Layer 3 Virtualization
Overview of Layer 3 Virtualization
Cisco NX-OS supports virtual routing and forwarding instances (VRFs). Each VRF contains a separate address space with unicast route tables for IPv4 and makes routing decisions independent of any other VRF.
Each router has a default VRF and a management VRF. All Layer 3 interfaces and routing protocols exist in the default VRF until you assign them to another VRF. The mgmt0 interface exists in the management VRF. With the VRF-lite feature, the switch supports multiple VRFs in customer edge (CE) switches. VRF-lite allows a service provider to support two or more Virtual Private Networks (VPNs) with overlapping IP addresses using one interface.
Note: The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs.
VRF and Routing
All unicast and multicast routing protocols support VRFs. When you configure a routing protocol in a VRF, you set routing parameters for the VRF that are independent of routing parameters in another VRF for the same routing protocol instance.
You can assign interfaces and routing protocols to a VRF to create virtual Layer 3 networks. An interface exists in only one VRF. The following figure shows one physical network split into two virtual networks with two VRFs. Routers Z, A, and B exist in VRF Red and form one address domain. These routers share route updates that do not include router C, because router C is configured in a different VRF.
By default, Cisco NX-OS uses the VRF of the incoming interface to select which routing table to use for a route lookup. You can configure a route policy to modify this behavior and set the VRF that Cisco NX-OS uses for incoming packets.
VRF supports route leaking (import or export) between VRFs. Certain limitations apply to route leaking in VRF-Lite. For more information, see Guidelines and Limitations for VRF Route Leaking.
VRF-Lite
VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but a Layer 3 interface cannot belong to more than one VRF at any time.
Note: Multiprotocol Label Switching (MPLS) and the MPLS control plane are not supported in the VRF-lite implementation.
Note: VRF-lite interfaces must be Layer 3 interfaces.
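The three rules stated above (an interface belongs to exactly one VRF, the ingress interface selects the routing table, and VRFs may carry overlapping address space) are easy to reason about with a small forwarding model. The following Python model is an added illustration and is not NX-OS code; the VRF names, interface names, prefixes and next hops are constructed sample values, and `leak_route` is a simplified stand-in for the import/export route leaking the text mentions.

```python
"""Model of VRF-lite forwarding (added illustration, not NX-OS code).

All names, prefixes and next hops are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next hop); connected routes use "connected:<interface>"
Route = Tuple[ipaddress.IPv4Network, str]


class Router:
    def __init__(self) -> None:
        # The default and management VRFs always exist, as on NX-OS
        self.tables: Dict[str, List[Route]] = {"default": [], "management": []}
        self.intf_vrf: Dict[str, str] = {}

    def create_vrf(self, name: str) -> None:
        self.tables.setdefault(name, [])

    def assign_interface(self, intf: str, vrf: str, address: str) -> None:
        """Place intf in vrf. Re-assigning moves it: an interface is in one VRF only."""
        if vrf not in self.tables:
            raise ValueError(f"VRF {vrf} does not exist")
        old = self.intf_vrf.get(intf)
        if old is not None:
            # Moving an interface out of a VRF removes its connected route there
            self.tables[old] = [r for r in self.tables[old] if r[1] != f"connected:{intf}"]
        self.intf_vrf[intf] = vrf
        net = ipaddress.ip_interface(address).network
        self.tables[vrf].append((net, f"connected:{intf}"))

    def add_route(self, vrf: str, prefix: str, next_hop: str) -> None:
        self.tables[vrf].append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, vrf: str, dst: str) -> Optional[str]:
        """Longest-prefix match in one VRF's table; None means unroutable in that VRF."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for net, nh in self.tables.get(vrf, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, ingress_intf: str, dst: str) -> Optional[str]:
        """Default behaviour described in the text: the ingress interface's VRF picks the table."""
        return self.lookup(self.intf_vrf[ingress_intf], dst)

    def leak_route(self, src_vrf: str, dst_vrf: str, prefix: str) -> None:
        """Import one prefix from src_vrf into dst_vrf (simplified route leaking)."""
        net = ipaddress.ip_network(prefix)
        for r_net, nh in self.tables[src_vrf]:
            if r_net == net:
                self.tables[dst_vrf].append((r_net, nh))
                return
        raise LookupError(f"{prefix} is not present in VRF {src_vrf}")


def build_sample_router() -> Router:
    """Two customer VRFs that reuse the same 10.0.0.0/24 space (constructed sample)."""
    r = Router()
    r.create_vrf("Red")
    r.create_vrf("Blue")
    r.assign_interface("Ethernet1/1", "Red", "10.0.0.1/24")
    r.assign_interface("Ethernet1/2", "Blue", "10.0.0.1/24")  # overlap is fine across VRFs
    r.assign_interface("mgmt0", "management", "192.0.2.10/24")
    r.add_route("Red", "172.16.0.0/16", "10.0.0.254")
    r.add_route("Blue", "172.16.0.0/16", "10.0.0.253")
    r.add_route("management", "0.0.0.0/0", "192.0.2.1")
    return r


if __name__ == "__main__":
    r = build_sample_router()
    # Same destination, different answer, because the ingress interface selects the VRF
    print(r.forward("Ethernet1/1", "172.16.5.5"))  # next hop in VRF Red
    print(r.forward("Ethernet1/2", "172.16.5.5"))  # next hop in VRF Blue
    print(r.lookup("Red", "192.0.2.10"))           # management space is invisible in Red
```

The model shows why VRF separation is a useful isolation boundary: a packet arriving on Ethernet1/1 can only ever be matched against VRF Red's table, so management-VRF destinations are unroutable from a customer VRF unless a route is explicitly leaked into it.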
VRF-Aware Services
A fundamental feature of the Cisco NX-OS architecture is that every IP-based feature is VRF aware.
The following VRF-aware services can select a particular VRF to reach a remote server or to filter information based on the selected VRF:
- AAA—See the Cisco Nexus 3548 Switch NX-OS Security Configuration Guide for more information.
- Call Home—See the Cisco Nexus 3548 Switch NX-OS System Management Configuration Guide for more information.
- HSRP—See the "Configuring HSRP" chapter for more information.
- HTTP—See the Cisco Nexus 3548 Switch NX-OS Fundamentals Configuration Guide for more information.
- Licensing—See the Cisco NX-OS Licensing Guide for more information.
- NTP—See the Cisco Nexus 3548 Switch NX-OS System Management Configuration Guide for more information.
- RADIUS—See the Cisco Nexus 3548 Switch NX-OS Security Configuration Guide for more information.
- Ping and Traceroute—See the Cisco Nexus 3548 Switch NX-OS Fundamentals Configuration Guide for more information.
- SSH—See the Cisco Nexus 3548 Switch Fundamentals Configuration Guide for more information.
- SNMP—See the Cisco Nexus 3548 Switch NX-OS System Management Configuration Guide for more information.
- Syslog—See the Cisco Nexus 3548 Switch NX-OS System Management Configuration Guide for more information.
- TACACS+—See the Cisco Nexus 3548 Switch NX-OS Security Configuration Guide for more information.
- TFTP—See the Cisco Nexus 3548 Switch NX-OS Fundamentals Configuration Guide for more information.
- VRRP—See the "Configuring VRRP" chapter for more information.
See the appropriate Cisco Nexus 3548 Switch Configuration Guide for each service for more information on configuring VRF support in that service.
Reachability
Reachability indicates which VRF contains the routing information necessary to get to the server providing the service. For example, you can configure an SNMP server that is reachable on the management VRF. When you configure that server address on the router, you also configure which VRF Cisco NX-OS must use to reach the server.
The following figure shows an SNMP server that is reachable over the management VRF. You configure router A to use the management VRF for SNMP server host 192.0.2.1.
Filtering
Filtering allows you to limit the type of information that goes to a VRF-aware service based on the VRF. For example, you can configure a syslog server to support a particular VRF. The following figure shows two syslog servers, with each server supporting one VRF. Syslog server A is configured in VRF Red, so Cisco NX-OS sends only system messages generated in VRF Red to syslog server A.
Combining Reachability and Filtering
You can combine reachability and filtering for VRF-aware services. You configure the VRF that Cisco NX-OS uses to connect to that service as well as the VRF that the service supports. If you configure a service in the default VRF, you can optionally configure the service to support all VRFs.
The following figure shows an SNMP server that is reachable on the management VRF. You can configure the SNMP server to support only the SNMP notifications from VRF Red, for example.
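Reachability and filtering are independent settings, and the distinction matters operationally: the filter decides which events a server is sent, while the reachability VRF decides which route table is used to get there. The following Python model, an added illustration that is not NX-OS code, makes that separation explicit for the SNMP and syslog layouts described in the Reachability, Filtering and Combining sections above. The VRF names, server addresses and per-VRF reachable networks are constructed sample values, and the per-VRF network lists are a simplified stand-in for each VRF's route table.

```python
"""Model of reachability vs. filtering for a VRF-aware service
(added illustration, not NX-OS code). All values below are constructed.

- use_vrf    (reachability): the VRF whose route table is used to reach the server
- filter_vrf (filtering):    only events generated in this VRF are sent; None = all VRFs
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ServerTarget:
    """One configured notification or log destination."""
    address: str
    use_vrf: str = "default"          # reachability
    filter_vrf: Optional[str] = None  # filtering; None means the service supports all VRFs


@dataclass
class Router:
    # Stand-in for each VRF's route table: the networks that VRF can reach
    reachable: Dict[str, List[ipaddress.IPv4Network]]
    targets: List[ServerTarget] = field(default_factory=list)

    def vrf_can_reach(self, vrf: str, address: str) -> bool:
        addr = ipaddress.ip_address(address)
        return any(addr in net for net in self.reachable.get(vrf, []))

    def add_target(self, target: ServerTarget) -> None:
        if target.use_vrf not in self.reachable:
            raise ValueError(f"VRF {target.use_vrf} does not exist")
        self.targets.append(target)

    def deliver(self, event_vrf: str) -> Tuple[List[str], List[str]]:
        """Dispatch one event generated in event_vrf.

        Returns (delivered, dropped). A target whose filter admits the event is
        sent it through use_vrf; if use_vrf has no route to the server the event
        is recorded as dropped. The filter never changes which VRF is used to
        reach the server.
        """
        delivered: List[str] = []
        dropped: List[str] = []
        for t in self.targets:
            if t.filter_vrf is not None and t.filter_vrf != event_vrf:
                continue  # filtered out: this server does not support event_vrf
            if self.vrf_can_reach(t.use_vrf, t.address):
                delivered.append(t.address)
            else:
                dropped.append(t.address)
        return delivered, dropped


def nets(*prefixes: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(p) for p in prefixes]


def build_sample() -> Router:
    """Layout matching the figures: SNMP server on management, one syslog server per VRF."""
    r = Router(reachable={
        "default": nets("10.0.0.0/8"),
        "management": nets("192.0.2.0/24"),
        "Red": nets("10.1.0.0/16"),
        "Blue": nets("10.2.0.0/16"),
    })
    # SNMP server reachable over management, supporting only VRF Red notifications
    r.add_target(ServerTarget("192.0.2.1", use_vrf="management", filter_vrf="Red"))
    # Syslog server A lives in VRF Red and receives only VRF Red messages
    r.add_target(ServerTarget("10.1.0.50", use_vrf="Red", filter_vrf="Red"))
    # Syslog server B lives in VRF Blue and receives only VRF Blue messages
    r.add_target(ServerTarget("10.2.0.50", use_vrf="Blue", filter_vrf="Blue"))
    # A collector in the default VRF configured to support all VRFs
    r.add_target(ServerTarget("10.9.9.9", use_vrf="default", filter_vrf=None))
    # Misconfiguration: the server is in management address space but use_vrf is default
    r.add_target(ServerTarget("192.0.2.2", use_vrf="default", filter_vrf=None))
    return r


if __name__ == "__main__":
    r = build_sample()
    for vrf in ("Red", "Blue", "management"):
        print(vrf, r.deliver(vrf))
```

The last target in `build_sample` is the case to check for when auditing a configuration: its filter admits every event, but because the reachability VRF cannot route to the server, nothing ever arrives, and the loss is silent unless you test reachability from the VRF the service actually uses.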