Network Virtualization Easy Virtual Network (EVN) · Network Virtualization Creation of Logical Partitions Virtualization: one-to-many (one network supports many virtual networks)

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1

Network Virtualization

Easy Virtual Network (EVN)

Martin Vozár, [email protected]


Agenda

� Easy Virtual Network Overview

� Overriding Defaults

� VRF Filtering

� Shared Services

� Management

� Summary


Virtual Network

Merged NewCompany

Network VirtualizationCreation of Logical Partitions

� Virtualization: one-to-many (one network supports many virtual networks)

� End-user perspective is that of being connected to a dedicated network (security, independent set of policies, routing decisions…)

� Must have a rock-solid campus design in place before adding virtualization to the network

Actual Physical Infrastructure

OutsourcedIT Department

Virtual Network Virtual Network

Segregated Department(Regulatory Compliance)

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKRST-2033 4

Enterprise Network DesignVRF-Lite + MPLS VPNs

Distribution Blocks

SiSiSiSiSiSiSiSi

SiSi

SiSi SiSi

SiSi

Internet

Data Center 2

WAN

MPLSVPNs

Yellow VRF

Green VRF

Red VRF

Branch 1

Yellow VRF

Green VRF

Red VRF

Branch 2

Yellow VRF

Green VRF

Red VRF

Branch 3

Data Center 1

Building 1 Building 2

PE3

PE1 PE2

PE4

VRF-LiteDevices


Evolution of VRFs – Easy Virtual Network

MPLS-VPN

VRFs VRF-Lite Easy Virtual Network

� VRFs were born from MPLS-VPN

� VRFs grew into adolescence with VRF-Lite(Multi-VRF)

� Easy Virtual Networks brings VRFs into maturity – Simplified/Enhanced VRF-Lite


EVN Summary

� ASR1k – first platform supporting EVN

� LAN Trunks

VLAN-ID reuse

Sub-interface inheritance

� Route Replication

IGP based Shared Services

� Enhanced Troubleshooting and Usability

routing-context, traceroute, debug condition, cisco-vrf-mib


Enterprise Network DesignEVN Presence

Distribution Blocks

SiSiSiSiSiSiSiSi

SiSi

SiSi SiSi

SiSi

Internet

Data Center 2

WAN

MPLSVPNs

Yellow VRF

Green VRF

Red VRF

Branch 1

Yellow VRF

Green VRF

Red VRF

Branch 2

Yellow VRF

Green VRF

Red VRF

Branch 3

Data Center 1

Building 1 Building 2

PE3

PE1 PE2

PE4

EVNDevices


Enterprise Network DesignEVN Presence

Distribution Blocks

SiSiSiSiSiSiSiSi

SiSi

SiSi SiSi

SiSi

Internet

Data Center 2

WAN

Campus

Yellow VRF

Green VRF

Red VRF

Branch 1

Yellow VRF

Green VRF

Red VRF

Branch 2

Yellow VRF

Green VRF

Red VRF

Branch 3

Data Center 1

Building 1 Building 2EVNDevices


Path IsolationFunctional Components

� Device virtualization

Control plane virtualization

Data plane virtualization

Services virtualization

� Data path virtualization

Hop-by-Hop

(EVN/VRF-LIte End-to-End)

Multi-Hop

(EVN/VRF-Lite+GRE, MPLS-VPN)

VRF

VRF

Global

IP/MPLS

802.1q

VRF: Virtual Routing and Forwarding

Per VRF:Virtual Routing Table

Virtual Forwarding Table


VRF-Lite End-to-EndHow Does It Work?

1. Create L2 VLANs and trunk them to the first L3 device

2. Define VRFs at the first L3 device and map the L2 VLANs to the proper VRF

3. Define VRFs on all the other L3 devices in the network

4. Configure as trunks all the physical links connecting the L3 devices in the network

Create VLAN interfaces or subinterfaces

and map them to the corresponding VRF

5. Define unique VLANs on each trunk to be associated to each VRF

7. Traffic is now carried end-to-end across the network maintaining logical isolation between the defined groups

VLAN 10VLAN 20

VLAN 11VLAN 21

VLAN 12VLAN 22

VLAN 13VLAN 23

VLAN 15VLAN 25

VLAN 16VLAN 26

VLAN 14VLAN 246. Enable a routing protocol in each VRF

IGPs


Easy Virtual Networks How Does It Work?

1. Create L2 VLANs and trunk them to the first L3 device

2. Define VRFs at the first L3 device and map the L2 VLANs to the proper VRF

3. Define VRFs on all the other L3 devices in the network

4. Configure as VNET trunks all the physical links connecting the L3 devices in the core

Each link will use the same 802.1q tag

6. Traffic is now carried end-to-end across the network maintaining logical isolation between the defined groups

A single trunk interface transports multiple VRF traffic. Trunks are Pre-Provisioned for new VRFs

VLAN 10VLAN 20

VLAN 10VLAN 20

5. Enable a routing protocol in each VRF

IGPs

VNET Tag 101VNET Tag 102VNET Trunk

VNET Tag 101VNET Tag 102

VNET Tunk


VNET Tunk


VNET Tunk


VNET Tunk

User Attachment Circuit (AC)

AC


EVN Provisioning – What is new

� Basic VRF Provisioning

1. Provision VRFs

“vnet tag <>” new command

2. Associate user facing (AC) and Trunk (Core facing interfaces) with VRF

“vnet trunk” new command

3. Define routing instance for VRFs

same as in VRF-Lite (Multi-VRF or MPLS VPNs on access side)

� Advanced VRF Provisioning options

� Customize attributes for each VRF (Override Inheritance)

� Filter VRFs on some links but allow on others

“vrf list <>” new command

� Setup inter-VRF communication (Shared Services/Extranet Services)

“route-replicate from vrf <>” new command


1. Create VRFs and allocate unique

VNET tags for each VRF

! VNET Tag is any number selected

by a network manager

!

vrf definition user-a

vnet tag 11

vrf definition user-b

vnet tag 12

vrf definition user-c

vnet tag 13

!

2. Map VRFs to appropriate

interfaces

!

interface Loopback11

vrf forwarding user-a

!

interface vlan 21


interface vlan 22

vrf forwarding user-c

interface vlan 23

vrf forwarding user-b

!

EVN Configuration: Define VRFs and map to interfaces

L3 Core

VLAN 21 user-a

VLAN 22 user-c

VLAN 23 user-b

VLAN 31 user-a

VLAN 32 user-c

VLAN 33 user-b

SiSi SiSi

e1/0

g1/1

Layer 2 Trunks

SiSi SiSi

es2-sd4

es2-d4

e1/0

3. Transport all provisioned VRFs on

Trunk interfaces

!

interface e1/0

vnet trunk!

es2-d3

es2-sd3

L2 D1L2 D2


!

es2-sd3(config-vrf)#vnet tag ?

<2-4094> Integer that is globally unique for all

VNETs

!

es2-sd3(config-vrf-af)#vrf definition 33

es2-sd3(config-vrf)#vnet tag 33

% Error: maximum of 32 VNETs already configured

EVN Configuration: Maximum 32 vnetssupported

1st

32nd

|


VRF Simplification - Trunk advantage

VRF Sub-interfaces!

interface Ethernet1/0.11

description Subinterface for VNET services

vrf forwarding user-aencapsulation dot1Q 11

ip address 125.1.15.18 255.255.255.0

ip pim sparse-mode

!


description Subinterface for VNET services

vrf forwarding user-bencapsulation dot1Q 12

ip address 125.1.15.18 255.255.255.0

ip pim sparse-mode

!


description Subinterface for VNET user-c

vrf forwarding user-cencapsulation dot1Q 13

ip address 125.1.15.18 255.255.255.0

ip pim sparse-mode

!

VNET Trunks!

interface Ethernet1/0

vnet trunkip address 125.1.15.18 255.255.255.0

ip pim sparse-mode

!

Configuration Expands to

� VNET Tag # defined for each VRF is used as part of numbering Sub-interfaces� Each sub-interface inherits the same characteristics from the main interface

-same IP address on all sub-interfaces� Unless a VRF Filter is applied, trunk interface will transport traffic for all

provisioned VRFs


Changing VNET Tag

VRF Sub-interfaces!

interface Ethernet1/1.11description Subinterface for VNET services

vrf forwarding user-aencapsulation dot1Q 11ip address 125.1.15.18 255.255.255.0

!

� In creation of VRF sub-interfaces, vnet tag is used� vnet tag also used with encap dot1q� Best Practice to change vnet tag so vrf sub-int is created

properly: 1. Remove old vnet tag. 2. Configure new vnet tag.

!


vnet tag 11

!

VNET Tag

es2-sd3(config)#vrf definition user-a

es2-sd3(config-vrf)#no vnet tag 11

es2-sd3(config-vrf)#vnet tag 101!


vrf forwarding user-aencapsulation dot1Q 101ip address 125.1.15.18 255.255.255.0

!


View Expanded configuration: show derived-config

Normal show run show derived-configRouter# show derived-config.................snip.......................

.



ip pim sparse-mode

!


vrf forwarding servicesencapsulation dot1Q 10

ip address 125.1.1.11 255.255.255.0

ip pim sparse-mode

!

interface Ethernet1/0.13description Subinterface for VNET user-c


ip address 125.1.1.11 255.255.255.0

ip pim sparse-mode

.

. .................snip.......................

Router# show run.

.................snip.................



ip pim sparse-mode

.................snip..................

� The only way to display full VNET

Trunk interface config generated automatically


View full VRF configuration: show running-config vnet

show running-config vnet

!

vrf definition services

vnet tag 10

!

address-family ipv4

exit-address-family

!


vnet trunk

ip address 125.1.15.18 255.255.255.0

ip pim sparse-mode

!



ip address 125.0.11.18 255.255.255.0

!



ip address 125.0.13.18 255.255.255.0

!

router ospf 13 vrf user-c

network 0.0.0.0 255.255.255.255 area 0

!

vrf list list-c

member services

member user-c

!

� Displays only VRF related

configuration for all VRFs: VRF

name, VNET Tag, VRF lists, vrf

outing instance and VRF interfaces� Does not display expended

configuration for Trunk Interface


VRF Aware show run

router# show run vrf user-aip vrf user-a

!

interface GigabitEthernet0/1

ip vrf forwarding user-a

ip address 11.2.2.1 255.255.255.0

!

interface Tunnel2

ip vrf forwarding user-a

ip address 11.2.1.1 255.255.255.0

tunnel source Loopback101

tunnel destination 126.101.1.2

tunnel key 102

!

router eigrp 100

!

address-family ipv4 vrf user-a

network 11.2.0.0 0.0.255.255

auto-summary

autonomous-system 102

exit-address-family

!

Old command displays VRF configuration info for:

� VRF Definitions

� Interfaces in VRFs

� Protocol configs for Multi-VRF

� Does not display expended configuration for Trunk Interface


VRF-Lite and VNET Trunk Compatibility

VRF-Lite Config EVN config!


!


!


ip address 125.1.1.11 255.255.255.0

ip pim sparse-mode

!


vrf forwarding servicesencapsulation dot1Q 10ip address 125.1.1.11 255.255.255.0

ip pim sparse-mode

!


vrf forwarding user-cencapsulation dot1Q 13ip address 125.1.1.11 255.255.255.0

ip pim sparse-mode

!


vnet tag 10

!


vnet tag 13!



ip pim sparse-mode

!

VRF-Lite Device EVN Device

•dot1Q tag and vnet tag must match


Changing VNET sub-interface configuration?

show derived-configRouter# show derived-config.................snip.......................

.



ip pim sparse-mode

!

!



ip address 125.1.1.11 255.255.255.0

ip pim sparse-mode

!

es2-d4#conf t

es2-d4(config)#interface Ethernet1/0.13

% VNET subinterface Et1/0.13 is not manually configurable

�Notice, VNET sub-interfaces are not manually configurable!

VRF-Lite Device EVN Device

�Adjust config on VRF-litedevice


Override Defaults


VNET Trunk – Overriding Inheritance

VNET Trunk config

es2-d4(config)# interface Ethernet1/1vnet trunkip address 10.122.5.32 255.255.255.254

ip ospf cost 20ip pim sparse-mode

logging event link-status

vnet name user-aes2-d4(config-if-vnet)# no ip pim sparse-

mode

vnet name user-ces2-d4(config-if-vnet)# ip ospf cost 30

�All VRFs on a trunk inherit characteristics from the main interface �Inherited characteristics can be overridden on a per VRF basis

-VRF user-a doesn’t support multicast-user-b VRF’s OSPF cost is different



vnet name user-cip ospf cost 30

es2-d4(config-if-vnet)#ip address ?% Unrecognized command

�VRF sub-interface IP address override is not supported.


Inheritance override for VNET Global

�EVN device has two types of routing tables: VRFs and Global �Global table carries all non-VRF routes�Global table is known as VNET Global �Global is Not a reserved word�Best Practice: do not create a VRF name “global” or any variation using mix of different case: “Global”, “gLobal”…..etc.

VRF

VRF

Global

es2-d4(config)# interface Ethernet1/1es2-d4(config-if)#vnet trunkip address 10.122.5.32 255.255.255.254

ip ospf cost 20ip pim sparse-mode

logging event link-status

es2-d4(config-if)# vnet globales2-d4(config-if-vnet)# ip ospf cost 20

vnet name user-ces2-d4(config-if-vnet)# ip ospf cost 30

• Use regular commands like show ip

route…etc. Can not access global table

using “show vnet global”…es2-d4#sh vnet global

% No VNET or VRF named 'global'


VRF Filters


Specifying Explicit Paths using VRF ListSpecify VRFs carried on Trunks

vrf list list-a

member user-a

member user-c

member services

interface g1/0

vnet trunk vrf-list list-a

vrf list list-b

member user-b

member user-c

member services

interface g1/0

vnet trunk vrf-list list-b

Campus Core

Layer 2 Trunks

g1/1g1/1

SiSi

VLAN 21 user-a

VLAN 22 user-c

VLAN 23 user-b

SiSi

SiSi SiSi

� VRFs can be carried over specific trunks for traffic engineering� Specify on each trunk which VRFs are allowed� VRF list not supported with VRF-lite


VRF aware debug filtering

es2-d3# debug condition vrf user-aCondition 1 set

CEF filter table debugging is on

es2-sd3#

*Nov 30 23:47:13.116: vrfmgr(0) Debug: Condition 1, vrf user-a triggered, count 1

es2-d3# debug ip ospf hello

es2-sd3#

*Nov 30 23:47:42.204: OSPF-11 HELLO Et3/0.11: Rcv hello from

125.0.11.13 area 0 125.1.2.13

es2-sd3#sh debug conditionCondition 1: vrf user-a (1 flags triggered) Flags: vrfmgr(0)

Condition 2: vrf user-b (1 flags triggered) Flags: vrfmgr(1)

es2-sd3#no debug condition vrf user-aCondition 1 has been removed

es2-sd3#sh deb condition

Condition 2: vrf user-b (1 flags triggered)

Flags: vrfmgr(1)

� Set debug condition to include debug output for only selected VRFs: user created VRFs or global or default


Routing Context


VRF Verification Using Routing Context

Routing context

es2-d4#routing-context vrf user-a

es2-d4%user-a#

es2-d4%user-a# show ip route

Routing table output for red

es2-d4%user-a# ping 10.1.1.1

Ping result using VRF red

es2-d4%user-a# telnet 10.1.1.1

Telnet to 10.1.1.1 in VRF red

es2-d4%user-a# traceroute 10.1.1.1

Traceroute output in VRF red

Original CLI

es2-d4#show ip route vrf user-a

Routing table output for red

es2-d4#ping vrf user-c 10.1.1.1

Ping result using VRF red

es2-d4#telnet 10.1.1.1 /vrf user-a

Telnet to 10.1.1.1 in VRF red

es2-d4#traceroute vrf user-a 10.1.1.1

Traceroute output in VRF red

Exiting VRF routing context (back to global)es2-sd4#routing-context vrf user-a

es2-sd4%user-a#routing-context vrf global

es2-sd4#


Shared Services


Shared Services

Services that you don’t want to duplicate:

� Internet Gateway

� Firewall and NAT - DMZ

� DNS

� DHCP

� Corporate Communications - Hosted Content

Requires IP Connectivity between VRFs

This is usually accomplished through some type of Extranet Capability or Fusion Router/FW

Best Methods for Shared Services

Fusion Router/FW – Internet Gateway, NAT/DMZ

Extranet – DNS, DHCP, Corp Communications


Provisioning Shared Services

Before: Setting up shared services

• No BGP required• No Route Distinguisher required• No Route Targets required• No Import/Export required• Simple Deployment• Supports both Unicast/Mcast

!


!

address-family ipv4

route-replicate from vrf user-a unicast all

route-replicate from vrf user-b unicast all route-map userb

exit-address-family

!


vnet tag 11

!

address-family ipv4

route-replicate from vrf services unicast all

exit-address-family

!

vrf definition user-b

vnet tag 12

!

address-family ipv4

route-replicate from vrf services unicast all

exit-address-family

!

With: Route Replication in EVN

ip vrf servicesrd 3:3route-target export 3:3route-target import 1:1route-target import 2:2!ip vrf user-ard 1:1route-target export 1:1route-target import 3:3!ip vrf user-brd 2:2route-target export 2:2route-target import 3:3!router bgp 65001bgp log-neighbor-changes!address-family ipv4 vrf servicesredistribute ospf 3no auto-summaryno synchronizationexit-address-family!address-family ipv4 vrf user-aredistribute ospf 1no auto-summaryno synchronizationexit-address-family!address-family ipv4 vrf user-bredistribute ospf 2no auto-summaryno synchronizationexit-address-family!


Route Redistribution

� Route Redistribution will copyroutes between different routing

processes or protocols within a

single RIB

� Each VRF has a separate and distinct RIB

OSPF Process 2

Route TypeDest Int

NextHop

126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

router ospf 1network 126.1.0.0 0.0.255.255 area 0

OSPF Process 1

Route TypeDest Int

NextHop

126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

RIB – Routing Infomation Base

Route Type Dest Int NextHop

126.1.17.0/24 Connected Gi0/1

126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

router ospf 2redistribute ospf 1 subnets


Route Replication

RIB – VRF services


126.1.17.0/24 Connected Gi0/1

126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

� Route Replication creates a link to a route in a RIB from a different VRF

RIB – VRF user-a


126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

vrf definition user-a!address-family ipv4route-replicate from vrf services unicast all

exit-address-family

router ospf 99 vrf servicesnetwork 126.1.0.0 0.0.255.255 area 0

!router ospf 98 vrf user-anetwork 126.1.0.0 0.0.255.255 area 0


Ping and Traceroute in Shared Services

• Trunk interface address is common among VRFs (125.1.6.0 is in

all VRFs)

• Telnet/Ping sources egress interface address by default

• Specify source address from the same VRF

es2-d4%user-c# traceroute 125.0.10.12 source 125.0.13.18

es2-d4%user-c# ping 125.0.10.12 source 125.0.13.18

Campus Core

Layer 2 Trunks

g1/1g1/1

SiSi

VLAN 22 user-c

VLAN 23 user-b

SiSi

SiSi SiSi

user-c

user-b

services

user-c

Es2-d4

Es2-sd4es2-sd4#

!interface Loopback10

vrf forwarding services

ip address 125.0.10.12 255.255.255.0

!125.1.6.0

es2-d4#

!interface Loopback13


ip address 125.0.13.18 255.255.255.0

!


EVNInstrumentation


• Improved CLI for VRF-aware SNMP

• New CISCO-VRF-MIB for VRF discovery and management

• Netflow data using Flexible Netflow-not supported on VNET Trunk interface-works on VRF edge interfaces

EVN Instrumentation


Summary


EVN Summary

� EVN – simplied VRF Lite

� Works with VRF Lite, MPLS VPNs and MPLSVPNsomGRE

� New Concepts

-VNET Tag

-LAN Trunks

-VLAN-ID reuse

-Sub-interface inheritance

-Route Replication: IGP based Shared Services

-Enhance Troubleshooting and Usability

-routing-context, traceroute, debug condition, cisco-vrf-mib


List of new commands at a glance

command Description

vnet tag <> Define vnet tag unique for each VRF

vnet name <> To switch to a VRF for override inheritance

vnet trunk Allow all VRFs on a trunk/core interface

vrf list <> Specify VRFs to filter

vnet trunk list <> Allow all but specified VRFs on a trunk interface

route-replicate Replicate routes among VRFs for shared

services

routing-context vrf <> VRF’s context to view/verify a VRF specific info


References

� Overview of Easy Virtual Network

http://www.cisco.com/en/US/partner/docs/ios/ios_xe/evn/configuration/guide/evn_overview_xe_ps11174_TSD_Products_Configuration_Guide_Chapter.html

� Command Reference

http://www.cisco.com/en/US/docs/ios/evn/command/reference/evn1.html

� Management and Troubleshooting

http://www.cisco.com/en/US/docs/ios/ios_xe/evn/configuration/guide/evn_mgt_ts_xe.html


Documents

Network Virtualization Easy Virtual Network (EVN) · Network Virtualization Creation of Logical Partitions Virtualization: one-to-many (one network supports many virtual networks)