Configuring Unicast Fabric VRFs with Anycast Gateway
The following commands are used for the configuration of VRF instances and of the associated VRF gateway (vrf-gw and vrf-gw2) IP addresses:
CLI (network-admin@switch) > vrf-create
|
name name-string |
Specify a name for the VRF. |
|
vnet vnet-name |
Specify the name of the vNET to assign the VRF. If you only have a global vNET configured, omit this parameter. |
|
scope local|cluster|fabric |
Specify the scope for the VRF. |
|
vrf-gw ip-address |
Specify the gateway IP address. |
|
vrf-gw2 ip-address |
Specify the second gateway IP address. |
|
vrf-gw-ipv6 ip-address |
Specify the IPv6 gateway address. |
|
vrf-gw2-ipv6 ip-address |
Specify the second IPv6 gateway address. |
|
enable|disable |
Specify to enable or disable VRF routing. |
|
description description-string |
Specify a VRF description. The maximum number of allowed characters is 59. |
CLI (network-admin@switch) > vrf-delete
|
name name-string |
Specify VRF name that you want to delete. |
|
vnet vnet-name |
Specify the name of the vNET assigned to the VRF. |
CLI (network-admin@switch) > vrf-modify
|
name name-string |
Specify a name for the VRF. |
|
vnet vnet-name |
Specify the name of the vNET to assign the VRF. |
|
scope local|cluster|fabric |
Specify the scope for the VRF. |
|
vrf-gw ip-address |
Specify the gateway IP address. |
|
vrf-gw2 ip-address |
Specify the second gateway IP address. |
|
vrf-gw-ipv6 ip-address |
Specify the IPv6 gateway address. |
|
vrf-gw2-ipv6 ip-address |
Specify the second IPv6 gateway address. |
|
enable|disable |
Specify to enable or disable VRF routing. |
|
description description-string |
Specify a VRF description. The maximum number of allowed characters is 59. |
CLI (network-admin@switch) > vrf-show
|
name name-string |
Displays the name of the VRF. |
|
vnet vnet-name |
Displays the name of the vNET assigned the VRF. |
|
scope local|cluster|fabric |
Displays the scope of the VRF. |
|
vrf-gw ip-address |
Displays the gateway IP address. |
|
vrf-gw2 ip-address |
Displays the second gateway IP address. |
|
vrf-gw-ipv6 ip-address |
Displays the IPv6 gateway address. |
|
vrf-gw2-ipv6 ip-address |
Displays the second IPv6 gateway address. |
|
enable|disable |
Displays the status of VRF routing as enable or disable. |
|
description description-string |
Displays the VRF description. |
The following commands are used for the configuration of subnet objects for the associated anycast gateway addresses and the associated VNIs:
CLI (network-admin@switch) > subnet-create
|
name name-string |
Specify the name of the subnet. |
|
description description-string |
Specify the subnet description. The maximum number of allowed characters is 59. |
|
scope local|cluster|fabric |
Specify the scope for the VRF. |
|
vnet vnet-name |
Specify the name of the vNET to assign the VRF. |
|
vxlan vxlan-id |
Specify the VXLAN ID to assign to the subnet. |
|
vrf vrf name |
Specify the VRF to which the subnet belongs to. |
|
network ip-address |
Specify the IPv4 network IP address. |
|
netmask netmask |
Specify the netmask for the IPv4 address. |
|
anycast-gw-ip ip-address |
Specify the anycast gateway IPv4 address for the subnet. |
|
network6 ip-address |
Specify the IPv6 subnet network address. |
|
netmask6 netmask |
Specify the IPv6 subnet netmask address. |
|
anycast-gw-ip6 ip-address |
Specify the anycast gateway IPv6 address for the subnet. |
|
packet-relay enable|disable|none |
Enable or disable the packet relay. |
|
forward-proto dhcp |
Specify the protocol type to forward the packets. |
|
forward-ip ip-address |
Specify the forwarding IPv4 address. |
|
forward-ip2 ip-address |
Specify the second forwarding IPv4 address. |
|
forward-ip6 ip-address |
Specify the forwarding IPv6 address. |
|
forward-ip6-2 ip-address |
Specify the second forwarding IPv6 address. |
|
flood enable|disable|none |
Specify the flooding state of BUM traffic |
|
enable|disable |
Specify to enable/disable subnet routing. |
CLI (network-admin@switch) > subnet-delete
|
name name-string |
Specify the name of the subnet. |
|
vnet vnet-name |
Specify the name of the vNET to assign the VRF. |
|
vrf name-string |
Specify the VRF to assign the subnet. |
CLI (network-admin@switch) > subnet-modify
|
name name-string |
Specify the name of the subnet. |
|
description description-string |
Specify the subnet description. The maximum number of allowed characters is 59. |
|
vnet vnet-name |
Specify the name of the vNET to assign the VRF. |
|
Specify one or more of the following options: |
|
|
network ip-address |
Specify the IPv4 network IP address. |
|
netmask netmask |
Specify the netmask for the IPv4 address. |
|
anycast-gw-ip ip-address |
Specify the anycast gateway IPv4 address for the subnet. |
|
network6 ip-address |
Specify the IPv6 subnet network address. |
|
netmask6 netmask |
Specify the IPv6 subnet netmask address. |
|
anycast-gw-ip6 ip-address |
Specify the anycast gateway IPv6 address for the subnet. |
|
packet-relay enable|disable|none |
Enable or disable the packet relay. |
|
forward-proto dhcp |
Specify the protocol type to forward the packets. |
|
forward-ip ip-address |
Specify the forwarding IPv4 address. |
|
forward-ip2 ip-address |
Specify the second forwarding IPv4 address. |
|
forward-ip6 ip-address |
Specify the forwarding IPv6 address. |
|
forward-ip6-2 ip-address |
Specify the second forwarding IPv6 address. |
|
enable|disable |
Specify to enable/disable subnet routing. |
CLI (network-admin@switch) > subnet-show
|
name name-string |
Displays the name of the subnet. |
|
description description-string |
Displays the subnet description. |
|
scope local|cluster|fabric |
Displays the scope for the VRF. |
|
vnet vnet-name |
Displays the name of the vNET to assign the VRF. |
|
vlan vlan-id |
Displays the VLAN ID to assign to the subnet. |
|
vxlan vxlan-id |
Displays the VXLAN ID to assign to the subnet. |
|
vrf name-string |
Displays the VRF to assign the subnet. |
|
network ip-address |
Displays the network IPv4 address. |
|
netmask netmask |
Displays the netmask for the IPv4 address. |
|
anycast-gw-ip ip-address |
Displays the anycast gateway IPv4 address. |
|
network6 ip-address |
Displays the IPv6 subnet network address. |
|
netmask6 netmask |
Displays the IPv6 subnet netmask address. |
|
anycast-gw-ip6 ip-address |
Displays the anycast gateway IPv6 address for the subnet. |
|
linklocal ip-address |
Displays the IPv6 Link Local address. |
|
packet-relay enable|disable|none |
Displays the packet relay mode. |
|
forward-proto dhcp |
Displays the protocol type forwarding the packets. |
|
forward-ip ip-address |
Displays the forwarding IPv4 address. |
|
forward-ip2 ip-address |
Displays the second forwarding IPv4 address. |
|
forward-ip6 ip-address |
Displays the forwarding IPv6 address. |
|
forward-ip6-2 ip-address |
Displays the second forwarding IPv6 address. |
|
state init|ok|vxlan not found|vxlan deactivated|not-in-hw|vrouter interface exists |
Displays the subnet state. |
|
hw-state|no-hw-state |
Displays if there is a hardware state present. |
|
enable|disable |
Displays the state of the subnet routing. |
|
format fields-to-display |
Display output using a specific parameter. Use all to display all possible output. |
|
parsable-delim character |
Display output formatted for machine parsing using a specified delimiter. |
|
sort-asc |
Display output in ascending order. |
|
sort-desc |
Display output in descending order. |
|
show dups |
Display duplicate entries in the output. |
|
layout vertical|horizontal |
Format the output in a vertical or horizontal layout. |
|
show-interval seconds-interval |
Repeat the show command at a specified interval. |
|
show-headers| |
Display column headers or not. |
|
limit-output number |
Limit the display output to a specific number of entries. |
|
count-output |
Display the number of entries in the output. This is useful with vRouter show commands. |
|
count-only |
Displays the number of entries only. |
|
unscaled |
Display full values in the output instead of scaled approximate values. |
|
raw-int-values |
Display integer values instead of mapped values |
The following commands allow you to modify and display anycast gateway information on the fabric:
CLI (network-admin@switch) > fabric-anycast-mac-show
|
format fields-to-display |
Display output using a specific parameter. Use all to display all possible output. |
|
parsable-delim character |
Display output formatted for machine parsing using a specified delimiter. |
|
sort-asc |
Display output in ascending order. |
|
sort-desc |
Display output in descending order. |
|
show dups |
Display duplicate entries in the output. |
|
layout vertical|horizontal |
Format the output in a vertical or horizontal layout. |
|
show-interval seconds-interval |
Repeat the show command at a specified interval. |
|
show-headers| |
Display column headers or not. |
|
limit-output number |
Limit the display output to a specific number of entries. |
|
count-output |
Display the number of entries in the output. This is useful with vRouter show commands. |
|
count-only |
Displays the number of entries only. |
|
unscaled |
Display full values in the output instead of scaled approximate values. |
|
raw-int-values |
Display integer values instead of mapped values |
CLI (network-admin@switch) > fabric-anycast-mac-modify
|
mac mac-address |
Modify the MAC address for anycast. The default MAC address is 64:0e:94:40:00:02. |
For example, the following vrf-create command can be used to create VRF-1:
CLI (network-admin@switch) > vrf-create name VRF-1 scope fabric
The vrf-create command can be issued to configure for instance 1000 VRFs on a single node, as shown in this output:
CLI (network-admin@switch) > vrf-show count-output
name vnet scope anycast-mac vrf-gw vrf-gw2 active hw-router-mac hw-vrid
------- ---- ------ ----------------- ------ ------- ------ ----------------- -------
VRF-1 0:0 fabric 64:0e:94:40:00:02 :: :: no 00:00:00:00:00:00 -1
VRF_2 0:0 fabric 64:0e:94:40:00:02 :: :: yes 66:0e:94:1b:59:47 1
VRF_3 0:0 fabric 64:0e:94:40:00:02 :: :: yes 66:0e:94:1b:6c:91 2
VRF_4 0:0 fabric 64:0e:94:40:00:02 :: :: yes 66:0e:94:1b:76:3d 3
VRF_5 0:0 fabric 64:0e:94:40:00:02 :: :: yes 66:0e:94:1b:7f:e2 4
VRF_6 0:0 fabric 64:0e:94:40:00:02 :: :: yes 66:0e:94:1b:89:87 5
...
VRF_999 0:0 fabric 64:0e:94:40:00:02 :: :: yes 66:0e:94:1b:aa:8a 999
Count: 999
Note: The newer ASICs can support an even higher count. The maximum number is ASIC limited.
The following commands can be used to create two subnet objects associated with VRF-1 for East-West traffic segmentation:
CLI (network-admin@switch) > vlan-create id 12 vxlan 500012 scope fabric ports none
CLI (network-admin@switch) > vlan-create id 13 vxlan 500013 scope fabric ports none
CLI (network-admin@switch) > subnet-create name subnet-vxlan-500012 scope fabric vxlan 500012 network 172.10.2.0/24 anycast-gw-ip 172.10.2.1 vrf VRF-1
CLI (network-admin@switch) > subnet-create name subnet-vxlan-500013 scope fabric vxlan 500013 network 172.10.3.0/24 anycast-gw-ip 172.10.3.1 vrf VRF-1
Note: Starting from Netvisor ONE release 6.0.0, the VNI assignment in vlan-create can be automated with the auto-vxlan keyword.
Finally, the following commands can be used to create two smaller subnets (/29) to provide North-South reach-ability in and out of VRF-1 to/from VRF gateways 172.10.0.2 and 172.10.1.2:
CLI (network-admin@switch) > vlan-create id 10 vxlan 500010 scope fabric ports none
CLI (network-admin@switch) > vlan-create id 11 vxlan 500011 scope fabric ports none
CLI (network-admin@switch) > subnet-create name subnet-vxlan-500010 scope fabric vxlan 500010 network 172.10.0.0/29 anycast-gw-ip 172.10.0.1 vrf VRF-1
CLI (network-admin@switch) > subnet-create name subnet-vxlan-500011 scope fabric vxlan 500011 network 172.10.1.0/29 anycast-gw-ip 172.10.1.1 vrf VRF-1
Note: The scope of the VRF and subnet objects typically would be fabric; however, to cater to specific needs and designs it is also possible to configure local VRFs and subnets in certain cases.
The next step is to configure the VRF gateways for VRF-1:
CLI (network-admin@switch) > switch <switch_list> vrf-modify name VRF-1 vrf-gw 172.10.0.2 vrf-gw2 172.10.1.2
Figure 8-15: Fabric VRFs with Border Leaves Connecting External Network
In this example it is assumed that the connectivity is implemented with static routing on the DC gateways (for example, third-party devices). To provide inbound reach-ability for VRF-1, the DC gateways must be provisioned with static routes for the VRF subnets receiving traffic from external networks, using the adjacent anycast gateway addresses as next-hop:
DC-Gateway-1# ip route vrf VRF-1 172.10.2.0/23 172.10.0.1
DC-Gateway-1# ip route vrf VRF-1 172.10.2.0/23 172.10.1.1
DC-Gateway-2# ip route vrf VRF-1 172.10.2.0/23 172.10.0.1
DC-Gateway-2# ip route vrf VRF-1 172.10.2.0/23 172.10.1.1
In addition, you can also leverage the vrf-route-add command to add static routes to specific VRF-enabled networks when required:
CLI (network-admin@switch) > vrf-route-add
vrf-route-add add vrf route
one of the following vrf selectors:
vrf-name name-string vrf name
vrf-vnet vnet name VNET for the VRF
the following route arguments:
network ip-address IP address
netmask netmask netmask
gateway-ip ip-address gateway IP address
vrf-route-remove and vrf-route-show commands are also available.