• Troubleshooting EVN Configuration

    • Configuring Easy Virtual Network

    Easy Virtual Network (EVN) is an IP-based virtualization technology that provides end-to-end virtualization of two or more Layer-3 networks. You can use a single IP infrastructure to provide separate virtual networks whose traffic paths remain isolated from each other.

    This chapter contains the following sections

    Prerequisites for Configuring Easy Virtual Network

    • Implementing EVN in a network requires a single IP infrastructure that you want to virtualize into two or more logical networks or L3VPNs. EVN provides path isolation for the traffic on the different virtual networks.
    • You must have a functioning campus design in place before adding virtualization to a network.
    • You should understand virtual routing and forwarding (VRF) instances and how they are used to maintain traffic separation across the network.

    Restrictions for EVN

    • EIGRP command inheritance is not supported on VNET interfaces.
    • The vnet tag command does not support management VRFs.
    • We recommend that you configure a value between 2 and 1000 as the VNET tag. Configuring a value above this range will conflict with the switch internal VLAN assignments.
    • An EVN trunk is allowed on any interface that supports 802.1q encapsulation, such as Fast Ethernet, Gigabit Ethernet, and port channels.
    • There are additional platform and line-card restrictions for an EVN trunk. Check Cisco Feature Navigator, for supported platforms and line cards.
    • A single IP infrastructure can be virtualized to provide up to 32 virtual networks end-to-end.
    • If an EVN trunk is configured on an interface, you cannot configure VRF-Lite on the same interface.
    • OSPFv3 is not supported; OSPFv2 is supported.
    • The following features are not supported by EVN:

    blank.gif IS-IS

    blank.gif RIP

    blank.gif Route replication is not supported with BGP

    blank.gif Certain SNMP set operations

    • The following are not supported on an EVN trunk:

    blank.gif Access control lists (ACLs)

    blank.gif BGP interface commands are not inherited

    blank.gif IPv6, except on vnet global

    blank.gif Network address translation (NAT)

    blank.gif NetFlow

    blank.gif Web Cache Communication Protocol (WCCP)

    About Easy Virtual Network

    Easy Virtual Network (EVN) builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN provides enhancements in path isolation, simplified configuration and management, and improved shared service support. EVN is backward compatible with VRF-Lite to enable seamless network migration from VRF-Lite to EVN.

    EVN supports IPv4, static routes, Open Shortest Path First version 2 (OSPFv2), and Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) for IPv4 Multicast routing. EVN also supports Cisco Express Forwarding (CEF) and Simple Network Management Protocol (SNMP).

    Virtual Network Tags Provide Path Isolation

    It is not uncommon to have different user groups running on the same IP infrastructure. Various business reasons require traffic isolation between different groups. The figure below shows two user groups, Red and Green, running on the same network. Prior to network virtualization, there is no separation of traffic between the two groups. Users in the Red user group can access the server in the Green user group, and vice versa.

    Without network virtualization, path isolation can be achieved by using access control, which is expensive to maintain, prone to error and does not support unique routing and forwarding tables per network

    Figure 83-1 Network without Virtualization

     

    277893.eps

    Virtual networks provide a coarse-grained segmentation of different user groups on one physical network. By configuring virtual networks, you can virtualize a single IP infrastructure to provide a number of virtual networks end to end. In the figure below, a single IP infrastructure is virtualized into two VPNs by creating two VRFs, Red and Green.

    Figure 83-2 Network with Virtualization

     

    277894.eps

    In addition to utilizing VRFs to provide device-level separation, each virtual network has path isolation from the other. Path isolation is achieved by tagging the traffic so it carries the same tag value throughout the same virtual network. Each network device along the path uses the tags to provide separation among different VRFs. A single tag number ties VRF red, for example, on one device to VRF red on another device.

    Virtual Network Tags

    Each VPN and associated EVN has a tag value that you assign during configuration. The tag value is global, meaning that on each device, the same EVN must be assigned the same numerical tag value. Tag values range from 2 to 4094.

    An EVN is allowed on any interface that supports 802.1q encapsulation, such as Fast Ethernet, Gigabit Ethernet, and port channels. To allow for backward compatibility with the VRF-Lite solution, the vLAN ID field in the 802.1q frame is used to carry the virtual network tag.

    Traffic that carries a virtual network tag is called tagged traffic. Traffic that does not carry a virtual network tag is called untagged traffic.

    Tags are illustrated in the following configuration with two VRFs, red and green:

    ! Define two VRFs, red and green.
    vrf definition red
    vnet tag 101
    !
    address-family ipv4
    exit-address-family
    !
    vrf definition green
    vnet tag 102
    !
    address-family ipv4
    exit-address-family
    !

    A virtual network is defined as a VRF instance with a virtual network tag assigned.

    vnet Global

    A predefined EVN known as vnet global is on the device. It refers to the global routing context and it corresponds to the default RIB. In figure 2 and figure 3, vnet global is represented by a black line connecting devices. The vnet global carries untagged traffic. By default, interfaces belong to the vnet global. Furthermore, vnet global is always running on trunk interfaces. The vnet global is also known as the default routing table.

    note.gif

    Noteblank.gif IPv6 traffic is supported in vnet global only.

     

    Edge Interfaces and EVN Trunk Interfaces

    User devices are connected to a Layer 2 switch port, which is assigned to a VLAN. A VLAN can be thought of as a Layer 2 VPN. Customers will group all of the devices that need to be supported in a common Layer 3 VPN in a single VLAN. The point where data traffic is handed off between a VLAN and VRF is called an edge interface.

    An edge interface connects a user device to the EVN and in effect defines the boundary of the EVN. Edge interfaces connect end devices such as hosts and servers that are not VRF-aware. Traffic carried over the edge interface is untagged. The edge interface classifies which EVN the received traffic belongs to. Each edge interface is configured to belong to only one EVN.

    An EVN trunk interface connects VRF-aware devices together and provides the core with a means to transport traffic for multiple EVNs. Trunk interfaces carry tagged traffic. The tag is used to de-multiplex the packet into the corresponding EVN. A trunk interface has one subinterface for each EVN.

    The vnet trunk command is used to define an interface as an EVN trunk interface.

    An EVN interface uses two types of interfaces: edge interfaces and trunk interfaces. An interface can be an edge or trunk interface, but not both. Figure 3 illustrates devices A and D, which have edge interfaces that belong to VRF Red. Devices D and E have edge interfaces that belong to VRF Green.

    Devices B, C, D, F, and G have trunk interfaces that make up the EVN core. These five devices have interfaces that belong to both VRF Red and VRF Green.

    Figure 83-3 EVN Edge and EVN Trunk Interfaces

     

    277895.eps

    Identifying Trunk Interfaces in Display Output

    Because a trunk interface carries multiple EVNs, sometimes it is not sufficient to display only the trunk interface name. When it is necessary to indicate that display output pertains to a particular EVN running on the trunk interface, the convention used is append a period and the virtual network tag, making the format interface.virtual-network-tag. Examples are gigabitethernet1/1/1.101 and gigabitethernet1/1/1.102.

    By default, when a trunk interface is configured, all of the EVNs and associated virtual network tags are configured, and a virtual network subinterface is automatically created. As stated above, a period and the virtual network tag number are appended to the interface number.

    In the following example, VRF red is defined with virtual network tag 3. Hence, the system created Fast Ethernet 0/0/0.3 (in VRF red).

    Device# show running-config vrf red
     
    Building configuration...
    Current configuration : 1072 bytes
    vrf definition red
    vnet tag 3
    !
    address-family ipv4
    exit-address-family
    !

    You can display this hidden interface with the show derived-config command and see that all of the commands entered on Fast Ethernet 0/0/0 have been inherited by Fast Ethernet 0/0/0.3:

    Device# show derived-config interface fastethernet0/0/0.3
     
    Derived configuration : 478 bytes
    !
    interface FastEthernet0/0/0.3
    description Subinterface for VRF NG red
    vrf forwarding red
    encapsulation dot1Q 3
    ip address 10.1.1.1 255.255.255.0
    end

    Single IP Address on Trunk Interfaces

    A trunk interface can carry traffic for multiple EVNs. To simplify the configuration process, all the subinterfaces and associated EVNs have the same IP address assigned. In other words, a trunk interface is identified by the same IP address in different EVN contexts. This is because each EVN has a unique routing and forwarding table, thereby enabling support for overlapping IP addresses across multiple EVNs.

    Relationship Between VRFs Defined and VRFs Running on a Trunk Interface

    By default, the trunk interfaces on a router will carry traffic for all VRFs defined by the vrf definition command. For example, in the following configuration, every VRF defined on the router is included on the interface:

    interface FastEthernet 1/0/0 vnet trunk ip address 10.1.1.1 255.255.255.0

    However, you might want to enable only a subset of VRFs over a certain trunk interface for traffic separation purposes. This is achieved by creating a VRF list, which is referenced in the vnet trunk command. When a trunk interface is enabled with a VRF list, only VRFs on the list are enabled on the interface. The exception is that vnet global is always enabled on the trunk interface.

    In the following example, only the two specified VRFs on the list (red and green) are enabled on the interface:

    vrf list mylist
    member red
    member green
    !
    interface FastEthernet 1/0/0
    vnet trunk list mylist
    ip address 10.1.1.1 255.255.255.0

    VRF Awareness

    A device connected to a virtual network may not understand virtual network tags and can send and receive only untagged traffic. Such a device is referred to as VRF unaware. For example, a laptop computer is usually VRF unaware.

    By contrast, a device that can send and receive tagged traffic and therefore takes the tag value into account when processing such traffic is known as VRF aware. For example, a VRF-aware server shared among different EVNs could use the virtual network tag to distinguish requests received and send responses. A VRF-aware device is connected to the EVN using a trunk interface, as shown in figure 4.

    Figure 83-4 VRF Aware Server

     

    277896.eps

    The term “VRF aware” can also be used to describe a software component running on the device. A software component is VRF aware if it can operate on different EVNs. For example, ping is VRF aware because it allows you to choose the EVN to which you want to send the ping packet.

    Routing Protocols Supported by EVN

    Each EVN runs a separate instance of a routing protocol. This allows each EVN to fine-tune its routing separately and also limits fate sharing. Different virtual networks may run different routing protocols concurrently.

    EVN supports static routes, OSPFv2, and PIM, MSDP, and IGMP for multicast routing.

    Packet Flow in a Virtual Network

    Packets enter an EVN through an edge interface, traverse multiple trunk interfaces, and exit the virtual network through another edge interface. At the ingress edge interface, packets are mapped from a VLAN into a particular EVN. Once the packet is mapped to an EVN, it is tagged with the associated virtual network tag. The virtual network tag allows the trunk interface to carry packets for multiple EVNs. The packets remain tagged until they exit the EVN through the egress edge interface.

    On the edge interface, the EVN associated with the interface is used for route lookup. On the trunk interface, the virtual network tag carried in the packet is used to locate the corresponding EVN for routing the packets.

    If the egress interface is an edge interface, the packet is forwarded untagged. However, if the egress interface is a trunk interface, the packet is forwarded with the tag of the ingress EVN.

    The figure below illustrates how traffic from two VRFs, red and green, can coexist on the same IP infrastructure, using the tags 101 and 102.

    Figure 83-5 Packet Flow in a Virtual Network

     

    277897.eps

    The packet flow from Laptop 1 to Server 1 in VRF red occurs as follows:

    1.blank.gif Laptop 1 send an untagged packet to Server 1.

    2.blank.gif Device A receives the packet over an edge interface, which is associated with VRF red.

    a.blank.gif Device A does route lookup in VRF red and sees that the next hop is Device B through a trunk interface.

    b.blank.gif Device A encapsulates the packet with VRF red’s tag (101) and sends it over the trunk interface.

    3.blank.gif Device B receives the packet over a trunk interface. Seeing virtual network tag 101, Device B identifies that the packet belongs to VRF red.

    a.blank.gif Device B does route lookup in VRF red and sees that the next hop is Device C through a trunk interface.

    b.blank.gif Device B encapsulates the packet with VRF red’s tag (101) and sends it over the trunk interface.

    4.blank.gif Device C receives the packet over a trunk interface. Using virtual network tag 101, Device C identifies that the packet belongs to VRF red.

    a.blank.gif Device C does route lookup in VRF red and sees that the next hop is Device D through a trunk interface.

    b.blank.gif Device C encapsulates the packet with VRF red’s tag (101) and sends it over the trunk interface.

    5.blank.gif Device D receives the packet over a trunk interface. Using virtual network tag 101, Device D identifies that the packet belongs to VRF red.

    a.blank.gif Device D does route lookup in VRF red and sees that the next hop is through an edge interface.

    b.blank.gif Device D sends the untagged packet over the edge interface to Server 1.

    6.blank.gif Server 1 receives the untagged packet originated from Laptop 1.

    Command Inheritance on EVN Trunk Interfaces

    One of the benefits of EVN is the ability to easily configure multiple EVNs on a common trunk interface without the need to configure each interface associated with an EVN individually. An EVN trunk interface takes advantage of the fact that the configuration requirements for different EVNs will be similar over a single trunk interface. When specific commands are configured on the trunk interface, they define default values that are inherited by all EVNs running over the same interface, including vnet global. If you feel that the settings are acceptable for all of the EVNs sharing an interface, then no individual configuration is necessary.

    For example, the OSPF hello interval can be set for all EVNs over the trunk interface with the following configuration:

     
    interface gigabitethernet1/1/1
    vnet trunk
    ip address 10.1.2.1 255.255.255.0
    ! set OSPF hello interval for all VRFs on this interface.
    ip ospf hello-interval 20

     

    Overriding Command Inheritance Virtual Network Interface Mode

    You can set up EVNs on the same trunk interface to have different configurations, by override inherited values using specific commands in virtual network interface mode for individual EVNs. In this mode, the command’s settings override the Cisco default value or the value you set in interface configuration mode.

    In interface configuration mode, entering the vnet name command causes the system to enter virtual network interface mode.

    Beginning in Cisco IOS XE Release 3.9.1E, you can override the inherited IP address for subinterfaces. For more information, see Changing the Inherited IP Address for Subinterfaces.

    The following list displays the commands for which inherited values can be overridden:

    Command
    Values Inherited by EVNs on Interface?
    Values Can Be Overriden in Virtual Network Interface Mode?

    ip accounting

    Yes

    No

    ip address

    Yes

    Yes

    ip broadcast-address

    Yes

    No

    ip directed broadcast

    Yes

    No

    ip information-reply

    Yes

    No

    ip irdp

    Yes

    No

    ip load-sharing

    Yes

    No

    ip mask-reply

    Yes

    No

    ip mtu

    Yes

    No

    ip proxy-arp

    Yes

    No

    ip redirects

    Yes

    No

    ip unnumbered

    Yes

    No

    ip unreachables

    Yes

    No

    ip ospf process-id area

    No

    Yes

    ip ospf authentication

    Yes

    Yes

    ip ospf authentication-key

    Yes

    Yes

    ip ospf cost

    Yes

    Yes

    ip ospf database-filter

    Yes

    Yes

    ip ospf dead-interval

    Yes

    Yes

    ip ospf demand-circuit

    Yes

    Yes

    ip ospf flood-reduction

    Yes

    Yes

    ip ospf hello-interval

    Yes

    Yes

    ip ospf lls

    Yes

    Yes

    ip ospf message-digest-key

    Yes

    Yes

    ip ospf mtu-ignore

    Yes

    Yes

    ip ospf network

    Yes

    Yes

    ip ospf priority

    Yes

    Yes

    ip ospf resync-timeout

    Yes

    Yes

    ip ospf shutdown

    Yes

    Yes

    ip ospf transmit-delay

    Yes

    Yes

    ip ospf transmit-interval

    Yes

    Yes

    ip ospf ttl-security

    Yes

    Yes

    ip ospf vnet area

    No

    No

    ip igmp access-group

    Yes

    Yes

    ip igmp explicit-tracking

    Yes

    Yes

    ip igmp helper-address

    Yes

    Yes

    ip igmp immediate-leave

    Yes

    Yes

    ip igmp last-member-query-count

    Yes

    Yes

    ip igmp last-member-query-interval

    Yes

    Yes

    ip igmp limit

    Yes

    Yes

    ip igmp mroute-proxy

    Yes

    Yes

    ip igmp proxy-service

    Yes

    Yes

    ip igmp querier-timeout

    Yes

    Yes

    ip igmp query-interval

    Yes

    Yes

    ip igmp query-max-response-time

    Yes

    Yes

    ip igmp tcn

    Yes

    Yes

    ip igmp unidirectional-link

    Yes

    Yes

    ip igmp v3lite

    Yes

    Yes

    ip igmp version

    Yes

    Yes

    ip multicast boundary

    Yes

    Yes

    ip pim bidir-neighbor-filter

    Yes

    Yes

    ip pim bsr-border

    Yes

    Yes

    ip pim dense-mode

    Yes

    Yes

    ip pim dr-priority

    Yes

    Yes

    ip pim nbma-mode

    Yes

    Yes

    ip pim neighbor-filter

    Yes

    Yes

    ip pim passive

    Yes

    Yes

    ip pim query-interval

    Yes

    Yes

    ip pim sparse-dense-mode

    Yes

    Yes

    ip pim sparse-mode

    Yes

    Yes

    ip pim state-refresh

    Yes

    Yes

    ip mfib cef

    Yes

    Yes

    ip mfib forwarding

    Yes

    Yes

    Removing Overrides and Restoring Values Inherited from EVN Trunk

    The no and default keywords result in different outcomes, depending on whether they are used for a trunk interface or in virtual network interface mode. This section describes the different outcomes.

    When the no or default keyword is entered before a command on a trunk interface, the trunk is restored to the system’s default value for that command. (This is standard behavior resulting for the no or default keyword).

    When the default keyword is entered before a command in virtual network interface mode, the override value is removed and the value that is inherited from the trunk is restored. The override value for the specific EVN is no longer in effect.

    In the following example, the trunk interface is configured with an OSPF cost of 20, but VRF blue overrides that value with an OSPF cost of 30:

     
    interface gigabitethernet 2/0/0
    vnet trunk
    ip address 10.1.1.1 255.255.255.0
    ! Set OSPF cost for all VRFs on this interface to 20.
    ip ospf cost 20
    vnet name blue
    ! Set OSPF cost for blue to 30.
    ip ospf cost 30

     

    When the following commands are entered, the OSPF cost value is restored to 20, which is the cost inherited from the trunk interface. (Note that 20 is not the default value of the ip ospf cost command.)

    Device(config-if)# vnet name blue
    Device(config-if-vnet)# default ip ospf cost

     

    Determining if No Form of Commands Appear in Configuration Files

    If a command switches a feature on or off, the no form of the command appears in the configuration file when configured. Nonvolatile generation (NVGEN) overrides the setting from the EVN trunk, as shown in the following example:

     
    interface gigabitethernet 2/0/0
    vnet trunk
    vnet name red
    no ip pim sparse-mode
    no ip route-cache cef
    vnet global
    ip ospf cost 100

     

    If a command takes an argument in its syntax, such as ip ospf cost cost, the no form of the command will remove the configuration, but does not appear in the configuration file. That is, it will not be NVGEN’ed because the user could enter ip ospf cost default-value to override the inherited value.

    EVN Compatibility with VRF-Lite

    EVN is wire compatible with VRF-Lite. In other words, on the outside, 802.1q, SNMP MIBs, and all the EVN infrastructure will look exactly the same as VRF-Lite.

    In the figure below, both devices have VRFs defined. The device on the left uses VRF-Lite, and the device on the right uses an EVN trunk with tags. The two configurations follow the figure.

     

    245522.eps

    Example: VRF-Lite Subinterface Configuration EVN Trunk Configuration

     
    interface TenGigabitEthernet1/1/1 interface TenGigabitEthernet 1/1/1
    ip address 10.122.5.31 255.255.255.254 vnet trunk
    ip pim query-interval 333 msec ip address 10.122.5.32 255.255.255.254
    ip pim sparse-mode pim sparse-mode
    logging event link-status logging event link-status
    interface TenGigabitEthernet1/1/1.101 Global Configuration:
    description Subinterface for Red VRF vrf definition red
    encapsulation dot1Q 101 vnet tag 101
    ip vrf forwarding Red
    ip address 10.122.5.31 255.255.255.254 vrf definition green
    ip pim query-interval 333 msec vnet tag 102
    ip pim sparse-mode
    logging event subif-link-status
    interface TenGigabitEthernet1/1/1.102
    description Subinterface for Green VRF
    encapsulation dot1Q 102
    ip vrf forwarding Green
    ip address 10.122.5.31 255.255.255.254
    ip pim query-interval 333 msec
    ip pim sparse-mode
    logging event subif-link-status
     

    SQoS and EVN

    Quality of Service (QoS) configurations are applied to the main physical interface on an EVN trunk. The QoS policy affects all traffic that flows out the physical interface in all the VRFs at the same time. In other words, QoS and network virtualization are mutually independent. For example, traffic marked with the DSCP value specified for voice will be put into the voice queue if the packet is from the red VRF, blue VRF, or green VRF. The traffic for all the VRFs is queued together.

    Configuring Easy Virtual Networks

    note.gif

    Noteblank.gif We recommend that you draw your network topology, indicating the interfaces on each router that belong to the EVNs. The diagram facilitates tracking the interfaces you are configuring as edge interfaces and the interfaces you are configuring as trunk interfaces.

    Command
    Purpose

    Step 1
    Switch# configure terminal

    Enters global configuration mode.

    Step 2
    Switch(config)# vrf definition vrf name

    Configures a VRF routing table instance and enters VRF configuration mode.

    Step 3
    Switch(config-vrf)# vnet tag number
     

    Specifies the global numeric tag for the VRF.

    Configure the same tag number for the virtual network on each edge and trunk interface.

    Step 4
    Switch(config-vrf)# description string
     

    (Optional) Describes a VRF to help a network administrator review the configuration files. to it.You can specify up to 3 control-plane IP addresses for the edge device.

    Step 5
    Switch(config-vrf)# adddress-family ipv4

    Enters address family configuration mode to configure a routing session using standard IP version 4 address prefixes.

    Step 6
    Switch(config-vrf-af)# exit-address-family

    Exits address family configuration mode.

    Step 7
    Switch(config-vrf)# exit

    Exits to global configuration mode.

    Step 8
     

    Repeat steps 2 to 7 to configure another VRF instance and associate a vnet tag.

    Step 9
    Switch(config)# interface interface number

    Configures an interface type and enters interface configuration mode.

    Step 10
    Switch(config-if)# ip address ip address mask

    Sets a primary IP address for the interface.

    Step 11
    Switch(config-if)# vrf trunk [list vrf-list name ]

    Defines a trunk interface.

    By default, all VRFs defined with the vrf definition command run on all trunk interfaces on the router. Therefore, VRF red and VRF blue are now running on this interface.

    Use the list vrf-list-name command elements to restrict VRFs running on a trunk interface.

    Step 12
    Switch(config-if)# no shutdown

    Restarts an interface.

    Step 13
    Switch(config-if)# exit

    Returns to global configuration mode.

    Step 14
    Switch(config)# router ospf process ID

    Configures an Open Shortest Path First (OSPF) routing process and associates it with a VRF.

    This OSPF instance has no VRF, so it is vnet global.

    Step 15
    Switch(config-router)# network ip address wildcard area area ID

    Defines the interfaces and associated area IDs on which OSPF runs, and the area ID for those interfaces.

    Step 16
    Switch(config-if)# exit

    Returns to global configuration mode.

    Step 17
    Switch(config)# router ospf process ID vrf vrf name

    Configures an OSPF routing process and associates it with a VRF.

    Specifies a different process-id for each VRF because they each need their own OSPF instance.

    Step 18
    Switch(config-router)# network ip address wildcard area area ID

    Defines the interfaces and associated area IDs on which OSPF runs, and the area ID for those interfaces.

    Step 19
    Switch(config-router)# end

    Ends the configuration session and returns to privileged EXEC mode.

    Enabling a Subset of VRFs over a Trunk Interface

    To create a VRF list and enable only a subset of VRFs over a trunk interface, enter the following commands:

    note.gif

    Noteblank.gif This task presumes that the VRF has already been configured.

    Command
    Purpose

    Step 1
    Switch# configure terminal

    Enters global configuration mode.

    Step 2
    Switch(config)# vrf list vrf list name

    Defines a list of VRFs and enters VRF list configuration mode.

    The vrf-list-name argument may contain up to 32 characters. Quotation marks, spaces, and * are not allowed.

    Step 3
    Switch(config-vrf-list)# member vrf name

    Specifies an existing VRF as a member of a VRF list.

    The VRF must be defined before it can be added to a list.

    Step 4

    Repeat Step 3 to add other VRFs to the list.

    (Optional) If you want a trunk interface with one VRF, your list only needs one VRF.

    Step 5
    Switch(config-vrf-list)# exit-vrf-list

    Exits VRF list configuration mode.

    Step 6
    Switch(config)# interface type number

    Configures an interface and enters interface configuration mode.

    Step 7
    Switch(config-if)# vnet trunk list vrf list name

    Defines a trunk interface and enables the VRFs that are in the VRF list.

    Use the vrf list name you defined earlier in this task.

    Step 8
    Switch(config-if)# ip address ip address mask

    Sets a primary IP address for the interface.

    Step 9
    Switch(config-if)# end

    Ends the configuration session and returns to privileged EXEC mode.

    Step 10
    Switch# show vrf list [ vrf list name ]

    Displays information about the specified VRF list.

    Configuring EVN Edge Interfaces

    Perform this task to configure an edge interface, which connects a user device to a virtual network. Traffic carried over an edge interface is untagged. The edge interface determines which virtual network the received traffic belongs to. Each edge interface is mapped to only one virtual network.

    Command
    Purpose

    Step 1
    Switch# configure terminal

    Enters global configuration mode.

    Step 2
    Switch(config)# interface type number

    Configures an interface type and enters interface configuration mode.

    Step 3
    Switch(config)# vrf forwarding vrf name

    Defines an edge interface and determines the VRF to which the incoming traffic belongs.

    The vrf name must already be defined using the vrf definition command.

    Note Ensure that you are not on the trunk interface when you configure an edge interface.

    Step 4
    Switch(config-if)# ip address ip address mask

    Sets a primary IP address for the interface.

    Step 5
    Switch(config-if)# end

    Ends the configuration session and returns to privileged EXEC mode.

    Verifying EVN Configuration

    Enter the following commands to verify your configuration. All the existing VRF show commands are supported in virtual networks. If a device has a mix of VRFs and virtual networks, the various show vrf commands will include both VRFs and virtual networks in the output.

    Command
    Purpose
    Switch# show vnet tag

    Displays where each tag has been configured or used.
    Switch# show running-config [vrf | vnet][ vrf-name ]

    Displays the VRFs in the running configuration, displays the interfaces in the VRFs, and displays the protocol configurations for Multi-VRF.
    Switch# show vrf list [ vrf-list-name ]

    Displays information about VRF lists, such as the VRFs in each list.
    Switch# show {vrf | vnet}[ipv4 | ipv6][interface | brief | detail | lock] [ vrf-name]

    Displays information about the VRFs.
    Switch# show {vrf | vnet} counters

    Displays information about the number of VRFs or virtual networks supported and configured.

    Changing the Inherited IP Address for Subinterfaces

    All subinterfaces created on the vnet interface inherit values from the main interface.

    Beginning in Cisco IOS XE Release 3.9.1E, you can change the inherited IP address for subinterfaces in interface vnet configuration mode:

    Command
    Purpose

    Step 1
    Switch# configure terminal

    Enters global configuration mode.

    Step 2
    Switch(config)# interface interface name

    Specifies the interface name and enters interface configuration mode.

    Step 3
    Switch(config-if)# vnet name vrf name

    Enters virtual network interface mode to configure features that apply to a specified VRF to override global VRF values.

    Step 4
    Switch(config-if-vnet)# (no) ip address ipv4 address mask

    Sets the IP address for the VNET subinterface.

    The no ip address command on the vnet interface configuration mode will change the IP address of the subinterface back to match the IP address of the main interface.

    Step 5
    Switch(config-if-vnet)# ip address ipv4 address mask secondary

    Sets the secondary IP address for the subinterface. A secondary IP from the main interface is not inherited if you set a secondary IP address for the subinterface.

    Step 6
    Switch(config-if-vnet)# do show interface ip brief

    Displays the IP addresses for the main interface and the subinterfaces.

    For example, consider the following configuration:

    vrf definition vRED
    vnet tag 131
    !
    address-family ipv4
    exit-address-family
     
     
    vrf definition vBLUE
    vnet tag 132
    !
    address-family ipv4
    exit-address-family
     
    interface Eth0/0
    no shutddown
    vnet trunk
    ip add 10.1.1.1 255.255.255.0
     
    Switch(config-if)#int eth0/0
    Switch(config-if)#vnet name vRED
    Switch(config-if-vnet)# ip address 100.1.1.1 255.255.255.0
    Switch(config-if-vnet)#do show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    Ethernet0/0 10.1.1.1 YES manual up up
    Ethernet0/0.131 100.1.1.1 YES manual up up
    Ethernet0/0.132 10.1.1.1 YES manual up up
     
    Switch(config)#int eth0/0
    Switch(config-if)#vnet name vBLUE
    Switch(config-if-vnet)#ip address 101.1.1.1 255.255.255.0
    Switch(config-if-vnet)#do show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    Ethernet0/0 10.1.1.1 YES manual up up
    Ethernet0/0.131 100.1.1.1 YES manual up up
    Ethernet0/0.132 101.1.1.1 YES manual up up
     

    Configuration Examples for Configuring EVN

    Example: Virtual Networks Using OSPF with network Commands

    In this example, network commands associate a shared VRF interface with a base VRF and two named VRFs, red and blue. There are three OSPF instances because each VRF needs its own OSPF instance. OSPF 1 has no VRF, so it is vnet global.

     
    vrf definition red
    vnet tag 100
    address-family ipv4
    exit-address-family
    !
    vrf definition blue
    vnet tag 200
    address-family ipv4
    exit-address-family
    !
    interface gigabitethernet 0/0/0
    ip address 10.0.0.1 255.255.255.0
    vnet trunk
    vnet name red
    ip ospf cost 100
    !
    router ospf 1
    log-adjacency-changes detail
    network 10.0.0.0 255.255.255.0 area 0
    router ospf 2 vrf red
    log-adjacency-changes
    network 10.0.0.0 255.255.255.0 area 0
    router ospf 3 vrf blue
    log-adjacency-changes
    network 10.0.0.0 255.255.255.0 area

     

    Example: Virtual Networks Using OSPF with ip ospf vnet area Command

    This example differs from the prior example regarding the association between OSPF instances and a particular interface. In this example, OSPF is running on all of the virtual networks of a trunk interface. The ip ospf vnet area command associates the GigabitEthernet 0/0/0 interface with the three OSPF instances.

    vrf definition red
    vnet tag 100
    address-family ipv4
    exit-address-family
    !
    vrf definition blue
    vnet tag 200
    address-family ipv4
    exit-address-family
    !
    interface gigabitethernet 0/0/0
    ip address 10.0.0.1 255.255.255.0
    vnet trunk
    ip ospf vnet area 0
    vnet name red
    ip ospf cost 100
    vnet name blue
    ip ospf 3 area 2
    !
    router ospf 1
    log-adjacency-changes detail
    router ospf 2 vrf red
    log-adjacency-changes
    router ospf 3 vrf blue
    log-adjacency-changes

    Example: Overriding Command Inheritance

    In the following example, the OSPF cost of 30 for VRF blue overrides the OSPF cost of 20 for the other VRFs on the interface:

     
    interface gigabitethernet 2/0/0
    vnet trunk
    ip address 10.1.1.1 255.255.255.0
    ! Set OSPF cost for all VRFs on this interface to 20.
    ip ospf cost 20
    vnet name blue
    description Subinterface for VRF NG blue
    ! Set OSPF cost for blue to 30.
    ip ospf cost 30

    The show derived command indicates the subinterface changed to a cost of 30:

    Device(config-if-vnet)# do show derived | s interface GigabitEthernet2/0/0
     
    interface GigabitEthernet2/0/0
    vnet trunk
    ip address 10.1.1.1 255.255.255.0
    ip ospf cost 20
    interface GigabitEthernet2/0/0.200
    description Subinterface for VRF NG blue
    vrf forwarding blue
    ip address 10.1.1.1 255.255.255.0
    ip ospf cost 30
    Device(config-if-vnet)#

    Example: Enabling an Attribute to vnet Global Only

    Similarly, you might want to enable an attribute to vnet global only. To do so, use the vnet global interface submode, as follows:

     
    interface gigabitethernet1/1/1
    vnet trunk
    ip address 10.1.2.1 255.255.255.0
    vnet global
    ! Set OSPF cost for global to 40.
    ip ospf cost 40

     

    Example: Command Inheritance and Virtual Network Interface Mode Override in a Multicast Environment

    The following example illustrates command inheritance and virtual network interface mode override in a multicast network. A trunk interface leverages the fact that configuration requirements from different VRFs will be similar over the same trunk interface. Eligible commands configured on the trunk interface are inherited by all VRFs running over the same interface.

    In this example, IP multicast (PIM sparse mode) is configured on the trunk interface, which has several VRFs:

    vrf definition red
    vnet tag 13
    !
    address-family ipv4
    exit-address-family
    !
    ip multicast-routing
    ip multicast-routing vrf red
    interface GigabitEthernet0/1/0
    vnet trunk
    ip address 125.1.15.18 255.255.255.0
    ip pim sparse-mode

    The user decides that he does not want IP multicast configured for VRF red on GigabitEthernet 0/1/0, so he uses the virtual network interface mode override. IP Multicast is disabled for VRF red only. The no ip pim command disables all modes of Protocol Independent Multicast (PIM), including sparse mode, dense mode, and sparse-dense mode, for VRF red.

    interface GigabitEthernet0/1/0
    vnet trunk
    ip address 125.1.15.18 255.255.255.0
    ip pim sparse-mode
    vnet name red
    no ip pim

    Example: EVN Using IP Multicast

    The following example configures PIM sparse mode and leverages Anycast RP for RP redundancy. In this example, only one VRF is configured.

    The example shows how to enable multicast routing globally and on each L3 interface. The black text indicates the group of commands configuring the global table; the red text indicates the group of commands configuring VRF red.

    ip multicast-routing
    interface GigabitEthernet 1/1/1
    description GigabitEthernet to core (Global) GLOBAL TABLE
    ip pim sparse-mode
    vrf definition red
    vnet tag 100
    !
    address-family ipv4
    exit-address-family
    !
    ip multicast-routing vrf red VRF RED
    !
    interface gigabitethernet1/1/1.100
    description GigabitEthernet to core (VRF red)
    vrf forwarding red
    ip pim sparse-mode
    Configure the RP in the VRF using Anycast RP.
     
    interface loopback0
    description Anycast RP Global
    ip address 10.122.5.200 255.255.255.255
    ip pim sparse-mode
    !
    interface loopback1
    description MDSP Peering interface
    ip address 10.122.5.250 255.255.255.255 GLOBAL TABLE
    ip pim sparse-mode
    !
    ip msdp peer 10.122.5.251 connect-source loopback 1
    ip msdp originator-id loopback 1
    ip pim rp-address 10.122.5.200
    access-list 10 permit 239.0.0.0 0.255.255.255

    !

    !
    interface loopback 10
    description Anycast RP VRF Red
    vrf forwarding red
    ip address 10.122.15.200 255.255.255.255
    ip pim sparse-mode
    interface loopback 11
    description MSDP Peering interface VRF red VRF RED
    vrf forwarding red
    ip address 10.122.15.250 255.255.255.255
    ip pim sparse-mode
    !
    ip msdp vrf red peer 10.122.15.251 connect-source loopback 11
    ip msdp vrf red originator-id loopback 11
    !
    ip pim vrf red rp-address 10.122.15.200
    access-list 11 permit 239.192.0.0 0.0.255.255

    Troubleshooting EVN Configuration

    Routing Context for EXEC Mode Reduces Repetitive VRF Specification

    There may be occasions when you want to issue several EXEC commands to apply to a single virtual network. In order to reduce the repetitive entering of virtual routing and forwarding (VRF) names for multiple EXEC commands, the routing-context vrf command allows you to set the VRF context of such EXEC commands once, and then proceed using EXEC commands.

    The table below shows four EXEC commands in Cisco IOS XE software without routing context and in routing context. Note that in the left column, each EXEC command must specify the VRF. In the right column, the VRF context is specified once and the prompt changes to reflect that VRF; there is no need to specify the VRF in each command.

    EXEC Commands CLI without Routing Context
    EXEC Commands CLI with Routing Context

     
    Device# routing-context vrf red
    Device%red#
    Device# show ip route vrf red

    [Routing table output for VRF red]

    Device%red# show ip route

    [Routing table output for VRF red]

    Device# ping vrf red 10.1.1.1

    [Ping result using VRF red]

    Device%red# ping 10.1.1.1

    [Ping result using VRF red]

    Device# telnet vrf red 10.1.1.1

    [Telnet to 10.1.1.1 in VRF red]

    Device%red# telnet 10.1.1.1

    [Telnet to 10.1.1.1 in VRF red]

    Device# traceroute vrf red 10.1.1.1

    [Traceroute output in VRF red]

    Device%red# traceroute 10.1.1.1

    [Traceroute output in VRF red]

    traceroute Output Indicates VRF Name and VRF Tag

    The output of the traceroute command is enhanced to make troubleshooting easier by displaying the incoming VRF name/tag and the outgoing VRF name/tag, as shown in the following example:

    Device# traceroute vrf red 10.0.10.12
    Type escape sequence to abort.
    Tracing the route to 10.0.10.12
    VRF info: (vrf in name/id, vrf out name/id)
    1 10.1.13.15 (red/13,red/13) 0 msec
    10.1.16.16 (red/13,red/13) 0 msec
    10.1.13.15 (red/13,red/13) 1 msec
    2 10.1.8.13 (red/13,red/13) 0 msec
    10.1.7.13 (red/13,red/13) 0 msec
    10.1.8.13 (red/13,red/13) 0 msec
    3 10.1.2.11 (red/13,blue/10) 1 msec 0 msec 0 msec
    4 * * *

    Debug Output Filtering Per VRF

    Using EVN, you can filter debug output per VRF by using the debug condition vrf command. The following is sample output from the debug condition vrf command:

    Device# debug condition vrf red
     
    Condition 1 set
    CEF filter table debugging is on
    CEF filter table debugging is on
    D1#
    *Aug 19 23:06:38.178: vrfmgr(0) Debug: Condition 1, vrf red triggered, count 1

     

    CISCO-VRF-MIB

    EVN provides a CISCO-VRF-MIB for VRF discovery and management.