Nexus 9K - VRF Lite

franklaszlo
Level 1

I am wondering if it is possible to bring up an MP-iBGP peering between two directly connected N9k switches to exchange multi-vrf routing information. No MPLS, but a direct P2P connection between them. To begin with, I can't see the vpnv4 address family appearing anywhere.

The goal would be to eliminate several per-vrf P2P peerings between the two.

Accepted Solutions

Andrea Testino
Cisco Employee

Hi there!

If I'm understanding what you are trying to do, the short answer is 'yes, you can.'

I have two Nexus 9000s connected via Eth1/1 peered over iBGP (RRs). Their sample configurations below:

Nexus-1# show run bgp

!Command: show running-config bgp
!Running configuration last done at: Mon Sep 19 21:20:42 2022
!Time: Mon Sep 19 21:27:39 2022

version 9.3(3) Bios:version 05.45
feature bgp

router bgp 65111
  router-id 1.1.1.1
  log-neighbor-changes
  address-family ipv4 unicast
    network 1.1.1.1/32
  address-family vpnv4 unicast
  neighbor 2.2.2.2
    remote-as 65111
    update-source loopback0
    address-family vpnv4 unicast
      send-community
      send-community extended
      route-reflector-client
  vrf BLUE
    address-family ipv4 unicast
  vrf RED
    address-family ipv4 unicast

Nexus-1# show run int loo0

!Command: show running-config interface loopback0
!Running configuration last done at: Mon Sep 19 21:20:42 2022
!Time: Mon Sep 19 21:30:47 2022

version 9.3(3) Bios:version 05.45

interface loopback0
  description BGP Router-ID
  ip address 1.1.1.1/32
  ip router ospf Support-Forum area 0.0.0.0

Nexus-1# show run int e1/1

!Command: show running-config interface Ethernet1/1
!Running configuration last done at: Mon Sep 19 21:20:42 2022
!Time: Mon Sep 19 21:30:49 2022

version 9.3(3) Bios:version 05.45

interface Ethernet1/1
  description To Nexus-2 iBGP
  mtu 9216
  no ip redirects
  ip address 172.18.1.1/30
  no ipv6 redirects
  ip router ospf Support-Forum area 0.0.0.0
  no shutdown


Nexus-2, who has a mock prefix in VRF RED and VRF BLUE respectively:

Nexus-2# show run bgp

!Command: show running-config bgp
!Running configuration last done at: Mon Sep 19 21:24:19 2022
!Time: Mon Sep 19 21:29:21 2022

version 9.3(3) Bios:version 05.45
feature bgp

router bgp 65111
  router-id 2.2.2.2
  log-neighbor-changes
  address-family ipv4 unicast
    network 2.2.2.2/32
  address-family vpnv4 unicast
  neighbor 1.1.1.1
    remote-as 65111
    update-source loopback0
    address-family vpnv4 unicast
      send-community
      send-community extended
      route-reflector-client
  vrf BLUE
    log-neighbor-changes
    address-family ipv4 unicast
      network 65.33.33.33/32
  vrf RED
    address-family ipv4 unicast
      network 65.22.22.22/32

Nexus-2# show run int loo0-2

!Command: show running-config interface loopback0-2
!Running configuration last done at: Mon Sep 19 21:24:19 2022
!Time: Mon Sep 19 21:29:55 2022

version 9.3(3) Bios:version 05.45

interface loopback0
  description BGP Router-Id Loo
  ip address 2.2.2.2/32
  ip router ospf Support-Forum area 0.0.0.0

interface loopback1
  description VRF RED
  vrf member RED
  ip address 65.22.22.22/32

interface loopback2
  description VRF BLUE
  vrf member BLUE
  ip address 65.33.33.33/32

Nexus-2# show run int e1/1

!Command: show running-config interface Ethernet1/1
!Running configuration last done at: Mon Sep 19 21:24:19 2022
!Time: Mon Sep 19 21:30:16 2022

version 9.3(3) Bios:version 05.45

interface Ethernet1/1
  description To Nexus-1 iBGP
  mtu 9216
  no ip redirects
  ip address 172.18.1.2/30
  no ipv6 redirects
  ip router ospf Support-Forum area 0.0.0.0
  no shutdown


You can see that although only peered once, they are exchanging routes from VRF BLUE and RED, without an additional peering over those VRFs as well.

Nexus-1# show bgp vpnv4 unicast summary
BGP summary information for VRF default, address family VPNv4 Unicast
BGP router identifier 1.1.1.1, local AS number 65111
BGP table version is 12, VPNv4 Unicast config peers 1, capable peers 1
4 network entries and 4 paths using 720 bytes of memory
BGP attribute entries [2/336], BGP AS path entries [0/0]
BGP community entries [0/0], BGP clusterlist entries [0/0]

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4 65111      62      48       12    0    0 00:30:35 2

Nexus-1# show bgp vpnv4 unicast
BGP routing table information for VRF default, address family VPNv4 Unicast
BGP table version is 12, Local Router ID is 1.1.1.1
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - best2

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 65222:65222    (VRF RED)
*>i65.22.22.22/32     2.2.2.2                           100          0 i
*>i65.33.33.33/32     2.2.2.2                           100          0 i

Route Distinguisher: 65333:65333    (VRF BLUE)
*>i65.22.22.22/32     2.2.2.2                           100          0 i
*>i65.33.33.33/32     2.2.2.2                           100          0 i

P.S.: I'm guessing the MPLS features are not yet enabled on the Nexus switch you are trying to do this on, and that is likely why you cannot see the vpnv4 AF anywhere yet.

Example -- Quick neighbor config and vpnv4 AF missing:

Nexus-2(config-router-af)# router bgp 65111
Nexus-2(config-router)# router-id 2.2.2.2
Nexus-2(config-router)# log-neighbor-changes
Nexus-2(config-router)# address-family ipv4 unicast
Nexus-2(config-router-af)# neighbor 1.1.1.1

Nexus-2(config-router-neighbor)# address-family ?
ipv4 Configure IPv4 address-family
ipv6 Configure IPv6 address-family
l2vpn Configure L2VPN address-family
link-state Configure link-state address-family

But if I enable the feature set for MPLS, then vpnv4 AF becomes available:

Nexus-2(config)# install feature-set mpls
Nexus-2(config)# feature-set mpls
Nexus-2(config)# feature mpls l3vpn


Now going back to the BGP configuration, you can see vpnv4 is now an option:

Nexus-2(config-router-neighbor)# address-family ?
ipv4 Configure IPv4 address-family
ipv6 Configure IPv6 address-family
l2vpn Configure L2VPN address-family
link-state Configure link-state address-family
vpnv4 Configure IPv4 VPN address-family
vpnv6 Configure IPv6 VPN address-family

Hope that helps get you started on this.

- Andrea, CCIE #56739 R&S
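
An added example, not part of the original post: because the single VPNv4 session above carries every VRF's routes, this Python parser reads `show bgp vpnv4 unicast` output and lists prefixes that appear in more than one VRF, so intended route-target imports can be reviewed against unintended ones. The sample text is the output quoted in the answer with column spacing reconstructed; the function names and the `allowed` parameter are hypothetical.

```python
import re

# Constructed sample: the "show bgp vpnv4 unicast" output quoted in the answer.
SAMPLE = """\
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 65222:65222    (VRF RED)
*>i65.22.22.22/32     2.2.2.2                           100          0 i
*>i65.33.33.33/32     2.2.2.2                           100          0 i

Route Distinguisher: 65333:65333    (VRF BLUE)
*>i65.22.22.22/32     2.2.2.2                           100          0 i
*>i65.33.33.33/32     2.2.2.2                           100          0 i
"""

RD_RE = re.compile(r"^Route Distinguisher:\s*(\S+)(?:\s+\(VRF\s+(\S+)\))?")
# Status and path-type flags (e.g. "*>i") followed by an IPv4 prefix with a mask.
ROUTE_RE = re.compile(r"^\s*[*>sxSdh ]*[iecIlar]?\s*(\d+\.\d+\.\d+\.\d+/\d+)\s")

def parse_vpnv4_table(text):
    """Return {label: set(prefixes)}; label is the VRF name, or the bare RD."""
    table, current = {}, None
    for line in text.splitlines():
        m = RD_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            table.setdefault(current, set())  # keep empty sections visible
            continue
        m = ROUTE_RE.match(line)
        if m and current is not None:
            table[current].add(m.group(1))
    return table

def shared_prefixes(table, allowed=frozenset()):
    """Prefixes present in more than one VRF and not on the expected list."""
    seen = {}
    for vrf, prefixes in table.items():
        for prefix in prefixes:
            seen.setdefault(prefix, set()).add(vrf)
    return {p: sorted(v) for p, v in seen.items()
            if len(v) > 1 and p not in allowed}

if __name__ == "__main__":
    found = shared_prefixes(parse_vpnv4_table(SAMPLE))
    for prefix, vrfs in sorted(found.items()):
        print(f"{prefix} visible in VRFs: {', '.join(vrfs)}")
```

Pass the prefixes that are meant to be shared between VRFs as `allowed`; anything still reported is worth checking against the route-target import and export configuration of each VRF.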


But you mention VRF-lite; why do you not use it?

I think the link below gives you the answer: you can use one P2P link and use tags to separate the traffic for each VRF.

https://wonderdam.altervista.org/blog/multi-vrf-ce-vrf-lite/

I believe Nexus is the keyword here. There is no address-family vpnv4 on N9K.

Friend, there are two ways to exchange VRF traffic:
if the peer is directly connected, then use VRF-lite;
if the peer is indirectly connected, then we use MPLS.
Here I think both N9Ks are directly connected?

franklaszlo
Level 1

Thank you for clarification @MHM Cisco World 

Could you please include a configuration example specific to NX-OS showing how to bring up iBGP peering between two directly connected boxes, allowing them to exchange vpnv4 NLRIs?

franklaszlo
Level 1

Thank you @Andrea Testino 

As I mentioned, my problem is that no vpnv4 AFI is available:

r1#(config)# router bgp 65300
r1#(config-router)# address-family ?
  ipv4        Configure IPv4 address-family
  ipv6        Configure IPv6 address-family
  l2vpn       Configure L2VPN address-family
  link-state  Configure link-state address-family

r1#(config-router)# address-family 

This is a cisco Nexus9000 C93180YC-FX Chassis running NXOS: version 9.3(6)

r1(config-router)# sh feature | i enabled
bash-shell             1          enabled 
bfd                    1          enabled 
bgp                    1          enabled 
dhcp                   1          enabled 
hsrp_engine            1          enabled 
icam                   1          enabled 
interface-vlan         1          enabled 
lacp                   1          enabled 
lldp                   1          enabled 
netconf                1          enabled 
ospf                   1          enabled(not-running)
ospf                   2          enabled(not-running)
ospf                   3          enabled(not-running)
ospf                   4          enabled(not-running)
ospf                   5          enabled(not-running)
ospf                   6          enabled(not-running)
ospf                   7          enabled(not-running)
ospf                   8          enabled(not-running)
ospf                   9          enabled(not-running)
ospf                   10         enabled(not-running)
ospf                   11         enabled(not-running)
ospf                   12         enabled(not-running)
ospf                   13         enabled(not-running)
ospf                   14         enabled(not-running)
ospf                   15         enabled(not-running)
ospf                   16         enabled(not-running)
pim                    1          enabled 
restconf               1          enabled 
scpServer              1          enabled 
sftpServer             1          enabled 
sshServer              1          enabled 
tacacs                 1          enabled 
tunnel                 1          enabled 
udld                   1          enabled 
r1(config-router)# 

What am I missing? Some feature perhaps?


Nexus-2(config)# install feature-set mpls
Nexus-2(config)# feature-set mpls
Nexus-2(config)# feature mpls l3vpn

These are the features you are missing, as @Andrea Testino mentioned above.

@HMHMHM @Andrea Testino 

My bad, I did not read through but stopped at the first config.

I much appreciate your help.

You are so so welcome any time