Configuring Layer 3 Virtualization

This chapter describes how to configure Layer 3 virtualization.

This chapter includes the following sections:

Layer 3 Virtualization

This section includes the following topics:

Overview of Layer 3 Virtualization

Cisco NX-OS supports virtual routing and forwarding instances (VRFs). Each VRF contains a separate address space with unicast and multicast route tables for IPv4 and IPv6 and makes routing decisions independent of any other VRF.

Each router has a default VRF and a management VRF. All Layer 3 interfaces and routing protocols exist in the default VRF until you assign them to another VRF. The mgmt0 interface exists in the management VRF. With the VRF-lite feature, the switch supports multiple VRFs in customer edge (CE) switches. VRF-lite allows a service provider to support two or more Virtual Private Networks (VPNs) with overlapping IP addresses using one interface.

note.gif

Noteblank.gif The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs.


VRF and Routing

All unicast and multicast routing protocols support VRFs. When you configure a routing protocol in a VRF, you set routing parameters for the VRF that are independent of routing parameters in another VRF for the same routing protocol instance.

You can assign interfaces and route protocols to a VRF to create virtual Layer 3 networks. An interface exists in only one VRF. Figure 12-1 shows one physical network split into two virtual networks with two VRFs. Routers Z, A, and B exist in VRF Red and form one address domain. These routers share route updates that do not include router C because router C is configured in a different VRF.

Figure 12-1 VRFs in a Network

 

186416.eps

By default, Cisco NX-OS uses the VRF of the incoming interface to select which routing table to use for a route lookup. You can configure a route policy to modify this behavior and set the VRF that Cisco NX-OS uses for incoming packets.

Cisco NX-OS supports route leaking (import and export) between VRFs in a VRF lite scenario. The following are guidelines for the VRF route-leak feature:

  • Supports route-leak between any two non-default VRFs and route-leak from the default VRF to any other VRF.
  • Route-leak to the default VRF is not allowed as it is a global VRF.
  • The route-leak feature is implemented using export and import route-targets under the VRF context.
  • Leaking (exporting) a part of the prefixes is done by using export-map with the match ip address and set extcommunity rt commands. The regularly used route-target export command should not be used for this purpose.
  • By default, the maximum prefix that can be leaked is 1000 routes. This is configurable.
  • The route-leak feature must have an Enterprise license and the BGP feature enabled.

VRF-Lite

VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but a Layer 3 interface cannot belong to more than one VRF at any time.

note.gif

Noteblank.gif Multiprotocol Label Switching (MPLS) and MPLS control plane are not supported in the VRF-lite implementation.


note.gif

Noteblank.gif VRF-lite interfaces must be Layer 3 interfaces.


VRF-Aware Services

A fundamental feature of the Cisco NX-OS architecture is that every IP-based feature is VRF aware.

The following VRF-aware servics can select a particular VRF to reach a remote server or to filter information based on the selected VRF:

  • AAA—See the Cisco Nexus 6000 Series NX-OS Security Configuration Guide, Release 7.x, for more information.
  • Call Home—See the Cisco Nexus 6000 Series NX-OS System Management Configuration Guide, Release 7.x, for more information.
  • HSRP—See Chapter 17, “Configuring HSRP” for more information.
  • HTTP—See the Cisco Nexus 6000 Series NX-OS Fundamentals Configuration Guide, Release 7.x, for more information.
  • Licensing—See the Cisco NX-OS Licensing Guide for more information.
  • NTP—See the Cisco Nexus 6000 Series NX-OS System Management Configuration Guide, Release 7.x, for more information.
  • RADIUS—See the Cisco Nexus 6000 Series NX-OS Security Configuration Guide, Release 7.x, for more information.
  • Ping and Traceroute —See the Cisco Nexus 6000 Series NX-OS Fundamentals Configuration Guide, Release 7.x, for more information.
  • SSH—See the Cisco Nexus 6000 Series NX-OS Fundamentals Configuration Guide, Release 7.x, for more information.
  • SNMP—See the Cisco Nexus 6000 Series NX-OS System Management Configuration Guide, Release 7.x, for more information.
  • Syslog—See the Cisco Nexus 6000 Series NX-OS System Management Configuration Guide, Release 7.x, for more information.
  • TACACS+—See the Cisco Nexus 6000 Series NX-OS Security Configuration Guide, Release 7.x, for more information.
  • TFTP—See the Cisco Nexus 6000 Series NX-OS Fundamentals Configuration Guide, Release 7.x, for more information.
  • VRRP—See Chapter 18, “Configuring VRRP” for more information.

See the appropriate configuration guide for each service for more information on configuring VRF support in that service.

This section contains the following topics:

Reachability

Reachability indicates which VRF contains the routing information necessary to get to the server providing the service. For example, you can configure an SNMP server that is reachable on the management VRF. When you configure that server address on the router, you also configure which VRF that Cisco NX-OS must use to reach the server.

Figure 12-2 shows an SNMP server that is reachable over the management VRF. You configure router A to use the management VRF for SNMP server host 192.0.2.1.

Figure 12-2 Service VRF Reachability

 

186417.eps

Filtering

Filtering allows you to limit the type of information that goes to a VRF-aware service based on the VRF. For example, you can configure a syslog server to support a particular VRF. Figure 12-3 shows two syslog servers with each server supporting one VRF. syslog server A is configured in VRF Red, so Cisco NX-OS sends only system messages generated in VRF Red to syslog server A.

Figure 12-3 Service VRF Filtering

 

186418.eps

Combining Reachability and Filtering

You can combine reachability and filtering for VRF-aware services. You configure the VRF that Cisco NX-OS uses to connect to that service as well as the VRF that the service supports. If you configure a service in the default VRF, you can optionally configure the service to support all VRFs.

Figure 12-4 shows an SNMP server that is reachable on the management VRF. You can configure the SNMP server to support only the SNMP notifications from VRF Red, for example.

Figure 12-4 Service VRF Reachability Filtering

 

186419.eps

Licensing Requirements for VRFs

The following table shows the licensing requirements for this feature:

 

Product
License Requirement

Cisco NX-OS

VRFs require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Note The NX-OS base license allows you to use the default VRF and you can use the management VRF for the mgmt0 port. The two default VRFs are automatically created. VRF-lite allows you to create additional VRFs. The additional VRFs need the NX-OS base license as well.

Guidelines and Limitations

VRFs have the following configuration guidelines and limitations:

  • When you make an interface a member of an existing VRF, Cisco NX-OS removes all Layer 3 configuration. You should configure all Layer 3 parameters after adding an interface to a VRF.
  • You should add the mgmt0 interface to the management VRF and configure the mgmt0 IP address and other parameters after you add it to the management VRF.
  • If you configure an interface for a VRF before the VRF exists, the interface is operationally down until you create the VRF.
  • Cisco NX-OS creates the default and management VRFs by default. You should make the mgmt0 interface a member of the management VRF.
  • The write erase boot command does not remove the management VRF configuration. You must use the write erase command and then the write erase boot command.

VRF-lite has the following guidelines and limitations:

  • A switch with VRF-lite has a separate IP routing table for each VRF, which is separate from the global routing table.
  • Because VRF-lite uses different VRF tables, the same IP addresses can be reused. Overlapped IP addresses are allowed in different VPNs.
  • VRF-lite does not support all MPLS-VRF functionality; it does not support label exchange, LDP adjacency, or labeled packets.
  • Multiple virtual Layer 3 interfaces can be connected to a VRF-lite switch.
  • The switch supports configuring a VRF by using physical ports, VLAN SVIs, or a combination of both. The SVIs can be connected through an access port or a trunk port.
  • The Layer 3 TCAM resource is shared between all VRFs.
  • A switch using VRF can support one global network and up to 64 VRFs. The total number of routes supported is limited by the size of the TCAM.
  • VRF-lite supports BGP, RIP, static routing, EIGRP, EIGRPv6, OSPF, and OSPFv3.
  • VRF-lite does not affect the packet switching rate.

Default Settings

Table 12-1 lists the default settings for VRF parameters.

 

Table 12-1 Default VRF Parameters

Parameters
Default

Configured VRFs

default, management

routing context

default VRF

Configuring VRFs

This section contains the following topics:

note.gif

Noteblank.gif If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.


Creating a VRF

You can create a VRF in a switch.

SUMMARY STEPS

1.blank.gif configure terminal

2.blank.gif vrf context name

3.blank.gif ip route { ip-prefix | ip-addr ip-mask } {[ next-hop | nh-prefix ] | [ interface next-hop | nh-prefix ]} [ tag tag-value [ pref ]]

4.blank.gif (Optional) show vrf [ vrf-name ]

5.blank.gif (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2

vrf context name

 

Example:

switch(config)# vrf context Enterprise

switch(config-vrf)#

Creates a new VRF and enters VRF configuration mode. The name can be any case-sensitive, alphanumeric string up to 32 characters.

Step 3

ip route { ip-prefix | ip-addr ip-mask } {[ next-hop | nh-prefix ] | [ interface next-hop | nh-prefix ]} [ tag tag-value [ pref ]

 

Example :

switch(config-vrf)# ip route 192.0.2.0/8 ethernet 1/2 192.0.2.4

Configures a static route and the interface for this static route. You can optionally configure the next-hop address. The preference value sets the administrative distance. The range is from 1 to 255. The default is 1.

Step 4

show vrf [ vrf-name ]

 

Example :

switch(config-vrf)# show vrf Enterprise

(Optional) Displays VRF information.

Step 5

copy running-config startup-config

 

Example:

switch(config)# copy running-config startup-config

(Optional) Saves this configuration change.

Use the no vrf context command to delete the VRF and the associated configuration:

 

Command
Purpose

no vrf context name

 

Example:

switch(config)# no vrf context Enterprise

Deletes the VRF and all associated configuration.

Any commands available in global configuration mode are also available in VRF configuration mode.

This example shows how to create a VRF and add a static route to the VRF:

switch# configure terminal
switch(config)# vrf context Enterprise
switch(config-vrf)# ip route 192.0.2.0/8 ethernet 1/2
switch(config-vrf)# exit
switch(config)# copy running-config startup-config
 

Assigning VRF Membership to an Interface

You can make an interface a member of a VRF.

BEFORE YOU BEGIN

Assign the IP address for an interface after you have configured the interface for a VRF.

SUMMARY STEPS

1.blank.gif configure terminal

2.blank.gif interface interface-type slot/port

3.blank.gif no switchport

4.blank.gif vrf member vrf-name

5.blank.gif ip-address ip-prefix/length

6.blank.gif (Optional) show vrf vrf-name interface interface-type number

7.blank.gif (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2

interface interface-type slot/port

 

Example :

switch(config)# interface ethernet 1/2

switch(config-if)#

Enters interface configuration mode.

Step 3

no switchport

 

Example:

switch(config-if)# no switchport

Configures the interface as a Layer 3 routed interface.

Step 4

vrf member vrf-name

 

Example:

switch(config-if)# vrf member RemoteOfficeVRF

Adds this interface to a VRF.

Step 5

ip address ip-prefix/length

 

Example:

switch(config-if)# ip address 192.0.2.1/16

Configures an IP address for this interface. You must do this step after you assign this interface to a VRF.

Step 6

show vrf vrf-name interface interface-type number

 

Example :

switch(config-vrf)# show vrf Enterprise interface ethernet 1/2

(Optional) Displays VRF information.

Step 7

copy running-config startup-config

 

Example:

switch(config)# copy running-config startup-config

(Optional) Saves this configuration change.

This example shows how to add an interface to the VRF:

switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# no switchport
switch(config-if)# vrf member RemoteOfficeVRF
switch(config-if)# ip address 192.0.2.1/16
switch(config-if)# copy running-config startup-config
 

Configuring VRF Parameters for a Routing Protocol

You can associate a routing protocol with one or more VRFs. See the appropriate chapter for information on how to configure VRFs for the routing protocol. This section uses OSPFv2 as an example protocol for the detailed configuration steps.

SUMMARY STEPS

1.blank.gif configure terminal

2.blank.gif router ospf instance-tag

3.blank.gif vrf vrf-name

4.blank.gif (Optional) maximum-paths paths

5.blank.gif interface interface-type slot/port

6.blank.gif no switchport

7.blank.gif vrf member vrf-name

8.blank.gif ip address ip-prefix/length

9.blank.gif ip router ospf i nstance-tag area area-id

10.blank.gif (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2

router ospf instance-tag

 

Example:

switch(config-vrf)# router ospf 201

switch(config-router)#

Creates a new OSPFv2 instance with the configured instance tag.

Step 3

vrf vrf-name

 

Example:

switch(config-router)# vrf RemoteOfficeVRF

switch(config-router-vrf)#

Enters VRF configuration mode.

Step 4

maximum-paths paths

 

Example:

switch(config-router-vrf)# maximum-paths 4

(Optional) Configures the maximum number of equal OSPFv2 paths to a destination in the route table for this VRF. Used for load balancing.

Step 5

interface interface-type slot/port

 

Example :

switch(config)# interface ethernet 1/2

switch(config-if)#

Enters interface configuration mode.

Step 6

no switchport

 

Example:

switch(config-if)# no switchport

Configures the interface as a Layer 3 routed interface.

Step 7

vrf member vrf-name

 

Example:

switch(config-if)# vrf member RemoteOfficeVRF

Adds this interface to a VRF.

Step 8

ip address ip-prefix/length

 

Example:

switch(config-if)# ip address 192.0.2.1/16

Configures an IP address for this interface. You must do this step after you assign this interface to a VRF.

Step 9

ip router ospf instance-tag area area-id

 

Example:

switch(config-if)# ip router ospf 201 area 0

Assigns this interface to the OSPFv2 instance and area configured.

Step 10

copy running-config startup-config

 

Example:

switch(config)# copy running-config startup-config

(Optional) Saves this configuration change.

This example shows how to create a VRF and add an interface to the VRF:

switch# configure terminal
switch(config)# vrf context RemoteOfficeVRF
switch(config-vrf)# exit
switch(config)# router ospf 201
switch(config-router)# vrf RemoteOfficeVRF
switch(config-router-vrf)# maximum-paths 4
switch(config-router-vrf)# interface ethernet 1/2
switch(config-if)# no switchport
switch(config-if)# vrf member RemoteOfficeVRF
switch(config-if)# ip address 192.0.2.1/16
switch(config-if)# ip router ospf 201 area 0
switch(config-if)# exit
switch(config)# copy running-config startup-config
 

Configuring a VRF-Aware Service

You can configure a VRF-aware service for reachability and filtering. See the “VRF-Aware Services” section for links to the appropriate chapter or configuration guide for information on how to configure the service for VRFs. This section uses SNMP and IP domain lists as example services for the detailed configuration steps.

SUMMARY STEPS

1.blank.gif configure terminal

2.blank.gif snmp-server host ip-address [ filter_vrf vrf-name ] [ use-vrf vrf-name ]

3.blank.gif vrf context [ vrf-name ]

4.blank.gif ip domain-list domain-name [ all-vrfs ] [ use-vrf vrf-name ]

5.blank.gif (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2

snmp-server host ip-address [ filter-vrf vrf-name ] [ use-vrf vrf-name ]

 

Example:

switch(config)# snmp-server host 192.0.2.1 use-vrf Red

switch(config-vrf)#

Configures a global SNMP server and configures the VRF that Cisco NX-OS uses to reach the service. Use the filter-vrf keyword to filter information from the selected VRF to this server.

Step 3

vrf context vrf-name

 

Example:

switch(config)# vrf context Blue

switch(config-vrf)#

Creates a new VRF.

Step 4

ip domain-list domain-name [ all-vrfs ][ use-vrf vrf-name ]

 

Example:

switch(config-vrf)# ip domain-list List all-vrfs use-vrf Blue

switch(config-vrf)#

Configures the domain list in the VRF and optionally configures the VRF that Cisco NX-OS uses to reach the domain name listed.

Step 5

copy running-config startup-config

 

Example:

switch(config)# copy running-config startup-config

(Optional) Saves this configuration change.

This example shows how to send SNMP information for all VRFs to SNMP host 192.0.2.1, reachable on VRF Red:

switch# configure terminal
switch(config)# snmp-server host 192.0.2.1 for-all-vrfs use-vrf Red
switch(config)# copy running-config startup-config
 

This example shows how to Filter SNMP information for VRF Blue to SNMP host 192.0.2.12, reachable on VRF Red:

switch# configure terminal
switch(config)# vrf definition Blue
switch(config-vrf)# snmp-server host 192.0.2.12 use-vrf Red
switch(config)# copy running-config startup-config
 

Setting the VRF Scope

You can set the VRF scope for all EXEC commands (for example, show commands). This automatically restricts the scope of the output of EXEC commands to the configured VRF. You can override this scope by using the VRF keywords available for some EXEC commands.

To set the VRF scope, use the following command in EXEC mode:

 

Command
Purpose

routing-context vrf vrf-name

 

Example:

switch# routing-context vrf red

switch%red#

Sets the routing context for all EXEC commands. Default routing context is the default VRF.

To return to the default VRF scope, use the following command in EXEC mode:

 

Command
Purpose

routing-context vrf default

 

Example:

switch%red# routing-context vrf default

switch#

Sets the default routing context.

Verifying the VRF Configuration

To display the VRF configuration information, perform one of the following tasks:

 

Command
Purpose

show vrf [vrf-name]

Displays the information for all or one VRF.

show vrf [vrf-name] detail

Displays detailed information for all or one VRF.

show vrf [vrf-name] [interface interface-type slot/port]

Displays the VRF status for an interface.

Configuration Examples for VRF

This example shows how to configure VRF Red, add an SNMP server to that VRF, and add an instance of OSPF to VRF Red:

configure terminal

vrf context Red

snmp-server host 192.0.2.12 use-vrf Red

router ospf 201

interface ethernet 1/2

no switchport

vrf member Red

ip address 192.0.2.1/16

ip router ospf 201 area 0

 

This example shows how to configure VRF Red and Blue, add an instance of OSPF to each VRF, and create an SNMP context for each OSPF instance in each VRF.:

configure terminal

!Create the VRFs

vrf context Red

vrf context Blue

!Create the OSPF instances and associate them with each VRF

feature ospf

router ospf Lab

vrf Red

router ospf Production

vrf Blue

!Configure one interface to use ospf Lab on VRF Red

interface ethernet 1/2

no switchport

vrf member Red

ip address 192.0.2.1/16

ip router ospf Lab area 0

no shutdown

!Configure another interface to use ospf Production on VRF Blue

interface ethernet 10/2

no switchport

vrf member Blue

ip address 192.0.2.1/16

ip router ospf Production area 0

no shutdown

!configure the SNMP server

snmp-server user admin network-admin auth md5 nbv-12345

snmp-server community public ro

!Create the SNMP contexts for each VRF
snmp-server context lab instance Lab vrf Red
snmp-server context production instance Production vrf Blue
 
Use the SNMP context lab to access the OSPF-MIB values for the OSPF instance Lab in VRF Red in this example.

Related Topics

The following topics can give more information on VRFs:

  • Cisco Nexus 6000 Series NX-OS Fundamentals Configuration Guide, Release 7.x
  • Cisco Nexus 6000 Series NX-OS System Management Configuration Guide, Release 7.x

Additional References

For additional information related to implementing virtualization, see the following sections:

Related Documents

Related Topic
Document Title

VRF CLI

Cisco Nexus 6000 Series Command Reference, Cisco NX-OS Releases 7.x

Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.