Another great feature supported by DCNM 11 concerns the extension of Layer 3 network connections from a VXLAN EVPN fabric across an external Layer 3 network using VRF-Lite hand-off from the Border leaf node toward the external Edge router.
There are different options to deploy a VRF-Lite connection to the outside of the VXLAN fabric. Either using a manual deployment or leveraging the auto-configuration process that will configure automatically the VRF-lite on a Border Leaf node toward an external Layer 3 network. VRF Lite is supported on border devices with the role of either Border Leaf node, Border Spine node or Border Gateway node. Thus, the later providing both functions, Layer 3 connectivity from a VXLAN EVPN Fabric to outside a Layer 3 network, as well as VXLAN EVPN Multi-site service offering hierarchical and integrated VXLAN EVPN to VXLAN EVPN fabric interconnection.
Prior to deploy the external VRF-lite, an External Fabric must exist, and if not, it must be created, in which the concerned external router (DCI-WAN-1) should be imported.
Manual VRF Lite Configuration
One of the key reasons for configuring the interfaces manually could be for example when the Layer 3 network is managed by an external service entity, thus the Network team has no control on the configuration which is traditionally managed by a different organization, internal or external such as a Layer 3 service operator. The first demo follows this scenario and illustrates an end-to-end manual configuration of VRF-Lite connections from the Border leaf node to an external Edge router. Actually, this manual mode comes with the default Fabric settings.
The Border leaf nodes, BW1 and BW2, being vPC peer devices, it is a best practice to configure a routed interface per device connecting the external Layer 3 network. As a result, one physical link per Border Gateway connects toward the WAN Edge router as depicted in the figure above, and demo’ed.
For that particular scenario, the external fabric management can be left to Monitor mode (default mode under Fabric setup) as we don’t need DCNM to push any configuration to the Edge router
The role of the targeted external router must be set to “Edge Router” in order to extend the VRF-Lite network. As elaborated in the previous demo, the role of “Core Router” is used for the Multi-site deployment.
The interface E1/3 of the Edge router (DCI-WAN-1) connecting the Border Leaf node BW1 of the VXLAN Fabric is manually configured with the associated sub-interface for the VRF Tenant-1. Notice the choice for the Dot1Q tag being “2” in order to be aligned with the 1st sub-interface Dot1Q from the pool (see figure below):
encapsulation dot1q 2
vrf member Tenant-1
ip address 172.16.1.2/30
Finally, for connectivity and testing purposes, a Loop-back 100 is configured for the VRF Tenant-1 in the external Edge router:
vrf member Tenant-1
ip address 22.214.171.124/3
Under the Fabric builder topology, it is crucial to check and set the role of the Border leaf node to “Border”.
From the VXLAN Fabric setup, the deployment for the VRF Lite is left to “Manual” (default).
When both, VXLAN and External Fabrics are ready, VRF-Lite can be deployed as illustrated in the video below.
Automatic VRF Lite Configuration
The second demo illustrates the automatic configuration for an external network connection using VRF Lite. We use the Border Leaf node, BW3, from the VXLAN EVPN Fabric 2 that connects the Edge Router DCI-WAN-2 belonging an External Fabric.
DCNM allows the Network Manager to automatically detect and create the external links. In order to succeed the automatic configuration for the VRF Lite IFC (Inter-Fabric Connection) stage, each physical interface should belong to a Border Leaf node set with the role “Border”, and should be connected to a device with the Edge Router role belonging to an External Fabric. Under the VXLAN Fabric setting, the VRF Lite deployment must be configured to “To External Only”. This mode gives automatically a subnet IP address range for the VRF lite interfaces (Point-to-Point).
On the External Fabric, we need to allow DCNM to manage the Edge Router. By default the External Fabric comes in “Monitor” only mode. It is crucial to uncheck the Monitor mode under the Fabric setting, thus DCNM can push the configuration to the Edge router.
As soon as the roles has been attributed for each device, Border Leaf node and Edge router) and both Fabrics has been configured accordingly, DCNM 11 will detect and provision automatically the external Links (IFC) for each interface of the Border Leaf node(s) that connects a Edge router role device. DCNM allocates the VRF Policy setup automatically to those external links using the policy called “ext_fabric_setup”.
The following demo covers two different stages. First of all, it shows the deployment of the VRF Lite with the automatic configurations for the Border Leaf node. Secondly, it demonstrates how DCNM can manage an external router using the Interface Control windows to configure a Loopback interface for network continuity testing purposes, a Sub-interface for the extension of the VRF Lite network, as well as how to push configuration using line commands (CLI) directly from DCNM via a “freeform config” template. In this example, we configure BGP setup for the VRF Tenant-1 network as the neighbor information.