Support for VPN Routing and Forwarding Table (VRF)
Virtual Private Networks (VPNs) provide a secure way for customers to share bandwidth over an ISP backbone network. A VPN is a collection of sites sharing a common routing table. A customer site is connected to the service provider network by one or more interfaces, and the service provider associates each interface with a VPN routing table. A VPN routing table is called a VPN routing/forwarding (VRF) table.
VRF is a feature enabling service providers to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF utilizes input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but a Layer 3 interface cannot belong to more than one VRF at any time.
VRF includes these devices:
Customer edge (CE) devices provide customer access to the service provider network over a data link to one or more provider edge routers. The CE device advertises the site’s local routes to the provider edge router and learns the remote VPN routes from it.
Provider edge (PE) routers exchange routing information with CE devices by using static routing or a routing protocol such as BGP, RIPv1, or RIPv2.
The PE is only required to maintain VPN routes for those VPNs to which it is directly attached, eliminating the need for the PE to maintain all of the service provider VPN routes. Each PE router maintains a VRF for each of its directly connected sites. Multiple interfaces on a PE router can be associated with a single VRF if all of these sites participate in the same VPN. Each VPN is mapped to a specified VRF. After learning local VPN routes from CEs, a PE router exchanges VPN routing information with other PE routers by using internal BGP (iBGP).
Provider routers (or core routers) are any routers in the service provider network that do not attach to CE devices.
With VRF, multiple customers can share one CE, and only one physical link is used between the CE and the PE. The shared CE maintains separate VRF tables for each customer and switches or routes packets for each customer based on the routing table. VRF extends limited PE functionality to a CE device, with the ability to maintain separate VRF tables to extend the privacy and security of a VPN to the branch office.
Figure 1 illustrates the packet-forwarding process in a VRF-lite CE-enabled network.
1. When the CE receives a packet from a VPN, it looks up the routing table based on the input interface. When a route is found, the CE forwards the packet to the PE.
2. When the ingress PE receives a packet from the CE, it performs a VRF lookup. When a route is found, the router adds a corresponding label to the packet and sends it to the network.
3. When an egress PE receives a packet from the network, it strips the label and uses the label to identify the correct VPN routing table. The egress PE then performs the normal route lookup. When a route is found, it forwards the packet to the correct adjacency.
4. When a CE receives a packet from an egress PE, it uses the input interface to look up the correct VPN routing table. If a route is found, the CE forwards the packet within the VPN.
Figure 1: VRF Network Diagram
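The four forwarding steps above are the whole security argument for VRF: the forwarding table is chosen by input interface (on the CE) or by the label the ingress PE attached (on the egress PE), never by anything the packet itself says. The following Python model is an added example, not code from the Netvisor documentation or product; routers CE1/PE1/PE2/CE2, the interface names, the labels 10100/10200 and all routes are constructed for the illustration. Customers BLUE and RED deliberately use the same 10.0.10.0/24 and 10.0.20.0/24 prefixes, and a RED-only prefix 172.16.0.0/16 shows that a BLUE packet to that range is dropped rather than leaked.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Vrf:
    name: str
    label: int                                   # label (VNI) that names this VRF in the core
    routes: dict = field(default_factory=dict)   # IPv4Network -> next hop or local adjacency

    def add_route(self, prefix, nexthop):
        self.routes[ip_network(prefix)] = nexthop

    def lookup(self, dst):
        """Longest-prefix match restricted to this VRF's own table."""
        dst = ip_address(dst)
        matches = [p for p in self.routes if dst in p]
        if not matches:
            return None                          # no route: the packet is dropped
        return self.routes[max(matches, key=lambda p: p.prefixlen)]


class Router:
    """A CE or PE. Every Layer 3 interface belongs to exactly one VRF."""

    def __init__(self, name):
        self.name = name
        self.vrfs = {}        # vrf name -> Vrf
        self.iface_vrf = {}   # interface -> vrf name
        self.label_vrf = {}   # label -> vrf name (used by the egress PE)

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf
        self.label_vrf[vrf.label] = vrf.name

    def bind(self, iface, vrf_name):
        if iface in self.iface_vrf:
            raise ValueError(f"{iface} already belongs to VRF {self.iface_vrf[iface]}")
        self.iface_vrf[iface] = vrf_name

    def _table(self, iface):
        return self.vrfs[self.iface_vrf[iface]]

    # Steps 1 and 4: a CE picks the table from the input interface, never from the packet.
    def ce_forward(self, in_iface, dst):
        return self._table(in_iface).lookup(dst)

    # Step 2: the ingress PE does the VRF lookup and labels the packet for the core.
    def pe_ingress(self, in_iface, dst):
        vrf = self._table(in_iface)
        if vrf.lookup(dst) is None:
            return None
        return (vrf.label, dst)

    # Step 3: the egress PE strips the label, uses it to choose the VRF, then routes normally.
    def pe_egress(self, labeled_packet):
        label, dst = labeled_packet
        vrf_name = self.label_vrf.get(label)
        if vrf_name is None:
            return None                          # unknown label: drop rather than guess a table
        return self.vrfs[vrf_name].lookup(dst)


def build_demo():
    """Constructed topology: CE1 -- PE1 -- core -- PE2 -- CE2, customers BLUE and RED."""
    ce1, pe1, pe2, ce2 = Router("CE1"), Router("PE1"), Router("PE2"), Router("CE2")
    for r in (ce1, pe1, pe2, ce2):
        r.add_vrf(Vrf("BLUE", 10100))
        r.add_vrf(Vrf("RED", 10200))
        r.bind("eth0.100", "BLUE")           # per-VRF sub-interfaces on the shared CE-PE link
        r.bind("eth0.200", "RED")
    ce1.bind("eth1", "BLUE")                 # customer-facing ports on the shared CE
    ce1.bind("eth2", "RED")
    # Both customers use 10.0.10.0/24 at site A and 10.0.20.0/24 at site B.
    for vrf, site_a, site_b in (("BLUE", "blue-site-a", "blue-site-b"),
                                ("RED", "red-site-a", "red-site-b")):
        ce1.vrfs[vrf].add_route("10.0.10.0/24", site_a)
        ce1.vrfs[vrf].add_route("10.0.20.0/24", "PE1")
        pe1.vrfs[vrf].add_route("10.0.20.0/24", "PE2")
        pe2.vrfs[vrf].add_route("10.0.20.0/24", "CE2")
        ce2.vrfs[vrf].add_route("10.0.20.0/24", site_b)
    ce1.vrfs["RED"].add_route("172.16.0.0/16", "red-site-a")   # RED-only prefix
    return ce1, pe1, pe2, ce2


def deliver(ce1_in_iface, dst):
    """Run one packet through steps 1-4; returns the final adjacency, or None if dropped."""
    ce1, pe1, pe2, ce2 = build_demo()
    vrf_name = ce1.iface_vrf[ce1_in_iface]
    link = {"BLUE": "eth0.100", "RED": "eth0.200"}[vrf_name]   # sub-interface carrying this VRF
    hop = ce1.ce_forward(ce1_in_iface, dst)                     # step 1
    if hop != "PE1":
        return hop                                              # local delivery or drop
    labeled = pe1.pe_ingress(link, dst)                         # step 2
    if labeled is None:
        return None
    hop = pe2.pe_egress(labeled)                                # step 3
    if hop != "CE2":
        return hop
    return ce2.ce_forward(link, dst)                            # step 4
```

The model also enforces the rule stated earlier that a Layer 3 interface cannot belong to more than one VRF: a second bind() of the same interface raises instead of silently moving the interface, and an egress PE that receives a label it has no VRF for drops the packet instead of falling back to a global table.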
To configure VRF, create a VRF table and specify the Layer 3 interface associated with the VRF. You then configure the routing protocols in the VPN and between the CE and the PE. BGP is the preferred routing protocol used to distribute VPN routing information across the providers’ backbone. The VRF network has three major components:
VPN route target communities—Lists all other members of a VPN community. You need to configure VPN route targets for each VPN community member.
Multiprotocol BGP peering of VPN community PE routers—Propagates VRF reachability information to all members of a VPN community. You need to configure BGP peering in all PE routers within a VPN community.
VPN forwarding—Transports all traffic between all VPN community members across a VPN service-provider network.
To create a VRF network using Netvisor, use the following steps:
1. Create subnets and VRF on any Leaf with the scope, fabric.
CLI (network-admin@Leaf1)>subnet-create name app-10-subnet subnet 10.0.10.0/24 vrf-name BLUE anycast-gw-ip 10.0.10.1 [vlan 10 | network app-10]
CLI (network-admin@Leaf1)>vrf-create name BLUE vni 10100 vnet coke anycast-gw-mac 00:11:22:33:44:55
2. Install the VRF on all switches in the fabric.
CLI (network-admin@Leaf1)>switch Leaf1,Leaf2,Leaf3,Leaf4,Leaf5,Leaf6 vrf-create name BLUE vlan 100 vrf-gw 100.1.1.1
3. Create the vRouter on the border switch, Leaf1.
CLI (network-admin@Leaf1)>vrf-modify vrouter-name VR-1 vrf-name BLUE
Static anycast gateway provides seamless virtual machine (VM) mobility across all of the leaf (ToR) switches. Even if hosts move among leaf switches, there is no need to reconfigure the default gateway. In this way, forwarding behavior is optimized.
The anycast gateway MAC address for VRF is assigned when the VRF is created. You can modify the MAC address using the fabric-anycast-gateway-modify command.
The default MAC address for the anycast gateway is 64:0e:94:40:00:02.
Creating Subnets
In previous versions of Netvisor, the existing command, vrouter-interface-add, created a virtual NIC (vNIC) for the connected route. Now, Netvisor programs the subnet route into the hardware to send Layer 3 packets for unknown hosts to software, so that Netvisor can send ARP requests for the host. Once the host answers the ARP requests, more specific Layer 2 and Layer 3 host entries are configured in the hardware.
The following commands are used to configure VRF:
(CLI network-admin@Spine1)>vrf-create
  name name-string
    Specify a name for the VRF.
  vnet vnet-name
    Specify the name of the VNET to assign the VRF.
  scope local|cluster|fabric
    Specify the scope for the VRF.
  vrf-gw ip-address
    Specify the gateway IP address.
  vrf-gw2 ip-address
    Specify the second gateway IP address.
(CLI network-admin@Spine1)>vrf-delete
  name name-string
    Specify a name for the VRF.
  vnet vnet-name
    Specify the name of the VNET to assign the VRF.
(CLI network-admin@Spine1)>vrf-modify
  name name-string
    Specify a name for the VRF.
  vnet vnet-name
    Specify the name of the VNET to assign the VRF.
  scope local|cluster|fabric
    Specify the scope for the VRF.
  vrf-gw ip-address
    Specify the gateway IP address.
  vrf-gw2 ip-address
    Specify the second gateway IP address.
(CLI network-admin@Spine1)>vrf-show
  name name-string
    Displays the name of the VRF.
  vnet vnet-name
    Displays the name of the VNET assigned to the VRF.
  scope local|cluster|fabric
    Displays the scope of the VRF.
  vrf-gw ip-address
    Displays the gateway IP address.
  vrf-gw2 ip-address
    Displays the second gateway IP address.
The following commands configure the subnet:
(CLI network-admin@Spine1)>subnet-create
  name name-string
    Specify the name of the subnet.
  scope local|cluster|fabric
    Specify the scope for the subnet.
  vnet vnet-name
    Specify the name of the VNET to assign the subnet.
  vlan vlan-id
    Specify the VLAN ID to assign to the subnet.
  vxlan vxlan-id
    Specify the VXLAN ID to assign to the subnet.
  network ip-address
    Specify the network IP address.
  netmask netmask
    Specify the netmask for the IP address.
  vrf name-string
    Specify the VRF to assign the subnet.
  anycast-gw-ip ip-address
    Specify the anycast gateway IP address.
(CLI network-admin@Spine1)>subnet-delete
  name name-string
    Specify the name of the subnet.
  vnet vnet-name
    Specify the name of the VNET to assign the subnet.
  vrf name-string
    Specify the VRF to assign the subnet.
(CLI network-admin@Spine1)>subnet-modify
  name name-string
    Specify the name of the subnet.
  scope local|cluster|fabric
    Specify the scope for the subnet.
(CLI network-admin@Spine1)>subnet-show
  name name-string
    Displays the name of the subnet.
  scope local|cluster|fabric
    Displays the scope of the subnet.
  vnet vnet-name
    Displays the name of the VNET assigned to the subnet.
  vlan vlan-id
    Displays the VLAN ID assigned to the subnet.
  vxlan vxlan-id
    Displays the VXLAN ID assigned to the subnet.
  network ip-address
    Displays the network IP address.
  netmask netmask
    Displays the netmask for the IP address.
  vrf name-string
    Displays the VRF the subnet is assigned to.
  anycast-gw-ip ip-address
    Displays the anycast gateway IP address.
  state init|ok|vxlan not found|vxlan deactivated|subnet is not installed in hw
    Displays the subnet state.
  hw-state|no-hw-state
    Displays whether a hardware state is present.
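The subnet-show state and hw-state fields are what tell you whether a subnet is actually forwarding in hardware, and the procedure above (step 2) requires a fabric-scope VRF to be installed on every leaf. The following Python audit is an added example, not Netvisor code: it runs over a constructed inventory whose dict fields mirror the vrf-show and subnet-show parameters listed above (switch, name, vnet, scope, vrf, network, netmask, anycast-gw-ip, state, hw-state), but the dict layout is an assumption for the example and not the CLI's real output format, and the rows, the six leaves and the planted misconfigurations (BLUE missing on Leaf4, a subnet stuck in "vxlan not found", a gateway outside its subnet, an overlap inside one VRF, a subnet referencing an uninstalled VRF) are all made up. Overlap between different VRFs is deliberately not reported, because that is the case VRF exists to support.

```python
from ipaddress import ip_address, ip_network

# Constructed fabric: the six leaves used in the procedure above.
SWITCHES = ["Leaf1", "Leaf2", "Leaf3", "Leaf4", "Leaf5", "Leaf6"]

# Constructed vrf-show rows (one per switch and VRF); Leaf4 was skipped in step 2.
VRF_ROWS = [
    {"switch": s, "name": "BLUE", "vnet": "coke", "scope": "fabric", "vrf-gw": "100.1.1.1"}
    for s in SWITCHES if s != "Leaf4"
] + [
    {"switch": "Leaf1", "name": "RED", "vnet": "coke", "scope": "local", "vrf-gw": "100.1.2.1"},
]

# Constructed subnet-show rows; comments mark the planted problems.
SUBNET_ROWS = [
    {"switch": "Leaf1", "name": "app-10-subnet", "vrf": "BLUE", "network": "10.0.10.0",
     "netmask": "255.255.255.0", "anycast-gw-ip": "10.0.10.1", "state": "ok", "hw-state": "hw-state"},
    {"switch": "Leaf2", "name": "app-10-subnet", "vrf": "BLUE", "network": "10.0.10.0",
     "netmask": "255.255.255.0", "anycast-gw-ip": "10.0.10.1",
     "state": "vxlan not found", "hw-state": "no-hw-state"},          # not in hardware
    {"switch": "Leaf1", "name": "red-10-subnet", "vrf": "RED", "network": "10.0.10.0",
     "netmask": "255.255.255.0", "anycast-gw-ip": "10.0.11.1",       # gateway outside subnet;
     "state": "ok", "hw-state": "hw-state"},                          # overlap with BLUE is fine
    {"switch": "Leaf1", "name": "app-10-lower", "vrf": "BLUE", "network": "10.0.10.0",
     "netmask": "255.255.255.128", "anycast-gw-ip": "10.0.10.1",     # overlaps inside BLUE
     "state": "ok", "hw-state": "hw-state"},
    {"switch": "Leaf3", "name": "db-20-subnet", "vrf": "GREEN", "network": "10.0.20.0",
     "netmask": "255.255.255.0", "anycast-gw-ip": "10.0.20.1",       # GREEN is not on Leaf3
     "state": "ok", "hw-state": "hw-state"},
]


def audit(vrf_rows, subnet_rows, switches):
    """Return a list of human-readable findings; an empty list means the inventory is consistent."""
    findings = []
    vrfs_on = {}                                   # vrf name -> set of switches it is installed on
    for r in vrf_rows:
        vrfs_on.setdefault(r["name"], set()).add(r["switch"])

    # Check 1: a fabric-scope VRF must be installed on every switch in the fabric.
    fabric_scoped = {r["name"] for r in vrf_rows if r["scope"] == "fabric"}
    for name in sorted(fabric_scoped):
        for sw in sorted(set(switches) - vrfs_on[name]):
            findings.append(f"{sw}: fabric-scope VRF {name} not installed")

    seen = {}                                      # (switch, vrf) -> [(network, subnet name)]
    for s in subnet_rows:
        sw, vrf = s["switch"], s["vrf"]
        net = ip_network(f"{s['network']}/{s['netmask']}", strict=True)
        # Check 2: the subnet's VRF must exist on the switch that carries the subnet.
        if sw not in vrfs_on.get(vrf, set()):
            findings.append(f"{sw}: subnet {s['name']} references VRF {vrf}, which is not present on this switch")
        # Check 3: the anycast gateway must be an address inside the subnet it serves.
        if ip_address(s["anycast-gw-ip"]) not in net:
            findings.append(f"{sw}: subnet {s['name']} anycast gateway {s['anycast-gw-ip']} is outside {net}")
        # Check 4: anything other than ok + hw-state means the subnet is not forwarding in hardware.
        if s["state"] != "ok" or s["hw-state"] != "hw-state":
            findings.append(f"{sw}: subnet {s['name']} state '{s['state']}' ({s['hw-state']}): not forwarding in hardware")
        # Check 5: overlapping prefixes are only legitimate across VRFs, never inside one VRF.
        for other_net, other_name in seen.get((sw, vrf), []):
            if net.overlaps(other_net):
                findings.append(f"{sw}: subnets {other_name} and {s['name']} overlap inside VRF {vrf}")
        seen.setdefault((sw, vrf), []).append((net, s["name"]))
    return findings


if __name__ == "__main__":
    for line in audit(VRF_ROWS, SUBNET_ROWS, SWITCHES):
        print(line)
```

Run as written, the audit reports five findings, one per planted problem, and stays silent about BLUE and RED both using 10.0.10.0/24 on Leaf1. To use it against a real fabric you would replace the two constructed row lists with records parsed from the actual vrf-show and subnet-show output.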
The following commands allow you to modify and display anycast gateway information on the fabric:
(CLI network-admin@Spine1)>fabric-anycast-mac-modify
  mac mac-address
    Modify the MAC address for the anycast gateway.
(CLI network-admin@Spine1)>fabric-anycast-mac-show
mac: 64:0e:94:40:00:02