Allied Telesis C613-16164-00 REV E инструкция обслуживания

Te c h n i c a l G u i d e alliedtelesis .com x How T o | C613-16164-00 REV E Introduction In IP-based networ ks, VRF stands for Vir tual Ro uting and Forwarding. Th is technology allo ws multiple routing domains to co-exist within the same dev ice at the same time. As the routing domains are independent, ov er lapping IP addre sses can be used wit[...]

I n tr od u ctio n Page 2 | Co n fig u re VRF-lite Who sho u ld r ead this doc u me n t? This document is aimed at advanced networ k engineer s. Which pr od u cts a n d softwar e v ersio n does it a pply to? The information provided in this document applies to:  SwitchBlade A T -x908 and A T -x900 series sw itches r unning 5.4.1 and above.  x[...]

Co n fig u re VRF-lite | Page 3 I n trod u ctio n Co nt e nt s Introduction ....... ............... ................. ................. ............... ................. .............. ............... ............ ................. ............... ............ 1 What is VRF-lite? ............ ................. .............. ................. .....[...]

Glossar y Page 4 | Co n fig u re VRF-lite Glossar y ACRON YM DESCRIPTION AS Autonomous System AC L Access Control List BGP Border Gatewa y Protocol FIB Forwarding Information Base MPLS Multi-Protocol Label S witching OSPF Open Shor test P ath Fir st RIP Routing Information Protocol VPN Vir tual Pr ivate Network VR Vir tual Router VRF Vir tual Routi[...]

Co n fig u re VRF-lite | Page 5 U n dersta n di n g VRF-lite Under standing VRF-lite The pur pose of VRF is to enable separate IP net w or ks, possibly using o ver lapping IP addresses, to share the same links and router s. IP traffic is constr ained to a set of separ ate IP Vir tual Private Networ ks (VPNs). These VPNs provide a s ecure way f or a[...]

U n dersta n di n g VRF-lite Page 6 | Co n fig u re VRF-lite VRF-lite sec u rit y d o ma i n s VRF-lite provides networ k isolation on a single device at Lay er 3. Each VRF domain can use the same or ov er lapping networ k addresses, as they hav e independent routing tables. This separation of the routing tables pre vents communi cation to La yer 3[...]

awplus(config)#arp ? A.B.C.D IP address of the A RP entry log Arp log vrf VRF instance awplus(config)#arp vrf <name> ? A.B.C.D IP address of the A RP entry Co n fi g u re VRF-lite | Page 7 U n dersta n di n g VRF-lite When a Lay er 3 interface is mov ed to a VRF inst ance from the default global VRF domain, or when a Lay er 3 interface is mov[...]

U n dersta n di n g VRF-lite Page 8 | Co n fig u re VRF-lite I n ter -VRF comm un icatio n Whilst the pr ime purpose of VRF-lite is to ke ep routing domains separ ate from each other , there are cases where y ou do want some comm unication betw een VRFs. Internal Co m pany Network VRF red (Wi-Fi) VRF green (company) VRF shared Internet Wi-F i acces[...]

Co n fig u re VRF-lite | Page 9 U n dersta n di n g VRF-lite Static a n d dy n amic i n ter -VRF r o u ti n g As mentioned abo ve, "Inter -VRF commu nication" on page 8 , in some circumstances it is required to (selec tivel y ) allow traffic between two interfaces that are not in the same VRF . This will be useful if there is common ne tw[...]

U n dersta n di n g VRF-lite Page 10 | Co n fig u re VRF-lite VRF-lite feat u res i n AW + Here is a summar y of the features pro v ide d by the A W+ VRF-lite i mplementation:  Multiple independent routing table instances may co-exist within the same device . The same or ov er lapping IP addresses can be pres ent in diff erent route table instan[...]

Co n fig u re VRF-lite | Page 11 U n dersta n di n g VRF-lite Ro u te limiti n g per VRF i n sta n ce In a multi-VRF network environment, it may be problematic if one VRF injects too many routes and fills up the hardware f orwarding ta bl e (FIB) on the device, which can affect other VRFs as well as the global VRF . For more information see "R[...]

U n dersta n di n g VRF-lite Page 12 | Co n fig u re VRF-lite  T elnet client awplus#telnet ? WORD IPv4/IPv6 address or hostname of a remote system ip IP telnet ipv6 IPv6 telnet vrf VRF instance awplus#telnet vrf <name> ? WORD IPv4 address or ho stname of a remote system ip IP telnet awplus#telnet vrf <name> i p x.x.x.x  SSH clien[...]

Co n fig u re VRF-lite | Page 13 Co n fig u ri n g VRF-lite Configur ing VRF-lite The follo wing section describes the gener ic commands used to conf igure VRF-lite .  CONFIGURING A CLS PURPOSE Step 1 Enter Global Configuration mode . Step 2 Optional. This command configures a standard named access-control -list (A CL). Matching networ ks (route[...]

Co n fig u ri n g VRF-lite Page 14 | Co n fig u re VRF-lite CONFIGURING VLANS AND VLAN DATABASE PURPOSE Step 1 awplus(config)# vlan database VLANs are created in the VLAN database , and por ts are assigned to relevant VLANs. Step 2 awplus(config-vlan)# vlan x state enable Step 3 awplus(config-vlan)# exit Step 4 awplus(config)# interface portx.x.x S[...]

Co n fig u re VRF-lite | Page 15 Co n fig u ri n g VRF-lite DYNAMIC ROUTING PROTOCOL - RIP ADDR ESS-FAMILY PURPOSE Step 1 awplus(config)# router rip Optional. Enter rout er configur ation mode for RIP . Step 2 awplus(config-router)# address-family ipv4 vrf <vrf-name> Associate a RIP address-family with a specific VRF instance . Step 3 awplus([...]

Co n fig u ri n g VRF-lite Page 16 | Co n fig u re VRF-lite STATIC R OUTES PURPOSE Step 1 awplus(config)# ip route vrf <name> <network> {<gateway> <interface>| <interface>} Optional. T o add a static route into the Routing table for a VRF instan ce. This can be a route pointing exter nall y to a nexthop reachable via a[...]

Co n fig u re VRF-lite | Page 17 Co n fig u ri n g VRF-lite Static i n ter -VRF r o u ti n g Static inter -VRF routing involv es creating static routes in one VRF instance whose egress VLAN is in a different egress VLAN. These stat ic routes must specify both the egress VLAN and next hop IP address. 192.168. 1.0 /24 192.168. 20.0 /24 192.168. 20.0 [...]

Dy n amic i n ter -VRF comm un icatio n explai n ed Page 18 | Co n fig u re VRF-lite Dynamic inter -VRF comm unication explained The foll owin g section expl ains how VRF routing domain isolati on is maintained, and how routes that exist in one VRF instance are leaked to another VRF instance via BGP . Only B GP can be used to dynamically leak rout [...]

Co n fig u re VRF-lite | Page 19 Dy n amic i n ter -VRF comm un icatio n explai n ed The command re dis tr ib u te <pr otocol> can be configured in an OSPF instance, BGP address-family , or RIP address-fam ily . Via this command, routes are impor ted from the FIB associated with the VRF instance into the dynamic routing protocol table. Any ro[...]

Dy n amic i n ter -VRF comm un icatio n explai n ed Page 20 | Co n fig u re VRF-lite I n ter -VRF comm un icatio n via BGP Dynamic inter -VRF route leakage is achieved by making copies of BGP routes that exist in one BGP address-family associated with one VRF instance , to another BGP address-family associated with a different VRF instance. VRF Dev[...]

Co n fig u re VRF-lite | Page 21 Dy n amic i n ter -VRF comm un icatio n explai n ed Usi n g the r o u te-target comma n d When BGP is used for inter - VRF comm unication, dynamic route leakage of BGP routes from one VRF instance to anothe r is achieved via the VRF ro u te-target command. There are three var iations of the route-tar get command: 1.[...]

Dy n amic i n ter -VRF comm un icatio n explai n ed Page 22 | Co n fig u re VRF-lite The follo wing three examples demonstrate how the ro u te-target command facili tates inter - VRF commu nication: 1. If VRF red conf iguration includes: ip vrf red rd 100:1 route-target export 100:1 And if VRF red initially has routes to networ ks 10 .0.0.0/24, 20.[...]

Co n fig u re VRF-lite | Page 23 Dy n amic i n ter -VRF comm un icatio n explai n ed 3. If VRF red conf igur ation includes*: ip vrf red rd 100:1 route-target export 100:1 route-target export 100:2 route-target export 100:3 route-target export 100:4 route-target import 100:5 route-target import 100:6 And if VRF red initiall y has routes to netw or [...]

Dy n amic i n ter -VRF comm un icatio n explai n ed Page 24 | Co n fig u re VRF-lite How VRF-lite sec u rit y i s m ai n tai n ed Incidentally , only the or iginal routes can be co pied from one VRF to another . Copied routes cannot be subsequently copied to another VRF , to ensure VRF securi ty domains ar e enforced. For example: VRFred----VRFshar[...]

Co n fig u re VRF-lite | Page 25 Simple VRF-lite co n fig u ratio n examples Simple VRF-lite configur ation examples The follo wing section contains simple configuratio n examples to explain the basics of V RF-lite configur ation used in conjunction with a var iety of routing protocols. Fir stly , alwa ys create a clear VRF communicatio n plan. Thi[...]

Simple VRF-lite co n fig u ratio n examples Page 26 | Co n fig u re VRF-lite !  interface vlan12 ip vrf forwarding red ip address 10.2.2.1/24 ! interface vlan13 ip vrf forwarding green ip address 10.1.1.1/24 ! interface vlan14 ip vrf forwarding green ip address 10.2.2.1/16 ! router ospf 1 red network 10.1.1.0/24 area 0 network 10.2.2.0/24 area 0[...]

Co n fig u re VRF-lite | Page 27 Simple VRF-lite co n fig u ratio n examples VRFs accessi n g a shared n etw o rk. A n example of static i n ter -VRF ro u ti n g The par tial configuration example belo w shows the key compon ents required to suppor t static inter -VRF routing. 100.100.100.0/24 - Inter VRF (IVR) co mm unications via static IVR route[...]

Simple VRF-lite co n fig u ratio n examples Page 28 | Co n fig u re VRF-lite Dy n amic i n ter -VRF comm un icatio n with RIP r o u ti n g to exter n al peers The par tial configur ation example below sho ws the key components required to suppor t dynamic inter -VRF communication betw een tw o VR F instances using BGP , with RIP routing to exter na[...]

Co n fig u re VRF-lite | Page 29 Simple VRF-lite co n fig u ratio n examples Dy n amic i n ter -VRF comm un icatio n with BGP r o u ti n g to exter n al peers The par tial configuration example belo w shows the key compon ents required to suppor t dynamic inter -VRF communication using BGP , with BGP routing to exter nal peer s. ... ! ip vrf red rd[...]

Simple VRF-lite co n fig u ratio n examples Page 30 | Co n fig u re VRF-lite Dy n amic i n ter -VRF comm un icatio n with OSPF r o u ti n g to exter n al peers The complete configuration example below sho w s the key components required to suppor t dynamic inter -VRF commun ication using BGP , with OSPF routing to exter nal peer s. red router 192.1[...]

Co n fig u re VRF-lite | Page 31 Simple VRF-lite co n fig u ratio n examples ! access-list standard greenBlock3334 de ny 192.168.33.0/24 access-list standard greenBlock3334 de ny 192.168.34.0/24 access-list standard greenBlock3334 pe rmit any access-list standard redBlock3435 deny 192.168.34.0/24 access-list standard redBlock3435 deny 192.168.35.0/[...]

Simple VRF-lite co n fig u ratio n examples Page 32 | Co n fig u re VRF-lite interface vlan1 ip vrf forwarding red ip address 192.168.10.1/24 ! interface vlan2 ip vrf forwarding green ip address 192.168.20.1/24 ! interface vlan3 ip vrf forwarding shared ip address 192.168.30.1/24 ! router ospf 1 red network 192.168.10.0/24 area 0 redistribute bgp ![...]

Co n fig u re VRF-lite | Page 33 I n ter -VRF co n fig u ratio n examples with I n ter n et access Inter -VRF configur ation examples with Inter net access The follo wing three complete examples are usin g a similar topology , how ever , each example inv olves a diff erent communication plan and a var iety of routing protocols. All of the follo win[...]

I n ter -VRF co n fig u ratio n examples with I n ter n et acce ss Page 34 | Co n fig u re VRF-lite Co n fig u rati o n ! ip vrf remote1 1 ! ip vrf remote2 2 ! ip vrf shared3 3 ! ip vrf office4 4 ! vlan database vlan 10 name remote1_a vlan 11 name remote1_b vlan 12 name remote1_c vlan 13 name remote1_d vlan 20 name remote2_a vlan 90 name remote1_e [...]

Co n fig u re VRF-lite | Page 35 I n ter -VRF co n fig u ratio n examples with I n ter n et access ! interface vlan13 ip vrf forwarding remote1 ip address 13.0.0.1/8 ! interface vlan20 ip vrf forwarding remote2 ip address 10.0.0.1/8 ! interface vlan90 ip vrf forwarding remote1 ip address 14.0.0.1/8 ! interface vlan100 ip vrf forwarding shared3 ip a[...]

I n ter -VRF co n fi g u ratio n examples with I n ter n et acce ss Page 36 | Co n fig u re VRF-lite Example B Internet Intranet re m ote 1 VRF 1 Intranet 1 static route Intranet re m ote2 Internet de f ault route VRF2 RIP Intranet route VRF4 RIP route Internet Router Private to public NA T Router Private to public NA T Internet de f ault route VRF[...]

Co n fig u re VRF-lite | Page 37 I n ter -VRF co n fig u ratio n examples with I n ter n et access Co n fig u ratio n ! access-list standard deny_overlap deny 10.0.0.0/8 access-list standard deny_overlap perm it any ! ip vrf remote1 1 rd 100:1 route-target export 100:1 route-target import 100:3 export map block10 ! ip vrf remote2 2 rd 100:2 route-t[...]

I n ter -VRF co n fig u ratio n examples with I n ter n et acce ss Page 38 | Co n fig u re VRF-lite ! interface port1.0.6-1.0.26 switchport switchport mode access ! interface vlan10 ip vrf forwarding remote1 ip address 10.0.0.1/8 ! interface vlan11 ip vrf forwarding remote1 ip address 11.0.0.1/8 ! interface vlan12 ip vrf forwarding remote1 ip addre[...]

Co n fig u re VRF-lite | Page 39 I n ter -VRF co n fig u ratio n examples with I n ter n et access ! address-family ipv4 vrf remote2 redistribute connected exit-address-family ! address-family ipv4 vrf shared3 redistribute connected exit-address-family ! ip route vrf remote1 0.0.0.0/0 10.0.0. 2 ip route vrf shared3 0.0.0.0/0 30.0.0. 2 ip route vrf [...]

I n ter -VRF co n fi g u ratio n examples with I n ter n et acce ss Page 40 | Co n fig u re VRF-lite Example C Intranet re m ote 1 VRF 1 Intranet 1 static route Intranet re m ote2 Internet de f ault route VRF2 RIP Intranet route VRF4 RIP route Internet Router Private to public NA T VRF 1 re m ote 1 VLAN 1 0 re m ote 1 _a VLAN 11 re m ote 1 _b VLAN [...]

Co n fig u re VRF-lite | Page 41 I n ter -VRF co n fig u ratio n examples with I n ter n et access Co n fig u ratio n ! access-list standard deny_overlap deny 10.0.0.0/8 access-list standard deny_overlap perm it any ! ip vrf remote1 1 rd 100:1 route-target export 100:1 route-target import 100:3 export map block10 ! ip vrf remote2 2 rd 100:2 route-t[...]

I n ter -VRF co n fig u ratio n examples with I n ter n et acce ss Page 42 | Co n fig u re VRF-lite ! interface port1.0.4 switchport switchport mode trunk switchport trunk allowed vlan add 200 ! interface port1.0.5 switchport switchport mode access switchport access vlan 100 ! interface port1.0.6-1.0.26 switchport switchport mode access ! interface[...]

Co n fig u re VRF-lite | Page 43 I n ter -VRF co n fig u ratio n examples with I n ter n et access exit-address-family ! address-family ipv4 vrf office4 network vlan200 exit-address-family ! router bgp 100 address-family ipv4 vrf remote1 redistribute connected exit-address-family ! address-family ipv4 vrf remote2 redistribute connected exit-address[...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 44 | Co n fig u re VRF-lite Configur ing a complex inter -VRF solution A networ k compr ising of mu ltiple devices that demonstrates inter -VRF routing. A variety of routing protocols are used in this example . Netw ork descr iptio n VRF ov erlap L06=6.6.6.6 VRF red L01=1.1.1.1 OSPF-1 VRF gr[...]

Co n fig u re VRF-lite | Page 45 Co n fig u ri n g a complex i n ter -VRF s ol u tio n VRF comm un icatio n pla n  VRF shared can a ccess all VRF s red, green, b lue and orange (excluding VRF ov er lap).  VRFs red, green, blue , and orange are only ab le to access VRF shared. They cannot access each other in this example.  VRF ov er lap re[...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 46 | Co n fig u re VRF-lite Co n fig u ratio n br eakdow n When configuring a c omplex inter -VFR awar e device, such as in our example , the configuration order is impor tant. W e ha ve pro vided a breakdown before each step to explain the key points y ou will need to consider . CONFIGURE S[...]

Co n fig u re VRF-lite | Page 47 Co n fig u ri n g a complex i n ter -VRF s ol u tio n Local interfaces can be utili sed b y a number of protocols for various pur poses. They can be used as a reliable address via wh ich to access a device - an address that is alwa ys accessib le , irrespective of th e link status of an y individual exte r nal in te[...]

CONFIGURE VRFS Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 48 | Co n fig u re VRF-lite awplus(config)#ip vrf red 1 awplus(config-vrf)#rd 100:1 awplus(config-vrf)#route-target export 100:1 awplus(config-vrf)#route-target import 100:5 awplus(config-vrf)#import map red43 awplus(config-vrf)#exit awplus(config)#ip vrf green 2 awplus(config[...]

Co n fig u re VRF-lite | Page 49 Co n fig u ri n g a complex i n ter -VRF s ol u tio n Configure the hardware A CLs The command access-list hardware < n ame> creates the hardware access list. The access list is associated with individual switch por ts as an access-group . Each a ccess group contains one or more filter s, which filter source t[...]

CONFIGURE HARD WARE A CLS Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 50 | Co n fig u re VRF-lite Configure the VLANs VLANs are created i n the VLAN database, an d por ts are assigned to relevant VLANs. The access lists are assigned in order to the individual switch por ts as access groups. The order in which the access groups are att[...]

Co n fig u re VRF-lite | Page 51 Co n fig u ri n g a complex i n ter -VRF s ol u tio n The third access group allow100_den y_pr ivat e per mits VRF red to access shared VRF network 192.168.100.0/24. Subsequently traffi c to all netw or ks within the 192.168 .0.0/16 address ranges is denied. The order of f ilter ing is: 1. Allow access to the subnet[...]

CONFIGURE IP ADDR ESSES awplus(config-if)#exit [cont...] Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 52 | Co n fig u re VRF-lite Configure the IP addresses An IP address is allocated t o each Local interface . Also, VLANs are as sociated with each VRF inst ance. Each VRF instance can contain m ultiple VL A Ns . A V LA N ca nn o t b e [...]

Co n fig u re VRF-lite | Page 53 Co n fig u ri n g a complex i n ter -VRF s ol u tio n awplus(config)#interface vlan1 awplus(config-if)#ip vrf forwarding red awplus(config-if)#ip address 192.168.10.1/24 awplus(config)#interface vlan2 awplus(config-if)#ip vrf forwarding green awplus(config-if)#ip address 192.168.20.1/24 awplus(config-if)#exit awplus[...]

CONFIGURE DYNAMIC R OUTING Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 54 | Co n fig u re VRF-lite Configure routing Dynamic routing protocols are conf igured as required and associated with each VRF . OSPF instance 1 is associated with VRF red. OS PF instance 2 is associated with VRF orange . RIP and BGP use address-families as the e[...]

Co n fig u re VRF-lite | Page 55 Co n fig u ri n g a complex i n ter -VRF s ol u tio n Connected routes associated with VRF green are redistributed into BGP , and also adver tised to the external BGP neighbor router . VRF gree n has an i-BGP peering relationship to its neighbor as the neighb or ASN is the same (ASN 100). BGP routes lear ned from th[...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 56 | Co n fig u re VRF-lite Static routes are conf igured. Each VRF instance is also conf igured with its own s tatic default route (via VRF shared) to allow each of them to access the intern et. Default routes are not able to be leaked dynamically via BGP betw een VRF instances as the BGP d[...]

CONFIGURE STATIC ROUTING CONFIGURE R OUTE MAPS Co n fi g u re VRF-lite | Page 57 Co n fig u ri n g a complex i n ter -VRF s ol u tio n denotes a static route to de stination network 192.168.45.0/24 which has a next hop of 192.168.100.2, which originates from VRF shared, which egresses VLAN5 in VRF shared. In this example each VRF instan ce red, gre[...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 58 | Co n fig u re VRF-lite Complete show r un o u tp u t fr om VRF device is below awplus>ena awplus#sh run ! service password-encryption ! no banner motd ! username manager privilege 15 pas sword 8 $1$bJoVec4D$JwOJGPr7YqoE xA0GVasdE0 ! access-list standard blueBlock4344 deny 192.168.43.[...]

Co n fig u re VRF-lite | Page 59 Co n fig u ri n g a complex i n ter -VRF s ol u tio n ! ip vrf shared 5 rd 100:5 route-target import 100:1 route-target import 100:2 route-target import 100:3 route-target import 100:4 route-target export 100:5 ! ip vrf overlap 6 ! no ip multicast-routing ! spanning-tree mode rstp ! access-list hardware access43 per[...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 60 | Co n fig u re VRF-lite switchport access vlan 4 access-group allow_to_self_40 access-group access43 access-group access44 access-group access45 access-group allow100_deny_private ! interface port1.0.6-1.0.7 switchport switchport mode access switchport access vlan 5 ! interface port1.0.8[...]

Co n fig u re VRF-lite | Page 61 Co n fig u ri n g a complex i n ter -VRF s ol u tio n interface vlan6 ip vrf forwarding overlap ip address 192.168.10.1/24 ! interface vlan7 ip vrf forwarding overlap ip address 192.168.50.1/24 ! router ospf 1 red network 192.168.10.0/24 area 0 redistribute bgp default-information originate ! router ospf 2 orange ne[...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 62 | Co n fig u re VRF-lite ip route vrf orange 192.168.20.0/2 4 192.168.40.2 ip route vrf orange 192.168.140.0/ 24 192.168.40.2 ip route vrf shared 0.0.0.0/0 192. 168.100.254 ip route vrf shared 192.168.43.0/2 4 192.168.100.2 ip route vrf shared 192.168.44.0/2 4 192.168.100.2 ip route vrf s[...]

Co n fig u re VRF-lite | Page 63 Co n fig u ri n g a complex i n ter -VRF s ol u tio n [VRF: blue] S* 0.0.0.0/0 [1/0] via 192.168.10 0.254, vlan5 C 3.3.3.3/32 is directly connect ed, lo3 B 5.5.5.5/32 [20/0] is directly connected, lo5, 00:07:21 R 192.168.17.0/24 [120/2] via 19 2.168.30.2, vlan3, 00:06:48 R 192.168.18.0/24 [120/2] via 19 2.168.30.2, [...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 64 | Co n fig u re VRF-lite Co n fig u rati o n file s for eac h ext er n al ro u ter u sed i n the topology a n d its associated ro u te table is belo w . No n e of the exte r n al r o u ters are VRF a ware. hostname Internet_router ! vlan database vlan 2 state enable ! interface port1.0.2 [...]

Co n fig u re VRF-lite | Page 65 Co n fig u ri n g a complex i n ter -VRF s ol u tio n hostname shared_router ! vlan database vlan 2-4 state enable ! interface port1.0.2 switchport access vlan 2 ! interface port1.0.3 switchport access vlan 3 ! interface port1.0.4 switchport access vlan 4 ! interface vlan1 ip address 192.168.100.2/24 ! interface vla[...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 66 | Co n fig u re VRF-lite hostname red_ospf_peer ! vlan database vlan 2-3 state enable ! interface port1.0.2 switchport access vlan 2 ! interface port1.0.3 switchport access vlan 3 ! interface vlan1 ip address 192.168.10.2/24 ! interface vlan2 ip address 192.168.13.1/24 ! interface vlan3 i[...]

Co n fig u re VRF-lite | Page 67 Co n fig u ri n g a complex i n ter -VRF s ol u tio n hostname green_i_BGP_peer ! vlan database vlan 2-3 state enable ! interface port1.0.2 switchport access vlan 2 ! interface port1.0.3 switchport access vlan 3 ! interface vlan1 ip address 192.168.20.2/24 ! interface vlan2 ip address 192.168.15.1/24 ! interface vla[...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 68 | Co n fig u re VRF-lite hostname blue_rip_peer ! vlan database vlan 2-3 state enable ! interface port1.0.2 switchport access vlan 2 ! interface port1.0.3 switchport access vlan 3 ! interface vlan1 ip address 192.168.30.2/24 ! interface vlan2 ip address 192.168.17.1/24 ! interface vlan3 i[...]

Co n fig u re VRF-lite | Page 69 Co n fig u ri n g a complex i n ter -VRF s ol u tio n hostname orange_router ! vlan database vlan 2-3 state enable ! interface port1.0.2 switchport access vlan 2 ! interface port1.0.3 switchport access vlan 3 ! interface vlan1 ip address 192.168.40.2/24 ! interface vlan2 ip address 192.168.20.1/24 ! interface vlan3 [...]

Co n fig u ri n g a complex i n ter -VRF sol u tio n Page 70 | Co n fig u re VRF-lite hostname orange_ospf_peer ! vlan database vlan 2 state enable ! interface port1.0.2 switchport access vlan 2 ! interface vlan1 ip address 192.168.40.3/24 ! interface vlan2 ip address 192.168.19.1/24 ! router ospf 1 ospf router-id 192.168.40.3 network 192.168.40.0/[...]

Co n fig u re VRF-lite | Page 71 VCStack a n d VRF-lite VCStack and VRF-lite The following example illustr ates how to conf igure VRF-lite in a VCStacked environment. x900 x610 DUT A stack member 1 Port1.0.1 1 VLAN 1 1 grey e-BGP peering VRF grey from x900 lo8 80.80.80.2 to DUT A lo8 8.8.8.1 via VLAN 15 Port2.0.10 VLAN 10 violet Port2.0.15 VLAN 15 [...]

VCStack a n d VRF-lite Page 72 | Co n fig u re VRF-lite Virt u al Chassis ID Also, the optional command stack vir t u al-chassis-id <val u e> specif ies the VCS vir tual chassis ID . If not configured, the stack will automaticall y sele ct a vir tual-chassis-id from a number within the assigned r ange 0-4095. The ID selected will determine wh[...]

Co n fig u re VRF-lite | Page 73 VCStack a n d VRF-lite ip address 11.11.11.1/24 ! interface vlan14 ip vrf forwarding violet ip address 192.168.14.1/24 ! interface vlan15 ip vrf forwarding grey ip address 192.168.15.1/24 ! router bgp 100 ! address-family ipv4 vrf violet redistribute connected neighbor 70.70.70.2 remote-as 300 neighbor 70.70.70.2 eb[...]

VCStack a n d VRF-lite Page 74 | Co n fig u re VRF-lite ! interface vlan14 ip vrf forwarding violet ip address 192.168.14.2/24 ! interface vlan15 ip vrf forwarding grey ip address 192.168.15.2/24 ! router bgp 300 ! address-family ipv4 vrf grey network 80.80.80.2/32 redistribute connected neighbor 8.8.8.1 remote-as 100 neighbor 8.8.8.1 ebgp-multihop[...]

Co n fig u re VRF-lite | Page 75 VCStack a n d VRF-lite Shari n g VRF r o u ti n g a n d do u ble taggi n g o n the same port In this scenario, both VRF-lite tr affic and doub le vlan tagged tr affic is transpor ted between the two x610 switches via a si ngle shared por t. The double tagging f eature (nested vlans) makes use of the ta g-in-tag tech[...]

VCStack a n d VRF-lite Page 76 | Co n fig u re VRF-lite Co n fig u rati o n s x610 A ip vrf red 1 ip vrf green 2  vlan database vlan 20 name nested vlan 11-12,20,111-112 state enabl e interface port1.0.5 switchport access vlan 111 interface port1.0.6 switchport access vlan 112 interface port1.0.12 switchport access vlan 20 switchport vlan-stacki[...]

Co n fig u re VRF-lite | Page 77 VCStack a n d VRF-lite interface port1.0.20 switchport mode trunk switchport trunk allowed vlan add 11- 12,20 switchport trunk native vlan none switchport vlan-stacking provider-por t interface vlan11 ip vrf forwarding red ip address 192.168.11.2/24 interface vlan12 ip vrf forwarding green ip address 192.168.12.2/24[...]

Dy n amic i n ter -VRF r o u ti n g betwe e n the global VRF domai n a n d a VRF i n sta n ce Page 78 | Co n fig u re VRF-lite Dynamic inter -VRF routing betw een the global VRF domain and a VRF instance This section contains tw o configuration examp les. Both examples show ho w to configure dynamic inter -VRF routing via BGP between th e default g[...]

Co n fig u re VRF-lite | Page 79 Dy n amic i n ter -VRF ro u ti n g bet wee n the global VRF domai n a n d a VRF i n sta n ce For both these examples all BGP neighbor rela tionships in volv e peer ing between IP local addresses, not to VLAN interface IP addresses within the same subnet. BGP co n fig u ratio n tips The following BGP configuratio n t[...]

Dy n amic i n ter -VRF r o u ti n g betwe e n the global VRF domai n a n d a VRF i n sta n ce Page 80 | Co n fig u re VRF-lite The global par ameter in the command n eighbor x.x.x.x r emote-as <64515> global is required to facilitate an e-BGP peer ing to the global VRF domain from VRF red. Conv er sely , the target vrf- n ame in the command n[...]

Co n fig u re VRF-lite | Page 81 Dy n amic i n ter -VRF ro u ti n g bet wee n the global VRF domai n a n d a VRF i n sta n ce Dy n amic i n ter -VRF comm un icatio n with i-BGP r o u ti n g to exter n al peer VRF device access-list standard redblock4445 deny 192.168.44.0/24 access-list standard redblock4445 deny 192.168.45.0/24 access-list standard[...]

Dy n amic i n ter -VRF r o u ti n g betwe e n the global VRF domai n a n d a VRF i n sta n ce Page 82 | Co n fig u re VRF-lite red router vlan database vlan 2-3 state enable ! interface port1.0.13 switchport access vlan 2 ! interface port1.0.14 switchport access vlan 3 ! interface lo ip address 7.7.7.7/32 ! interface vlan1 ip address 192.168.10.2/2[...]

Co n fig u re VRF-lite | Page 83 Dy n amic i n ter -VRF ro u ti n g bet wee n the global VRF domai n a n d a VRF i n sta n ce redistribute connected redistribute static neighbor 2.2.2.2 remote-as 64512 vrf r ed neighbor 2.2.2.2 local-as 64515 neighbor 2.2.2.2 update-source 1.1.1.1 neighbor 2.2.2.2 route-map 43 out ! address-family ipv4 vrf red redi[...]

Ro u te Limits Page 84 | Co n fig u re VRF-lite Route Limits In multi-VRF netw or k environment, it may be di sastrous if one VRF injects too man y routes and fills up the hardware f orwarding table (FIB ) on a device which can aff ect other VRFs (as well as the global VRF). In software v er sion 5.4.2 and later , it is possible to mitigate this ri[...]

Co n fig u re VRF-lite | Page 85 Ro u te Limits Co n fig u ri n g Dy n amic ro u te limits A W+ suppor ts the ability to limit dyna mic ro utes via the max-fib-r o u tes command in the global VRF domain, which is unlimited by defaul t. This same A W+ command is no w also able to be applied on a per VRF basis. max-fi b-routes Descr iption Use the co[...]

Ro u te Limits Page 86 | Co n fig u re VRF-lite awplus(config)# ip vrf red awplus(config-vrf)# max-fib-routes 2000 75 Alter nativ ely , to ensure a war ning message is genera ted when the n umber of routes exceeds the limit (whilst ensuring routes exceeding the limit can still b e added), conf igure the following: awplus(config)# ip vrf red awplus([...]

Co n fig u re VRF-lite | Page 87 VRF-lite u sage g u ideli n es VRF-lite usage guidelines The gener al guideline is that all cur rent ser vic es remain a vailable in the default global VRF domain only , unless the ser vice is either explic itly VRF aware, or the ser vice r uns completely independently of VRF and th erefore has no requirement to be [...]

Usef u l VRF-r elated diag n ostics comma n d list Page 88 | Co n fig u re VRF-lite Useful VRF-related diagnostics command list Below is a summar y list of diagnostics comman ds that y ou may find helpful when troubleshooting VRF-related issues . Many exi sting commands ha ve been made VRF aw are and some are included below . Please refer to the so[...]

Co n fig u re VRF-lite | Page 89 Usef u l VRF-r elated diag n osti cs comma n d list connected Connected database IP routing table database global Global Routing/Forwarding table ospf Open Shortest Path First (OSPF) rip Routing Information Proto col (RIP) static Static routes summary Summary of all routes vrf Display routes from a VRF instance | Ou[...]

Usef u l VRF-r elated diag n ostics comma n d list Page 90 | Co n fig u re VRF-lite awplus#sh ip ospf interface  awplus#sh ip ospf ? <0-65535> Process ID numbe r border-routers Border and Bound ary Router Information database Database summary interface Interface inform ation neighbor Neighbor list route OSPF routing tab le virtual-links Vi[...]

C613-16164-00 REV E awplus#show ip bgp vrf <name> ? A.B.C.D IP prefix <netw ork>, e.g., 35.0.0.0 A.B.C.D/M IP prefix <netw ork>/<length>, e.g., 35.0.0.0/8 cidr-only Display only ro utes with non-natural netmasks community Display routes matching the communities community-list Display routes matching the community-list dampen[...]