Creating a Virtual Network (vNET)


To separate resources, including switch ports, IP addresses, VLANs, and VXLAN IDs, into separate management spaces, create (at least) one vNET and associate the desired resources with it (see below for a configuration example).


A vNET is created with the vnet-create command followed by its required parameters. You can then configure a separate vNET administrator to manage each newly created management domain.


Note: You cannot create another vNET inside of a vNET.


The purpose of vNET objects is to provide independent network domains whose administrators can manage a set of dedicated resources without involving the fabric administrator, within the constraints that the fabric administrator defines.


Access control is based on the scope of a vNET, which includes a number of dedicated ports on which certain commands can be applied and certain dedicated resources can be used.


For example, the applicable resources fall into three categories of commands/entities, listed below:


Layer 1 commands (i.e., port-related commands):


    • port-show (shows vNET ports but not internal/cluster ports)
    • port-phy-show
    • port-config-modify/show
    • bezel-portmap-show

       

Layer 2 commands (i.e., VLAN/LACP/STP/vLAG commands):


    • port-lacp-modify/show
    • vlag-create/modify/delete
    • trunk-create/modify/delete
    • stp-port-modify/show, stp-port-event-show
    • Note: a vNET admin is not allowed to change the native VLAN on a shared port with the port-vlan-add command.

       

Layer 3 commands (i.e., vRouter commands):


    • static-ecmp-group-show/static-ecmp-group-nh-show
    • vrouter-ping/traceroute


Note that if any of the above commands is run on a port outside the scope of a vNET, a No permission for port 'port = %d' message is displayed, for example:


CLI (network-admin@switch) > vlag-create name vl1 port 99 peer-port 99

vlag-create: No permission for port 'port = 99'


Let us take a concrete example of vNET creation and see how the above commands behave within it:


CLI (network-admin@switch) > vnet-create name vn1 scope cluster vlan-type private public-vlans 2000-2099 num-private-vlans 10 vxlans 10000100-10000109 managed-ports 9,17 shared-ports 18 shared-port-vlans 105-109                                                                                            

Creating vn1-mgr zone, please wait...


With this command the fabric administrator creates a vNET as a dedicated domain comprising a number of managed and shared ports as well as private and public VLANs and VXLAN IDs. In other words, the fabric admin partitions the resources to provide a dedicated and restricted view of the network.


The following examples show how a vNET’s view gets constrained for each command example:


CLI (network-admin@switch) > port-show

switch    port bezel-port status     config
--------  ---- ---------- ---------- ------
switch     9    9          up,vlan-up fd,10g
switch     17   17         disabled   fd,10g
switch     18   18         disabled   fd,10g


In this example the vNET admin can only see the managed and shared ports chosen at vNET creation (9, 17 and 18), out of all the front panel ports.


CLI (network-admin@aquarius00) > port-phy-show

switch     port state speed eth-mode   max-frame learning def-vlan
---------- ---- ----- ----- ---------- --------- -------- --------
switch     9    up    10000 10Gbase-cr 1540      off      0
switch     17   down  10000 10Gbase-cr 1540      off      1
switch     18   down  10000 10Gbase-cr 1540      off      0


The front panel and PHY information is likewise constrained to the ports selected at vNET creation. Port configuration is constrained too:


CLI (network-admin@aquarius00) > port-config-show format port,enable

port enable
---- ------
9    on
17   off


The Layer 2 configuration commands also get a constrained view:


CLI (network-admin@switch) > port-vlan-add port 9 untagged-vlan 45

port-vlan-add: No permission to modify untagged-vlan field


As shown, the vNET admin is prevented from changing the untagged (native) VLAN of the port.


vLAGs can be created only on accessible ports (such as port 9 in the example below):


CLI (network-admin@switch) > vlag-create name vl1 port 9 peer-port 9

CLI (network-admin@switch) > port-lacp-show layout vertical

switch:          switch
port:            9
name:            vl1
port-type:       vlag
mode:            passive
timeout:         slow
system-id:       66:0e:94:b6:ab:01
lacp-key:        36285
system-priority: 32768
port-priority:   32768
aggregatable:    yes
sync:            yes
coll:            yes
dist:            no
defaulted:       yes
expired:         no
port-state:      0x5c


whereas inaccessible ports are rejected:


CLI (network-admin@aquarius00) > vlag-create name vl1 port 99 peer-port 99

vlag-create: No permission for port 'port = 99'


Similarly, a VLAN trunk can be created (and then deleted) using accessible ports 9 and 10:


CLI (network-admin@switch) > trunk-create name t ports 9-10

trunk 273 defer-bringup set to 1 based on first port 9
Created trunk t, id 273


CLI (network-admin@switch) > trunk-show format name,trunk-id,ports

name                 trunk-id ports
-------------------- -------- -----
t                    274      9-10
vxlan-loopback-trunk 397


CLI (network-admin@switch) > trunk-delete name t


Furthermore, spanning tree (STP) commands are limited to accessible ports only:


CLI (network-admin@switch) > stp-port-show port 10

switch     port block filter edge bpdu-guard root-guard priority cost
---------- ---- ----- ------ ---- ---------- ---------- -------- ----
switch     10   on    off    no   no         no         128      2000


CLI (network-admin@switch) > stp-port-modify port 53 cost 10000

stp-port-modify: No permission over ports 53


CLI (network-admin@switch) > stp-port-event-show

switch   time     port vlan   instance count initial-state other-state final-state
-------  -------- ---- ------ -------- ----- ------------- ----------- -----------
switch   01:13:52  17   1,4094 0        3     Disabled      Disabled    Forwarding
switch   01:15:42  9    1      0        1     Disabled      Disabled    Discarding
switch   01:16:02  9    1      0        1     Discarding    Disabled    Learning
switch   01:16:12  9    1      0        1     Learning      Disabled    Forwarding
switch   01:17:53  17   1      0        1     Forwarding    Disabled    Disabled
switch   01:17:53  9    1      0        1     Forwarding    Disabled    Disabled
switch   01:29:00  17   4094   0        1     Disabled      Disabled    Forwarding

The vRouter commands are constrained too (to accessible VLANs and interfaces):

       

CLI (network-admin@switch) > vrouter-create name vr1 vnet vn1 router-type hardware

Creating vr1 zone, please wait...
vrouter created


CLI (network-admin@switch) > vrouter-interface-add vrouter-name vr1 ip 192.168.99.13/24 vlan 100

Added interface eth0.100 with ifIndex 159


CLI (network-admin@switch) > vrouter-interface-show format vrouter-name,ip,vnet,vlan,vlan-type,nic-state,mtu

vrouter-name nic      ip               vnet vlan vlan-type nic-state mtu
------------ -------- ---------------- ---- ---- --------- --------- ----
vr1          eth0.100 192.168.99.13/24 vn1  100  private   up        1500


CLI (network-admin@switch) > vrouter-ping vrouter-name vr1 host-ip 192.168.99.13

PING 192.168.99.13 (192.168.99.13) 56(84) bytes of data.
64 bytes from 192.168.99.13: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.99.13: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 192.168.99.13: icmp_seq=3 ttl=64 time=0.063 ms
^C
--- 192.168.99.13 ping statistics ---