I also have an example for this:
Hello Rene,
I have a question about creating static routes in Nexus switches under a VRF. In a Nexus environment, a static route is usually created under a VRF in the pattern below. Cisco configuration guides also show it done this way:
**9K-switch(config)# vrf context BLUE-VRF**
9K-switch(config-vrf)# ip route 10.0.0.0/24 10.1.1.1
However, a Nexus switch also supports the below syntax:
**9K-switch(config)#** ip route 10.0.0.0/24 10.1.1.1 vrf BLUE-VRF
I have never executed this command (the second one) before to see the output, because no experiment can be done in the production network.
However, if you have anything to test on or if you explain the difference between two different syntaxes, it will be really helpful.
One more thing. I am trying to set up VIRL. Is there any step-by-step documentation to set up VIRL? Also, please recommend some hardware to install VIRL on.
Thank you so much in advance.
Best Regards,
Azm
Hello AZM
Using the above two types of syntax will essentially provide you with the same result. Looking at this Cisco documentation about configuring static routes in Nexus 9000 devices, both configurations are described.
The second syntax can be applied by issuing the command ip route 10.0.0.0/24 10.1.1.1 without the VRF instance being mentioned. This would result in applying this static route to the present VRF or the default VRF. If you want to apply it to another VRF, then you can specify it explicitly (see step 2 here).
I hope this has been helpful!
Laz
You the man Laz.
Would you also please recommend a step-by-step documentation to set up Cisco VIRL, along with some hardware platform?
Azm
Hi Azm,
Let me jump in on Cisco VIRL. I can highly recommend running it in VMware ESXi; it's free and saves you the hassle of messing with network interfaces, etc. Although I really like VIRL, I had some issues with updates that went wrong, and deploying a new OVA template in ESXi is much easier than reinstalling a physical box.
Look on eBay for an older server that has plenty of RAM and 2x CPUs or something like that.
I still use an HP ProLiant DL360 G7 with 96GB of RAM, which is great for Cisco VIRL:
$325 for 8 physical cores (16 with hyperthreading) and 64GB RAM. What I like about HP / Dell / any other vendor server is that VMware ESXi works out of the box... no issues with drivers or anything like that.
Rene
Hi,
I'm building a lab for a POC and need some advice.
Topology:

+--------------------------+
|         Firewall         |
+--------------------------+
            | int E0/0 (192.168.2.1/24)
            |
+--------------------------+
|                          |  int vlan 2  (192.168.2.2/24)  - VRF BLUE
|        L3 Switch         |  int vlan 8  (192.168.8.1/24)  - VRF GREEN
|                          |  int vlan 12 (192.168.12.1/24) - VRF RED
+--------------------------+
      |               |
+----------+     +----------+
|   Host   |     |   Host   |
|  GREEN   |     |   RED    |
+----------+     +----------+
Goal:
All three VRFs should use the default route of VRF BLUE. So traffic from all networks should be routed to 192.168.2.1.
#############################################################
####### Method 1 (using route-target export): #######
#############################################################
ip vrf BLUE
 rd 1:1
 route-target export 1:1
 route-target import 2:2
ip vrf GREEN
 rd 2:2
 route-target export 2:2
 route-target import 1:1
ip vrf RED
 rd 3:3
 route-target export 3:3
 route-target import 1:1
interface Vlan2
 ip vrf forwarding BLUE
 ip address 192.168.2.2 255.255.255.0
interface Vlan8
 ip vrf forwarding GREEN
 ip address 192.168.8.1 255.255.255.0
interface Vlan12
 ip vrf forwarding RED
 ip address 192.168.12.1 255.255.255.0
ip route vrf BLUE 0.0.0.0 0.0.0.0 192.168.2.1
CORE_Router#sho ip route vrf BLUE
Routing Table: BLUE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.2.1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet0/0
L 192.168.2.2/32 is directly connected, GigabitEthernet0/0
The default route is not exported to VRF GREEN:
CORE_Router#sho ip route vrf GREEN
Routing Table: GREEN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.8.0/24 is directly connected, GigabitEthernet0/4
L 192.168.8.1/32 is directly connected, GigabitEthernet0/4
CORE_Router#
CORE_Router#ping vrf BLUE 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
CORE_Router#
CORE_Router#ping vrf GREEN 8.8.8.8 so Vlan 8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CORE_Router#
##############################################################################
####### Method 2 (pointing vrf route to global routing table): #######
##############################################################################
ip vrf BLUE
 rd 1:1
ip vrf GREEN
 rd 2:2
ip vrf RED
 rd 3:3
interface Vlan2
 ip vrf forwarding BLUE
 ip address 192.168.2.2 255.255.255.0
interface Vlan8
 ip vrf forwarding GREEN
 ip address 192.168.8.1 255.255.255.0
interface Vlan12
 ip vrf forwarding RED
 ip address 192.168.12.1 255.255.255.0
ip route 192.168.2.1 255.255.255.255 Vlan2
ip route 192.168.8.0 255.255.255.0 Vlan8
ip route 192.168.12.0 255.255.255.0 Vlan12
ip route vrf BLUE 0.0.0.0 0.0.0.0 192.168.2.1
ip route vrf BLUE 192.168.8.0 255.255.255.0 192.168.8.1 global
ip route vrf BLUE 192.168.12.0 255.255.255.0 192.168.12.1 global
ip route vrf GREEN 0.0.0.0 0.0.0.0 192.168.2.1 global
ip route vrf RED 0.0.0.0 0.0.0.0 192.168.2.1 global
With this setup, pings from the SVIs are working:
CORE#ping vrf BLUE 8.8.8.8 so vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
CORE#
CORE#ping vrf GREEN 8.8.8.8 so vlan 8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/9 ms
CORE#
CORE#ping vrf RED 8.8.8.8 so vlan 12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/10 ms
CORE#
CORE#sho ip route vrf BLUE
Routing Table: BLUE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.2.1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Vlan2
L 192.168.2.2/32 is directly connected, Vlan2
S 192.168.8.0/24 [1/0] via 192.168.8.1
S 192.168.12.0/24 [1/0] via 192.168.12.1
CORE#
CORE#sho ip route vrf GREEN
Routing Table: GREEN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.2.1
192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.8.0/24 is directly connected, Vlan8
L 192.168.8.1/32 is directly connected, Vlan8
CORE#
CORE#sho ip route vrf RED
Routing Table: RED
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.2.1
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, Vlan12
L 192.168.12.1/32 is directly connected, Vlan12
CORE#
However, a ping from any workstation on an access port in VLAN 8 (VRF GREEN) or VLAN 12 (VRF RED) doesn't work.
Workstation GREEN:
IP: 192.168.8.10/24
Default Gateway: 192.168.8.1
Workstation RED:
IP: 192.168.8.10/24
Default Gateway: 192.168.8.1
Ping from Workstation GREEN:
GREEN#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
GREEN#
Debug IP packet on Core:
CORE#
*Oct 6 13:02:05.326: IP: s=8.8.8.8 (Vlan2), d=192.168.8.10, len 100, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 6 13:02:05.330: IP: tableid=5, s=8.8.8.8 (Vlan2), d=192.168.8.10 (Vlan8), routed via FIB
*Oct 6 13:02:05.332: IP: s=8.8.8.8 (Vlan2), d=192.168.8.10, len 100, rcvd 4
*Oct 6 13:02:05.333: IP: s=8.8.8.8 (Vlan2), d=192.168.8.10, len 100, stop process pak for forus packet
CORE#
Debug ICMP on Core:
CORE#
*Oct 6 13:03:47.006: ICMP: echo reply rcvd, src 8.8.8.8, dst 192.168.8.10, topology BASE, dscp 0 topoid 6
CORE#
Does anybody have an idea? I have tested so many things, but I'm losing my faith.
Would be great if someone could comment.
Many thanks,
Oliver
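As an added illustration (not from Oliver's post or from Cisco), the following Python model replays the lookup chain that the Method 2 static routes produce: each VRF has its own table, a static route carrying the global keyword resolves its next hop in the global table, and resolution recurses until a connected interface is reached. It is a simplification (no CEF, no ACLs) and does not try to explain the workstation failure in the post; the route list in build_method2 is this example's own transcription of the posted config.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str             # next-hop IP, or an interface name such as "Vlan2"
    use_global: bool = False  # the "global" keyword: resolve next_hop in the global table


class VrfRouter:
    """Per-VRF RIBs with longest-prefix match and recursive next-hop resolution."""
    def __init__(self):
        self.tables = {"global": []}

    def add(self, vrf, prefix, next_hop, use_global=False):
        self.tables.setdefault(vrf, []).append(
            Route(ipaddress.ip_network(prefix), next_hop, use_global))

    def lpm(self, vrf, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.tables.get(vrf, []) if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def resolve(self, vrf, dst, depth=0):
        """Return (egress interface, [(table, prefix, next_hop), ...]) or None if unroutable."""
        route = self.lpm(vrf, dst)
        if route is None or depth > 8:  # no route (Method 1's GREEN) or a resolution loop
            return None
        hop = (vrf, str(route.prefix), route.next_hop)
        if route.next_hop.startswith("Vlan"):
            return route.next_hop, [hop]  # reached a directly connected interface
        table = "global" if route.use_global else vrf
        rest = self.resolve(table, route.next_hop, depth + 1)
        return None if rest is None else (rest[0], [hop] + rest[1])


def build_method2():
    """The Method 2 configuration from the post, expressed as routes in this model."""
    r = VrfRouter()
    for vrf, net, intf in [("BLUE", "192.168.2.0/24", "Vlan2"),
                           ("GREEN", "192.168.8.0/24", "Vlan8"),
                           ("RED", "192.168.12.0/24", "Vlan12")]:
        r.add(vrf, net, intf)                      # connected route of the SVI in its VRF
    r.add("global", "192.168.2.1/32", "Vlan2")     # ip route 192.168.2.1 255.255.255.255 Vlan2
    r.add("global", "192.168.8.0/24", "Vlan8")     # ip route 192.168.8.0 255.255.255.0 Vlan8
    r.add("global", "192.168.12.0/24", "Vlan12")   # ip route 192.168.12.0 255.255.255.0 Vlan12
    r.add("BLUE", "0.0.0.0/0", "192.168.2.1")
    r.add("BLUE", "192.168.8.0/24", "192.168.8.1", use_global=True)
    r.add("BLUE", "192.168.12.0/24", "192.168.12.1", use_global=True)
    r.add("GREEN", "0.0.0.0/0", "192.168.2.1", use_global=True)
    r.add("RED", "0.0.0.0/0", "192.168.2.1", use_global=True)
    return r
```

Calling build_method2().resolve("GREEN", "8.8.8.8") walks GREEN's default route into the global table and out of Vlan2, while a router holding only GREEN's connected route (the Method 1 situation) returns None, matching the "Gateway of last resort is not set" output above.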
Hello Oliver,
Method 1 won't work since you need MP-BGP for that. Did you see this example?
I explained how to route between VRFs in that lesson. Using static routes and MP-BGP.
MP-BGP is probably the better option. You can make this work with static routes but it quickly becomes a mess since you have to create routes for the different subnets, some default routes, and in 3 VRFs.
Rene
Hello,
thank you for replying.
I found a way around it. Similar to this: https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/200158-Configure-Route-Leaking-between-Global-a.html
However, this isn't really a good approach and only a workaround.
Initially the approach with MP-BGP didn't come to my attention, as I wasn't planning to use BGP in the network.
What I overlooked is that you don't need any BGP neighbors!
I managed to use MP-BGP now, which is way easier, and my lab is working now.
Many thanks,
Oliver
Hello Laz and community,
I would like to add my comment on this topic. For devices like ASRs or Nexus 3k/5k/7k/9k, they come with a default VRF specifically for management traffic (usually Gig0 interface is assigned to this VRF).
For Nexus, it's called "management" and for ASRs it's called "Mgmt-intf".
One more thing: if you try to assign another interface under these VRFs, you will get an error message. The management interface (Gig0) is the only one allowed to be a member of these VRFs.
Regards.
Hi Rene,
I am a little confused regarding VRF-lite. When we use VRF-lite, do we have to use the RD value for simple segregation of traffic? And when do we use the RD value with VRF-lite?
Do we need to use an address-family with VRF-lite? If not, when do we use it then?
Thanks
Hello Sufian
You don't need an RD or route-target for VRF-lite. However, when BGP is involved, you do. As you can see from this lesson on VRF-lite, no RD was used, nor was an address family used. However, when BGP is involved, you require these functionalities.
I hope this has been helpful!
Laz
Thank you Laz, it sure did. Now I have a question for you:
Sometimes under the address family we use the neighbor command and sometimes we don't. When do we use either?
Thanks in advance.
Sufian
Hello Sufian
Address family mode is used when you have multiple protocols to route, especially when using both IPv4 and IPv6. If you're not running multiple protocols, then you can create the neighbor adjacencies for BGP using the neighbor command in normal router mode. However, if you want the BGP routers to create an adjacency using the specific protocol, then you will have to implement it under the address family mode. It all depends on the needs of the specific application.
I hope this has been helpful!
Laz
Hi Laz,
I'm sorry, I did not get it, or I did not explain myself clearly. See the config below:
router bgp 1
 address-family ipv4 vrf cisco
  neighbor 1.1.1.1 remote-as 2
  network 2.2.2.2 mask 255.255.255.0
end
And sometimes it's like this:
router bgp 1
 address-family ipv4 vrf cisco
  network 2.2.2.2 mask 255.255.255.0
end
My question here is: in the second statement, the neighbor command is not there.
What is the difference between both statements (with the neighbor command and without it), and when do we use each?
Thanks Laz.
Hello Sufian
My apologies, I misunderstood. Here goes...
When you configure BGP without any address family, the Cisco IOS automatically (in the background) creates an address family for IPv4 by default and assumes that any neighbor commands fall into that address family. However, when you put the neighbor command within the specific address family, you are declaring that you want to exchange routes from the particular address family with that neighbor. Not having a neighbor listed under a particular address family means that we are not planning to exchange information from that address family with that neighbor.
Can you give an example of a situation where you don't have the neighbor command under a specific address-family vrf configuration?
I hope this has been helpful!
Laz
Hi Laz,
Something like the example below.
Here we are not using the neighbor command:
router bgp 65498
 address-family ipv4 vrf Staff
  no synchronization
  network 10.8.0.0 mask 255.255.240.0
  network 10.8.16.0 mask 255.255.240.0
  network 10.8.32.0 mask 255.255.240.0
 exit-address-family
Here we are using the neighbor command:
 address-family ipv4 vrf Guest
  neighbor 10.10.10.1 remote-as 2
  neighbor 10.10.10.1 timers 3 9
  neighbor 10.10.10.1 activate
  network 10.10.10.0 mask 255.255.255.0
  network 192.168.1.0 mask 255.255.255.0
  no synchronization
 exit-address-family
So my question was: when do we use the address family with, or without, the neighbor command?
Thanks Laz.
Hello Sufian
The neighbor command is necessary to allow the exchange of BGP routes regardless of whether it is in the address-family mode or not. If no neighbor command is initiated, then routes will not be exchanged. Now by default, the IPv4 address-family is automatically enabled and will exchange routes if the neighbor command is found under the BGP configuration mode.
Now as Cisco notes:
Address exchange for address family IPv4 is enabled by default for each BGP routing session configured with the neighbor remote-as command unless you configure the no bgp default ipv4-activate command before configuring the neighbor remote-as command, or you disable address exchange for address family IPv4 with a specific neighbor by using the no neighbor activate command.
This means that if you have a neighbor command outside of the address-family ipv4 mode, this neighbor command is as if it is configured within the ipv4 address family.
However, when using VRFs, if there is no neighbor command, then you are not exchanging information for that particular VRF with any other BGP devices.
I hope this has been helpful!
Laz
Hi Laz,
Thank you so much, now it makes sense.
Thanks
Hi,
I have a question. I know networks are advertised in BGP via the network command, but under a config I am reviewing I don't see the network command. All I see is this:
router bgp ****
 neighbor 10.10.10.10 remote-as 5555
 address-family ipv4 unicast
  route-map NAME in
  route-map NAME out
How are the routes advertised?
Thanks
Hello Michael.
Take a look at the posts above from this thread, they should answer your question.
I hope this has been helpful!
Laz