Creating a Virtual Network (vNET)


To separate resources, including switch ports, IP addresses, VLANs, and VXLAN IDs, into separate management spaces, create (at least) one vNET and associate the desired resources with it (see below for a configuration example).


A vNET is created with the vnet-create command followed by a list of required parameters. You can then configure a separate vNET administrator to manage each newly created management domain.


CLI (network-admin@switch) > vnet-create

name name-string

Specify the name of the virtual network (vNET).

scope local|cluster|fabric

Specify the scope of the virtual network (vNET).

Specify one or more of the following options:

vrg vrg-name

Specify the name of the virtual resource group (VRG) to be assigned to the vNET.

vlan-type public|private

Specify the type of VLAN used by the vNET.

num-vlans number

Specify the number of VLANs to assign to the vNET. Using this parameter allows you to assign a group of VLANs rather than specific VLANs.

vlans vlan-list

Specify the list of VLANs to assign to the vNET. You can specify a list or range of VLANs that the vNET assigns to vNET interfaces.

public-vlans vlan-list

Specify the public VLANs assigned to private VLAN vNET.

num-private-vlans number

Specify the number of private VLANs that the vNET administrator can create for the vNET. This is a number between 1 and 4094.

num-bridge-domains 0..4094

Specify the number of bridge domains allowed to be created in the vNET.

vxlans vxlan-id

Specify the VXLAN ID assigned to the vNET.

vxlan-end vxlan-id

Specify the last VXLAN ID assigned to the vNET.

managed-ports port-list

Specify the list of managed ports on the vNET.

shared-ports port-list

Specify the shared ports for the vNET.

shared-port-vlans vlan-list

Specify the VLANs on the shared ports.

config-admin|no-config-admin

Specify an administrator for the vNET. This is optional.

admin user-name

Specify the user name for the admin role.

create-vnet-mgr|no-create-vnet-mgr

Specify whether to create a vNET manager.

vnet-mgr-name name-string

Specify the name of the vNET manager. If you don’t specify a name, one is automatically configured.

vnet-mgr-storage-pool storage-pool-name

Specify the storage pool for the vNET.


Note: You cannot create another vNET inside of a vNET.


You can modify a vNET using the vnet-modify command.


CLI (network-admin@switch) > vnet-modify

name name-string

Specify the name of the virtual network (vNET).

Specify one or more of the following options:

vlans vlan-list

Specify the list of VLANs to assign to the vNET. You can specify a list or range of VLANs that the vNET assigns to vNET interfaces.

managed-ports port-list

Specify the list of managed ports on the vNET.

num-private-vlans number

Specify the number of private VLANs that the vNET administrator can create for the vNET. This is a number between 1 and 4094.

public-vlans vlan-list

Specify the public VLANs assigned to private VLAN vNET.

shared-ports port-list

Specify the shared ports for the vNET.

vxlans vxlan-id

Specify the VXLAN ID assigned to the vNET.

vxlan-end vxlan-id

Specify the last VXLAN ID assigned to the vNET.

shared-port-vlans vlan-list

Specify the vNET shared port VLANs.

num-bridge-domains 0..4094

Specify the number of bridge domains allowed to be created in the vNET.


The purpose of vNET objects is to provide independent network domains whose administrators can manage a set of dedicated resources, within the constraints that the fabric administrator defines, without having to involve the fabric administrator.


Access control is based on the scope of a vNET, which includes a number of dedicated ports on which certain commands can be applied and certain dedicated resources used.


For example, the resources in vNET admin scope fall into three categories of commands/entities, listed below:


Layer 1 commands (i.e., port-related commands):


    • port-show (shows vNET ports but not internal/cluster ports)
    • port-phy-show
    • port-config-modify/show
    • bezel-portmap-show


Layer 2 commands (i.e., VLAN/LACP/STP/vLAG commands):


    • port-lacp-modify/show
    • vlag-create/modify/delete
    • trunk-create/modify/delete
    • stp-port-modify/show, stp-port-event-show
    • A vNET admin is not allowed to change the native VLAN on a shared port with the port-vlan-add command.


Layer 3 commands (i.e., vRouter commands):


    • static-ecmp-group-show/static-ecmp-group-nh-show
    • vrouter-ping/traceroute


Note that if any of the above commands is run on a port outside the scope of a vNET, a No permission for port 'port = %d' message is displayed, for example:


CLI (network-admin@switch) > vlag-create name vl1 port 99 peer-port 99

vlag-create: No permission for port 'port = 99'


Let us take a concrete example of vNET creation and see how the above commands behave within it:


CLI (network-admin@switch) > vnet-create name vn1 scope cluster vlan-type private public-vlans 2000-2099 num-private-vlans 10 vxlans 10000100-10000109 managed-ports 9,17 shared-ports 18 shared-port-vlans 105-109

Creating vn1-mgr zone, please wait...


With this command the fabric administrator creates a vNET as a dedicated domain comprising a number of managed and shared ports as well as private and public VLANs and VXLAN IDs. In other words, the fabric admin partitions the resources to provide a dedicated and restricted view of the network.


The following examples show how a vNET’s view gets constrained for each command example:


CLI (network-admin@switch) > port-show


switch    port bezel-port status     config

--------  ---- ---------- ---------- ------

switch     9    9          up,vlan-up fd,10g

switch     17   17         disabled   fd,10g

switch     18   18         disabled   fd,10g


In this example, out of all the front-panel ports, the vNET admin can only show the managed and shared ports chosen during vNET creation.


Note: When you run the port-show command for a private vNET, only vNET managed ports are displayed. But for a public vNET, all ports except internal ports and cluster ports are displayed.


CLI (network-admin@aquarius00) > port-phy-show


switch     port state speed eth-mode   max-frame learning def-vlan

---------- ---- ----- ----- ---------- --------- -------- --------

switch     9    up    10000 10Gbase-cr 1540      off      0

switch     17   down  10000 10Gbase-cr 1540      off      1

switch     18   down  10000 10Gbase-cr 1540      off      0


The front panel and PHY information is likewise constrained to the ports selected during vNET creation. Port configuration is constrained too:


CLI (network-admin@aquarius00) > port-config-show format port,enable,


port enable

---- ------

9    on

17   off


Regarding the Layer 2 configuration, these commands also get a constrained view:


CLI (network-admin@switch) > port-vlan-add port 9 untagged-vlan 45

port-vlan-add: No permission to modify untagged-vlan field


As shown, untagged VLANs are prevented from being changed.
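As an added illustration (constructed here, not Netvisor code or output), the following Python models the scoping behaviour shown so far: the resources from the vnet-create example, the port-show filtering to managed and shared ports, the "No permission for port" error for out-of-scope ports, and the untagged-vlan refusal. That the untagged-vlan change is refused on any vNET port (as it was on managed port 9 above) and that shared ports appear in port-show are assumptions read off the example outputs.

```python
from __future__ import annotations
from dataclasses import dataclass, field

def parse_ranges(spec: str) -> set[int]:
    """Expand a CLI list such as '9,17' or '2000-2099' into a set of integers."""
    out: set[int] = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


@dataclass
class VNet:
    """Resources a fabric admin carved out with vnet-create (toy model)."""
    name: str
    managed_ports: set[int]
    shared_ports: set[int] = field(default_factory=set)
    public_vlans: set[int] = field(default_factory=set)
    vxlans: set[int] = field(default_factory=set)

    def visible_ports(self, all_ports: set[int]) -> list[int]:
        """port-show inside the vNET: only managed and shared ports (as in the example)."""
        return sorted(all_ports & (self.managed_ports | self.shared_ports))

    def check_port(self, cmd: str, port: int) -> str | None:
        """Error text for an out-of-scope port (the page's message), else None."""
        if port in self.managed_ports or port in self.shared_ports:
            return None
        return f"{cmd}: No permission for port 'port = {port}'"

    def port_vlan_add(self, port: int, untagged_vlan: int | None = None) -> str:
        """Assumption: untagged-vlan changes are refused on every vNET port,
        matching the port 9 example; tagged additions on in-scope ports pass."""
        err = self.check_port("port-vlan-add", port)
        if err:
            return err
        if untagged_vlan is not None:
            return "port-vlan-add: No permission to modify untagged-vlan field"
        return "ok"


# Same resources as the vnet-create example on this page (constructed instance).
VN1 = VNet(
    name="vn1",
    managed_ports=parse_ranges("9,17"),
    shared_ports=parse_ranges("18"),
    public_vlans=parse_ranges("2000-2099"),
    vxlans=parse_ranges("10000100-10000109"),
)
```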


vLAGs can be created only on accessible ports (such as port 9 in the example below):


CLI (network-admin@switch) > vlag-create name vl1 port 9 peer-port 9

CLI (network-admin@switch) > port-lacp-show layout vertical


switch:        switch

port:        9

name:        v11

port-type:        vlag

mode:        passive

timeout:        slow

system-id:        66:0e:94:b6:ab:01

lacp-key:        36285

system-priority:        32768

port-priority:        32768

aggregatable:        yes

sync:        yes

coll:        yes

dist:        no

defaulted:        yes

expired:        no

port-state:        0x5c


whereas inaccessible ports are blocked in the configuration:


CLI (network-admin@aquarius00) > vlag-create name vl1 port 99 peer-port 99

vlag-create: No permission for port 'port = 99'


Similarly, a VLAN trunk can be created (and then deleted) using accessible ports 9 and 10 like so:


CLI (network-admin@switch) > trunk-create name t ports 9-10

trunk 273 defer-bringup set to 1 based on first port 9

Created trunk t, id 273


CLI (network-admin@switch) > trunk-show format name,trunk-id,ports


name                 trunk-id ports

-------------------- -------- -----

t                    274      9-10

vxlan-loopback-trunk 397


CLI (network-admin@switch) > trunk-delete name t


Furthermore, spanning tree (STP) commands are limited to accessible ports only:


CLI (network-admin@switch) > stp-port-show port 10


switch     port block filter edge bpdu-guard root-guard priority cost

---------- ---- ----- ------ ---- ---------- ---------- -------- ----

switch     10   on    off    no   no         no         128      2000


CLI (network-admin@switch) > stp-port-modify port 53 cost 10000

stp-port-modify: No permission over ports 53


CLI (network-admin@switch) > stp-port-event-show


switch   time     port vlan   instance count initial-state other-state final-state

-------  -------- ---- ------ -------- ----- ------------- ----------- -----------

switch   01:13:52  17   1,4094 0        3     Disabled      Disabled    Forwarding

switch   01:15:42  9    1      0        1     Disabled      Disabled    Discarding

switch   01:16:02  9    1      0        1     Discarding    Disabled    Learning

switch   01:16:12  9    1      0        1     Learning      Disabled    Forwarding

switch   01:17:53  17   1      0        1     Forwarding    Disabled    Disabled

switch   01:17:53  9    1      0        1     Forwarding    Disabled    Disabled

switch   01:29:00  17   4094   0        1     Disabled      Disabled    Forwarding


The vRouter commands are constrained too (to accessible VLANs and interfaces):


CLI (network-admin@switch) > vrouter-create name vr1 vnet vn1 router-type hardware

Creating vr1 zone, please wait...

vrouter created


CLI (network-admin@switch) > vrouter-interface-add vrouter-name vr1 ip 192.168.99.13/24 vlan 100

Added interface eth0.100 with ifIndex 159


CLI (network-admin@switch) > vrouter-interface-show format vrouter-name,ip,vnet,vlan,vlan-type,nic-state,mtu


vrouter-name nic      ip               vnet vlan vlan-type nic-state mtu

------------ -------- ---------------- ---- ---- --------- --------- ----

vr1          eth0.100 192.168.99.13/24 vn1  100  private   up        1500


CLI (network-admin@switch) > vrouter-ping vrouter-name vr1 host-ip 192.168.99.13


PING 192.168.99.13 (192.168.99.13) 56(84) bytes of data.

64 bytes from 192.168.99.13: icmp_seq=1 ttl=64 time=0.066 ms

64 bytes from 192.168.99.13: icmp_seq=2 ttl=64 time=0.071 ms

64 bytes from 192.168.99.13: icmp_seq=3 ttl=64 time=0.063 ms

^C

--- 192.168.99.13 ping statistics ---

