Configure Virtual Networks for Multi-tenant Service Operations
This section shows how to configure Layer 2 and Layer 3 multi-tenant network services on two virtual networks, blue and green, as shown in Figure 1.
This is a typical day one operation that provides virtual network connectivity that isolates traffic between the virtual networks while allowing bridged or routed connectivity for devices in the same virtual network.
To create the Green and Blue networks in Contrail Command, we will configure the following:
- Four virtual networks, two Green and two Blue
- Four VPGs to add the access interfaces to the servers
- Two Logical Routers (LRs) for inter-VN communication, one for the Green virtual network and one for the Blue virtual network

At this point we do not have communication between the green and blue networks. LRs cannot connect to other LRs. For inter-LR, or inter-tenant communication, you need to connect the LRs using service chaining. See Configure Service Chaining With PNF.
Create Virtual Networks
A virtual network in the Contrail environment allows hosts in the same network to communicate with each other. This is similar to assigning a VLAN to each host so that hosts on the same VLAN can reach each other.
In this section, we will create four virtual networks, two for the green network and two for the blue virtual network.

To configure a virtual network:
- Navigate to Overlay > Virtual Networks and click Create.
Table 1: Field Descriptions for Virtual Networks

| Field | Description |
| --- | --- |
| Name | Name of the virtual network. |
| Allocation Mode | Method used to create the virtual network. |
| VXLAN Network Identifier | VNI number. The default setting is automatically generated. |
| Subnet Fields | Use this area to identify and manage subnets for the virtual network. You can add multiple subnets to a virtual network. |
| Network IPAM | IP address management method for the subnet. |
| CIDR | IP subnet you plan to use for this switching domain. |
| Gateway | Address of gateway used for this switching domain. |

- Fill in the following fields to define four virtual networks.

By default, Contrail Networking uses the first available host ID in the subnet for that subnet’s default gateway. As a result, it’s good practice to avoid assigning host ID 1 to VMs or BMSs.

| Name | Allocation Mode | Subnets: Network IPAM | Subnets: CIDR | Subnets: Gateway |
| --- | --- | --- | --- | --- |
| Green-1 | Default setting of “User defined subnet only” | Default-domain:default-project:default | 10.2.1.0/24 | 10.2.1.1 |
| Green-2 | Default setting of “User defined subnet only” | Default-domain:default-project:default | 10.2.3.0/24 | 10.2.3.1 |
| Blue-1 | Default setting of “User defined subnet only” | Default-domain:default-project:default | 10.2.2.0/24 | 10.2.2.1 |
| Blue-2 | Default setting of “User defined subnet only” | Default-domain:default-project:default | 10.2.4.0/24 | 10.2.4.1 |

- When the virtual networks are created, the Virtual Networks screen displays. You will see that both the green and blue networks are available.
Assign Interfaces to VLANs with Virtual Port Groups
You configure VPGs to add interfaces to your virtual networks. In this section, we will add the access interfaces from the leaf devices to the servers as shown in Figure 2.

To create a VPG:
- Navigate to Overlay > Virtual Port Group and click Create.
- Create four VPGs with the values shown in the following table.

To assign a physical interface, find the interface under Available Physical Interface. There can be multiple pages of interfaces. To move an interface to the Assigned Physical Interface, click the > next to the interface.

| Name | Assigned Physical Interface | Network | VLAN ID |
| --- | --- | --- | --- |
| VPG1-Green-1 | xe-0/0/23:0 | Green-1 | 101 |
| VPG2-Green-2 | xe-0/0/23:0 | Green-2 | 103 |
| VPG1-Blue-1 | xe-0/0/23:0 | Blue-1 | 102 |
| VPG2-Blue-2 | xe-0/0/23:0 | Blue-2 | 104 |

Enable Layer 3 Routing on Virtual Networks Using Logical Routers
CEM uses logical routers (LRs) to enable routing on virtual networks. It does so by creating a VRF routing instance for each logical router with IRB interfaces on the spine devices. After CEM configures the devices, network traffic from the blue and green networks travels over a VXLAN tunnel from the leaf devices to the spine devices. At the spine devices, the traffic is routed at Layer 3.
In this section, we will enable routing on the blue and the green virtual networks as shown in Figure 3.

To configure the logical routers:
- Navigate to Overlay > Logical Routers, and click Create.
- Create two logical routers as shown in the following table:

| Name | Extend to Physical Router | Logical Router Type | Connected Networks |
| --- | --- | --- | --- |
| LR-Blue | DC2-Spine1, DC2-Spine2 | VXLAN Routing | Blue-1, Blue-2 |
| LR-Green | DC2-Spine1, DC2-Spine2 | VXLAN Routing | Green-1, Green-2 |

Verify Your Virtual Network Configuration
- On a spine device, check that IRB interfaces are configured. There are two IRBs for each virtual network.

    interfaces {
        irb {
            gratuitous-arp-reply;
            unit 10 {
                proxy-macip-advertisement;
                virtual-gateway-accept-data;
                family inet {
                    address 10.2.4.5/24 {
                        preferred;
                        virtual-gateway-address 10.2.4.1;
                    }
                }
                virtual-gateway-v4-mac 00:00:5e:01:00:01;
            }
            unit 7 {
                proxy-macip-advertisement;
                virtual-gateway-accept-data;
                family inet {
                    address 10.2.1.5/24 {
                        preferred;
                        virtual-gateway-address 10.2.1.1;
                    }
                }
                virtual-gateway-v4-mac 00:00:5e:01:00:01;
            }
            unit 8 {
                proxy-macip-advertisement;
                virtual-gateway-accept-data;
                family inet {
                    address 10.2.3.5/24 {
                        preferred;
                        virtual-gateway-address 10.2.3.1;
                    }
                }
                virtual-gateway-v4-mac 00:00:5e:01:00:01;
            }
            unit 9 {
                proxy-macip-advertisement;
                virtual-gateway-accept-data;
                family inet {
                    address 10.2.2.5/24 {
                        preferred;
                        virtual-gateway-address 10.2.2.1;
                    }
                }
                virtual-gateway-v4-mac 00:00:5e:01:00:01;
            }
        }
    }

- On a spine device, check that VLANs are configured.

    vlans {
        bd-10 {
            description "Virtual Network - Blue-2";
            vlan-id none;
            l3-interface irb.10;
            vxlan {
                vni 10;
            }
        }
        bd-7 {
            description "Virtual Network - Green-1";
            vlan-id none;
            l3-interface irb.7;
            vxlan {
                vni 7;
            }
        }
        bd-8 {
            description "Virtual Network - Green-2";
            vlan-id none;
            l3-interface irb.8;
            vxlan {
                vni 8;
            }
        }
        bd-9 {
            description "Virtual Network - Blue-1";
            vlan-id none;
            l3-interface irb.9;
            vxlan {
                vni 9;
            }
        }
    }

- On a spine device, check that VRFs are configured, one for the green network and one for the blue network. Note that the IRB interfaces are added to the VRFs.

    routing-instances {
        __contrail_LR-Green_1c9709a7-ae39-4c89-a8c1-3b74e62526b2 {
            instance-type vrf;
            interface lo0.1012;
            interface irb.8;
            interface irb.7;
            vrf-import __contrail_LR-Green_1c9709a7-ae39-4c89-a8c1-3b74e62526b2-import;
            vrf-export __contrail_LR-Green_1c9709a7-ae39-4c89-a8c1-3b74e62526b2-export;
            routing-options {
                rib __contrail_LR-Green_1c9709a7-ae39-4c89-a8c1-3b74e62526b2.inet6.0 {
                    multipath;
                }
                static {
                    route 172.16.0.17/32 discard;
                }
                multipath;
            }
            protocols {
                evpn {
                    ip-prefix-routes {
                        advertise direct-nexthop;
                        encapsulation vxlan;
                        vni 12;
                        export type5_policy;
                    }
                }
            }
        }
        __contrail_LR-Blue_da1c6373-326a-4e6e-97ef-3d228515baee {
            instance-type vrf;
            interface lo0.1011;
            interface irb.10;
            interface irb.9;
            interface irb.15;
            vrf-import __contrail_LR-Blue_da1c6373-326a-4e6e-97ef-3d228515baee-import;
            vrf-export __contrail_LR-Blue_da1c6373-326a-4e6e-97ef-3d228515baee-export;
            routing-options {
                rib __contrail_LR-Blue_da1c6373-326a-4e6e-97ef-3d228515baee.inet6.0 {
                    multipath;
                }
                static {
                    route 172.16.0.17/32 discard;
                }
                multipath;
            }
            protocols {
                evpn {
                    ip-prefix-routes {
                        advertise direct-nexthop;
                        encapsulation vxlan;
                        vni 11;
                        export type5_policy;
                    }
                }
            }
        }
    }

- When you have finished your configuration, you can run ping between servers in the same virtual network. For example, run ping from BMS1 to BMS3 in the green network.

    [host@ix-centos-s2 ~]# ping 10.2.3.101
    PING 10.2.3.101 (10.2.3.101) 56(84) bytes of data.
    64 bytes from 10.2.3.101: icmp_seq=1 ttl=63 time=0.331 ms
    64 bytes from 10.2.3.101: icmp_seq=2 ttl=63 time=0.336 ms
    ^C
    --- 10.2.3.101 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.331/0.333/0.336/0.018 ms

- Run ping from BMS2 to BMS4 in the blue network.

    [host@ix-centos-s3 ~]# ping 10.2.4.101
    PING 10.2.4.101 (10.2.4.101) 56(84) bytes of data.
    64 bytes from 10.2.4.101: icmp_seq=1 ttl=63 time=0.626 ms
    64 bytes from 10.2.4.101: icmp_seq=2 ttl=63 time=0.627 ms
    ^C
    --- 10.2.4.101 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
    rtt min/avg/max/mdev = 0.626/0.626/0.627/0.025 ms
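
The VLAN and VRF checks on the spine can be cross-referenced automatically to confirm that the green and blue tenants stay separated. The following is an added example, not part of the original page or of Contrail tooling: it reads trimmed copies of the spine output shown on this page and reports any IRB that sits in two VRFs, in the other tenant's VRF, or in a VRF without a bridge domain. The function names and the rule that a "Green-n" network belongs in "LR-Green" are assumptions based on this page's naming.

```python
import re
from collections import defaultdict

# Trimmed from the spine output above: only the statements the check reads.
VLANS = """
bd-10 { description "Virtual Network - Blue-2"; l3-interface irb.10; vxlan { vni 10; } }
bd-7 { description "Virtual Network - Green-1"; l3-interface irb.7; vxlan { vni 7; } }
bd-8 { description "Virtual Network - Green-2"; l3-interface irb.8; vxlan { vni 8; } }
bd-9 { description "Virtual Network - Blue-1"; l3-interface irb.9; vxlan { vni 9; } }
"""
ROUTING_INSTANCES = """
__contrail_LR-Green_1c9709a7-ae39-4c89-a8c1-3b74e62526b2 { instance-type vrf;
    interface lo0.1012; interface irb.8; interface irb.7; }
__contrail_LR-Blue_da1c6373-326a-4e6e-97ef-3d228515baee { instance-type vrf;
    interface lo0.1011; interface irb.10; interface irb.9; interface irb.15; }
"""

def vn_by_irb(vlans_text):
    """Map each IRB to the virtual network named in its bridge domain."""
    pat = r'description "Virtual Network - ([^"]+)";.*?l3-interface (irb\.\d+);'
    return {irb: vn for vn, irb in re.findall(pat, vlans_text, re.S)}

def irbs_by_vrf(ri_text):
    """Map each logical-router VRF (e.g. LR-Green) to its IRB interfaces."""
    heads = list(re.finditer(
        r'__contrail_(LR-\w+?)_[0-9a-f-]{36} \{\s*instance-type vrf;', ri_text))
    vrfs = {}
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(ri_text)
        body = ri_text[m.end():end]
        vrfs[m.group(1)] = set(re.findall(r'(?<![\w-])interface (irb\.\d+);', body))
    return vrfs

def audit(vlans_text, ri_text):
    """Return findings that weaken or obscure green/blue separation."""
    vns, owners, findings = vn_by_irb(vlans_text), defaultdict(set), []
    for vrf, irbs in irbs_by_vrf(ri_text).items():
        for irb in irbs:
            owners[irb].add(vrf)
    for irb, vrfs in sorted(owners.items()):
        if len(vrfs) > 1:
            findings.append(f"{irb} is in more than one VRF: {sorted(vrfs)}")
        if irb not in vns:
            findings.append(f"{irb} ({sorted(vrfs)[0]}) has no bridge domain in the vlans output")
        # Assumed naming rule: "Green-1" belongs in "LR-Green", "Blue-2" in "LR-Blue".
        elif any(vns[irb].split("-")[0] != v.split("-", 1)[1] for v in vrfs):
            findings.append(f"{vns[irb]} ({irb}) is in another tenant's VRF: {sorted(vrfs)}")
    findings += [f"{vn} ({irb}) is not in any VRF"
                 for irb, vn in sorted(vns.items()) if irb not in owners]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(VLANS, ROUTING_INSTANCES)) or "no findings")
```

Run against the output shown on this page, the check reports irb.15, which is listed in the LR-Blue VRF but has no entry in the vlans output shown.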