© 2012 Cisco and/or its affiliates. All rights reserved. BRKVIR-2009 Cisco Public
Present and Future Services for Network Virtualization (BRKVIR-2009)

More Info

Andy Kessler

Other Sessions:
BRKCRS-2033 Deploying a Virtualized Campus Network Infrastructure – Ray Blair
BRKRST-2045 Network Virtualization Design Concepts over the WAN – Craig Hill
BRKVIR-2008 Experiences From Delivering End to End Cloud IaaS – Koren Lev

Mailing List:
Agenda

Network Virtualization
  VRF-Lite Review
  Easy Virtual Network (EVN)
IP Multicast Virtualization
  Multicast with Multi-VRF
  Multicast VPNs
Shared Services
  Unprotected Services – Extranet
  Route Replication
QoS and Virtual Networks
Network Management in a Virtualized Environment
NV Architectures
What is "Network" Virtualization?

Giving one physical network the ability to support multiple virtual networks.
The end-user perspective is that of being connected to a dedicated network (security, an independent set of policies, routing decisions, ...).
Maintains hierarchy; virtualizes devices, data paths and services.
Allows for better utilization of network resources.

[Figure: one actual physical infrastructure carrying several virtual networks, e.g. a merged new company, internal organizational separation (engineering, sales) and a guest access network.]
Network Virtualization Benefits

Groups and services are logically separated:
  Guest/partner access – wireless
  Physical security – video surveillance, card key access
  Mergers and acquisitions
  Airports – airlines, security, guest networks, shopping malls
Regulation:
  Health care – HIPAA
  Financial – Sarbanes-Oxley
  Credit card transactions – PCI compliance

For the regulatory cases the separation is logical: it holds only as long as the points where VRFs are joined (shared services, fusion router/firewall, route leaking) are controlled, which the Shared Services section covers.
Enterprise Network Design

[Figure: campus distribution blocks (Building 1, Building 2), campus core, Data Center 1 and Data Center 2, WAN with Branch 1, 2 and 3, and Internet. The Yellow, Green and Red VRFs extend end-to-end through the campus, the data centers and the branches.]
Network Virtualization Transport and Payload

Transport   Payload   Feature Names
Ethernet    Layer 3   VRF-Lite (Campus), Easy Virtual Network (EVN)
MPLS        Layer 2   AToM (EoMPLS), VPLS
MPLS        Layer 3   MPLS-VPN
IP          Layer 2   OTV, VPLSoGRE
IP          Layer 3   VRF-Lite over mGRE, MPLS-VPN over mGRE
MPLS-VPN Overview

MPLS-VPN service:
  Allows an SP to offer a L3 IP service to many customers on a common core.
  Traffic from each customer is encapsulated in MPLS and delivered between the PEs; the CEs attach to the PEs and exchange routes with them (eBGP in the figure).
  Each customer has its own IP address domain – overlapping address space between customers is supported.

[Figure: provider network with PE1 to PE4. Blue CE1, CE2 and CE3 and two Red CEs attach to the PEs over eBGP; the Blue sites and the Red sites form separate MPLS VPNs over the common core.]
Path Isolation – Functional Components

VRF: Virtual Routing and Forwarding. Per VRF there is a virtual routing table and a virtual forwarding table; the global table is one more such instance alongside the VRFs.

Device virtualization
  Control plane virtualization
  Data plane virtualization
  Services virtualization
Data path virtualization
  Hop-by-hop (VRF-Lite end-to-end, one 802.1Q tag per VRF on every hop)
  Multi-hop (VRF-Lite + GRE, MPLS-VPN)

[Figure: a device with Global, VRF and VRF instances, each attached to 802.1Q-tagged IP links.]
Evolution of VRFs – Easy Virtual Network

MPLS-VPN VRFs, then VRF-Lite, then Easy Virtual Network:
VRFs were born from MPLS-VPN, grew into adolescence with VRF-Lite, and EVN brings them into maturity.
Easy Virtual Network Summary

LAN trunks
  Significant configuration simplification
  VRFs are pre-provisioned on the trunk
Route replication
  IGP-based shared services
  BGP not required
Enhanced troubleshooting and usability
  routing-context, traceroute, debug condition, cisco-vrf-mib

[Figure: two devices, each with Global plus two VRFs, joined by a single 802.1Q trunk.]

Available on ASR1K, Cat6500 and Cat4500 today (2012), planned for more platforms.

VRF-Lite Review
VRF-Lite – Interface Config Example

With VRF-Lite every VRF needs its own 802.1Q sub-interface on every physical link, configured on both ends. Router A (10.122.5.1) and Router B (10.122.5.2) are shown below; the VLAN tag (101 for red, 102 for green) is what keeps the two VRFs apart on the wire. Note the command order: "ip vrf forwarding" must precede "ip address", because moving an interface into a VRF clears its address.

Router A:

ip vrf red
!
ip vrf green
!
interface TenGigabitEthernet1/1
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.101
 description Subinterface for red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.102
 description Subinterface for green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode

Router B:

ip vrf red
!
ip vrf green
!
interface TenGigabitEthernet1/1
 ip address 10.122.5.2 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.101
 description Subinterface for red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.2 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.102
 description Subinterface for green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.2 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
VRF-Lite Packet Flows

[Figure: on the trunk between the two routers, Global traffic (IP data packets and IGP updates) is untagged; Red traffic is tagged with 802.1Q VLAN ID 101 and Green traffic with VLAN ID 102, for both data packets and IGP updates. Each VLAN terminates in the matching VRF (Global, Red, Green) on either side.]
VRF-Lite – Routing Protocol Example

A separate IGP process (OSPF) or address-family (EIGRP) runs per VRF, so routing information is never exchanged across VRFs by accident. "passive-interface default" keeps adjacencies off every interface except the explicitly enabled VRF-facing VLAN, so a host on an access VLAN cannot form a neighbor relationship with the router.

OSPF example:

router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface default
 no passive-interface vlan 2000
!
router ospf 100 vrf green
 network 11.0.0.0 0.255.255.255 area 0
 passive-interface default
 no passive-interface vlan 2001
!
router ospf 200 vrf red
 network 12.0.0.0 0.255.255.255 area 0
 passive-interface default
 no passive-interface vlan 2002

EIGRP example:

router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface vlan 2000
 no auto-summary
 !
 address-family ipv4 vrf green autonomous-system 100
  network 11.0.0.0 0.255.255.255
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf red autonomous-system 100
  network 12.0.0.0 0.255.255.255
  no auto-summary
 exit-address-family
VRF-Lite End-to-End – How Does It Work?

[Figure: access VLANs 10 to 16 on one side and 20 to 26 on the other, each mapped to a VRF, carried across L3 devices that run per-VRF IGPs.]

1. Create L2 VLANs at the edge of the network and trunk them to the first L3 device.
2. Define the VRFs on each L3 device and map the VLANs to a VRF.
3. Configure every trunk between L3 devices to carry each of the VRFs: create a sub-interface per VRF and map it to the correct VRF.
4. Configure an IGP for each VRF on each L3 device.

Traffic is now carried end-to-end across the network while maintaining logical isolation between the defined groups.

Easy Virtual Network
LAN Trunks
Multi-AF VRF Structure

The old VRF CLI ("ip vrf blue") only applies to the IPv4 address family.
The new VRF CLI ("vrf definition blue") allows multiple address families under the same VRF – a multi-protocol VRF. Policies for the VRF can apply to IPv4 and IPv6 VPNs at the same time; the routing tables are still separate.
Supported in 12.2(33)SB and 15.0(1)M.

Existing IPv4 VRFs will need to be converted to multi-AF VRFs to support IPv6. The upgrade command converts the existing configuration in place:

router(config)# vrf upgrade-cli multi-af-mode common-policies

Before:

ip vrf blue
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
interface Ethernet0
 ip vrf forwarding blue
 ip address 11.1.1.1 255.255.0.0

After:

vrf definition blue
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 !
 address-family ipv4
 exit-address-family
!
interface Ethernet0
 vrf forwarding blue
 ip address 11.1.1.1 255.255.0.0
Easy Virtual Network – End-to-End – How Does It Work?

[Figure: the same topology as the VRF-Lite case: access VLANs 10 to 16 and 20 to 26 mapped to VRFs, per-VRF IGPs across the core.]

1. Create L2 VLANs at the edge of the network and trunk them to the first L3 device.
2. Define the VRFs on each L3 device and map the VLANs to a VRF.
3. Configure a VNET trunk on each of the physical core interfaces. The VRF's vnet tag is used as the 802.1Q tag, so the frames on the wire are the same as with VRF-Lite sub-interfaces.
4. Configure an IGP for each VRF on each L3 device.

Trunks are pre-provisioned for new VRFs: when you add a new VRF you do not have to configure a new sub-interface, the VNET trunk creates it automatically. The flip side is that a newly defined VRF with a vnet tag is carried on every VNET trunk unless a VRF list restricts it (see VRF Lists below).
VRF-Lite and VNET Trunk Compatibility

A VRF-Lite router with sub-interfaces and an EVN router with a VNET trunk interoperate on the same link, because both put the same 802.1Q tags on the wire. Both routers have the VRFs defined; only the EVN router has VNET tags.

VRF-Lite sub-interface config (10.122.5.1):

interface TenGigabitEthernet1/1
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.101
 description Subinterface for Red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.102
 description Subinterface for Green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode

VNET trunk config (10.122.5.2):

vrf definition red
 vnet tag 101
 !
 address-family ipv4
 exit-address-family
!
vrf definition green
 vnet tag 102
 !
 address-family ipv4
 exit-address-family
!
interface TenGigabitEthernet1/1
 vnet trunk
 ip address 10.122.5.2 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
VRF Integration with L2 Edge – Multitier Deployment

[Figure: Layer 2 access switches connect over Layer 2 trunks to a pair of Layer 3 distribution switches, which connect to the campus core over g1/0 (VNET trunk) and g1/1. Access VLANs 21/22/23 and 31/32/33 map to Red/Green/Blue.]

Distribution switch, global config:

vrf definition red
 vnet tag 101
 !
 address-family ipv4
 exit-address-family
!
vrf definition green
 vnet tag 102
 !
 address-family ipv4
 exit-address-family
!
vrf definition blue
 vnet tag 103
 !
 address-family ipv4
 exit-address-family
!
interface g1/0
 vnet trunk

SVIs on the distribution switch (the L2 VLANs from the access layer mapped into VRFs):

interface vlan 21
 vrf forwarding red
interface vlan 22
 vrf forwarding green
interface vlan 23
 vrf forwarding blue
interface vlan 31
 vrf forwarding red
interface vlan 32
 vrf forwarding green
interface vlan 33
 vrf forwarding blue
EVN – show derived-config

A normal "show run" displays only the trunk; "show derived-config" also displays the sub-interfaces the VNET trunk generated, one per VRF with a vnet tag, each inheriting the trunk's IP address and PIM settings.

Router# show run
. . .
interface Ethernet1/0
 vnet trunk
 ip address 10.122.6.11 255.255.255.0
 ip pim sparse-mode
. . .

Router# show derived-config
. . .
interface Ethernet1/0
 vnet trunk
 ip address 10.122.6.11 255.255.255.0
 ip pim sparse-mode
!
interface Ethernet1/0.101
 description Subinterface for VNET red
 vrf forwarding red
 encapsulation dot1Q 101
 ip address 10.122.6.11 255.255.255.0
 ip pim sparse-mode
!
interface Ethernet1/0.102
 description Subinterface for VNET green
 vrf forwarding green
 encapsulation dot1Q 102
 ip address 10.122.6.11 255.255.255.0
 ip pim sparse-mode
. . .
EVN – show ip int brief

"show ip int brief" displays all sub-interfaces, including those generated by the VNET trunks (one per VRF tag per trunk), each sharing the trunk's address.

vrf definition red
 vnet tag 101
 !
 address-family ipv4
 exit-address-family
!
vrf definition green
 vnet tag 102
 !
 address-family ipv4
 exit-address-family
!
interface Ethernet1/0
 vnet trunk
 ip address 10.1.95.1 255.255.255.0
!
interface Ethernet2/0
 vnet trunk
 ip address 10.1.96.1 255.255.255.0

Router# show ip int brief
Interface        IP-Address  OK? Method Status Protocol
Ethernet1/0      10.1.95.1   YES NVRAM  up     up
Ethernet1/0.101  10.1.95.1   YES NVRAM  up     up
Ethernet1/0.102  10.1.95.1   YES NVRAM  up     up
.
Ethernet2/0      10.1.96.1   YES NVRAM  up     up
Ethernet2/0.101  10.1.96.1   YES NVRAM  up     up
Ethernet2/0.102  10.1.96.1   YES NVRAM  up     up
EVN – show vnet, show vnet int

"show vnet" lists the VRF names, tags and sub-interfaces; "show vnet int" lists the same information sorted by interface, with state, VNET, tag and IP address.

Router# show vnet
Name    Tag  Protocols  Interfaces
red     101  ipv4       Gi0/0/0.101
                        Gi0/0/3.101
blue    102  ipv4       Gi0/0/0.102
                        Gi0/0/3.102
green   103  ipv4       Gi0/0/0.103
                        Gi0/0/3.103

es1-asr-w8# show vnet int
Interface    State  VNET   Tag  IP-Address
Gi0/0/0.101  Up     red    101  1.1.1.1
Gi0/0/0.102  Up     blue   102  1.1.1.1
Gi0/0/0.103  Up     green  103  1.1.1.1
Gi0/0/3.101  Up     red    101  1.1.2.2
Gi0/0/3.102  Up     blue   102  1.1.2.2
Gi0/0/3.103  Up     green  103  1.1.2.2
VNET Trunk – Overriding Inheritance

Sub-interfaces generated by a VNET trunk inherit the trunk's interface commands. Specific interface commands can be overridden on a per-VRF basis with a "vnet name <vrf>" block under the trunk, which is the EVN equivalent of giving one VRF-Lite sub-interface different settings.

VRF-Lite sub-interface config (green uses OSPF cost 30 and no PIM):

interface TenGigabitEthernet1/1
 ip address 10.122.5.1 255.255.255.252
 ip ospf cost 20
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.101
 description Subinterface for Red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.1 255.255.255.252
 ip ospf cost 20
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.102
 description Subinterface for Green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.1 255.255.255.252
 ip ospf cost 30

Equivalent VNET trunk config:

vrf definition red
 vnet tag 101
 !
 address-family ipv4
 exit-address-family
!
vrf definition green
 vnet tag 102
 !
 address-family ipv4
 exit-address-family
!
interface TenGigabitEthernet1/1
 vnet trunk
 ip address 10.122.5.2 255.255.255.252
 ip ospf cost 20
 ip pim sparse-mode
 vnet name green
  no ip pim sparse-mode
  ip ospf cost 30
VRF Lists – Specify VRFs Carried on Trunks

VRF lists can filter the traffic carried over VNET trunks. Without a list, a VNET trunk carries every VRF that has a vnet tag; with a list, only the listed members cross that link, so a segment that must not reach a given part of the network is simply left out of the list for that trunk.

[Figure: R1 holds the Yellow, Green and Red VRFs. Its g1/0 trunk (Group A) toward R2 and R3 carries only Red and Yellow; its g2/0 trunk (Group B) toward R4, R5, R6 and R7 carries only Red and Green.]

vrf list group-a
 member red
 member yellow
!
interface g1/0
 vnet trunk vrf-list group-a
!
vrf list group-b
 member red
 member green
!
interface g2/0
 vnet trunk vrf-list group-b
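The following is an added example, not Cisco code and not part of the deck. It models what the VNET trunk does for the operator: expand each "vnet trunk" into the per-VRF sub-interfaces that "show derived-config" displays, apply "vnet name" overrides (a "no" form removes an inherited command, anything else replaces the inherited command with the same leading keywords), and honor "vnet trunk vrf-list" filtering. It covers both the Overriding Inheritance slide and the VRF Lists slide above. All VRF names, tags, interface names and addresses are constructed to mirror the slides; the tag 103 for yellow is an assumption, since the deck never gives yellow a tag.

```python
"""Expand EVN 'vnet trunk' interfaces into the per-VRF sub-interfaces that
'show derived-config' displays, honoring 'vnet name' overrides and
'vnet trunk vrf-list' filtering.

Added example, not Cisco code. VRF names, vnet tags, interface names and
addresses are constructed to mirror the slides (yellow = tag 103 is an
assumption; the deck never gives yellow a tag)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Vrf:
    name: str
    vnet_tag: int


@dataclass
class Trunk:
    name: str
    commands: List[str]                     # interface commands inherited by every VNET
    vrf_list: Optional[str] = None          # 'vnet trunk vrf-list <name>'
    overrides: Dict[str, List[str]] = field(default_factory=dict)  # 'vnet name <vrf>' blocks


def _key(cmd: str) -> str:
    """Command identity for override matching: the leading keywords up to the
    first numeric argument, so 'ip ospf cost 30' replaces 'ip ospf cost 20'
    while 'ip pim sparse-mode' only matches itself."""
    words = []
    for tok in cmd.split():
        if tok[0].isdigit():
            break
        words.append(tok)
    return " ".join(words)


def apply_overrides(inherited: List[str], overrides: List[str]) -> List[str]:
    """Start from the trunk's commands, then apply a 'vnet name' block:
    'no <cmd>' deletes the inherited command; anything else replaces the
    inherited command with the same key, or is added if there is none."""
    result = list(inherited)
    for cmd in overrides:
        if cmd.startswith("no "):
            result = [c for c in result if c != cmd[3:]]
        else:
            result = [c for c in result if _key(c) != _key(cmd)]
            result.append(cmd)
    return result


def derive_config(vrfs: List[Vrf], vrf_lists: Dict[str, Set[str]],
                  trunks: List[Trunk]) -> Dict[str, List[str]]:
    """Return {sub-interface name: [config lines]} for every VRF each trunk carries.

    Without a vrf-list a VNET trunk carries every VRF that has a vnet tag, so a
    freshly defined VRF is on the wire immediately; a vrf-list limits the trunk
    to its members, which is the control to use when a link must not carry a
    given segment."""
    derived: Dict[str, List[str]] = {}
    for trunk in trunks:
        allowed = None if trunk.vrf_list is None else vrf_lists[trunk.vrf_list]
        for vrf in vrfs:
            if allowed is not None and vrf.name not in allowed:
                continue
            body = [f"description Subinterface for VNET {vrf.name}",
                    f"vrf forwarding {vrf.name}",
                    f"encapsulation dot1Q {vrf.vnet_tag}"]
            body += apply_overrides(trunk.commands, trunk.overrides.get(vrf.name, []))
            derived[f"{trunk.name}.{vrf.vnet_tag}"] = body
    return derived


def vrfs_on_trunk(derived: Dict[str, List[str]], trunk_name: str) -> Set[str]:
    """Audit helper: which VRFs actually cross a given physical link."""
    return {lines[1].split()[-1] for sub, lines in derived.items()
            if sub.rsplit(".", 1)[0] == trunk_name}


# Constructed input mirroring the 'Overriding Inheritance' and 'VRF Lists' slides.
VRFS = [Vrf("red", 101), Vrf("green", 102), Vrf("yellow", 103)]
VRF_LISTS = {"group-a": {"red", "yellow"}, "group-b": {"red", "green"}}
TRUNKS = [
    Trunk("TenGigabitEthernet1/1",
          ["ip address 10.122.5.2 255.255.255.252", "ip ospf cost 20", "ip pim sparse-mode"],
          overrides={"green": ["no ip pim sparse-mode", "ip ospf cost 30"]}),
    Trunk("GigabitEthernet1/0",
          ["ip address 10.122.7.1 255.255.255.252", "ip pim sparse-mode"],
          vrf_list="group-a"),
    Trunk("GigabitEthernet2/0",
          ["ip address 10.122.8.1 255.255.255.252", "ip pim sparse-mode"],
          vrf_list="group-b"),
]

if __name__ == "__main__":
    for sub, lines in derive_config(VRFS, VRF_LISTS, TRUNKS).items():
        print(f"interface {sub}")
        print("\n".join(f" {line}" for line in lines), "\n!")
```

Running the script prints the expanded sub-interfaces. The unfiltered TenGigabitEthernet1/1 trunk carries all three VRFs (including yellow, which nobody asked for), while the two list-filtered trunks carry only their members; vrfs_on_trunk is the check to run before trusting that a link does not carry a segment.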
VRF Simplification – Trunk Advantage

Virtual Networks   Neighbors   VRF-Lite Subinterfaces   VNET Trunks
4                  4           16                       4
10                 4           40                       4
20                 4           80                       4
30                 4           120                      4

VRF-Lite requires one point-to-point sub-interface configuration per VRF per physical interface; VNET trunks require one point-to-point trunk configuration per physical interface.

VRF-Lite sub-interfaces:

interface TenGigabitEthernet1/1.101
 description 10GE to core 3
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.102
 description 10GE to core 3
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode

VNET trunk:

interface TenGigabitEthernet1/1
 description 10GE to core 3
 vnet trunk
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode

Easy Virtual Network – Enhanced Troubleshooting and Usability
Routing Context – IOS

Routing context sets a VRF once for the session; the standard IOS CLI repeats the vrf keyword on every command. Both forms operate on the same VRF-scoped tables.

Routing context:

Router# routing-context vrf red
Router%red#
Router%red# show ip route          (routing table output for red)
Router%red# ping 10.1.1.1          (ping result using VRF red)
Router%red# telnet 10.1.1.1        (telnet to 10.1.1.1 in VRF red)
Router%red# traceroute 10.1.1.1    (traceroute output in VRF red)

Equivalent IOS CLI:

Router# show ip route vrf red
Router# ping vrf red 10.1.1.1
Router# telnet 10.1.1.1 /vrf red
Router# traceroute vrf red 10.1.1.1
VRF Aware show run

"show run vrf <name>" displays the VRF configuration info for: the VRF definition, the interfaces in the VRF, and the protocol configs of the multi-VRF routing processes.

router# show run vrf green
vrf definition green
 !
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/1
 vrf forwarding green
 ip address 11.2.2.1 255.255.255.0
!
interface Tunnel2
 vrf forwarding green
 ip address 11.2.1.1 255.255.255.0
 tunnel source Loopback101
 tunnel destination 126.101.1.2
!
router eigrp 100
 !
 address-family ipv4 vrf green
  network 11.2.0.0 0.0.255.255
  autonomous-system 102
 exit-address-family
!
EVN – VRF Verification – Operator Interface

VRF traceroute: every hop reports the VRF the packet arrived in and the VRF it left on (name/id), so a VRF boundary crossing is visible at the exact hop where it happens.

Router%Red# trace 10.1.3.1
Tracing the route to 10.1.3.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 (red/1001, red/1001)
  2 10.2.1.2 (red/1001, red/1001)

Router%Red# trace 10.1.2.1
Tracing the route to 10.1.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 (red/1001, red/1001)
  2 10.2.1.2 (red/1001, green/1002)
  3 10.2.2.2 (green/1002, green/1002)
  4 * * *

In the second trace the packet enters hop 2 in red and leaves it in green. If that hop is not a designated shared-services or fusion point, this is where to look for a leak.

VRF instrumentation:
  Improved CLI for VRF-aware SNMP
  New CISCO-VRF-MIB for VRF discovery and management

VRF-aware debug: display debug output only for the configured VRFs.

R2# debug condition vrf red
R2# debug condition vrf blue
R2# debug ip ospf hello
R2# debug ip ospf spf

Multicast in a Multi-VRF Environment
VRF-Lite End-to-End – Multicast

The simplest design choice is leveraging in each VRF the same multicast configuration already in place in the global table:
  PIM mode, RP placement, RP advertisement protocol
Deployment is simple when the multicast source and receivers are part of the same VRF:
  The alternative is to deploy the multicast source as a shared resource (Shared Services)
Multicast VRF functionality is supported across all Catalyst platforms:
  Support for the Catalyst 4000 family is limited to Sup6E supervisors (modular) or 4900M models (12.2(50)SG IOS release)
VRF-Lite End-to-End – Multicast Configuration

Example valid config for a PIM Sparse Mode deployment, leveraging Anycast RP (with MSDP between the RPs) for RP redundancy. The VRF repeats the structure of the global table with its own loopbacks, its own RP address and its own group range; the access-list on each rp-address restricts that RP to its group range.

1. Enable multicast routing globally and in each VRF, and PIM on each L3 interface:

ip multicast-routing
ip multicast-routing vrf red
!
interface TenGigabitEthernet1/1
 description 10GE to core (Global)
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.10
 description 10GE to core (VRF red)
 encapsulation dot1Q 10
 ip vrf forwarding red
 ip pim sparse-mode

2. Configure the RP in the global table and in the VRF using Anycast RP:

Global table:

interface Loopback0
 description Anycast RP Global
 ip address 10.122.5.200 255.255.255.255
 ip pim sparse-mode
!
interface Loopback1
 description MSDP Peering interface
 ip address 10.122.5.250 255.255.255.255
 ip pim sparse-mode
!
ip msdp peer 10.122.5.251 connect-source Loopback1
ip msdp originator-id Loopback1
!
access-list 10 permit 239.0.0.0 0.255.255.255
ip pim rp-address 10.122.5.200 10

VRF Red:

interface Loopback10
 description Anycast RP VRF red
 ip vrf forwarding red
 ip address 10.122.15.200 255.255.255.255
 ip pim sparse-mode
!
interface Loopback11
 description MSDP Peering interface VRF red
 ip vrf forwarding red
 ip address 10.122.15.250 255.255.255.255
 ip pim sparse-mode
!
ip msdp vrf red peer 10.122.15.251 connect-source Loopback11
ip msdp vrf red originator-id Loopback11
!
access-list 11 permit 239.192.0.0 0.0.255.255
ip pim vrf red rp-address 10.122.15.200 11
Multicast VPNs
Enterprise Network Design – MPLS-VPN in Campus Core or WAN

[Figure: the same enterprise topology as before (campus distribution blocks in Building 1 and 2, Data Center 1 and 2, WAN with Branch 1 to 3, Internet); here the Yellow, Green and Red VRFs are carried through the campus core or the WAN as MPLS-VPNs.]
MVPN – Cisco's Implementation

Multicast is not specified in MPLS-VPN (RFC 2547, RFC 4364). Cisco's implementation is based on the IETF draft "Multicast in MPLS/BGP IP VPNs", draft-ietf-l3vpn-2547bis-mcast-07 (since published as RFC 6513; the default/data MDT scheme Cisco deployed is documented in RFC 6037):
  The provider builds an independent multicast network in the core
  All customer multicast traffic is encapsulated and multicast across the provider network
  A separate multicast group is used in the provider network for each customer VPN (Default MDT / MI-PMSI)
The provider multicast address space is independent of the customer address space, which avoids overlap of customers' multicast addresses.
MPLS VPN and Multicast – Concept and Fundamentals

The first step is to enable multicast in the campus core; this is no different from a normal multicast deployment.

[Figure: MPLS core with four PEs; a high-bandwidth multicast source behind one PE, Receiver 1 and Receiver 2 behind two others. The Default MDT carries low-bandwidth and control traffic only; a Data MDT carries the high-bandwidth traffic only to the PEs that have receivers.]

ip multicast-routing vrf red
!
ip vrf red
 rd 3:3
 mdt default 232.0.0.1
 mdt data 232.0.1.0 0.0.0.255 threshold 500

1. A default MDT for each VRF is established between the PEs.
2. A high-bandwidth source for that customer starts sending traffic.
3. Interested receivers 1 and 2 join that high-bandwidth source.
4. Once the source exceeds the threshold (500 kbps here), a Data MDT is formed between the PEs for this high-bandwidth source, using a group from the 232.0.1.0/24 pool.

Shared Services
Shared Services

Services that you don't want to duplicate per virtual network:
  Internet gateway
  Firewall and NAT – DMZ
  DNS
  DHCP
  Corporate communications – hosted content

Sharing them requires IP connectivity between VRFs, which is usually accomplished through some type of extranet capability or a fusion router/firewall.

Best methods for shared services:
  Fusion router/FW – Internet gateway, NAT/DMZ (traffic passes a firewall when it leaves its VRF)
  Extranet – DNS, DHCP, corporate communications (routes are leaked, with no enforcement point in the path)
Sharing Services – Protected Services

Traffic leaving a specific virtual network is steered to the services edge. A fusion router deployed in the services edge provides:
  Inter-VPN connectivity
  Protected access to shared resources

A firewall is positioned front-ending each VPN for:
  VPN isolation/protection
  Application of per-VPN policies
  Leveraging the multi-context functionality available with Cisco FWSM, PIX and ASA

Routing between the VRFs and the fusion router depends on the firewall's mode of operation:
  FW in transparent mode: IGP or eBGP
  FW in routed mode: static routing or eBGP
Sharing Services – Route Import/Export Between VRFs

Provides access to services without forcing the traffic through the firewall front-ending each VPN.
Useful for sharing specific services (DHCP and DNS servers, for example):
  Services are commonly deployed in a dedicated Shared VPN
  Not recommended as a way to provide inter-VPN communication between user VPNs
Leverages the BGP route-target mechanism for route leaking:
  No support for overlapping IP addresses across VPNs (a leaked prefix must be unique across every VRF that imports it)
Unprotected Services – Extranet – Multi-Device Deployment

Usually utilized in conjunction with MPLS VPN as the path isolation strategy:
  Requires the deployment of MP-BGP to exchange VPN routes between devices
Leverages the MP-BGP route-target attribute to determine the type of connectivity achieved:
  Hub-and-spoke is usually deployed to provide access to shared services
Route leaking is performed on the PE devices receiving the BGP updates.
No routes are exchanged between "Red" and "Green":
  Red and Green devices remain isolated from each other

[Figure: PE1 (Shared Server) peers over MP-BGP with PE2 (PC Red) and PE3 (PC Green).]
Unprotected Services – Extranet Configuration

Shared exports 3:3 and imports the user VRFs' targets; each user VRF exports its own target and imports only 3:3. Because neither Red nor Green imports the other's target, no route from one can appear in the other.

PE1:

ip vrf Shared
 rd 3:3
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2

PE2:

ip vrf Red
 rd 1:1
 route-target export 1:1
 route-target import 3:3

PE3:

ip vrf Green
 rd 2:2
 route-target export 2:2
 route-target import 3:3

[Figure: PE1 (Shared Server) peers over MP-BGP with PE2 (PC Red) and PE3 (PC Green).]
Unprotected Services – Extranet Verification

PC Red 10.137.12.0/24 behind PE2, PC Green 10.137.22.0/24 behind PE3, Shared subnet 10.138.32.0/24 behind PE1, all exchanged over MP-BGP.

Red sees the shared subnet but not Green's:

PE2#sh ip route vrf Red 10.138.32.0
Routing entry for 10.138.32.0/24
  Known via "bgp 100", distance 200, metric 0
  Last update from 192.168.100.100 00:29:47 ago
  <snip>
PE2#sh ip route vrf Red 10.137.22.0
% Subnet not in table

Green sees the shared subnet but not Red's:

PE3#sh ip route vrf Green 10.138.32.0
Routing entry for 10.138.32.0/24
  Known via "bgp 100", distance 200, metric 0
  Last update from 192.168.100.100 00:30:35 ago
  <snip>
PE3#sh ip route vrf Green 10.137.12.0
% Subnet not in table

Shared sees both:

PE1#sh ip route vrf Shared 10.137.12.0
Routing entry for 10.137.12.0/24
  Known via "bgp 100", distance 200, metric 0
  Last update from 192.168.100.1 00:32:38 ago
  <snip>
PE1#sh ip route vrf Shared 10.137.22.0
Routing entry for 10.137.22.0/24
  Known via "bgp 100", distance 200, metric 0
  Last update from 192.168.100.2 00:35:17 ago
  <snip>
Unprotected Services – Extranet – Single Device Deployment

Applicable to VRF-Lite end-to-end scenarios:
  A local BGP process is configured to enable the route import/export mechanism
  No BGP neighbor relationships are established, since BGP is required only on the local device
"Shared" routes are locally imported/exported to the "Red" and "Green" VRFs:
  The "Shared" routes locally leaked into the "Red" and "Green" VRFs can be advertised to other devices via the IGP running in the context of each VRF
Red and Green devices can reach the Shared server but remain isolated from each other.

[Figure: R1 holds the Shared server and performs the local route leaking (BGP); R2 (PC Red) and R3 (PC Green) connect to R1 over per-VRF IGPs.]
Unprotected Services – Extranet Configuration (single device, R1)

ip vrf Red
 rd 100:100
 route-target export 1:1
 route-target import 3:3
!
ip vrf Green
 rd 200:200
 route-target export 2:2
 route-target import 3:3
!
ip vrf Shared
 rd 300:300
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2
!
router bgp 100
 !
 address-family ipv4 vrf Red
  redistribute eigrp 100
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Green
  redistribute eigrp 100
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Shared
  redistribute connected
  no synchronization
 exit-address-family
!
router eigrp 100
 !
 address-family ipv4 vrf Red
  redistribute bgp 100 metric 100000 1 255 1 1500
  network 10.0.0.0
  no auto-summary
  autonomous-system 100
 exit-address-family
 !
 address-family ipv4 vrf Green
  redistribute bgp 100 metric 100000 1 255 1 1500
  network 10.0.0.0
  no auto-summary
  autonomous-system 100
 exit-address-family

EIGRP feeds each user VRF's routes into BGP, BGP performs the import/export between the VRFs on the box, and the leaked Shared routes are redistributed back into each VRF's EIGRP so the downstream devices learn them. The Shared VRF only needs "redistribute connected" because the server subnet is directly attached to R1.
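As an added example (not from the deck and not Cisco tooling), the script below audits the isolation promised by the route-target configurations on the multi-device and single-device extranet slides above. It parses "ip vrf" / "vrf definition" blocks and derives which VRF can learn whose routes: VRF A receives VRF B's prefixes exactly when A imports a route-target that B exports. That rule is the same whether the targets travel over MP-BGP between PEs or through a local BGP process on one VRF-Lite device, so the same check applies to both deployments. The configurations embedded below are constructed copies of the slide configs; the misconfigured variant (Green importing 1:1 by mistake) is invented to show what a violation looks like.

```python
"""Audit extranet isolation from route-target policy.

Added example, not from the Cisco deck. Parses 'ip vrf' / 'vrf definition'
blocks and derives which VRF can learn whose routes: A receives B's prefixes
iff A imports a route-target that B exports."""
import re
from typing import Dict, List, Set, Tuple

VrfPolicy = Dict[str, Set[str]]          # {"import": {...}, "export": {...}}
Pair = Tuple[str, str]                   # (receiver, source)

_HEADER = re.compile(r"^(?:ip vrf|vrf definition) (\S+)$")
_RT = re.compile(r"^route-target (export|import|both) (\S+)$")
_TOPLEVEL = ("interface ", "router ", "ip route ", "line ", "!")   # ends a vrf block


def parse_vrfs(config: str) -> Dict[str, VrfPolicy]:
    """Collect import/export RTs per VRF; 'route-target both' counts as either.
    Works on 'ip vrf' and on 'vrf definition' with address-family sub-blocks."""
    vrfs: Dict[str, VrfPolicy] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            vrfs.setdefault(current, {"import": set(), "export": set()})
            continue
        if line.startswith(_TOPLEVEL):
            current = None
            continue
        m = _RT.match(line)
        if m and current is not None:
            kind, rt = m.groups()
            if kind in ("export", "both"):
                vrfs[current]["export"].add(rt)
            if kind in ("import", "both"):
                vrfs[current]["import"].add(rt)
    return vrfs


def reachability(vrfs: Dict[str, VrfPolicy]) -> Dict[Pair, bool]:
    """{(receiver, source): True} when receiver imports an RT that source exports.
    This is a control-plane statement (receiver learns source's routes); two-way
    traffic also needs the reverse entry so replies have a path back."""
    return {(rx, tx): bool(vrfs[rx]["import"] & vrfs[tx]["export"])
            for rx in vrfs for tx in vrfs if rx != tx}


def isolation_violations(vrfs: Dict[str, VrfPolicy], allowed: Set[Pair]) -> List[Pair]:
    """Route exchanges that exist but are not on the allow-list. A one-way leak
    is still reported: the receiving VRF learns prefixes it should not know."""
    return sorted(p for p, ok in reachability(vrfs).items() if ok and p not in allowed)


# Constructed input: the hub-and-spoke extranet from the slides.
EXTRANET = """
ip vrf Shared
 rd 3:3
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2
!
ip vrf Red
 rd 1:1
 route-target export 1:1
 route-target import 3:3
!
ip vrf Green
 rd 2:2
 route-target export 2:2
 route-target import 3:3
!
"""

# Constructed mistake: an extra 'import 1:1' on Green pulls in Red's routes.
MISCONFIGURED = EXTRANET.replace(
    "ip vrf Green\n rd 2:2\n route-target export 2:2\n route-target import 3:3",
    "ip vrf Green\n rd 2:2\n route-target export 2:2\n route-target import 3:3\n route-target import 1:1")

# Only the shared-services hub may exchange routes with the user VRFs.
ALLOWED: Set[Pair] = {("Red", "Shared"), ("Shared", "Red"),
                      ("Green", "Shared"), ("Shared", "Green")}

if __name__ == "__main__":
    for label, cfg in (("as designed", EXTRANET), ("with typo", MISCONFIGURED)):
        print(label, "->", isolation_violations(parse_vrfs(cfg), ALLOWED) or "isolated")
```

Feed it the actual "show run | section vrf" output from each PE (or from the single VRF-Lite device) and an allow-list of the pairs the design intends; anything else it reports is a leak to explain. The check is deliberately one-directional, because a VRF that merely learns another VRF's prefixes already knows more about that segment than it should.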
Unprotected Services – Extranet Verification (single device)

PC Red 10.137.12.0/24 behind R2, PC Green 10.137.22.0/24 behind R3, Shared subnet 10.138.32.0/24 on R1 (local route leaking via BGP), IGP between R1 and R2/R3.

On R1 the Shared subnet appears in both user VRFs via the local BGP leak:

R1#sh ip route vrf Red 10.138.32.0
Routing entry for 10.138.32.0/24
  Known via "bgp 100", distance 20, metric 0
  Redistributing via eigrp 100, bgp 100
  Routing Descriptor Blocks:
  * directly connected, via Vlan32
  <snip>
R1#sh ip route vrf Green 10.138.32.0
Routing entry for 10.138.32.0/24
  Known via "bgp 100", distance 20, metric 0
  Redistributing via eigrp 100, bgp 100
  Routing Descriptor Blocks:
  * directly connected, via Vlan32
  <snip>

Downstream, R2 and R3 learn the Shared subnet through their VRF's EIGRP but still cannot see each other:

R2#sh ip route vrf Red 10.138.32.0
Routing entry for 10.138.32.0/24
  Known via "eigrp 100", distance 90, metric 3840
  <snip>
R2#sh ip route vrf Red 10.137.22.0
% Subnet not in table

R3#sh ip route vrf Green 10.138.32.0
Routing entry for 10.138.32.0/24
  Known via "eigrp 100", distance 90, metric 3840
  <snip>
R3#sh ip route vrf Green 10.137.12.0
% Subnet not in table
Route Import – Global to VRF / VRF to Global

VRF to VRF: no issues (route-target import/export as shown above).
Global to/from VRF:
  Static routes can be used
  import map <route-map> / export map <route-map> under the VRF
  Limited to 5 VRFs and 1000 routes per VRF
  Route replication will add this functionality
Recommended approach:
  Put the services in a VRF and leak routes
  Or use route replication
VRF Simplification – Shared Services

Before: sharing services with the existing technology (BGP route-target import/export).

ip vrf SHARED
 rd 3:3
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2
!
ip vrf RED
 rd 1:1
 route-target export 1:1
 route-target import 3:3
!
ip vrf GREEN
 rd 2:2
 route-target export 2:2
 route-target import 3:3
!
router bgp 65001
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf SHARED
  redistribute ospf 3
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute ospf 1
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute ospf 2
  no auto-summary
  no synchronization
 exit-address-family
!

After: simple shared service definition with route replication.

vrf definition SHARED
 address-family ipv4
  route-replicate from vrf RED unicast all route-map red-map
  route-replicate from vrf GREEN unicast all route-map grn-map
 exit-address-family
!
vrf definition RED
 address-family ipv4
  route-replicate from vrf SHARED unicast all
 exit-address-family
!
vrf definition GREEN
 address-family ipv4
  route-replicate from vrf SHARED unicast all
 exit-address-family

Route-replication advantage:
  No BGP required
  No route distinguisher required
  No route targets required
  No import/export required
  Simple deployment
  Supports both unicast and multicast

RED and GREEN each replicate only from SHARED, never from each other, and the route-maps red-map and grn-map (not shown) limit which RED and GREEN prefixes SHARED learns. Those one-directional statements are what keep the user VRFs isolated while giving them the shared services; a "route-replicate from vrf GREEN" line under RED would join the two user VRFs outright.
Route Redistribution

Route redistribution copies routes between different routing processes or protocols within a single RIB. Each VRF has a separate and distinct RIB, so redistribution alone never moves a route from one VRF to another.

router ospf 1
 network 126.1.0.0 0.0.255.255 area 0
!
router ospf 2
 redistribute ospf 1 subnets

RIB – Routing Information Base
Dest            Type       Int    NextHop
126.1.17.0/24   Connected  Gi0/1
126.1.9.0/24    OSPF       Gi0/1  126.1.17.13
126.1.12.0/24   OSPF       Gi0/1  126.1.17.13
126.1.14.0/24   OSPF       Gi0/1  126.1.17.13

OSPF process 1 installs the three OSPF routes (126.1.9.0/24, 126.1.12.0/24, 126.1.14.0/24 via 126.1.17.13) into this RIB; with "redistribute ospf 1 subnets", OSPF process 2 reads the same three routes from the same RIB and advertises them.
Route Replication

Route replication creates a link to a route in the RIB of a different VRF: the route remains in the source VRF's RIB and is referenced from the destination VRF's RIB.

RIB – VRF services
Dest            Type       Int    NextHop
126.1.17.0/24   Connected  Gi0/1
126.1.9.0/24    OSPF       Gi0/1  126.1.17.13
126.1.12.0/24   OSPF       Gi0/1  126.1.17.13
126.1.14.0/24   OSPF       Gi0/1  126.1.17.13

RIB – VRF user-a (replicated from services)
Dest            Type       Int    NextHop
126.1.9.0/24    OSPF       Gi0/1  126.1.17.13
126.1.12.0/24   OSPF       Gi0/1  126.1.17.13
126.1.14.0/24   OSPF       Gi0/1  126.1.17.13

vrf definition services
 !
 address-family ipv4
  route-replicate from vrf user-a unicast all
 exit-address-family
!
vrf definition user-a
 !
 address-family ipv4
  route-replicate from vrf services unicast all
 exit-address-family
!
router ospf 99 vrf services
 network 126.1.0.0 0.0.255.255 area 0
!
router ospf 98 vrf user-a
 network 126.1.0.0 0.0.255.255 area 0
Route Replication Output

The routes now show up in the destination VRF with a '+' and the source VRF identified in parentheses.

Router# routing-context vrf user-a
Router%user-a# show ip route
Routing Table: user-a
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      126.0.0.0/8 is variably subnetted, 124 subnets, 4 masks
....
O +      126.1.9.0/24 [110/2] via 126.1.17.13 (services), 1d04h, GigabitEthernet0/1
O +      126.1.12.0/24 [110/4] via 126.1.17.13 (services), 1d04h, GigabitEthernet0/1
O +      126.1.14.0/24 [110/3] via 126.1.17.13 (services), 1d04h, GigabitEthernet0/1
C +      126.1.17.0/24 is directly connected (services), GigabitEthernet0/1
L +      126.1.17.31/32 is directly connected (services), GigabitEthernet0/1
Route Replication Output (Cont.)
The routes show up in the RIB as replicated, with the same OSPF metrics, distance, next hop, etc.:
Router# routing-context vrf services
Router%services# show ip route 126.1.9.0
Routing Table: services
Routing entry for 126.1.9.0/24
Known via "ospf 99", distance 110, metric 2, type intra area
Last update from 126.1.17.13 on GigabitEthernet0/1, 1d05h ago
Routing Descriptor Blocks:
* 126.1.17.13, from 126.0.1.15, 1d05h ago, via GigabitEthernet0/1
Route metric is 2, traffic share count is 1
Router%services# routing-context vrf user-a
Router%user-a# show ip route 126.1.9.0
Routing Table: user-a
Routing entry for 126.1.9.0/24
Known via "ospf 99", distance 110, metric 2, type intra area, replicated
Last update from 126.1.17.13 on GigabitEthernet0/1, 1d05h ago
Routing Descriptor Blocks:
* 126.1.17.13 (services), from 126.0.1.15, 1d05h ago, via GigabitEthernet0/1
Route metric is 2, traffic share count is 1
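As an added example (not from the deck), the following Python parses "show ip route" output of the form shown on these two slides, separates replicated entries (the '+' flag and the source VRF in parentheses) from native ones, and checks that every replica carries the same distance, metric and next hop as the source VRF's own entry. The sample output is constructed to match the slides; the sixth, non-replicated route in user-a is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output modelled on the slide: VRF user-a holds five routes
# replicated from VRF services (marked "+") plus one route of its own.
SHOW_IP_ROUTE_USER_A = """\
Routing Table: user-a
Gateway of last resort is not set
      126.0.0.0/8 is variably subnetted, 124 subnets, 4 masks
O   +    126.1.9.0/24 [110/2] via 126.1.17.13 (services), 1d04h, GigabitEthernet0/1
O   +    126.1.12.0/24 [110/4] via 126.1.17.13 (services), 1d04h, GigabitEthernet0/1
O   +    126.1.14.0/24 [110/3] via 126.1.17.13 (services), 1d04h, GigabitEthernet0/1
C   +    126.1.17.0/24 is directly connected (services), GigabitEthernet0/1
L   +    126.1.17.31/32 is directly connected (services), GigabitEthernet0/1
O        126.1.50.0/24 [110/5] via 126.1.40.2, 2d01h, GigabitEthernet0/2
"""

# Constructed: the same prefixes as they appear natively in VRF services.
SHOW_IP_ROUTE_SERVICES = """\
Routing Table: services
O        126.1.9.0/24 [110/2] via 126.1.17.13, 1d04h, GigabitEthernet0/1
O        126.1.12.0/24 [110/4] via 126.1.17.13, 1d04h, GigabitEthernet0/1
O        126.1.14.0/24 [110/3] via 126.1.17.13, 1d04h, GigabitEthernet0/1
C        126.1.17.0/24 is directly connected, GigabitEthernet0/1
L        126.1.17.31/32 is directly connected, GigabitEthernet0/1
"""

PREFIX_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")
DYNAMIC_RE = re.compile(
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\((?P<src>[^)]+)\))?")
CONNECTED_RE = re.compile(r"is directly connected(?:\s+\((?P<src>[^)]+)\))?")


@dataclass
class Route:
    prefix: str
    code: str                  # "O", "C", "L", "O IA", ...
    replicated: bool           # "+" flag present
    source_vrf: Optional[str]  # VRF named in parentheses on replicated routes
    ad: Optional[int]
    metric: Optional[int]
    next_hop: Optional[str]
    interface: str


def parse_show_ip_route(text: str) -> List[Route]:
    """Parse the per-route lines of 'show ip route'; header and summary lines are skipped."""
    routes = []
    for raw in text.splitlines():
        toks = raw.split()
        idx = next((i for i, t in enumerate(toks) if PREFIX_RE.match(t)), None)
        if not idx:  # None: no prefix on the line; 0: a "is variably subnetted" summary line
            continue
        head, rest = toks[:idx], " ".join(toks[idx + 1:])
        code = " ".join(t for t in head if t != "+")
        replicated = "+" in head
        m = DYNAMIC_RE.search(rest)
        if m:
            routes.append(Route(toks[idx], code, replicated, m.group("src"),
                                int(m.group("ad")), int(m.group("metric")),
                                m.group("nh"), toks[-1]))
            continue
        m = CONNECTED_RE.search(rest)
        if m:
            routes.append(Route(toks[idx], code, replicated, m.group("src"),
                                None, None, None, toks[-1]))
    return routes


def replicated_by_source(routes: List[Route]) -> Dict[str, List[str]]:
    """Group replicated prefixes by the VRF they were replicated from."""
    out: Dict[str, List[str]] = {}
    for r in routes:
        if r.replicated:
            out.setdefault(r.source_vrf or "?", []).append(r.prefix)
    return out


def check_replica_consistency(dest: List[Route], source_vrf: str,
                              source: List[Route]) -> List[str]:
    """Prefixes replicated from source_vrf whose AD/metric/next hop differ from the source RIB.
    A replica is a link into the other RIB, so any difference means a stale or mis-read view."""
    by_prefix = {r.prefix: r for r in source}
    bad = []
    for r in dest:
        if r.replicated and r.source_vrf == source_vrf:
            s = by_prefix.get(r.prefix)
            if s is None or (s.ad, s.metric, s.next_hop) != (r.ad, r.metric, r.next_hop):
                bad.append(r.prefix)
    return bad
```

Running check_replica_consistency against the two outputs returns an empty list; if the services RIB is changed so that 126.1.12.0/24 carries a different metric, that prefix is reported, which is the kind of drift to look for when auditing a fusion router.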
Shared Services Using Route Replication
vrf definition red
route-replicate from vrf SERVICES unicast all
vrf definition green
route-replicate from vrf SERVICES unicast all
vrf definition services
route-replicate from vrf RED unicast all route-map red-map
route-replicate from vrf GREEN unicast all route-map grn-map

[Diagram: R1 (10.0.0.0/8, host 10.1.1.1) and R2 (20.0.0.0/8, host 20.1.1.1) attach to R3, the fusion point; R4 behind R3 holds 192.168.1.0/24 (host 192.168.1.1). "show ip route vrf services" on R3 lists routes to 10.0.0.0/8 and 20.0.0.0/8.]
R1 and R2 do not have a route to 192.168.1.1 – need route redistribution on R3
R4 does not have routes to 10.0.0.0/8 and 20.0.0.0/8 – need route redistribution on R3
Shared Services Using Route Replication and Redistribution
router ospf 99 vrf services
redistribute vrf red ospf 98 subnets
redistribute vrf green ospf 97 subnets
router ospf 98 vrf red
redistribute vrf services ospf 99 subnets
router ospf 97 vrf green
redistribute vrf services ospf 99 subnets

[Diagram: same topology as the previous slide (R1 10.0.0.0/8 with 10.1.1.1, R2 20.0.0.0/8 with 20.1.1.1, R3 fusion point, R4 192.168.1.0/24 with 192.168.1.1). "show ip route vrf green" now shows a route to 192.168.1.1 through R3, and "show ip route vrf services" shows routes to 10.0.0.0/8 and 20.0.0.0/8.]
VRF Route Replication – Global
Route replication enables the ability to dynamically share routes between the global/default VRF and a user-defined VRF.
vrf definition services
!
address-family ipv4
route-replicate from vrf global unicast all route-map g-map
exit-address-family
!
global-address-family ipv4
route-replicate from vrf services unicast all route-map services-map
!
router ospf 10 vrf services
redistribute connected subnets
redistribute vrf global ospf 1 subnets
network 0.0.0.0 255.255.255.255 area 0
!
router ospf 1
redistribute vrf services ospf 10 subnets
network 0.0.0.0 255.255.255.255 area 0
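An added model, in Python, of the fusion router R3 from the three route-replication slides above (this is not the deck's code and claims nothing about IOS beyond what the slides state): each VRF has its own RIB, route-replicate creates links filtered by an optional route-map, and an IGP only advertises what is native to its VRF or explicitly redistributed into it. The 172.16.0.0/12 prefix and the R1/R2/R4 next-hop labels are constructed; the rule that a replica is not replicated onward is the model's own assumption, noted in the code.

```python
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

RouteMap = Callable[[IPv4Network], bool]


class Vrf:
    """A minimal RIB per VRF. 'own' holds routes learned inside the VRF; 'replicated' holds
    links to routes that live in another VRF's RIB (what route-replicate creates)."""

    def __init__(self, name: str):
        self.name = name
        self.own: Dict[IPv4Network, Tuple[str, str]] = {}             # prefix -> (protocol, next hop)
        self.replicated: Dict[IPv4Network, Tuple[str, str, str]] = {}  # prefix -> (source vrf, protocol, next hop)

    def add(self, prefix: str, protocol: str, next_hop: str) -> None:
        self.own[ip_network(prefix)] = (protocol, next_hop)

    def lookup(self, dst: str) -> Optional[Tuple[IPv4Network, str, str, str]]:
        """Longest-prefix match over native and replicated routes.
        Returns (prefix, protocol, next hop, VRF that owns the route) or None."""
        addr = ip_address(dst)
        candidates = [(p, proto, nh, self.name) for p, (proto, nh) in self.own.items()]
        candidates += [(p, proto, nh, src) for p, (src, proto, nh) in self.replicated.items()]
        best = None
        for cand in candidates:
            if addr in cand[0] and (best is None or cand[0].prefixlen > best[0].prefixlen):
                best = cand
        return best


def prefix_list_route_map(permitted: Iterable[str]) -> RouteMap:
    """A route-map that permits exact prefix matches only (an ip prefix-list entry without ge/le)."""
    allowed = {ip_network(p) for p in permitted}
    return lambda prefix: prefix in allowed


def route_replicate(dest: Vrf, source: Vrf, route_map: Optional[RouteMap] = None) -> None:
    """Model of 'route-replicate from vrf <source> unicast all [route-map <map>]' under <dest>.
    Model assumption: only routes native to the source VRF are linked; a route the source holds
    only as a replica is not forwarded on, so replication never chains through a VRF."""
    for prefix, (proto, nh) in source.own.items():
        if route_map is None or route_map(prefix):
            dest.replicated[prefix] = (source.name, proto, nh)


def igp_advertises(vrf: Vrf, redistribute_from: Iterable[Vrf] = ()) -> Set[str]:
    """Prefixes the IGP in `vrf` originates to its neighbours. Replicated routes are RIB links
    only and are not advertised; 'redistribute vrf <other> ...' (redistribute_from) exports them."""
    adv = {str(p) for p in vrf.own}
    for other in redistribute_from:
        adv |= {str(p) for p in other.own}
    return adv


def build_fusion_router() -> Tuple[Vrf, Vrf, Vrf]:
    """Constructed R3: red (R1 side), green (R2 side) and services (R4 side) as on the slides."""
    red, green, svc = Vrf("red"), Vrf("green"), Vrf("services")
    red.add("10.0.0.0/8", "ospf 98", "R1")
    red.add("172.16.0.0/12", "ospf 98", "R1")   # constructed: a red-only prefix that must stay private
    green.add("20.0.0.0/8", "ospf 97", "R2")
    svc.add("192.168.1.0/24", "ospf 99", "R4")
    # vrf definition services: route-replicate from vrf RED ... route-map red-map (GREEN / grn-map alike)
    route_replicate(svc, red, prefix_list_route_map(["10.0.0.0/8"]))
    route_replicate(svc, green, prefix_list_route_map(["20.0.0.0/8"]))
    # vrf definition red / green: route-replicate from vrf SERVICES unicast all
    route_replicate(red, svc)
    route_replicate(green, svc)
    return red, green, svc
```

Two points the model makes visible: red never obtains a path to green's 20.0.0.0/8 through the services VRF, so the fusion point does not collapse the user VRFs into one; and the route-map on route-replicate filters only the RIB links, so a later "redistribute vrf red ospf 98 subnets" without its own route-map still exports everything red knows, including 172.16.0.0/12, toward R4.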
Shared Services Summary
Support for shared services across VRFs
Shared services approach is best for DNS, DHCP, Corp Communications – not Internet Gateway
Consideration needs to be taken for the location of the Extranet fusion point for unicast and multicast
Route replication simplifies deployment
‒ Works with IGPs without any additional protocol
‒ Multicast Extranet will work with route replication
‒ Supports VRF→Global and Global→VRF
QoS in a Virtualized Network
QoS with GRE, MPLS over GRE
Router will copy the original ToS marking to the outer GRE header
For MPLS over GRE, the EXP marking is copied to the outer header of the GRE tunnel
This allows the IPv4 "transport" to perform QoS on the multi-encapsulated packet
[Diagram: three header stacks. Original IP header (ToS) + IP payload. GRE header with ToS reflection: outer GRE IP header (ToS) | GRE | original IP header (ToS) | IP payload. MPLS over GRE header with ToS reflection: outer GRE IP header (ToS) | GRE | MPLS shim (EXP) | original IP header (ToS) | IP payload. Arrows labelled "ToS Reflection" show the ToS of the inner IP header, or the EXP of the MPLS shim, copied to the outer GRE IP header.]
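The header copying described above, as an added Python example that is not part of the deck: it builds an IPv4 packet, wraps it in GRE or MPLS-over-GRE, reflects the inner ToS or EXP into the outer header, and provides the check a transport-side operator would run on a captured packet to confirm that the marking survived encapsulation. All addresses are constructed; placing EXP in the outer precedence bits and deriving EXP from the inner packet's precedence are modelling assumptions, not statements from the slide.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, tos: int, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def mpls_shim(label: int, exp: int, bos: int = 1, ttl: int = 64) -> bytes:
    """32-bit MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    mpls_label: Optional[int] = None) -> bytes:
    """Encapsulate an IPv4 packet in GRE (plain or MPLS over GRE) and reflect its marking outward.
    Plain GRE: the inner ToS byte is copied to the outer header. MPLS over GRE: the EXP bits are
    copied to the outer header; this model puts them in the outer IP precedence bits and takes EXP
    from the inner packet's precedence (both assumptions of the example)."""
    inner_tos = inner[1]
    if mpls_label is None:
        payload = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner      # GRE: flags=0, protocol type
        outer_tos = inner_tos
    else:
        exp = inner_tos >> 5
        payload = struct.pack("!HH", 0, ETHERTYPE_MPLS) + mpls_shim(mpls_label, exp) + inner
        outer_tos = exp << 5
    return ipv4_header(tunnel_src, tunnel_dst, outer_tos, IPPROTO_GRE, len(payload)) + payload


def inner_marking(packet: bytes) -> Tuple[str, int]:
    """Return ("ipv4", tos) or ("mpls", exp) for what sits directly inside the GRE header."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ethertype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:   # C/K/S bits set: optional GRE fields present, not handled here
        raise ValueError("GRE optional fields not supported")
    body = packet[ihl + 4:]
    if ethertype == ETHERTYPE_IPV4:
        return "ipv4", body[1]
    if ethertype == ETHERTYPE_MPLS:
        return "mpls", (struct.unpack("!I", body[:4])[0] >> 9) & 0x7
    raise ValueError("unsupported GRE payload type 0x%04x" % ethertype)


def outer_dscp(packet: bytes) -> int:
    return packet[1] >> 2


def tos_reflected(packet: bytes) -> bool:
    """Transport-side check: does the outer header carry the inner marking?"""
    kind, mark = inner_marking(packet)
    return packet[1] == mark if kind == "ipv4" else (packet[1] >> 5) == mark
```

With an EF-marked inner packet (ToS 0xB8) the plain GRE packet shows DSCP 46 on the outside; the MPLS-over-GRE packet carries EXP 5 and, under the model's mapping, DSCP 40 (CS5) on the outside, so a transport that classifies only on the outer header still prioritises it.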
Deployment Models in a Virtualized Environment
QoS is orthogonal to virtualization: the same approach should be used for a typical enterprise network design as for a virtualized network.
Aggregate Model
A common QoS strategy is used for all VRFs (i.e. same marking for voice, video, critical data, best effort)
The aggregate of all markings is applied at the WAN Agg
Prioritized VRF Model
Traffic in some VRFs is prioritized over other VRFs (i.e. Production over Guest VRF)
Typical QoS Deployment Without Network Virtualization
[Diagram: Campus and Branch 1, 2 and 3 connect over the WAN. Traffic is classified and marked at the edge (Voice, Video, Best Effort, Scavenger); on the WAN interface traffic is queued and shaped according to DSCP values.]
Typical QoS Deployment With NV – Aggregate Model
[Diagram: same topology, each site carrying a Green VRF and a Red VRF. Traffic is classified and marked at the edge in each VRF (Voice, Video, Best Effort, Scavenger); on the WAN interface traffic is aggregated across VRFs (e.g. all voice traffic is queued together) and queued and shaped according to DSCP values.]
Typical QoS Deployment With NV – Prioritized VRF
[Diagram: same topology with Green and Red VRFs. Green VRF is Guest: all of its traffic is marked as Best Effort or Scavenger, while Red VRF carries Voice, Video, Best Effort and Scavenger; on the WAN interface traffic is queued and shaped according to DSCP values.]
QoS for Virtualization – Summary
Aggregate QoS model is the simplest and most straightforward approach – Recommended
Prioritized VRF model can be used to prefer traffic originating in one VRF over another (e.g. guest access)
The same QoS approach should be used for a non-virtualized and a virtualized enterprise network design
Network Management in a Virtualized Environment

Network Mgmt Strategy for NV
Two Approaches to Managing a Multi-VRF Environment
Manage the network through the Global VRF
‒ The global VRF must be accessible to all devices that need to be managed
‒ Routers are managed normally
Create a Management VRF
‒ The Mgmt VRF must be accessible to all devices that need to be managed. Many SPs take this approach for a managed CE service.
‒ All of the mgmt services will need to be VRF aware.
VRF Aware Services
Feature          ISR  ASR1K  Cat6K  Cat4K  Cat3K  N7K
ping             Yes  Yes    Yes    Yes    Yes    Yes
traceroute       Yes  Yes    Yes    Yes    Yes    Yes
telnet           Yes  Yes    Yes    Yes    Yes    Yes
ssh              Yes  Yes    Yes    Yes    Yes    Yes
tftp/ftp         Yes  Yes    Yes    Yes    Yes    Yes
snmp             Yes  Yes    Yes    Yes    Yes    Yes
syslog           Yes  Yes    Yes    Yes    Yes    Yes
ntp              Yes  Yes    Yes    Yes    Yes    Yes
tacacs           Yes  Yes    Yes    No     No     Yes
radius           Yes  Yes    Yes    Yes    No     Yes
netflow          Yes  Yes    Yes    Yes    Yes    Yes
DNS              Yes  Yes    No     No     No     Yes
IP SLA           Yes  Yes    Yes    Yes    Yes    No
ERSPAN           No   Yes    Yes    No     No     Yes
DHCP Relay       Yes  Yes    Yes    Yes    Yes    Yes
routing-context  No   Yes    Yes    Yes    No     Yes
Legend: Yes – feature completely supported; Yes (shaded on the original slide) – feature NOT completely supported, but key functions are supported; No – feature NOT supported
Ping / Traceroute / Telnet
Ping, Traceroute and Telnet Are All VRF Aware. These commands all have keywords to operate within a VRF:
ping vrf green 10.1.1.1
traceroute vrf green 10.1.1.1
telnet 10.1.1.1 /vrf red
If an Access-Class Is Configured on the VTY:
‒ Telnet and ssh from VRFs will be denied without the vrf-also keyword
‒ With vrf-also – sessions will be allowed based on the ACL
‒ No way to have separate access classes for each VRF
line vty 0 15
access-class 10 in vrf-also
login
transport input telnet ssh
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 10.1.2.0 0.0.0.255
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes Yes Yes Yes Yes
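An added Python model (not from the deck) of the access-class rules stated above: it parses the VTY and access-list lines shown on the slide, then decides whether a telnet/ssh session from a given source address and VRF is admitted, applying the vrf-also rule before the ACL. The sample source addresses and VRF names are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# The VTY and ACL configuration from the slide.
VTY_CONFIG = """\
line vty 0 15
 access-class 10 in vrf-also
 login
 transport input telnet ssh
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 10.1.2.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
ACCESS_CLASS_RE = re.compile(r"^access-class\s+(\d+)\s+in(\s+vrf-also)?$")


def parse_acl_entry(spec: str):
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (wildcard mask) -> network.
    Only contiguous wildcards are accepted; ipaddress rejects anything else."""
    parts = spec.split()
    if parts == ["any"]:
        return ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ip_network(parts[1] + "/32")
    addr, wildcard = parts
    # ipaddress reads a mask starting with a zero octet as a hostmask (IOS wildcard semantics);
    # strict=False masks off host bits the way IOS does when it stores the entry.
    return ip_network(f"{addr}/{wildcard}", strict=False)


def parse_config(text: str) -> Tuple[Dict[str, List[tuple]], Optional[Tuple[str, bool]]]:
    """Return {acl number: [(action, network), ...]} and (acl number, vrf_also) for the VTY access-class."""
    acls: Dict[str, List[tuple]] = {}
    access_class = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), parse_acl_entry(m.group(3))))
            continue
        m = ACCESS_CLASS_RE.match(line)
        if m:
            access_class = (m.group(1), m.group(2) is not None)
    return acls, access_class


def vty_session_allowed(config: str, src_ip: str, src_vrf: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a telnet/ssh session from src_ip arriving in src_vrf (None = global table)
    passes the VTY access-class, following the rules on the slide."""
    acls, access_class = parse_config(config)
    if access_class is None:
        return True, "no access-class configured"
    acl_no, vrf_also = access_class
    if src_vrf is not None and not vrf_also:
        return False, f"session from VRF {src_vrf} denied: access-class has no vrf-also keyword"
    addr = ip_address(src_ip)
    for action, net in acls.get(acl_no, []):
        if addr in net:
            return action == "permit", f"matched '{action} {net}' in access-list {acl_no}"
    return False, f"implicit deny at the end of access-list {acl_no}"
```

Because the same ACL is evaluated for every VRF once vrf-also is present, the only lever for who may reach the VTYs from a user VRF is the content of that one access list; a management-plane design that wants, say, only the management VRF to reach the VTYs has to express that through source addresses, not per-VRF access classes.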
SSH and SCP
SSH Is VRF Aware
ssh -vrf red -l john 10.1.1.1
ip ssh source-interface loopback 252
interface loopback 252
ip vrf forwarding red
You can set the source interface inside a VRF; some SPs require a connection from a particular IP address.
SSH uses the -vrf keyword to connect through a VRF
The SSH server on the router is VRF aware to receive connections
Cat3k does not support the ssh client (CLI) but does support the server
SCP Is Not VRF Aware
router# copy scp://10.1.1.1/latest-image disk2:
You cannot use SCP to copy a file inside a VRF
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes Yes Yes Yes Yes
TFTP and FTP
TFTP and FTP Are VRF Aware
These commands do not have a VRF keyword. They operate in a VRF by setting the source interface to a VRF interface:
ip tftp source-interface loopback 1
ip ftp source-interface loopback 1
interface loopback 1
ip vrf forwarding red
router# copy tftp://10.0.89.3/latest-image disk2:
router# copy ftp://10.0.89.3/latest-image disk2:
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes Yes Yes Yes Yes
What is VRF Aware SNMP?
If a MIB Is VRF Aware Then:
SNMP gets and sets can be made to the individual VRFs
The MIB will have the ability to detect conditions for a trap inside of a VRF and look up the additional information in the VRF context
Traps will be sent to a manager located inside a VRF
snmp-server host 1.1.1.1 vrf blue
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes Yes Yes Yes Yes
VRF Aware MIBs
VRF Independent MIB
Reports info on the entire system – every VRF
MPLS-VPN MIB, CISCO-MVPN-MIB
e.g. how many VRFs are defined, names, RD and RT of those VRFs, etc.
VRF Aware MIB
Uses the Context field in the SNMP PDU to specify the VRF to access
IF-MIB, IP-FORWARD-MIB, OSPF-MIB, CISCO-EIGRP-MIB, etc.
These MIBs report the routing/forwarding info for each VRF – one at a time
Context Aware MIB
Any MIB that uses the Context field to specify another set of info
Context Aware does not necessarily mean VRF Aware
e.g. BRIDGE-MIB uses the context field to specify the bridge group
show snmp mib context
Displays Which MIBs Are Context Aware
VRF Aware and VRF Independent MIBS
Partial List of MIBs with VRF Information:
MPLS-VPN-MIB
MPLS-L3VPN-STD-MIB
MPLS-LSR-STD-MIB
MPLS-LDP-STD-MIB
IF-MIB
CISCO-PING-MIB
IP-FORWARD-MIB
IP-MIB
OSPF-MIB
CISCO-EIGRP-MIB
CISCO-CEF-MIB
CISCO-IETF-ISIS-MIB
CISCO-IPSEC-MIB
CISCO-IPSEC-FLOW-MONITOR-MIB
CISCO-MVPN-MIB
IGMP-STD-MIB
IPMROUTE-STD-MIB
CISCO-IPMROUTE-MIB
P

IM-MIB
CISCO-PIM-MIB
MSDP-MIB
VRF Independent MIBs are shown in red on the original slide (per the previous slide, these include MPLS-VPN-MIB and CISCO-MVPN-MIB)
MPLS-VPN MIB – Useful Objects
MPLS-VPN-MIB
Based on draft-ietf-ppvpn-mpls-vpn-mib-03
Available on platforms that support MPLS
MPLS-L3VPN-STD-MIB
Based on RFC 4382
Will be replacing MPLS-VPN-MIB
Key Objects in MPLS-VPN-MIB
mplsVpnConfiguredVrfs – Number of VRFs configured
mplsVpnVrfOperStatus – VRF is configured on an interface that is up
mplsVpnVrfRouteNextHop – Next hop (neighbor) for routes in the VRF
CISCO-VRF-MIB – Useful Objects
CISCO-VRF-MIB
Developed by Cisco for routers that do not have MPLS
Contains additional information for EVN – VNET Tags, etc.
Key Objects in CISCO-VRF-MIB
cvVrfName – Name of VRFs configured (blue, red, etc.)
cvVrfVnetTag – VNET Tags configured per VRF
cvVrfOperStatus – VRF is configured on an interface that is up
cvVrfRouteDistProt – IGPs that are configured per VRF (OSPF, EIGRP, etc.)
Monitoring with VRF Aware MIBs Example
Example Using SNMP v2c: an SNMP query with a community name of blue_user will return data from VRF Blue
snmp-server view mcastview pim included
snmp-server context blue_ctx
ip vrf blue
context blue_ctx
snmp-server user blue_user blue_group v2c
snmp-server group blue_group v2c context blue_ctx read mcastview write mcastview notify mcastview
snmp mib community-map blue_user context blue_ctx
snmp-server host 10.77.241.66 vrf blue version 2c blue_user pim
Monitoring with VRF Aware MIBs Example (Cont.)
Updated, simpler CLI example using an SNMP v2c community: an SNMP query with a community string of blue_comm will return data from VRF Blue
vrf definition blue
!
address-family ipv4
snmp context blue community blue_comm RW
exit-address-family
!
snmp-server host 10.1.1.1 vrf blue version 2c blue_comm
NX-OS VRF Aware MIBs Example
Example using an SNMP v2c community: an SNMP query with a community string of BLUE will return data from VRF Blue
vrf context BLUE
snmp-server community BLUE group network-operator
snmp-server context BLUE instance BLUE vrf BLUE
snmp-server mib community-map BLUE context BLUE
Syslog in a VRF
Syslog can be configured to forward to a log server in a VRF
logging host 10.1.1.1 vrf red
logging host 20.1.1.1 vrf blue
All syslogs will be sent to all log servers
The transport is VRF aware – not the content
The source address will be the address of the egress interface. The source interface cannot be set in a VRF:
router(config)#logging source-interface loopback 999
Interface Loopback999 is not in the global table
Addresses of the router egress interfaces could be entered into the host file on the server so they could be identified.
* Fix for Cat6k shipped in 12.2(33)SXJ1. Other platforms – future releases
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes Yes Yes Yes Yes
NTP in a VRF
NTP Is VRF Aware
NTP servers and peers can be in a VRF
Routers can set the source interface to be in a VRF
ntp server vrf green 10.1.1.1
ntp peer vrf green 10.1.1.1
ntp source FastEthernet5/0
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes Yes Yes Yes Yes
AAA/Tacacs/Radius in a VRF
Tacacs and Radius Servers Can Be Configured in a VRF.
Example Tacacs Config:
aaa group server tacacs+ tacacs1
server-private 10.1.1.1 port 19 key red
ip vrf forwarding red
ip tacacs source-interface Loopback0
interface Loopback0
ip address 10.0.0.2 255.0.0.0
ip vrf forwarding red
Example Radius Config:
aaa group server radius red
server-private 10.10.132.4 auth-port 1645 acct-port 1646 key ww
ip vrf forwarding red
ip radius source-interface loopback0
radius-server attribute 44 include-in-access-req vrf red
        ISR  ASR1K  Cat6K  Cat4K  Cat3K  N7K
Tacacs  Yes  Yes    Yes    No     No     Yes
Radius  Yes  Yes    Yes    Yes    No     Yes
NetFlow – VRF Aware
NetFlow is VRF independent
Flow info can be collected for interfaces in any VRF
Flows can be collected on sub-interfaces for VRF-Lite
ISR, ASR1K, N7K, 7600, Cat6K and Cat4K (Sup7-E) can export flows to the collector through a VRF
NetFlow is now supported on the Cat3K with the X-Series with the C3KX-SM-10G service module
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes Yes Yes Yes Yes
How Does NFC Correlate Flows with VRFs?
NetFlow is VRF agnostic: it collects info for any VRF
NFC uses SNMP to find out VRF membership on interfaces
[Diagram: traffic enters a NetFlow-enabled device on Fa5/1; the device sends a NetFlow export packet to the NetFlow Collector, which issues SNMP queries (IF-MIB for the interface name, MPLS-VPN MIB for the VRF info) and produces the traffic analysis report.]
NetFlow export packet fields (per flow): Source IP Address, Destination IP Address, Source Port, Destination Port, Layer 3 Protocol, TOS byte (DSCP), Input Interface – Fa5/1
Sample export record:
Src IP    Dest IP    IF Index  ...
10.2.2.2  10.20.4.2  21        ...
Traffic Analysis Report:
VRF   Input Int  Pkts   Protocol  NextHop
Red   Fa5/1      11000  11        10.0.23.2
Red   Fa5/3      2491   6         10.0.24.6
Blue  Fa2/2      2210   6         10.0.25.8
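The correlation the collector performs, as an added Python example that is neither the deck's nor NFC's code: flow records carry only the ifIndex of the input interface, so the collector joins them with IF-MIB (ifIndex to ifName) and MPLS-VPN MIB (interface to VRF) lookups and aggregates packets per VRF, input interface, protocol and next hop, giving the report shape on the slide. The records and SNMP tables are constructed; the flow on ifIndex 99 shows what the report does when the SNMP inventory is stale.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed NetFlow records as the collector receives them: only the SNMP ifIndex of the
# input interface is carried, never the VRF name.
FLOW_RECORDS = [
    {"src": "10.2.2.2", "dst": "10.20.4.2", "in_ifindex": 21, "proto": 11, "pkts": 6000, "next_hop": "10.0.23.2"},
    {"src": "10.2.2.9", "dst": "10.20.4.2", "in_ifindex": 21, "proto": 11, "pkts": 5000, "next_hop": "10.0.23.2"},
    {"src": "10.3.1.4", "dst": "10.20.9.1", "in_ifindex": 23, "proto": 6,  "pkts": 2491, "next_hop": "10.0.24.6"},
    {"src": "10.8.8.8", "dst": "10.30.1.1", "in_ifindex": 12, "proto": 6,  "pkts": 2210, "next_hop": "10.0.25.8"},
    {"src": "10.0.0.5", "dst": "10.50.1.1", "in_ifindex": 7,  "proto": 17, "pkts": 40,   "next_hop": "10.0.27.1"},
    {"src": "10.9.9.9", "dst": "10.40.1.1", "in_ifindex": 99, "proto": 1,  "pkts": 17,   "next_hop": "10.0.26.1"},
]

# Constructed SNMP poll results: IF-MIB ifName by ifIndex, and the interface-to-VRF binding
# read from the MPLS-VPN MIB. Gi1/1 is in the global table; ifIndex 99 was not returned.
IF_MIB_IFNAME = {21: "Fa5/1", 23: "Fa5/3", 12: "Fa2/2", 7: "Gi1/1"}
VRF_BY_INTERFACE = {"Fa5/1": "Red", "Fa5/3": "Red", "Fa2/2": "Blue"}


def correlate_flows(records: List[Dict], ifname_by_index: Dict[int, str],
                    vrf_by_interface: Dict[str, str]) -> List[Dict]:
    """Join flow records with the two SNMP tables and aggregate packet counts per
    (VRF, input interface, protocol, next hop). Interfaces with no VRF binding are reported
    as 'global'; an ifIndex the SNMP poll did not return is reported as 'unknown' so that a
    stale inventory shows up in the report instead of being silently dropped."""
    totals: Dict[tuple, int] = defaultdict(int)
    for rec in records:
        ifname = ifname_by_index.get(rec["in_ifindex"])
        if ifname is None:
            vrf, ifname = "unknown", f"ifIndex {rec['in_ifindex']}"
        else:
            vrf = vrf_by_interface.get(ifname, "global")
        totals[(vrf, ifname, rec["proto"], rec["next_hop"])] += rec["pkts"]
    report = [{"vrf": k[0], "input_if": k[1], "pkts": v, "proto": k[2], "next_hop": k[3]}
              for k, v in totals.items()]
    # known VRFs first (alphabetical), busiest interfaces first within a VRF, unknowns last
    report.sort(key=lambda row: (row["vrf"] == "unknown", row["vrf"], -row["pkts"]))
    return report


def report_lines(report: List[Dict]) -> List[str]:
    """Render the aggregated rows in the layout of the slide's traffic analysis report."""
    lines = ["VRF      Input Int   Pkts   Protocol  NextHop"]
    for row in report:
        lines.append(f"{row['vrf']:<8} {row['input_if']:<11} {row['pkts']:<6} "
                     f"{row['proto']:<9} {row['next_hop']}")
    return lines
```

The two 10.2.2.x flows on Fa5/1 collapse into the single Red/Fa5/1/11000 row of the slide; the ifIndex 99 row is the one to chase, since a flow the collector cannot place in a VRF is a flow that no per-VRF baseline or alert will see.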
Traditional NetFlow with Multi-VRF
ip flow ingress may be configured on the main interface or on a subinterface; it can be configured on a per subinterface/VRF basis. Below it is configured on the main interface and on the red and yellow subinterfaces:
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.0
ip flow ingress
!
interface GigabitEthernet0/0/0.101
description Subinterface for VRF red
vrf forwarding red
encapsulation dot1Q 101
ip address 1.1.1.2 255.255.255.0
ip flow ingress
!
interface GigabitEthernet0/0/0.102
description Subinterface for VRF blue
vrf forwarding blue
encapsulation dot1Q 102
ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet0/0/0.103
description Subinterface for VRF yellow
vrf forwarding yellow
encapsulation dot1Q 103
ip address 1.1.1.2 255.255.255.0
ip flow ingress
Flexible NetFlow with Multi-VRF
ip flow monitor [Monitor] [input | output] may be configured on the main interface or on a subinterface; it can be configured on a per subinterface/VRF basis:
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.0
ip flow monitor VRF-Monitor input
ip flow monitor VRF-Monitor output
!
interface GigabitEthernet0/0/0.101
description Subinterface for VRF red
vrf forwarding red
encapsulation dot1Q 101
ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet0/0/0.102
description Subinterface for VRF blue
vrf forwarding blue
encapsulation dot1Q 102
ip address 1.1.1.2 255.255.255.0
ip flow monitor VRF-Monitor input
ip flow monitor VRF-Monitor output
!
interface GigabitEthernet0/0/0.103
description Subinterface for VRF yellow
vrf forwarding yellow
encapsulation dot1Q 103
ip address 1.1.1.2 255.255.255.0
DNS
DNS Is VRF Aware
The router can perform a name lookup to a server in a VRF. The name server must be configured with the vrf keyword. The source interface can be specified if required:
ip name-server vrf green 10.1.1.1
ip domain lookup source-interface FastEthernet5/0
Static host entries can be configured inside a VRF:
ip host vrf green MAIL-SERVER 10.1.10.20
VRF aware DNS is not supported on Cat6k, Cat4k and Cat3k. Workaround: set up DNS as a shared service.
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes No No No Yes
IP SLA
IP SLA Is VRF Aware: IP SLA can measure response time inside VRFs
Starting 12.2(2)T, 12.2(33)SXH, 12.2(40)SE: ICMP echo, ICMP path echo, ICMP path jitter, UDP echo, UDP jitter
Starting 12.4(6)T: ICMP jitter
Starting 12.4(20)T, 15.1(1)T: TCP connect, FTP, HTTP, DNS
IP SLA IPv6 VRF aware – 12.4(20)T: ICMP echo, UDP echo, UDP jitter, TCP connect
ip sla 1
udp-jitter 1.1.1.2 233
vrf red
ip sla schedule 1 start-time now life forever
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes Yes Yes Yes No
ERSPAN in a VRF
ERSPAN can monitor flows in any VRF
Captures can be exported (transported) in a VRF
ASR1K cannot export through the "Mgmt VRF" but may export through any other VRF
No support for ERSPAN on Cat4K, Cat3K
Support for ERSPAN shipped on the N7K in 5.1(1)
ISR ASR1K Cat6K Cat4K Cat3K N7K
No Yes Yes No No Yes
DHCP in Multi-VRF
3 Approaches to DHCP in a Multi-VRF Environment
Separate DHCP Server for Each VRF – Recommended
‒ Each one could be a different VM on VMware
‒ Each server needs to be administered separately
‒ Supports address overlap between VRFs
Shared Server with No Address Overlap – Recommended
‒ DHCP server IP address (IP helper addr) is redistributed using BGP/Extranet, fusion router or route replication
Shared Server that Is VRF Aware
‒ Requires VRF aware DHCP relay
‒ Supports address overlap between VRFs
‒ Cisco Network Registrar v5.5 supports VPN option – Option 82
* Option 82 not supported on Cat6K today – coming in a future release
ISR ASR1K Cat6K Cat4K Cat3K N7K
Yes Yes Yes Yes Yes Yes
DHCP in Multi-VRF (Cont.)
Dedicated servers per VRF or shared servers without address overlap are configured normally:
ip helper-address 10.10.1.1
Shared servers that are VRF aware need VPN options:
ip dhcp relay information option vpn
!
interface ethernet 0/1
ip helper-address vrf red 10.44.23.7
DHCP VPN Options (Option 82) include these fields:
• VPN identifier — VRF name if configured on the interface
• Subnet selection — incoming interface subnet address
• Server identifier override — incoming interface IP address
The DHCP server must be reachable in the client VRF
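An added Python codec (not from the deck, and not Cisco Network Registrar's or IOS's code) for the option 82 fields listed above, plus a server-side scope selection keyed on VPN identifier and subnet, which is how a shared VRF-aware server keeps overlapping subnets in different VRFs apart. The sub-option codes are taken from RFCs 3046, 3527, 5107 and 6607; the page does not say which codes IOS emits for "ip dhcp relay information option vpn", so that mapping is an assumption of the example. Addresses, VRF names and pool names are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, Optional

# DHCP option 82 (Relay Agent Information, RFC 3046) and the sub-options used here. The codes
# follow the RFCs; which codes IOS uses for its vpn option is not stated on the page, so this
# numbering is an assumption of the example rather than a description of the IOS encoding.
OPT_RELAY_AGENT_INFO = 82
SUB_CIRCUIT_ID = 1            # RFC 3046
SUB_LINK_SELECTION = 5        # RFC 3527: the subnet the client sits on
SUB_SERVER_ID_OVERRIDE = 11   # RFC 5107: address the client should use as server-id (the relay's)
SUB_VSS = 151                 # RFC 6607 Virtual Subnet Selection: carries the VPN/VRF identifier
VSS_TYPE_ASCII, VSS_TYPE_GLOBAL = 0, 255


def build_option82(vrf_name: Optional[str], incoming_if: str, circuit_id: bytes = b"") -> bytes:
    """What a VRF-aware relay appends: VPN identifier, subnet selection and server-id override,
    all derived from the interface the client's request arrived on (vrf_name None = global)."""
    iface = IPv4Interface(incoming_if)
    if vrf_name is None:
        vss = bytes([VSS_TYPE_GLOBAL])
    else:
        vss = bytes([VSS_TYPE_ASCII]) + vrf_name.encode("ascii")
    subs = [(SUB_VSS, vss),
            (SUB_LINK_SELECTION, iface.network.network_address.packed),
            (SUB_SERVER_ID_OVERRIDE, iface.ip.packed)]
    if circuit_id:
        subs.insert(0, (SUB_CIRCUIT_ID, circuit_id))
    body = b"".join(struct.pack("!BB", code, len(value)) + value for code, value in subs)
    return struct.pack("!BB", OPT_RELAY_AGENT_INFO, len(body)) + body


def decode_vss(value: bytes) -> Optional[str]:
    """VSS sub-option payload -> VRF name, or None for the global/default table."""
    if not value:
        raise ValueError("empty VSS sub-option")
    if value[0] == VSS_TYPE_GLOBAL:
        return None
    if value[0] == VSS_TYPE_ASCII:
        return value[1:].decode("ascii")
    raise ValueError("unsupported VSS type %d" % value[0])


def parse_option82(data: bytes) -> Dict[str, object]:
    """Server-side decode. Every length field is checked, so a truncated or padded option
    raises instead of being misread; unknown sub-options are kept raw under 'other'."""
    if len(data) < 2 or data[0] != OPT_RELAY_AGENT_INFO or data[1] != len(data) - 2:
        raise ValueError("malformed option 82 header")
    out: Dict[str, object] = {}
    pos = 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option %d" % code)
        pos += 2 + length
        if code == SUB_VSS:
            out["vpn"] = decode_vss(value)
        elif code == SUB_LINK_SELECTION:
            out["subnet"] = str(IPv4Address(value))
        elif code == SUB_SERVER_ID_OVERRIDE:
            out["server_id"] = str(IPv4Address(value))
        elif code == SUB_CIRCUIT_ID:
            out["circuit_id"] = value
        else:
            out.setdefault("other", {})[code] = value
    return out


def select_scope(info: Dict[str, object], scopes: Dict[tuple, str]) -> Optional[str]:
    """Pick a pool by (vpn, subnet): two VRFs may carry the same subnet and still get distinct pools."""
    return scopes.get((info.get("vpn"), info.get("subnet")))
```

The same 10.1.10.0/24 arriving with VPN identifier "red" and with "blue" selects different pools, which is the address-overlap case the slide attributes to the VRF-aware shared server; a relay that does not insert the VPN identifier falls through to the global entry.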
Network Mgmt Summary
The global or a Mgmt VRF can be used to access and manage the router
If you use a Mgmt VRF – need to make sure that all the services are VRF aware on your platform/version
Many services just work by setting the source interface. Others require specifying the VRF in the CLI command

Present and Future Services for Network Virtualization: WAN Design Options
WAN Options for EVN
[Diagram: five WAN options, each carrying the campus EVN (Yellow, Green and Red VRFs) between two EVN sites with eBGP toward the provider: MPLS-VPN; Multi-VRF over an IP service; L3VPNoMGRE with MP-BGP over an IP service; LISP over an IP service; and DMVPN with encryption over an IP service. The provider-facing side of the IP-service options is labelled "Single VRF".]
Extending EVN over the WAN – Leverage MPLS-VPN for EVN Extension
On the MPLS "PE", apply the 'vnet tag' under the "vrf definition"
This connects the campus VNET with the MPLS VRF and is handled as normal VRF forwarding
!
vrf definition red
vnet tag 10
rd 1:1
route-target export 1:1
route-target import 1:1
!
address-family ipv4
exit-address-family
!
VNET tag applied under the "vrf definition"
Normal 'rd' and 'route-target' applied in the MPLS VPN case
Injects routes from the VNET trunk into the VRF, allowing any VRF-over-WAN solution to be applied using VNET
[Diagram: R1 – OSPF – R2 (MPLS VPN + VNET) across the MPLS WAN to R3 – OSPF – R4; a VNET trunk (VNET tag = 10) on E1/0 and E0/0, with the BGP update carried across the WAN.]
Multi-VRF Across IP Based WAN
Customer is able to multiplex 3 VRFs across 1 VRF from the provider
– Provider transparency
– Provider independent
[Diagram: three customer sites (CE1, CE2, CE3), each with Yellow, Green and Red VRFs, connect to provider PEs (PE1, PE2, PE3); the provider's MPLS VPN carries all of them inside one VRF, Blue. Loopbacks L0 10.2.1.1 and L0 10.2.1.2 are shown on two of the CEs.]
MPLS VPNs over mGRE (a.k.a. L3VPNoMGRE)
No LDP or NHRP required
BGP replaces LDP and NHRP
Allows MPLS-VPN over GRE without manual GRE tunnel configuration
Leverages multipoint GRE (mGRE); the tunnel is not connection oriented
mGRE is a multipoint unidirectional GRE tunnel
Support for multicast is mVPN
Requires BGP config on E-PE routers
[Diagram: an enterprise MPLS campus/MAN with a Campus-PE and route reflectors (RR); E-PE routers at the remote branches connect over the IP service with mGRE tunnels (spoke to spoke); branch LANs attach over 802.1q trunks on the physical cable; packets on the WAN carry the VPNv4 label over GRE encapsulation.]
MPLS VPN over Multipoint GRE (mGRE) Control Plane
[Diagram: a branch-site E-PE peers eBGP with the SP cloud (AS 1, neighbor 172.16.1.1) and runs iBGP over mGRE to the RR / E-PE in the MPLS campus/MAN (AS 65000).]
interface Loopback0
ip address 10.100.1.201 255.255.255.255
router bgp 65000
no bgp default ipv4-unicast
bgp log-neighbor-changes
! iBGP peer for MP-BGP (VPNv4)
neighbor 10.100.1.204 remote-as 65000
neighbor 10.100.1.204 update-source Loopback0
! eBGP peer to SP
neighbor 172.16.1.1 remote-as 1
neighbor 172.16.1.1 update-source Ethernet0/0
!
! address family for eBGP to SP
address-family ipv4
no synchronization
redistribute connected metric 1
neighbor 172.16.1.1 activate
no auto-summary
exit-address-family
!
! address family for MPLS-VPN over IP (iBGP)
address-family vpnv4
neighbor 10.100.1.204 activate
neighbor 10.100.1.204 send-community both
neighbor 10.100.1.204 route-map mgre_v4 in
exit-address-family
VRF-Lite over GRE
One tunnel per VRF
IGP neighbor maintained end-to-end
GRE tunnel could be across an arbitrary cloud, e.g. CE-to-CE
Can transport EVN traffic in the campus over the WAN
[Diagram: vrf-router-a and vrf-router-b joined by Tunnel1, Tunnel2 and Tunnel3 (one per VRF) with tunnel addresses 11.1.1.1/11.1.1.2, 11.2.1.1/11.2.1.2 and 11.3.1.1/11.3.1.2, sourced from 126.101.1.1/126.101.1.2, 126.102.1.1/126.102.1.2 and 126.103.1.1/126.103.1.2; each tunnel carries IP inside GRE inside IP.]
interface Loopback101
ip address 126.101.1.1 255.255.255.0
!
interface Loopback102
ip address 126.102.1.1 255.255.255.0
!
interface Loopback103
ip address 126.103.1.1 255.255.255.0
interface Tunnel1
ip vrf forwarding red
ip address 11.1.1.1 255.255.255.0
tunnel source Loopback101
tunnel destination 126.101.1.2
!
interface Tunnel2
ip vrf forwarding green
ip address 11.2.1.1 255.255.255.0
tunnel source Loopback102
tunnel destination 126.102.1.2
!
interface Tunnel3
ip vrf forwarding yellow
ip address 11.3.1.1 255.255.255.0
tunnel source Loopback103
tunnel destination 126.103.1.2
EVN over DMVPN – Multi-VRF Transported over Several NHRP Domains
[Diagram: a Hub and Branch 1, Branch 2 and Branch 3, each carrying Yellow, Green and Red VRFs, connected hub-to-spoke by mGRE tunnels, one NHRP domain per VRF.]
Hub Configuration
vrf definition Red
!
interface Loopback0
ip address 10.126.100.1 255.255.255.255
!
interface Tunnel0
description mGRE for Red
vrf forwarding Red
ip address 11.1.1.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 100
tunnel source Loopback0
tunnel mode gre multipoint
vrf definition Green
!
interface Loopback1
ip address 10.126.101.1 255.255.255.255
!
interface Tunnel1
description mGRE for Green
vrf forwarding Green
ip address 11.1.2.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 101
tunnel source Loopback1
tunnel mode gre multipoint
vrf definition Yellow
!
interface Loopback2
ip address 10.126.102.1 255.255.255.255
!
interface Tunnel2
description mGRE for Yellow
vrf forwarding Yellow
ip address 11.1.3.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 102
tunnel source Loopback2
tunnel mode gre multipoint
Spoke Configuration
vrf definition Red
!
interface Loopback0
ip address 10.123.100.1 255.255.255.255
!
interface Tunnel0
description GRE to hub
vrf forwarding Red
ip address 11.1.1.10 255.255.255.0
ip nhrp network-id 100
ip nhrp nhs 11.1.1.1
tunnel source Loopback0
tunnel destination 10.126.100.1
!
interface Vlan10
description Red Subnet
vrf forwarding Red
ip address 11.1.100.1 255.255.255.0
vrf definition Green
!
interface Loopback1
ip address 10.123.101.1 255.255.255.255
!
interface Tunnel1
description GRE to hub
vrf forwarding Green
ip address 11.1.2.10 255.255.255.0
ip nhrp network-id 101
ip nhrp nhs 11.1.2.1
tunnel source Loopback1
tunnel destination 10.126.101.1
!
interface Vlan11
description Green Subnet
vrf forwarding Green
ip address 11.1.101.1 255.255.255.0
vrf definition Yellow
!
interface Loopback2
ip address 10.123.102.1 255.255.255.255
!
interface Tunnel2
description GRE to hub
vrf forwarding Yellow
ip address 11.1.3.10 255.255.255.0
ip nhrp network-id 102
ip nhrp nhs 11.1.3.1
tunnel source Loopback2
tunnel destination 10.126.102.1
!
interface Vlan12
description Yellow Subnet
vrf forwarding Yellow
ip address 11.1.102.1 255.255.255.0
EVN over LISP – Location/ID Separation Protocol
[Diagram: the Corp Campus and two Branch Sites, each an EVN with Green, Red and Blue VRFs, connect through LISP xTRs across the SP cloud (IP service); LISP carries all VRFs across the provider.]
• LISP can be used to multiplex several VRFs across a Provider IP Service
• LISP will encapsulate the traffic across the provider and internal IP addresses will be hidden from the provider
• LISP is a compatible WAN solution with EVN in the campus
router lisp
eid-table vrf default instance-id 0
exit
!
eid-table vrf Red instance-id 101
...
exit
!
eid-table vrf Green instance-id 102
...
exit
!
eid-table vrf Blue instance-id 103
...
exit
!
© 2012 Cisco and/or its affiliates. All rights reserved. BRKVIR-2009 Cisco Public
EVN - Easy Virtual Network Roadmap

Platform           Release                      FCS Date
ASR1K              IOS XE 3.2S                  Nov 2010
Cat6K – Sup2T      15.0(1)SY1                   March 2012
Cat4K              15.1(1)SG / IOS XE 3.3.0SG   April 2012
Cat6K – Sup720*    Roadmap                      Future
Cat3K-X            Roadmap                      Future
ISR-G2             Roadmap                      Future
Nexus 7K           Roadmap                      Future

Cat4K release/platforms: 15.1(1)SG: Sup6-E, Sup6L-E, 4900M, 4948E, 4940E-F; IOS XE 3.3.0SG: Sup7-E, Sup7L-E, 4500-X.
* Sup720 will not support VNET Trunk.

“Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.”
More Info
Other Sessions:
BRKCRS-2033 Deploying a Virtualized Campus Network Infrastructure
– Ray Blair
BRKRST-2045 Network Virtualization Design Concepts over the WAN
– Craig Hill
Mailing List: [email protected]
WWW http://www.cisco.com/go/evn
Network Virtualization Questions?
Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI