Verifying route leaking of connected routes between VRFs on a Cisco Nexus, using Cisco's simulator (CML).
Pre-change verification
Configuration (before)
Nexus9000
nxos9000-0# show running-config
!Command: show running-config
!Running configuration last done at: Sun Feb 25 04:45:23 2024
!Time: Sun Feb 25 04:50:55 2024
version 9.3(8) Bios:version
hostname nxos9000-0
vdc nxos9000-0 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource u4route-mem minimum 248 maximum 248
limit-resource u6route-mem minimum 96 maximum 96
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
feature interface-vlan
no password strength-check
username admin password 5 $5$DMJNOB$FPbte5i/ZCmXEPgFz6qrs8qk2GelFlFzSci17/WufF/ role network-admin
username cisco password 5 $5$HHOOPD$Z9yNM/8wCpqcbrbatVxgX33IgaKd3tt/CNi0g13qrH1 role network-admin
username cisco passphrase lifetime 99999 warntime 14 gracetime 3
ip domain-lookup
snmp-server user admin network-admin auth md5 49526421E583DA77F5AC18D6C33EEDE11C78 priv 21450F4890F8D52BE3D351E9D010FEF50C7E localizedV2key
snmp-server user cisco network-admin auth md5 49763829F2AFF508D69922D59C77F2FB1839 priv 52231B4A8FB6A303EFF92BBECF0EE8EB5430 localizedV2key
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
vlan 1,10-11,20-21
vrf context VRF-1
vrf context VRF-2
vrf context management
interface Vlan1
interface Vlan10
no shutdown
vrf member VRF-1
ip address 10.0.10.254/24
interface Vlan11
no shutdown
vrf member VRF-1
ip address 10.0.11.254/24
interface Vlan20
no shutdown
vrf member VRF-2
ip address 10.0.20.254/24
interface Vlan21
no shutdown
vrf member VRF-2
ip address 10.0.21.254/24
interface Ethernet1/1
switchport access vlan 10
interface Ethernet1/2
switchport access vlan 11
interface Ethernet1/3
switchport access vlan 20
interface Ethernet1/4
switchport access vlan 21
interface Ethernet1/5
! <omitted>
interface Ethernet1/64
interface mgmt0
vrf member management
icam monitor scale
line console
exec-timeout 0
line vty
exec-timeout 0
boot nxos bootflash:/nxos.9.3.8.bin sup-1
no logging console
Routing tables (before)
VRF-1 routing table
nxos9000-0# show ip route vrf VRF-1
IP Route Table for VRF "VRF-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.0.10.0/24, ubest/mbest: 1/0, attached
*via 10.0.10.254, Vlan10, [0/0], 00:39:24, direct
10.0.10.254/32, ubest/mbest: 1/0, attached
*via 10.0.10.254, Vlan10, [0/0], 00:39:24, local
10.0.11.0/24, ubest/mbest: 1/0, attached
*via 10.0.11.254, Vlan11, [0/0], 00:39:24, direct
10.0.11.254/32, ubest/mbest: 1/0, attached
*via 10.0.11.254, Vlan11, [0/0], 00:39:24, local
VRF-2 routing table
nxos9000-0# show ip route vrf VRF-2
IP Route Table for VRF "VRF-2"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.0.20.0/24, ubest/mbest: 1/0, attached
*via 10.0.20.254, Vlan20, [0/0], 00:40:44, direct
10.0.20.254/32, ubest/mbest: 1/0, attached
*via 10.0.20.254, Vlan20, [0/0], 00:40:44, local
10.0.21.0/24, ubest/mbest: 1/0, attached
*via 10.0.21.254, Vlan21, [0/0], 00:40:44, direct
10.0.21.254/32, ubest/mbest: 1/0, attached
*via 10.0.21.254, Vlan21, [0/0], 00:40:44, local
Connectivity check (before)
- alpine-0 → alpine-1: ping OK (same VRF)
alpine-0:~$ ping 10.0.11.1
PING 10.0.11.1 (10.0.11.1): 56 data bytes
64 bytes from 10.0.11.1: seq=0 ttl=42 time=2.417 ms
64 bytes from 10.0.11.1: seq=1 ttl=42 time=2.293 ms
64 bytes from 10.0.11.1: seq=2 ttl=42 time=3.042 ms
64 bytes from 10.0.11.1: seq=3 ttl=42 time=2.406 ms
^C
--- 10.0.11.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 2.293/2.539/3.042 ms
- alpine-0 → alpine-2: ping NG (different VRF, no route)
alpine-0:~$ ping 10.0.20.1
PING 10.0.20.1 (10.0.20.1): 56 data bytes
^C
--- 10.0.20.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
- alpine-0 → alpine-3: ping NG (different VRF, no route)
alpine-0:~$ ping 10.0.21.1
PING 10.0.21.1 (10.0.21.1): 56 data bytes
^C
--- 10.0.21.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
Adding the route-leak configuration
* Allow inter-VRF communication only between VRF-1 (10.0.10.0/24) and VRF-2 (10.0.20.0/24); 10.0.11.0/24 and 10.0.21.0/24 stay isolated.
The leak is a static route whose next hop is an interface in the other VRF. The syntax is:
ip route <destination network> <interface the destination network is connected to> vrf <destination VRF>
It must be configured in both VRFs: the route in VRF-1 forwards traffic toward VRF-2, and the route in VRF-2 is what brings the replies back. With only one direction configured, packets are delivered one way and the replies are dropped.
nxos9000-0# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
nxos9000-0(config)# vrf context VRF-1
nxos9000-0(config-vrf)# ip route 10.0.20.0/24 Vlan20 vrf VRF-2
nxos9000-0(config-vrf)# vrf context VRF-2
nxos9000-0(config-vrf)# ip route 10.0.10.0/24 Vlan10 vrf VRF-1
nxos9000-0(config-vrf)# end
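As an added example (not part of the original post, and not a Cisco tool), the following Python script derives the two `ip route ... vrf` commands entered above from the SVI stanzas of the running-config, always emits both directions, and rejects a leak whose destination prefix is not a connected network of the VRF it is claimed to belong to. The config excerpt is copied from the pre-change running-config; the function and variable names are the example's own.

```python
from ipaddress import ip_interface, ip_network

# Constructed input: the SVI stanzas copied from the pre-change running-config
# above (the Ethernet, mgmt0 and global lines are not needed here).
RUNNING_CONFIG = """\
interface Vlan10
  no shutdown
  vrf member VRF-1
  ip address 10.0.10.254/24
interface Vlan11
  no shutdown
  vrf member VRF-1
  ip address 10.0.11.254/24
interface Vlan20
  no shutdown
  vrf member VRF-2
  ip address 10.0.20.254/24
interface Vlan21
  no shutdown
  vrf member VRF-2
  ip address 10.0.21.254/24
"""


def parse_svis(config):
    """Map each connected network to (interface, vrf) from 'interface' stanzas.
    An interface without 'vrf member' is recorded as belonging to 'default'."""
    svis, iface, vrf = {}, None, "default"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface, vrf = line.split()[1], "default"
        elif line.startswith("vrf member "):
            vrf = line.split()[2]
        elif line.startswith("ip address ") and iface:
            svis[ip_interface(line.split()[2]).network] = (iface, vrf)
    return svis


def leak_config(svis, vrf_a, prefix_a, vrf_b, prefix_b):
    """Return the NX-OS lines that leak prefix_b into vrf_a and prefix_a into
    vrf_b. Both directions are always generated, because a route in only one
    VRF forwards packets one way and drops the replies. A prefix that is not
    a connected network of the VRF it is claimed to live in is rejected
    rather than turned into a static route pointing at the wrong VRF."""
    lines = []
    for src_vrf, dst_vrf, dst_prefix in ((vrf_a, vrf_b, prefix_b),
                                         (vrf_b, vrf_a, prefix_a)):
        net = ip_network(dst_prefix)
        iface, owner = svis.get(net, (None, None))
        if owner != dst_vrf:
            raise ValueError(f"{net} is not a connected network of {dst_vrf}")
        lines += [f"vrf context {src_vrf}",
                  f"  ip route {net} {iface} vrf {dst_vrf}"]
    return lines


SVIS = parse_svis(RUNNING_CONFIG)

if __name__ == "__main__":
    # Reproduces the four configuration lines entered in the session above.
    print("\n".join(leak_config(SVIS, "VRF-1", "10.0.10.0/24",
                                "VRF-2", "10.0.20.0/24")))
```

Run as-is it prints the `vrf context VRF-1` / `ip route 10.0.20.0/24 Vlan20 vrf VRF-2` / `vrf context VRF-2` / `ip route 10.0.10.0/24 Vlan10 vrf VRF-1` block; asking it to leak 10.0.11.0/24 as a VRF-2 network raises, since that prefix is connected in VRF-1.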
Post-change verification
Configuration (after)
Nexus9000
nxos9000-0# show running-config
!Command: show running-config
!Running configuration last done at: Sun Feb 25 05:02:14 2024
!Time: Sun Feb 25 05:11:33 2024
version 9.3(8) Bios:version
hostname nxos9000-0
vdc nxos9000-0 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource u4route-mem minimum 248 maximum 248
limit-resource u6route-mem minimum 96 maximum 96
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
feature interface-vlan
no password strength-check
username admin password 5 $5$DMJNOB$FPbte5i/ZCmXEPgFz6qrs8qk2GelFlFzSci17/WufF/ role network-admin
username cisco password 5 $5$HHOOPD$Z9yNM/8wCpqcbrbatVxgX33IgaKd3tt/CNi0g13qrH1 role network-admin
username cisco passphrase lifetime 99999 warntime 14 gracetime 3
ip domain-lookup
snmp-server user admin network-admin auth md5 49526421E583DA77F5AC18D6C33EEDE11C78 priv 21450F4890F8D52BE3D351E9D010FEF50C7E localizedV2key
snmp-server user cisco network-admin auth md5 49763829F2AFF508D69922D59C77F2FB1839 priv 52231B4A8FB6A303EFF92BBECF0EE8EB5430 localizedV2key
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
vlan 1,10-11,20-21
vrf context VRF-1
ip route 10.0.20.0/24 Vlan20 vrf VRF-2
vrf context VRF-2
ip route 10.0.10.0/24 Vlan10 vrf VRF-1
vrf context management
interface Vlan1
interface Vlan10
no shutdown
vrf member VRF-1
ip address 10.0.10.254/24
interface Vlan11
no shutdown
vrf member VRF-1
ip address 10.0.11.254/24
interface Vlan20
no shutdown
vrf member VRF-2
ip address 10.0.20.254/24
interface Vlan21
no shutdown
vrf member VRF-2
ip address 10.0.21.254/24
interface Ethernet1/1
switchport access vlan 10
interface Ethernet1/2
switchport access vlan 11
interface Ethernet1/3
switchport access vlan 20
interface Ethernet1/4
switchport access vlan 21
interface Ethernet1/5
! <omitted>
interface Ethernet1/64
interface mgmt0
vrf member management
icam monitor scale
line console
exec-timeout 0
line vty
exec-timeout 0
boot nxos bootflash:/nxos.9.3.8.bin sup-1
no logging console
Routing tables (after)
VRF-1 routing table
nxos9000-0# show ip route vrf VRF-1
IP Route Table for VRF "VRF-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.0.10.0/24, ubest/mbest: 1/0, attached
*via 10.0.10.254, Vlan10, [0/0], 01:29:00, direct
10.0.10.254/32, ubest/mbest: 1/0, attached
*via 10.0.10.254, Vlan10, [0/0], 01:29:00, local
10.0.11.0/24, ubest/mbest: 1/0, attached
*via 10.0.11.254, Vlan11, [0/0], 01:29:00, direct
10.0.11.254/32, ubest/mbest: 1/0, attached
*via 10.0.11.254, Vlan11, [0/0], 01:29:00, local
10.0.20.0/24, ubest/mbest: 1/0, attached
*via 10.0.20.254%VRF-2, Vlan20, [1/0], 00:34:46, static ← added: next hop resolved in VRF-2, static preference 1
VRF-2 routing table
nxos9000-0# show ip route vrf VRF-2
IP Route Table for VRF "VRF-2"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.0.10.0/24, ubest/mbest: 1/0, attached
*via 10.0.10.254%VRF-1, Vlan10, [1/0], 00:36:48, static ← added: next hop resolved in VRF-1, static preference 1
10.0.20.0/24, ubest/mbest: 1/0, attached
*via 10.0.20.254, Vlan20, [0/0], 01:31:03, direct
10.0.20.254/32, ubest/mbest: 1/0, attached
*via 10.0.20.254, Vlan20, [0/0], 01:31:03, local
10.0.21.0/24, ubest/mbest: 1/0, attached
*via 10.0.21.254, Vlan21, [0/0], 01:31:03, direct
10.0.21.254/32, ubest/mbest: 1/0, attached
*via 10.0.21.254, Vlan21, [0/0], 01:31:03, local
Connectivity check (after)
- alpine-0 → alpine-1: ping OK (unchanged, same VRF)
alpine-0:~$ ping 10.0.11.1
PING 10.0.11.1 (10.0.11.1): 56 data bytes
64 bytes from 10.0.11.1: seq=0 ttl=42 time=2.375 ms
64 bytes from 10.0.11.1: seq=1 ttl=42 time=2.509 ms
64 bytes from 10.0.11.1: seq=2 ttl=42 time=2.540 ms
64 bytes from 10.0.11.1: seq=3 ttl=42 time=2.528 ms
^C
--- 10.0.11.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 2.375/2.488/2.540 ms
- alpine-0 → alpine-2: ping OK (reachable after the config change; 10.0.20.0/24 is leaked into VRF-1 and 10.0.10.0/24 into VRF-2)
alpine-0:~$ ping 10.0.20.1
PING 10.0.20.1 (10.0.20.1): 56 data bytes
64 bytes from 10.0.20.1: seq=0 ttl=42 time=2.719 ms
64 bytes from 10.0.20.1: seq=1 ttl=42 time=2.316 ms
64 bytes from 10.0.20.1: seq=2 ttl=42 time=2.637 ms
64 bytes from 10.0.20.1: seq=3 ttl=42 time=2.411 ms
^C
--- 10.0.20.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 2.316/2.520/2.719 ms
- alpine-0 → alpine-3: ping NG (still isolated; 10.0.21.0/24 was not leaked)
alpine-0:~$ ping 10.0.21.1
PING 10.0.21.1 (10.0.21.1): 56 data bytes
^C
--- 10.0.21.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
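To audit the result without pinging every host pair, here is an added example (again not from the original post) that parses the post-change `show ip route vrf` output shown above, lists every route carrying the `%<vrf>` next-hop marker, and computes the expected reachability between the four Alpine hosts, including the return-path requirement. The targets 10.0.11.1, 10.0.20.1 and 10.0.21.1 come from the ping tests; alpine-0's own address 10.0.10.1 is an assumption, as are all function names.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the post-change tables from this lab, trimmed to the
# per-prefix lines (the local /32 entries and the legend are left out).
SHOW_IP_ROUTE = {
    "VRF-1": """\
IP Route Table for VRF "VRF-1"
10.0.10.0/24, ubest/mbest: 1/0, attached
    *via 10.0.10.254, Vlan10, [0/0], 01:29:00, direct
10.0.11.0/24, ubest/mbest: 1/0, attached
    *via 10.0.11.254, Vlan11, [0/0], 01:29:00, direct
10.0.20.0/24, ubest/mbest: 1/0, attached
    *via 10.0.20.254%VRF-2, Vlan20, [1/0], 00:34:46, static
""",
    "VRF-2": """\
IP Route Table for VRF "VRF-2"
10.0.10.0/24, ubest/mbest: 1/0, attached
    *via 10.0.10.254%VRF-1, Vlan10, [1/0], 00:36:48, static
10.0.20.0/24, ubest/mbest: 1/0, attached
    *via 10.0.20.254, Vlan20, [0/0], 01:31:03, direct
10.0.21.0/24, ubest/mbest: 1/0, attached
    *via 10.0.21.254, Vlan21, [0/0], 01:31:03, direct
""",
}

# Host placement in the lab. 10.0.11.1, 10.0.20.1 and 10.0.21.1 are the ping
# targets from the post; alpine-0's own address 10.0.10.1 is an assumption.
HOSTS = {
    "alpine-0": ("VRF-1", "10.0.10.1"),
    "alpine-1": ("VRF-1", "10.0.11.1"),
    "alpine-2": ("VRF-2", "10.0.20.1"),
    "alpine-3": ("VRF-2", "10.0.21.1"),
}

PREFIX_RE = re.compile(r"^(\S+/\d+), ubest/mbest")
# next hop, optional %VRF suffix, interface, [pref/metric], uptime, protocol
VIA_RE = re.compile(
    r"^\s*\*via ([^,%\s]+)(?:%([^,\s]+))?, (\S+), \[(\d+)/(\d+)\], \S+, (\w+)"
)


def parse_show_ip_route(text):
    """Return (prefix, nexthop, nexthop_vrf or None, iface, proto) tuples."""
    routes, prefix = [], None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix = ip_network(m.group(1))
            continue
        m = VIA_RE.match(line)
        if m and prefix is not None:
            nh, nh_vrf, iface, _pref, _metric, proto = m.groups()
            routes.append((prefix, nh, nh_vrf, iface, proto))
    return routes


def leaked_routes(vrf, routes):
    """Routes resolved in another VRF: the '%<vrf>' marker on the next hop."""
    return [r for r in routes if r[2] is not None and r[2] != vrf]


def lookup(routes, dst):
    """Longest-prefix match for dst; None when the VRF has no route at all."""
    addr = ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def can_reach(tables, src_vrf, src_ip, dst_vrf, dst_ip):
    """True only if the forward route lands in dst_vrf AND dst_vrf holds a
    route back into src_vrf; a one-way leak fails on the return path."""
    fwd = lookup(tables[src_vrf], dst_ip)
    if fwd is None or (fwd[2] or src_vrf) != dst_vrf:
        return False
    back = lookup(tables[dst_vrf], src_ip)
    return back is not None and (back[2] or dst_vrf) == src_vrf


def reachability(tables, hosts):
    """Expected ping matrix {(src_host, dst_host): bool} over distinct hosts."""
    return {(s, d): can_reach(tables, sv, si, dv, di)
            for s, (sv, si) in hosts.items()
            for d, (dv, di) in hosts.items() if s != d}


TABLES = {vrf: parse_show_ip_route(out) for vrf, out in SHOW_IP_ROUTE.items()}

if __name__ == "__main__":
    for vrf, routes in TABLES.items():
        for prefix, nh, nh_vrf, iface, proto in leaked_routes(vrf, routes):
            print(f"{vrf}: {prefix} leaked from {nh_vrf} via {nh} on {iface} ({proto})")
    for (src, dst), ok in sorted(reachability(TABLES, HOSTS).items()):
        print(f"{src} -> {dst}: {'OK' if ok else 'NG'}")
```

The leak list reports exactly one prefix per VRF (10.0.20.0/24 in VRF-1, 10.0.10.0/24 in VRF-2), and the matrix reproduces the three ping results above: alpine-0 reaches alpine-1 and alpine-2 but not alpine-3. It also shows why both static routes matter: alpine-3 has a forward route toward 10.0.10.0/24 through VRF-1, but VRF-1 has no route back to 10.0.21.0/24, so that pair is reported unreachable.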