About Easy Virtual Network
Easy Virtual Network (EVN) builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN provides enhancements in path isolation, simplified configuration and management, and improved shared service support. EVN is backward compatible with VRF-Lite to enable seamless network migration from VRF-Lite to EVN.
EVN supports IPv4, static routes, Open Shortest Path First version 2 (OSPFv2), and Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) for IPv4 Multicast routing. EVN also supports Cisco Express Forwarding (CEF) and Simple Network Management Protocol (SNMP).
Virtual Network Tags Provide Path Isolation
It is not uncommon to have different user groups running on the same IP infrastructure. Various business reasons require traffic isolation between different groups. The figure below shows two user groups, Red and Green, running on the same network. Prior to network virtualization, there is no separation of traffic between the two groups. Users in the Red user group can access the server in the Green user group, and vice versa.
Without network virtualization, path isolation can be achieved by using access control, which is expensive to maintain, prone to error and does not support unique routing and forwarding tables per network
Figure 83-1 Network without Virtualization
Virtual networks provide a coarse-grained segmentation of different user groups on one physical network. By configuring virtual networks, you can virtualize a single IP infrastructure to provide a number of virtual networks end to end. In the figure below, a single IP infrastructure is virtualized into two VPNs by creating two VRFs, Red and Green.
Figure 83-2 Network with Virtualization
In addition to utilizing VRFs to provide device-level separation, each virtual network has path isolation from the other. Path isolation is achieved by tagging the traffic so it carries the same tag value throughout the same virtual network. Each network device along the path uses the tags to provide separation among different VRFs. A single tag number ties VRF red, for example, on one device to VRF red on another device.
Virtual Network Tags
Each VPN and associated EVN has a tag value that you assign during configuration. The tag value is global, meaning that on each device, the same EVN must be assigned the same numerical tag value. Tag values range from 2 to 4094.
An EVN is allowed on any interface that supports 802.1q encapsulation, such as Fast Ethernet, Gigabit Ethernet, and port channels. To allow for backward compatibility with the VRF-Lite solution, the vLAN ID field in the 802.1q frame is used to carry the virtual network tag.
Traffic that carries a virtual network tag is called tagged traffic. Traffic that does not carry a virtual network tag is called untagged traffic.
Tags are illustrated in the following configuration with two VRFs, red and green:
! Define two VRFs, red and green.
A virtual network is defined as a VRF instance with a virtual network tag assigned.
vnet Global
A predefined EVN known as vnet global is on the device. It refers to the global routing context and it corresponds to the default RIB. In figure 2 and figure 3, vnet global is represented by a black line connecting devices. The vnet global carries untagged traffic. By default, interfaces belong to the vnet global. Furthermore, vnet global is always running on trunk interfaces. The vnet global is also known as the default routing table.
Note IPv6 traffic is supported in vnet global only.
Edge Interfaces and EVN Trunk Interfaces
User devices are connected to a Layer 2 switch port, which is assigned to a VLAN. A VLAN can be thought of as a Layer 2 VPN. Customers will group all of the devices that need to be supported in a common Layer 3 VPN in a single VLAN. The point where data traffic is handed off between a VLAN and VRF is called an edge interface.
An edge interface connects a user device to the EVN and in effect defines the boundary of the EVN. Edge interfaces connect end devices such as hosts and servers that are not VRF-aware. Traffic carried over the edge interface is untagged. The edge interface classifies which EVN the received traffic belongs to. Each edge interface is configured to belong to only one EVN.
An EVN trunk interface connects VRF-aware devices together and provides the core with a means to transport traffic for multiple EVNs. Trunk interfaces carry tagged traffic. The tag is used to de-multiplex the packet into the corresponding EVN. A trunk interface has one subinterface for each EVN.
The vnet trunk command is used to define an interface as an EVN trunk interface.
An EVN interface uses two types of interfaces: edge interfaces and trunk interfaces. An interface can be an edge or trunk interface, but not both. Figure 3 illustrates devices A and D, which have edge interfaces that belong to VRF Red. Devices D and E have edge interfaces that belong to VRF Green.
Devices B, C, D, F, and G have trunk interfaces that make up the EVN core. These five devices have interfaces that belong to both VRF Red and VRF Green.
Figure 83-3 EVN Edge and EVN Trunk Interfaces
Identifying Trunk Interfaces in Display Output
Because a trunk interface carries multiple EVNs, sometimes it is not sufficient to display only the trunk interface name. When it is necessary to indicate that display output pertains to a particular EVN running on the trunk interface, the convention used is append a period and the virtual network tag, making the format interface.virtual-network-tag. Examples are gigabitethernet1/1/1.101 and gigabitethernet1/1/1.102.
By default, when a trunk interface is configured, all of the EVNs and associated virtual network tags are configured, and a virtual network subinterface is automatically created. As stated above, a period and the virtual network tag number are appended to the interface number.
In the following example, VRF red is defined with virtual network tag 3. Hence, the system created Fast Ethernet 0/0/0.3 (in VRF red).
Device# show running-config vrf red
Building configuration...
Current configuration : 1072 bytes
You can display this hidden interface with the show derived-config command and see that all of the commands entered on Fast Ethernet 0/0/0 have been inherited by Fast Ethernet 0/0/0.3:
Device# show derived-config interface fastethernet0/0/0.3
Derived configuration : 478 bytes
interface FastEthernet0/0/0.3
description Subinterface for VRF NG red
ip address 10.1.1.1 255.255.255.0
Single IP Address on Trunk Interfaces
A trunk interface can carry traffic for multiple EVNs. To simplify the configuration process, all the subinterfaces and associated EVNs have the same IP address assigned. In other words, a trunk interface is identified by the same IP address in different EVN contexts. This is because each EVN has a unique routing and forwarding table, thereby enabling support for overlapping IP addresses across multiple EVNs.
Relationship Between VRFs Defined and VRFs Running on a Trunk Interface
By default, the trunk interfaces on a router will carry traffic for all VRFs defined by the vrf definition command. For example, in the following configuration, every VRF defined on the router is included on the interface:
interface FastEthernet 1/0/0 vnet trunk ip address 10.1.1.1 255.255.255.0
However, you might want to enable only a subset of VRFs over a certain trunk interface for traffic separation purposes. This is achieved by creating a VRF list, which is referenced in the vnet trunk command. When a trunk interface is enabled with a VRF list, only VRFs on the list are enabled on the interface. The exception is that vnet global is always enabled on the trunk interface.
In the following example, only the two specified VRFs on the list (red and green) are enabled on the interface:
interface FastEthernet 1/0/0
ip address 10.1.1.1 255.255.255.0
VRF Awareness
A device connected to a virtual network may not understand virtual network tags and can send and receive only untagged traffic. Such a device is referred to as VRF unaware. For example, a laptop computer is usually VRF unaware.
By contrast, a device that can send and receive tagged traffic and therefore takes the tag value into account when processing such traffic is known as VRF aware. For example, a VRF-aware server shared among different EVNs could use the virtual network tag to distinguish requests received and send responses. A VRF-aware device is connected to the EVN using a trunk interface, as shown in figure 4.
Figure 83-4 VRF Aware Server
The term “VRF aware” can also be used to describe a software component running on the device. A software component is VRF aware if it can operate on different EVNs. For example, ping is VRF aware because it allows you to choose the EVN to which you want to send the ping packet.
Routing Protocols Supported by EVN
Each EVN runs a separate instance of a routing protocol. This allows each EVN to fine-tune its routing separately and also limits fate sharing. Different virtual networks may run different routing protocols concurrently.
EVN supports static routes, OSPFv2, and PIM, MSDP, and IGMP for multicast routing.
Packet Flow in a Virtual Network
Packets enter an EVN through an edge interface, traverse multiple trunk interfaces, and exit the virtual network through another edge interface. At the ingress edge interface, packets are mapped from a VLAN into a particular EVN. Once the packet is mapped to an EVN, it is tagged with the associated virtual network tag. The virtual network tag allows the trunk interface to carry packets for multiple EVNs. The packets remain tagged until they exit the EVN through the egress edge interface.
On the edge interface, the EVN associated with the interface is used for route lookup. On the trunk interface, the virtual network tag carried in the packet is used to locate the corresponding EVN for routing the packets.
If the egress interface is an edge interface, the packet is forwarded untagged. However, if the egress interface is a trunk interface, the packet is forwarded with the tag of the ingress EVN.
The figure below illustrates how traffic from two VRFs, red and green, can coexist on the same IP infrastructure, using the tags 101 and 102.
Figure 83-5 Packet Flow in a Virtual Network
The packet flow from Laptop 1 to Server 1 in VRF red occurs as follows:
1. Laptop 1 send an untagged packet to Server 1.
2. Device A receives the packet over an edge interface, which is associated with VRF red.
a. Device A does route lookup in VRF red and sees that the next hop is Device B through a trunk interface.
b. Device A encapsulates the packet with VRF red’s tag (101) and sends it over the trunk interface.
3. Device B receives the packet over a trunk interface. Seeing virtual network tag 101, Device B identifies that the packet belongs to VRF red.
a. Device B does route lookup in VRF red and sees that the next hop is Device C through a trunk interface.
b. Device B encapsulates the packet with VRF red’s tag (101) and sends it over the trunk interface.
4. Device C receives the packet over a trunk interface. Using virtual network tag 101, Device C identifies that the packet belongs to VRF red.
a. Device C does route lookup in VRF red and sees that the next hop is Device D through a trunk interface.
b. Device C encapsulates the packet with VRF red’s tag (101) and sends it over the trunk interface.
5. Device D receives the packet over a trunk interface. Using virtual network tag 101, Device D identifies that the packet belongs to VRF red.
a. Device D does route lookup in VRF red and sees that the next hop is through an edge interface.
b. Device D sends the untagged packet over the edge interface to Server 1.
6. Server 1 receives the untagged packet originated from Laptop 1.
Command Inheritance on EVN Trunk Interfaces
One of the benefits of EVN is the ability to easily configure multiple EVNs on a common trunk interface without the need to configure each interface associated with an EVN individually. An EVN trunk interface takes advantage of the fact that the configuration requirements for different EVNs will be similar over a single trunk interface. When specific commands are configured on the trunk interface, they define default values that are inherited by all EVNs running over the same interface, including vnet global. If you feel that the settings are acceptable for all of the EVNs sharing an interface, then no individual configuration is necessary.
For example, the OSPF hello interval can be set for all EVNs over the trunk interface with the following configuration:
interface gigabitethernet1/1/1
ip address 10.1.2.1 255.255.255.0
! set OSPF hello interval for all VRFs on this interface.
ip ospf hello-interval 20
Overriding Command Inheritance Virtual Network Interface Mode
You can set up EVNs on the same trunk interface to have different configurations, by override inherited values using specific commands in virtual network interface mode for individual EVNs. In this mode, the command’s settings override the Cisco default value or the value you set in interface configuration mode.
In interface configuration mode, entering the vnet name command causes the system to enter virtual network interface mode.
Beginning in Cisco IOS XE Release 3.9.1E, you can override the inherited IP address for subinterfaces. For more information, see Changing the Inherited IP Address for Subinterfaces.
The following list displays the commands for which inherited values can be overridden:
|
Values Inherited by EVNs on Interface?
|
Values Can Be Overriden in Virtual Network Interface Mode?
|
ip accounting |
Yes |
No |
ip address |
Yes |
Yes |
ip broadcast-address |
Yes |
No |
ip directed broadcast |
Yes |
No |
ip information-reply |
Yes |
No |
ip irdp |
Yes |
No |
ip load-sharing |
Yes |
No |
ip mask-reply |
Yes |
No |
ip mtu |
Yes |
No |
ip proxy-arp |
Yes |
No |
ip redirects |
Yes |
No |
ip unnumbered |
Yes |
No |
ip unreachables |
Yes |
No |
ip ospf process-id area |
No |
Yes |
ip ospf authentication |
Yes |
Yes |
ip ospf authentication-key |
Yes |
Yes |
ip ospf cost |
Yes |
Yes |
ip ospf database-filter |
Yes |
Yes |
ip ospf dead-interval |
Yes |
Yes |
ip ospf demand-circuit |
Yes |
Yes |
ip ospf flood-reduction |
Yes |
Yes |
ip ospf hello-interval |
Yes |
Yes |
ip ospf lls |
Yes |
Yes |
ip ospf message-digest-key |
Yes |
Yes |
ip ospf mtu-ignore |
Yes |
Yes |
ip ospf network |
Yes |
Yes |
ip ospf priority |
Yes |
Yes |
ip ospf resync-timeout |
Yes |
Yes |
ip ospf shutdown |
Yes |
Yes |
ip ospf transmit-delay |
Yes |
Yes |
ip ospf transmit-interval |
Yes |
Yes |
ip ospf ttl-security |
Yes |
Yes |
ip ospf vnet area |
No |
No |
ip igmp access-group |
Yes |
Yes |
ip igmp explicit-tracking |
Yes |
Yes |
ip igmp helper-address |
Yes |
Yes |
ip igmp immediate-leave |
Yes |
Yes |
ip igmp last-member-query-count |
Yes |
Yes |
ip igmp last-member-query-interval |
Yes |
Yes |
ip igmp limit |
Yes |
Yes |
ip igmp mroute-proxy |
Yes |
Yes |
ip igmp proxy-service |
Yes |
Yes |
ip igmp querier-timeout |
Yes |
Yes |
ip igmp query-interval |
Yes |
Yes |
ip igmp query-max-response-time |
Yes |
Yes |
ip igmp tcn |
Yes |
Yes |
ip igmp unidirectional-link |
Yes |
Yes |
ip igmp v3lite |
Yes |
Yes |
ip igmp version |
Yes |
Yes |
ip multicast boundary |
Yes |
Yes |
ip pim bidir-neighbor-filter |
Yes |
Yes |
ip pim bsr-border |
Yes |
Yes |
ip pim dense-mode |
Yes |
Yes |
ip pim dr-priority |
Yes |
Yes |
ip pim nbma-mode |
Yes |
Yes |
ip pim neighbor-filter |
Yes |
Yes |
ip pim passive |
Yes |
Yes |
ip pim query-interval |
Yes |
Yes |
ip pim sparse-dense-mode |
Yes |
Yes |
ip pim sparse-mode |
Yes |
Yes |
ip pim state-refresh |
Yes |
Yes |
ip mfib cef |
Yes |
Yes |
ip mfib forwarding |
Yes |
Yes |
Removing Overrides and Restoring Values Inherited from EVN Trunk
The no and default keywords result in different outcomes, depending on whether they are used for a trunk interface or in virtual network interface mode. This section describes the different outcomes.
When the no or default keyword is entered before a command on a trunk interface, the trunk is restored to the system’s default value for that command. (This is standard behavior resulting for the no or default keyword).
When the default keyword is entered before a command in virtual network interface mode, the override value is removed and the value that is inherited from the trunk is restored. The override value for the specific EVN is no longer in effect.
In the following example, the trunk interface is configured with an OSPF cost of 20, but VRF blue overrides that value with an OSPF cost of 30:
interface gigabitethernet 2/0/0
ip address 10.1.1.1 255.255.255.0
! Set OSPF cost for all VRFs on this interface to 20.
! Set OSPF cost for blue to 30.
When the following commands are entered, the OSPF cost value is restored to 20, which is the cost inherited from the trunk interface. (Note that 20 is not the default value of the ip ospf cost command.)
Device(config-if)# vnet name blue
Device(config-if-vnet)# default ip ospf cost
Determining if No Form of Commands Appear in Configuration Files
If a command switches a feature on or off, the no form of the command appears in the configuration file when configured. Nonvolatile generation (NVGEN) overrides the setting from the EVN trunk, as shown in the following example:
interface gigabitethernet 2/0/0
If a command takes an argument in its syntax, such as ip ospf cost cost, the no form of the command will remove the configuration, but does not appear in the configuration file. That is, it will not be NVGEN’ed because the user could enter ip ospf cost default-value to override the inherited value.
EVN Compatibility with VRF-Lite
EVN is wire compatible with VRF-Lite. In other words, on the outside, 802.1q, SNMP MIBs, and all the EVN infrastructure will look exactly the same as VRF-Lite.
In the figure below, both devices have VRFs defined. The device on the left uses VRF-Lite, and the device on the right uses an EVN trunk with tags. The two configurations follow the figure.
Example: VRF-Lite Subinterface Configuration EVN Trunk Configuration
interface TenGigabitEthernet1/1/1 interface TenGigabitEthernet 1/1/1
ip address 10.122.5.31 255.255.255.254 vnet trunk
ip pim query-interval 333 msec ip address 10.122.5.32 255.255.255.254
ip pim sparse-mode pim sparse-mode
logging event link-status logging event link-status
interface TenGigabitEthernet1/1/1.101 Global Configuration:
description Subinterface for Red VRF vrf definition red
encapsulation dot1Q 101 vnet tag 101
ip address 10.122.5.31 255.255.255.254 vrf definition green
ip pim query-interval 333 msec vnet tag 102
logging event subif-link-status
interface TenGigabitEthernet1/1/1.102
description Subinterface for Green VRF
ip address 10.122.5.31 255.255.255.254
ip pim query-interval 333 msec
logging event subif-link-status
SQoS and EVN
Quality of Service (QoS) configurations are applied to the main physical interface on an EVN trunk. The QoS policy affects all traffic that flows out the physical interface in all the VRFs at the same time. In other words, QoS and network virtualization are mutually independent. For example, traffic marked with the DSCP value specified for voice will be put into the voice queue if the packet is from the red VRF, blue VRF, or green VRF. The traffic for all the VRFs is queued together.