Cisco Day at the Movies
GLBP & VRF-lite

Tim Thomas
Customer Solutions Architect

BRKSEC-2005 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Agenda

• Gateway Load-Balancing Protocol (GLBP)
• Network Virtualization with VRF-lite
First Hop Routing Protocols

• Hot Standby Router Protocol (HSRP)
  - Cisco informational RFC 2281 (March 1998)
  - Patented: US Patent 5,473,599, December 5, 1995
• Virtual Router Redundancy Protocol (VRRP)
  - IETF Standard RFC 2338 (April 1998)
  - Now made obsolete by RFC 3768 (www.ietf.org/rfc/rfc3768.txt)
• Gateway Load Balancing Protocol (GLBP)
  - Cisco innovation, load sharing, patent pending
Previous Multi-VLAN Load Balancing Methods

Figure: two distribution switches serving VLANs A and B. Layer-2 mode load balancing: the first switch is HSRP 1 active (1A) and HSRP 2 standby (2S), the second is HSRP 1 standby (1S) and HSRP 2 active (2A), over a VLAN trunk carrying A and B. Layer-3 mode load balancing: VLANs A and B each routed by a separate switch.
Gateway Load Balancing Protocol

• Cisco innovation (patent pending)
• GLBP goes beyond both HSRP and VRRP
  - Previously, backup Layer-3 devices in the HSRP or VRRP group remained inactive, leaving underutilized capacity
• With GLBP, ALL L3 devices in the GLBP group actively participate in packet forwarding
  - Without allocating additional subnets
  - Without configuring multiple groups per subnet
  - Without pre-directing end stations to specific gateways (vIP addresses)
• The intelligence is in the network
  - No extra administrative burden
  - Better return on investment
  - Fully utilize resources, reduce potential for packet loss
GLBP Campus Deployment

Figure: two distribution switches (A and B) with all uplinks in use in front of the campus network, and two wiring-closet switches below them. Callouts: use both switches, all uplinks; multiple GLBP groups, one virtual IP per group; multiple virtual MACs, one per forwarder per group; one subnet per wiring closet switch; vIP addresses; automatic load sharing on a per host basis.
  vMACs owned by switch A: 0007.B400.0101 (group 1), 0007.B400.0201 (group 2)
  vMACs owned by switch B: 0007.B400.0102 (group 1), 0007.B400.0202 (group 2)
  vIP addresses: 10.88.1.10 (hosts in the first closet use GW = 10.88.1.10), 10.88.2.10 (hosts in the second closet use GW = 10.88.2.10)
  Hosts in each closet alternate between forwarder A and forwarder B (A B, B A, A B, B A, ...).
How GLBP Works
R1 is the AVG; R1, R2 and R3 all forward traffic

Gateway routers (one GLBP group, vIP 10.0.0.10):

  Router  Role           IP          MAC             vIP        vMAC
  R1      AVG/AVF, SVF   10.0.0.254  0000.0c12.3456  10.0.0.10  0007.b400.0101
  R2      AVF, SVF       10.0.0.253  0000.0C78.9abc  10.0.0.10  0007.b400.0102
  R3      AVF, SVF       10.0.0.252  0000.0cde.f123  10.0.0.10  0007.b400.0103

Clients (all configured with GW 10.0.0.10) each send an ARP request for the gateway. The AVG (R1) answers every request, handing out a different forwarder's vMAC each time, so the three clients are spread across the three forwarders:

  Client  IP         MAC             GW         ARP reply for GW
  CL1     10.0.0.1   aaaa.aaaa.aa01  10.0.0.10  0007.B400.0101 (R1)
  CL2     10.0.0.2   aaaa.aaaa.aa02  10.0.0.10  0007.B400.0102 (R2)
  CL3     10.0.0.3   aaaa.aaaa.aa03  10.0.0.10  0007.B400.0103 (R3)
What about Flooding?

• Traffic from 'B' devices may not be seen on switch A
• CAM aging may cause excessive flooding for asymmetric return traffic
• Mitigate by matching the CAM aging timer with the ARP cache timeout (default, 4 hours)
  - CAM aging > ARP cache timeout, so the switch does not age out a host's MAC entry while the gateway still holds an ARP entry for that host and keeps sending it unicast

Figure: switches A and B joined by a Layer 3 link, with the attached hosts alternating between forwarder A and forwarder B (A B A B ...).
GLBP – Protocol Details

• 'Hello' messages are exchanged between group members
  - AVG election by priority
  - vMAC distribution, learning of VF instances
• GLBP uses the following multicast destination for packets sent to all GLBP group members: 224.0.0.102, UDP port 3222
• Virtual MAC addresses are of the form 0007.b4yy.yyyy, where yy.yyyy is the lower 24 bits; these bits consist of 6 zero bits, 10 bits that correspond to the GLBP group number, and 8 bits that correspond to the virtual forwarder number
  - 0007.b400.0102: last 24 bits = 0000 0000 0000 0001 0000 0010 = GLBP group 1, forwarder 2
• The protocol allows for 1024 groups and 255 forwarders
  - The number of forwarders is capped at 4
  - Hardware restrictions limit the actual number of groups and forwarders
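The vMAC layout above, worked through in code. This is an added example (not from the deck): it decodes and builds 0007.b4yy.yyyy addresses and, as a defender's check, flags gateway MACs seen in ARP replies that are not vMACs of the expected group; the sample replies are constructed from the "How GLBP Works" slide plus one stray physical MAC.

```python
"""GLBP virtual MAC decoder (added example, not from the deck).
Layout: 0007.b4 prefix, then 24 bits = 6 zero bits | 10-bit group | 8-bit forwarder."""
import re
from typing import Optional

GLBP_PREFIX = 0x0007B4    # upper 24 bits of every GLBP vMAC
MAX_GROUP = 1023          # 10-bit field: 1024 groups
MAX_FORWARDERS = 4        # practical cap per group stated in the deck

def _mac_to_int(mac: str) -> int:
    """Accept 0007.b400.0102, 00:07:b4:00:01:02 or 00-07-b4-00-01-02."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def decode_glbp_vmac(mac: str) -> Optional[tuple[int, int]]:
    """Return (group, forwarder) for a well-formed GLBP vMAC, else None."""
    value = _mac_to_int(mac)
    if value >> 24 != GLBP_PREFIX:
        return None
    low24 = value & 0xFFFFFF
    if low24 >> 18:               # the 6 leading bits of the low 24 must be zero
        return None
    return (low24 >> 8) & 0x3FF, low24 & 0xFF

def encode_glbp_vmac(group: int, forwarder: int) -> str:
    """Build the dotted-hex vMAC for a group/forwarder pair."""
    if not (0 <= group <= MAX_GROUP and 0 <= forwarder <= 0xFF):
        raise ValueError("group must be 0-1023 and forwarder 0-255")
    value = (GLBP_PREFIX << 24) | (group << 8) | forwarder
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def audit_arp_replies(replies: dict[str, str], expected_group: int) -> list[str]:
    """Flag gateway MACs (client IP -> MAC in its ARP reply) that are not vMACs of expected_group."""
    findings = []
    for client, mac in replies.items():
        decoded = decode_glbp_vmac(mac)
        if decoded is None:
            findings.append(f"{client}: {mac} is not a GLBP vMAC")
            continue
        group, fwd = decoded
        if group != expected_group:
            findings.append(f"{client}: {mac} is GLBP group {group}, expected {expected_group}")
        elif not 1 <= fwd <= MAX_FORWARDERS:
            findings.append(f"{client}: {mac} names forwarder {fwd}, outside 1-{MAX_FORWARDERS}")
    return findings

# Constructed sample: the three replies from the "How GLBP Works" slide plus a stray MAC.
SAMPLE_REPLIES = {
    "10.0.0.1": "0007.B400.0101",
    "10.0.0.2": "0007.B400.0102",
    "10.0.0.3": "0007.B400.0103",
    "10.0.0.4": "0000.0c12.3456",   # R1's physical MAC, not a vMAC
}

if __name__ == "__main__":
    print(decode_glbp_vmac("0007.b400.0102"))        # (1, 2): group 1, forwarder 2
    for line in audit_arp_replies(SAMPLE_REPLIES, expected_group=1):
        print(line)
```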
GLBP Configuration Example

!
interface GigabitEthernet2/0
 ip address 10.88.49.1 255.255.255.0
 duplex full
 glbp 1 ip 10.88.49.10
 glbp 1 priority 105
 glbp 1 authentication text magicword
 glbp 1 weighting 100 lower 95
 glbp 1 weighting track 10 decrement 10
 glbp 1 forwarder preempt delay minimum 0

Note: "authentication text" carries the key in cleartext in every hello and only guards against accidental group mismatches; IOS also offers "glbp 1 authentication md5 key-string <key>" for a keyed hash. The tracked object 10 referenced by "weighting track 10" is defined elsewhere and is not shown on the slide.
Agenda

• Gateway Load-Balancing Protocol (GLBP)
• Network Virtualization with VRF-lite
  - What Is Network Virtualization?
  - Network Virtualization Components
  - Deploying Network Virtualization in the Campus
  - Extending VRFs Across the MAN/WAN
Network Virtualization
Problem Definition

• NV provides an answer to multiple business problems
  - Communities of interest
  - NAC remediation
  - Regulatory compliance
• Closed user groups
  - Private
  - Secure
  - Independent policies
• End-to-end shared infrastructure

Figure: employee servers, remediation servers and the Internet reached over one shared infrastructure by employee, partner and guest users; a client with an unhealthy posture is shown alongside the remediation servers.
Network Virtualization
Creation of Logical Partitions

• Virtualization: one-to-many (one network supports many virtual networks)
• End-user perspective is that of being connected to a dedicated network (security, independent set of policies, routing decisions...)
• Must have a rock-solid campus design in place before adding virtualization to the network

Figure: three virtual networks (COI 1, COI 2, and a segregated department for regulatory compliance) layered over the actual physical infrastructure.
Network Virtualization
Functional Architecture

Access Control (Branch – Campus)
  Functions:
  • Authenticate client (user, device, app) attempting to gain network access
  • Authorize client into a partition (VLAN)
  • Deny access to unauthenticated clients

Path Isolation (WAN – MAN – Campus; GRE, MPLS, VRFs)
  Functions:
  • Maintain traffic partitioned over Layer 3 infrastructure
  • Transport traffic over isolated Layer 3 partitions
  • Map Layer 3 isolated path to VLANs in access and services edge

Services Edge (Data Center – Internet Edge – Campus; shared or dedicated services)
  Functions:
  • Provide access to services
  • Apply policy per partition
  • Isolate application environments if necessary
Access Control
Authentication, Authorization

• Authentication: who/what is requesting access?
  - Holistic control: client-based, infrastructure integrated (802.1X)
  - User-based control: clientless (web authentication)
  - Device-specific control: MAC-address based
  - Static control: physical security
• Authorization: where/how is the access granted?
  - Allow access to the network from a particular VLAN

Figure: edge access control applied where clients attach to the network.
Path Isolation
Functional Components

• Device virtualization
  - Control plane virtualization
  - Data plane virtualization
  - Services virtualization
  - Per VRF: a virtual routing table and a virtual forwarding table (the figure shows one device holding two VRFs plus the global table)
• Data path virtualization
  - Hop-by-hop: 802.1q (VRF-Lite end-to-end)
  - Multi-hop: IP (VRF-Lite+GRE), MPLS-VPN

VRF: Virtual Routing and Forwarding
Services Edge
Sharing Services Between VPNs

• Services usually not duplicated per group
• Economical
• Efficient and manageable
• Policies centrally deployed

Figure: Red, Blue and Green VPNs (with Red, Blue and Green users) cross a shared Internet/campus core to reach a shared resource block holding the services shared for all groups: Internet gateway, video server, firewall and NAT, hosted content, DHCP resources.
Step 1: Definition of New VLANs
Multitier Deployment

• Campus best practice design is to keep VLAN IDs unique per access layer switch
• Total number of required VLANs is the product of the number of VRFs configured and the number of access layer switches
• Requirement to plan for new VLANs and IP subnets allocation
• Increase control plane load for protocols like STP, HSRP, etc.

Figure: campus core, L3 distribution layer, Layer 2 trunks down to two access switches; the first carries VLAN 21 Red, VLAN 22 Green, VLAN 23 Blue, the second VLAN 31 Red, VLAN 32 Green, VLAN 33 Blue.
Step 2: VLANs to VRF Mapping
Multitier Deployment

• Define VRFs on the distribution layer devices (first L3 hop in a campus multitier design)
• One VRF dedicated to each virtual network ("Red", "Green", etc.)
• Multiple VLANs defined at the access layer map to the same VRF
  - "Red" VLANs (21, 31) are mapped to the same "Red" VRF
• The chosen path isolation technique is deployed from the distribution layer toward the routed core

Figure: as in Step 1, with VRF Red, VRF Green and VRF Blue defined on the distribution switches; VLAN 21 Red and VLAN 31 Red map to VRF Red, VLAN 22 Green and VLAN 32 Green to VRF Green, VLAN 23 Blue and VLAN 33 Blue to VRF Blue.
Step 1: Definition of New VLANs
Routed Access Deployment

• Move the boundaries between L2 and L3 domains down to the access layer
• Same VLAN IDs can be used on each access layer switch
• Requirement to plan for new IP subnets allocation
• No increase on control plane load
  - No need for HSRP/GLBP/VRRP or STP between access and distribution layer devices

Figure: campus core, L3 distribution layer, Layer 3 links down to two access switches, each carrying VLAN 21 Red, VLAN 22 Green, VLAN 23 Blue.
Step 2: VLANs to VRF Mapping
Routed Access Deployment

• Define VRFs on the access layer devices (first L3 hops in a campus routed access design)
• One VRF dedicated to each virtual network ("Red", "Green", etc.)
• Each VLAN defined at the access layer maps to the corresponding VRF
  - "Red" VLANs (21, 31) are mapped to the same "Red" VRF defined in the different switches
• The chosen path isolation technique must be deployed from the access layer devices

Figure: as in Step 1, with VRF Red, VRF Green and VRF Blue defined on each access switch.
Example CLI
VLANs to VRF Mapping Configuration

Defining the VRFs:
ip vrf Red
 rd 1:1
!
ip vrf Green
 rd 2:2
!
Defining the VLANs (L2 and SVI) and mapping them to the VRFs:
vlan 21
 name Red_access_switch_1
!
vlan 22
 name Green_access_switch_1
!
interface Vlan21
 description Red on Access Switch 1
 ip vrf forwarding Red
 ip address 10.137.21.1 255.255.255.0
!
interface Vlan22
 description Green on Access Switch 1
 ip vrf forwarding Green
 ip address 10.137.22.1 255.255.255.0
VRF-Lite End-to-End
How Does It Work?

1. Create L2 VLANs and trunk them to the first L3 device
2. Define VRFs at the first L3 device and map the L2 VLANs to the proper VRF
3. Define VRFs on all the other L3 devices in the network
4. Configure as trunks all the physical links connecting the L3 devices in the network
   - Create VLAN interfaces or subinterfaces and map them to the corresponding VRF
5. Define unique VLANs on each trunk to be associated to each VRF
6. Enable a routing protocol in each VRF
7. Traffic is now carried end-to-end across the network maintaining logical isolation between the defined groups

Figure: access VLANs 10 and 20 enter the first L3 device; each trunk between L3 devices carries its own VLAN per VRF (VLANs 11 to 16 for one group and 21 to 26 for the other), with IGPs running inside each VRF.
VRF-Lite End-to-End
General Design Considerations

• VRF-lite on all routed hops: core and distribution (sometimes access)
  - VLANs are not extended across the campus network
• Every physical link is virtualized to carry multiple logical routed links
  - 802.1q tags provide single hop data path virtualization
• These virtualized links do not extend VLANs throughout the campus
• The relationship of physical to logical networks is a matter of replication
  - Virtualization of every network device and every physical link connecting them

Figure: a Layer 3 campus between two L2 edges; every hop is a routed hop carrying 802.1q tags, not bridged.
VRF-Lite End-to-End
Trunk with Switchports and SVIs

• Links between L3 devices defined as L2 trunks with switchports
• Unique VLANs used for global table, Green and Red traffic
• Logical SVIs mapped to the Green and Red VRFs

Catalyst-1:
interface GigabitEthernet1/1
 description --- Trunk to Catalyst-2 ---
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2000-2002
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Vlan2000
 description --- Global table ---
 ip address 10.1.1.1 255.255.255.252
!
interface Vlan2001
 description --- Green VPN ---
 ip vrf forwarding Green
 ip address 11.1.1.1 255.255.255.252
!
interface Vlan2002
 description --- Red VPN ---
 ip vrf forwarding Red
 ip address 12.1.1.1 255.255.255.252

Catalyst-2:
interface GigabitEthernet2/2
 description --- Trunk to Catalyst-1 ---
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2000-2002
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Vlan2000
 description --- Global table ---
 ip address 10.1.1.2 255.255.255.252
!
interface Vlan2001
 description --- Green VPN ---
 ip vrf forwarding Green
 ip address 11.1.1.2 255.255.255.252
!
interface Vlan2002
 description --- Red VPN ---
 ip vrf forwarding Red
 ip address 12.1.1.2 255.255.255.252

Figure: Cisco Catalyst-1 (g1/1, g1/2) trunked to Cisco Catalyst-2 (g2/2) and Cisco Catalyst-3 (g2/2); each trunk carries the global table, the Green VRF and the Red VRF on VLANs 2000 to 2002. SVI: Switched Virtual Interface.
VRF-Lite End-to-End
Trunk with Routed Ports

• Links between L3 devices defined as routed ports with subinterfaces
• Global table traffic is sent untagged
• Each additional subinterface is associated to a unique VLAN and mapped to a separate VRF
• Easier migration: configuration on the main interface (used for global traffic) remains unchanged
• Currently supported on Cisco Catalyst 6500 Series only

Catalyst-1:
interface GigabitEthernet1/1
 description --- Global table ---
 ip address 10.1.1.1 255.255.255.252
!
interface GigabitEthernet1/1.2001
 description --- Green VPN ---
 encapsulation dot1q 2001
 ip vrf forwarding Green
 ip address 11.1.1.1 255.255.255.252
!
interface GigabitEthernet1/1.2002
 description --- Red VPN ---
 encapsulation dot1q 2002
 ip vrf forwarding Red
 ip address 12.1.1.1 255.255.255.252

Catalyst-2:
interface GigabitEthernet2/2
 description --- Global table ---
 ip address 10.1.1.2 255.255.255.252
!
interface GigabitEthernet2/2.2001
 description --- Green VPN ---
 encapsulation dot1q 2001
 ip vrf forwarding Green
 ip address 11.1.1.2 255.255.255.252
!
interface GigabitEthernet2/2.2002
 description --- Red VPN ---
 encapsulation dot1q 2002
 ip vrf forwarding Red
 ip address 12.1.1.2 255.255.255.252

Figure: same topology as the previous slide (Cisco Catalyst-1 g1/1 and g1/2 to Cisco Catalyst-2 g2/2 and Cisco Catalyst-3 g2/2), with the Green VRF and Red VRF carried on the tagged subinterfaces.
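A consistency check for the two ends of one of these trunks, as an added example (not the deck's or Cisco's code): it parses the interface stanzas of both switches, in either the SVI form or the routed-subinterface form shown above, and reports any VLAN whose VRF assignment or /30 differs between the ends, since a VLAN placed in Green on one switch and Red on the other would join the two partitions. The sample configs are constructed from the slide's Catalyst-1/Catalyst-2 example, with Catalyst-2's Green address deliberately off-subnet.

```python
"""VRF-lite trunk consistency check (added example, not from the deck).
Each 802.1q VLAN on a trunk between two L3 devices must map to the same VRF (or the
global table) on both ends and be numbered from one /30. Handles the SVI form
(interface VlanNNNN) and the routed-subinterface form (encapsulation dot1q NNNN)."""
import ipaddress
import re

# Constructed from the slide's Catalyst-1/Catalyst-2 SVI example; Catalyst-2's Green
# address is deliberately off-subnet so the check has a finding to report.
CATALYST_1 = """
interface Vlan2001
 ip vrf forwarding Green
 ip address 11.1.1.1 255.255.255.252
!
interface Vlan2002
 ip vrf forwarding Red
 ip address 12.1.1.1 255.255.255.252
"""
CATALYST_2 = """
interface Vlan2001
 ip vrf forwarding Green
 ip address 11.11.1.2 255.255.255.252
!
interface Vlan2002
 ip vrf forwarding Red
 ip address 12.1.1.2 255.255.255.252
"""

def parse_links(config: str) -> dict:
    """Map VLAN id (or 'untagged' for a main routed port) -> (vrf, IPv4Interface)."""
    links = {}
    for stanza in re.split(r"^!\s*$", config, flags=re.M):
        addr = re.search(r"^\s*ip address (\S+) (\S+)", stanza, re.M)
        if not re.search(r"^interface \S+", stanza, re.M) or not addr:
            continue                                   # not a routed link
        vlan = (re.search(r"^interface Vlan(\d+)", stanza, re.M)
                or re.search(r"^\s*encapsulation dot1q (\d+)", stanza, re.M))
        vrf = re.search(r"^\s*ip vrf forwarding (\S+)", stanza, re.M)
        key = int(vlan.group(1)) if vlan else "untagged"
        links[key] = (vrf.group(1) if vrf else "global",
                      ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}"))
    return links

def check_trunk(cfg_a: str, cfg_b: str) -> list[str]:
    """One finding per VLAN whose two ends disagree; an empty list means consistent."""
    a, b = parse_links(cfg_a), parse_links(cfg_b)
    findings = []
    for key in sorted(set(a) | set(b), key=str):
        if key not in a or key not in b:
            findings.append(f"VLAN {key}: present on one side only")
            continue
        (vrf_a, if_a), (vrf_b, if_b) = a[key], b[key]
        if vrf_a != vrf_b:
            findings.append(f"VLAN {key}: VRF mismatch {vrf_a} vs {vrf_b} (partitions joined)")
        if if_a.network != if_b.network:
            findings.append(f"VLAN {key}: {if_a} and {if_b} are not in the same subnet")
    return findings

if __name__ == "__main__":
    for finding in check_trunk(CATALYST_1, CATALYST_2):
        print(finding)   # VLAN 2001: 11.1.1.1/30 and 11.11.1.2/30 are not in the same subnet
```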
VRF-Lite End-to-End
Virtualizing the Routing Protocol

• Recommendation is to use in each VRF the same routing protocol already leveraged in the global table (usually EIGRP or OSPF)
• Routing design principles adopted in the global table can simply be replicated in each virtual network
  - Summarization boundaries
  - IGP timer tuning
  - Area definition for OSPF
VRF-Lite End-to-End
Virtual Routing Processes

• Each VRF instance needs a separate IGP process (OSPF) or address family (EIGRP, RIPv2)
  - Enabled on all L3 devices
• Devices peer over separate routing instances

OSPF:
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface default
 no passive-interface vlan 2000
!
router ospf 100 vrf Green
 network 11.0.0.0 0.255.255.255 area 0
 no passive-interface vlan 2001
!
router ospf 200 vrf Red
 network 12.0.0.0 0.255.255.255 area 0
 no passive-interface vlan 2002

EIGRP:
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface vlan 2000
 no auto-summary
 !
 address-family ipv4 vrf Green
  autonomous-system 100
  network 11.0.0.0 0.255.255.255
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf Red
  autonomous-system 100
  network 12.0.0.0 0.255.255.255
  no auto-summary
 exit-address-family
! The "autonomous-system" line inside each VRF address family is added here:
! classic-mode EIGRP does not run in a VRF without it, and the slide omitted it.

Figure: Cisco Catalyst-1 g1/1 and Cisco Catalyst-2 g2/2 form separate IGP peerings for the global table, the Green VRF and the Red VRF over VLANs 2000 to 2002.
VRF-Lite End-to-End
Summary

Deployment
• End-to-end IP based solution
• Easy migration from existing campus architecture
• Any to any connectivity within VPNs
• Enterprise scale
• Supported on Catalyst 6500, 4500, 3700 families
• Supported on Nexus 7000

Application and Services
• Supports both wired and wireless networks
• Multiple VRF-aware services available

Learning Curve
• Familiar routing protocols can be used
• IP alternative to MPLS

Management
• Virtual Network Management (VNM) available with LMS 3.2 (Summer 2009)
• Provisioning, troubleshooting and monitoring for VRF network

Figure: a Layer 3 campus between two L2 edges; every hop is a routed hop carrying 802.1q tags, not bridged.
Extensibility over the MAN/WAN

Groups must be extensible over:
• The private MAN/WAN
• The Internet

Figure: two LANs joined across the MAN/WAN by tunnels, L2 or L3 VPNs (GRE, RFC2547, etc.).
MAN/WAN Extensibility
Different Options Available

• The virtual networks may need to be extended over the MAN/WAN
• There are several technical alternatives; some examples:
  - MPLS over L2 service
  - DMVPN per VRF
  - RFC2547 over DMVPN
  - Carrier-supporting-carrier (where the service is available)
• The choice depends largely on the enterprise's MAN/WAN contracts and platform support
• Next-generation MPLS VPN MAN/WAN design guide: http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor13
Trivia
Q and A

1) Question: In GLBP, which component answers ARPs from hosts – the AVF or the AVG?
   Answer: The Active Virtual Gateway (AVG)

2) Question: What does the acronym VRF stand for?
   Answer: Virtual Routing and Forwarding