Glossary		Print Page		Document Feedback		Support & Services		Pluribus Networks		Pluribus Blog		LinkedIn		Facebook		Twitter

About Unicast Fabric Virtual Routing and Forwarding (VRF) with Anycast Gateway

NetVisor OS Unified Cloud Fabric adds Layer 3 segmentation to VXLAN interconnections with the support of VRF (Virtual Routing and Forwarding) instances, complementing the vRouter construct and offering a highly scalable distributed routing solution to network architects.

NetVisor supports VRF as a hardware technology allowing multiple routing spaces to coexist on the same distributed fabric architecture. Furthermore, with the addition of the Anycast Gateway functionality, the Unified Cloud Fabric enables distributed forwarding at the first hop router as well as intrinsic VM mobility capabilities across complex multi-site data center designs. This guarantees the maximum VRF scalability possible, limited only by the specific forwarding ASIC capabilities.

Figure 8-10: East-West Traffic Segmentation with Multiple VRF Instances

NetVisor Fabric VRFs have the following advantages:

High scalability with support for a large number of VRF instances on a single fabric node (in the order of thousands depending on hardware capacity especially with newer ASICs and as an aggregate number fabric-wide).

High performance distributed routing of East-West traffic at the Top-of-Rack (ToR) switch level. The distributed routing capability hosted on each leaf node avoids the need for hair pinning traffic to a centralized vRouter.

Small forwarding state to manage on each node.

Native redundancy without needing dedicated redundancy protocols (and potentially extra overhead).

Dual stack support for IPv4 and IPv6 subnets.

Simple fabric-wide configuration and management (typical provisioning overhead is proportional to: (number_of_VRFs + number_of_VLANs + number_of_switches) instead of the industry average of up to (number_of_VLANs * number_of_switches).

IPv4 and IPv6 subnets can be automatically stretched to multiple locations without extra configuration.

Starting from NetVisor OS release 6.0.1, subnet prefixes can be imported/exported between VRFs by using an innovative feature called virtual service group (vSG).

Fabric VRFs are lightweight distributed atomic constructs created without the need for a local vRouter and they do not currently support any routing protocols on VRF instances. This choice enables very high scalability and very low overhead in the management of the distributed segmentation and routing function.

You can connect fabric VRFs to third party VRF routers or gateways either directly using static routing or through a redundant group of border leaf switch(es) running the vRouter function mapping 1:1 to the Fabric VRF instances. In the latter case, border leaf switches can run any supported IGP protocol to interconnect with third party VRF routers or gateways.

For redundancy purposes, you can configure two VRF routers or gateways, sometimes referred to as DC gateways, can be configured per VRF (vrf-gw and vrf-gw2).

To be more precise, these two important configuration parameters represent two static default routes for northbound traffic. They can be quite flexible: after VRF global creation, they can be locally modified by using the vrf-modify command and allowing the implementation of different exit points for a VRF depending on the switch location.

In addition, static routing (with the vrf-route-add command) can be leveraged to augment them, for example, to install more than two routes or to change the VRF exit point for specific destination prefixes.

Figure 8-11: East-West Traffic Segmentation with North-South VRF (DC) Gateways

As part of the Fabric VRFs configuration, you can create IPv4 and IPv6 subnets, which are atomic objects in the Fabric data plane to associate to the VRF instances in order to implement distributed traffic segmentation.

In particular, Fabric leaf switches use subnet objects for management purposes to represent groups of directly connected hosts with a fabric wide scope across the VXLAN interconnect. NetVisor OS also uses them to program subnet routes into the hardware to send Layer 3 packets corresponding to unresolved adjacencies to the software so that next-hop resolution through ARP requests can be performed. When a host responds to the ARP request(s), more specific Layer 2 and Layer 3 host entries are configured in the hardware so that end-to-end forwarding ensues.

In addition, NetVisor OS supports the anycast gateway routing function for the Fabric VRFs to enable distributed first-hop routing, redundancy and mobility. This capability uses a dedicated virtual MAC address, called the anycast gateway MAC address, which gets associated with configurable anycast gateway IP addresses as part of the subnet object configuration.

The default MAC address for the anycast gateway function is 64:0e:94:40:00:02. It can be displayed with the fabric-anycast-mac-show command. If necessary, you can also modify it using the fabric-anycast-mac-modify command.

Furthermore, as a key VRF-aware service, NetVisor OS supports end host address assignment through the DHCP packet relay function for up to two DHCP servers.