Configuring VPN Routing and Forwarding (VRF) on Juniper J4300 router and Cisco 3550 Catalyst Multi-layer Switch to support Avaya IP Telephony - Issue 1.0
Abstract
These Application Notes describe a procedure for configuring Multi-VRF (also known as VRF-Lite) to maintain separate, independent virtual routing tables, one dedicated to voice traffic and another dedicated to data traffic. The configuration described in these Application Notes implements Multi-VRF between a Juniper J4300 enterprise router at a main site and a Cisco Catalyst 3550 multi-layer switch at a branch site. These Application Notes were requested by a customer for a proof of concept.
1. Introduction and Scope

Multiprotocol Label Switching (MPLS) based networks implementing IP-VPN services must maintain multiple, independent routing tables, one per VPN instance. The VPN Routing and Forwarding (VRF) feature of the Provider Edge (PE) router accomplishes this by logically splitting the router into multiple virtual routers, where each virtual router contains its own set of interfaces, routing table, and forwarding table. A VRF is associated with the following components:

• IP routing table
• Derived forwarding table
• Set of interfaces, physical or virtual
• Set of routing protocols and routing peers that inject information into the VRF

VRF functionality was initially reserved for MPLS PE routers. A subset of the PE VRF functionality, known as "Multi-VRF" or "VRF-Lite", was later made available for non-PE routers. Some of the highlights of a Multi-VRF router are:

• VRF functionality without MPLS labels
• Multiprotocol BGP not required
• Detailed routing scenarios can be implemented without being connected to an MPLS VPN network via a PE

A key requirement for implementing any converged voice and data network is the ability to identify, segment and prioritize traffic types. At Layer 2, 802.1Q VLANs are used for this by implementing a separate Voice VLAN and Data VLAN with appropriate prioritization; at Layer 3, however, a single common routing table is normally used for both traffic types. Multi-VRF enables separately routed (virtual) networks with distinct routing tables, and potentially overlapping address space, to co-exist on the same router. Multi-VRF therefore provides an option to further segment data and voice traffic by maintaining separate virtual routing instances, providing Layer 3 segmentation that complements the Layer 2 VLAN segmentation. A host in one VRF has no route to the other VRF unless routes are deliberately leaked between them, so voice and data traffic cannot reach each other through either router by default.

The configuration described in these Application Notes implements Multi-VRF between a Juniper J4300 enterprise router at a main site and a Cisco Catalyst 3550 multi-layer switch at a branch site. Two VRF tables, “vrf Voice” and “vrf Data”, are configured on each router. The Open Shortest Path First (OSPF) routing protocol is used within each VRF: one OSPF instance is configured per VRF table, two instances in total. These Application Notes focus on the VRF configuration of the Juniper J4300 router and the Cisco 3550 multi-layer switch and provide full configurations for each.
3.1. Cisco Catalyst 3550 Multi-layer Switch configuration – Branch Site

Configures the buffer size of minimum-reserve levels 5 – 8, to be used by the four egress queues:

Level 1-4 can hold 100 packets (default)
Level 5 can hold 170 packets
Level 6 can hold 85 packets
Level 7 can hold 51 packets
Level 8 can hold 34 packets

When the buffer specified for a minimum-reserve level is full, packets are dropped until space is available.
no ip domain-lookup
!
ip vrf Data
 rd 100:2
!
ip vrf Voice
 rd 100:1
Names the VRF table: vrf Data is the routing table used for data traffic and vrf Voice is the routing table used for voice traffic.

The route-distinguisher (rd) statement creates the VRF table and specifies the default route distinguisher for the VPN. The RD is an 8-byte value prepended to the network's IPv4 prefixes to turn them into globally unique VPN-IPv4 prefixes; this is what allows private, overlapping IP address ranges to be used across different VPN networks. The RD is composed of an autonomous system number and an arbitrary number, or of an IP address and an arbitrary number.

You can enter an RD in either of these formats:

16-bit AS number : 32-bit number, for example 101:3
32-bit IP address : 16-bit number, for example 192.168.122.15:1

The ASN format is used for this configuration. Because no MP-BGP runs between the two routers in a Multi-VRF deployment, the RD is only locally significant: it does not have to match the RD configured on the peer (the Juniper configuration below uses the IP address format), but on IOS the rd statement is still what creates the VRF table, so one must be configured.
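As an added worked example (not part of the original Application Notes and not vendor code), the following Python encodes the two RD text formats listed above into the 8-byte wire form defined in RFC 4364 (Type 0 for ASN:number, Type 1 for IP:number) and prepends the result to an IPv4 prefix, which is the "VPN-IPv4 prefix" construction described above. The RDs 100:1 and 100:2 are the ones configured on the 3550; the prefix 10.1.1.0/24 in the demonstration is constructed for the example. In a Multi-VRF deployment without MP-BGP the RD is never carried on the wire, so this shows what the RD would do on a PE in a full MPLS VPN rather than anything the two routers here exchange.

```python
"""Route Distinguisher (RD) encoding and VPN-IPv4 prefix construction.

Added example for these Application Notes; not part of the original
document or of any vendor code. Implements the RFC 4364 encodings for
the two RD text formats the notes list: Type 0 (16-bit AS : 32-bit
number) and Type 1 (32-bit IPv4 address : 16-bit number).
"""
import ipaddress
import struct


def encode_rd(text: str) -> bytes:
    """Return the 8-byte RD for 'ASN:nn' (Type 0) or 'A.B.C.D:nn' (Type 1).

    Type 0 layout: 2-byte type (0), 2-byte AS number, 4-byte assigned number.
    Type 1 layout: 2-byte type (1), 4-byte IPv4 address, 2-byte assigned number.
    The range checks enforce the field widths given in the notes.
    """
    admin, sep, number = text.rpartition(":")
    if not sep or not admin or not number.isdigit():
        raise ValueError(f"malformed RD: {text!r}")
    num = int(number)
    if admin.isdigit():
        asn = int(admin)
        if asn > 0xFFFF or num > 0xFFFFFFFF:
            raise ValueError(f"Type 0 RD field out of range: {text!r}")
        return struct.pack("!HHI", 0, asn, num)
    addr = ipaddress.IPv4Address(admin)      # raises ValueError on a bad address
    if num > 0xFFFF:
        raise ValueError(f"Type 1 RD assigned number out of range: {text!r}")
    return struct.pack("!H4sH", 1, addr.packed, num)


def decode_rd(raw: bytes) -> str:
    """Inverse of encode_rd: render an 8-byte RD in the text form 'show ip vrf' prints."""
    if len(raw) != 8:
        raise ValueError("an RD is exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:])
        return f"{asn}:{num}"
    if rd_type == 1:
        addr, num = struct.unpack("!4sH", raw[2:])
        return f"{ipaddress.IPv4Address(addr)}:{num}"
    raise ValueError(f"unsupported RD type {rd_type}")


def vpn_ipv4_nlri(rd_text: str, prefix: str) -> bytes:
    """12-byte VPN-IPv4 value: the 8-byte RD followed by the 4-byte IPv4 network address.

    This is the 'RD prepended to the IPv4 prefix' the notes describe; the prefix
    length travels separately in the MP-BGP NLRI and is not part of this value.
    """
    net = ipaddress.IPv4Network(prefix, strict=True)
    return encode_rd(rd_text) + net.network_address.packed


def rejects(text: str) -> bool:
    """True if encode_rd refuses the RD text (shows the range checks working)."""
    try:
        encode_rd(text)
    except ValueError:
        return True
    return False


def overlapping_prefix_demo(prefix: str = "10.1.1.0/24") -> tuple:
    """The same (constructed) private prefix in the Data VRF (rd 100:2) and the
    Voice VRF (rd 100:1) of the 3550 configuration: the VPN-IPv4 values differ,
    so a PE could carry both even though the IPv4 prefixes are identical."""
    data = vpn_ipv4_nlri("100:2", prefix)
    voice = vpn_ipv4_nlri("100:1", prefix)
    return data != voice, data.hex(), voice.hex()


if __name__ == "__main__":
    for rd in ("101:3", "192.168.122.15:1", "100:1", "10.0.0.1:1"):
        print(f"{rd:>18} -> {encode_rd(rd).hex()} -> {decode_rd(encode_rd(rd))}")
    print(overlapping_prefix_demo())
```

The hex output makes the field layout visible: 101:3 becomes 0000 0065 00000003 (type, AS, number) and 192.168.122.15:1 becomes 0001 c0a87a0f 0001 (type, address, number). The strict network check refuses a prefix with host bits set, which is the same mistake a network statement with the wrong wildcard mask would make on the 3550.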
no file verify auto
spanning-tree mode pvst

Enables per-VLAN spanning tree.

!
vlan internal allocation policy ascending
!

Sets the allocation direction for internally assigned VLAN IDs: with the ascending policy the switch allocates internal VLANs starting at 1006 and counting upward, leaving the IDs just below 4094 free for user-assigned VLANs.
!
interface Loopback1
 no ip address
!
interface Loopback2
 no ip address
!
Physical port connection to the Avaya G700 Media Gateway. Binds the port to VLAN 20 (voice VLAN) and sets the mode to support VLAN tagging using standard 802.1Q tags. Configures the port to trust the DSCP value of ingress traffic.
interface FastEthernet0/13
 switchport access vlan 60
 switchport mode access
 duplex full
 speed 100
 mls qos trust dscp
 auto qos voip trust
 wrr-queue bandwidth 20 20 5 80
Physical port connection to the IXIA data traffic generator. Binds the port to VLAN 60 (data VLAN) and sets the port to access mode. Configures the port to trust the DSCP value of ingress traffic. Trusting DSCP on a port facing a traffic generator is appropriate in the lab; on a user-facing data port, trusted DSCP lets any attached host mark its own traffic into the voice queues.
Weighted Round Robin (WRR) is the mechanism used for output QoS scheduling on the 3550. WRR works across three or four queues (four if no strict-priority queue is configured). The queues are emptied in a round-robin fashion, and you can configure the weight given to each queue.

In our lab configuration, the wrr-queue bandwidth 20 20 5 80 command gives the four queues relative weights of 20, 20, 5 and 80. Weights are relative to their sum (125), so the queues receive roughly 16%, 16%, 4% and 64% of the scheduling opportunities respectively.
Assigns one of the min-reserve values, specified earlier in this configuration with the mls qos min-reserve command, to each of the four queues. Maps each of the eight possible CoS values to one of the four queues using the CoS-to-queue map command:

CoS values 0, 1, 2 in Q1
CoS value 4 in Q2
CoS values 3, 6, 7 in Q3
CoS value 5 in Q4
Physical port connection to the Juniper J4300. Binds the port to specific VLANs and sets the mode to support VLAN tagging using standard 802.1Q tags. Speed is set to 10 Mb/s to simulate a Metro Ethernet service uplink.
interface Vlan20
 ip vrf forwarding Voice
 ip address 172.28.20.1 255.255.255.0
!
interface Vlan38
 ip vrf forwarding Data
 ip address 38.0.0.8 255.255.255.0
!
interface Vlan60
 ip vrf forwarding Data
 ip address 172.28.60.1 255.255.255.0
!
interface Vlan80
 ip vrf forwarding Voice
 ip address 80.0.0.8 255.255.255.0

Creates a Layer 3 switch virtual interface (SVI); Vlan20 is the interface ID. Associates the interface with a VRF table and assigns the interface an IP address. The ip vrf forwarding command must precede ip address: applying it to an interface removes any IP address already configured there, so the address is entered after the VRF binding.
router ospf 2 vrf Voice
 log-adjacency-changes
 network 80.0.0.0 0.0.0.255 area 0.0.0.0
 network 172.28.20.0 0.0.0.255 area 0.0.0.0
!
router ospf 1 vrf Data
 log-adjacency-changes
 network 38.0.0.0 0.0.0.255 area 0.0.0.0
 network 172.28.60.0 0.0.0.255 area 0.0.0.0

Enables a separate OSPF process for each VRF table and defines the network address(es), wildcard mask and area ID that OSPF uses within that VRF instance. A network statement under a VRF-specific OSPF process only matches interfaces that belong to that VRF, so each process advertises only its own VRF's subnets.
!
ip classless
ip http server
ip http secure-server
!
snmp-server community public RW
snmp-server community avaya RW
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password cisco
 login
line vty 5 15
 login
!
end

The management settings above are lab values. The well-known read-write SNMP communities, the plain HTTP server, the shared vty password and the privilege level 15 lines with no exec timeout should all be replaced or removed before this configuration is used outside a proof of concept.
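As an added example (not Cisco, Juniper or Avaya code), the following Python script audits an IOS Multi-VRF configuration of the form shown above. It parses the ip vrf, interface and router ospf N vrf V sections and reports SVIs bound to a VRF that was never created, VRF interfaces whose subnet no network statement of that VRF's OSPF process covers (such a subnet is simply not advertised, a common reason a VRF appears only partly reachable), and VRFs without an rd. The embedded sample is the 3550 configuration above plus two hypothetical SVIs, Vlan70 and Vlan90, constructed to trigger the checks.

```python
"""Audit a Cisco IOS Multi-VRF configuration for VRF/OSPF consistency.

Added example for these Application Notes; not Cisco or Avaya code.
Checks: interfaces bound to an undefined VRF, VRF interfaces that no
'network' statement of that VRF's OSPF process covers, VRFs without an rd.
"""
import ipaddress
import re
from collections import defaultdict

# The VRF, SVI and OSPF lines from the 3550 configuration above.
PAGE_CONFIG = """\
ip vrf Data
 rd 100:2
!
ip vrf Voice
 rd 100:1
!
interface Vlan20
 ip vrf forwarding Voice
 ip address 172.28.20.1 255.255.255.0
!
interface Vlan38
 ip vrf forwarding Data
 ip address 38.0.0.8 255.255.255.0
!
interface Vlan60
 ip vrf forwarding Data
 ip address 172.28.60.1 255.255.255.0
!
interface Vlan80
 ip vrf forwarding Voice
 ip address 80.0.0.8 255.255.255.0
!
router ospf 2 vrf Voice
 log-adjacency-changes
 network 80.0.0.0 0.0.0.255 area 0.0.0.0
 network 172.28.20.0 0.0.0.255 area 0.0.0.0
!
router ospf 1 vrf Data
 log-adjacency-changes
 network 38.0.0.0 0.0.0.255 area 0.0.0.0
 network 172.28.60.0 0.0.0.255 area 0.0.0.0
!
"""

# Constructed additions (hypothetical, not on the page): a Voice SVI that no
# OSPF network statement covers, and an SVI bound to a VRF that is never defined.
HYPOTHETICAL_EXTRA = """\
interface Vlan70
 ip vrf forwarding Voice
 ip address 172.28.70.1 255.255.255.0
!
interface Vlan90
 ip vrf forwarding Mgmt
 ip address 192.0.2.1 255.255.255.0
!
"""
SAMPLE_CONFIG = PAGE_CONFIG + HYPOTHETICAL_EXTRA


def parse_ios(text):
    """Return (vrfs, interfaces, ospf_networks).

    vrfs:          {name: rd or None}
    interfaces:    {ifname: {"vrf": name or None, "addr": IPv4Interface or None}}
    ospf_networks: {vrf name (None = global process): [(process, network_int, wildcard_int)]}
    """
    vrfs, interfaces, ospf_networks = {}, {}, defaultdict(list)
    block = None                       # (kind, key) of the enclosing top-level command
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):    # unindented: a new top-level command
            block = None
            if m := re.fullmatch(r"ip vrf (\S+)", line):
                vrfs[m[1]] = None
                block = ("vrf", m[1])
            elif m := re.fullmatch(r"interface (\S+)", line):
                interfaces[m[1]] = {"vrf": None, "addr": None}
                block = ("if", m[1])
            elif m := re.fullmatch(r"router ospf (\d+)(?: vrf (\S+))?", line):
                block = ("ospf", (int(m[1]), m[2]))
            continue
        if block is None:
            continue
        kind, key = block
        if kind == "vrf" and (m := re.fullmatch(r"rd (\S+)", line)):
            vrfs[key] = m[1]
        elif kind == "if" and (m := re.fullmatch(r"ip vrf forwarding (\S+)", line)):
            interfaces[key]["vrf"] = m[1]
        elif kind == "if" and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            interfaces[key]["addr"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif kind == "ospf" and (m := re.fullmatch(r"network (\S+) (\S+) area \S+", line)):
            process, vrf = key
            ospf_networks[vrf].append((process, int(ipaddress.IPv4Address(m[1])),
                                       int(ipaddress.IPv4Address(m[2]))))
    return vrfs, interfaces, ospf_networks


def ospf_covers(addr, statements):
    """IOS 'network A W area X' matches an interface when (ip & ~W) == (A & ~W)."""
    ip = int(addr.ip)
    return any((ip & (0xFFFFFFFF ^ w)) == (net & (0xFFFFFFFF ^ w)) for _p, net, w in statements)


def audit(text):
    """Return sorted findings; an empty list means the VRF/OSPF configuration is consistent."""
    vrfs, interfaces, ospf_networks = parse_ios(text)
    findings = [f"VRF {v}: no route-distinguisher configured" for v, rd in vrfs.items() if rd is None]
    for name, info in interfaces.items():
        vrf, addr = info["vrf"], info["addr"]
        if vrf is None or addr is None:
            continue                   # global or unnumbered interface: out of scope here
        if vrf not in vrfs:
            findings.append(f"{name}: bound to undefined VRF {vrf}")
        elif not ospf_covers(addr, ospf_networks.get(vrf, [])):
            findings.append(f"{name}: {addr} in VRF {vrf} is not covered by any OSPF network statement")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Against the page's own configuration the audit returns nothing; against the sample with the two hypothetical SVIs it flags Vlan70 (in VRF Voice but outside both Voice network statements) and Vlan90 (bound to a VRF that does not exist). The wildcard-mask comparison is the same test IOS applies when deciding which interfaces an OSPF process owns, so the script can be run over a saved running-config before a change window.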
3.2. Juniper J4300 Enterprise Router configuration – Main Site
system {
    host-name CE1;
    root-authentication {
        encrypted-password "$1$NsK8iEEW$4lnbpL1mdL8olJKLVcglh."; ## SECRET-DATA
    }
    login {
        user admin {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$EHH3Zjx0$Ow4LkDfh0sCOWUIkNtATr0"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        file messages {
            any any;
        }
    }
}

telnet and http are clear-text management services enabled here for the lab (the verification section below uses telnet as a reachability check); outside a proof of concept, ssh and https should be used instead, and the password hashes printed above should be treated as disclosed and not reused.
--------------------------------------------------------------------------------------
Configure FastEthernet physical interfaces fe-0/0/0 and fe-0/0/1. Assign VLAN IDs and IP addresses to logical interfaces unit 2, unit 10, unit 38 and unit 80.
--------------------------------------------------------------------------------------
    policy-statement data-import {
        term 1 {
            from {
                protocol bgp;
                community Data;
            }
            then accept;
        }
    }
    policy-statement voice-export {
        term learn-ospf {
            from protocol ospf;
            then accept;
        }
        term learn-direct {
            from protocol direct;
            then accept;
        }
        term nothing-else {
            then reject;
        }
    }
    policy-statement voice-import {
        term learn-all-CE-route {
            from {
                protocol bgp;
                community Voice;
            }
            then accept;
        }
        term learn-no-more {
            then reject;
        }
    }
    community Data members target:10:1;
    community Voice members target:10:2;
    community externalce members target:101:1;
    community public-comm1 members target:1:111;
}

The vrf-import and vrf-export policies act only on routes exchanged through MP-BGP (the bgp.l3vpn.0 table); JUNOS requires them (or vrf-target) for a vrf instance to commit, but with no BGP peer in this Multi-VRF setup they do not affect the OSPF and direct routes inside each instance.
--------------------------------------------------------------------------------------
Create classifier rules to select traffic based on DSCP value. Use expedited-forwarding for DSCP 101110 (46, EF) and assured-forwarding for DSCP 100010 (34, AF41).
--------------------------------------------------------------------------------------
}
--------------------------------------------------------------------------------------
Create QoS scheduler-map “voip” and assign a forwarding-class to each scheduler.
--------------------------------------------------------------------------------------
scheduler-maps {
    voip {
        forwarding-class expedited-forwarding scheduler voip-ef;
        forwarding-class assured-forwarding scheduler voip-af;
        forwarding-class best-effort scheduler novoip;
    }
}
--------------------------------------------------------------------------------------
Assign a priority value to each scheduler.
--------------------------------------------------------------------------------------
schedulers {
    voip-ef {
        priority high;
    }
    voip-af {
        priority low;
    }
    novoip {
        drop-profile-map loss-priority high protocol any drop-profile novoip;
    }
}
}
--------------------------------------------------------------------------------------
Routing-instances is where the VRF routing tables are defined, with their associated interfaces and routing protocols. Two VRF tables are created, vrf Data and vrf Voice.
--------------------------------------------------------------------------------------
routing-instances {
    Data {
        instance-type vrf;
        interface fe-0/0/0.2;
        interface fe-0/0/1.38;
        route-distinguisher 10.0.0.1:1;
        vrf-import data-import;
        vrf-export data-export;
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface fe-0/0/0.2;

Data names the VRF table and instance-type vrf defines it as a VRF route table. The interface statements list the logical interfaces associated with this VRF table. The route-distinguisher is prepended to the network's IPv4 prefixes to turn them into globally unique VPN-IPv4 prefixes; the IP address format is used here. The protocols ospf stanza enables OSPF routing for this VRF table, and the area statement defines the area ID and the interfaces that OSPF uses within the VRF instance.
4. Verification and Troubleshooting Commands

Several VRF-specific commands are described here to assist in troubleshooting and configuring a Multi-VRF implementation. Several standard commands, such as ping, traceroute and telnet, require a VRF argument in their syntax when the destination is reached through a VRF, as described below.
show ip vrf
Shows a summary of all VRF tables present on the router with their associated route distinguishers and interfaces.

CE2# show ip vrf
  Name                             Default RD          Interfaces
  Data                             100:2               Vlan38
                                                       Vlan60
  Voice                            100:1               Vlan20
                                                       Vlan80

show ip vrf detail
Shows the detailed configuration of each VRF table present on the router. The line "Connected addresses are not in global routing table" confirms that the VRF interfaces' subnets are kept out of the global table.

CE2# show ip vrf detail
VRF Data; default RD 100:2; default VPNID <not set>
  VRF Table ID = 1
  Interfaces:
    Vlan38                   Vlan60
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No export route-map

VRF Voice; default RD 100:1; default VPNID <not set>
  VRF Table ID = 2
  Interfaces:
    Vlan20                   Vlan80
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No export route-map
show ip vrf interfaces
Shows additional information on the interfaces associated with each VRF table, including the interface address and protocol state.

CE2# show ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Vlan38                 38.0.0.8        Data                             up
Vlan60                 172.28.60.1     Data                             up
Vlan20                 172.28.20.1     Voice                            up
Vlan80                 80.0.0.8        Voice                            down
show ip route vrf {vrf name}
Shows the routing table contents of a specific VRF table.

CE2# show ip route vrf Data
Routing Table: Data
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     38.0.0.0/24 is subnetted, 1 subnets
C       38.0.0.0 is directly connected, Vlan38
     172.25.0.0/24 is subnetted, 1 subnets
O       172.25.2.0 [110/2] via 38.0.0.3, 00:28:48, Vlan38
     172.28.0.0/24 is subnetted, 1 subnets
C       172.28.60.0 is directly connected, Vlan60

CE2# show ip route vrf Voice
Routing Table: Voice
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.28.0.0/24 is subnetted, 1 subnets
C       172.28.20.0 is directly connected, Vlan20

In the Data table, 172.25.2.0/24 has been learned through OSPF from the Juniper router (next hop 38.0.0.3 on Vlan38). The Voice table holds only its own connected subnet: Vlan80 was down when the show ip vrf interfaces output above was taken, so neither 80.0.0.0/24 nor any OSPF route from the main site is present. Nothing from the Data VRF appears in the Voice table, which is the intended Multi-VRF separation.
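The outputs above can be correlated automatically. The following Python is an added example, not Cisco or Avaya code: it parses show ip vrf interfaces and show ip route vrf output, carries the prefix length from the "is subnetted" header down to the entries below it, and reports interfaces whose connected subnet is missing from their VRF table, learned routes whose next hop is not on a connected subnet of that VRF (a sign the route was injected from somewhere it should not have been), and VRF tables that contain nothing but connected routes. The embedded sample text is the CE2 output from this section; run against it, the script reports exactly the Vlan80 condition discussed above.

```python
"""Cross-check 'show ip vrf interfaces' against 'show ip route vrf' output.

Added example for these Application Notes; not Cisco or Avaya code. The
sample text below is the CE2 output from this section, embedded so the
script runs offline.
"""
import ipaddress
import re

SHOW_IP_VRF_INTERFACES = """\
Interface              IP-Address      VRF                              Protocol
Vlan38                 38.0.0.8        Data                             up
Vlan60                 172.28.60.1     Data                             up
Vlan20                 172.28.20.1     Voice                            up
Vlan80                 80.0.0.8        Voice                            down
"""

SHOW_IP_ROUTE_VRF = {
    "Data": """\
Routing Table: Data
Gateway of last resort is not set

     38.0.0.0/24 is subnetted, 1 subnets
C       38.0.0.0 is directly connected, Vlan38
     172.25.0.0/24 is subnetted, 1 subnets
O       172.25.2.0 [110/2] via 38.0.0.3, 00:28:48, Vlan38
     172.28.0.0/24 is subnetted, 1 subnets
C       172.28.60.0 is directly connected, Vlan60
""",
    "Voice": """\
Routing Table: Voice
Gateway of last resort is not set

     172.28.0.0/24 is subnetted, 1 subnets
C       172.28.20.0 is directly connected, Vlan20
""",
}

IFACE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(up|down)\s*$")
SUBNETTED_RE = re.compile(r"^\s+\S+/(\d+) is (?:variably )?subnetted")
ROUTE_RE = re.compile(r"^([A-Z*]\S*)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+"
                      r"(?:\[\d+/\d+\] via (\S+), \S+, |is directly connected, )(\S+)$")


def parse_vrf_interfaces(text):
    """{ifname: (ip, vrf, protocol state)} from 'show ip vrf interfaces'."""
    out = {}
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            out[m[1]] = (m[2], m[3], m[4])
    return out


def parse_routes(text):
    """[(code, IPv4Network, next_hop or None, ifname)] from 'show ip route vrf'.

    IOS prints the prefix length once on the 'is subnetted' header and omits it
    on the indented entries below, so the header's length is carried forward.
    """
    routes, header_len = [], None
    for line in text.splitlines():
        if m := SUBNETTED_RE.match(line):
            header_len = int(m[1])
        elif m := ROUTE_RE.match(line):
            length = m[3] or header_len
            if length is not None:
                routes.append((m[1], ipaddress.IPv4Network(f"{m[2]}/{length}"), m[4], m[5]))
    return routes


def audit_vrf(interfaces, route_tables):
    """Return sorted findings correlating interface state with each VRF table."""
    findings = []
    for vrf, routes in route_tables.items():
        connected = [r for r in routes if r[0] == "C"]
        for code, net, nexthop, _ifname in routes:
            if nexthop and not any(ipaddress.IPv4Address(nexthop) in c[1] for c in connected):
                findings.append(f"VRF {vrf}: {code} {net} via {nexthop} is not on any connected subnet of this VRF")
        if not any(r[0] != "C" for r in routes):
            findings.append(f"VRF {vrf}: no routes learned from a routing protocol")
    for ifname, (ip, vrf, state) in interfaces.items():
        connected = [r for r in route_tables.get(vrf, []) if r[0] == "C" and r[3] == ifname]
        if state == "down":
            detail = "its connected prefix is absent from the table" if not connected \
                else "but its connected route is still present"
            findings.append(f"VRF {vrf}: {ifname} ({ip}) is down; {detail}")
        elif not connected or ipaddress.IPv4Address(ip) not in connected[0][1]:
            findings.append(f"VRF {vrf}: {ifname} ({ip}) is up but has no matching connected route")
    return sorted(findings)


def run():
    """Audit the embedded CE2 sample output."""
    tables = {vrf: parse_routes(text) for vrf, text in SHOW_IP_ROUTE_VRF.items()}
    return audit_vrf(parse_vrf_interfaces(SHOW_IP_VRF_INTERFACES), tables)


if __name__ == "__main__":
    for finding in run() or ["no findings"]:
        print(finding)
```

The next-hop check is the one worth keeping in a production version: in a correctly separated Multi-VRF router every learned route's next hop lies on a connected subnet of the same VRF, so a route whose next hop is only reachable in the other VRF is direct evidence of unintended leakage between the voice and data tables.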
ping vrf {vrf name} ip {ip address}
Operates the same as the standard ping command but requires a VRF table name to be specified. ping vrf must be used when the route to the destination is associated with a VRF table. Using the standard ping format to a destination reached through a VRF fails, as shown in the second example below, because the echo is sourced from the global routing table, which has no route to 38.0.0.3. Global routes can continue to use the standard ping format.

CE2# ping vrf Data ip 38.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms

CE2# ping ip 38.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
traceroute vrf {vrf name} ip {ip address}
Operates the same as the standard traceroute command but requires a VRF table name to be specified. traceroute vrf must be used when the route to the destination is associated with a VRF table; using the standard traceroute format to a destination reached through a VRF fails. Global routes can continue to use the standard traceroute format.

CE2# traceroute vrf Data ip 38.0.0.3
Type escape sequence to abort.
Tracing the route to 38.0.0.3
  1 38.0.0.3 12 msec 8 msec 12 msec
telnet {ip address} /vrf {vrf name}
Operates the same as the standard telnet command but requires a VRF table name to be specified. telnet /vrf must be used when the route to the destination is associated with a VRF table. Using the standard telnet format to a destination reached through a VRF fails, as shown in the second example below. Global routes can continue to use the standard telnet format. Telnet sends the admin password in clear text across the uplink; it is used here only as a reachability check in the lab, and ssh (also enabled on the J4300 above) is the appropriate choice otherwise.

CE2# telnet 38.0.0.3 /vrf Data
Trying 38.0.0.3 ... Open

CE1 (ttyp1)

login: admin
Password:

--- JUNOS 7.4R1.7 built 2005-10-21 01:55:06 UTC
admin@CE1>
admin@CE1> exit

[Connection to 38.0.0.3 closed by foreign host]
CE2#

CE2# telnet 38.0.0.3
Trying 38.0.0.3 ...
% Destination unreachable; gateway or host down
CE2#
5. Conclusion

As illustrated in these Application Notes, implementing Multi-VRF provides an option for Layer 3 traffic segmentation. Beyond traffic segmentation itself, Multi-VRF offers several potential benefits to customers interfacing with an MPLS VPN service provider. Multi-VRF connectivity between the Juniper and Cisco products described can be achieved by following the guidelines demonstrated in these Application Notes.