
AOS-CX Simulator - VRF Part 1 Lab Guide

This lab guide explains how to configure VRFs (Virtual Routing and Forwarding) on AOS-CX switches to allow the reader to gain hands-on experience with VRF and inter VRF route leaking (IVRL). The lab tasks include setting up the network topology in EVE-NG, configuring VRFs and associated Layer 3 interfaces on the switches, testing connectivity between hosts in different VRFs, and configuring inter-VRF route leaking to allow communication between hosts and servers.

Uploaded by

rashmi m

LAB GUIDE

VRF Lab1 – Static IVRL


Important! This guide assumes that the AOS-CX ova has been installed and works in GNS3 or EVE-NG.
Please refer to GNS3/EVE-NG initial setup labs if required.
https://www.eve-ng.net/index.php/documentation/howtos/howto-add-aruba-cx-switch/

At this time, EVE-NG does not support exporting/importing the AOS-CX startup-config. The lab
user should copy/paste the AOS-CX node configuration from the lab guide if required.

TABLE OF CONTENTS
Lab Objective
Lab Overview
Lab Network Layout
Lab Tasks
  Task 1 – Lab setup
  Task 2 - Configure Layer3 for VRF-lite
    Step #1: Configure VRFs
    Step #2: Configure Host VLANs and Transit VLANs
    Step #3: Configure SVI (Switch Virtual Interface = L3 VLAN interface)
    Step #4: Configure ROP (Routed Only Port) L3 interface
    Step #5: Verify VRF attachment
    Step #6: Routing
  Task 3 – VRF testing
    Test #1: connectivity between Hosts
    Test #2: Static inter-VRF Route Leaking
Appendix – Reference Configurations

VRF Lab1
static IVRL

Lab Objective
This lab will enable the reader to gain hands-on experience with VRF and inter VRF route leaking (IVRL).

Lab Overview
This lab guide explains how to configure VRFs (Virtual Routing and Forwarding) on an AOS-CX switch.

Please read the VRF section of the AOS-CX 10.6 IP Routing Guide (https://www.arubanetworks.com/techdocs/AOS-CX/10.06/HTML/5200-7702/index.html#GUID-F2CC1540-2EFD-41FF-B3A8-9C38E9133488.html).

During this lab, you’ll be able to:

- Configure VRF and attach L3 interfaces to VRF

- Connect network nodes in a VRF-lite model

- Test traffic isolation between hosts in different VRFs

- Configure inter-VRF route leaking to allow communication between hosts and the server.

The minimum required AOS-CX Switch Simulator version for this lab is 10.5. Using the later 10.6 release is recommended.

This lab uses EVE-NG but GNS3 can be used as well.


Lab Network Layout


Here is the proposed topology:

Lab Tasks

Task 1 – Lab setup

- In EVE-NG, import the .zip lab file containing the “unl” file.
  All the connections between nodes are already set up. Appropriate numbers of CPUs (2), RAM (4096 MB) and
  interfaces are already allocated.
- Check the connectivity as proposed above.
- Start all the devices (3 AOS-CX switches and 5 hosts).
- Open each switch console and log in with user “admin”.
  The switches will ask to enter a new password. This new password can be an empty password for simplicity in this lab.
- Apply (copy/paste) the baseline configuration as proposed below.

Baseline Configuration proposal (for initial copy/paste):


SW1
hostname SW1
!
vlan 1
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    description to SW2
interface 1/1/2
    no shutdown
    description to SW3
interface 1/1/9
    no shutdown
    description to SRV-services

SW2
hostname SW2
!
vlan 1
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    description to HostA
interface 1/1/2
    no shutdown
    description to HostB
interface 1/1/9
    no shutdown
    description to SW1

SW3
hostname SW3
!
vlan 1
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    description to HostC
interface 1/1/2
    no shutdown
    description to HostD
interface 1/1/9
    no shutdown
    description to SW1

- Verify the connectivity through LLDP neighbor information as follows:

SW1
SW1# show lldp neighbor-info

LLDP Neighbor Information
=========================

Total Neighbor Entries          : 2
Total Neighbor Entries Deleted  : 0
Total Neighbor Entries Dropped  : 0
Total Neighbor Entries Aged-Out : 0

LOCAL-PORT  CHASSIS-ID         PORT-ID  PORT-DESC  TTL  SYS-NAME
-------------------------------------------------------------------------------------------------------
1/1/1       08:00:09:06:d8:b9  1/1/9    to SW1     120  SW2
1/1/2       08:00:09:8e:d0:6f  1/1/9    to SW1     120  SW3

SW2
SW2# show lldp neighbor-info

LLDP Neighbor Information
=========================

Total Neighbor Entries          : 1
Total Neighbor Entries Deleted  : 0
Total Neighbor Entries Dropped  : 0
Total Neighbor Entries Aged-Out : 0

LOCAL-PORT  CHASSIS-ID         PORT-ID  PORT-DESC  TTL  SYS-NAME
-------------------------------------------------------------------------------------------------------
1/1/9       08:00:09:d7:5f:0f  1/1/1    to SW2     120  SW1

SW3
SW3# show lldp neighbor-info

LLDP Neighbor Information
=========================

Total Neighbor Entries          : 1
Total Neighbor Entries Deleted  : 0
Total Neighbor Entries Dropped  : 0
Total Neighbor Entries Aged-Out : 0

LOCAL-PORT  CHASSIS-ID         PORT-ID  PORT-DESC  TTL  SYS-NAME
-------------------------------------------------------------------------------------------------------
1/1/9       08:00:09:d7:5f:0f  1/1/2    to SW3     120  SW1

Task 2 - Configure Layer3 for VRF-lite


There are 2 ways to transport VRFs in a VRF-lite architecture:

- through ROP (Routed Only Port): one VRF per interface in case of a single VRF, or one VRF per sub-interface in case of
  multiple VRFs (not yet supported on AOS-CX Simulator)
- through Transit VLANs, each Transit VLAN being associated with one VRF in the multiple-VRF case.

Both methods are used in this lab for educational purposes. SW2 will use ROP with one VRF. SW3 will use Transit VLANs.

Step #1: Configure VRFs


SW1 will host 3 VRFs:

- VRF1, for VRF-lite interconnectivity to SW1
- VRF2, for VRF-lite interconnectivity to SW2
- SERVICES, for hosting the SRV-services server in the SERVICES VRF.

SW2 will use only the default VRF. Indeed, the default VRF in access switch SW2 is mapped to VRF1 on the SW1 interconnection. This is done for
simplification. An alternative would have been to configure VRF1 on SW2 as well and attach all L3 interfaces to VRF1. As there
are no other VRFs hosted on SW2, it is simpler to just use the default VRF and bind it to VRF1 through the VRF attachment on the SW1
interconnection.

SW3 will host 2 VRFs:

- VRF1, for VRF-lite interconnectivity to SW1, and for hosting the VRF1 endpoint: HostC.
- VRF2, for VRF-lite interconnectivity to SW1, and for hosting the VRF2 endpoint: HostD.

SW1(config)#
vrf VRF1
vrf VRF2
vrf SERVICES

SW3(config)#
vrf VRF1
vrf VRF2

Note: There is no need for RD (route-distinguisher) in the VRF context as BGP is not used in this lab.

Step #2: Configure Host VLANs and Transit VLANs


VLANs are used for endpoint Hosts, and for Transit VLANs.
Transit VLAN 1115 is used for VRF1 and Transit VLAN 1125 is used for VRF2.
VLANs 110, 111 and 119 are endpoint VLANs for VRF1: VLANs 110 and 111 are used on SW2, VLAN 119 is used on SW3.
VLAN 120 is the endpoint VLAN for VRF2 on SW3.

SW1(config)#
vlan 1115,1125
!
interface 1/1/2
    no shutdown
    description to SW3
    no routing
    vlan trunk native 1
    vlan trunk allowed 1115,1125

SW2(config)#
vlan 110-111
!
interface 1/1/1
    no shutdown
    description to HostA
    no routing
    vlan access 110
interface 1/1/2
    no shutdown
    description to HostB
    no routing
    vlan access 111

SW3(config)#
vlan 119-120,1115,1125
!
interface 1/1/1
    no shutdown
    description to HostC
    no routing
    vlan access 119
interface 1/1/2
    no shutdown
    description to HostD
    no routing
    vlan access 120
interface 1/1/9
    no shutdown
    description to SW1
    no routing
    vlan trunk native 1
    vlan trunk allowed 1115,1125

Step #3: Configure SVI (Switch Virtual Interface = L3 VLAN interface)


VRF binding is configured in this step. Reminder: no VRF is configured on SW2, for simplicity and educational
purposes.

SW1(config)#
interface vlan 1115
    vrf attach VRF1
    ip address 192.168.115.2/31
interface vlan 1125
    vrf attach VRF2
    ip address 192.168.125.0/31

SW2(config)#
interface vlan 110
    ip address 10.11.110.1/24
interface vlan 111
    ip address 10.11.111.1/24

SW3(config)#
interface vlan 119
    vrf attach VRF1
    ip address 10.11.119.1/24
interface vlan 120
    vrf attach VRF2
    ip address 10.12.120.1/24
interface vlan 1115
    vrf attach VRF1
    ip address 192.168.115.3/31
interface vlan 1125
    vrf attach VRF2
    ip address 192.168.125.1/31

Step #4: Configure ROP (Routed Only Port) L3 interface


On SW1, the ROP to SW2 is attached to VRF1, whereas on SW2 it is attached to the default VRF.

On SW1, a ROP is used for lab simplicity to connect the server SRV-services.

SW1(config)#
interface 1/1/1
    no shutdown
    vrf attach VRF1
    description to SW2
    ip address 192.168.115.0/31
interface 1/1/9
    no shutdown
    vrf attach SERVICES
    description to SRV-services
    ip address 10.5.50.1/24

SW2(config)#
interface 1/1/9
    no shutdown
    description to SW1
    ip address 192.168.115.1/31

Step #5: Verify VRF attachment


SW1
SW1# show vrf
VRF Configuration:
------------------
VRF Name : default
    Interfaces             Status
    -----------------------------
    1/1/3                  down
    1/1/4                  down
    1/1/5                  down
    1/1/6                  down
    1/1/7                  down
    1/1/8                  down

VRF Name : SERVICES
    Interfaces             Status
    -----------------------------
    1/1/9                  up

VRF Name : VRF1
    Interfaces             Status
    -----------------------------
    1/1/1                  up
    vlan1115               up

VRF Name : VRF2
    Interfaces             Status
    -----------------------------
    vlan1125               up

SW2
SW2# show vrf
VRF Configuration:
------------------
VRF Name : default
    Interfaces             Status
    -----------------------------
    1/1/3                  down
    1/1/4                  down
    1/1/5                  down
    1/1/6                  down
    1/1/7                  down
    1/1/8                  down
    1/1/9                  up
    vlan110                up
    vlan111                up

SW3
SW3# show vrf
VRF Configuration:
------------------
VRF Name : default
    Interfaces             Status
    -----------------------------
    1/1/3                  down
    1/1/4                  down
    1/1/5                  down
    1/1/6                  down
    1/1/7                  down
    1/1/8                  down

VRF Name : VRF1
    Interfaces             Status
    -----------------------------
    vlan119                up
    vlan1115               up

VRF Name : VRF2
    Interfaces             Status
    -----------------------------
    vlan120                up
    vlan1125               up

Step #6: Routing


Static routing is used for this lab. More advanced routing configuration with BGP will be proposed in a future lab for route-leaking.

On SW1, we need to create a route to reach 10.11.110.0/24 and 10.11.111.0/24. This is summarized as 10.11.96.0/20, with the
SW2 IP address as Next-Hop. Similarly, a route entry is created for 10.12.0.0/16 pointing to the SW3 IP address as Next-Hop.

On SW2, a default route is enough. On SW3, a default route per VRF is used as well.

SW1(config)#
ip route 10.11.96.0/20 192.168.115.1 vrf VRF1
ip route 10.11.119.0/24 192.168.115.3 vrf VRF1
ip route 10.12.0.0/16 192.168.125.1 vrf VRF2

SW2(config)#
ip route 0.0.0.0/0 192.168.115.0

SW3(config)#
ip route 0.0.0.0/0 192.168.115.2 vrf VRF1
ip route 0.0.0.0/0 192.168.125.0 vrf VRF2

Verify the routing table on each node. Here on SW1:

SW1
SW1# show ip route

No ipv4 routes configured

There is no route in the default VRF on SW1, as expected.

SW1
SW1# show ip route vrf VRF1

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

10.11.96.0/20, vrf VRF1
    via 192.168.115.1, [1/0], static
10.11.119.0/24, vrf VRF1
    via 192.168.115.3, [1/0], static
192.168.115.0/31, vrf VRF1
    via 1/1/1, [0/0], connected
192.168.115.0/32, vrf VRF1
    via 1/1/1, [0/0], local
192.168.115.2/31, vrf VRF1
    via vlan1115, [0/0], connected
192.168.115.2/32, vrf VRF1
    via vlan1115, [0/0], local

For VRF1, there are local /32 entries, connected /31 entries and static routes to SW2 and SW3.
SW1
SW1# show ip route vrf VRF2

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

10.12.0.0/16, vrf VRF2
    via 192.168.125.1, [1/0], static
192.168.125.0/31, vrf VRF2
    via vlan1125, [0/0], connected
192.168.125.0/32, vrf VRF2
    via vlan1125, [0/0], local

Similarly for VRF2. And finally for VRF SERVICES:

SW1
SW1# show ip route vrf SERVICES

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

10.5.50.0/24, vrf SERVICES
    via 1/1/9, [0/0], connected
10.5.50.1/32, vrf SERVICES
    via 1/1/9, [0/0], local

On SW2:

SW2
SW2# show ip route

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

0.0.0.0/0, vrf default
    via 192.168.115.0, [1/0], static
10.11.110.0/24, vrf default
    via vlan110, [0/0], connected
10.11.110.1/32, vrf default
    via vlan110, [0/0], local
10.11.111.0/24, vrf default
    via vlan111, [0/0], connected
10.11.111.1/32, vrf default
    via vlan111, [0/0], local
192.168.115.0/31, vrf default
    via 1/1/9, [0/0], connected
192.168.115.1/32, vrf default
    via 1/1/9, [0/0], local

On SW3:

SW3
SW3# show ip route

No ipv4 routes configured

SW3# show ip route vrf VRF1

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

0.0.0.0/0, vrf VRF1
    via 192.168.115.2, [1/0], static
10.11.119.0/24, vrf VRF1
    via vlan119, [0/0], connected
10.11.119.1/32, vrf VRF1
    via vlan119, [0/0], local
192.168.115.2/31, vrf VRF1
    via vlan1115, [0/0], connected
192.168.115.3/32, vrf VRF1
    via vlan1115, [0/0], local

SW3# show ip route vrf VRF2

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

0.0.0.0/0, vrf VRF2
    via 192.168.125.0, [1/0], static
10.12.120.0/24, vrf VRF2
    via vlan120, [0/0], connected
10.12.120.1/32, vrf VRF2
    via vlan120, [0/0], local
192.168.125.0/31, vrf VRF2
    via vlan1125, [0/0], connected
192.168.125.1/32, vrf VRF2
    via vlan1125, [0/0], local

The main configuration on SW1, SW2 and SW3 is ready to start performing connectivity tests.


Task 3 – VRF testing


As a reference, the configuration of SW1/SW2/SW3 should look like:

SW1
hostname SW1
!
vrf SERVICES
vrf VRF1
vrf VRF2
!
vlan 1,1115,1125
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    vrf attach VRF1
    description to SW2
    ip address 192.168.115.0/31
interface 1/1/2
    no shutdown
    description to SW3
    no routing
    vlan trunk native 1
    vlan trunk allowed 1115,1125
interface 1/1/9
    no shutdown
    vrf attach SERVICES
    description to SRV-services
    ip address 10.5.50.1/24
interface vlan 1115
    vrf attach VRF1
    ip address 192.168.115.2/31
interface vlan 1125
    vrf attach VRF2
    ip address 192.168.125.0/31
ip route 10.11.96.0/20 192.168.115.1 vrf VRF1
ip route 10.11.119.0/24 192.168.115.3 vrf VRF1
ip route 10.12.0.0/16 192.168.125.1 vrf VRF2
!

SW2
hostname SW2
!
vlan 1,110-111
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    description to HostA
    no routing
    vlan access 110
interface 1/1/2
    no shutdown
    description to HostB
    no routing
    vlan access 111
interface 1/1/9
    no shutdown
    description to SW1
    ip address 192.168.115.1/31
interface vlan 110
    ip address 10.11.110.1/24
interface vlan 111
    ip address 10.11.111.1/24
ip route 0.0.0.0/0 192.168.115.0
!

SW3
hostname SW3
!
vlan 1,119-120,1115,1125
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    description to HostC
    no routing
    vlan access 119
interface 1/1/2
    no shutdown
    description to HostD
    no routing
    vlan access 120
interface 1/1/9
    no shutdown
    description to SW1
    no routing
    vlan trunk native 1
    vlan trunk allowed 1115,1125
interface vlan 119
    vrf attach VRF1
    ip address 10.11.119.1/24
interface vlan 120
    vrf attach VRF2
    ip address 10.12.120.1/24
interface vlan 1115
    vrf attach VRF1
    ip address 192.168.115.3/31
interface vlan 1125
    vrf attach VRF2
    ip address 192.168.125.1/31
ip route 0.0.0.0/0 192.168.115.2 vrf VRF1
ip route 0.0.0.0/0 192.168.125.0 vrf VRF2

Test #1: connectivity between Hosts


Set-up IP address on HostA and HostB:

HostA
VPCS> ip 10.11.110.10/24 10.11.110.1
Checking for duplicate address.
VPCS : 10.11.110.10 255.255.255.0 gateway 10.11.110.1

VPCS> show ip

NAME       : VPCS[1]
IP/MASK    : 10.11.110.10/24
GATEWAY    : 10.11.110.1
DNS        :
MAC        : 00:50:79:66:68:07
LPORT      : 20000
RHOST:PORT : 127.0.0.1:30000
MTU        : 1500

HostB
VPCS> ip 10.11.111.10/24 10.11.111.1
Checking for duplicate address
VPCS : 10.11.111.10 255.255.255.0 gateway 10.11.111.1

VPCS> show ip

NAME       : VPCS[1]
IP/MASK    : 10.11.111.10/24
GATEWAY    : 10.11.111.1
DNS        :
MAC        : 00:50:79:66:68:06
LPORT      : 20000
RHOST:PORT : 127.0.0.1:30000
MTU        : 1500

HostC
VPCS> ip 10.11.119.10/24 10.11.119.1
Checking for duplicate address...
VPCS : 10.11.119.10 255.255.255.0 gateway 10.11.119.1

VPCS> show ip

NAME       : VPCS[1]
IP/MASK    : 10.11.119.10/24
GATEWAY    : 10.11.119.1
DNS        :
MAC        : 00:50:79:66:68:05
LPORT      : 20000
RHOST:PORT : 127.0.0.1:30000
MTU        : 1500

HostD
VPCS> ip 10.12.120.10/24 10.12.120.1
Checking for duplicate address...
VPCS : 10.12.120.10 255.255.255.0 gateway 10.12.120.1

VPCS> show ip

NAME       : VPCS[1]
IP/MASK    : 10.12.120.10/24
GATEWAY    : 10.12.120.1
DNS        :
MAC        : 00:50:79:66:68:08
LPORT      : 20000
RHOST:PORT : 127.0.0.1:30000
MTU        : 1500

SRV-services
VPCS> ip 10.5.50.10/24 10.5.50.1
Checking for duplicate address...
VPCS : 10.5.50.10 255.255.255.0 gateway 10.5.50.1

VPCS> show ip

NAME       : VPCS[1]
IP/MASK    : 10.5.50.10/24
GATEWAY    : 10.5.50.1
DNS        :
MAC        : 00:50:79:66:68:04
LPORT      : 20000
RHOST:PORT : 127.0.0.1:30000
MTU        : 1500

Ping inside the same VRF:

Ping HostB from HostA (VRF1)

HostA
VPCS> ping 10.11.111.10

84 bytes from 10.11.111.10 icmp_seq=1 ttl=63 time=2.815 ms
84 bytes from 10.11.111.10 icmp_seq=2 ttl=63 time=6.434 ms
84 bytes from 10.11.111.10 icmp_seq=3 ttl=63 time=1.307 ms
84 bytes from 10.11.111.10 icmp_seq=4 ttl=63 time=1.224 ms
84 bytes from 10.11.111.10 icmp_seq=5 ttl=63 time=5.006 ms

Ping HostC from HostA (VRF1)

HostA
VPCS> ping 10.11.119.10

84 bytes from 10.11.119.10 icmp_seq=1 ttl=61 time=10.754 ms
84 bytes from 10.11.119.10 icmp_seq=2 ttl=61 time=9.072 ms
84 bytes from 10.11.119.10 icmp_seq=3 ttl=61 time=4.065 ms
84 bytes from 10.11.119.10 icmp_seq=4 ttl=61 time=3.620 ms
84 bytes from 10.11.119.10 icmp_seq=5 ttl=61 time=3.573 ms

Ping SW1 VRF2 IP address from HostD (VRF2)

HostD
VPCS> ping 192.168.125.0

84 bytes from 192.168.125.0 icmp_seq=1 ttl=63 time=2.741 ms
84 bytes from 192.168.125.0 icmp_seq=2 ttl=63 time=7.833 ms
84 bytes from 192.168.125.0 icmp_seq=3 ttl=63 time=2.987 ms
84 bytes from 192.168.125.0 icmp_seq=4 ttl=63 time=2.900 ms
84 bytes from 192.168.125.0 icmp_seq=5 ttl=63 time=2.792 ms

Ping between VRFs:

The purpose of VRFs is to isolate routing domains. As a consequence, without any inter-VRF route-leaking, hosts in VRF1
should not communicate with hosts in other VRFs.

Ping HostD (VRF2) from HostA (VRF1):

HostA
VPCS> ping 10.12.120.10

*192.168.115.0 icmp_seq=1 ttl=63 time=3.025 ms (ICMP type:3, code:0, Destination network unreachable)
*192.168.115.0 icmp_seq=2 ttl=63 time=2.367 ms (ICMP type:3, code:0, Destination network unreachable)
*192.168.115.0 icmp_seq=3 ttl=63 time=2.305 ms (ICMP type:3, code:0, Destination network unreachable)
*192.168.115.0 icmp_seq=4 ttl=63 time=2.328 ms (ICMP type:3, code:0, Destination network unreachable)
10.12.120.10 icmp_seq=5 timeout

Ping SRV-services (SERVICES VRF) from HostA (VRF1):

HostA
VPCS> ping 10.5.50.10

*192.168.115.0 icmp_seq=1 ttl=63 time=2.514 ms (ICMP type:3, code:0, Destination network unreachable)
*192.168.115.0 icmp_seq=2 ttl=63 time=7.301 ms (ICMP type:3, code:0, Destination network unreachable)
*192.168.115.0 icmp_seq=3 ttl=63 time=2.651 ms (ICMP type:3, code:0, Destination network unreachable)
*192.168.115.0 icmp_seq=4 ttl=63 time=2.048 ms (ICMP type:3, code:0, Destination network unreachable)
10.5.50.10 icmp_seq=5 timeout

Ping SRV-services (SERVICES VRF) from HostD (VRF2):

HostD
VPCS> ping 10.5.50.10

10.5.50.10 icmp_seq=1 timeout
10.5.50.10 icmp_seq=2 timeout
10.5.50.10 icmp_seq=3 timeout
10.5.50.10 icmp_seq=4 timeout
10.5.50.10 icmp_seq=5 timeout

Between VRFs, the destination network is unreachable or the ping times out, as expected.

The next section explains how to enable communication between VRF1 and SERVICES and between VRF2 and SERVICES, while
maintaining isolation between VRF1 and VRF2.

Test #2: Static inter-VRF Route Leaking


Here are the route-leaking lab objectives:

- Hosts in VRF1 need to access the server in the SERVICES VRF.
- Hosts in VRF2 need to access the server in the SERVICES VRF.
- Hosts in VRF1 should not be able to communicate with hosts in VRF2.

The node that performs inter-VRF route leaking in this lab is SW1.

In order for the VRF1 routing domain to know how to reach SRV-services, a static route has to be created in VRF1. As this route is a
connected route in the SERVICES VRF, the outgoing interface is used instead of a Next-Hop IP address:

ip route 10.5.50.0/24 1/1/9 vrf VRF1

Similarly for VRF2:

ip route 10.5.50.0/24 1/1/9 vrf VRF2

In order for the SERVICES routing domain to know how to reach the hosts, a static route per subnet has to be created in the SERVICES
VRF. Because a Next-Hop IP address would not be in the SERVICES VRF, the route is created by specifying the
outgoing interface instead.

For hosts behind SW2:

ip route 10.11.96.0/20 1/1/1 vrf SERVICES

For hosts behind SW3:

ip route 10.11.119.0/24 vlan1115 vrf SERVICES
ip route 10.12.0.0/16 vlan1125 vrf SERVICES

In summary, configure the following routes on SW1:

SW1(config)#
ip route 10.5.50.0/24 1/1/9 vrf VRF1
ip route 10.5.50.0/24 1/1/9 vrf VRF2
ip route 10.11.96.0/20 1/1/1 vrf SERVICES
ip route 10.11.119.0/24 vlan1115 vrf SERVICES
ip route 10.12.0.0/16 vlan1125 vrf SERVICES

Then check the routing table per VRF:

SW1
SW1# show ip route vrf VRF1

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

10.5.50.0/24, vrf VRF1
    via 1/1/9[vrf SERVICES], [1/0], static
10.11.96.0/20, vrf VRF1
    via 192.168.115.1, [1/0], static
10.11.119.0/24, vrf VRF1
    via 192.168.115.3, [1/0], static
192.168.115.0/31, vrf VRF1
    via 1/1/1, [0/0], connected
192.168.115.0/32, vrf VRF1
    via 1/1/1, [0/0], local
192.168.115.2/31, vrf VRF1
    via vlan1115, [0/0], connected
192.168.115.2/32, vrf VRF1
    via vlan1115, [0/0], local

You can see a route entry coming from the egress VRF: SERVICES.

SW1
SW1# show ip route vrf VRF2

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

10.5.50.0/24, vrf VRF2
    via 1/1/9[vrf SERVICES], [1/0], static
10.12.0.0/16, vrf VRF2
    via 192.168.125.1, [1/0], static
192.168.125.0/31, vrf VRF2
    via vlan1125, [0/0], connected
192.168.125.0/32, vrf VRF2
    via vlan1125, [0/0], local

Similarly for VRF2.

SW1
SW1# show ip route vrf SERVICES

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

10.5.50.0/24, vrf SERVICES
    via 1/1/9, [0/0], connected
10.5.50.1/32, vrf SERVICES
    via 1/1/9, [0/0], local
10.11.96.0/20, vrf SERVICES
    via 1/1/1[vrf VRF1], [1/0], static
10.11.119.0/24, vrf SERVICES
    via vlan1115[vrf VRF1], [1/0], static
10.12.0.0/16, vrf SERVICES
    via vlan1125[vrf VRF2], [1/0], static

Finally, the SERVICES routing table includes routes with egress VRFs VRF1 and VRF2.

Test the connectivity again between hosts, and then between hosts and the server:

Ping HostD (VRF2) from HostA (VRF1):

HostA
VPCS> ping 10.12.120.10

*192.168.115.0 icmp_seq=1 ttl=63 time=3.064 ms (ICMP type:3, code:0, Destination network unreachable)
*192.168.115.0 icmp_seq=2 ttl=63 time=6.026 ms (ICMP type:3, code:0, Destination network unreachable)
*192.168.115.0 icmp_seq=3 ttl=63 time=2.927 ms (ICMP type:3, code:0, Destination network unreachable)
*192.168.115.0 icmp_seq=4 ttl=63 time=2.455 ms (ICMP type:3, code:0, Destination network unreachable)
10.12.120.10 icmp_seq=5 timeout

This is still not possible, as expected and desired.

Ping SRV-services (SERVICES VRF) from HostA (VRF1):

HostA
VPCS> ping 10.5.50.10

84 bytes from 10.5.50.10 icmp_seq=1 ttl=61 time=11.072 ms
84 bytes from 10.5.50.10 icmp_seq=2 ttl=61 time=3.646 ms
84 bytes from 10.5.50.10 icmp_seq=3 ttl=61 time=3.019 ms
84 bytes from 10.5.50.10 icmp_seq=4 ttl=61 time=2.774 ms
84 bytes from 10.5.50.10 icmp_seq=5 ttl=61 time=2.805 ms

Communication is now possible between hosts in VRF1 and SRV-services in the SERVICES VRF.

Similarly for HostD in VRF2:

Ping SRV-services (SERVICES VRF) from HostD (VRF2):

HostD
VPCS> ping 10.5.50.10

84 bytes from 10.5.50.10 icmp_seq=1 ttl=61 time=14.803 ms
84 bytes from 10.5.50.10 icmp_seq=2 ttl=61 time=3.532 ms
84 bytes from 10.5.50.10 icmp_seq=3 ttl=61 time=3.393 ms
84 bytes from 10.5.50.10 icmp_seq=4 ttl=61 time=3.542 ms
84 bytes from 10.5.50.10 icmp_seq=5 ttl=61 time=3.558 ms

This is the end of this lab.
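
The isolation result of Test #2 can also be checked offline from the SW1 configuration text. The script below is an added example, not part of the original lab guide or of any Aruba tooling: it rebuilds the per-VRF tables from the lab's SW1 lines, does a longest-prefix lookup per VRF, and reports any leak that the lab objectives do not allow. The function names and the ALLOWED policy set are assumptions made for this example, and the model assumes that a static route naming an interface attached to another VRF egresses in that VRF, as the "via 1/1/9[vrf SERVICES]" output above shows.

```python
import ipaddress

# Routing-relevant SW1 lines from this lab (reference config + leak routes).
SW1_CONFIG = """\
interface 1/1/1
    vrf attach VRF1
    ip address 192.168.115.0/31
interface 1/1/9
    vrf attach SERVICES
    ip address 10.5.50.1/24
interface vlan 1115
    vrf attach VRF1
    ip address 192.168.115.2/31
interface vlan 1125
    vrf attach VRF2
    ip address 192.168.125.0/31
ip route 10.11.96.0/20 192.168.115.1 vrf VRF1
ip route 10.11.119.0/24 192.168.115.3 vrf VRF1
ip route 10.12.0.0/16 192.168.125.1 vrf VRF2
ip route 10.5.50.0/24 1/1/9 vrf VRF1
ip route 10.5.50.0/24 1/1/9 vrf VRF2
ip route 10.11.96.0/20 1/1/1 vrf SERVICES
ip route 10.11.119.0/24 vlan1115 vrf SERVICES
ip route 10.12.0.0/16 vlan1125 vrf SERVICES
"""

# Lab objectives as a policy (assumed encoding): only SERVICES is shared.
ALLOWED = {("VRF1", "SERVICES"), ("VRF2", "SERVICES"),
           ("SERVICES", "VRF1"), ("SERVICES", "VRF2")}


def build_tables(config):
    """Return {vrf: [(network, egress_vrf), ...]} parsed from config text."""
    if_vrf, connected, static, current = {}, [], [], None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            current = "".join(w[1:])          # "vlan 1115" -> "vlan1115"
            if_vrf[current] = "default"
        elif w[:2] == ["vrf", "attach"] and current:
            if_vrf[current] = w[2]
        elif w[:2] == ["ip", "address"] and current:
            connected.append((current, ipaddress.ip_interface(w[2]).network))
        elif w[:2] == ["ip", "route"]:
            vrf = w[5] if w[4:5] == ["vrf"] and len(w) > 5 else "default"
            static.append((ipaddress.ip_network(w[2]), w[3], vrf))
    tables = {}
    for iface, net in connected:
        tables.setdefault(if_vrf[iface], []).append((net, if_vrf[iface]))
    for net, target, vrf in static:
        # Interface target: traffic egresses in that interface's VRF.
        # IP next hop (not an interface name): stays in the route's own VRF.
        tables.setdefault(vrf, []).append((net, if_vrf.get(target, vrf)))
    return tables


def lookup(tables, vrf, dst):
    """Longest-prefix match inside one VRF: egress VRF, or None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, egress) for net, egress in tables.get(vrf, [])
            if addr in net]
    return max(hits)[1] if hits else None


def leak_violations(tables, allowed=ALLOWED):
    """Return (from_vrf, to_vrf, prefix) for each leak outside the policy."""
    return sorted((vrf, egress, str(net))
                  for vrf, routes in tables.items()
                  for net, egress in routes
                  if egress != vrf and (vrf, egress) not in allowed)


if __name__ == "__main__":
    t = build_tables(SW1_CONFIG)
    for src, dst in [("VRF1", "10.5.50.10"), ("VRF1", "10.12.120.10"),
                     ("VRF2", "10.5.50.10"), ("SERVICES", "10.12.120.10")]:
        print(f"{src:9} -> {dst:13} egress VRF: {lookup(t, src, dst)}")
    print("policy violations:", leak_violations(t))
```

The 10.11.96.0/20 summary leaked into SERVICES covers sixteen /24 networks, while only 10.11.110.0/24 and 10.11.111.0/24 exist on SW2, so a stricter design would leak the two /24 prefixes instead.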


Appendix – Reference Configurations


If you face issues during your lab, you can verify your configuration with the configuration extract listed in this section.
SW1
hostname SW1
!
vrf SERVICES
vrf VRF1
vrf VRF2
!
vlan 1,1115,1125
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    vrf attach VRF1
    description to SW2
    ip address 192.168.115.0/31
interface 1/1/2
    no shutdown
    description to SW3
    no routing
    vlan trunk native 1
    vlan trunk allowed 1115,1125
interface 1/1/9
    no shutdown
    vrf attach SERVICES
    description to SRV-services
    ip address 10.5.50.1/24
interface vlan 1115
    vrf attach VRF1
    ip address 192.168.115.2/31
interface vlan 1125
    vrf attach VRF2
    ip address 192.168.125.0/31
ip route 10.11.96.0/20 192.168.115.1 vrf VRF1
ip route 10.11.119.0/24 192.168.115.3 vrf VRF1
ip route 10.12.0.0/16 192.168.125.1 vrf VRF2
!
ip route 10.5.50.0/24 1/1/9 vrf VRF1
ip route 10.5.50.0/24 1/1/9 vrf VRF2
ip route 10.11.96.0/20 1/1/1 vrf SERVICES
ip route 10.11.119.0/24 vlan1115 vrf SERVICES
ip route 10.12.0.0/16 vlan1125 vrf SERVICES

SW2
hostname SW2
!
vlan 1,110-111
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    description to HostA
    no routing
    vlan access 110
interface 1/1/2
    no shutdown
    description to HostB
    no routing
    vlan access 111
interface 1/1/9
    no shutdown
    description to SW1
    ip address 192.168.115.1/31
interface vlan 110
    ip address 10.11.110.1/24
interface vlan 111
    ip address 10.11.111.1/24
ip route 0.0.0.0/0 192.168.115.0

SW3
hostname SW3
!
vlan 1,119-120,1115,1125
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    description to HostC
    no routing
    vlan access 119
interface 1/1/2
    no shutdown
    description to HostD
    no routing
    vlan access 120
interface 1/1/9
    no shutdown
    description to SW1
    no routing
    vlan trunk native 1
    vlan trunk allowed 1115,1125
interface vlan 119
    vrf attach VRF1
    ip address 10.11.119.1/24
interface vlan 120
    vrf attach VRF2
    ip address 10.12.120.1/24
interface vlan 1115
    vrf attach VRF1
    ip address 192.168.115.3/31
interface vlan 1125
    vrf attach VRF2
    ip address 192.168.125.1/31
ip route 0.0.0.0/0 192.168.115.2 vrf VRF1
ip route 0.0.0.0/0 192.168.125.0 vrf VRF2

www.arubanetworks.com
3333 Scott Blvd. Santa Clara, CA 95054