Configuration Example: vNET
Below is a sample configuration that you can use as a reference when configuring vNET on NetVisor switches:
L2 Configuration
To create a public vNET with managed ports, use the command:
CLI (network-admin@switch) > vnet-create name vnet1 scope fabric
Creating vnet1-mgr zone, please wait...
Vnet created. Vlans assigned: 5
CLI (network-admin@switch) > vnet-modify name vnet1 vlans 100-110
CLI (network-admin@switch) > vnet-modify name vnet1 managed-ports 41,45,13
CLI (network-admin@switch) > vnet-show
name scope vlan-type vlans public-vlans vxlans managed-ports shared-ports shared-port-vlans admin
---- ----- --------- ----- ------------ ------ ------------- ------------ ----------------- ------
vnet1 fabric public 100-110 none 0 13,41,45 none none vnet1-admin
To configure the port speed on a managed port for the vNET manager, use the command:
CLI (vnet1-admin@switch) > port-config-modify port 13 speed 400g
Create VLANs in the vNET. By default, a VLAN created in the vNET is assigned to all the ports in the vNET scope:
CLI (vnet1-admin@switch) > vlan-create id 106 scope local
Vlans 106 created
CLI (vnet1-admin@switch) > vlan-show id 106
switch: switch
id: 106
vnet: vnet1
type: public
auto-vxlan: no
scope: local
description: vlan-106
active: yes
stats: yes
ports: 0-1,5,9,13,17,21,25,29,33,37,39,41,43,45,47,49,53,
57,61,63,65,67,69,71,73,77,81,85,89,93,95,97,99,101,
105,109,113,117,121,125,129-130,272-273
active-edge-ports: none
topology:
Note: You can create VLANs only within the vNET VLAN range. NetVisor displays an error message if you try to create a VLAN outside the vNET VLAN range, for example:
CLI (vnet1-admin@switch) > vlan-create id 111 scope local
vlan-create: No permission for vlan 'id = 111'
L3 Configuration
You can add multiple subnets to a single VRF and verify the details in the vNET manager. For example:
CLI (vnet1-admin@switch) > vrf-create name vrf1
CLI (vnet1-admin@switch) > vlan-create id 101 scope local
Vlans 101 created
CLI (vnet1-admin@switch) > vlan-create id 102 scope local
Vlans 102 created
CLI (vnet1-admin@switch) > subnet-create name sub2 vxlan 1001 vrf vrf1
CLI (vnet1-admin@switch) > subnet-create name sub3 vlan 1002 vrf vrf1
CLI (vnet1-admin@switch) > vrf-create name vrf2
CLI (vnet1-admin@switch) > subnet-create name sub4 vxlan 1009 vrf vrf2
CLI (vnet1-admin@switch) > subnet-create name sub5 vxlan 1010 vrf vrf2
CLI (vnet1-admin@switch) > subnet-show
name scope vnet vlan vxlan vrf packet-relay forward-proto state enable
---- ------ ----- ---- ----- ---- ------------ ------------- --------- ------
sub1 fabric vnet1 100 1000 vrf1 disable dhcp not-in-hw yes
sub2 fabric vnet1 101 1001 vrf1 disable dhcp not-in-hw yes
sub3 fabric vnet1 102 1002 vrf1 disable dhcp not-in-hw yes
sub4 fabric vnet1 109 1009 vrf2 disable dhcp not-in-hw yes
sub5 fabric vnet1 110 1010 vrf2 disable dhcp not-in-hw yes
CLI (vnet1-admin@switch) > vrf-show
name vnet scope anycast-mac l3-vni active hw-router-mac hw-vrid flags enable
---- ----- ------ ----------------- ------ ------ ----------------- ------- ------ ------
vrf1 vnet1 fabric 64:0e:94:40:00:02 0 yes 66:0e:94:d1:a2:06 2 subnet yes
vrf2 vnet1 fabric 64:0e:94:40:00:02 0 yes 66:0e:94:d1:ce:a6 3 subnet yes
Subnets support only VXLANs within the VXLAN range allowed for the vNET. For example:
CLI (vnet1-admin@switch) > subnet-create name sub1 vrf vrf1 vxlan 2021
subnet-create: No permission for vxlan
CLI (network-admin@switch) > subnet-create name sub9 vrf vrf1 vxlan 2021 vnet vnet1
subnet-create: vxlan 2021 not part of vnet vxlan range 1000-1100
You can create overlapping subnets if they are part of different vNETs. For example:
CLI (vnet1-admin@switch) > subnet-create name subnet1 vrf vrf1 network 10.10.10.2 netmask 24 vxlan 1000 anycast-gw-ip 10.10.10.1
CLI (vnet2-admin@switch) > subnet-create name subnet1 vrf vrf2 network 10.10.10.2 netmask 24 vxlan 1110 anycast-gw-ip 10.10.10.1
CLI (network-admin@switch) > subnet-show
switch name scope vnet vlan vxlan vrf network anycast-gw-ip forward-proto state enable
------------ ------- ------ ----- ---- ----- ---- ------------- ------------- ------------- ------------------------ ------
hydra-colo-3 subnet1 fabric vnet1 100 1000 vrf1 10.10.10.0/24 10.10.10.1 dhcp vrouter interface exists yes
hydra-colo-3 subnet1 fabric vnet2 111 1110 vrf2 10.10.10.0/24 10.10.10.1 dhcp ok yes
To verify traffic between subnets of two VRFs that have overlapping subnets, as in the example below (10.0.0.1 is the overlapping address):
CLI (network-admin@switch) > subnet-show
name scope vnet vlan vxlan vrf network anycast-gw-ip packet-relay forward-proto state enable
---- ------ ----- ---- ----- ---- ----------- ------------- ------------ ------------- ----- ------
sub1 fabric vnet1 10 1001 vrf1 10.0.0.0/24 10.0.0.1 disable dhcp ok yes
sub2 fabric vnet1 20 2001 vrf1 20.0.0.0/24 20.0.0.1 disable dhcp ok yes
sub1 fabric vnet2 50 3000 vrf2 10.0.0.0/24 10.0.0.1 disable dhcp ok yes
sub2 fabric vnet2 40 4000 vrf2 30.0.0.0/24 30.0.0.1 disable dhcp ok yes
CLI (network-admin@switch) > tunnel-stats-show show-diff-interval 1
switch time tunnel-name ibits iUpkts iBpkts iMpkts HER-pkts HER-bits oPkts
------- -------- ---------------------------- ----- ------ ------ ------ -------- -------- -----
switch 07:31:09 tunnel-10.0.100.3-10.0.100.1 311K 174 83 70 33 32.4K 0
switch1 07:31:09 tunnel-10.0.100.1-10.0.100.2 3.94M 3.09K 0 0 0 0 2.99K
switch1 07:31:09 tunnel-10.0.100.1-10.0.100.3 109K 126 0 0 0 0 128
switch2 07:31:10 tunnel-10.0.100.2-10.0.100.1 4.11M 3.27K 0 0 0 0 3.13K
To manage the vRouter from a vNET manager account (a vRouter can be created by the network admin only):
CLI (root@switch) > vrouter-create name vr1 vnet vnet1 router-type hardware
Creating vr1 zone, please wait...
vrouter created
CLI (vnet1-admin@sag-colo-3) > vrouter-show layout vertical
name: vr1
type: vrouter
scope: fabric
vnet: vnet1
vnet-service: dedicated
state: enabled
router-type: hardware
evpn-dup-addr-freeze: 180
hw-router-mac: 66:0e:94:d1:ce:a6
cluster-active-active-routing: enable
hw-vrid: 0
hw-vrrp-id: -1
ospf-spf-consec-delay: 50
ospf-spf-max-delay: 5000
ospf6-spf-consecu-delay: 50
ospf6-spf-max-delay: 5000
ospf-default-information: none
The vNET admin can create and manage the VRF. For example:
CLI (vnet1-admin@switch) > vrf-show
name vnet scope anycast-mac vrf-gw active hw-router-mac hw-vrid flags enable
---- ----- ------ ----------------- ------ ------ ------ ----------------- ------- ------
vrf1 vnet1 fabric 64:0e:94:40:00:02 :: yes 66:0e:94:d1:a2:06 2 subnet yes
vrf2 vnet1 fabric 64:0e:94:40:00:02 :: yes 66:0e:94:d1:ce:a6 3 subnet yes
You can add a VRF to the vRouter if they are in the same vNET. For example:
CLI (vnet1-admin@switch) > vrouter-vrf-add vrouter-name vr1 vrf vrf1
CLI (vnet1-admin@switch) > vrouter-vrf-add vrouter-name vr1 vrf vrf2
CLI (vnet1-admin@switch) > vrouter-vrf-show
vrouter-name vrf hw-vrid bgp-as router-id bgp-redistribute bgp-cluster-id
------------ ---- ------- ------ --------- ---------------- --------------
vr1 vrf1 2 0 :: ::
vr1 vrf2 3 0 :: ::
To check traffic between interfaces that belong to the same VRF but to different vRouters:
CLI (vnet1-admin@switch) > vrouter-interface-show
vrouter-name nic ip ip2 linklocal mac vlan nic-state l3-port mtu priority-tag vrf
------------ -------- ------------- --------------- ----------- ----------------- ---- --------- ------- ---- ------------ -----------
s0-vr1 eth1.100 10.0.100.1/30 2001:100::1/126 fe80::100:1 66:0e:94:79:9b:32 100 up 1500 off cus1-vrf
s0-vr1 eth1.300 10.0.30.1/30 2001:30::1/126 fe80::30:1 66:0e:94:79:9b:32 300 up 1500 off
s1-vr1 eth1.101 10.0.101.1/30 2001:101::1/126 fe80::101:1 66:0e:94:2a:96:f1 101 up 1500 off cus1-vrf
s1-vr1 eth1.301 10.0.31.1/30 2001:31::1/126 fe80::31:1 66:0e:94:2a:96:f1 301 up
CLI (vnet1-admin@switch) > vrouter-vrf-show
vrouter-name vrf hw-vrid bgp-as router-id bgp-redistribute bgp-cluster-id
------------ -------- ------- ------ --------- ---------------- --------------
s0-vr1 cus1-vrf 1 60001 10.1.1.1 connected ::
s1-vr1 cus1-vrf 1 61001 11.1.1.1 ::
To check that a vSG added to a VRF is visible through the vNET manager:
CLI (vnet1-admin@switch) > vsg-create name vsg1
CLI (vnet1-admin@switch) > vsg-vrf-add vsg-name vsg1 vrf vrf1 vnet vnet1
CLI (vnet1-admin@switch) > vsg-show
switch name
------ ----
switch vsg1
To check the reachability between two VRFs:
CLI (network-admin@switch) > vsg-network-show
vsg-name vrf vnet subnet network network6 network-state
-------- ----- ---------- ---------- ------------ -------- -------------
VSG_1 VRF-6 user_vnet1 sub_mine 130.0.0.0/24 ok
VSG_1 VRF-7 user_vnet1 sub_mine1 140.0.0.0/24 ok
VSG_1 VRF-7 user_vnet1 sub_mine1 140.0.0.0/24 ok
VSG_1 VRF-6 user_vnet1 sub_mine 130.0.0.0/24 ok
VSG_1 VRF-7 user_vnet1 sub_mine1 140.0.0.0/24 ok
VSG_1 VRF-6 user_vnet1 sub_mine 130.0.0.0/24 ok
CLI (user_vnet1-admin@switch) > subnet-show
name scope vnet vlan vxlan vrf network anycast-gw-ip packet-relay forward-proto state enable
--------- ------ ---------- ---- ----- ----- ------------ ------------- ------------ ------------- ----- ------
sub_mine fabric user_vnet1 300 3000 VRF-6 130.0.0.0/24 130.0.0.1 disable dhcp ok yes
sub_mine fabric user_vnet1 300 3000 VRF-6 130.0.0.0/24 130.0.0.1 disable dhcp ok yes
sub_mine fabric user_vnet1 300 3000 VRF-6 130.0.0.0/24 130.0.0.1 disable dhcp ok yes
sub_mine1 fabric user_vnet1 400 2000 VRF-7 140.0.0.0/24 140.0.0.1 disable dhcp ok yes
sub_mine1 fabric user_vnet1 400 2000 VRF-7 140.0.0.0/24 140.0.0.1 disable dhcp ok yes
sub_mine1 fabric user_vnet1 400 2000 VRF-7 140.0.0.0/24 140.0.0.1 disable dhcp ok yes
Security Related Configuration
vFlows created by the vNET admin are supported in the vNET manager:
CLI (vnet1-admin@switch) > vflow-create name vflow1 scope local in-port 13 action to-port action-to-ports-value 41 vlan 102
CLI (vnet1-admin@switch) > vflow-show layout vertical
switch: switch
name: vflow1
scope: local
type: vflow
vnet: vnet1
vlan: 102
in-port: 13
burst-size: auto
precedence: default
action: to-port
action-to-ports-value: 41
from-tunnel-decap: none
transparency: disable
tracking: disable
tracking-status: disabled
enable: enable
table-name: System-L1-L4-Tun-1-0
You can configure only managed ports for the vFlow qualifiers and actions. If you try to configure a non-managed port, you get an error message like the following:
CLI (vnet1-admin@switch) > vflow-create name vflow1 scope local in-port 17 vlan 102
vflow-create: port/trunk 17 is not managed under vnet vnet1
CLI (vnet1-admin@switch) > vflow-create name vflow1 scope local in-port 13 action to-port action-to-ports-value 17 vlan 102
vflow-create: port/trunk 17 is not managed under vnet vnet1
To check the blocking cases where the VLAN is part of the vNET VLAN range but its VXLAN is not part of the vNET VXLAN range:
CLI (network-admin@switch) > vnet-show
name scope vlan-type vlans public-vlans vxlans admin
----- ------ --------- ------- ------------ --------- -----------
vnet1 fabric public 100-200 none 1000-2000 vnet1-admin
CLI (network-admin@switch) > vlan-show
id vnet type vxlan description active stats ports untagged-ports active-edge-ports topology
---- ----- ------ ----- --------------- ------ ------ -------- -------------- ----------------- --------
1 public local default-1 yes yes 1-72 1-69 53,69
100 vnet1 public 1000 local vlan-100 yes no 1-68,397 none none
101 vnet1 public 10000 local vlan-101 yes no 1-68,397 none none
102 vnet1 public 2000 local vlan-102 yes no 1-68,397 none none
4093 public local vlan-4093 yes yes 397 397 none
CLI (network-admin@switch) > vflow-create name vflow1 scope local vnet vnet1 vlan 102 action setvlan action-value 101
vflow-create: vlan 101's vxlan 10000 not part of vnet vxlans 1000-2000 <--- blocked
CLI (network-admin@switch) > vflow-create name vflow1 scope local vnet vnet1 vlan 102 action setvlan action-value 300
vflow-create: vlan 300 not mapped in vnet vnet1 vlans <------ blocked
CLI (network-admin@switch) > vflow-create name vflow1 scope local vnet vnet1 vlan 102 action setvlan action-value 100 <-- allowed
CLI (network-admin@switch) > vflow-show
name scope type vnet vlan burst-size precedence action action-value enable table-name
------ ----- ----- ----- ---- ---------- ---------- ------- ------------ ------ --------------------
vflow1 local vflow vnet1 102 auto default setvlan 100 enable System-L1-L4-Tun-1-0
To check that system vFlow behavior is the same with respect to vNET vFlows:
CLI (network-admin@switch) > vflow-stats-show name System-A
name pkts bytes cpu-pkts cpu-bytes
-------- ---- ----- -------- ---------
System-A 299 18.7K 299 17.5K
CLI (network-admin@switch) > vflow-create name vflow1 scope local vlan 100 vnet vnet1
CLI (network-admin@switch) > vflow-stats-show name vflow1
name pkts bytes cpu-pkts cpu-bytes
------ ---- ----- -------- ---------
vflow1 0 0 0 0
CLI (network-admin@switch) > vflow-show name vflow1
name scope type vnet vlan burst-size precedence enable table-name
------ ----- ----- ----- ---- ---------- ---------- ------ --------------------
vflow1 local vflow vnet1 100 auto default enable System-L1-L4-Tun-1-0
CLI (network-admin@switch) > vflow-modify name vflow1 precedence 13 <--- increased precedence higher than System-A
CLI (network-admin@switch) > vflow-show name System-A
name scope type ether-type flow-class precedence action enable table-name
-------- ----- ------ ---------- ---------- ---------- ----------- ------ --------------------
System-A local system arp class7 12 copy-to-cpu enable System-L1-L4-Tun-1-0
CLI (network-admin@switch) > vflow-stats-show name System-A show-diff-interval 1
switch name pkts bytes cpu-pkts cpu-bytes
------ -------- ---- ----- -------- ---------
switch System-A 0 0 0 0
CLI (network-admin@switch) > vflow-stats-show name vflow1 show-diff-interval 1
switch name pkts bytes cpu-pkts cpu-bytes
------ ------ ---- ----- -------- ---------
switch vflow1 1 64 0 0
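To make the precedence behaviour in the exchange above explicit, the following added Python example (not NetVisor code) models vFlow match resolution and audits for vNET vFlows that outrank a system vFlow; the flow dictionaries, the match model and the packet sample are assumptions constructed for illustration.

```python
# Added example, not NetVisor code: a small model of vFlow precedence resolution
# used to audit whether a vNET vFlow can shadow a system vFlow, as in the
# System-A / vflow1 exchange above. Field names and the match model are assumptions.
SYSTEM_A = {"name": "System-A", "type": "system", "precedence": 12,
            "match": {"ether-type": "arp"}, "action": "copy-to-cpu"}
VFLOW1 = {"name": "vflow1", "type": "vflow", "vnet": "vnet1", "precedence": 13,
          "match": {"vlan": 100}, "action": "none"}

# Constructed packet sample: two ARP frames on VLAN 100, one on VLAN 200, one IPv4 frame.
PACKETS = [{"ether-type": "arp", "vlan": 100}, {"ether-type": "arp", "vlan": 100},
           {"ether-type": "arp", "vlan": 200}, {"ether-type": "ipv4", "vlan": 100}]


def matches(flow, pkt):
    """A flow matches when every qualifier it sets equals the packet's field."""
    return all(pkt.get(k) == v for k, v in flow["match"].items())


def winner(flows, pkt):
    """Highest-precedence matching flow, or None (ties left to the hardware order)."""
    hits = [f for f in flows if matches(f, pkt)]
    return max(hits, key=lambda f: f["precedence"]) if hits else None


def hit_counts(flows, pkts):
    """Per-flow packet counters, the way vflow-stats-show would report them."""
    counts = {f["name"]: 0 for f in flows}
    for pkt in pkts:
        w = winner(flows, pkt)
        if w is not None:
            counts[w["name"]] += 1
    return counts


def can_overlap(a, b):
    """Two flows can match one packet unless they disagree on a shared qualifier."""
    shared = set(a["match"]) & set(b["match"])
    return all(a["match"][k] == b["match"][k] for k in shared)


def shadowing(flows):
    """Audit: (vNET flow, system flow) pairs where the vNET flow outranks the system flow."""
    sys_flows = [f for f in flows if f["type"] == "system"]
    return [(v["name"], s["name"]) for v in flows if v["type"] == "vflow"
            for s in sys_flows if can_overlap(v, s) and v["precedence"] > s["precedence"]]
```

With vflow1 at precedence 13 the ARP frames on VLAN 100 are counted against vflow1 instead of System-A, which is what the zeroed System-A counters above show.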
QoS Configuration
The port-cos-bw-* commands are supported in the vNET manager for ports managed by the vNET. For example:
CLI (vnet1-admin@switch) > port-cos-bw-modify cos 0 port 12 weight 13
port-cos-bw-modify: No permission over ports 12 <------- Allowed only for Managed Ports
CLI (vnet1-admin@switch) > port-cos-bw-show
switch cos port min-bw-guarantee max-bw-limit weight
------ --- ------ ---------------- ------------ ------
switch 0 93,101 0% 100% 32
switch 1 93,101 0% 100% 32
switch 2 93,101 0% 100% 32
switch 3 93,101 0% 100% 32
switch 4 93,101 0% 100% 32
switch 5 93,101 0% 100% 32
switch 6 93,101 0% 100% 64
switch 7 93,101 0% 100% 127
switch 8 93,101 0% 100% 32
switch 9 93,101 0% 100% 64
switch 10 93,101 0% 100% 64
switch 11 93,101 0% 100% 127
CLI (vnet1-admin@switch) > port-cos-bw-modify cos 0 port 101 weight 33
CLI (vnet1-admin@switch) > port-cos-bw-show
switch cos port min-bw-guarantee max-bw-limit weight
------- --- ------ ---------------- ------------ ------
switch 0 93 0% 100% 32
switch 0 101 0% 100% 33
switch 1 93,101 0% 100% 32
switch 2 93,101 0% 100% 32
switch 3 93,101 0% 100% 32
switch 4 93,101 0% 100% 32
switch 5 93,101 0% 100% 32
switch 6 93,101 0% 100% 64
switch 7 93,101 0% 100% 127
switch 8 93,101 0% 100% 32
switch 9 93,101 0% 100% 64
switch 10 93,101 0% 100% 64
switch 11 93,101 0% 100% 127
A mirror created in a vNET is visible in the vNET manager and is supported only on the managed ports of the vNET. For example:
CLI (vnet1-admin@switch) > mirror-create name mirror2 in-port 41 out-port 21
mirror-create: mirror out-port 21 is not managed under vnet vnet1 <---- managed ports are only allowed
CLI (vnet1-admin@switch) > mirror-create name mirror2 in-port 41 out-port 45
CLI (vnet1-admin@switch) > mirror-show
switch name direction out-port in-port filtering enable other-egress-out nvie-mirror vnet
------ ------- --------- -------- ------- --------- ------ ---------------- ----------- -----
switch mirror2 ingress 45 41 port yes prevent false vnet1
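The permission checks that produce the errors on this page (vlan-create outside the vNET VLAN range, subnet-create with a VXLAN outside the vNET VXLAN range, vflow-create and mirror-create on non-managed ports, and the blocked setvlan targets) can be modelled as a pre-flight validator for proposed vNET admin commands. This is an added Python example, not NetVisor code; the Vnet class, the function names and the sample vnet1 values (VLANs 100-200, VXLANs 1000-2000, managed ports 13,41,45, VLAN 101 mapped to VXLAN 10000, as in the vnet-show and vlan-show output above) are assumptions for illustration.

```python
from dataclasses import dataclass, field

def parse_ranges(spec):
    """Expand a NetVisor-style range list such as '100-110' or '41,45,13'."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

@dataclass
class Vnet:  # added model of the vNET boundaries, not a NetVisor structure
    name: str
    vlans: set            # VLAN range granted by network-admin (vnet-modify ... vlans)
    vxlans: set           # VXLAN range granted to the vNET
    managed_ports: set    # ports the vNET admin may use in vFlows, mirrors and QoS
    vlan_vxlan: dict = field(default_factory=dict)  # VLANs created in the vNET -> VXLAN

# Constructed sample mirroring the page's vnet1: VLANs 100-200, VXLANs 1000-2000,
# managed ports 13,41,45, and VLAN 101 mapped to VXLAN 10000 (outside the range).
VNET1 = Vnet("vnet1", parse_ranges("100-200"), parse_ranges("1000-2000"),
             parse_ranges("41,45,13"), {100: 1000, 101: 10000, 102: 2000})

def check_vlan_create(vnet, vlan_id):
    """vlan-create is confined to the vNET VLAN range."""
    if vlan_id not in vnet.vlans:
        return f"vlan-create: No permission for vlan 'id = {vlan_id}'"
    return "ok"

def check_subnet_vxlan(vnet, vxlan):
    """subnet-create is confined to the vNET VXLAN range."""
    if vxlan not in vnet.vxlans:
        return f"subnet-create: vxlan {vxlan} not part of vnet {vnet.name} vxlan range"
    return "ok"

def check_port(vnet, cmd, port):
    """vflow-create, mirror-create and port-cos-bw-modify accept managed ports only."""
    if port not in vnet.managed_ports:
        return f"{cmd}: port/trunk {port} is not managed under vnet {vnet.name}"
    return "ok"

def check_setvlan(vnet, target_vlan):
    """A setvlan target must be a vNET VLAN whose VXLAN is in the vNET VXLAN range."""
    if target_vlan not in vnet.vlan_vxlan:
        return f"vflow-create: vlan {target_vlan} not mapped in vnet {vnet.name} vlans"
    vx = vnet.vlan_vxlan[target_vlan]
    if vx not in vnet.vxlans:
        return f"vflow-create: vlan {target_vlan}'s vxlan {vx} not part of vnet vxlans"
    return "ok"
```

Running a proposed vNET admin change through these checks before applying it reproduces the same refusals the switch returns, which is useful when reviewing tenant configuration offline.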
Displaying Details using Network Admin and vNET Admin Accounts
For Network Admin Account:
CLI (network-admin@switch) > vnet-show
name scope vlan-type vlans public-vlans vxlans managed-ports admin
----------- ------ --------- ------- ------------ --------- ------------- ----------
fab1-global fabric public none none 0 none none
vnet1 fabric public 100-110 none 1000-1100 129 vnet1-admin
CLI (network-admin@switch) > subnet-show
name scope vnet vlan vxlan vrf packet-relay forward-proto state enable
---- ------ ----- ---- ----- ---- ------------ ------------- --------- ------
sub1 fabric vnet1 100 1000 vrf1 disable dhcp not-in-hw yes
CLI (network-admin@switch) > vrf-show
name vnet scope anycast-mac l3-vni active hw-router-mac hw-vrid flags enable
---- ----- ------ ----------------- ------ ------ ----------------- ------- ------ ------
vrf1 vnet1 fabric 64:0e:94:40:00:02 0 yes 66:0e:94:d1:5d:52 1 subnet yes
For vNET Admin Accounts:
CLI (vnet-admin@switch) > subnet-show
name scope vnet vlan vxlan vrf packet-relay forward-proto state enable
---- ------ ----- ---- ----- ---- ------------ ------------- --------- ------
sub1 fabric vnet1 100 1000 vrf1 disable dhcp not-in-hw yes
CLI (vnet-admin@switch) > vrf-show
name vnet scope anycast-mac l3-vni active hw-router-mac hw-vrid flags enable
---- ----- ------ ----------------- ------ ------ ----------------- ------- ------ ------
vrf1 vnet1 fabric 64:0e:94:40:00:02 0 yes 66:0e:94:d1:5d:52 1 subnet yes