes are exchanged?

Hello Michael

Yes, this is correct. If you configure BGP like this:

router bgp 12345
 neighbor remote-as 12345


router bgp 12345
 address-family ipv4
  neighbor remote-as 12345

the result is the same thing. By configuring without the address family configuration, you are using the default address family which is ipv4.

I hope this has been helpful!


Hi Rene,

In addition to your reply, I did notice that multiple subinterfaces are configured on the PE router being used for VRFs. But where is the physical connection terminated or connected for the vendor on the router, as we have set multiple subinterfaces associated with one physical interface? Do we connect the WAN connection on the L2 switch and set the L3 VRF configuration on the router over subinterfaces?
For example:

int gi0/0
 no ip address
int gi0/0.10
 ip vrf forwarding A
 ip add
int gi0/0.20
 ip vrf forwarding B
 ip add

Please confirm.

Hello Raja

In this lesson, there are no subinterfaces configured. Are you maybe speaking about a different lesson? Can you refer us to the specific lesson so that we can help you more effectively?



Can I do VRF IS-IS and BGP MPLS using a 15.6 vrl router on my GNS3 and VMware?

Hello Harshi

I haven’t actually tried the specific configuration that you are describing, but it may be worth experimenting with. I think that the best way to find out is to actually try it out. If you have this setup, and you attempt to do it, let us know how it goes!


Hi Rene, if I have VRF blue and VRF red on a Nexus 5k, and VLAN 10 with IP in VRF blue and VLAN 11 in VRF blue with same is configured, how can a host on the south side of the Nexus 5k, with its gateway in subnet, be directed to use a specific VRF for its routing?

In a scenario where VRF red is disaster backup to VRF blue, how can we make sure traffic is sent through VRF red, not VRF blue?

Hi Harshi,

How did you configure the “south side” of your Nexus? If the host is directly connected then you add the interface directly to the VRF.


Hi, is there a way you can redistribute routes from one VRF to another without causing a loop?
I have an ISP that we connect to via our VRF; this goes out to our WAN sites. Full routing tables are populated in the WAN sites.
Now the ISP has requested that we create a new BGP AS with them and migrate sites over; however, I presumed that the ISP would filter the traffic in their cloud from the old AS to the new AS site by site.
They requested that I do it at my end. Is it possible to have 2 VRFs with the same prefix/route map, or will this cause a loop?

I tried thugs

Hello Michael

Can you clarify whether both WAN connections will be functioning simultaneously? Is there going to be a cutover from the WAN site to the New WAN site or will both WANs be functioning at the same time for a certain period of time?

If you have 2 VRFs with the same prefix/route map, then yes, you can have them function at the same time. However, if you are wanting to redistribute routes between the VRFs, this may cause some problems if the IP address spaces within the VRFs are the same.

Take a look at this lesson for how to share some routes between multiple VRFs:

Please let us know a little more information with the questions I asked at the beginning so we can help you out as much as we can!

I hope this has been helpful!


Hi Rene/Laz,

Looking at some other learning material when configuring VRF-lite and having OSPF running between two or more routers apparently it’s recommended to add the command:

capability vrf-lite

Apparently this stops background process checking for BGP and you configure this within the OSPF process on the ISP Router.

Example below:

router ospf 1 vrf Customer-1
capability vrf-lite
network area 0

Just to add, for anyone adding this command in a live environment where an OSPF neighbour adjacency is already established on the process in question, the neighbour adjacency will drop:

*Nov 9 13:16:14.487: %OSPF-5-ADJCHG: Process 2, Nbr on FastEthernet1/1 from FULL to DOWN, Neighbor Down: Interface down or detached

*Nov 9 13:16:14.583: %OSPF-5-ADJCHG: Process 2, Nbr on FastEthernet1/1 from LOADING to FULL, Loading Done

What is your opinion on enabling this? Is it something necessary or just recommended?

Hello Matthew

When an OSPF process is associated with a VRF instance, the PE performs the following checks:

  1. When a Type 3 LSA is received, the DN bit is checked. If this bit is set, the Type 3 LSA is not considered during the SPF calculation.
  2. When a Type 5 or Type 7 LSA is received, if the tag in the LSA is equal to the VPN tag, this LSA is not considered during the SPF calculation.

These checks are necessary for PE routers that are also running BGP. Now there are some situations in which these checks are not desirable, such as when VRFs are used on a router that is not a PE router (i.e. a router that does not run BGP as well). In such cases, the capability vrf-lite command should be used in order to turn off these checks and allow the correct population of the VRF routing table.

So this command is used in the specific situation where you are implementing VRFs in a router that is not a PE router, a router not running BGP.

I hope this has been helpful!
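The two checks listed in the answer above, modelled as an added example that is not part of the original thread: it shows which prefixes a VRF-bound OSPF process leaves out of the SPF calculation, and that capability vrf-lite restores them. The class and function names, the prefixes and the VPN tag value are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lsa:
    ls_type: int          # 3 = summary, 5 = AS-external, 7 = NSSA-external
    prefix: str
    dn_bit: bool = False  # DN bit carried in the LSA
    tag: int = 0          # external route tag (Type 5/7)

VPN_TAG = 12345           # constructed value standing in for the VPN tag

# Constructed LSDB as seen by an OSPF process bound to a VRF.
LSDB = [
    Lsa(3, "10.0.1.0/24", dn_bit=True),
    Lsa(3, "10.0.2.0/24"),
    Lsa(5, "10.0.3.0/24", tag=VPN_TAG),
    Lsa(5, "10.0.4.0/24", tag=777),
    Lsa(7, "10.0.5.0/24", tag=VPN_TAG),
]

def spf_decision(lsa, vpn_tag, vrf_lite):
    """Return (accepted, reason) following the checks described in the thread."""
    if vrf_lite:
        return True, "capability vrf-lite: checks disabled"
    if lsa.ls_type == 3 and lsa.dn_bit:
        return False, "Type 3 LSA with DN bit set"
    if lsa.ls_type in (5, 7) and lsa.tag == vpn_tag:
        return False, f"Type {lsa.ls_type} LSA tag equals VPN tag"
    return True, "no check matched"

def vrf_prefixes(lsdb, vpn_tag, vrf_lite):
    """Prefixes that are considered during SPF for this VRF."""
    return [l.prefix for l in lsdb if spf_decision(l, vpn_tag, vrf_lite)[0]]

def missing_without_vrf_lite(lsdb, vpn_tag):
    """Prefixes a non-PE router would lose if capability vrf-lite is absent."""
    kept = set(vrf_prefixes(lsdb, vpn_tag, vrf_lite=False))
    return [l.prefix for l in lsdb if l.prefix not in kept]

if __name__ == "__main__":
    for lsa in LSDB:
        print(lsa.prefix, spf_decision(lsa, VPN_TAG, vrf_lite=False))
```
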



Thanks Laz, very helpful.


I have a question: can we use OSPF between ISP & CE1 even if they have different AS numbers?

Hello Dinesh

It seems that your question doesn’t correspond with the topology in this lesson, since we don’t have a CE1 router nor do we have different AS’es. However, your question is quite valid.

Technically speaking, when you have two routers in different BGP AS’es, it is possible to make them OSPF neighbors and have them exchange OSPF routes. However, this should not be done as it can introduce problems in routing, such as routing loops or suboptimal routing.

IGPs like OSPF and EIGRP have been designed to function only within an AS. BGP has been designed to function between AS’es. BGP should be the only routing protocol that exchanges routing information between AS’es, otherwise routing havoc can take place.

I hope this has been helpful!