Virtual Routing and Forwarding

Feature Summary and Revision History

Summary Data

Table 1. Summary Data

Applicable Product(s) or Functional Area    SMF
Applicable Platform(s)                      SMI
Feature Default Setting                     Disabled – Configuration Required
Related Changes in this Release             Not Applicable
Related Documentation                       Not Applicable

Revision History

Table 2. Revision History

Revision Details                                              Release
-----------------------------------------------------------------------
The following enhancements are introduced:                    2023.01.0
  • Extended the maximum number of VRFs to 129
  • Static and Dynamic Policy Removal
Support overlapping AAA server addresses for PAPN use case    2022.04.0
First introduced.                                             2020.02.5

Feature Description

Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to coexist within the same router at the same time. As the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.

In private APN (PAPN) deployments, the same SMF can support multiple PAPNs, requiring authentication and accounting with the enterprise AAA servers. As the AAA servers belong to different mobile virtual network operators (MVNOs), it is possible that their address ranges overlap. The SMF uses VRF to allow the overlapping AAA server addresses in PAPN or Mobile Virtual Network Operator (MVNO).


Important


Overlapping addresses for the AAA client are currently not supported.


The SMF also uses VRF to remove the Dynamic and Static routes on UDP-based interfaces, which are optimized by using the default route of the VRF. This action replaces the policies with one default route per interface to improve the operational performance.

SMF enables configuration of VRF in the IP pool. The SMF sends IP address details along with the configured VRF name to UPF. UPF maps the IP address to VRF configured within UPF.

SMF supports up to 129 VRFs with a scale of 2K TPS for private APNs and DNNs.

How it Works

This section describes how the SMF uses the VRF technology for the following use cases:

  • PAPN

  • Static and dynamic policy removal

VRF Creation

To create the VRF, perform the following steps:

  1. Create VRF with gateway through CLI configuration.

    VRF gets created with a default route in the VRF routing table.

  2. For the PAPN use case, each PAPN is associated with its own VRF having the default route. Each PAPN VRF must be defined on SMF and leaf switch.

  3. For the Static and Dynamic policy removal use case, VRF with default route is created on SMF to handle outbound routes through the default route added by VRF.

    SMF continues to use global VRF for L3 VIP advertisement toward leaf switch. Hence, on leaf, no specific VRF is required for this use case.

VRF Modification

To modify the device or gateway on the existing VRF, use the following steps:

  1. Disassociate the VRF to be modified from endpoint and router.

  2. Delete the VRF and apply the configuration changes.


    Important


    Make sure you delete the VRF in the running system only.


  3. Create VRF with modified device or gateway.

  4. Associate the newly created VRF, which has the modified device or gateway, with the endpoint and router. Apply the configuration changes.

VRF Deletion

To delete the device or gateway on the existing VRF, use the following steps:

  1. Disassociate the VRF to be deleted from the endpoint and router.

  2. Delete the VRF and apply the configuration changes.


    Important


    Make sure you delete the VRF in the running system only.


  3. If the VRF is shared across logical SMFs, delete the VRF from all logical SMFs to completely remove the VRF configuration from the interface. This is applicable only for static and dynamic use case.

Limitations

This feature has the following limitations:

  • NAS-IP for authentication and accounting requests must be the same as the interface CoA-NAS VIP-IP in the RADIUS endpoint CoA-NAS interface configuration.

  • The VRFs configured under RADIUS server-group and RADIUS endpoint must be the same.

  • For the Disconnect Message (DM) request, the client VRF and the server VRF (CoA-NAS VIP VRF) must match. If there is a mismatch, the DM request is discarded.

VRF Feature Configuration

VRF Configuration

The VRF configuration is applicable to both the PAPN use case and the Static and Dynamic use case.

To configure the VRFs in global configuration mode, use the following sample configuration:

config 
   vrf name vrf_name gateway gateway_ipv4_address gatewayIpv6 gateway_ipv6_address device interface_name linkDevice linked_device_name 
   end 

Important


VRF creation and deletion operations are supported. To modify an existing VRF, delete the VRF and then add it again.


NOTES:

  • vrf name vrf_name —Specify the VRF name. The maximum VRF length supported is 15.

  • gateway gateway_ipv4_address —Specify the IPv4 address of the gateway.

  • gatewayIpv6 gateway_ipv6_address —Specify the IPv6 address of the gateway.

  • device interface_name —Specify the name of the public bonded interface.

  • linkDevice linked_device_name —Specify the name of the private bonded interface. This field is applicable only for Static and Dynamic use case.

Configuration Example

The following are example configurations of VRFs with gateway:

vrf name papn_vrf_1 gateway 209.165.202.131 device bd2.radius.2161 
vrf name papn_vrf_2  gateway 209.165.202.131 device bd2.radius.2162 
vrf name vrf_s11 gateway 209.165.202.131 device bd1.s11.1692 linkDevice bd1.s11.1696 

Endpoint Configuration

To configure the endpoint and associate with the VRF, use the following sample configuration:

config 
   instance instance-id instance_id 
       endpoint { gtp | pfcp | radius } 
          interface { coa-nas | s5 | s5e | s2b | s11 | n4 } 
             vip-ip ip_address [ vip-interface interface_name | vip-port vip_port | vrf vrf_name ] 
             end 

NOTES:

  • endpoint { gtp | pfcp | radius } —Specify the endpoint name. It can be GTP, PFCP protocol, or RADIUS.

    For PAPN support, use the RADIUS endpoint. For the static and dynamic policy removal use case, select the GTP or PFCP protocol.

  • interface { coa-nas | s5 | s5e | s2b | s11 | n4 } —Specify the interface based on the use case. For PAPN support, select coa-nas interface. For the policy removal use case, use any of the other available interfaces.

  • vip-ip ip_address —Specify the IPv4 address of the configured endpoint.

  • vip-port vip_port —Specify the port number of endpoint.

  • vip-interface interface_name —Specify the interface name. Note that this is a bonded interface which is associated with VRF.

  • vrf vrf_name —Specify the VRF name defined using global VRF configuration.

Configuration Example

The following are example configurations:

instance instance-id 1 endpoint radius interface coa-nas vip-ip 209.165.202.131 vip-port 8112 vip-interface bd2.radius.2161 vrf papn_vrf_1 
instance instance-id 1 endpoint radius interface coa-nas vip-ip 209.165.202.133 vip-port 8112 vip-interface bd2.radius.2162 vrf papn_vrf_2 
instance instance-id 1 endpoint pfcp interface n4 vip-ip 209.165.202.134 vip-interface bd2.n4.2105 vrf vrf_n4_ls1 
instance instance-id 1 endpoint gtp interface s11 vip-ip 209.165.202.135 vip-interface bd1.s11.1692 vrf vrf_s11 
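
The VRF and endpoint rules above, together with the server-group limitation, can be checked offline before a configuration is applied. The following linter is an added example, not Cisco code: it assumes the flat one-line form used in the page's examples, takes server-group VRFs as a separate mapping with constructed group names, and treats "vip-interface equals the VRF device" as an assumption drawn from the page's examples.

```python
MAX_VRF_NAME = 15  # limit stated in the VRF configuration notes

# Sample input: flat lines taken from the page's examples. The definition of
# vrf_n4_ls1 is left out on purpose; the server-group names are constructed.
SAMPLE = """\
vrf name papn_vrf_1 gateway 209.165.202.131 device bd2.radius.2161
vrf name papn_vrf_2 gateway 209.165.202.131 device bd2.radius.2162
vrf name vrf_s11 gateway 209.165.202.131 device bd1.s11.1692 linkDevice bd1.s11.1696
instance instance-id 1 endpoint radius interface coa-nas vip-ip 209.165.202.131 vip-port 8112 vip-interface bd2.radius.2161 vrf papn_vrf_1
instance instance-id 1 endpoint radius interface coa-nas vip-ip 209.165.202.133 vip-port 8112 vip-interface bd2.radius.2162 vrf papn_vrf_2
instance instance-id 1 endpoint pfcp interface n4 vip-ip 209.165.202.134 vip-interface bd2.n4.2105 vrf vrf_n4_ls1
instance instance-id 1 endpoint gtp interface s11 vip-ip 209.165.202.135 vip-interface bd1.s11.1692 vrf vrf_s11
"""
SAMPLE_GROUPS = {"papn1_aaa": "papn_vrf_1", "papn3_aaa": "papn_vrf_3"}

def parse(config):
    """Split flat config lines into VRF definitions and endpoint bindings."""
    vrfs, endpoints = {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["vrf", "name"] and len(tok) > 2:
            vrfs[tok[2]] = dict(zip(tok[3::2], tok[4::2]))  # keyword/value pairs
        elif tok[:1] == ["instance"]:
            endpoints.append(dict(zip(tok[1::2], tok[2::2])))
    return vrfs, endpoints

def lint(config, server_group_vrfs=None):
    """Return findings for VRF bindings that contradict the page's rules."""
    vrfs, endpoints = parse(config)
    findings = [f"vrf {n}: name exceeds {MAX_VRF_NAME}" for n in vrfs if len(n) > MAX_VRF_NAME]
    for ep in endpoints:
        label, vrf = f"{ep.get('endpoint')}/{ep.get('interface')} {ep.get('vip-ip')}", ep.get("vrf")
        if vrf is None:
            continue  # endpoint stays in the global routing table
        if vrf not in vrfs:
            findings.append(f"{label}: vrf {vrf} is not defined")
        elif ep.get("vip-interface") != vrfs[vrf].get("device"):
            # assumption drawn from the page's examples: vip-interface == VRF device
            findings.append(f"{label}: vip-interface is not the device of vrf {vrf}")
    # Limitation: server-group VRF and RADIUS endpoint VRF must be the same
    radius_vrfs = {ep.get("vrf") for ep in endpoints if ep.get("endpoint") == "radius"}
    for group, vrf in (server_group_vrfs or {}).items():
        if vrf not in radius_vrfs:
            findings.append(f"server-group {group}: no RADIUS endpoint in vrf {vrf}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE, SAMPLE_GROUPS):
        print(finding)
```

An empty result means every endpoint that names a VRF resolves to a defined VRF on the expected bonded interface, so RADIUS, GTP and PFCP traffic stays in the routing table intended for it.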

VRF Configuration in RADIUS Profile

To configure the VRF in RADIUS server group, use the following sample configuration:

config 
   profile radius   
      server-group group_name 
         vrf vrf_name 
         server-private { radius_server_ip_address port_number  | [ range ] }  
            priority radius_server_priority 
            secret radius_server_secret_key 
            type { acct | auth } 
            end 

NOTES:

  • server-private { radius_server_ip_address port_number | [ range ] } —Specify the IP address and port number of the private RADIUS servers used for accounting and authentication requests. This server is private to the specific server-group.

    Private servers in the server-group will be given priority over global servers that are associated to the group. If private servers are unreachable or dead, global servers will be selected to send authentication or accounting requests.

  • priority radius_server_priority —Specify the priority of RADIUS server.

  • secret radius_server_secret_key —Specify the RADIUS server shared secret key.

    Must be a string.

  • type { acct | auth } —Specify the type of private RADIUS server used for accounting and authentication requests.

  • server-private { radius_server_ip_address port_number [ priority radius_server_priority | secret radius_server_secret | type { acct | auth } ] | [ range ] }

  • range —Specify the IP address range.

  • vrf vrf_name —Specify the VRF name to be configured in AAA server group.

    If VRF is configured in server-group, it is recommended to configure servers using server-private and not associate the global servers.

To define the VRF in RADIUS Dynamic-authorization/COA configuration, use the following sample configuration:

config 
   profile radius-dynamic-author 
      client client_ip_address vrf vrf_name 
         nas-identifier nas_identifier_port 
         secret secret_key 
         end 

NOTES:

  • client client_ip_address —Specify the RADIUS Dynamic-authorization client configuration.

  • vrf vrf_name —Specify the VRF name to be configured in AAA server group.

    If VRF is configured in server-group, it is recommended to configure servers using server-private and not associate the global servers.

  • nas-identifier nas_identifier_port —Specify the dynamic authorization NAS identifier.

  • secret secret_key —Specify the dynamic authorization server shared secret key.

VRF Association for BGP Peering

To associate VRF with BGP for BGP peering, use the following sample configuration:

config 
   router bgp bgp_name 
       interface interface_name 
           vrf  vrf_name 
           end 

NOTES:

  • interface interface_name —Specify the local BGP interface.

  • vrf vrf_name —Specify the VRF details to be associated with BGP.

Configuration Example

The following is an example of BGP peering configuration with no VRF association:

interface enp94s0f0.3921
  bondingInterface enp216s0f0
  bondingInterface enp94s0f0
  neighbor 209.165.202.254 remote-as 65141 fail-over bfd
exit
interface enp94s0f1.3922
  bondingInterface enp216s0f1
  bondingInterface enp94s0f1
  neighbor 209.165.202.254 remote-as 65141 fail-over bfd
exit
 

The following is an example of BGP Peering configuration with association with papn_vrf_1.

interface enp94s0f0.3923  leaf1
  vrf papn_vrf_1
  bondingInterface enp216s0f0
  bondingInterface enp94s0f0
  neighbor 209.165.202.254 remote-as 65141 fail-over bfd
exit
interface enp94s0f1.3924  leaf2
  vrf papn_vrf_1 
  bondingInterface enp216s0f1
  bondingInterface enp94s0f1
  neighbor 209.165.202.254 remote-as 65141 fail-over bfd
exit
 

The following is an example of BGP Peering configuration with association with papn_vrf_2.

interface enp94s0f0.3925
  vrf papn_vrf_2
  bondingInterface enp216s0f0
  bondingInterface enp94s0f0
  neighbor 209.165.202.254 remote-as 65141 fail-over bfd
exit
interface enp94s0f1.3926
  vrf papn_vrf_2 
  bondingInterface enp216s0f1
  bondingInterface enp94s0f1
  neighbor 209.165.202.254 remote-as 65141 fail-over bfd
exit
 

Configuration Verification

To view the VRF information, use the show vrf-info command.

Following is a sample output of the show vrf-info command.


                           GATEWAY                            TABLE
NAME        GATEWAY         IPV6    DEVICE      LINK DEVICE   ID     STATE  POD NAME
------------------------------------------------------------------------------------------------
npapn-vrf12 209.165.200.225      bd2.npv12.756                2516    true  bgpspeaker-pod-1
papn-vrf18  209.165.200.226      bd2.pv18.1236                2621    true  bgpspeaker-pod-1
vrf_s11     209.165.200.227      bd1.s11.1692  bd1.s11.1696   2631    true  bgpspeaker-pod-1
vrf_n4_ls1  209.165.200.228      bd2.n4.2105   bd2.n4.3915    2630    true  bgpspeaker-pod-1

To view the VRF route information, use the show vrf-route-info command.

Following is a sample output of the show vrf-route-info command.

Vrf TableId Route
papn-vrf11 2614 default via 209.165.200.225 dev bd2.pv11.1229 proto 217 metric 217
papn-vrf11 2614 broadcast 209.165.200.226 dev bd2.pv11.1229 proto kernel scope link src 209.165.200.225
papn-vrf11 2614 209.165.200.227/29 dev bd2.pv11.1229 proto kernel scope link src 209.165.200.225
papn-vrf11 2614 local 209.165.200.225 dev bd2.pv11.1229 proto kernel scope host src 209.165.200.225
papn-vrf11 2614 broadcast 209.165.200.227 dev bd2.pv11.1229 proto kernel scope link src 209.165.200.225
papn-vrf11 2614 anycast fe80:: dev bd2.pv11.1229 proto kernel
papn-vrf11 2614 local fe80::42a6:b7ff:fe37:38 dev bd2.pv11.1229 proto kernel
papn-vrf11 2614 fe80::/64 dev bd2.pv11.1229 proto kernel metric 256
papn-vrf11 2614 ff00::/8 dev bd2.pv11.1229 proto 3 metric 256

Vrf TableId Route
vrf_s5 2633 default via 209.165.200.225 dev bd1.s5.1691 proto 217 metric 217
vrf_s5 2633 local 209.165.200.226 dev bd1.s5.1691 proto kernel scope host src 209.165.200.225
vrf_s5 2633 broadcast 209.165.200.226 dev bd1.s5.1691 proto kernel scope link src 209.165.200.225
vrf_s5 2633 local 209.165.200.226 dev bd1.s5.1691 proto kernel scope host src 209.165.200.225
vrf_s5 2633 broadcast 209.165.200.226 dev bd1.s5.1691 proto kernel scope link src 209.165.200.225
vrf_s5 2633 broadcast 209.165.200.226 dev bd1.s5.1691 proto kernel scope link src 209.165.200.225
vrf_s5 2633 209.165.200.226/24 dev bd1.s5.1691 proto kernel scope link src 209.165.200.225
vrf_s5 2633 local 209.165.200.225 dev bd1.s5.1691 proto kernel scope host src 209.165.200.225
vrf_s5 2633 broadcast 209.165.200.226 dev bd1.s5.1691 proto kernel scope link src 209.165.200.225
vrf_s5 2633 broadcast 209.165.200.226 dev bd1.s5.1691 proto kernel scope link src 209.165.200.225
vrf_s5 2633 209.165.200.226/24 dev bd1.s5.1691 proto kernel scope link src 209.165.200.225
vrf_s5 2633 local 209.165.200.226 dev bd1.s5.1691 proto kernel scope host src 209.165.200.225
vrf_s5 2633 broadcast 209.165.200.226 dev bd1.s5.1691 proto kernel scope link src 209.165.200.225
vrf_s5 2633 anycast fe80:: dev bd1.s5.1691 proto kernel
vrf_s5 2633 anycast fe80:: dev bd1.s5.1691 proto kernel
vrf_s5 2633 local fe80::42a6:b7ff:fe37:39 dev bd1.s5.1691 proto kernel
vrf_s5 2633 local fe80::42a6:b7ff:fe37:39 dev bd1.s5.1691 proto kernel
vrf_s5 2633 fe80::/64 dev bd1.s5.1691 proto kernel metric 256
vrf_s5 2633 fe80::/64 dev bd1.s5.1691 proto kernel metric 256
vrf_s5 2633 ff00::/8 dev bd1.s5.1691 proto 3 metric 256
vrf_s5 2633 ff00::/8 dev bd1.s5.1691 proto 3 metric 256

OAM Support

Bulk Statistics Support

The following statistics are updated to support the VRF feature.

  • bgp_outgoing_routerequest_total - This statistic includes the "vrf" label to indicate the total count of successful BGP outgoing routes per VRF.

  • bgp_outgoing_failedrouterequest_total - This statistic includes the "vrf" label to indicate the total count of failed BGP outgoing routes per VRF.

  • bgp_speaker_bfd_peer_status - This statistic includes the "vrf" label to indicate the BFD peer status.