Simplifying Campus Network Virtualization with Easy Virtual Network (EVN)


2 Simplifying Campus Network Virtualization with Easy Virtual Network (EVN) Chris Le, Product Manager

3 Agenda Network Virtualization Easy Virtual Network Network Management in a Virtualized Environment NV WAN Architectures 3

4 Agenda Network Virtualization Easy Virtual Network Network Management in a Virtualized Environment NV WAN Architectures 4

5 What is Network Virtualization? One physical network supports multiple virtual networks Virtual Network Virtual Network Virtual Network Actual Physical Network 5

6 Network Virtualization Applications and Benefits Reduce Costs Secure & Comply Scalable & Flexible 6

7 Enterprise Network Design
[Diagram labels: Data Center 1, Data Center 2, WAN, Internet, Campus (Building 1, Building 2, Distribution Blocks), Branch 1, Branch 2, Branch 3; Red VRF, Green VRF and Yellow VRF appear at several sites]

8 MPLS-VPN Overview Red CE Blue ebgp CE3 Blue ebgp PE2 PE1 ebgp CE2 Provider Net MPLS VPN PE3 CE1 ebgp PE4 ebgp CE Common core Secure IP Address Overlap Red Blue 8

9 Path Isolation Functional Components Device virtualization Data path virtualization Hop-by-Hop VRF VRF Global Virtual Routing & Forwarding Table 802.1q Multi-Hop IP 9

10 Evolution of VRFs
- VRFs were born from MPLS-VPN
- VRFs grew into adolescence with Multi-VRF (aka VRF-Lite)
- EVN brings VRFs into maturity
[Diagram labels: MPLS-VPN VRFs, VRF-Lite, Easy Virtual Network]

11 Easy Virtual Network Key Technology Components
Route Replication
- Simplifies solution for Shared Services
- Inter-VRF and Global-to-VRF Unicast and Multicast Route Leaking
- Replaces traditional BGP based route-leaking
VNET Trunk
- Zero-Touch Virtual Network Interface Provisioning
- Simplifies Virtual Network Designs
- Simplifies Virtual Network Interface Management
Routing Context
- Per-VRF Routing Context
- Enhances usability and troubleshooting

12 Network Virtualization Technique Comparison Chart

Feature | VRF-lite | EVN | MPLS | SGA
Network Scale / Positioning | Low | Medium | Large | Large
VN Scale Limit | K 1K+
Operational Complexity | Medium | Low | High | Medium
Transport / Infrastructure | IP | IP | MPLS or GRE | IP
Troubleshooting | Medium | Low | High | High
Provisioning | Hop-by-Hop | Hop-by-Hop | LDP & mBGP | ISE & dACL
L2VPN Extension | No | No | Yes | Yes
WAN Extension | GRE, LISP, DMVPN | GRE, LISP, DMVPN | MPLS, MPLSoGRE, 2547oMPLS, L3VPNoMGRE | IP, L3-TF
Underlying Infrastructure | IP | IP | MPLS | IP
Multicast | Native | Native | mVPN or GRE | Native
QoS | COS/DSCP | COS/DSCP | EXP | COS/DSCP
Standards Based | Yes | Yes | Yes | No
MTU Considerations | No | No | Yes | L3-TF
Wired Support | Yes | Yes | Yes | Yes
Wireless Support | No | No | No | Yes
End-to-End | Yes | No | No | No
IPv6 support | Yes | No | Yes | Yes

13 VRF-Lite Overview Hop-by-hop configuration Standards based One interface per VRF No BGP or MPLS required Leverages campus design Limited scalability 13

14 VRF-Lite Interface Config Example
VRF-Lite Subinterface Config (the slide shows this configuration twice)

    ip vrf red
    ip vrf green
    interface TenGigabitEthernet1/1
     ip address
     ip pim query-interval 1
     ip pim sparse-mode
    interface TenGigabitEthernet1/1.101
     description Subinterface for Red VRF
     encapsulation dot1q 101
     ip vrf forwarding red
     ip address
     ip pim query-interval 1
     ip pim sparse-mode
    interface TenGigabitEthernet1/1.102
     description Subinterface for green VRF
     encapsulation dot1q 102
     ip vrf forwarding green
     ip address
     ip pim query-interval 1
     ip pim sparse-mode

15 VRF-Lite Packet Flows
- Global Traffic Is UnTagged (VRF Global: IGP Update, IP Data Packet)
- VRF Red: IGP Update and IP Data Packet carry VLAN ID 101
- VRF Green: IGP Update and IP Data Packet carry VLAN ID 102
- Red and Green Traffic Are Tagged with 802.1Q VLAN 101 and

16 VRF-Lite Routing Protocol Example

EIGRP Example

    router eigrp 100
     network
     passive-interface default
     no passive-interface vlan 2000
     no auto-summary
     address-family ipv4 vrf green autonomous-system 100
      network
      no auto-summary
     exit-address-family
     address-family ipv4 vrf red autonomous-system 100
      network
      no auto-summary
     exit-address-family

OSPF Example

    router ospf 1
     network area 0
     passive-interface default
     no passive-interface vlan 2000
    router ospf 100 vrf green
     network area 0
     no passive-interface vlan 2001
    router ospf 200 vrf red
     network area 0
     no passive-interface vlan

17 VRF-Lite End-to-End: How Does It Work?
- Create L2 VLANs at the edge of the network and trunk them to the first L3 device
- VRFs need to be defined on each L3 device; map the VLANs to a VRF
- IGPs are configured for each VRF on each L3 device
- Trunks need to be configured to carry each of the VRFs
- Create sub-interfaces and map them to the correct VRF
- Traffic is now carried end-to-end across the network, maintaining logical isolation between the defined groups
[Diagram labels: IGPs; VLAN 10 to VLAN 16 and VLAN 20 to VLAN 26]

18 Multi-AF VRF Structure
- Old VRF CLI only applies to IPv4 Address Family:

    ip vrf blue

- New VRF CLI allows multiple address families under same VRF (multi-protocol VRF):

    vrf definition blue

- Policies for the VRF can apply to IPv4 and IPv6 VPNs at the same time
- Routing tables are still different

19 Multi-AF VRF Structure
Existing IPv4 VRFs Will Need to Be Converted to Multi-AF VRFs to Support IPv6

    router(config)# vrf upgrade-cli multi-af-mode common-policies

Converts Existing Config

    ip vrf blue
     rd 2:2
     route-target export 2:2
     route-target import 2:2
    interface Ethernet0
     ip vrf forwarding blue
     ip address

to:

    vrf definition blue
     rd 2:2
     route-target export 2:2
     route-target import 2:2
     address-family ipv4
     exit-address-family
    interface Ethernet0
     vrf forwarding blue
     ip address

20 Agenda Network Virtualization Easy Virtual Network Network Management in a Virtualized Environment NV WAN Architectures 20

21 Easy Virtual Network End-to-End: How Does It Work?
- Create L2 VLANs at the edge of the network and trunk them to the first L3 device
- VRFs need to be defined on each L3 device; map the VLANs to a VRF
- IGPs are configured for each VRF on each L3 device
- Configure a VNET Trunk on each of the physical core interfaces. Uses the same 802.1Q tag
- Trunks are pre-provisioned for new VRFs
- When you add a new VRF you don't have to configure a new sub-interface. It is automatically done by the VNET Trunk.
[Diagram labels: IGPs; VLAN 10 to VLAN 16 and VLAN 20 to VLAN 26]

22 VRF-Lite and VNET Trunk Compatibility

VRF-Lite Subinterface Config

    interface TenGigabitEthernet1/1
     ip address
     ip pim query-interval 1
     ip pim sparse-mode
    interface TenGigabitEthernet1/1.101
     description Subinterface for Red VRF
     encapsulation dot1q 101
     ip vrf forwarding red
     ip address
     ip pim query-interval 1
     ip pim sparse-mode
    interface TenGigabitEthernet1/1.102
     description Subinterface for Green VRF
     encapsulation dot1q 102
     ip vrf forwarding green
     ip address
     ip pim query-interval 1
     ip pim sparse-mode

VNET Trunk Config

    interface TenGigabitEthernet1/1
     vnet trunk
     ip address
     ip pim query-interval 1
     ip pim sparse-mode

Global Config (EVN router has VNET Tags):

    vrf definition red
     vnet tag 101
    vrf definition green
     vnet tag 102

Both routers have VRFs defined.

23 What is VNET Tag VNET Tag is standards based and backward compatible 23

24 VRF Integration with L2 Edge: Multi-tier Deployment
[Diagram labels: Campus Core; Layer 3; Layer 2; Layer 2 Trunks; g1/0; g1/1; VLAN 21 Red, VLAN 22 Green, VLAN 23 Blue; VLAN 31 Red, VLAN 32 Green, VLAN 33 Blue]

    vrf definition red
     vnet tag 101
    vrf definition green
     vnet tag 102
    vrf definition blue
     vnet tag 103
    interface g1/0
     vnet trunk

    interface vlan 21
     vrf forwarding red
    interface vlan 22
     vrf forwarding green
    interface vlan 23
     vrf forwarding blue

    interface vlan 31
     vrf forwarding red
    interface vlan 32
     vrf forwarding green
    interface vlan 33
     vrf forwarding blue

25 EVN - Show Derived-config

Normal show run

    Router# show run
    ...
    interface Ethernet1/0
     vnet trunk
     ip address
     ip pim sparse-mode
    ...

show derived-config

    Router# show derived-config
    ...
    interface Ethernet1/0
     vnet trunk
     ip address
     ip pim sparse-mode
    interface Ethernet1/0.101
     description Subinterface for VNET red
     vrf forwarding red
     encapsulation dot1q 101
     ip address
     ip pim sparse-mode
    interface Ethernet1/0.102
     description Subinterface for VNET green
     vrf forwarding green
     encapsulation dot1q 102
     ip address
     ip pim sparse-mode
    ...

26 EVN - Show ip int Brief

    vrf definition red
     vnet tag 101
    vrf definition green
     vnet tag 102
    interface Ethernet1/0
     vnet trunk
     ip address
    interface Ethernet2/0
     vnet trunk
     ip address

show ip int brief - Displays All Subinterfaces

    Router# show ip int brief
    Interface    IP-Address   OK?  Method  Status  Protocol
    Ethernet1/                YES  NVRAM   up      up
    Ethernet1/                YES  NVRAM   up      up
    Ethernet1/                YES  NVRAM   up      up
    .
    Ethernet2/                YES  NVRAM   up      up
    Ethernet2/                YES  NVRAM   up      up
    Ethernet2/                YES  NVRAM   up      up

27 EVN - Show vnet, Show vnet int

show vnet - VRF names, Tags, Sub intf

    Router# show vnet
    Name    Tag   Protocols   Interfaces
    red     101   ipv4        Gi0/0/0.101  Gi0/0/3.101
    blue    102   ipv4        Gi0/0/0.102  Gi0/0/3.102
    Green   103   ipv4        Gi0/0/0.103

show vnet int - Info sorted by int, status, ip address

    es1-asr-w8# show vnet int
    Interface     State   VNET Tag   IP-Address
    Gi0/0/0.101   Up      red
    Gi0/0/0.102   Up      blue
    Gi0/0/0.103   Up      green
    Gi0/0/3.101   Up      red
    Gi0/0/3.102   Up      blue
    Gi0/0/3.103   Up      green

28 VNET Trunk Overriding Inheritance
Specific Interface Commands Can Be Overridden on a per VRF Basis

VRF-Lite Subinterface Config

    interface TenGigabitEthernet1/1
     ip address
     ip ospf cost 20
     ip pim sparse-mode
    interface TenGigabitEthernet1/1.101
     description Subinterface for Red VRF
     encapsulation dot1q 101
     ip vrf forwarding red
     ip address
     ip ospf cost 20
     ip pim sparse-mode
    interface TenGigabitEthernet1/1.102
     description Subinterface for Green VRF
     encapsulation dot1q 102
     ip vrf forwarding green
     ip address
     ip ospf cost 30

VNET Trunk Config

    interface TenGigabitEthernet1/1
     vnet trunk
     ip address
     ip ospf cost 20
     ip pim sparse-mode
     vnet name green
      no ip pim sparse-mode
      ip ospf cost 30

Global Config:

    vrf definition red
     vnet tag 101
    vrf definition green
     vnet tag

29 VRF List: Specify VRFs Carried on Trunks
[Diagram labels: routers R1 to R7; Red VRF, Green VRF, Yellow VRF; Group A (Red VRF, Yellow VRF); Group B (Red VRF, Green VRF)]

Group A:

    vrf list group-a
     member red
     member yellow
    interface g1/0
     vnet trunk vrf-list group-a

Group B:

    vrf list group-b
     member red
     member green
    interface g2/0
     vnet trunk vrf-list group-b
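The expansion that slides 22, 25, 28 and 29 describe, as an added Python example (not Cisco code and not part of the original slides): it models how a `vnet trunk` turns into per-VRF subinterfaces, honouring a VRF list and `vnet name` overrides, so you can see which VRFs each link carries. The sample config, its addresses and the rule that an override replaces the inherited command differing only in its last word are assumptions made for the illustration.

```python
import re

# Constructed sample (not from the slides): addresses are documentation
# prefixes; "vnet trunk vrf-list" is written the way slide 29 shows it.
SAMPLE_CONFIG = """\
vrf definition red
 vnet tag 101
vrf definition green
 vnet tag 102
vrf definition blue
 vnet tag 103
vrf list group-a
 member red
 member green
interface TenGigabitEthernet1/1
 vnet trunk vrf-list group-a
 ip address 192.0.2.1 255.255.255.252
 ip ospf cost 20
 ip pim sparse-mode
 vnet name green
  no ip pim sparse-mode
  ip ospf cost 30
interface TenGigabitEthernet1/2
 vnet trunk
 ip address 192.0.2.5 255.255.255.252
"""


def parse(config):
    """Return (vnet tags, vrf lists, interfaces) from an indented config."""
    tags, lists, intfs = {}, {}, {}
    section, vnet = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            m = re.match(r"(vrf definition|vrf list|interface) (\S+)$", line)
            section, vnet = (m.groups() if m else None), None
            if m and m.group(1) == "interface":
                intfs[m.group(2)] = {"trunk": False, "list": None,
                                     "base": [], "override": {}}
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "vrf definition":
            m = re.match(r"vnet tag (\d+)$", line)
            if m:
                tags[name] = int(m.group(1))
        elif kind == "vrf list":
            m = re.match(r"member (\S+)$", line)
            if m:
                lists.setdefault(name, []).append(m.group(1))
        elif indent == 1:
            vnet = None
            trunk = re.match(r"vnet trunk(?: (?:vrf-list|list) (\S+))?$", line)
            sub = re.match(r"vnet name (\S+)$", line)
            if trunk:
                intfs[name]["trunk"], intfs[name]["list"] = True, trunk.group(1)
            elif sub:
                vnet = sub.group(1)
                intfs[name]["override"][vnet] = []
            else:
                intfs[name]["base"].append(line)  # inherited by every VRF
        elif vnet:
            intfs[name]["override"][vnet].append(line)
    return tags, lists, intfs


def _stem(cmd):
    """Command minus its last word: pairs 'ip ospf cost 30' with 'ip ospf cost 20'."""
    words = cmd.split()
    return " ".join(words[:-1]) if len(words) > 1 else cmd


def apply_overrides(base, overrides):
    """Apply per-VRF overrides to the commands inherited from the trunk."""
    cmds = list(base)
    for ov in overrides:
        if ov.startswith("no "):
            cmds = [c for c in cmds if c != ov[3:]]
        elif any(_stem(c) == _stem(ov) for c in cmds):
            cmds = [ov if _stem(c) == _stem(ov) else c for c in cmds]
        else:
            cmds.append(ov)
    return cmds


def derive(config):
    """Map each derived subinterface name to its command list."""
    tags, lists, intfs = parse(config)
    derived = {}
    for name, intf in intfs.items():
        if not intf["trunk"]:
            continue
        if intf["list"] is None:          # no VRF list: every tagged VRF rides the trunk
            members = sorted(tags, key=tags.get)
        else:                             # VRF list: only its members
            members = [v for v in lists.get(intf["list"], []) if v in tags]
        for vrf in members:
            derived[f"{name}.{tags[vrf]}"] = [
                f"description Subinterface for VNET {vrf}",
                f"vrf forwarding {vrf}",
                f"encapsulation dot1q {tags[vrf]}",
            ] + apply_overrides(intf["base"], intf["override"].get(vrf, []))
    return derived


if __name__ == "__main__":
    for subif, body in derive(SAMPLE_CONFIG).items():
        print(f"interface {subif}")
        for cmd in body:
            print(f" {cmd}")
```

Running it on the sample shows that the trunk without a VRF list carries red, green and blue, while the trunk restricted to group-a never gets a blue subinterface.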

30 VRF Simplification - Trunk Advantage

VRF-Lite Subinterfaces

    interface TenGigabitEthernet1/1.101
     description 10GE to core 3
     encapsulation dot1q 101
     ip vrf forwarding red
     ip address
     ip pim query-interval 1
     ip pim sparse-mode
    interface TenGigabitEthernet1/1.102
     description 10GE to core 3
     encapsulation dot1q 102
     ip vrf forwarding green
     ip address
     ip pim query-interval 1
     ip pim sparse-mode

VRF-Lite Requires 1 Point-to-Point Subinterface Configuration per VRF per Physical Interface

VNET Trunks

    interface TenGigabitEthernet1/1
     description 10GE to core 3
     vnet trunk
     ip address
     ip pim query-interval 1
     ip pim sparse-mode

VNET Trunks Requires 1 Point-to-Point Trunk Configuration per Physical Interface

[Table columns: Virtual Networks, Neighbors, VRF Subinterfaces, VNET Trunks]

31 Routing Context

IOS CLI

    Router# show ip route vrf red
      Routing table output for red
    Router# ping vrf red
      Ping result using VRF red
    Router# telnet /vrf red
      Telnet to in VRF red
    Router# traceroute vrf red
      Traceroute output in VRF red

IOS CLI Routing Context

    Router# routing-context vrf red
    Router%red#
    Router%red# show ip route
      Routing table output for red
    Router%red# ping
      Ping result using VRF red
    Router%red# telnet
      Telnet to in VRF red
    Router%red# traceroute
      Traceroute output in VRF red

32 VRF Aware Show Run
Displays:
- VRF Definitions
- Interfaces in VRFs
- Protocol configs for Multi-VRF

    router# show run vrf green
    vrf definition green
     address-family ipv4
     exit-address-family
    interface GigabitEthernet0/1
     vrf forwarding green
     ip address
    interface Tunnel2
     vrf forwarding green
     ip address
     tunnel source Loopback101
     tunnel destination
    router eigrp 100
     address-family ipv4 vrf green
      network
      autonomous-system 102
     exit-address-family

33 EVN - VRF Verification & Operator Interface

VRF Traceroute

    Router%Red# trace
    Tracing the route to
    VRF info: (vrf in name/id, vrf out name/id)
    (red/1001, red/1001)
    (red/1001, red/1001)

    Router%Red# trace
    Tracing the route to
    VRF info: (vrf in name/id, vrf out name/id)
    (red/1001, red/1001)
    (red/1001, green/1002)
    (green/1002, green/1002)
    4 * * *

VRF Instrumentation
- Improved CLI for VRF-aware SNMP
- New CISCO-VRF-MIB for VRF discovery and management

VRF-Aware Debug

    R2# debug condition vrf red
    R2# debug condition vrf blue
    R2# debug ip ospf hello
    R2# debug ip ospf spf

34 Shared Services
Services That You Don't Want to Duplicate:
- Internet Gateway
- NAT / DMZ
- DNS
- DHCP
- Hosted Content
- Firewall
[Diagram labels: Route Leak, Route-Replicate]

35 EVN Route-Replication for Shared Services

Before: EVN Route-Replicate

    ip vrf SHARED
     rd 3:3
     route-target export 3:3
     route-target import 1:1
     route-target import 2:2
    ip vrf RED
     rd 1:1
     route-target export 1:1
     route-target import 3:3
    ip vrf GREEN
     rd 2:2
     route-target export 2:2
     route-target import 3:3
    router bgp
     bgp log-neighbor-changes
     address-family ipv4 vrf SHARED
      redistribute ospf 3
      no auto-summary
      no synchronization
     exit-address-family
     address-family ipv4 vrf RED
      redistribute ospf 1
      no auto-summary
      no synchronization
     exit-address-family
     address-family ipv4 vrf GREEN
      redistribute ospf 2
      no auto-summary
      no synchronization
     exit-address-family

After: EVN Route-Replicate

    vrf definition SHARED
     address-family ipv4
      route-replicate from vrf RED unicast all route-map red-map
      route-replicate from vrf GREEN unicast all route-map grn-map
    vrf definition RED
     address-family ipv4
      route-replicate from vrf SHARED unicast all
    vrf definition GREEN
     address-family ipv4
      route-replicate from vrf SHARED unicast all

36 EVN Route-Replication Advantages No BGP No Route Distinguisher No Route Targets No Import / Export Supports Unicast and Multicast 36

37 Route Redistribution
- Creates a copy for each routing process or protocol
- Each VRF has a separate RIB

    router ospf 1
     network area 0
    router ospf 2
     redistribute ospf 1 subnets

[Tables: RIB (Routing Information Base), OSPF Process 1 and OSPF Process 2, each with columns Route, Type, Dest Int, NextHop]

38 Route Replication
- Creates a link to a route in RIB from a VRF

    router ospf 99 vrf services
     network area 0
    router ospf 98 vrf user-a
     network area 0
    vrf definition services
     address-family ipv4
      route-replicate from vrf user-a unicast all
     exit-address-family
    vrf definition user-a
     address-family ipv4
      route-replicate from vrf services unicast all
     exit-address-family

[Tables: RIB VRF Services and RIB VRF User-A, each with columns Route, Type, Dest Int, NextHop]

39 Route Replication Output
The routes now show up in the destination VRF with a + and the source VRF identified

    Router# routing-context vrf user-a
    Router%user-a# show ip route
    Routing Table: user-a
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP
           + - replicated route, % - next hop override
    Gateway of last resort is not set
    /8 is variably subnetted, 124 subnets, 4 masks
    ...
    O /24 [110/2] via (services), 1d04h, GigabitEthernet0/1
    O /24 [110/4] via (services), 1d04h, GigabitEthernet0/1
    O /24 [110/3] via (services), 1d04h, GigabitEthernet0/1
    C /24 is directly connected (services), GigabitEthernet0/1
    L /32 is directly connected (services), GigabitEthernet0/1

40 Route Replication Output
The routes show up in the RIB as replicated with the same OSPF metrics, distance, next hop, etc.

    Router# routing-context vrf services
    Router%services# show ip route
    Routing Table: services
    Routing entry for /24
      Known via "ospf 99", distance 110, metric 2, type intra area
      Last update from on GigabitEthernet0/1, 1d05h ago
      Routing Descriptor Blocks:
      * , from , 1d05h ago, via GigabitEthernet0/1
          Route metric is 2, traffic share count is 1

    Router%services# routing-context vrf user-a
    Router%user-a# show ip route
    Routing Table: user-a
    Routing entry for /24
      Known via "ospf 99", distance 110, metric 2, type intra area, replicated
      Last update from on GigabitEthernet0/1, 1d05h ago
      Routing Descriptor Blocks:
      * (services), from , 1d05h ago, via GigabitEthernet0/1
          Route metric is 2, traffic share count is 1

41 Shared Services Using Route Replication
[Diagram labels: R1, R2, R3, R4; Fusion Point; prefixes /8, /8, /24]
- R1 show ip route vrf services: Routes to /8 and /8
- R4 Does Not Have Routes to /8 and /8: Need Route Redistribution on R
- R1 and R2 Do Not Have Route to: Need Route Redistribution on R3

    vrf definition services
     route-replicate from vrf RED unicast all route-map red-map
     route-replicate from vrf GREEN unicast all route-map grn-map
    vrf definition red
     route-replicate from vrf SERVICES unicast all
    vrf definition green
     route-replicate from vrf SERVICES unicast all

42 Shared Services Using Route Replication and Redistribution
[Diagram labels: R1, R3; prefixes /8, /24]
- R1 show ip route vrf services: Routes to /8 and /
- show ip route vrf green: Route to Through R3

    router ospf 99 vrf services
     redistribute vrf red ospf 98 subnets
     redistribute vrf green ospf 97 subnets
    router ospf 98 vrf red
     redistribute vrf services ospf 99 subnets
    router ospf 97 vrf green
     redistribute vrf services ospf 99 subnets

43 Route Import / Export Before: Route-Replication
VRF to VRF
- No issues
Global to/from VRF
- Static routes can be used
- Limited to 5 VRFs, 1000 routes per VRF
- import map <route-map> / export map <route-map>
- Route Replication adds this functionality
Alternate approach
- Put services in VRF and leak routes

44 Route Replication Between Global and VRF
Route replication enables the ability to dynamically share routes between the global/default VRF and a user defined VRF

    vrf definition services
     address-family ipv4
      route-replicate from vrf global unicast all route-map g-map
     exit-address-family
    global-address-family ipv4
     route-replicate from vrf services unicast all route-map services-map
    router ospf 10 vrf services
     redistribute connected subnets
     redistribute vrf global ospf 1 subnets
     network area 0
    router ospf 1
     redistribute vrf services ospf 10 subnets
     network area 0
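An added Python example (not from the slides and not Cisco tooling) that reads `route-replicate` statements of the form shown on slides 35 to 44 and reports where VRF isolation has been relaxed: replication with no route-map, route-maps that are referenced but not defined in the file, source VRFs that are not defined, and VRF pairs that each hold the other's routes. The sample config, the prefix-list names and the GUEST VRF are constructed for the illustration.

```python
import re
from collections import namedtuple

Leak = namedtuple("Leak", "dst src route_map")

# Constructed sample modelled on slides 35 and 44. GUEST refers to "shared"
# in lower case on purpose: VRF names are case-sensitive.
SAMPLE_CONFIG = """\
vrf definition SHARED
 address-family ipv4
  route-replicate from vrf RED unicast all route-map red-map
  route-replicate from vrf GREEN unicast all route-map grn-map
 exit-address-family
vrf definition RED
 address-family ipv4
  route-replicate from vrf SHARED unicast all
 exit-address-family
vrf definition GREEN
 address-family ipv4
  route-replicate from vrf SHARED unicast all
 exit-address-family
vrf definition GUEST
 address-family ipv4
  route-replicate from vrf shared unicast all
 exit-address-family
global-address-family ipv4
 route-replicate from vrf SHARED unicast all route-map services-map
route-map red-map permit 10
 match ip address prefix-list RED-TO-SHARED
route-map services-map permit 10
 match ip address prefix-list SHARED-TO-GLOBAL
"""

REPLICATE = re.compile(
    r"route-replicate from vrf (\S+) (?:unicast|multicast) (.+?)"
    r"(?: route-map (\S+))?$"
)


def parse(config):
    """Return (leaks, defined VRF names, defined route-map names)."""
    leaks, vrfs, route_maps = [], {"global"}, set()
    dst = None  # VRF whose table receives the replicated routes
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # top-level command starts a new section
            dst = None
            m = re.match(r"vrf definition (\S+)$", line)
            if m:
                dst = m.group(1)
                vrfs.add(dst)
            elif line.startswith("global-address-family"):
                dst = "global"
            elif line.startswith("route-map "):
                route_maps.add(line.split()[1])
            continue
        m = REPLICATE.match(line)
        if m and dst:
            leaks.append(Leak(dst, m.group(1), m.group(3)))
    return leaks, vrfs, route_maps


def audit(config):
    """Summarise every place where routes cross a VRF boundary."""
    leaks, vrfs, route_maps = parse(config)
    edges = {(l.src, l.dst) for l in leaks}
    return {
        # (destination, source) pairs replicated with no filter at all
        "unfiltered": [(l.dst, l.src) for l in leaks if l.route_map is None],
        # filters that are named but missing from this config
        "undefined_route_maps": sorted(
            {l.route_map for l in leaks
             if l.route_map and l.route_map not in route_maps}),
        # sources that match no defined VRF (typos, case mismatches)
        "unknown_sources": sorted({l.src for l in leaks if l.src not in vrfs}),
        # pairs with routes in both directions, so traffic can flow both ways
        "two_way": sorted(
            {tuple(sorted(e)) for e in edges if (e[1], e[0]) in edges}),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample, RED and GREEN each exchange routes with SHARED but never with each other, which is the shared-services pattern the slides describe; the report also surfaces the missing `grn-map` and the misspelled source VRF.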

45 QOS Deployment Models In Virtualized Environments Aggregate Model Prioritized VRF Model QOS is VRF Independent Leverage Existing Best Practices 45

46 Typical QoS Deployment Without Network Virtualization
[Diagram: Campus and Branches 1 to 3 connected over the WAN; Classify and Mark Traffic at Edge; DSCP Egress QOS on the WAN Int with classes Voice, Video, Best Effort, Scavenger]

47 Typical QoS Deployment With NV: Aggregate Model
[Diagram: Campus and Branches 1 to 3 connected over the WAN, each carrying Red VRF and Green VRF; Classify and Mark Traffic at Edge; DSCP Egress QOS with classes Voice, Video, Best Effort, Scavenger; Traffic Aggregated Across VRFs]

48 Typical QoS Deployment With NV: Prioritized VRF
[Diagram: Campus and Branches 1 to 3 connected over the WAN, carrying Red VRF and Green VRF; Classify and Mark Traffic at Edge; DSCP Egress QOS with classes Voice, Video, Best Effort, Scavenger; Branch 3 shows only Best Effort and Scavenger]
Guest VRF only uses 2 classes

49 Agenda Network Virtualization Easy Virtual Network Network Management in a Virtualized Environment NV WAN Architectures 49

50 Network Management Strategy for NV
Manage the network through the Global VRF
- Must be accessible to all devices
- Routers managed normally
Create a Management VRF
- Must be accessible to all devices
- Common among SPs
- VRF-aware required features

51 IPv4 VRF Aware Services

Feature | ISR | ASR1K | Cat6K | Cat4K | Cat3K
ping | Yes | Yes | Yes | Yes | Yes
traceroute | Yes | Yes | Yes | Yes | Yes
telnet | Yes | Yes | Yes | Yes | Yes
ssh | Yes | Yes | Yes | Yes | Yes
tftp/ftp | Yes | Yes | Yes | Yes | Yes
snmp | Yes | Yes | Yes | Yes | Yes
syslog | Yes | Yes | Yes | Yes | Yes
ntp | Yes | Yes | Yes | Yes | Yes
TACACS | Yes | Yes | Yes | Yes | Yes
RADIUS | Yes | Yes | Yes | Yes | No
netflow | Yes | Yes | Yes | Yes | No
DNS | Yes | Yes | CY14 | 1HCY14 | Yes
IP SLA | Yes | Yes | Yes | Yes | Yes
ERSPAN | No | Yes | Yes | No | No
DHCP Relay | Yes | Yes | 1HCY14 | Yes | Yes
routing-context | Yes | Yes | Yes | Yes | No

Yes: Feature completely supported or CC (concept committed)
No: Feature NOT supported or pre-CC (pre-concept committed)

52 Ping / Traceroute / Telnet
Platform support: ISR, ASR1K, C6K, C4K, C3K: Yes

Ping, Traceroute and Telnet Are All VRF Aware

    ping vrf green
    traceroute vrf green
    telnet /vrf red

These Commands All Have Keywords to Operate Within a VRF

If an Access-Class Is Configured on the VTY:
- Telnet and ssh from VRFs will be denied without the vrf-also keyword
- With vrf-also, sessions will be allowed based on ACL
- No way to have separate access classes for each VRF

    line vty 0 15
     access-class 10 in vrf-also
     login
     transport input telnet ssh
    access-list 10 permit
    access-list 10 permit
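An added Python example (not from the slides) that audits `line vty` blocks for the behaviour slide 52 describes and models the consequence of a single ACL with `vrf-also`: the ACL matches on source address only, so where VRFs use overlapping addresses a permitted address is accepted from any of them. The sample config and addresses are constructed, only numbered standard ACLs with contiguous wildcards are handled, and a line with no access-class is assumed to apply no source filtering.

```python
import ipaddress
import re

# Constructed sample; addresses are documentation prefixes.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 10 permit 198.51.100.0 0.0.0.255
line vty 0 4
 access-class 10 in vrf-also
 login
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
line vty 16 20
 transport input ssh
"""


def parse_acls(config):
    """Numbered standard ACLs -> ordered list of (action, network)."""
    acls = {}
    pattern = r"^access-list (\d+) (permit|deny) (.+)$"
    for num, action, rest in re.findall(pattern, config, re.M):
        words = rest.split()
        if words[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif words[0] == "host":
            net = ipaddress.ip_network(words[1] + "/32")
        else:
            wildcard = 0
            if len(words) > 1 and re.fullmatch(r"[\d.]+", words[1]):
                wildcard = int(ipaddress.IPv4Address(words[1]))
            prefix = 32 - bin(wildcard).count("1")  # contiguous wildcard assumed
            net = ipaddress.ip_network(f"{words[0]}/{prefix}", strict=False)
        acls.setdefault(num, []).append((action, net))
    return acls


def findings(vty):
    """Short finding codes for one 'line vty' block."""
    out = []
    if vty["acl"] is None:
        out.append("NO_INBOUND_ACL")
    elif vty["vrf_also"]:
        out.append("ONE_ACL_FOR_ALL_VRFS")   # no per-VRF access classes exist
    else:
        out.append("VRF_SESSIONS_DENIED")    # sessions from VRFs are refused
    if {"telnet", "all"} & set(vty["transports"]):
        out.append("TELNET_ALLOWED")
    return out


def parse_vty(config):
    """Return one dict per 'line vty' block, including its findings."""
    vtys, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            cur = None
            if re.match(r"line vty (\d+)(?: (\d+))?$", line):
                cur = {"lines": line[len("line vty "):], "acl": None,
                       "vrf_also": False, "transports": []}
                vtys.append(cur)
            continue
        if cur is None:
            continue
        acl = re.match(r"access-class (\S+) in( vrf-also)?$", line)
        tin = re.match(r"transport input (.+)$", line)
        if acl:
            cur["acl"], cur["vrf_also"] = acl.group(1), bool(acl.group(2))
        elif tin:
            cur["transports"] = tin.group(1).split()
    for vty in vtys:
        vty["findings"] = findings(vty)
    return vtys


def session_allowed(vty, acls, src, vrf=None):
    """Model of slide 52: vrf=None means the session arrives in the global table."""
    if vty["acl"] is None:
        return True                       # assumption: no source filtering
    if vrf is not None and not vty["vrf_also"]:
        return False                      # denied without the vrf-also keyword
    addr = ipaddress.ip_address(src)
    for action, net in acls.get(vty["acl"], []):
        if addr in net:                   # the VRF is not part of the match
            return action == "permit"
    return False                          # implicit deny at the end of the ACL


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for vty in parse_vty(SAMPLE_CONFIG):
        print(vty["lines"], vty["findings"],
              session_allowed(vty, acls, "192.0.2.10", vrf="red"))
```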

53 SSH and SCP
Platform support: ISR, ASR1K, C6K, C4K, C3K: Yes

SSH is VRF Aware

    ssh -vrf red -l john

- SSH uses vrf keyword to connect through VRF
- SSH server on router is VRF aware to receive connections
- Cat3k does not support ssh client (CLI) but does support server

    ip ssh source-interface loopback 252
    interface loopback 252
     ip vrf forwarding red

You Can Set the Source-Interface Inside a VRF. Some SPs require a connection from a particular IP address.

SCP Is Not VRF Aware

    router# copy scp:// /latest-image disk2:

You cannot use SCP to copy a file inside a VRF

54 TFTP and FTP
Platform support: ISR, ASR1K, C6K, C4K, C3K: Yes

TFTP and FTP Are VRF Aware

    router# copy tftp:// /latest-image disk2:
    router# copy ftp:// /latest-image disk2:

These Commands Do Not Have a VRF Keyword. They Operate in a VRF by Setting the Source Interface to a VRF Interface:

    ip tftp source-interface loopback 1
    ip ftp source-interface loopback 1
    interface loopback 1
     ip vrf forwarding red

55 What Is VRF Aware SNMP?
Platform support: ISR, ASR1K, C6K, C4K, C3K: Yes

If a MIB Is VRF Aware Then:
- SNMP gets and sets can be made to the individual VRFs
- The MIB will have the ability to detect conditions for a trap inside of a VRF and look up the additional information in the VRF context
- Traps will be sent to a manager located inside a VRF

    snmp-server host vrf blue

56 VRF Aware and VRF Independent MIBS Partial List of MIBs with VRF Information: MPLS-VPN-MIB MPLS-L3VPN-STD-MIB MPLS-LSR-STD-MIB MPLS-LDP-STD-MIB IF-MIB CISCO-PING-MIB IP-FORWARD-MIB IP-MIB OSPF-MIB CISCO-EIGRP-MIB CISCO-CEF-MIB CISCO-IETF-ISIS-MIB CISCO-IPSEC-MIB CISCO-IPSEC-FLOW-MONITOR-MIB CISCO-MVPN-MIB IGMP-STD-MIB IPMROUTE-STD-MIB CISCO-IPMROUTE-MIB PIM-MIB CISCO-PIM-MIB MSDP-MIB VRF Independent MIBS are RED 56

57 MPLS-VPN MIB Useful Objects
MPLS-VPN-MIB
- Based on draft-ietf-ppvpn-mpls-vpn-mib-03
- Available on platforms that support MPLS
MPLS-L3VPN-STD-MIB
- Based on RFC 4382
- Will be replacing MPLS-VPN-MIB
Key Objects in MPLS-VPN-MIB
- mplsVpnConfiguredVrfs: Number of VRFs configured
- mplsVpnVrfOperStatus: VRF is configured on interface that is up
- mplsVpnVrfRouteNextHop: Next hop (neighbor) for routes in VRF

58 CISCO-VRF-MIB Useful Objects
CISCO-VRF-MIB
- Developed by Cisco for routers that do not have MPLS
- Contains additional information for EVN: VNET Tags, etc.
Key Objects in CISCO-VRF-MIB
- cvVrfName: Name of VRFs configured (blue, red, etc.)
- cvVrfVnetTag: VNET Tags configured per VRF
- cvVrfOperStatus: VRF is configured on interface that is up
- cvVrfRouteDistProt: IGPs that are configured per VRF (OSPF, EIGRP, etc.)

59 Monitoring with VRF Aware MIBs Example

Before Simplified CLI

    snmp-server view mcastview pim included
    snmp-server context blue_ctx
    ip vrf blue
     context blue_ctx
    snmp-server user blue_comm blue_group v2c
    snmp-server group blue_group v2c context blue_ctx read mcastview write mcastview notify mcastview
    snmp mib community-map blue_comm context blue_ctx
    snmp-server host vrf blue version 2c blue_comm pim

After Simplified CLI

    vrf definition blue
     address-family ipv4
      snmp context blue community blue_comm RW
     exit-address-family
    snmp-server host vrf blue version 2c blue_comm

SNMP query with a Community String of blue_comm returns data for VRF Blue

60 Syslog in a VRF
Platform support: ISR, ASR1K, C6K, C4K, C3K: Yes

Syslog can be configured to forward to a log server in a VRF

    logging host vrf red
    logging host vrf blue

- All syslogs will be sent to all log servers
- The transport is VRF aware, not the content
- The source address will be the address of the egress interface. The source interface cannot be set in a VRF.

    router(config)#logging source-interface loopback 999
    Interface Loopback999 is not in the global table

- Addresses of the router egress interfaces could be entered into the Host File on the server so they could be identified.

* Fix for Cat6k shipped in 12.2(33)SXJ1. Other platforms: Future Releases

61 NTP in a VRF
Platform support: ISR, ASR1K, C6K, C4K, C3K: Yes

NTP Is VRF Aware

    ntp server vrf green
    ntp peer vrf green
    ntp source FastEthernet5/0

- NTP servers and peers can be in a VRF
- Routers can set source interface to be in a VRF

62 AAA/TACACS/RADIUS in a VRF
Platform support: ISR, ASR1K, C6K, C4K, C3K: Yes (*No RADIUS Support)

TACACS and RADIUS Servers Can Be Configured in a VRF.

Example TACACS Config:

    aaa group server tacacs+ tacacs1
     server-private port 19 key red
     ip vrf forwarding red
    ip tacacs source-interface Loopback0
    interface Loopback0
     ip address
     ip vrf forwarding red

Example RADIUS Config:

    aaa group server radius red
     server-private auth-port 1645 acct-port 1646 key ww
     ip vrf forwarding red
    ip radius source-interface loopback0
    radius-server attribute 44 include-in-access-req vrf red

63 NetFlow VRF Aware ISR, ASR1K, C6K, C4K, Yes NetFlow is VRF independent Flow info can be collected for any interface in any VRF Devices export flows to the collector through a VRF NetFlow is now supported on the Cat3K 63

64 How Do Netflow Collectors Correlate Flows with VRFs?
- NetFlow is VRF agnostic
- Collects info for any VRF
- NFC uses SNMP to find out VRF membership on interfaces
[Diagram: Traffic enters a NetFlow Enabled Device on Fa5/1; flow fields are Source IP Address, Destination IP Address, Source Port, Destination Port, Layer 3 Protocol, TOS byte (DSCP), Input Interface; the NetFlow Export Packet carries Src IP, Dest IP, IF Index; the Netflow Collector issues an SNMP Query (IF-MIB: Interface Name; MPLS-VPN MIB: VRF Info) and produces a Traffic Analysis Report with columns VRF, Input Int, Pkts, Prot, NextHop]

65 DNS
Platform support: ISR, ASR1K, C3K, C3K-X: Yes; C6K: CY14

DNS is VRF Aware

    ip name-server vrf green
    ip domain lookup source-interface FastEthernet5/0

- The Router Can Perform a Name Lookup to a Server in a VRF.
- The Name-Server Must Be Configured with the VRF Keyword.
- The Source-Interface Can Be Specified If Required.
- VRF Aware DNS is not supported on Cat6k and Cat4k until CY14
- Workaround: Setup DNS as a Shared Service

    ip host vrf green MAIL-SERVER

Static Host Entries Can Be Configured Inside a VRF

66 IP SLA
Platform support: ISR, ASR1K, C6K, C4K, C3K: Yes

IP SLA is VRF Aware
- IP SLA can measure response time inside VRFs
- Starting 12.2(2)T, 12.2(33)SXH, 12.2(40)SE: ICMP echo, ICMP path echo, ICMP path jitter, UDP echo, UDP jitter
- Starting 12.4(6)T: ICMP Jitter
- Starting 12.4(20)T, 15.1(1)T: TCP Connect, FTP, HTTP, DNS
- IP SLA IPv6 VRF Aware 12.4(20)T: ICMP Echo, UDP Echo, UDP Jitter, TCP Connect

    ip sla 1
     udp-jitter vrf red
    ip sla schedule 4 start-time now life forever

67 ERSPAN in a VRF
Platform support: ASR1K, C6K: Yes; ISR, C4K, C3K: No
- ERSPAN can monitor flows in any VRF
- Captures can be exported (transported) in a VRF
- ASR1K cannot export through the Mgmt VRF but may be exported through any other VRF
- No support for ERSPAN on Cat4K, Cat3K

68 DHCP in Multi-VRF
Platform support: ISR, ASR1K, C6K, C4K, C3K: Yes

Separate DHCP Server for Each VRF
- Use discrete VMs
- Each administered separately
- Supports address overlap between VRFs
Shared Server with No Address Overlap
- DHCP Server IP address (IP Helper addr) is redistributed using BGP/Extranet, fusion router or Route Replication
Shared Server that Is VRF Aware
- Requires VRF Aware DHCP Relay
- Supports address overlap between VRFs
- Cisco Network Registrar v5.5 supports VPN option (Option 82)

69 DHCP in Multi-VRF (Cont.)
Dedicated Servers per VRF or Shared Servers Without Address Overlap Are Configured Normally:

    ip helper-address

The DHCP Server Must Be Reachable in the Client VRF

Shared Servers that Are VRF Aware Need VPN Options:

    ip dhcp relay information option vpn
    interface ethernet 0/1
     ip helper-address vrf red

DHCP VPN Options (Option 82) Includes These Fields:
- VPN identifier: VRF name if configured on the interface
- Subnet selection: Incoming interface subnet address
- Server identifier override: Incoming interface IP address

70 Agenda Network Virtualization Easy Virtual Network Network Management in a Virtualized Environment NV WAN Architectures 70

71 WAN Options for EVN
[Diagram: EVN sites carrying Red VRF, Green VRF and Yellow VRF, connected by eBGP across four WAN options: Multi-VRF MPLS-VPN; MP-BGP L3VPNoMGRE over a Single VRF IP Service; DMVPN (Encryption) over a Single VRF IP Service; LISP over a Single VRF IP Service]

72 Extending EVN over the WAN
Leverage MPLS-VPN for EVN Extension
[Diagram labels: R3, VNET Trunk (VNET Tag = 10), OSPF, E 0/0, R1 (MPLS VPN + VNET), E 1/0, BGP Update, WAN MPLS, R2, VNET Trunk, OSPF, R4]

    vrf definition red
     vnet tag 10
     rd 1:1
     route-target export 1:1
     route-target import 1:1
     address-family ipv4
     exit-address-family

- VNET Tag Applied under the vrf Definition
- Typical RD and RT config used to inject routes from VNET Trunk to MPLS WAN

73 Multi-VRF Across IP Based WAN
How to get provider transparency?
[Diagram labels: Red and Blue customer sites carrying Red VRF, Green VRF and Yellow VRF; CE, CE1, CE2, CE3; PE1, PE2, PE3; Provider Net MPLS VPN]

74 MPLS VPNs over mGRE (a.k.a. L3VPNoMGRE)
[Diagram labels: Enterprise MPLS; Campus-PE; RR; mGRE; E-PE; IP Service; Branch LAN; Remote Branches; VPNv4 Label over GRE Encapsulation; legend: 802.1q Trunk, Physical Cable, GRE Tunnels]

75 MPLS VPN over mGRE Control Plane
[Diagram labels: Branch Site, E-PE, mGRE, iBGP, SP Cloud AS 1, eBGP, E-PE, MPLS Campus/MAN, RR]

    interface Loopback0
     ip address
    router bgp
     no bgp default ipv4-unicast
     bgp log-neighbor-changes
     neighbor remote-as
     neighbor update-source Loopback0
     neighbor remote-as 1
     neighbor update-source Ethernet0/0
     address-family ipv4
      no synchronization
      redistribute connected metric 1
      neighbor activate
      no auto-summary
     exit-address-family
     address-family vpnv4
      neighbor activate
      neighbor send-community both
      neighbor route-map mgre_v4 in
     exit-address-family

Callouts on the configuration:
- iBGP Peer for MP-BGP (VPNv4)
- eBGP Peer to SP
- Address Family for eBGP to SP
- Address Family for MPLS-VPN over IP (iBGP)

76 VRF-Lite over GRE
- One tunnel per VRF
- IGP Neighbor maintained end-to-end
[Diagram: three tunnels between vrf-router-a and vrf-router-b, each carrying IP in GRE in IP]

77 VRF-Lite over GRE
- One tunnel per VRF
- IGP Neighbor maintained end-to-end
[Diagram: three tunnels between vrf-router-a and vrf-router-b, each carrying IP in GRE in IP]

    interface Loopback101
     ip address
    interface Loopback102
     ip address
    interface Loopback103
     ip address
    interface Tunnel1
     ip vrf forwarding red
     ip address
     tunnel source Loopback
     tunnel destination
    interface Tunnel2
     ip vrf forwarding green
     ip address
     tunnel source Loopback
     tunnel destination
    interface Tunnel3
     ip vrf forwarding yellow
     ip address
     tunnel source Loopback103
     tunnel destination

78 EVN over DMVPN
Multi-VRF Transported over Several NHRP Domains

Hub Configuration

    vrf definition Red
    vrf definition Green
    vrf definition Yellow
    interface Loopback0
     ip address
    interface Loopback1
     ip address
    interface Loopback2
     ip address
    interface Tunnel0
     description mgre for Red
     vrf forwarding Red
     ip address
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 100
     tunnel source Loopback0
     tunnel mode gre multipoint
    interface Tunnel
     description mgre for Green
     vrf forwarding Green
     ip address
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 101
     tunnel source Loopback1
     tunnel mode gre multipoint
    interface Tunnel
     description mgre for Yellow
     vrf forwarding Yellow
     ip address
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 102
     tunnel source Loopback2
     tunnel mode gre multipoint

Spoke Configuration

    vrf definition Red
    vrf definition Green
    vrf definition Yellow
    interface Loopback0
     ip add
    interface Loopback1
     ip add
    interface Loopback2
     ip add
    interface Tunnel0
     description GRE to hub
     vrf forwarding Red
     ip address
     ip nhrp network-id 100
     ip nhrp nhs
     tunnel source Loopback0
     tunnel destination
    interface Tunnel
     description GRE to hub
     vrf forwarding Green
     ip address
     ip nhrp network-id 101
     ip nhrp nhs
     tunnel source Loopback1
     tunnel destination
    interface Tunnel2
     description GRE to hub
     vrf forwarding Yellow
     ip address
     ip nhrp network-id
     ip nhrp nhs
     tunnel source Loopback2
     tunnel destination
    interface Vlan10
     description Red Subnet
     vrf forwarding Red
     ip address
    interface Vlan11
     description Green Subnet
     vrf forwarding Green
     ip address
    interface Vlan12
     description Yellow Subnet
     vrf forwarding Yellow
     ip address

[Diagram labels: Hub with Red VRF, Green VRF and Yellow VRF; Branch 1, Branch 2 and Branch 3, each with Red VRF, Green VRF and Yellow VRF]
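The "one tunnel per VRF" layout on slides 76-77 and the per-VRF NHRP domains on slide 78 only isolate traffic if every tunnel interface is actually bound to its VRF. The following audit script is an added example, not part of the presentation: the function names, the sample addresses, the Tunnel1/Tunnel2 numbering and the audit rules themselves are assumptions derived from the slide layout.

```python
import re
from collections import defaultdict

# Constructed hub configuration laid out like the slides: one mGRE tunnel and
# one NHRP network-id per VRF. Addresses and the Tunnel1/Tunnel2 numbers are
# made up for this example.
GOOD_CONFIG = """\
vrf definition Red
!
vrf definition Green
!
vrf definition Yellow
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel0
 description mgre for Red
 vrf forwarding Red
 ip address 10.100.0.1 255.255.255.0
 ip nhrp network-id 100
 tunnel source Loopback0
 tunnel mode gre multipoint
!
interface Tunnel1
 description mgre for Green
 vrf forwarding Green
 ip address 10.101.0.1 255.255.255.0
 ip nhrp network-id 101
 tunnel source Loopback1
 tunnel mode gre multipoint
!
interface Tunnel2
 description mgre for Yellow
 vrf forwarding Yellow
 ip address 10.102.0.1 255.255.255.0
 ip nhrp network-id 102
 tunnel source Loopback2
 tunnel mode gre multipoint
"""

# Same configuration with two constructed mistakes: the Yellow tunnel lost its
# VRF binding, and the Green tunnel reuses the Red NHRP network-id.
BAD_CONFIG = (GOOD_CONFIG
              .replace(" vrf forwarding Yellow\n", "")
              .replace("network-id 101", "network-id 100"))

# Both the newer and the older IOS spellings used on the slides are accepted.
VRF_DEF = re.compile(r"^(?:vrf definition|ip vrf)\s+(\S+)\s*$")
IFACE = re.compile(r"^interface\s+(\S+)\s*$")
VRF_BIND = re.compile(r"^\s+(?:ip )?vrf forwarding\s+(\S+)\s*$")
NHRP_ID = re.compile(r"^\s+ip nhrp network-id\s+(\d+)\s*$")


def parse_config(text):
    """Return (defined VRF names, {tunnel name: {'vrf', 'nhrp_id'}})."""
    vrfs, tunnels, current = set(), {}, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            name = m.group(1)
            current = None
            if name.lower().startswith("tunnel"):
                current = tunnels.setdefault(name, {"vrf": None, "nhrp_id": None})
            continue
        if not line.startswith(" "):      # any other top-level line ends the stanza
            current = None
            m = VRF_DEF.match(line)
            if m:
                vrfs.add(m.group(1))
            continue
        if current is None:               # sub-command of a non-tunnel interface
            continue
        m = VRF_BIND.match(line)
        if m:
            current["vrf"] = m.group(1)
        m = NHRP_ID.match(line)
        if m:
            current["nhrp_id"] = int(m.group(1))
    return vrfs, tunnels


def audit(text):
    """Return a list of findings; an empty list means the layout is consistent."""
    vrfs, tunnels = parse_config(text)
    findings, by_vrf, by_nhrp = [], defaultdict(list), defaultdict(list)
    for name, t in tunnels.items():
        if t["nhrp_id"] is not None:
            by_nhrp[t["nhrp_id"]].append(name)
        if t["vrf"] is None:
            findings.append(f"{name}: no 'vrf forwarding', tunnel sits in the global table")
            continue
        if t["vrf"] not in vrfs:
            findings.append(f"{name}: bound to undefined VRF {t['vrf']}")
        by_vrf[t["vrf"]].append(name)
    for vrf in sorted(vrfs):
        count = len(by_vrf[vrf])
        if count != 1:
            findings.append(f"VRF {vrf}: {count} tunnel interfaces, expected exactly 1")
    for nid, names in sorted(by_nhrp.items()):
        if len(names) > 1:
            findings.append(f"NHRP network-id {nid}: shared by {', '.join(sorted(names))}")
    return findings


if __name__ == "__main__":
    for finding in audit(BAD_CONFIG):
        print(finding)
```
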

79 EVN over LISP
Location/ID Separation Protocol

    router lisp
     eid-table vrf default instance-id 0
     exit
     eid-table vrf Red instance-id
     exit
     eid-table vrf Green instance-id
     exit
     eid-table vrf Blue instance-id
     exit

[Diagram labels: Corp Campus and two Branch Sites, each with a LISP xTR and EVN (Red VRF, Green VRF, Blue VRF); LISP Tunnels; IP Service; SP Cloud]

80 EVN - Easy Virtual Network Roadmap

    Platform                       Release           Status
    ASR1K                          IOS XE 3.2S       Shipping
    Cat6K Sup2T                    15.0(1)SY1        Shipping
    Cat6K Sup720*                  15.1(1)SY         Shipping
    Cat6880-X / 6807-XL            15.1(2)SY1        Shipping
    Cat4K Sup6-E, Sup6L-E, 49xx    15.1(1)SG         Shipping
    Cat4K Sup7E, Sup7LE, 4500X     IOS XE 3.3.0SG    Shipping
    Cat4K Sup8E                    IOS XE 3.3.0XO    Q3CY14
    ISR-G2                         15.3(2)T          Shipping
    Cat3850                        Roadmap           TBD
    Nexus                          TBD               TBD

* Sup720 will not support VNET Trunk

This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.

81 Network Virtualization Questions? 81

82 Wrap Up Network Virtualization satisfies many business requirements Easy Virtual Network Simplifies Campus Network Virtualization 82

83 More Info Chris Le Mailing List: Other Sessions: BRKRST-2045 Advanced WAN Design Topics (Craig Hill) BRKCRS-2033 Deploying a Virtualized Campus Infrastructure (Ray Blair) EVN on CCO: 83


85 Complete Your Online Session Evaluation Complete your online session evaluation Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt 85


CERTIFICATE CCENT + CCNA ROUTING AND SWITCHING INSTRUCTOR: FRANK D WOUTERS JR. CETSR, CSM, MIT, CA

CERTIFICATE CCENT + CCNA ROUTING AND SWITCHING INSTRUCTOR: FRANK D WOUTERS JR. CETSR, CSM, MIT, CA CERTIFICATE CCENT + CCNA ROUTING AND SWITCHING INSTRUCTOR: FRANK D WOUTERS JR. CETSR, CSM, MIT, CA CCENT - Cisco Certified Entry Networking Technician (ICND1) CCNA Routing and Switching (ICND2) Prerequisites:

More information

CCIE Route & Switch Written (CCIERSW) 1.0

CCIE Route & Switch Written (CCIERSW) 1.0 CCIE Route & Switch Written (CCIERSW) 1.0 COURSE OVERVIEW: CCIE Route and Switch Written (CCIERSW) preparation course is a five-day course that prepares the student for the written exam portion of the

More information

Configuring BGP: RT Constrained Route Distribution

Configuring BGP: RT Constrained Route Distribution Configuring BGP: RT Constrained Route Distribution BGP: RT Constrained Route Distribution is a feature that can be used by service providers in Multiprotocol Label Switching (MPLS) Layer 3 VPNs to reduce

More information

Syllabus. Cisco Certified Design Professional. Implementing Cisco IP Routing

Syllabus. Cisco Certified Design Professional. Implementing Cisco IP Routing Syllabus Cisco Certified Design Professional Implementing Cisco IP Routing 1.0 Network Principles 1.1 Identify Cisco Express Forwarding concepts 1.1.a FIB 1.1.b Adjacency table 1.2 Explain general network

More information

CCNP TSHOOT. Quick Reference Sheet Exam

CCNP TSHOOT. Quick Reference Sheet Exam CCNP TSHOOT Quick Reference Sheet Exam 300-135 Chapter 1. Network Principles Troubleshooting Steps Problem Identification Collection of Information Examination and Action Plan Verification Basic Troubleshooting

More information