- https://networklessons.com/cisco/ccnp-route/cisco-evn-easy-virtual-network/
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book.pdf
Easy Virtual Network (EVN) is an IP-based virtualization technology that provides end-to-end virtualization of two or more Layer-3 networks.
- You can use a single IP infrastructure to provide separate virtual networks whose traffic paths remain isolated from each other.
- EVN provides enhancements in path isolation, simplified configuration and management, and improved shared service support
- EVN builds on the existing IP-based virtualization mechanism known as VRF-Lite.
- EVN is backward compatible with VRF-Lite to enable seamless network migration from VRF-Lite to EVN.
- EVN supports IPv4, static routes, OSPFv2, EIGRP for unicast, Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) for IPv4 Multicast routing.
- EVN also supports CEF and SNMP.
With VRF-Lite, if you want to send traffic for multiple virtual networks (that is, multiple VRFs) between two routers you need to create a subinterface for each VRF on each router -> VRF-Lite requires subinterfaces. However, with Cisco EVN, you instead create a trunk (called a Virtual Network (VNET) trunk) between the routers. Then, traffic for multiple virtual networks can travel over that single trunk interface, which uses tags to identify the virtual networks to which packets belong.
Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual router instances, and both technologies allow routes from one VRF to be selectively leaked to other VRFs. However, a major difference is the way that two physical routers interconnect. With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF. However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies configuration.
Route replication allows shared services because routes are replicated between virtual networks and clients who reside in one virtual network can reach prefixes that exist in another virtual network.
- To achieve connectivity between IPs from different virtual networks, routes must be exchanged among virtual networks.
Depending on whether VRF-Lite or EVN is implemented, route exchanges among VRFs are accomplished in one of the following ways:
1) If VRF-Lite is implemented, route leaking is achieved via BGP by using the route import/export feature.
2) If EVN is implemented, route replication is supported directly by the RIB; there is no dependency on BGP. After routes are replicated from a different virtual network, those routes are propagated across each virtual network through existing redistribution into the IGP.
- An EVN trunk is allowed on any interface that supports 802.1q encapsulation, such as FE, GE and port channels.
- There are additional platform and line-card restrictionsfor an EVN trunk. Check CiscoFeature Navigator,
- A single IP infrastructure can be virtualized to provide up to 32 virtual networks end-to-end.
- If an EVN trunk is configured on an interface, you cannot configure VRF-Lite on the same interface.
- OSPFv3 is not supported; OSPFv2 is supported.
- The following are not supported by EVN: IS-IS, RIP, Route replication is not supported with BGP
- Certain SNMP set operations
The following are not supported on an EVN trunk:
- Access control lists (ACLs)
- BGP interface commands are not inherited
- IPv6, except on vnet global
- Network address translation (NAT)
- NetFlow
- Web Cache Communication Protocol (WCCP)
vnet Global
- A predefined EVN known as “vnet global” is on the device. It refers to the global routing context and it corresponds to the default RIB.
- The vnet global carries untagged traffic. By default, interfaces belong to the vnet global. Furthermore, vnet global is always running on trunk interfaces.
- The vnet global is also known as the default routing table.
- Note IPv6 traffic is supported in vnet global only
LAB
 |
| Cisco EVN Lab Topology |
==========Configs
hostname Blue1
interface Gi0/0
ip address 192.168.1.1 255.255.255.0
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
hostname Blue2
interface GigabitEthernet0/0
ip address 192.168.3.3 255.255.255.0
router ospf 1
network 192.168.3.0 0.0.0.255 area 0
hostname Red1
interface GigabitEthernet0/1
ip address 192.168.2.2 255.255.255.0
router ospf 1
network 192.168.2.0 0.0.0.255 area 0
hostname Red2
interface GigabitEthernet0/1
ip address 192.168.4.4 255.255.255.0
router ospf 1
network 192.168.4.0 0.0.0.255 area 0
hostname ISP1
!
vrf definition Blue
vnet tag 10
address-family ipv4
route-replicate from vrf Green unicast all
!
vrf definition Red
vnet tag 20
address-family ipv4
route-replicate from vrf Green unicast all
!
vrf definition Green
vnet tag 30
address-family ipv4
route-replicate from vrf Red unicast all
route-replicate from vrf Blue unicast all
!
interface Loopback0
vrf forwarding Green
ip address 5.5.5.5 255.255.255.0
!
interface GigabitEthernet0/0
vrf forwarding Blue
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/1
vrf forwarding Red
ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet0/3
vnet trunk
ip address 192.168.56.5 255.255.255.0
!
router ospf 1 vrf Blue
redistribute vrf Green ospf 3 subnets
network 192.168.1.0 0.0.0.255 area 0
network 192.168.56.0 0.0.0.255 area 0
!
router ospf 2 vrf Red
redistribute vrf Green ospf 3 subnets
network 192.168.2.0 0.0.0.255 area 0
network 192.168.56.0 0.0.0.255 area 0
!
router ospf 3 vrf Green
network 5.5.5.0 0.0.0.255 area 0
!
hostname ISP2
!
vrf definition Blue
vnet tag 10
address-family ipv4
!
vrf definition Red
vnet tag 20
address-family ipv4
!
interface GigabitEthernet0/0
vrf forwarding Blue
ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet0/1
vrf forwarding Red
ip address 192.168.4.254 255.255.255.0
!
interface GigabitEthernet0/3
vnet trunk
ip address 192.168.56.6 255.255.255.0
!
router ospf 1 vrf Blue
network 192.168.3.0 0.0.0.255 area 0
network 192.168.56.0 0.0.0.255 area 0
!
router ospf 2 vrf Red
network 192.168.4.0 0.0.0.255 area 0
network 192.168.56.0 0.0.0.255 area 0
!
Single IP Address on Trunk Interfaces
A trunk interface can carry traffic for multiple EVNs. To simplify the configuration process, all the subinterfaces and associated EVNs have the same IP address assigned. In other words, a trunk interface is identified by the same IP address in different EVN contexts. This is because each EVN has a unique routing and forwarding table, thereby enabling support for overlapping IP addresses across multiple EVNs.
Configs:
ISP1# show run int GigabitEthernet0/3
!
interface GigabitEthernet0/3
vnet trunk
ip address 192.168.56.5 255.255.255.0
!
ISP1#
ISP1# show derived-config
!
interface GigabitEthernet0/3
vnet trunk
ip address 192.168.56.5 255.255.255.0
!
interface GigabitEthernet0/3.10
description Subinterface for VNET Blue
encapsulation dot1Q 10
vrf forwarding Blue
ip address 192.168.56.5 255.255.255.0
!
interface GigabitEthernet0/3.20
description Subinterface for VNET Red
encapsulation dot1Q 20
vrf forwarding Red
ip address 192.168.56.5 255.255.255.0
!
interface GigabitEthernet0/3.30
description Subinterface for VNET Green
encapsulation dot1Q 30
vrf forwarding Green
ip address 192.168.56.5 255.255.255.0
!
Interfaces brief
ISP1# sh ip int br | exc down
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.254 YES NVRAM up up
GigabitEthernet0/1 192.168.2.254 YES NVRAM up up
GigabitEthernet0/3 192.168.56.5 YES NVRAM up up
GigabitEthernet0/3.10 192.168.56.5 YES NVRAM up up
GigabitEthernet0/3.20 192.168.56.5 YES NVRAM up up
GigabitEthernet0/3.30 192.168.56.5 YES NVRAM up up
Loopback0 5.5.5.5 YES NVRAM up up
ISP1#
sh vrf ipv4 interfaces
ISP1# sh vrf ipv4 interfaces
Interface VRF Protocol Address
Loopback0 Green up 5.5.5.5
GigabitEthernet0/0 Blue up 192.168.1.254
GigabitEthernet0/1 Red up 192.168.2.254
GigabitEthernet0/3.10 Blue up 192.168.56.5
GigabitEthernet0/3.20 Red up 192.168.56.5
GigabitEthernet0/3.30 Green up 192.168.56.5
==========Basic EVN Configuration
vrf definition Blue
vnet tag 10
!
address-family ipv4
!
Compare with VRF-Lite
!
vrf definition INTERNET
description -= Internet for customers =-
rd 6548:100
route-target export 6548:100
route-target import 6548:100
!
address-family ipv4
snmp context RouteVRF
!
address-family ipv6
!
==========Route Replication (Shared Services)
Route sharing between VRFs can be done with VRF Lite but it requires the configuration of RDs (Route Distinguishers) and BGP.
EVN supports route replication which “replicates” routes from one VRF to another. It doesn’t require RDs and BGP so the configuration is a bit simpler.
Import-Export (route replicate)Check connectivity to:
ISP1(config-vrf-af)#route-replicate from vrf Green unicast ?
! all All routes
! bgp Border Gateway Protocol (BGP)
! connected Connected
! eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
! isis ISO IS-IS
! mobile Mobile routes
! odr On Demand stub Routes
! ospf Open Shortest Path First (OSPF)
! rip Routing Information Protocol (RIP)
! static Static routes
!
1) Replicated route
2) Isolated route from another VRF
Blue1#
Blue1#traceroute 5.5.5.5 numeric
1 192.168.1.254 (Blue) 7 msec * 4 msec
Blue1#
Blue1#traceroute 192.168.4.4 numeric
1 * * *
2 * * *
3 *
Blue1#traceroute 192.168.2.2 numeric
1 * * *
2 * * *
3 *
Blue1#
==========Routing Context
ISP2#routing-context vrf Red
ISP2%Red#sh ip route
Routing Table: Red
...
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
5.0.0.0/24 is subnetted, 1 subnets
O E2 5.5.5.0 [110/1] via 192.168.56.5, 00:05:40, GigabitEthernet0/3.20
O 192.168.2.0/24 [110/2] via 192.168.56.5, 21:08:22, GigabitEthernet0/3.20
192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.4.0/24 is directly connected, GigabitEthernet0/1
L 192.168.4.254/32 is directly connected, GigabitEthernet0/1
192.168.56.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.56.0/24 is directly connected, GigabitEthernet0/3.20
L 192.168.56.6/32 is directly connected, GigabitEthernet0/3.20
ISP2%Red#
ISP2%Red#ping 192.168.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
!!!!!
ISP2%Red#exit
ISP2#
===========VRF Debugging
debug ip ospf hello
OSPF hello debugging is on
ISP2#
*Nov 14 09:18:49.771: OSPF-1 HELLO Gi0/0: Rcv hello from 192.168.3.3 area 0 192.168.3.3
*Nov 14 09:18:50.575: OSPF-2 HELLO Gi0/3.20: Rcv hello from 192.168.2.254 area 0 192.168.56.5
*Nov 14 09:18:50.900: OSPF-1 HELLO Gi0/0: Send hello to 224.0.0.5 area 0 from 192.168.3.254
*Nov 14 09:18:52.811: OSPF-1 HELLO Gi0/3.10: Rcv hello from 192.168.56.5 area 0 192.168.56.5
*Nov 14 09:18:53.780: OSPF-1 HELLO Gi0/3.10: Send hello to 224.0.0.5 area 0 from 192.168.56.6
debug condition vrf Red
Condition 1 setvnet trunk
ISP2#
*Nov 14 09:19:29.533: OSPF-1 HELLO Gi0/0: Send hello to 224.0.0.5 area 0 from 192.168.3.254
*Nov 14 09:19:30.629: vrfmgr(0) Debug: Condition 1, vrf Red triggered, count 1
*Nov 14 09:19:31.999: OSPF-2 HELLO Gi0/1: Send hello to 224.0.0.5 area 0 from 192.168.4.254
*Nov 14 09:19:33.885: OSPF-2 HELLO Gi0/3.20: Send hello to 224.0.0.5 area 0 from 192.168.56.6
*Nov 14 09:19:35.812: OSPF-2 HELLO Gi0/1: Rcv hello from 192.168.4.4 area 0 192.168.4.4
ISP2#undeb all
All possible debugging has been turned off
ISP2#
Blue2#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/9 ms
Blue2#
How packet are visible on vnet trunk
 |
| ISP2 Gi0/3 vnet trunk interface |