Page 2 - This document is aimed at advanced network engineers.
Introduction Page 2 | Configure VRF-lite
Who should read this document?
This document is aimed at advanced network engineers.
Which products and software version does it apply to?
The information provided in this document applies to: SwitchBlade AT-x908 and AT-x900 series switc...
Page 3 - Contents
Contents
Introduction, page 1
What is VRF-lite? ...
Page 4 - Glossary
Glossary
ACRONYM  DESCRIPTION
AS       Autonomous System
ACL      Access Control List
BGP      Border Gateway Protocol
FIB      Forwarding Information Base
MPLS     Multi-Protocol Label Switching
OSPF     Open Shortest Path First
RIP      Routing Information Protocol
VPN      Virtual Private Net...
Page 5 - Understanding VRF-lite; The different
Understanding VRF-lite
The purpose of VRF is to enable separate IP networks, possibly using overlapping IP addresses, to share the same links and routers. IP traffic is constrained to a set of separate IP Virtual Private Networks (VPNs). ...
Page 6 - rity domai; SW; te table a; terface ma
VRF-lite security domains
VRF-lite provides network isolation on a single device at Layer 3. Each VRF domain can use the same or overlapping network addresses, as they have independent routing tables. This separation of the routing tab...
Page 7 - Adding a VRF-aware static ARP; te ma; The command
awplus(config)#arp ?
  A.B.C.D  IP address of the ARP entry
  log      Arp log
  vrf      VRF instance
awplus(config)#arp vrf <name> ?
  A.B.C.D  IP address of the ARP entry
When a Layer 3 interface is moved to a VRF instance from the default global VRF...
Page 8 - un
Inter-VRF communication
Whilst the prime purpose of VRF-lite is to keep routing domains separate from each other, there are cases where you do want some communication between VRFs.
Figure labels: Internal Company Network VRF red (Wi-Fi) VRF gree...
Page 9 - Static a; , in some circumstances it is
Static and dynamic inter-VRF routing
As mentioned above, "Inter-VRF communication" on page 8, in some circumstances it is required to (selectively) allow traffic between two interfaces that are not in the same VRF. This ...
Page 10 - res i; Detailed diagnostic and debugging information is available.
VRF-lite features in AW+
Here is a summary of the features provided by the AW+ VRF-lite implementation: Multiple independent routing table instances may co-exist within the same device. The same or overlapping IP addresses can be pr...
Page 11 - te limiti; VRF aware services i; Ping
Route limiting per VRF instance
In a multi-VRF network environment, it may be problematic if one VRF injects too many routes and fills up the hardware forwarding table (FIB) on the device, which can affect other VRFs as well as th...
Page 12 - Telnet client
Telnet client
awplus#telnet ?
  WORD  IPv4/IPv6 address or hostname of a remote system
  ip    IP telnet
  ipv6  IPv6 telnet
  vrf   VRF instance
awplus#telnet vrf <name> ?
  WORD  IPv4 address or hostname of a remote system
  ip    IP telnet
awplus#tel...
Page 13 - Enter Global Configuration mode.; Return to Global Configuration mode.
Configuring VRF-lite
The following section describes the generic commands used to configure VRF-lite.
CONFIGURING ACLS  PURPOSE
Step 1  Enter Global Configuration mode.
Step 2  Optional. This command configures a standard named access-contro...
Page 14 - access vlanx
CONFIGURING VLANS AND VLAN DATABASE  PURPOSE
Step 1  awplus(config)# vlan database
        VLANs are created in the VLAN database, and ports are assigned to relevant VLANs.
Step 2  awplus(config-vlan)# vlan x state enable
Step 3  awplus(config-vlan)# ...
Page 16 - ip route vrf; word; match ip
STATIC ROUTES  PURPOSE
Step 1  awplus(config)# ip route vrf <name> <network> {<gateway> <interface>| <interface>}
        Optional. To add a static route into the Routing table for a VRF instance. This can be a route poi...
Page 17 - Static i
Static inter-VRF routing
Static inter-VRF routing involves creating static routes in one VRF instance whose egress VLAN is in a different VRF instance. These static routes must specify both the egress VLAN and next hop IP address. 1 9 ...
Page 18 - Dynamic inter-VRF communication explained; Each dynamic routing protocol
Dynamic inter-VRF communication explained
The following section explains how VRF routing domain isolation is maintained, and how routes that exist in one VRF instance are leaked to another VRF instance via BGP. Only ...
Page 19 - , then BGP routes will be copied from VRF red FIB to OSPF
The command redistribute <protocol> can be configured in an OSPF instance, BGP address-family, or RIP address-family. Via this command, routes are imported from the FIB associated with the VRF instance into ...
Page 20 - In the diagram above, the following is configured:
Inter-VRF communication via BGP
Dynamic inter-VRF route leakage is achieved by making copies of BGP routes that exist in one BGP address-family associated with one VRF instance, to another BGP address-family ass...
Page 21 - Usi; There are three variations of the route-target command:; can be replaced with:; *Use of the command
Using the route-target command
When BGP is used for inter-VRF communication, dynamic route leakage of BGP routes from one VRF instance to another is achieved via the VRF route-target command. There are three ...
Page 23 - target export
3. If VRF red configuration includes*:
ip vrf red
 rd 100:1
 route-target export 100:1
 route-target export 100:2
 route-target export 100:3
 route-target export 100:4
 route-target import 100:5
 route-target import 100:6
A...
Page 24 - rity is mai; Copied from VRF: green
How VRF-lite security is maintained
Incidentally, only the original routes can be copied from one VRF to another. Copied routes cannot be subsequently copied to another VRF, to ensure VRF security domains are e...
Page 25 - Simple VRF-lite configuration examples; ltiple VRFs witho
Simple VRF-lite configuration examples
The following section contains simple configuration examples to explain the basics of VRF-lite configuration used in conjunction with a variety of routing protocols. Firstly, always cr...
Page 27 - VRFs accessi
VRFs accessing a shared network. An example of static inter-VRF routing
The partial configuration example below shows the key components required to support static inter-VRF routing. 100.100.100.0/24 - Inter VRF...
Page 33 - Example A; VRF3 has communication with VRF1
Inter-VRF configuration examples with Internet access
The following three complete examples use a similar topology; however, each example involves a different communication plan and a variety of r...
Page 34 - Co
Configuration
!
ip vrf remote1 1
!
ip vrf remote2 2
!
ip vrf shared3 3
!
ip vrf office4 4
!
vlan database
 vlan 10 name remote1_a
 vlan 11 name remote1_b
 vlan 12 name remote1_c
 vlan 13 name remote1_d...
Page 36 - Example B; No communication between:
Example B
Figure labels: Internet Intranet remote 1 VRF 1 Intranet 1 static route Intranet remote2 Internet default route VRF2 RIP Intranet route VRF4 RIP route Internet Router Private to public NAT Router P...
Page 39 - Additio
!
address-family ipv4 vrf remote2
 redistribute connected
 exit-address-family
!
address-family ipv4 vrf shared3
 redistribute connected
 exit-address-family
!
ip route vrf remote1 0.0.0.0/0 10.0.0.2
ip rou...
Page 40 - Example C
Example C
Figure labels: Intranet remote 1 VRF 1 Intranet 1 static route Intranet remote2 Internet default route VRF2 RIP Intranet route VRF4 RIP route Internet Router Private to public NAT VRF 1 remote 1 ...
Page 44 - Configuring a complex inter-VRF solution; Network descriptio
Configuring a complex inter-VRF solution
A network comprising multiple devices that demonstrates inter-VRF routing. A variety of routing protocols are used in this example.
Network description
VRF overlap L06=...
Page 45 - VRF comm
VRF communication plan
VRF shared can access all VRFs red, green, blue and orange (excluding VRF overlap). VRFs red, green, blue, and orange are only able to access VRF shared. They cannot access each other ...
Page 46 - Configure the
Configuration breakdown
When configuring a complex inter-VRF aware device, such as in our example, the configuration order is important. We have provided a breakdown before each step to explain the key points...
Page 47 - RD
Local interfaces can be utilised by a number of protocols for various purposes. They can be used as a reliable address via which to access a device - an address that is always accessible, irrespective of the link st...
Page 51 - The order of filtering is:
The third access group allow100_deny_private permits VRF red to access shared VRF network 192.168.100.0/24. Subsequently, traffic to all networks within the 192.168.0.0/16 address range is denied. The order of filte...
Page 52 - Configure the IP
CONFIGURE IP ADDRESSES
awplus(config-if)#exit [cont...]
Configure the IP addresses
An IP address is allocated to each Local interface. Also, VLANs are associated with each VRF instance. Each VRF instance can contain...
Page 54 - Configure
CONFIGURE DYNAMIC ROUTING
Configure routing
Dynamic routing protocols are configured as required and associated with each VRF. OSPF instance 1 is associated with VRF red. OSPF instance 2 is associated with VRF orang...
Page 55 - defa
Connected routes associated with VRF green are redistributed into BGP, and also advertised to the external BGP neighbor router. VRF green has an i-BGP peering relationship to its neighbor as the neighbor ASN is the...
Page 56 - command only applies when peering to an external BGP neighbor.
Static routes are configured. Each VRF instance is also configured with its own static default route (via VRF shared) to allow each of them to access the internet. Default routes are not able to be leaked dynamicall...
Page 57 - Configure route
CONFIGURE STATIC ROUTING
CONFIGURE ROUTE MAPS
denotes a static route to destination network 192.168.45.0/24 which has a next hop of 192.168.100.2, which originates from VRF shared, which egresses VLAN5 in VRF shared...
Page 58 - Complete show r
Complete show run output from VRF device is below
awplus>ena
awplus#sh run
!
service password-encryption
!
no banner motd
!
username manager privilege 15 password 8 $1$bJoVec4D$JwOJGPr7YqoExA0GVasdE0
!
acces...
Page 62 - IP ro
ip route vrf orange 192.168.20.0/24 192.168.40.2
ip route vrf orange 192.168.140.0/24 192.168.40.2
ip route vrf shared 0.0.0.0/0 192.168.100.254
ip route vrf shared 192.168.43.0/24 192.168.100.2
ip route vrf shared ...
Page 64 - hostname Internet_router
Configuration files for each external router used in the topology and its associated route table are below. None of the external routers are VRF aware.
hostname Internet_router
!
vlan database
 vl...
Page 65 - hostname shared_router
hostname shared_router
!
vlan database
 vlan 2-4 state enable
!
interface port1.0.2
 switchport access vlan 2
!
interface port1.0.3
 switchport access vlan 3
!
interface port1.0.4
 switchport access vlan 4
!
interface v...
Page 69 - hostname orange_router
hostname orange_router
!
vlan database
 vlan 2-3 state enable
!
interface port1.0.2
 switchport access vlan 2
!
interface port1.0.3
 switchport access vlan 3
!
interface vlan1
 ip address 192.168.40.2/24
!
interface vla...
Page 72 - Virt; Also, the optional command; fig
VCStack and VRF-lite
Virtual Chassis ID
Also, the optional command stack virtual-chassis-id <value> specifies the VCS virtual chassis ID. If not configured, the stack will automatically select a virtual-chassis-id from a number within the assigned ran...
Page 75 - Comm
Sharing VRF routing and double tagging on the same port
In this scenario, both VRF-lite traffic and double VLAN tagged traffic are transported between the two x610 switches via a single shared port. The double tagging feature (nes...
Page 78 - and
Dynamic inter-VRF routing between the global VRF domain and a VRF instance
This section contains two configuration examples. Both examples show how to configure dynamic inter-V...
Page 79 - BGP co; ltihop 2
For both these examples all BGP neighbor relationships involve peering between IP local addresses, not to VLAN interface IP addresses within the same subnet.
BGP configurat...
Page 80 - The
The global parameter in the command neighbor x.x.x.x remote-as <64515> global is required to facilitate an e-BGP peering to the global VRF domain from VRF red. Conversel...
Page 81 - VRF device
Dynamic inter-VRF communication with i-BGP routing to external peer
VRF device
access-list standard redblock4445 deny 192.168.44.0/24
access-list standard redblock...
Page 82 - red router
red router
vlan database
 vlan 2-3 state enable
!
interface port1.0.13
 switchport access vlan 2
!
interface port1.0.14
 switchport access vlan 3
!
interface lo
 ip address 7.7.7.7...
Page 84 - Route Limits; Existing AW+ commands; AW+ supports the ability to limit static routes via the; Static routes limits are applied before adding routes to the; RIB; routes will not be in the running config.
Route Limits
In a multi-VRF network environment, it may be disastrous if one VRF injects too many routes and fills up the hardware forwarding table (FIB) on a device, which can affect other VRFs (as well as the global VRF). In software version 5.4.2 and l...
Page 85 - AW+ supports the ability to limit dynamic routes via the; Set maximum fib routes number; Allowed number of fib routes excluding Connect and Static
Configuring Dynamic route limits
AW+ supports the ability to limit dynamic routes via the max-fib-routes command in the global VRF domain, which is unlimited by default. This same AW+ command is now also able to be applied on a per VRF bas...
Page 86 - Dynamic limits routes are applied before adding routes to the; FIB; tes; Negate a command or set its defaults; show ip route
awplus(config)# ip vrf red
awplus(config-vrf)# max-fib-routes 2000 75
Alternatively, to ensure a warning message is generated when the number of routes exceeds the limit (whilst ensuring routes exceeding the limit can still be added), configure the fol...
Page 87 - VRF-lite usage guidelines; GVRP is not supported in conjunction with VRF-lite.
VRF-lite usage guidelines
The general guideline is that all current services remain available in the default global VRF domain only, unless the service is either explicitly VRF aware, or the service runs completely independently of V...
Page 88 - Useful VRF-related diagnostics command list
Useful VRF-related diagnostics command list
Below is a summary list of diagnostics commands that you may find helpful when troubleshooting VRF-related issues. Many existing commands have been made VRF aware and some ...
Page 89 - ti
  connected  Connected
  database   IP routing table database
  global     Global Routing/Forwarding table
  ospf       Open Shortest Path First (OSPF)
  rip        Routing Information Protocol (RIP)
  static     Static routes
  summary    Summary of all rou...