Configuring Unicast Fabric VRFs with Anycast Gateway
The following commands are used for the configuration of VRF instances and of the associated VRF gateway (vrf-gw and vrf-gw2) IP addresses:
CLI network-admin@Leaf1 > vrf-create
name name-string
Specify a name for the VRF.
vnet vnet-name
Specify the name of the vNET to assign the VRF. If you only have a global vNET configured, omit this parameter.
scope local|cluster|fabric
Specify the scope for the VRF.
vrf-gw ip-address
Specify the gateway IP address.
vrf-gw2 ip-address
Specify the second gateway IP address.
vrf-gw-ipv6 ip-address
Specify the IPv6 gateway address.
 
vrf-gw2-ipv6 ip-address
Specify the second IPv6 gateway address.
 
CLI network-admin@Leaf1 > vrf-delete
name name-string
Specify the name of the VRF that you want to delete.
vnet vnet-name
Specify the name of the vNET assigned to the VRF.
CLI network-admin@Leaf1 > vrf-modify
name name-string
Specify a name for the VRF.
vnet vnet-name
Specify the name of the vNET to assign the VRF.
scope local|cluster|fabric
Specify the scope for the VRF.
vrf-gw ip-address
Specify the gateway IP address.
vrf-gw2 ip-address
Specify the second gateway IP address.
vrf-gw-ipv6 ip-address
Specify the IPv6 gateway address.
 
vrf-gw2-ipv6 ip-address
Specify the second IPv6 gateway address.
 
CLI network-admin@Leaf1 > vrf-show
name name-string
Displays the name of the VRF.
vnet vnet-name
Displays the name of the vNET assigned to the VRF.
scope local|cluster|fabric
Displays the scope of the VRF.
vrf-gw ip-address
Displays the gateway IP address.
vrf-gw2 ip-address
Displays the second gateway IP address.
vrf-gw-ipv6 ip-address
Displays the IPv6 gateway address.
 
vrf-gw2-ipv6 ip-address
Displays the second IPv6 gateway address.
 
The following commands are used for the configuration of subnet objects for the associated anycast gateway addresses and the associated VNIs:
CLI network-admin@Leaf1 > subnet-create
name name-string
Specify the name of the subnet.
scope local|cluster|fabric
Specify the scope for the VRF.
vnet vnet-name
Specify the name of the vNET to assign the VRF.
vxlan vxlan-id
Specify the VXLAN ID to assign to the subnet.
vrf vrf-name
Specify the VRF to which the subnet belongs.
network ip-address
Specify the IPv4 network IP address.
netmask netmask
Specify the netmask for the IPv4 address.
anycast-gw-ip ip-address
Specify the anycast gateway IPv4 address for the subnet.
network6 ip-address
Specify the IPv6 subnet network address.
netmask6 netmask
Specify the IPv6 subnet netmask address.
anycast-gw-ip6 ip-address
Specify the anycast gateway IPv6 address for the subnet.
packet-relay enable|disable|none
Enable or disable the packet relay.
forward-proto dhcp
Specify the protocol type to forward the packets.
forward-ip ip-address
Specify the forwarding IPv4 address.
forward-ip2 ip-address
Specify the second forwarding IPv4 address.
forward-ip6 ip-address
Specify the forwarding IPv6 address.
forward-ip6-2 ip-address
Specify the second forwarding IPv6 address.
enable|disable
Specify to enable/disable subnet routing.
CLI network-admin@Leaf1 > subnet-delete
name name-string
Specify the name of the subnet.
vnet vnet-name
Specify the name of the vNET to assign the VRF.
vrf name-string
Specify the VRF to assign the subnet.
CLI network-admin@Leaf1 > subnet-modify
name name-string
Specify the name of the subnet.
vnet vnet-name
Specify the name of the vNET to assign the VRF.
Specify one or more of the following options:
network ip-address
Specify the IPv4 network IP address.
netmask netmask
Specify the netmask for the IPv4 address.
anycast-gw-ip ip-address
Specify the anycast gateway IPv4 address for the subnet.
network6 ip-address
Specify the IPv6 subnet network address.
netmask6 netmask
Specify the IPv6 subnet netmask address.
anycast-gw-ip6 ip-address
Specify the anycast gateway IPv6 address for the subnet.
packet-relay enable|disable|none
Enable or disable the packet relay.
forward-proto dhcp
Specify the protocol type to forward the packets.
forward-ip ip-address
Specify the forwarding IPv4 address.
forward-ip2 ip-address
Specify the second forwarding IPv4 address.
forward-ip6 ip-address
Specify the forwarding IPv6 address.
forward-ip6-2 ip-address
Specify the second forwarding IPv6 address.
enable|disable
Specify to enable/disable subnet routing.
CLI network-admin@Leaf1 > subnet-show
name name-string
Displays the name of the subnet.
scope local|cluster|fabric
Displays the scope for the VRF.
vnet vnet-name
Displays the name of the vNET to assign the VRF.
vlan vlan-id
Displays the VLAN ID to assign to the subnet.
vxlan vxlan-id
Displays the VXLAN ID to assign to the subnet.
vrf name-string
Displays the VRF to assign the subnet.
network ip-address
Displays the network IPv4 address.
netmask netmask
Displays the netmask for the IPv4 address.
anycast-gw-ip ip-address
Displays the anycast gateway IPv4 address.
network6 ip-address
Displays the IPv6 subnet network address.
netmask6 netmask
Displays the IPv6 subnet netmask address.
anycast-gw-ip6 ip-address
Displays the anycast gateway IPv6 address for the subnet.
linklocal ip-address
Displays the IPv6 Link Local address.
packet-relay enable|disable|none
Displays the packet relay mode.
forward-proto dhcp
Displays the protocol type forwarding the packets.
forward-ip ip-address
Displays the forwarding IPv4 address.
forward-ip2 ip-address
Displays the second forwarding IPv4 address.
forward-ip6 ip-address
Displays the forwarding IPv6 address.
forward-ip6-2 ip-address
Displays the second forwarding IPv6 address.
state init|ok|vxlan not found|vxlan deactivated|not-in-hw|vrouter interface exists
Displays the subnet state.
hw-state|no-hw-state
Displays if there is a hardware state present.
enable|disable
Displays the state of the subnet routing.
 
format fields-to-display
Display output using a specific parameter. Use all to display all possible output.
parsable-delim character
Display output formatted for machine parsing using a specified delimiter.
sort-asc
Display output in ascending order.
sort-desc
Display output in descending order.
show dups
Display duplicate entries in the output.
layout vertical|horizontal
Format the output in a vertical or horizontal layout.
show-interval seconds-interval
Repeat the show command at a specified interval.
show-headers|no-show-headers
Display column headers or not.
limit-output number
Limit the display output to a specific number of entries.
count-output
Display the number of entries in the output. This is useful with vRouter show commands.
count-only
Displays the number of entries only.
unscaled
Display full values in the output instead of scaled approximate values.
raw-int-values
Display integer values instead of mapped values.
 
The following commands allow you to modify and display anycast gateway information on the fabric:
CLI network-admin@switch > fabric-anycast-mac-show
 
format fields-to-display
Display output using a specific parameter. Use all to display all possible output.
parsable-delim character
Display output formatted for machine parsing using a specified delimiter.
sort-asc
Display output in ascending order.
sort-desc
Display output in descending order.
show dups
Display duplicate entries in the output.
layout vertical|horizontal
Format the output in a vertical or horizontal layout.
show-interval seconds-interval
Repeat the show command at a specified interval.
show-headers|no-show-headers
Display column headers or not.
limit-output number
Limit the display output to a specific number of entries.
count-output
Display the number of entries in the output. This is useful with vRouter show commands.
count-only
Displays the number of entries only.
unscaled
Display full values in the output instead of scaled approximate values.
raw-int-values
Display integer values instead of mapped values.
 
CLI network-admin@switch > fabric-anycast-mac-modify
mac mac-address
Modify the MAC address for anycast. The default MAC address is 64:0e:94:40:00:02.
For example, the following vrf-create command can be used to create VRF-1:
CLI network-admin@switch > vrf-create name VRF-1 scope fabric
 
The vrf-create command can be issued to configure, for instance, 1000 VRFs on a single node, as shown in this output:
CLI network-admin@switch > vrf-show count-output
name    vnet scope  anycast-mac       vrf-gw vrf-gw2 active hw-router-mac     hw-vrid
------- ---- ------ ----------------- ------ ------- ------ ----------------- -------
VRF-1   0:0  fabric 64:0e:94:40:00:02 ::     ::      no     00:00:00:00:00:00 -1
VRF_2   0:0  fabric 64:0e:94:40:00:02 ::     ::      yes    00:00:00:00:00:00 1
VRF_3   0:0  fabric 64:0e:94:40:00:02 ::     ::      yes    00:00:00:00:00:00 2
VRF_4   0:0  fabric 64:0e:94:40:00:02 ::     ::      yes    00:00:00:00:00:00 3
VRF_5   0:0  fabric 64:0e:94:40:00:02 ::     ::      yes    00:00:00:00:00:00 4
VRF_6   0:0  fabric 64:0e:94:40:00:02 ::     ::      yes    00:00:00:00:00:00 5
[snip]
VRF_999 0:0  fabric 64:0e:94:40:00:02 ::     ::      yes    00:00:00:00:00:00 999
Count: 999
 
Informational Note: Newer ASICs can support an even higher count. The maximum number is ASIC limited.
The following commands can be used to create two subnet objects associated with VRF-1 for East-West traffic segmentation:
CLI network-admin@switch > vlan-create id 12 vxlan 500012 scope fabric ports none
CLI network-admin@switch > vlan-create id 13 vxlan 500013 scope fabric ports none
CLI network-admin@switch > subnet-create name subnet-vxlan-500012 scope fabric vxlan 500012 network 172.10.2.0/24 anycast-gw-ip 172.10.2.1 vrf VRF-1
CLI network-admin@switch > subnet-create name subnet-vxlan-500013 scope fabric vxlan 500013 network 172.10.3.0/24 anycast-gw-ip 172.10.3.1 vrf VRF-1
Finally, the following commands can be used to create two smaller subnets (/29) to provide North-South reachability in and out of VRF-1 to/from VRF gateways 172.10.0.2 and 172.10.1.2:
CLI network-admin@switch > vlan-create id 10 vxlan 500010 scope fabric ports none
CLI network-admin@switch > vlan-create id 11 vxlan 500011 scope fabric ports none
CLI network-admin@switch > subnet-create name subnet-vxlan-500010 scope fabric vxlan 500010 network 172.10.0.0/29 anycast-gw-ip 172.10.0.1 vrf VRF-1
CLI network-admin@switch > subnet-create name subnet-vxlan-500011 scope fabric vxlan 500011 network 172.10.1.0/29 anycast-gw-ip 172.10.1.1 vrf VRF-1
Informational Note: The scope of the VRF and subnet objects typically would be fabric; however, to cater to specific needs and designs it is also possible to configure local VRFs and subnets in certain cases.
The next step is to configure the VRF gateways for VRF-1:
CLI network-admin@switch > switch <switch_list> vrf-modify name VRF-1 vrf-gw 172.10.0.2 vrf-gw2 172.10.1.2
Figure 8: Fabric VRFs with Border Leaves Connecting External Network
In this example it is assumed that the connectivity is implemented with static routing on the DC gateways. To provide inbound reachability for VRF-1, the DC gateways must be provisioned with static routes for the VRF subnets receiving traffic from external networks, using the adjacent anycast gateway addresses as next-hop:
DC-Gateway-1# ip route vrf VRF-1 172.10.2.0/23 172.10.0.1
DC-Gateway-1# ip route vrf VRF-1 172.10.2.0/23 172.10.1.1
DC-Gateway-2# ip route vrf VRF-1 172.10.2.0/23 172.10.0.1
DC-Gateway-2# ip route vrf VRF-1 172.10.2.0/23 172.10.1.1
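A pre-deployment consistency check for the VRF-1 plan above, as an added example that is not part of the vendor documentation: it parses the subnet-create and vrf-modify commands and the DC gateway static routes from this page and reports addressing mistakes that would break or widen the segmentation. The names `parse`, `audit`, `PLAN` and `ROUTES` are hypothetical, and the check assumes IPv4 only and options written as keyword/value pairs.

```python
import ipaddress as ipa
# Commands taken from the example on this page (CLI prompts stripped).
PLAN = """\
subnet-create name subnet-vxlan-500012 scope fabric vxlan 500012 network 172.10.2.0/24 anycast-gw-ip 172.10.2.1 vrf VRF-1
subnet-create name subnet-vxlan-500013 scope fabric vxlan 500013 network 172.10.3.0/24 anycast-gw-ip 172.10.3.1 vrf VRF-1
subnet-create name subnet-vxlan-500010 scope fabric vxlan 500010 network 172.10.0.0/29 anycast-gw-ip 172.10.0.1 vrf VRF-1
subnet-create name subnet-vxlan-500011 scope fabric vxlan 500011 network 172.10.1.0/29 anycast-gw-ip 172.10.1.1 vrf VRF-1
vrf-modify name VRF-1 vrf-gw 172.10.0.2 vrf-gw2 172.10.1.2
"""
# DC gateway static routes from this page: (vrf, prefix, next hop).
ROUTES = [("VRF-1", "172.10.2.0/23", "172.10.0.1"), ("VRF-1", "172.10.2.0/23", "172.10.1.1")]

def parse(text):
    """Yield (verb, options); every option used here is a keyword/value pair."""
    for line in text.strip().splitlines():
        verb, *args = line.split()
        yield verb, dict(zip(args[::2], args[1::2]))

def audit(plan, routes=()):
    """Return findings as strings; an empty list means the plan is consistent."""
    out, vrfs, cmds = [], {}, list(parse(plan))
    for verb, o in cmds:
        if verb == "subnet-create":
            net, gw = ipa.ip_network(o["network"]), ipa.ip_address(o["anycast-gw-ip"])
            edge = (net.network_address, net.broadcast_address) if net.prefixlen < 31 else ()
            if gw not in net or gw in edge:
                out.append(f"{o['name']}: anycast-gw-ip {gw} is not a host address in {net}")
            for name, (other, _) in vrfs.get(o["vrf"], {}).items():
                if net.overlaps(other):
                    out.append(f"{o['name']}: {net} overlaps {name} in {o['vrf']}")
            vrfs.setdefault(o["vrf"], {})[o["name"]] = (net, gw)
    for verb, o in cmds:  # second pass, so vrf-modify may appear before its subnets
        if verb == "vrf-modify":
            for key in sorted(o.keys() & {"vrf-gw", "vrf-gw2"}):
                gw = ipa.ip_address(o[key])
                homes = [a for n, a in vrfs.get(o["name"], {}).values() if gw in n]
                if not homes:
                    out.append(f"{o['name']}: {key} {gw} is outside every subnet of the VRF")
                elif gw in homes:
                    out.append(f"{o['name']}: {key} {gw} collides with an anycast gateway")
    for vrf, prefix, hop in routes:
        pfx, members = ipa.ip_network(prefix), vrfs.get(vrf, {}).values()
        if ipa.ip_address(hop) not in [a for _, a in members]:
            out.append(f"route {prefix}: next hop {hop} is not an anycast gateway of {vrf}")
        # An aggregate wider than the VRF's own subnets pulls foreign prefixes into the VRF.
        if sum(n.num_addresses for n, _ in members if n.subnet_of(pfx)) != pfx.num_addresses:
            out.append(f"route {prefix}: covers address space with no subnet in {vrf}")
    return out
```

Calling `audit(PLAN, ROUTES)` on the configuration from this page returns an empty list; any returned string names the object and the inconsistency.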