Present and Future Services for Network Virtualizationd2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKVIR-2009.pdf · Present and Future Services for Network Virtualization ... BRKCRS-2033

© 2012 Cisco and/or its affiliates. All rights reserved. BRKVIR-2009 Cisco Public

Present and Future Services

for Network Virtualization BRKVIR-2009

2


More Info

3

Andy Kessler

[email protected]

Other Sessions:

BRKCRS-2033 Deploying a Virtualized Campus Network Infrastructure

– Ray Blair

BRKRST-2045 Network Virtualization Design Concepts over the WAN

– Craig Hill

BRKVIR-2008 Experiences From Delivering End to End Cloud IaaS

– Koren Lev

Mailing List:

[email protected]

mailto:[email protected]

mailto:[email protected]


Agenda

Network Virtualization

VRF-Lite Review

Easy Virtual Network (EVN)

IP Multicast Virtualization

Multicast with Multi-VRF

Multicast VPNs

Shared Services

Unprotected Services – Extranet

Route Replication

QoS and Virtual Networks

Network Management in a

Virtualized Environment

NV Architectures

4


Virtual Network

Merged New Company

What is “Network” Virtualization?

Giving One physical network the ability to support multiple virtual networks

End-user perspective is that of being connected to a dedicated network (security, independent set of policies, routing decisions…)

Maintains Hierarchy, Virtualizes devices, data paths, and services

Allows for better utilization of network resources

Actual Physical Infrastructure

Internal Organizational Separation (eng, sales)

Virtual Network Virtual Network

Guest Access Network

5


Network Virtualization Benefits

Groups and services are logically separated

Guest/partner access - wireless

Physical Security – video surveillance, card key access

Mergers and Acquisitions

Airports – Airlines, Security, Guest networks, Shopping Malls

Regulation

Health Care – HIPAA

Financial – Sarbanes-Oxley

Credit Card Transactions – PCI compliance

6


Enterprise Network Design

Distribution Blocks

SiSiSiSiSiSiSiSi

SiSi

SiSi SiSi

SiSi

Internet

Data Center 2

WAN

Campus

Yellow VRF

Green VRF

Red VRF

Branch 1

Branch 2

Branch 3

Data Center 1

Building 1 Building 2

Yellow VRF

Green VRF

Red VRF

Yellow VRF

Green VRF

Red VRF

7


Network Virtualization Transport and Payload

Transport Payload Feature Names

Ethernet Layer 3 VRF-Lite (Campus)

Easy Virtual Network (EVN)

MPLS Layer 2

AToM (EoMPLS)

VPLS

Layer 3 MPLS-VPN

IP

Layer 2 OTV

VPLSoGRE

Layer 3 VRF-Lite over mGRE

MPLS-VPN over mGRE

8


MPLS-VPN Overview MPLS-VPN Service

Allows an SP to offer a L3 IP service to many customers on a common core

Traffic from each customer is encapsulated in MPLS and delivered between PE/CEs

Each customer has their own IP address domain – supports overlap

Blue

CE2

CE3

Blue CE1

PE1

PE2

Provider Net

Blue

MPLS VPN

Red

CE

Red

CE

PE4

eBGP

PE3

eBGP

eBGP

eBGP

eBGP

9


VRF

VRF

Global

Path Isolation

Functional Components

VRF: Virtual Routing and Forwarding

Per VRF: Virtual Routing Table

Virtual Forwarding Table

IP

802.1q

10

Device virtualization

Control plane virtualization

Data plane virtualization

Services virtualization

Data path virtualization

Hop-by-Hop (VRF-Lite End-to-End)

Multi-Hop

(VRF-Lite+GRE, MPLS-VPN)


Evolution of VRFs – Easy Virtual Network

11

MPLS-VPN

VRFs VRF-Lite Easy Virtual Network

VRFs were born from MPLS-VPN

VRFs grew into adolescence with VRF-Lite

EVN brings VRFs into maturity

http://www.thekesslers.com/family/ben/02/ben-blue-2.html


Easy Virtual Network Summary

LAN Trunks

Significant configuration simplification

VRFs are pre-provisioned on Trunk

Route Replication

IGP based Shared Services

BGP not required

Enhanced Troubleshooting and Usability

routing-context, traceroute, debug condition, cisco-vrf-mib

VRF VRF

Global

VRF VRF

Global

802.1Q

Available on ASR1K, Cat6500 and Cat4500

today, planned for more platforms 12

VRF-Lite Review


VRF-Lite – Interface Config Example

VRF-Lite Subinterface Config ip vrf red

!

ip vrf green

!

interface TenGigabitEthernet1/1

ip address 10.122.5.1 255.255.255.252

ip pim query-interval 1

ip pim sparse-mode

!

interface TenGigabitEthernet1/1.101

description Subinterface for Red VRF

encapsulation dot1Q 101

ip vrf forwarding red

ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode

!


description Subinterface for green VRF


ip vrf forwarding green

ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode

ip vrf red

!

ip vrf green

!


ip address 10.122.5.2 255.255.255.252


ip pim sparse-mode

!


description Subinterface for red VRF



ip address 10.122.5.2 255.255.255.252


ip pim sparse-mode

!


description Subinterface for green VRF



ip address 10.122.5.2 255.255.255.252


ip pim sparse-mode

14


VRF Global

Red and Green Traffic Are Tagged with 802.1Q VLAN 101 and 102

IP Data Packet IGP Update

IP Data Packet IGP Update

IP Data Payload VLAN ID 101 IGP Update VLAN ID 101

IGP Update VLAN ID 101 IP Data Payload VLAN ID 101

VRF Red

IGP Update VLAN ID 102 IP Data Payload VLAN ID 102

IP Data Payload VLAN ID 102 IGP Update VLAN ID 102

VRF Green

VRF Global

VRF Green

VRF Red

Global Traffic Is UnTagged

VRF-Lite Packet Flows

15


VRF-Lite – Routing Protocol Example

OSPF Example

router ospf 1

network 10.0.0.0 0.255.255.255 area 0

passive-interface default

no passive-interface vlan 2000

!

router ospf 100 vrf green

network 11.0.0.0 0.255.255.255 area 0


!

router ospf 200 vrf red

network 12.0.0.0 0.255.255.255 area 0


router eigrp 100

network 10.0.0.0 0.255.255.255

passive-interface default


no auto-summary

!

address-family ipv4 vrf green autonomous-system 100

network 11.0.0.0 0.255.255.255

no auto-summary

exit-address-family

!

address-family ipv4 vrf red autonomous-system 100

network 12.0.0.0 0.255.255.255

no auto-summary

exit-address-family

EIGRP Example

16


VRF-Lite End-to-End

How Does It Work?

17

VLAN 10 VLAN 20

VLAN 11 VLAN 21

VLAN 12 VLAN 22

VLAN 13 VLAN 23

VLAN 15 VLAN 25

VLAN 14 VLAN 24

IGPs

Traffic is now carried end-to-end across the network maintaining logical isolation between the defined groups

VRFs need to be defined on each L3 device,

Map the VLANs to a VRF

Create L2 VLANs at the edge of the network

and trunk them to the first L3 device

Trunks need to be configured to carry each

of the VRFs

Create sub-interfaces and map them to the correct VRF

IGPs are configured for each VRF on each

L3 device

VLAN 16 VLAN 26

Easy Virtual Network

LAN Trunks


Multi-AF VRF Structure

Old VRF CLI only applies to IPv4 Address Family

ip vrf blue

New VRF CLI allows multiple address families under same VRF – multi-protocol VRF

vrf definition blue

Policies for the VRF can apply to IPv4 and IPv6 VPNs

at the same time – routing tables are still different

Supported in 12.2(33)SB and 15.0(1)M

19


Multi-AF VRF Structure

Existing IPv4 VRFs Will Need to Be Converted to

Multi-AF VRFs to Support IPv6

router(config)# vrf upgrade-cli multi-af-mode common-policies

ip vrf blue

rd 2:2

route-target export 2:2

route-target import 2:2

!

interface Ethernet0

ip vrf forwarding blue

ip address 11.1.1.1 255.255.0.0

vrf definition blue

rd 2:2



!

address-family ipv4

exit-address-family

!

interface Ethernet0

vrf forwarding blue

ip address 11.1.1.1 255.255.0.0

Converts Existing Config

20


Easy Virtual Network - End-to-End

How Does It Work?

21

VLAN 10 VLAN 20

VLAN 11 VLAN 21

VLAN 12 VLAN 22

VLAN 13 VLAN 23

VLAN 15 VLAN 25

VLAN 14 VLAN 24

IGPs

Trunks are Pre-Provisioned for new VRFs !!!! When you add a new VRF you don’t have to configure a new sub-interface. It is automatically done by the VNET Trunk.

VRFs need to be defined on each L3 device,

Map the VLANs to a VRF

Create L2 VLANs at the edge of the network

and trunk them to the first L3 device

Configure a VNET Trunk on each of the physical core interfaces. Uses the same 802.1Q tag

IGPs are configured for each VRF on each

L3 device

VLAN 16 VLAN 26


VRF-Lite and VNET Trunk Compatibility

22

VRF-Lite Subinterface Config VNET Trunk Config interface TenGigabitEthernet1/1

ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode





ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode


description Subinterface for Green VRF



ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode


vnet trunk

ip address 10.122.5.2 255.255.255.252


ip pim sparse-mode

Global Config: vrf definition red

vnet tag 101

vrf definition green

vnet tag 102

Both routers have VRFs defined EVN router has VNET Tags


VRF Integration with L2 Edge Multitier Deployment

23

Campus Core

Layer 2 Trunks

VLAN 21 Red

VLAN 22 Green

VLAN 23 Blue

VLAN 31 Red

VLAN 32 Green

VLAN 33 Blue

g1/0

g1/1 interface vlan 21

vrf forwarding red

interface vlan 22

vrf forwarding green

interface vlan 23

vrf forwarding blue

interface vlan 31

vrf forwarding red

interface vlan 32


interface vlan 33

vrf forwarding blue

SiSi SiSiLayer 3

Layer 2

vrf definition red

vnet tag 101


vnet tag 102

vrf definition blue

vnet tag 103

interface g1/0

vnet trunk


EVN - show derived-config

24

Normal show run show derived-config Router# show derived-config

. . .

interface Ethernet1/0

vnet trunk

ip address 10.122.6.11 255.255.255.0

ip pim sparse-mode

!

interface Ethernet1/0.101

description Subinterface for VNET red

vrf forwarding red


ip address 10.122.6.11 255.255.255.0

ip pim sparse-mode

!

interface Ethernet1/0.102

description Subinterface for VNET green



ip address 10.122.6.11 255.255.255.0

ip pim sparse-mode

. . .

Router# show run

. . .


vnet trunk

ip address 10.122.6.11 255.255.255.0

ip pim sparse-mode

. . .


EVN - show ip int brief

25

show ip int brief - Displays All Subinterfaces

vrf definition red

vnet tag 101


vnet tag 102

!


vnet trunk

ip address 10.1.95.1 255.255.255.0

!


vnet trunk

ip address 10.1.96.1 255.255.255.0

Router# show ip int brief Interface IP-Address OK? Method Status Protocol

Ethernet1/0 10.1.95.1 YES NVRAM up up

Ethernet1/0.101 10.1.95.1 YES NVRAM up up


.

Ethernet2/0 10.1.96.1 YES NVRAM up up




EVN - show vnet, show vnet int

26

show vnet int - Info sorted by int, status, ip address

Router#show vnet

Name Tag Protocols Interfaces

red 101 ipv4 Gi0/0/0.101

Gi0/0/3.101

blue 102 ipv4 Gi0/0/0.102

Gi0/0/3.102

Green 103 ipv4 Gi0/0/0.103

es1-asr-w8#show vnet int

Interface State VNET Tag IP-Address

Gi0/0/0.101 Up red 101 1.1.1.1

Gi0/0/0.102 Up blue 102 1.1.1.1

Gi0/0/0.103 Up green 103 1.1.1.1

Gi0/0/3.101 Up red 101 1.1.2.2

Gi0/0/3.102 Up blue 102 1.1.2.2

Gi0/0/3.103 Up green 103 1.1.2.2

VRF VRF

Global

show vnet - VRF names, Tags, Sub intf


VNET Trunk – Overriding Inheritance

27

VRF-Lite Subinterface Config VNET Trunk Config interface TenGigabitEthernet1/1

ip address 10.122.5.1 255.255.255.252

ip ospf cost 20

ip pim sparse-mode





ip address 10.122.5.1 255.255.255.252

ip ospf cost 20

ip pim sparse-mode


description Subinterface for Green VRF



ip address 10.122.5.1 255.255.255.252

ip ospf cost 30


vnet trunk

ip address 10.122.5.2 255.255.255.252

ip ospf cost 20

ip pim sparse-mode

vnet name green

no ip pim sparse-mode

ip ospf cost 30

Global Config: vrf definition red

vnet tag 101


vnet tag 102

Specific Interface Commands Can Be Overridden on a per VRF Basis


R2

R3

Yellow VRF

Green VRF

Red VRF

Green VRF

Red VRF

Yellow VRF

Red VRF

R1

R6

R4 R5

R7

vrf list group-a

member red

member yellow

interface g1/0

vnet trunk vrf-list group-a

vrf list group-b

member red

member green

interface g2/0

vnet trunk vrf-list group-b Group B

Group A

VRF Lists Can Filter Traffic Carried over VNET Trunks

VRF List Specify VRFs Carried on Trunks

28


VRF Simplification - Trunk Advantage

29

Virtual

Networks Neighbors

VRF

Subinterfaces

VNET

Trunks

4 4 16 4

10 4 40 4

20 4 80 4

30 4 120 4

VRF-Lite Requires 1 Point-to-Point Subinterface Configuration per VRF per Physical Interface VNET Trunks Requires 1 Point-to-Point Trunk Configuration per Physical Interface

VRF-Lite Subinterfaces VNET Trunks interface TenGigabitEthernet1/1.101

description 10GE to core 3



ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode





ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode



vnet trunk

ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode

1 Point-to-Point Subinterface Configuration, per VRF per Physical Interfaces

1 Point-to-Point Trunk Configuration per Physical Interface

Easy Virtual Network Enhanced Troubleshooting and Usability


Routing Context – IOS

31

Router# routing-context vrf red

Router%red#

Router%red# show ip route

Routing table output for red

Router%red# ping 10.1.1.1

Ping result using VRF red

Router%red# telnet 10.1.1.1

Telnet to 10.1.1.1 in VRF red

Router%red# traceroute 10.1.1.1

Traceroute output in VRF red

Router# show ip route vrf red

Routing table output for red

Router# ping vrf red 10.1.1.1

Ping result using VRF red

Router# telnet 10.1.1.1 /vrf red

Telnet to 10.1.1.1 in VRF red

Router# traceroute vrf red 10.1.1.1

Traceroute output in VRF red

Routing Context IOS CLI


VRF Aware show run

32

router# show run vrf green


!

address-family ipv4

exit-address-family

!

interface GigabitEthernet0/1


ip address 11.2.2.1 255.255.255.0

!

interface Tunnel2


ip address 11.2.1.1 255.255.255.0

tunnel source Loopback101

tunnel destination 126.101.1.2

!

router eigrp 100

!

address-family ipv4 vrf green

network 11.2.0.0 0.0.255.255

autonomous-system 102

exit-address-family

!

Displays VRF Configuration Info for:

VRF Definitions

Interfaces in VRFs

Protocol configs for Multi-VRF


EVN - VRF Verification – Operator Interface

33

Router%Red# trace 10.1.3.1

Tracing the route to 125.0.10.12

VRF info: (vrf in name/id, vrf out name/id)

1 10.1.1.2 (red/1001, red/1001)

2 10.2.1.2 (red/1001, red/1001)

Router%Red# trace 10.1.2.1

Tracing the route to 125.0.10.12

VRF info: (vrf in name/id, vrf out name/id)

1 10.1.1.2 (red/1001, red/1001)

2 10.2.1.2 (red/1001, green/1002)

3 10.2.2.2 (green/1002, green/1002)

4 * * *

• Improved CLI for VRF-aware SNMP

• New CISCO-VRF-MIB for VRF discovery and management

R2# debug condition vrf red

R2# debug condition vrf blue

R2# debug ip ospf hello

R2# debug ip ospf spf

Display Debug Output for Configured VRF

VRF Traceroute

VRF Instrumentation VRF-Aware Debug

Multicast in a Multi-VRF

Environment


VRF-Lite End-to-End

Simplest design choice is leveraging in

each VRF the same multicast configuration

already in place in global table

‒ PIM mode, RP placement, RP advertisement

protocol

Simple deployment when multicast source

and receivers are part of the same VRF

‒ Alternative is to deploy the multicast source as

a shared resource (Shared Services)

Multicast VRF functionality supported

across all Catalyst platforms

‒ Support for Catalyst 4000 family limited to

Sup6E supervisors (modular) or 4900M models

(12.2(50)SG IOS release)

Multicast

35


VRF-Lite End-to-End

36

2. Configure the RP in the VRF using Anycast RP

1. Enable multicast routing globally and on each L3 interface

ip multicast-routing

!


description 10GE to core (Global)

ip pim sparse-mode

ip multicast-routing vrf red

!


description 10GE to core (VRF red)


ip pim sparse-mode

interface Loopback0

description Anycast RP Global

ip address 10.122.5.200 255.255.255.255

ip pim sparse-mode

!

interface Loopback1

description MSDP Peering interface

ip address 10.122.5.250 255.255.255.255

ip pim sparse-mode

!

ip msdp peer 10.122.5.251 connect-source loopback 1

ip msdp originator-id loopback 1

!

ip pim rp-address 10.122.5.200

access-list 10 permit 239.0.0.0 0.255.255.255

Global Table VRF Red

Example valid config for PIM Sparse Mode Deployment, Leveraging Anycast RP for RP Redundancy

interface Loopback10

description Anycast RP VRF red


ip address 10.122.15.200 255.255.255.255

ip pim sparse-mode

!


description MSDP Peering interface VRF red


ip address 10.122.15.250 255.255.255.255

ip pim sparse-mode

!

ip msdp vrf red peer 10.122.15.251 connect-source loopback 11

ip msdp vrf red originator-id loopback 11

!

ip pim vrf red rp-address 10.122.15.200


VRF Red Global Table

Multicast VPNs


Enterprise Network Design

Distribution Blocks

SiSiSiSiSiSiSiSi

SiSi

SiSi SiSi

SiSi

Internet

Data Center 2

WAN

Campus

Yellow VRF

Green VRF

Red VRF

Branch 1

Branch 2

Branch 3

Data Center 1

Building 1 Building 2

Yellow VRF

Green VRF

Red VRF

Yellow VRF

Green VRF

Red VRF

MPLS-VPN in Campus Core or WAN

38


MVPN - Cisco’s Implementation

Multicast not supported with MPLS-VPN (in RFC2547,RFC4364)

Cisco‘s implementation is based on IETF draft:

‒ Multicast in MPLS/BGP IP VPNs

‒ draft-ietf-l3vpn-2547bis-mcast-07

‒ Provider builds independent multicast network in the core

‒ All customer multicast traffic is encapsulated and multicast across Provider

Network

‒ Separate multicast group used in Provider Network for each customer VPN

(Default MDT / MI-PMSI)

Provider multicast address space independent of customer address space.

Avoids overlap of customers‘ multicast addresses

39


MPLS Core

PE

PE

PE

PE

Join High Bandwidth Source

Join High Bandwidth Source

MPLS VPN and Multicast Concept and Fundamentals

40

First step is to enable multicast in the Campus core

No difference from a normal multicast deployment

High Bandwidth Multicast Source

Receiver 1

Receiver 2

Default MDT

For Low Bandwidth &

Control Traffic Only

Data MDT

For High Bandwidth Traffic Only

ip multicast-routing vrf red ! ip vrf red rd 3:3 mdt default 232.0.0.1 mdt data 232.0.1.0 0.0.0.255 threshold 500

A default MDT for each VRF is established between PEs

A High-bandwidth source for that customer starts sending traffic

Interested receivers 1 & 2 join that High Bandwidth source

Data-MDT is formed between PEs

for this High-Bandwidth source

Shared Services


Shared Services

42

Services That You Don‘t Want to Duplicate:

Internet Gateway

Firewall and NAT - DMZ

DNS

DHCP

Corporate Communications - Hosted Content

Requires IP Connectivity Between VRFs

This Is Usually Accomplished Through Some Type of Extranet Capability or Fusion Router/FW

Best Methods for Shared Services

Fusion Router/FW – Internet Gateway, NAT/DMZ

Extranet – DNS, DHCP, Corp Communications


Sharing Services

Traffic leaving a specific virtual network

is steered to the services edge

Deployment of a fusion router in the

services edge to provide:

‒ Inter-VPN connectivity

‒ Protected access to shared resources

Positioning of a firewall front-ending each VPN

‒ VPN isolation/protection

‒ Application of per VPN policies

‒ Leverage the multi-context functionality

available with Cisco FWSM, PIX, and ASA

Routing between VRFs and Fusion Router depends on

the FW mode of operation

‒ FW in Transparent Mode IGP or eBGP

‒ FW in Routed Mode Static Routing or eBGP

Protected Services

43


Sharing Services

Provides access to services without

requiring traffic to be enforced through

the firewall front-ending each VPN

Useful for sharing specific services

(DHCP and DNS servers, for example)

‒ Services commonly deployed in a dedicated

Shared VPN

‒ Not recommended to provide inter-VPN

communication

Leverage the BGP route-target

mechanism for route leaking

‒ No support for overlapping IP addresses

across VPNs

Route Import/Export Between VRFs

44


Unprotected Services - Extranet

Usually utilized in conjunction with

the use of MPLS VPN as path

isolation strategy

‒ Requires the deployment of MP-BGP to exchange

VPN routes between devices

Leverage MP-BGP ―route-target‖ attribute to

determine the type of connectivity achieved

‒ Hub-and-spoke is usually deployed to provide

access to shared services

Route leaking is performed on the PE

devices receiving BGP updates

No routes exchanged between

―Red‖ and ―Green‖

‒ Red and Green devices remain isolated

from each other

Multi-Device Deployment

45

SiSi

SiSi SiSi

MP-BGP MP-BGP

PE2 PE3

PE1

PC Red PC Green

Shared Server

MP-BGP


Unprotected Services - Extranet Configuration

46

ip vrf Shared

rd 3:3




ip vrf Red

rd 1:1



SiSi

SiSi SiSi

MP-BGP MP-BGP

PE2 PE3

PE1

PC Red PC Green

Shared Server

ip vrf Green

rd 2:2



MP-BGP


Unprotected Services - Extranet Verification

47

SiSi

SiSi SiSi

MP-BGP MP-BGP

PE2 PE3

PE1

PC Red

10.137.12.0/24

PC Green

10.137.22.0/24

Shared Subnet

10.138.32.0/24

PE2#sh ip route vrf Red 10.138.32.0

Routing entry for 10.138.32.0/24

Known via "bgp 100", distance 200, metric 0

Last update from 192.168.100.100 00:29:47 ago

<snip>

PE2#sh ip route vrf Red 10.137.22.0

% Subnet not in table

PE3#sh ip route vrf Green 10.138.32.0




<snip>

PE3#sh ip route vrf Green 10.137.12.0


Shared Server

PE1#sh ip route vrf Shared 10.137.12.0




<snip>

PE1#sh ip route vrf Shared 10.137.22.0




<snip>

MP-BGP


Unprotected Services - Extranet

Applicable to VRF-Lite End-to-End

scenarios

‒ Configuration of a local BGP process to enable

the route import/export mechanism

‒ No BGP neighbor relationships are established

since BGP is required only on the local device

―Shared‖ routes locally imported/exported

to ―Red‖ and ―Green‖ VRFs

‒ The ―Shared‖ routes locally leaked into the

―Red‖ and ―Green‖ VRFs can be advertised to

other devices via the IGP running in the context

of each VRF

Red and Green devices can reach the

Shared server but remain isolated from

each other

Single Device Deployment

48

SiSi

SiSi SiSi

IGP IGP

PC Red PC Green

R1

R2 R3

Local Route Leaking (BGP)

Shared Server


ip vrf Red

rd 100:100



!

ip vrf Green

rd 200:200



!

ip vrf Shared

rd 300:300




router bgp 100

!

address-family ipv4 vrf Red

redistribute eigrp 100

no synchronization

exit-address-family

!

address-family ipv4 vrf Green

redistribute eigrp 100

no synchronization

exit-address-family

!

address-family ipv4 vrf Shared

redistribute connected

no synchronization

exit-address-family

router eigrp 100

!

address-family ipv4 vrf Red

redistribute bgp 100 metric 100000 1 255 1 1500

network 10.0.0.0

no auto-summary


exit-address-family

!

address-family ipv4 vrf Green

redistribute bgp 100 metric 100000 1 255 1 1500

network 10.0.0.0

no auto-summary


exit-address-family

Unprotected Services - Extranet Configuration

49


Unprotected Services - Extranet Verification

50

PC Red

10.137.12.0/24

PC Green

10.137.22.0/24

Shared Subnet

10.138.32.0/24

SiSi

SiSi SiSi

IGP IGP

R1

R2 R3

Local Route Leaking (BGP)

R1#sh ip route vrf Red 10.138.32.0



Redistributing via eigrp 100, bgp 100

Routing Descriptor Blocks:

* directly connected, via Vlan32

<snip>

R1#sh ip route vrf Green 10.138.32.0



Redistributing via eigrp 100, bgp 100


* directly connected, via Vlan32

<snip>



Known via "eigrp 100", distance 90, metric 3840

<snip>





Known via "eigrp 100", distance 90, metric 3840

<snip>



Shared Server


Route Import - GlobalVRF / VRFGlobal

51

VRF to VRF – No issues

Global to/from VRF - Import/Export

Static routes can be used

import map <route-map> / export map <route-map>

Limited to 5 VRFs, 1000 routes per VRF

Route Replication will add this functionality

Recommended approach

– Put services in VRF and leak routes

– Or use route-replication


VRF Simplification - Shared Services

52

Before: Sharing Services in Existing Technologies

Route-Replication Advantage: • No BGP required • No Route Distinguisher required • No Route Targets required • No Import/Export required • Simple Deployment • Supports both Unicast/Mcast

vrf definition SHARED

address-family ipv4

route-replicate from vrf RED unicast all route-map red-map

route-replicate from vrf GREEN unicast all route-map grn-map

After: Simple Shared Service Definition

vrf definition RED

address-family ipv4

route-replicate from vrf SHARED unicast all

vrf definition GREEN

address-family ipv4

route-replicate from vrf SHARED unicast all

ip vrf SHARED

rd 3:3




!

ip vrf RED

rd 1:1



!

ip vrf GREEN

rd 2:2



!

router bgp 65001

bgp log-neighbor-changes

!

address-family ipv4 vrf SHARED

redistribute ospf 3

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf RED

redistribute ospf 1

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf GREEN

redistribute ospf 2

no auto-summary

no synchronization

exit-address-family

!


Route Redistribution

53

Route Redistribution will copy routes between different routing processes or protocols within a single RIB

Each VRF has a separate and distinct RIB

OSPF Process 2

Route Type Dest

Int NextHop

126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

router ospf 1

network 126.1.0.0 0.0.255.255 area 0

OSPF Process 1

Route Type Dest

Int NextHop

126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

RIB – Routing Information Base

Route Type Dest Int NextHop

126.1.17.0/24 Connected Gi0/1

126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

router ospf 2

redistribute ospf 1 subnets


Route Replication

54

RIB – VRF Services


126.1.17.0/24 Connected Gi0/1

126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

Route Replication creates

a link to a route in a RIB

from a different VRF

RIB – VRF User-A


126.1.9.0/24 OSPF Gi0/1 126.1.17.13

126.1.12.0/24 OSPF Gi0/1 126.1.17.13

126.1.14.0/24 OSPF Gi0/1 126.1.17.13

vrf definition services

!

address-family ipv4

route-replicate from vrf user-a unicast all

exit-address-family

!

vrf definition user-a

!

address-family ipv4

route-replicate from vrf services unicast all

exit-address-family

router ospf 99 vrf services

network 126.1.0.0 0.0.255.255 area 0

!

router ospf 98 vrf user-a

network 126.1.0.0 0.0.255.255 area 0


Route Replication Output

55

The routes now show up in the destination VRF with

a ‗+‘ and the source VRF identified

Router# routing-context vrf user-a

Router%user-a# show ip route

Routing Table: user-a

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP

+ - replicated route, % - next hop override

Gateway of last resort is not set

126.0.0.0/8 is variably subnetted, 124 subnets, 4 masks

....

O + 126.1.9.0/24 [110/2] via 126.1.17.13 (services), 1d04h, GigabitEthernet0/1



C + 126.1.17.0/24 is directly connected (services), GigabitEthernet0/1

L + 126.1.17.31/32 is directly connected (services), GigabitEthernet0/1


Route Replication Output

56

The routes show up in the RIB as replicated with the same

OSPF metrics, distance, next hop, etc.

Router# routing-context vrf services

Router%services# show ip route 126.1.9.0

Routing Table: services


Known via "ospf 99", distance 110, metric 2, type intra area

Last update from 126.1.17.13 on GigabitEthernet0/1, 1d05h ago


* 126.1.17.13, from 126.0.1.15, 1d05h ago, via GigabitEthernet0/1

Route metric is 2, traffic share count is 1

Router%services# routing-context vrf user-a

Router%user-a# show ip route 126.1.9.0

Routing Table: user-a


Known via "ospf 99", distance 110, metric 2, type intra area, replicated

Last update from 126.1.17.13 on GigabitEthernet0/1, 1d05h ago


* 126.1.17.13 (services), from 126.0.1.15, 1d05h ago, via GigabitEthernet0/1

Route metric is 2, traffic share count is 1


vrf definition red

route-replicate from vrf SERVICES unicast all


route-replicate from vrf SERVICES unicast all


route-replicate from vrf RED unicast all route-map red-map

route-replicate from vrf GREEN unicast all route-map grn-map

192.168.1.1

10.1.1.1

20.1.1.1

20.0.0.0/8

10.0.0.0/8

R1 and R2 Do Not Have Route to 192.168.1.1 – Need Route Redistribution on R3

show ip route vrf services

Routes to 10.0.0.0/8 and 20.0.0.0/8 R1

R2

R3 R4

192.168.1.0/24

Fusion Point

R4 Does Not Have Routes to 10.0.0.0/8 and 20.0.0.0/8 – Need Route Redistribution on R3

Shared Services Using Route Replication

57


Shared Services Using Route Replication and

Redistribution

10.1.1.1

20.0.0.0/8

10.0.0.0/8

show ip route vrf green

Route to 192.168.1.1 Through R3

show ip route vrf services

Routes to 10.0.0.0/8 and 20.0.0.0/8 R1

R2

R3 R4

192.168.1.0/24


redistribute vrf red ospf 98 subnets

redistribute vrf green ospf 97 subnets

router ospf 98 vrf red

redistribute vrf services ospf 99 subnets

router ospf 97 vrf green


20.1.1.1

192.168.1.1

58


Global

Route replication enables the ability to dynamically share

routes between the global/default VRF and a user defined VRF


!

address-family ipv4

route-replicate from vrf global unicast all route-map g-map

exit-address-family

!

global-address-family ipv4

route-replicate from vrf services unicast all route-map services-map

!


redistribute connected subnets

redistribute vrf global ospf 1 subnets

network 0.0.0.0 255.255.255.255 area 0

!

router ospf 1


network 0.0.0.0 255.255.255.255 area 0

VRF Route Replication

59


Shared Services Summary

60

Support for shared services across VRFs

Shared services approach is best for DNS, DHCP, Corp

Communications – Not Internet Gateway

Consideration needs to be taken for the location of

Extranet Fusion point for unicast and multicast

Route replication simplifies deployment

‒ Works with IGPs without any additional protocol

‒ Multicast Extranet will work with route replication

‒ Supports VRFGlobal and GlobalVRF

QoS in a Virtualized Network


QoS with GRE, MPLS over GRE

62

Router will copy original ToS marking to outer GRE header

For MPLS over GRE, the EXP marking is copied to the outer header of the

GRE tunnel

This allows the IPv4 ―transport‖ to perform QoS on the multi-encapsulated

packet

ToS (IP Hdr) EXP (MPLS Shim) GRE IP Hdr

IP Payload

IP Payload

IP Payload

GRE

GRE

Original IP Header

Original IP Header

ToS

Original IP Header

ToS

GRE

Outer GRE IP Header

EXP

MPLS Shim Outer GRE IP Header To

S

Outer GRE IP Header

ToS

ToS (IP Hdr) GRE IP Hdr

GRE Header

GRE Header with ToS Reflection

MPLS over GRE Header with ToS

Reflection

MPLS Shim EX

P

ToS Reflection


QoS Is Orthogonal to Virtualization

The Same Approach Should Be Used for a Typical Enterprise Network Design as a Virtualized Network

Deployment Models in a Virtualized Environment

63

Aggregate Model

A common QoS strategy is used for all VRFs

(i.e. same marking for voice, video, critical data, best effort)

The aggregate of all markings is applied at the WAN Agg

Prioritized VRF Model

Traffic in some VRFs are prioritized over other VRFs

(i.e. Production over Guest VRF)


Branch 1

Campus

Branch 2

Branch 3

SiSi

SiSi

Classify and Mark Traffic

at Edge


at Edge

WAN

WAN Int

Voice

Scavenger

Best Effort

Video

Traffic Is Queued, Shaped According to DSCP Values

Typical QoS Deployment Without Network Virtualization

64

Voice

Scavenger

Best Effort

Video

Voice

Scavenger

Best Effort

Video


Branch 1

Campus

Branch 2

Branch 3

SiSi

SiSi


at Edge


at Edge

Green VRF

Red VRF

Green VRF

Red VRF

Traffic Is Aggregated Across VRFs (e.g. All Voice Traffic Is Queued Together)

WAN

Aggregate Model


Typical QoS Deployment With NV – Aggregate Model

65

Voice

Scavenger

Best Effort

Video

Voice

Scavenger

Best Effort

Video

Voice

Scavenger

Best Effort

Video

Green VRF

Red VRF

Green VRF

Red VRF


Branch 1

Campus

Branch 2

Branch 3

SiSi

SiSi


at Edge


at Edge

Green VRF

Red VRF

WAN

Prioritized VRF

Scavenger

Best Effort


Green VRF Is Guest. All Traffic Is Marked as Best Effort or Scavenger

Typical QoS Deployment – With NV – Prioritized VRF

66

Voice

Scavenger

Best Effort

Video

Voice

Scavenger

Best Effort

Video

Green VRF

Red VRF

Green VRF

Red VRF

Green VRF

Red VRF


QoS for Virtualization – Summary

67

Aggregate QoS model is the simplest and straight

forward approach – Recommended

Prioritized VRF model can be used to prefer traffic

originating in one VRF over another

(e.g. guest access)

The same QoS approach should be used for a non-

virtualized and virtualized enterprise network design

Network Management in a

Virtualized Environment


Network Mgmt Strategy for NV

69

Two Approaches to Managing a Multi-VRF Environment

Manage the network through the Global VRF

The global VRF must be accessible to all devices that need to be managed

Routers are managed normally

Create a Management VRF

The Mgmt VRF must be accessible to all devices that need to be managed. Many SPs take this approach for a managed CE service.

All of the mgmt services will need to be VRF aware.


VRF Aware Services

70

Feature ISR ASR1K Cat6K Cat4K Cat3K N7K

ping Yes Yes Yes Yes Yes Yes

traceroute Yes Yes Yes Yes Yes Yes

telnet Yes Yes Yes Yes Yes Yes

ssh Yes Yes Yes Yes Yes Yes

tftp/ftp Yes Yes Yes Yes Yes Yes

snmp Yes Yes Yes Yes Yes Yes

syslog Yes Yes Yes Yes Yes Yes

ntp Yes Yes Yes Yes Yes Yes

tacacs Yes Yes Yes No No Yes

radius Yes Yes Yes Yes No Yes

netflow Yes Yes Yes Yes Yes Yes

DNS Yes Yes No No No Yes

IP SLA Yes Yes Yes Yes Yes No

ERSPAN No Yes Yes No No Yes

DHCP Relay Yes Yes Yes Yes Yes Yes

routing-context No Yes Yes Yes No Yes

Yes Feature completely supported Yes Feature NOT completely supported - but key functions are supported

No Feature NOT supported


Ping / Traceroute / Telnet

71

Ping, Traceroute and Telnet Are All VRF Aware

ping vrf green 10.1.1.1

traceroute vrf green 10.1.1.1

telnet 10.1.1.1 /vrf red

If an Access-Class Is Configured on the VTY: Telnet and ssh from VRFs will be denied without the vrf-also keyword With vrf-also – Sessions will be allowed based on ACL No way to have separate access classes for each VRF

These Commands All Have Keywords to Operate Within a VRF

line vty 0 15

access-class 10 in vrf-also

login

transport input telnet ssh



ISR ASR1K Cat6K Cat4K Cat3K N7K

Yes Yes Yes Yes Yes Yes


SSH and SCP

72

SSH Is VRF Aware

ssh –vrf red –l john 10.1.1.1

ip ssh source-interface loopback 252

interface loopback 252


You Can Set the Source-Interface Inside a VRF. Some SPs require a connection from a particular IP address.

SSH uses –vrf keyword to connect through VRF SSH server on router is VRF aware to receive connections Cat3k does not support ssh client (CLI) but does support server

SCP Is Not VRF Aware

router# copy scp://10.1.1.1/latest-image disk2:

You cannot use SCP to copy a file inside a VRF




TFTP and FTP

73

TFTP and FTP Are VRF Aware

ip tftp source-interface loopback 1

ip ftp source-interface loopback 1

interface loopback 1


These Commands Do Not Have a VRF Keyword.

They Operate in a VRF by Setting the Source Interface to a VRF Interface:

router# copy tftp://10.0.89.3/latest-image disk2:

router# copy ftp://10.0.89.3/latest-image disk2:




What is VRF Aware SNMP?

If a MIB Is VRF Aware Then:

SNMP gets and sets can be made to the individual

VRFs

The MIB will have the ability to detect conditions for

a trap inside of a VRF and lookup the additional

information in the VRF context

Traps will be sent to a manager located inside a

VRF

snmp-server host 1.1.1.1 vrf blue



74


VRF Aware MIBs

75

VRF Independent MIB

Reports info on entire system – every VRF

MPLS-VPN MIB, CISCO-MVPN-MIB

e.g. How many VRF are defined, names, RD and RT of those VRFs, etc

VRF Aware MIB

Uses Context field in SNMP PDU to specify VRF to access

IF-MIB, IP-FORWARD-MIB, OSPF-MIB, CISCO-EIGRP-MIB, etc.

These MIBs report the routing/forwarding info for each VRF – one at a time

Context Aware MIB

Any MIB that uses the Context field to specify another set of info

Context Aware does not necessarily mean VRF Aware

e.g. BRIDGE-MIB uses context field to specify bridge group

show snmp mib context

Displays Which MIBs Are Context Aware


VRF Aware and VRF Independent MIBS

76

MPLS-VPN-MIB

MPLS-L3VPN-STD-MIB

MPLS-LSR-STD-MIB

MPLS-LDP-STD-MIB

IF-MIB

CISCO-PING-MIB

IP-FORWARD-MIB

IP-MIB

OSPF-MIB

CISCO-EIGRP-MIB

CISCO-CEF-MIB

CISCO-IETF-ISIS-MIB

CISCO-IPSEC-MIB

CISCO-IPSEC-FLOW-MONITOR-MIB

CISCO-MVPN-MIB

IGMP-STD-MIB

IPMROUTE-STD-MIB

CISCO-IPMROUTE-MIB

PIM-MIB

CISCO-PIM-MIB

MSDP-MIB

Partial List of MIBs with VRF Information:

VRF Independent MIBS are RED


MPLS-VPN MIB – Useful Objects

77

MPLS-VPN-MIB

Based on draft-ietf-ppvpn-mpls-vpn-mib-03

Available on platforms that support MPLS

MPLS-L3VPN-STD-MIB

Based on RFC 4382

Will be replacing MPLS-VPN-MIB

Key Objects in MPLS-VPN-MIB

mplsVpnConfiguredVrfs – Number of VRFs configured

mplsVpnVrfOperStatus – VRF is configured on interface that is up

mplsVpnVrfRouteNextHop – Next hop (neighbor) for routes in VRF


CISCO-VRF-MIB – Useful Objects

78

CISCO-VRF-MIB

Developed by Cisco for routers that do not have MPLS

Contains additional information for EVN – VNET Tags, etc.

Key Objects in MPLS-VPN-MIB

cvVrfName – Name of VRFs configured (blue, red, etc.)

cvVrfVnetTag – VNET Tags configured per VRF

cvVrfOperStatus – VRF is configured on interface that is up

cvVrfRouteDistProt – IGPs that are configured per VRF (OSPF, EIGRP, etc.)


Monitoring with VRF Aware MIBs Example

79

snmp-server view mcastview pim included

snmp-server context blue_ctx

ip vrf blue

context blue_ctx

snmp-server user blue_user blue_group v2c

snmp-server group blue_group v2c context blue_ctx read

mcastview write mcastview notify mcastview

snmp mib community-map blue_user context blue_ctx

snmp-server host 10.77.241.66 vrf blue version 2c

blue_user pim

Example Using SNMP v2c

An SNMP Query with a Community Name of blue_user Will Return Data

from VRF Blue


Monitoring with VRF Aware MIBs Example

80

vrf definition blue

!

address-family ipv4

snmp context blue community blue_comm RW

exit-address-family

!

snmp-server host 10.1.1.1 vrf blue version 2c blue_comm

Updated Simpler CLI Example Using SNMP v2c Community

An SNMP query with a Community String of blue_comm will return data from VRF Blue


NX-OS VRF Aware MIBs Example

81

vrf context BLUE

snmp-server community BLUE group network-operator

snmp-server context BLUE instance BLUE vrf BLUE

snmp-server mib community-map BLUE context BLUE

Example Using SNMP v2c Community

An SNMP query with a Community String of BLUE will return data from VRF Blue


Syslog in a VRF

82

Syslog can be configured to forward to a log server in a VRF

logging host 10.1.1.1 vrf red

logging host 20.1.1.1 vrf blue

All syslogs will be sent to all log servers

The transport is VRF aware – not the content

The source address will be the address of the egress

interface. The source interface cannot be set in a VRF.

router(config)#logging source-interface loopback 999

Interface Loopback999 is not in the global table

Addresses of the router egress interfaces could be entered into the Host File

on the server so they could be identified.

* Fix for Cat6k shipped in 12.2(33)SXJ1. Other platforms – Future Releases




NTP in a VRF

83

NTP servers and peers can be in a VRF

Routers can set source interface to be in a VRF

ntp server vrf green 10.1.1.1

ntp peer vrf green 10.1.1.1

ntp source FastEthernet5/0

NTP Is VRF Aware




AAA/Tacacs/Radius in a VRF

84

aaa group server tacacs+ tacacs1

server-private 10.1.1.1 port 19 key red


ip tacacs source-interface Loopback0

interface Loopback0

ip address 10.0.0.2 255.0.0.0


aaa group server radius red

server-private 10.10.132.4 auth-port 1645 acct-port 1646 key ww


ip radius source-interface loopback0

radius-server attribute 44 include-in-access-req vrf red

Tacacs and Radius Servers Can Be Configured in a VRF.

Example Tacacs Config:

Example Radius Config:


Yes Yes Yes No No Yes

Yes Yes Yes Yes No Yes


NetFlow – VRF Aware

85

NetFlow is VRF independent

Flow info can be collected for interfaces in any VRF

Flows can be collected on Sub-interfaces for VRF-Lite

ISR, ASR1K, N7K, 7600, Cat6K and Cat4K (Sup7-E) can export flows to the collector through a VRF

NetFlow is now supported on the Cat3K with the X-Series with the C3KX-SM-10G service module




How Does NFC Correlate Flows with VRFs?

86

Src IP Dest IP IF Index ...

10.2.2.2 10.20.4.2 21 ...

Netflow Collector

Traffic

NetFlow Enabled Device

NetFlow Export Packet

SNMP Query:

IF-MIB – Interface Name

MPLS-VPN MIB – VRF Info

Fa5/1

VRF Input Int Pkts Protocol NextHop

Red Fa5/1 11000 11 10.0.23.2

Red Fa5/3 2491 6 10.0.24.6

Blue Fa2/2 2210 6 10.0.25.8

Traffic Analysis Report

NetFlow is VRF agnostic

Collects info for any VRF

NFC uses SNMP to find

out VRF membership on

interfaces

Source IP Address

Destination IP Address

Source Port

Destination Port

Layer 3 Protocol

TOS byte (DSCP)

Input Interface – Fa5/1


Traditional NetFlow with Multi-VRF

87

interface GigabitEthernet0/0/0

ip address 1.1.1.2 255.255.255.0

ip flow ingress

!

interface GigabitEthernet0/0/0.101

description Subinterface for VRF red

vrf forwarding red


ip address 1.1.1.2 255.255.255.0

ip flow ingress

!


description Subinterface for VRF blue

vrf forwarding blue


ip address 1.1.1.2 255.255.255.0

!


description Subinterface for VRF yellow

vrf forwarding yellow


ip address 1.1.1.2 255.255.255.0

ip flow ingress

ip flow ingress

is configured on main interface

May Be Configured on the Main

Interface or Subinterface

It can be configured on a per

subinterface/VRF basis

Traffic


Fa5/1


Flexible NetFlow with Multi-VRF

88

interface GigabitEthernet0/0/0

ip address 1.1.1.2 255.255.255.0

ip flow monitor VRF-Monitor input

ip flow monitor VRF-Monitor output

!


description Subinterface for VRF red

vrf forwarding red


ip address 1.1.1.2 255.255.255.0

!


description Subinterface for VRF blue

vrf forwarding blue


ip address 1.1.1.2 255.255.255.0

ip flow monitor VRF-Monitor input

ip flow monitor VRF-Monitor output

!


description Subinterface for VRF yellow

vrf forwarding yellow


ip address 1.1.1.2 255.255.255.0

ip flow monitor [Monitor]

[input | output]

May Be Configured on the Main

Interface or Subinterface

It can be configured on a per

subinterface/VRF basis

Traffic


Fa5/1


DNS

89

The Router Can Perform a Name Lookup to a Server in a VRF. The Name-Server Must Be Configured with the VRF Keyword. The Source-Interface Can Be Specified If Required. VRF Aware DNS Is Not supported on Cat6k, Cat4k and Cat3k Workaround: Setup DNS as a Shared Service

ip name-server vrf green 10.1.1.1

ip domain lookup source-interface FastEthernet5/0

DNS Is VRF Aware

ip host vrf green MAIL-SERVER 10.1.10.20

Static Host Entries Can Be Configured Inside a VRF


Yes Yes No No No Yes


IP SLA

90

IP SLA can measure response time inside VRFs Starting 12.2(2)T, 12.2(33)SXH, 12.2(40)SE: ICMP echo, ICMP path echo, ICMP path jitter, UDP echo, UDP jitter Starting 12.4(6)T: ICMP Jitter Starting 12.4(20)T, 15.1(1)T: TCP Connect, FTP, HTTP, DNS IP SLA IPv6 VRF Aware – 12.4(20)T: ICMP Echo, UDP Echo, UDP Jitter, TCP Connect

ip sla 1

udp-jitter 1.1.1.2 233

vrf red

ip sla schedule 4 start-time now life forever

IP SLA is VRF Aware


Yes Yes Yes Yes Yes No


ERSPAN in a VRF

91

ERSPAN can monitor flows in any VRF

Captures can be exported (transported) in a VRF

ASR1K cannot export through the ―Mgmt VRF‖ but

may be exported through any other VRF

No support for ERSPAN on Cat4K, Cat3K

Support for ERSPAN shipped on the

N7K in 5.1(1)


No Yes Yes No No Yes


DHCP in Multi-VRF

92

3 Approaches to DHCP in Multi-VRF Environment

Separate DHCP Server for Each VRF - Recommended

Each one could be a different VM on VMware

Each server needs to be administered separately

Supports Address overlap between VRFs

Shared Server with No Address Overlap – Recommended

DHCP Server IP address (IP Helper addr) is redistributed using BGP/Extranet, fusion router or Route Replication

Shared Server that Is VRF Aware

Requires VRF Aware DHCP Relay

Supports Address overlap between VRFs

Cisco Network Registrar v5.5 supports VPN option – Option 82

* Option 82 not supported on Cat6K today – coming in future release




DHCP in Multi-VRF (Cont.)

93

Dedicated Servers per VRF or Shared Servers Without

Address Overlap Are Configured Normally:

Shared Servers that Are VRF Aware Need VPN Options:

ip helper-address 10.10.1.1

ip dhcp relay information option vpn

!

interface ethernet 0/1

ip helper-address vrf red 10.44.23.7

DHCP VPN Options (Option 82) – Includes These Fields: • VPN identifier — VRF name if configured on the interface • Subnet selection — Incoming interface subnet address • Server identifier override — Incoming interface IP address

The DHCP Server Must Be Reachable in the Client VRF


Network Mgmt Summary

94

The global or a Mgmt VRF can be used to access and manage the router

If you use a Mgmt VRF – need to make sure that all the services are VRF aware on your platform/version

Many services just work by setting source interface. Others require specifying the VRF in CLI command

Present and Future Services for

Network Virtualization

WAN Design Options


EVN

Yellow VRF

Green VRF

Red VRF

EVN

Yellow VRF

Green VRF

Red VRF

IP Service

eBGP eBGP

L3VPNoMGRE MP-BGP

WAN Options for EVN

96

EVN

Yellow VRF

Green VRF

Red VRF

EVN

Yellow VRF

Green VRF

Red VRF MPLS-VPN

eBGP eBGP

Multi-VRF

EVN

Yellow VRF

Green VRF

Red VRF

EVN

Yellow VRF

Green VRF

Red VRF

IP Service

eBGP eBGP

LISP

EVN

Yellow VRF

Green VRF

Red VRF

EVN

Yellow VRF

Green VRF

Red VRF

IP Service

eBGP eBGP

DMVPN Encryption

Single VRF

Single VRF

Single VRF

© 2012 Cisco and/or its affiliates. All rights reserved. BRKRBRKVIR-2009_Kessler Cisco Public

Extending EVN over the WAN Leverage MPLS-VPN for EVN Extension

R1 R2 OSPF OSPF R3

BGP Update

VNET Trunk

E 1/0 E 0/0

VNET Tag = 10

WAN

On MPLS ―PE‖, apply the ‗vnet tag‘ under the ―vrf definition‖

This connects the campus VNET with the MPLS VRF and is handled as normal VRF forwarding

!

vrf definition red

vnet tag 10

rd 1:1



!

!

address-family ipv4

exit-address-family

!

VNET Tag Applied under the “vrf Definition”

Normal ‘rd’ and ‘route-target’ Applied in MPLS VPN Case

Injects Routes from VNET Trunk into VRF, Allowing Any VRF over WAN Solution to Be Applied Using VNET

R4

VNET Trunk

MPLS VPN + VNET

MPLS


Multi-VRF Across IP Based WAN

98

Customer is able to multiplex 3 VRFs across 1 VRF from the Provider

– Provider Transparency

– Provider Independent Blue

CE2

CE3

Blue

CE1 PE3

PE1

PE2

Provider Net

Blue

L0 10.2.1.1 Yellow VRF

Green VRF

Red VRF

Yellow VRF

Green VRF

Red VRF

Yellow VRF

Green VRF

Red VRF

L0 10.2.1.2

MPLS VPN

Red

CE

Red

CE


MPLS VPNs over mGRE (a.k.a. L3VPNoMGRE)

99

No LDP or NHRP required

BGP replaces LDP and NHRP

Allows MPLS-VPN over GRE without manual GRE tunnel configuration

Leverages multipoint GRE (mGRE) and the tunnel is not connection oriented

mGRE is a multipoint unidirectional GRE tunnel

Support for multicast is mVPN

Requires BGP config on E-PE routers

IP Service

MPLS Campus/

MAN

E-PE

E-PE

E-PE E-PE

Remote Branches

RR RR

Enterprise

GRE Tunnels

Branch LAN

802.1q Trunk Physical Cable

VPNv4 Label over GRE Encapsulation

mGRE

Campus-PE

Spoke to

Spoke

© 2012 Cisco and/or its affiliates. All rights reserved. BRKVIR-2009 Cisco Public 100

eBGP

AS 65000

172.16.1.1

MPLS Campus/MAN

E-PE

Branch Site

MPLS VPN over Multipoint GRE (mGRE) Control Plane

RR E-PE

mGRE iBGP

SP Cloud

AS 1

Interface Loopback0

ip address 10.100.1.201 255.255.255.255

router bgp 65000

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 10.100.1.204 remote-as 65000

neighbor 10.100.1.204 update-source Loopback0

neighbor 172.16.1.1 remote-as 1

neighbor 172.16.1.1 update-source Ethernet0/0

!

address-family ipv4

no synchronization

redistribute connected metric 1

neighbor 172.16.1.1 activate

no auto-summary

exit-address-family

!

address-family vpnv4

neighbor 10.100.1.204 activate

neighbor 10.100.1.204 send-community both

neighbor 10.100.1.204 route-map mgre_v4 in

exit-address-family

eBGP Peer to SP

Address Family for eBGP to SP

iBGP Peer for MP-BGP (VPNv4)

Address Family for MPLS-VPN over IP (i-BGP)

100


VRF-Lite over GRE

101

One tunnel per VRF

IGP Neighbor maintained from end-2-end

GRE Tunnel could be across arbitrary cloud e.g. CE-2-CE

Can transport EVN traffic in the Campus over WAN

vrf-router-a vrf-router-b

11.1.1.1

11.2.1.1

11.3.1.1

11.1.1.2

11.2.1.2

11.3.1.2

126.101.1.2 126.101.1.1

126.102.1.1

126.103.1.1

126.102.1.2

126.103.1.2

Tunnel1

Tunnel2

Tunnel3

IP IP IP

GRE GRE GRE

IP IP IP IP IP IP IP IP IP


VRF-Lite over GRE

102

One tunnel per VRF

IGP Neighbor maintained from end-2-end

GRE Tunnel could be across arbitrary cloud e.g. CE-2-CE

Can transport EVN traffic in the Campus over WAN

vrf-router-a vrf-router-b

11.1.1.1

11.2.1.1

11.3.1.1

11.1.1.2

11.2.1.2

11.3.1.2

126.101.1.2 126.101.1.1

126.102.1.1

126.103.1.1

126.102.1.2

126.103.1.2

Tunnel1

Tunnel2

Tunnel3

IP IP IP

GRE GRE GRE

IP IP IP IP IP IP IP IP IP


ip address 126.101.1.1 255.255.255.0

!


ip address 126.102.1.1 255.255.255.0

!


ip address 126.103.1.1 255.255.255.0

interface Tunnel1


ip address 11.1.1.1 255.255.255.0



!

interface Tunnel2


ip address 11.2.1.1 255.255.255.0



!

interface Tunnel3

ip vrf forwarding yellow

ip address 11.3.1.1 255.255.255.0




EVN over DMVPN Multi-VRF Transported over Several NHRP Domains

103

Yellow VRF

Green VRF

Red VRF

Yellow VRF

Green VRF

Red VRF

Yellow VRF

Green VRF

Red VRF

Yellow VRF

Green VRF

Red VRF

Hub

Branch 1 Branch 2 Branch 3

Hub-2-Spoke

vrf definition Red

!

interface Loopback0

ip address 10.126.100.1 255.255.255.255

!

interface Tunnel0

description mGRE for Red

vrf forwarding Red

ip address 11.1.1.1 255.255.255.0

no ip redirects

ip nhrp map multicast dynamic

ip nhrp network-id 100


tunnel mode gre multipoint

Hub Configuration

vrf definition Green

!

interface Loopback1

ip address 10.126.101.1 255.255.255.255

!

interface Tunnel1

description mGRE for Green

vrf forwarding Green

ip address 11.1.2.1 255.255.255.0

no ip redirects





vrf definition Yellow

!

interface Loopback2

ip address 10.126.102.1 255.255.255.255

!

interface Tunnel2

description mGRE for Yellow

vrf forwarding Yellow

ip address 11.1.3.1 255.255.255.0

no ip redirects





Spoke Configuration

vrf definition Red

!

interface Loopback0

ip add 10.123.100.1 255.255.255.255

!

interface Tunnel0

description GRE to hub

vrf forwarding Red

ip address 11.1.1.10 255.255.255.0


ip nhrp nhs 11.1.1.1



!

interface Vlan10

description Red Subnet

vrf forwarding Red

ip address 11.1.100.1 255.255.255.0

vrf definition Green

!

interface Loopback1

ip add 10.123.101.1 255.255.255.255

!

interface Tunnel1



ip address 11.1.2.10 255.255.255.0





!

interface Vlan11

description Green Subnet


ip address 11.1.101.1 255.255.255.0

vrf definition Yellow

!

interface Loopback2

ip add 10.123.102.1 255.255.255.255

!

interface Tunnel2



ip address 11.1.3.10 255.255.255.0





!

interface Vlan12

description Yellow Subnet


ip address 11.1.102.1 255.255.255.0


EVN over LISP – Location/ID Separation Protocol

104

Branch Site

Branch Site

Corp Campus

LISP xTR

LISP

LISP

LISP

EVN

Green VRF

Red VRF

IP Service

SP Cloud

Blue VRF

EVN

Green VRF

Red VRF

EVN

Green VRF Blue VRF

Red VRF

LISP xTR

LISP xTR

• LISP can be used to multiplex several VRFs across a Provider IP Service

• LISP will encapsulate the traffic across the provider and internal IP addresses will be hidden from the provider

• LISP is a compatible WAN solution with EVN in the campus


EVN over LISP – Location/ID Separation Protocol

105

Branch Site

Branch Site

Corp Campus

LISP xTR

LISP

LISP

LISP

EVN

Green VRF

Red VRF

IP Service

SP Cloud

Blue VRF

EVN

Green VRF

Red VRF

EVN

Green VRF Blue VRF

Red VRF

LISP xTR

LISP xTR

• LISP can be used to multiplex several VRFs across a Provider IP Service

• LISP will encapsulate the traffic across the provider and internal IP addresses will be hidden from the provider

• LISP is a compatible WAN solution with EVN in the campus

router lisp

eid-table vrf default instance-id 0

exit

!

eid-table vrf Red instance-id 101

...

exit

!

eid-table vrf Green instance-id 102

...

exit

!

eid-table vrf Blue instance-id 103

...

exit

!


EVN - Easy Virtual Network Roadmap

106

Cat4K Release/Platforms: 15.1(1)SG: Sup6-E, Sup6L-E, 4900M, 4948E, 4940E-F IOS XE 3.3.0SG: Sup7-E, Sup7L-E, 4500-X * Sup720 will not support VNET Trunk

“Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.”

Platform Release FCS Date

ASR1K IOS XE 3.2S Nov 2010

Cat6K – Sup2T 15.0(1)SY1 March 2012

Cat4K 15.1(1)SG

IOS XE 3.3.0SG April 2012

Cat6K – Sup720* Roadmap Future

Cat3K-X Roadmap Future

ISR-G2 Roadmap Future

Nexus 7K Roadmap Future


More Info

107

Other Sessions:

BRKCRS-2033 Deploying a Virtualized Campus Network Infrastructure

– Ray Blair

BRKRST-2045 Network Virtualization Design Concepts over the WAN

– Craig Hill

Mailing List: [email protected]

WWW http://www.cisco.com/go/evn


Network Virtualization Questions?

108


Complete Your Online

Session Evaluation Give us your feedback and you

could win fabulous prizes.

Winners announced daily.

Receive 20 Passport points for each

session evaluation you complete.

Complete your session evaluation

online now (open a browser through

our wireless network to access our

portal) or visit one of the Internet

stations throughout the Convention

Center.

Don‘t forget to activate your

Cisco Live Virtual account for access to

all session material, communities, and

on-demand and live activities throughout

the year. Activate your account at the

Cisco booth in the World of Solutions or visit

www.ciscolive.com.

109

http://www.ciscolive.com


Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of

Solutions, booth 1042

Come see demos of many key solutions and products in the main Cisco

booth 2924

Visit www.ciscoLive365.com after the event for updated PDFs, on-

demand session videos, networking, and more!

Follow Cisco Live! using social media:

‒ Facebook: https://www.facebook.com/ciscoliveus

‒ Twitter: https://twitter.com/#!/CiscoLive

‒ LinkedIn Group: http://linkd.in/CiscoLI

110

http://www.ciscolive365.com/

https://www.facebook.com/ciscoliveus

https://twitter.com/

http://linkd.in/CiscoLI


Documents

Present and Future Services for Network Virtualizationd2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKVIR-2009.pdf · Present and Future Services for Network Virtualization ... BRKCRS-2033