前提
対象OS:NX-OS搭載機器
CML2でいうNexus9000です。
知識:CCNA取得レベル。加えてBGPと再配送を知っていること。
検証環境
CML2.5で行いました。
達成条件
192.168.1.0/24のセグメントに所属しているalpine-1が他のセグメントに所属しているalpine-2(192.168.2.1)やalpine-4(192.168.2.1)に疎通できるようになること。
疎通確認
alpine-1からalpine-3へ
同じセグメントなのでpingは通ります。
alpine-1からalpine-2へ
異なるセグメントであり、VRF:AAAに経路情報がないためpingは通りません。
構成図
絵だけだと足りない情報を補足します。
・alpine-1と3はDGWとして192.168.1.254を設定
・apline-2と4はDGWとして192.168.2.254を設定
・VRF:仮想的なルーティングテーブルのこと。
事前確認
①show runを取得(※後述しますが、interface vlan100,200にhsrpの設定が抜けてました)
Nexus-1# show runn
!Command: show running-config
!No configuration change since last restart
!Time: Wed Mar 15 14:55:05 2023
version 10.3(1) Bios:version
hostname Nexus-1
vdc Nexus-1 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
feature sftp-server
cfs eth distribute
feature interface-vlan
feature hsrp
feature lacp
feature vpc
no password strength-check
username admin password 5 $5$ICPCEP$AeZr1hMgjBsbSe55y9hhvMaUJHy/pMuV/a.neHCLD4C role network-admin
username cisco password 5 $5$NNGKBI$L/Vcw3fHBztmmFTqszmwRMKudNj0j.lC5jYJBE./tZA role network-admin
username cisco passphrase lifetime 99999 warntime 14 gracetime 3
ip domain-lookup
copp profile strict
snmp-server user admin network-admin auth md5 49436605AF5246C441270214679480FF88A3 priv aes-128 330D517180938A1CD0E9948AAE2401221D74 localizedV2key
snmp-server user cisco network-admin auth md5 52234D72C03863BC03266B092CB18AEB9DAB priv aes-128 165E0E21A4BBB622BA84E1CAFB675628102B localizedV2key
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
vlan 1,100,200
vlan 100
name peer-link
vrf context AAA
vrf context BBB
vrf context management
vpc domain 1
peer-switch
role priority 100
peer-keepalive destination 172.16.10.2
peer-gateway
auto-recovery
ip arp synchronize
interface Vlan1
no ip redirects
no ipv6 redirects
interface Vlan100
no shutdown
vrf member AAA
no ip redirects
ip address 192.168.1.252/24
no ipv6 redirects
interface Vlan200
no shutdown
vrf member BBB
no ip redirects
ip address 192.168.2.252/24
no ipv6 redirects
interface port-channel1
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
vpc peer-link
interface Ethernet1/1
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
channel-group 1 mode active
interface Ethernet1/2
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
channel-group 1 mode active
interface Ethernet1/3
switchport mode trunk
switchport access vlan 100
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
interface mgmt0
vrf member management
ip address 172.16.10.1/24
icam monitor scale
line console
line vty
boot nxos bootflash:/nxos64-cs.10.3.1.F.bin
nexus-2# show running-config
!Command: show running-config
!No configuration change since last restart
!Time: Wed Mar 15 15:08:18 2023
version 10.3(1) Bios:version
hostname nexus-2
vdc nexus-2 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
feature sftp-server
cfs eth distribute
feature interface-vlan
feature hsrp
feature lacp
feature vpc
no password strength-check
username admin password 5 $5$NMPAMN$CM7.rnb9gqpDEDDD0f438Bzpx45hMIRAF3rCOQ/TeE4 role network-admin
username cisco password 5 $5$AIPLEN$1uwbCGw37V9.K3LCKur5rmy8BnzyBryC8zftez8KDg3 role network-admin
username cisco passphrase lifetime 99999 warntime 14 gracetime 3
ip domain-lookup
copp profile strict
snmp-server user admin network-admin auth md5 367B37472D7E496B023DB7A25281F4BAADAD priv aes-128 2141334232116C664963E5B644D0F5BE85DC localizedV2key
snmp-server user cisco network-admin auth md5 01731260551D6E2B713A8EB2588FA4F9BDEA priv aes-128 005054751F4F3C72525EA2984AD4A6E0B6E8 localizedV2key
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
vlan 1,100,200
vlan 100
name peer-link
vrf context AAA
vrf context BBB
vrf context management
vpc domain 1
peer-switch
role priority 200
peer-keepalive destination 172.16.10.1
peer-gateway
auto-recovery
ip arp synchronize
interface Vlan1
no ip redirects
no ipv6 redirects
interface Vlan100
no shutdown
vrf member AAA
no ip redirects
ip address 192.168.1.253/24
no ipv6 redirects
interface Vlan200
no shutdown
vrf member BBB
no ip redirects
ip address 192.168.2.253/24
no ipv6 redirects
interface port-channel1
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
vpc peer-link
interface Ethernet1/1
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
channel-group 1 mode active
interface Ethernet1/2
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
channel-group 1 mode active
interface Ethernet1/3
switchport mode trunk
switchport access vlan 200
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
interface mgmt0
vrf member management
ip address 172.16.10.2/24
icam monitor scale
line console
line vty
boot nxos bootflash:/nxos64-cs.10.3.1.F.bin
②show ip route vrf allでルーティングテーブルの状態を確認
Nexus-1# show ip route vrf all
IP Route Table for VRF “default”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
IP Route Table for VRF “management”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
172.16.10.0/24, ubest/mbest: 1/0, attached
*via 172.16.10.1, mgmt0, [0/0], 00:12:42, direct
172.16.10.1/32, ubest/mbest: 1/0, attached
*via 172.16.10.1, mgmt0, [0/0], 00:12:42, local
IP Route Table for VRF “AAA”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.252, Vlan100, [0/0], 00:09:16, direct
192.168.1.252/32, ubest/mbest: 1/0, attached
*via 192.168.1.252, Vlan100, [0/0], 00:09:16, local
IP Route Table for VRF “BBB”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.252, Vlan200, [0/0], 00:09:13, direct
192.168.2.252/32, ubest/mbest: 1/0, attached
*via 192.168.2.252, Vlan200, [0/0], 00:09:13, local
nexus-2# show ip rounexus-2# show ip route bvrnexus-2# show ip route vrf allnexus-2# show ip route vrf all
IP Route Table for VRF “default”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
IP Route Table for VRF “management”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
172.16.10.0/24, ubest/mbest: 1/0, attached
*via 172.16.10.2, mgmt0, [0/0], 00:25:03, direct
172.16.10.2/32, ubest/mbest: 1/0, attached
*via 172.16.10.2, mgmt0, [0/0], 00:25:03, local
IP Route Table for VRF “AAA”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.253, Vlan100, [0/0], 00:21:44, direct
192.168.1.253/32, ubest/mbest: 1/0, attached
*via 192.168.1.253, Vlan100, [0/0], 00:21:44, local
IP Route Table for VRF “BBB”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.253, Vlan200, [0/0], 00:21:44, direct
192.168.2.253/32, ubest/mbest: 1/0, attached
*via 192.168.2.253, Vlan200, [0/0], 00:21:44, local
設定変更
NexusではIOSと異なり、staticによるVRF Routeleakを実施することができません。
そのため、MP-BGPを使用してroute-targetによるタグを利用してRouteleakを実現します。
※どうやら機能的には可能みたいですが、負荷が非常に高くなるため設定できないようにされているようです。おそらく隠しコマンドがあるはず…?余談でした。
設定方法は以下の段取りで行います。
①BGPの起動
feature bgp
route-map ALL permit 10
!
router bgp 65535
vrf AAA
address-family ipv4 unicast
redistribute direct route-map ALL
!
router bgp 65535
vrf BBB
address-family ipv4 unicast
redistribute direct route-map ALL
route-map ALL permit 10
!
router bgp 65535
vrf AAA
address-family ipv4 unicast
redistribute direct route-map ALL
!
router bgp 65535
vrf BBB
address-family ipv4 unicast
redistribute direct route-map ALL
route-targetはMP-BGPの拡張コミュニティ属性を使用するためBGPを使います。
そのためfeatureコマンドでbgpを有効にする必要があります。
また、BGPのテーブルに載せたルート情報をさらにタグ付けすることでVRF間での経路情報を共有を実現しているため、Routeleakさせたい経路を含むセグメントを一度全てBGPへ再配布する必要があります。
そのため、コマンド例のように ALLという名前のroute-mapを使用してdirect(connected)をBGPに再配布しています。これによってVRF:AAAでいう以下の情報がBGPへ再配布されました。
[再配布された経路(show ip route vrf allより抜粋)]
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.253, Vlan100, [0/0], 00:21:44, direct
②prefix-listの作成
ip prefix-list AAA-to-BBB seq 10 permit 192.168.1.0/24
ip prefix-list BBB-to-AAA seq 10 permit 192.168.2.0/24
ip prefix-list BBB-to-AAA seq 10 permit 192.168.2.0/24
後述するroute-mapのmatch ip addressコマンドに紐づけるprefix-listを定義します。
タグ付けしたいセグメントやIPアドレスはここで指定します。
タグ付けしたいセグメントやIPアドレスはここで指定します。
③route-mapの定義とタグ付け
route-map m-AAA-to-BBB permit 10
match ip address prefix-list AAA-to-BBB
set extcommunity rt 1000:2000
route-map m-BBB-to-AAA permit 20
match ip address prefix-list BBB-to-AAA
set extcommunity rt 2000:1000
タグ付けを行うためのroute-mapを作成します。
match ip address prefix-listコマンドで先ほど作成したprefix-listを選択します。
その後、set extcommunity rtコマンドでタグ付けを行います。
今回は以下のような採番ルールとしました。
・1000→AAA、2000→BBB
・X:Y→Xは配布元のVRF名、Yは配布先のVRF名とする
④エクスポート及びインポートのルートターゲットの作成
vrf context AAA
address-family ipv4 unicast
export map m-AAA-to-BBB
route-target import 2000:1000
!
vrf context BBB
address-family ipv4 unicast
export map m-BBB-to-AAA
route-target import 1000:2000
address-family ipv4 unicast
export map m-AAA-to-BBB
route-target import 2000:1000
!
vrf context BBB
address-family ipv4 unicast
export map m-BBB-to-AAA
route-target import 1000:2000
各VRFコンテキストに入った後、タグ付けを行います。
export mapコマンドで先ほど作成したroute-mapを指定します。これが、route-target exportコマンド代わりになります。
また、挿入させたいルートのタグを、route-target importコマンドで定義します。
export mapコマンドで先ほど作成したroute-mapを指定します。これが、route-target exportコマンド代わりになります。
また、挿入させたいルートのタグを、route-target importコマンドで定義します。
事後確認
①show runを取得(※後述しますが、interface vlan100,200にhsrpの設定が抜けてました)
Nexus-1# show runnNexus-1# show running-config
!Command: show running-config
!Running configuration last done at: Wed Mar 15 14:59:31 2023
!Time: Wed Mar 15 15:02:45 2023
version 10.3(1) Bios:version
hostname Nexus-1
vdc Nexus-1 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
feature sftp-server
cfs eth distribute
feature bgp
feature interface-vlan
feature hsrp
feature lacp
feature vpc
no password strength-check
username admin password 5 $5$ICPCEP$AeZr1hMgjBsbSe55y9hhvMaUJHy/pMuV/a.neHCLD4C role network-admin
username cisco password 5 $5$NNGKBI$L/Vcw3fHBztmmFTqszmwRMKudNj0j.lC5jYJBE./tZA role network-admin
username cisco passphrase lifetime 99999 warntime 14 gracetime 3
ip domain-lookup
copp profile strict
snmp-server user admin network-admin auth md5 49436605AF5246C441270214679480FF88A3 priv aes-128 330D517180938A1CD0E9948AAE2401221D74 localizedV2key
snmp-server user cisco network-admin auth md5 52234D72C03863BC03266B092CB18AEB9DAB priv aes-128 165E0E21A4BBB622BA84E1CAFB675628102B localizedV2key
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
vlan 1,100,200
vlan 100
name peer-link
ip prefix-list AAA-to-BBB seq 10 permit 192.168.1.0/24
ip prefix-list BBB-to-AAA seq 10 permit 192.168.2.0/24
route-map ALL permit 10
route-map m-AAA-to-BBB permit 10
match ip address prefix-list AAA-to-BBB
set extcommunity rt 1000:2000
route-map m-BBB-to-AAA permit 20
match ip address prefix-list BBB-to-AAA
set extcommunity rt 2000:1000
vrf context AAA
address-family ipv4 unicast
route-target import 2000:1000
export map m-AAA-to-BBB
vrf context BBB
address-family ipv4 unicast
route-target import 1000:2000
export map m-BBB-to-AAA
vrf context management
vpc domain 1
peer-switch
role priority 100
peer-keepalive destination 172.16.10.2
peer-gateway
auto-recovery
ip arp synchronize
interface Vlan1
no ip redirects
no ipv6 redirects
interface Vlan100
no shutdown
vrf member AAA
no ip redirects
ip address 192.168.1.252/24
no ipv6 redirects
interface Vlan200
no shutdown
vrf member BBB
no ip redirects
ip address 192.168.2.252/24
no ipv6 redirects
interface port-channel1
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
vpc peer-link
interface Ethernet1/1
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
channel-group 1 mode active
interface Ethernet1/2
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
channel-group 1 mode active
interface Ethernet1/3
switchport mode trunk
switchport access vlan 100
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
interface mgmt0
vrf member management
ip address 172.16.10.1/24
icam monitor scale
line console
line vty
boot nxos bootflash:/nxos64-cs.10.3.1.F.bin
router bgp 65535
vrf AAA
address-family ipv4 unicast
redistribute direct route-map ALL
vrf BBB
address-family ipv4 unicast
redistribute direct route-map ALL
nexus-2# show runnexus-2# show running-config
!Command: show running-config
!Running configuration last done at: Wed Mar 15 15:08:59 2023
!Time: Wed Mar 15 15:09:51 2023
version 10.3(1) Bios:version
hostname nexus-2
vdc nexus-2 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
feature sftp-server
cfs eth distribute
feature bgp
feature interface-vlan
feature hsrp
feature lacp
feature vpc
no password strength-check
username admin password 5 $5$NMPAMN$CM7.rnb9gqpDEDDD0f438Bzpx45hMIRAF3rCOQ/TeE4 role network-admin
username cisco password 5 $5$AIPLEN$1uwbCGw37V9.K3LCKur5rmy8BnzyBryC8zftez8KDg3 role network-admin
username cisco passphrase lifetime 99999 warntime 14 gracetime 3
ip domain-lookup
copp profile strict
snmp-server user admin network-admin auth md5 367B37472D7E496B023DB7A25281F4BAADAD priv aes-128 2141334232116C664963E5B644D0F5BE85DC localizedV2key
snmp-server user cisco network-admin auth md5 01731260551D6E2B713A8EB2588FA4F9BDEA priv aes-128 005054751F4F3C72525EA2984AD4A6E0B6E8 localizedV2key
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
vlan 1,100,200
vlan 100
name peer-link
ip prefix-list AAA-to-BBB seq 10 permit 192.168.1.0/24
ip prefix-list BBB-to-AAA seq 10 permit 192.168.2.0/24
route-map ALL permit 10
route-map m-AAA-to-BBB permit 10
match ip address prefix-list AAA-to-BBB
set extcommunity rt 1000:2000
route-map m-BBB-to-AAA permit 20
match ip address prefix-list BBB-to-AAA
set extcommunity rt 2000:1000
vrf context AAA
address-family ipv4 unicast
route-target import 2000:1000
export map m-AAA-to-BBB
vrf context BBB
address-family ipv4 unicast
route-target import 1000:2000
export map m-BBB-to-AAA
vrf context management
vpc domain 1
peer-switch
role priority 200
peer-keepalive destination 172.16.10.1
peer-gateway
auto-recovery
ip arp synchronize
interface Vlan1
no ip redirects
no ipv6 redirects
interface Vlan100
no shutdown
vrf member AAA
no ip redirects
ip address 192.168.1.253/24
no ipv6 redirects
interface Vlan200
no shutdown
vrf member BBB
no ip redirects
ip address 192.168.2.253/24
no ipv6 redirects
interface port-channel1
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
vpc peer-link
interface Ethernet1/1
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
channel-group 1 mode active
interface Ethernet1/2
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
spanning-tree port type network
channel-group 1 mode active
interface Ethernet1/3
switchport mode trunk
switchport access vlan 200
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
interface mgmt0
vrf member management
ip address 172.16.10.2/24
icam monitor scale
line console
line vty
boot nxos bootflash:/nxos64-cs.10.3.1.F.bin
router bgp 65535
vrf AAA
address-family ipv4 unicast
redistribute direct route-map ALL
vrf BBB
address-family ipv4 unicast
redistribute direct route-map ALL
②show ip route vrf allでルーティングテーブルの状態を確認
Nexus-1# show ip route vfrNexus-1# show ip route vrf allNexus-1# show ip route vrf all
IP Route Table for VRF “default”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
IP Route Table for VRF “management”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
172.16.10.0/24, ubest/mbest: 1/0, attached
*via 172.16.10.1, mgmt0, [0/0], 00:19:36, direct
172.16.10.1/32, ubest/mbest: 1/0, attached
*via 172.16.10.1, mgmt0, [0/0], 00:19:36, local
IP Route Table for VRF “AAA”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.252, Vlan100, [0/0], 00:16:10, direct
192.168.1.252/32, ubest/mbest: 1/0, attached
*via 192.168.1.252, Vlan100, [0/0], 00:16:10, local
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.252%BBB, Vlan200, [20/0], 00:02:47, bgp-65535, external, tag 65535
IP Route Table for VRF “BBB”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.252%AAA, Vlan100, [20/0], 00:02:47, bgp-65535, external, tag 65535
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.252, Vlan200, [0/0], 00:16:07, direct
192.168.2.252/32, ubest/mbest: 1/0, attached
*via 192.168.2.252, Vlan200, [0/0], 00:16:07, local
nexus-2# show ip route vrf alnexus-2# show ip route vrf all
IP Route Table for VRF “default”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
IP Route Table for VRF “management”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
172.16.10.0/24, ubest/mbest: 1/0, attached
*via 172.16.10.2, mgmt0, [0/0], 00:27:15, direct
172.16.10.2/32, ubest/mbest: 1/0, attached
*via 172.16.10.2, mgmt0, [0/0], 00:27:15, local
IP Route Table for VRF “AAA”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.253, Vlan100, [0/0], 00:23:56, direct
192.168.1.253/32, ubest/mbest: 1/0, attached
*via 192.168.1.253, Vlan100, [0/0], 00:23:56, local
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.253%BBB, Vlan200, [20/0], 00:01:09, bgp-65535, external, tag 65535
IP Route Table for VRF “BBB”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.253%AAA, Vlan100, [20/0], 00:01:09, bgp-65535, external, tag 65535
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.253, Vlan200, [0/0], 00:23:56, direct
192.168.2.253/32, ubest/mbest: 1/0, attached
*via 192.168.2.253, Vlan200, [0/0], 00:23:56, local
赤字のように、各VRFのルーティングテーブルで異なるVRFからのルートが表示されるようになりました。
③hsrp設定完了後のshow ip route vrf allの出力
hsrpの設定を忘れていたので設定完了後に再度取得したものを載せます
Nexus-1# Nexus-1# show ip route vrf all
IP Route Table for VRF “default”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
IP Route Table for VRF “management”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
172.16.10.0/24, ubest/mbest: 1/0, attached
*via 172.16.10.1, mgmt0, [0/0], 01:10:50, direct
172.16.10.1/32, ubest/mbest: 1/0, attached
*via 172.16.10.1, mgmt0, [0/0], 01:10:50, local
IP Route Table for VRF “AAA”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.252, Vlan100, [0/0], 01:07:24, direct
192.168.1.252/32, ubest/mbest: 1/0, attached
*via 192.168.1.252, Vlan100, [0/0], 01:07:24, local
192.168.1.254/32, ubest/mbest: 1/0, attached
*via 192.168.1.254, Vlan100, [0/0], 00:11:30, hsrp
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.252%BBB, Vlan200, [20/0], 00:54:01, bgp-65535, external, tag 65535
IP Route Table for VRF “BBB”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.252%AAA, Vlan100, [20/0], 00:54:01, bgp-65535, external, tag 65535
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.252, Vlan200, [0/0], 01:07:21, direct
192.168.2.252/32, ubest/mbest: 1/0, attached
*via 192.168.2.252, Vlan200, [0/0], 01:07:21, local
192.168.2.254/32, ubest/mbest: 1/0, attached
*via 192.168.2.254, Vlan200, [0/0], 00:09:07, hsrp
Nexus-2# show ip route vrf all
IP Route Table for VRF “default”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
IP Route Table for VRF “management”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
172.16.10.0/24, ubest/mbest: 1/0, attached
*via 172.16.10.2, mgmt0, [0/0], 01:10:57, direct
172.16.10.2/32, ubest/mbest: 1/0, attached
*via 172.16.10.2, mgmt0, [0/0], 01:10:57, local
IP Route Table for VRF “AAA”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.253, Vlan100, [0/0], 01:07:38, direct
192.168.1.253/32, ubest/mbest: 1/0, attached
*via 192.168.1.253, Vlan100, [0/0], 01:07:38, local
192.168.1.254/32, ubest/mbest: 1/0, attached
*via 192.168.1.254, Vlan100, [0/0], 00:11:26, hsrp
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.253%BBB, Vlan200, [20/0], 00:44:51, bgp-65535, external, tag 65535
IP Route Table for VRF “BBB”
‘*’ denotes best ucast next-hop
‘**’ denotes best mcast next-hop
‘[x/y]’ denotes [preference/metric]
‘%<string>’ in via output denotes VRF <string>
192.168.1.0/24, ubest/mbest: 1/0, attached
*via 192.168.1.253%AAA, Vlan100, [20/0], 00:44:51, bgp-65535, external, tag 65535
192.168.2.0/24, ubest/mbest: 1/0, attached
*via 192.168.2.253, Vlan200, [0/0], 01:07:38, direct
192.168.2.253/32, ubest/mbest: 1/0, attached
*via 192.168.2.253, Vlan200, [0/0], 01:07:38, local
192.168.2.254/32, ubest/mbest: 1/0, attached
*via 192.168.2.254, Vlan200, [0/0], 00:09:45, hsrp
疎通確認
VRF間で無事に目的のセグメントをRouteleakできたので
alpine-1から他のalpineに対して疎通してみましょう。
alpine-1からalpine-2へのping(成功)
alpine-1からalpine-4へのping(成功)
alpine-1からalpine-3へのping(成功) ※元々疎通できます。
まとめ
・VRF Routeleakで異なるVRFの疎通は可能
・特定の経路のみを配布したい場合はroute-mapを使用したタグ付けが必要
・NX-OS搭載機器ではBGPによるVRF Routeleakしか出来ない
コメント