Enabling Routing Between Virtual Networks
In this section, you’ll enable routing between the blue and the green virtual networks so that servers in either network can reach each other. Contrail Command activates a logical router and uses centrally-routed bridging to place IRB interfaces on the spine devices. After Contrail Command configures the devices, network traffic from the blue and green networks travels over a VXLAN tunnel from the leaf devices to the spine devices. At the spine devices, the traffic is routed at Layer 3 to interconnect the blue and green networks.
Figure 1 provides a high-level illustration of the resulting network that enables ESX-VM01 (blue) to reach BMS2 and BMS4 (green) by way of the EVPN/VXLAN overlay.
Configuring Routing Between Virtual Networks
This section sets up Contrail Networking and enables routing so that different VLAN subnets and VXLAN VNIs can reach each other. To use Contrail Command to configure routing between networks, do the following:
- Navigate to the Logical Routers screen at Overlay > Logical Routers, as shown in Figure 2.
- Click Create, as shown in Figure 3.
- Fill in the following fields to define the logical router,
as shown in Table 1.
Table 1: Logical Router Fields
Field
Explanation
Values used in this example
Name
Name of your logical router
logical-router-1
Admin State
Administrative state you want the logical router to have when activated
Up
Extend to Physical Router
Add the devices that will provide routing services
Note: For CRB, select the spine devices to provide routing.
qfx10K2-11
qfx10K2-12
External Gateway
Specify a gateway to reach networks external to the fabric
None
Connected networks
Add the virtual networks (VLANs or VNIs) that you want to connect through the logical router
blue
green
VxLAN Network Identifier
VNI(s) to assign to the logical router
Note: If you use the default value, Contrail Command automatically selects VNIs for you.
Default value (1 - 167...)
Figure 4 shows the values used in this example.
- Click Create. The logical router is generated and activated, as shown in Figure 5.
- Confirm the routing configuration was pushed to the fabric
devices. The following configuration excerpts show the logical router-based
configurations generated by Contrail Command:
Leaf 4:
set groups __contrail_overlay_evpn__ protocols evpn vni-options vni 11 vrf-target target:64512:8000004set groups __contrail_overlay_evpn__ protocols evpn vni-options vni 10 vrf-target target:64512:8000003set groups __contrail_overlay_evpn__ protocols evpn encapsulation vxlanset groups __contrail_overlay_evpn__ protocols evpn extended-vni-list allset groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-import term t1 from community target_64512_8000005set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-import term t1 from community target_64512_8000004set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-import term t1 then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-export term t1 then community add target_64512_8000005set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-export term t1 then community add target_64512_8000004set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-export term t1 then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-import term t1 from community target_64512_8000005set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-import term t1 from community target_64512_8000003set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-import term t1 then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-export term t1 then community add target_64512_8000005set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-export term t1 then community add target_64512_8000003set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-export term t1 then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement import-evpn term esi-in from community community-esi-inset groups __contrail_overlay_evpn__ policy-options policy-statement import-evpn term esi-in then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement import-evpn term default-term then rejectset groups __contrail_overlay_evpn__ policy-options community target_64512_8000005 members target:64512:8000005set groups __contrail_overlay_evpn__ policy-options community target_64512_8000004 members target:64512:8000004set groups __contrail_overlay_evpn__ policy-options community target_64512_8000003 members target:64512:8000003set groups __contrail_overlay_evpn__ policy-options community community-esi-in members target:64512:1set groups __contrail_overlay_evpn__ switch-options vtep-source-interface lo0.0set groups __contrail_overlay_evpn__ switch-options route-distinguisher 192.168.255.4:1set groups __contrail_overlay_evpn__ switch-options vrf-import _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-importset groups __contrail_overlay_evpn__ switch-options vrf-import _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-importset groups __contrail_overlay_evpn__ switch-options vrf-import import-evpnset groups __contrail_overlay_evpn__ switch-options vrf-target target:64512:1Spine 2:
set groups __contrail_overlay_evpn__ protocols evpn vni-options vni 11 vrf-target target:64512:8000004set groups __contrail_overlay_evpn__ protocols evpn vni-options vni 10 vrf-target target:64512:8000003set groups __contrail_overlay_evpn__ protocols evpn encapsulation vxlanset groups __contrail_overlay_evpn__ protocols evpn extended-vni-list allset groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-import term t1 from community target_64512_8000005set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-import term t1 from community target_64512_8000004set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-import term t1 then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-export term t1 then community add target_64512_8000005set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-export term t1 then community add target_64512_8000004set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-export term t1 then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-import term t1 from community target_64512_8000005set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-import term t1 from community target_64512_8000003set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-import term t1 then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-export term t1 then community add target_64512_8000005set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-export term t1 then community add target_64512_8000003set groups __contrail_overlay_evpn__ policy-options policy-statement _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-export term t1 then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement import-evpn term esi-in from community community-esi-inset groups __contrail_overlay_evpn__ policy-options policy-statement import-evpn term esi-in then acceptset groups __contrail_overlay_evpn__ policy-options policy-statement import-evpn term default-term then rejectset groups __contrail_overlay_evpn__ policy-options community target_64512_8000005 members target:64512:8000005set groups __contrail_overlay_evpn__ policy-options community target_64512_8000004 members target:64512:8000004set groups __contrail_overlay_evpn__ policy-options community target_64512_8000003 members target:64512:8000003set groups __contrail_overlay_evpn__ policy-options community community-esi-in members target:64512:1set groups __contrail_overlay_evpn__ switch-options vtep-source-interface lo0.0set groups __contrail_overlay_evpn__ switch-options route-distinguisher 192.168.255.101:1set groups __contrail_overlay_evpn__ switch-options vrf-import _contrail_blue-7bc4a8a1-2679-495e-b021-41c079da83af-l2-11-importset groups __contrail_overlay_evpn__ switch-options vrf-import _contrail_green-07afaf2d-0f27-47a0-b888-ade3f0a55b59-l2-10-importset groups __contrail_overlay_evpn__ switch-options vrf-import import-evpnset groups __contrail_overlay_evpn__ switch-options vrf-target target:64512:1set groups __contrail_overlay_evpn_gateway__ interfaces irb gratuitous-arp-replyset groups __contrail_overlay_evpn_gateway__ interfaces irb unit 10 proxy-macip-advertisementset groups __contrail_overlay_evpn_gateway__ interfaces irb unit 10 virtual-gateway-accept-dataset groups __contrail_overlay_evpn_gateway__ interfaces irb unit 10 family inet address 192.168.10.5/24 preferredset groups __contrail_overlay_evpn_gateway__ interfaces irb unit 10 family inet address 192.168.10.5/24 virtual-gateway-address 192.168.10.1set groups __contrail_overlay_evpn_gateway__ interfaces irb unit 10 virtual-gateway-v4-mac 00:00:5e:01:00:01set groups __contrail_overlay_evpn_gateway__ interfaces irb unit 11 proxy-macip-advertisementset groups __contrail_overlay_evpn_gateway__ interfaces irb unit 11 virtual-gateway-accept-dataset groups __contrail_overlay_evpn_gateway__ interfaces irb unit 11 family inet address 192.168.11.5/24 preferredset groups __contrail_overlay_evpn_gateway__ interfaces irb unit 11 family inet address 192.168.11.5/24 virtual-gateway-address 192.168.11.1set groups __contrail_overlay_evpn_gateway__ interfaces irb unit 11 virtual-gateway-v4-mac 00:00:5e:01:00:01set groups __contrail_overlay_evpn_gateway__ vlans bd-10 vlan-id 10set groups __contrail_overlay_evpn_gateway__ vlans bd-10 l3-interface irb.10set groups __contrail_overlay_evpn_gateway__ vlans bd-10 vxlan vni 10set groups __contrail_overlay_evpn_gateway__ vlans bd-11 vlan-id 11set groups __contrail_overlay_evpn_gateway__ vlans bd-11 l3-interface irb.11set groups __contrail_overlay_evpn_gateway__ vlans bd-11 vxlan vni 11 - Verify connectivity between the blue and green VLANs by
issuing a ping command. If you can reach the blue network by sending
a ping to the green network, routing services are working properly.
The output below shows a successful ping from servers BMS2 and BMS4 to server ESX-VM01 and vice versa.
BMS2:
[user@BMS2 ~]# ping 192.168.11.110 PING 192.168.11.110 (192.168.11.110) 56(84) bytes of data. 64 bytes from 192.168.11.110: icmp_seq=1 ttl=63 time=0.535 ms 64 bytes from 192.168.11.110: icmp_seq=2 ttl=63 time=0.436 ms 64 bytes from 192.168.11.110: icmp_seq=3 ttl=63 time=0.414 ms ^C --- 192.168.11.110 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2001ms rtt min/avg/max/mdev = 0.414/0.461/0.535/0.058 ms
BMS4:
[user@BMS4 ~]# ping 192.168.11.110 PING 192.168.11.110 (192.168.11.110) 56(84) bytes of data. 64 bytes from 192.168.11.110: icmp_seq=1 ttl=63 time=0.619 ms 64 bytes from 192.168.11.110: icmp_seq=2 ttl=63 time=0.607 ms 64 bytes from 192.168.11.110: icmp_seq=3 ttl=63 time=0.636 ms ^C --- 192.168.11.110 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2000ms rtt min/avg/max/mdev = 0.607/0.620/0.636/0.031 ms
ESX-VM01:
[user@ESX-VM01 ~]# ping 192.168.10.20 PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data. 64 bytes from 192.168.10.20: icmp_seq=1 ttl=63 time=0.403 ms 64 bytes from 192.168.10.20: icmp_seq=2 ttl=63 time=0.528 ms 64 bytes from 192.168.10.20: icmp_seq=3 ttl=63 time=0.521 ms ^C --- 192.168.10.20 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2000ms rtt min/avg/max/mdev = 0.403/0.484/0.528/0.057 ms
[user@ESX-VM01 ~]# ping 192.168.10.40 PING 192.168.10.40 (192.168.10.40) 56(84) bytes of data. 64 bytes from 192.168.10.40: icmp_seq=1 ttl=63 time=0.360 ms 64 bytes from 192.168.10.40: icmp_seq=2 ttl=63 time=0.475 ms 64 bytes from 192.168.10.40: icmp_seq=3 ttl=63 time=0.487 ms ^C --- 192.168.10.40 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2000ms rtt min/avg/max/mdev = 0.360/0.440/0.487/0.062 ms
- Verify connectivity between the spine and leaf devices
across the VXLAN tunnel.
The output below shows a successful ping from Spine 1 to Leaf 2 and Leaf 4, and vice versa.
Spine 1:
user@qfx10k2-11> ping 192.168.255.2 PING 192.168.255.2 (192.168.255.2): 56 data bytes 64 bytes from 192.168.255.2: icmp_seq=0 ttl=64 time=6.747 ms 64 bytes from 192.168.255.2: icmp_seq=1 ttl=64 time=9.664 ms 64 bytes from 192.168.255.2: icmp_seq=2 ttl=64 time=1.667 ms ^C --- 192.168.255.2 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.667/6.026/9.664/3.304 ms
user@qfx10k2-11> ping 192.168.255.4 PING 192.168.255.4 (192.168.255.4): 56 data bytes 64 bytes from 192.168.255.4: icmp_seq=0 ttl=64 time=1.229 ms 64 bytes from 192.168.255.4: icmp_seq=1 ttl=64 time=72.999 ms 64 bytes from 192.168.255.4: icmp_seq=2 ttl=64 time=1.387 ms ^C --- 192.168.255.4 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.229/25.205/72.999/33.796 ms
Leaf 2:
user@qfx5100-8> ping 192.168.255.101 PING 192.168.255.101 (192.168.255.101): 56 data bytes 64 bytes from 192.168.255.101: icmp_seq=0 ttl=64 time=11.518 ms 64 bytes from 192.168.255.101: icmp_seq=1 ttl=64 time=11.158 ms 64 bytes from 192.168.255.101: icmp_seq=2 ttl=64 time=11.150 ms ^C --- 192.168.255.101 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 11.150/11.275/11.518/0.172 ms
Leaf 4:
user@qfx5110-8> ping 192.168.255.101 PING 192.168.255.101 (192.168.255.101): 56 data bytes 64 bytes from 192.168.255.101: icmp_seq=0 ttl=64 time=39.511 ms 64 bytes from 192.168.255.101: icmp_seq=1 ttl=64 time=1.486 ms 64 bytes from 192.168.255.101: icmp_seq=2 ttl=64 time=2.897 ms ^C --- 192.168.255.101 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.486/14.631/39.511/17.602 ms
Enabling Routing Between Virtual Networks — Release History
Table 2 provides a history of all of the features in this section and their support within this reference design.
Table 2: Enabling Routing Between Virtual Networks in the Contrail Enterprise Multicloud—Release History
Release | Description |
---|---|
Stage 1 | All features documented in this section are supported on all devices within the reference design running Junos OS Release 17.3R3-S3 or later, and Contrail 5.0.2 or later. |