Acg-Evpn Vxlan L3
Acg-Evpn Vxlan L3
Acg-Evpn Vxlan L3
In This Chapter
This section provides information about EVPN for VXLAN tunnels (Layer 3).
Applicability
This example is applicable to the 7950 XRS, 7750 SR-c4/c12, 7750 SR-7/12 and 7450 ESS-6/6v/
7/12, but it is not supported on 7750 SR-1, 7450 ESS-1 or 7710 SR. Virtual eXtensible Local Area
Network (VXLAN) requires IOM3-XP/IMM or higher-based line cards and chassis-mode D.
Ethernet Virtual Private Networks (EVPN) is a control plane technology and does not have line
card hardware dependencies.
The configuration was tested in release 12.0.R4. The EVPN for VXLAN Tunnels (Layer 2) on
page 281 example is pre-requisite reading.
Overview
As discussed in the EVPN for VXLAN Tunnels (Layer 2) on page 281 example, EVPN and
VXLAN can be enabled on VPLS or R-VPLS services in SR OS. While that example focuses on
the use of EVPN-VXLAN layer 2 services, that is how EVPN-VXLAN is configured in VPLS
services, this example describes how EVPN-VXLAN can be used to provide inter-subnet
forwarding in R-VPLS and VPRN services. Inter-subnet forwarding can be provided by regular R-
VPLS and VPRN services, however EVPN provides an efficient and unified way to populate
FDBs (Forwarding Data Bases), ARP (Address Resolution Protocol) tables and routing tables
using a single BGP address family. Inter-subnet forwarding in overlay networks would otherwise
require data plane learning and the use of routing protocols on a per VPRN basis.
The SR OS solution for inter-subnet forwarding using EVPN is based on building blocks
described in draft-sajassi-l2vpn-evpn-inter-subnet-forwarding and the use of the EVPN ip-prefix
routes (routes type-5) as explained in draft-rabadan-l2vpn-evpn-prefix-advertisement. This
example describes three supported common scenarios and provides the CLI configuration and
required tools to troubleshoot EVPN-VXLAN in each case. The scenarios tested and explained
are:
In all these scenarios redundant PEs are usually deployed. If that is the case, the interaction of
EVPN, IP-VPN and the routing table manager (RTM) may lead to some routing loop situations
that must be avoided by the use of routing policies (note that this also may happen in traditional
IP-VPN deployments when eBGP and MP-BGP interact to populate VPRN routing tables in
multi-homed networks). This section explains when those routing loops can happen and how to
avoid them.
The term IRB interface refers to an R-VPLS service bound to a VPRN IP interface. The terms IRB
interface and R-VPLS interface are used interchangeably throughout this example.
Configuration
This section describes the configuration of EVPN-VXLAN for Layer 3 services on the 7x50, as
well as the available troubleshooting and show commands. The three scenarios described in the
overview are analyzed independently.
PE-2 PE-4
192.0.2.2 192.0.2.4
.2 .4
00:ca:fe:ca:fe:02 00:ca:fe:ca:fe:04
PE-1 VPLS 101 VPRN VPRN VPLS 101 PE-6
192.0.2.1 10 10 192.0.2.6
VRRP-1 VRRP-1
VPLS 101 .254 IP-VPN MPLS .254 VPLS 101
CE-2
172.16.0.12/24
00:ca:fe:00:00:02
The network topology shows two overlay (VXLAN) networks interconnected by an MPLS
network:
A Layer 2/Layer 3 service is provided to a customer to connect CE-1, CE-2 and CE-3. In this
scenario, Layer 2 connectivity is provided within each overlay network and inter-subnet
connectivity (Layer 3) is provided between the overlay networks, hence VPLS 101 is defined
within each overlay network and VPRN 10 connects both Layer 2 services through an IP-VPN
MPLS network.
Note that the above topology can illustrate a Data Center Interconnect (DCI) example, where
Overlay-Network-1 and Overlay-Network-2 are two data centers interconnected through an
MPLS WAN. In this application, CE-1, CE-2 and CE-3 would simulate virtual machines or
appliances, PE-2/3/4/5 would act as Data Center gateways (DC GW) GWs and PE-1/6 as Network
Virtualization Edge devices (or virtual PEs running on a compute infrastructure).
The ports interconnecting the six PEs in Figure 47 are configured as network ports (or
hybrid) and will have router network interfaces defined in them. Only the ports connected
to the CEs are configured as access ports.
The six PEs are running IS-IS for the global routing table with the four core PEs
interconnected using IS-IS Level-2 point-to-point interfaces and each overlay network
using IS-IS Level-1 point-to-point interfaces.
LDP is used as the MPLS protocol to signal transport tunnel labels among PE-2, PE-3,
PE-4 and PE-5. There is no LDP running within each overlay network.
Note that the network port MTU (in all the ports sending/receiving VXLAN packets) must
be at least 50-bytes (54 if dot1q encapsulation is used) greater than the service-mtu in
order to accommodate the size of the VXLAN header.
Once the IGP infrastructure and LDP in the core are enabled, BGP has to be configured. In this
scenario, two BGP families have to be enabled: EVPN within each overlay-network for the
exchange of MAC/IP addresses and setting up the flooding domains, and VPN-IPv4 among the
four core PEs so that IP-prefixes can be exchanged and resolved to MPLS tunnels in the core.
As an example, the following CLI output shows the relevant BGP configuration of PE-1, which
only needs the EVPN family. PE-6 has a similar BGP configuration, that is, only EVPN family is
configured for its peers. Note that the use of Route-Reflectors (RRs) in these type of scenarios is
common. Although this scenario does not use RRs, an EVPN RR could have been used in
Overlay-Network-1 and Overlay-Network-2 and a separate VPN-IPv4 RR could have been used
in the core IP-VPN MPLS network.
A:PE-1>config>router>bgp# info
----------------------------------------------
vpn-apply-import
vpn-apply-export
enable-peer-tracking
rapid-withdrawal
rapid-update evpn
group "DC"
family evpn
type internal
neighbor 192.0.2.2
exit
neighbor 192.0.2.3
exit
exit
no shutdown
----------------------------------------------
The BGP configuration of PE-2 and PE-3 follows (PE-4 and PE-5 have an equivalent
configuration).
A:PE-2>config>router>bgp# info
----------------------------------------------
vpn-apply-import
vpn-apply-export
min-route-advertisement 1
enable-peer-tracking
rapid-withdrawal
rapid-update evpn
group "DC"
family vpn-ipv4 evpn
type internal
neighbor 192.0.2.1
exit
neighbor 192.0.2.3
exit
exit
group "WAN"
family vpn-ipv4
type internal
neighbor 192.0.2.4
exit
neighbor 192.0.2.5
exit
exit
no shutdown
----------------------------------------------
A:PE-3>config>router>bgp# info
----------------------------------------------
vpn-apply-import
vpn-apply-export
min-route-advertisement 1
enable-peer-tracking
rapid-withdrawal
rapid-update evpn
group "DC"
family vpn-ipv4 evpn
type internal
neighbor 192.0.2.1
exit
neighbor 192.0.2.2
exit
exit
group "WAN"
family vpn-ipv4
type internal
neighbor 192.0.2.4
exit
neighbor 192.0.2.5
exit
exit
no shutdown
----------------------------------------------
Figure 48 shows the BGP peering sessions among the PEs and the enabled BGP families. Note
that PE-1 and PE-6 only establish an EVPN peering session with their peers (only the EVPN
family is enabled on both PEs, even if the peer PEs are VPN-IPv4 capable as well).
PE-2 PE-4
192.0.2.2 192.0.2.4
VPN-IPv4 VPN-IPv4
EVPN VPN-IPv4 VPN-IPv4 EVPN
PE-1 PE-6
192.0.2.1 VPN-IPv4 VPN-IPv4 192.0.2.6
VPN-IPv4 VPN-IPv4
VPN-IPv4 VPN-IPv4 VPN-IPv4
VPN-IPv4
EVPN EVPN
PE-3 PE-5
192.0.2.3 192.0.2.5
al_0578
Once the network infrastructure is running properly, the actual service configuration, as illustrated
in Figure 47, can be carried out. The following CLI output shows the configuration for VPLS 101
and VPRN 10 in PE-1, PE-2 and PE-3. The other overlay network has a similar configuration.
*A:PE-1# configure service vpls 101
*A:PE-1>config>service>vpls# info
----------------------------------------------
vxlan vni 101 create
exit
bgp
route-distinguisher 192.0.2.1:101
route-target export target:64500:101 import target:64500:101
exit
bgp-evpn
vxlan
no shutdown
exit
exit
proxy-arp
no shutdown
exit
stp
shutdown
exit
service-name "evi-101"
sap 1/1/1:101 create
exit
no shutdown
----------------------------------------------
exit
bgp
route-distinguisher 192.0.2.3:101
route-target export target:64500:101 import target:64500:101
exit
bgp-evpn
vxlan
no shutdown
exit
exit
proxy-arp
shutdown
exit
stp
shutdown
exit
service-name "evi-101"
no shutdown
----------------------------------------------
*A:PE-3# configure service vprn 10
*A:PE-3>config>service>vprn# info
----------------------------------------------
ecmp 2
route-distinguisher 192.0.2.3:10
auto-bind mpls
vrf-target target:64500:10
interface "int-1" create
address 172.16.0.3/24
mac 00:ca:fe:ca:fe:03
vrrp 1
backup 172.16.0.254
ping-reply
traceroute-reply
mac 00:ca:fe:ca:fe:54
exit
vrrp 2
backup 172.16.0.253
priority 254
ping-reply
traceroute-reply
mac 00:ca:fe:ca:fe:53
exit
vpls "evi-101"
exit
exit
no shutdown
----------------------------------------------
For details about the EVPN and VXLAN configuration on PE-1 VPLS 101, refer to EVPN for
VXLAN Tunnels (Layer 2) on page 281. The configuration of VPLS 101 on PE-2 and PE-3 has
the following important aspects:
When configuring VPRN 10 on PE-2 and PE-3 the following considerations must be taken into
account:
remote IP interfaces are protected. Note that VRRP virtual IP/MACs are also advertised
by EVPN as static and so protected. In the example of Figure 47, the VPLS 101 FDB in
PE-1 shows the IP interface MACs and VRRP MACs as EvpnS (Static) as shown in the
following output. VPRN 10 VRRP instances and ARP entries for PE-2 are also shown:
*A:PE-1# show service id 101 fdb detail
===============================================================================
Forwarding Database, Service 101
===============================================================================
ServId MAC Source-Identifier Type Last Change
Age
-------------------------------------------------------------------------------
101 00:ca:fe:ca:fe:53 vxlan: EvpnS 07/05/14 00:02:16
192.0.2.3:101
101 00:ca:fe:ca:fe:54 vxlan: EvpnS 07/05/14 00:02:16
192.0.2.2:101
101 00:ca:fe:ca:fe:01 vxlan: Evpn 07/05/14 00:02:16
192.0.2.1:101
101 00:ca:fe:ca:fe:02 vxlan: EvpnS 07/05/14 00:02:16
192.0.2.2:101
101 00:ca:fe:ca:fe:03 vxlan: EvpnS 07/05/14 00:01:54
192.0.2.3:101
-------------------------------------------------------------------------------
No. of MAC Entries: 5
-------------------------------------------------------------------------------
Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static
===============================================================================
*A:PE-2# show router 10 vrrp instance
===============================================================================
VRRP Instances
===============================================================================
Interface Name VR Id Own Adm State Base Pri Msg Int
IP Opr Pol Id InUse Pri Inh Int
-------------------------------------------------------------------------------
int-1 1 No Up Master 254 1
IPv4 Up n/a 254 No
Backup Addr: 172.16.0.254
int-1 2 No Up Backup 100 1
IPv4 Up n/a 100 No
Backup Addr: 172.16.0.253
-------------------------------------------------------------------------------
Instances : 2
===============================================================================
*A:PE-2# show router 10 arp
===============================================================================
ARP Table (Service: 10)
===============================================================================
IP Address MAC Address Expiry Type Interface
-------------------------------------------------------------------------------
172.16.0.2 00:ca:fe:ca:fe:02 00h00m00s Oth[I] int-1
172.16.0.3 00:ca:fe:ca:fe:03 00h00m00s Evp[I] int-1
172.16.0.253 00:ca:fe:ca:fe:53 00h00m00s Oth int-1
172.16.0.254 00:ca:fe:ca:fe:54 00h00m00s Oth[I] int-1
-------------------------------------------------------------------------------
No. of ARP Entries: 4
===============================================================================
PE-2 PE-4
192.0.2.2 192.0.2.4
.2 .4
fe:02 fe:04
PE-1 VPLS 201 VPRN VPRN VPLS 201 PE-6
192.0.2.1 20
Tag 0x1 Tag 0x3 20
192.0.2.6
origin:2:1 origin:4:1
172.16.1.0/24 172.16.2.0/24
VPRN
VPLS 201 IP-VPN MPLS VPLS 201
VPRN
CE-1 20 20 CE-3
.1 .6
172.16.0.1/24 .254 fe:01 fe:06 .254 172.16.3.3/24
00:ca:fe:ca:fe:01 00:ca:fe:ca:fe:03
VPLS 201 VPRN VPRN VPLS 201
20 20
.3 Tag 0x2 Tag 0x4 .5
fe:03 PE-3 origin:3:1 origin:5:1 PE-5 fe:05 VXLAN Bind
192.0.2.3 192.0.2.5
CE-2
172.16.1.2/24
00:ca:fe:00:00:02
From a BGP peering perspective, there is no change in this scenario compared to the previous one:
PE-1 and PE-6 only support the EVPN address family. However in this scenario CE-1 is not
connected to an R-VPLS directly linked to the VPRN instances in PE-2/PE-3. As a result of that,
IP prefixes must be exchanged between PE-1 and PE-2/PE-3. EVPN is able to advertise not only
MAC routes and Inclusive Multicast routes, but also IP prefix routes that contain IP prefixes that
can be installed in the attached VPRN routing table.
As an example, the VPRN 20 and VPLS 201 configurations on PE-1, PE-2 and PE-3 are shown
below. Similar configurations are needed in PE-3, PE-4 and PE-6.
As shown in the CLI excerpt, the configuration in the three nodes (PE-1/2/3) for VPLS 201 and
VPRN 20 is very similar. The main difference is the auto-bind mpls command existing in PE-2/
3s VPRN 20. This command allows the VPRN 20 on PE-2/3 to receive IP-VPN routes from the
core and resolve them to MPLS tunnels. VPRN 20 on PE-1 does not require such command since
all its IP prefixes are resolved to local interfaces or to EVPN peers.
The advertisement of IP prefixes in EVPN, in routes type 5. All the existing IP prefixes in
the attached VPRN 20 routing table are advertised in EVPN within the VPLS 201 context
(except for the ones associated to VPLS 201 itself).
The installation of IP prefixes in the attached VPRN 20 routing table with a preference of
169 (bgp-vpn routes for IP-VPN have a preference of 170) and a next-hop of the GW-IP
(Gateway IP) address included in the EVPN IP prefix route.
For instance, the following output shows that PE-1 advertises the IP prefix 172.16.0.0/24 as a
EVPN route to PE-3 (similar route is sent to PE-2), captured by a debug router bgp update
session. The VPRN 20 routing tables in PE-1, PE-2 and PE-3 are also shown.
No. of Routes: 4
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
When checking the operation of EVPN in this scenario, it is important to observe that the right
next hops and prefixes are successfully installed in the VPRN 20 routing table:
EVPN IP prefixes are sent using a GW-IP matching the primary IP interface address of the
R-VPLS for which the routes are sent. For instance, as shown above, IP prefix 172.16.0.0/
24 is advertised from PE-1 with GW-IP 172.16.1.1 (the IP address configured for the
VPRN 20 VPLS interface in PE-1). In the PE-2/3 VPRN 20 routing tables, IP prefix
172.16.0.0/24 is installed with next hop 172.16.1.1. Traffic arriving at PE-2/3 on VPRN
20 with IP Destination Address (DA) in the 172.16.0.0 subnet matches the mentioned
routing table entry. As usual, the next hop is resolved by the ARP table to a MAC and the
MAC resolved by the FDB table to an egress VTEP, VNI.
IP prefixes in the VPRN 20 routing table are advertised in IP-VPN to the remote IP-VPN
MPLS peers. Received IP-VPN prefixes are installed in the VPRN 20 routing table using
the remote PE system IP address as the next hop, as usual. For instance, 172.16.3.0/24 is
installed in PE-2 VPRN 20s routing table with next hop (tunneled) 192.0.2.4 and
preference 170.
The following considerations of how the routing table manager (RTM) handles EVPN and IP-
VPN prefixes must be taken into account:
Only VPRN interface primary addresses are advertised as GW-IP in EVPN IP prefix
routes. Secondary addresses are never sent as GW-IP addresses.
EVPN IP prefixes are advertised by default as soon as the ip-route-advertisement
command is enabled and there are active IP prefixes in the attached VPRN routing table.
If the same IP prefix is received on a PE via EVPN and IP-VPN at the same time for the
same VPRN, by default the EVPN prefix is selected since its preference (169) is better
than the IP-VPN preference (170).
Since EVPN has a better preference compared to IP-VPN, when the VPRNs on redundant
PEs are attached to the same R-VPLS service, routing loops may occur. The use case
described here is an example where routing loops can occur. Check Use of Routing
Policies to Avoid Routing Loops in Redundant PEs on page 340 to avoid routing loops in
redundant PEs for more information.
When the command ip-route-advertisement is enabled, the subnet IP prefixes are
advertised in EVPN but not the host IP prefixes (/32 prefixes associated with the local
interfaces). If the user wants to advertise the host IP prefixes as well, the incl-host
keyword must be added to the ip-route-advertisement command. The following example
illustrates this. The host routes can be shown with the show router route-table all
command. When the incl-host keyword is added to PE-1s VPLS 201, PE-1 advertises the
host routes as well and these are installed in the remote PEs routing tables.
ECMP is fully supported for the VPRN for EVPN IP prefix routes coming from different
GW-IP next-hops. However ECMP is not supported for IP prefixes routes belonging to
different owners (EVPN and IP-VPN). ECMP behavior for EVPN is illustrated in the
following output. When ecmp is enabled in PE-1s VPRN 20, an additional route with a
different GW-IP as next-hop is installed in the routing table for the IP-prefixes 172.16.2.0/
24 and 172.16.3.0/24.
*A:PE-1# configure service vprn 20 ecmp 2
*A:PE-1# show router 20 route-table
===============================================================================
Route Table (Service: 20)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
172.16.0.0/24 Local Local 01d04h50m 0
int-PE-1-CE-1 0
172.16.1.0/24 Local Local 01d04h50m 0
int-evi-201 0
172.16.2.0/24 Remote BGP EVPN 00h00m01s 169
172.16.1.2 0
172.16.2.0/24 Remote BGP EVPN 00h00m01s 169
172.16.1.3 0
172.16.3.0/24 Remote BGP EVPN 00h00m01s 169
172.16.1.2 0
172.16.3.0/24 Remote BGP EVPN 00h00m01s 169
172.16.1.3 0
-------------------------------------------------------------------------------
No. of Routes: 6
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
PE-2 PE-4
192.0.2.2 192.0.2.4
VPRN
VPLS 301 IP-VPN MPLS VPLS 301
VPRN
EVPN-TUNNEL EVPN-TUNNEL
CE-1 30 30 CE-3
172.16.0.1/24 .254 .254 172.16.3.3/24
00:ca:fe:ca:fe:01 00:ca:fe:ca:fe:03
VPLS 301 VPRN VPRN VPLS 301
30 30
Compared to the use case in Figure 49, in this case the R-VPLS connecting the IRB interfaces in
Overlay-Network-1 (VPLS 301) does not have any connected host. If that is the case, VPLS 301
can be configured as an EVPN tunnel.
EVPN tunnels are enabled using the evpn-tunnel command under the R-VPLS interface
configured on the VPRN. EVPN tunnels bring the following benefits to EVPN-VXLAN IRB
backhaul R-VPLS services:
Easier and simpler provisioning of the tenant service: if an EVPN tunnel is configured in
an IRB backhaul R-VPLS there is no need to provision the IRB IP addresses in the VPRN.
This makes the provisioning easier to automate and saves IP addresses from the tenant IP
space.
Higher scalability of the IRB backhaul R-VPLS: if EVPN tunnels are enabled, BUM
traffic is suppressed in the EVPN-VXLAN IRB backhaul R-VPLS service (it is not
required). As a result, the number of VXLAN bindings in IRB backhaul R-VPLS services
with EVPN tunnels can be much higher.
As an example, the VPRN 30 and VPLS 301 configurations on PE-1, PE-2 and PE-3 are shown
below. Note that similar configurations are needed in PE-4, PE-5 and PE-6.
----------------------------------------------
A:PE-2# configure service vpls 301
A:PE-2>config>service>vpls# info
----------------------------------------------
allow-ip-int-binding
vxlan vni 301 create
exit
bgp
route-distinguisher 192.0.2.2:301
route-target export target:64500:301 import target:64500:301
exit
bgp-evpn
ip-route-advertisement
vxlan
no shutdown
exit
exit
stp
shutdown
exit
service-name "evi-301"
no shutdown
----------------------------------------------
A:PE-3# configure service vprn 30
A:PE-3>config>service>vprn# info
----------------------------------------------
route-distinguisher 192.0.2.3:30
auto-bind mpls
vrf-target target:64500:30
interface "int-evi-301" create
vpls "evi-301"
evpn-tunnel
exit
exit
no shutdown
----------------------------------------------
A:PE-3# configure service vpls 301
A:PE-3>config>service>vpls# info
----------------------------------------------
allow-ip-int-binding
vxlan vni 301 create
exit
bgp
route-distinguisher 192.0.2.3:301
route-target export target:64500:301 import target:64500:301
exit
bgp-evpn
ip-route-advertisement
vxlan
no shutdown
exit
exit
stp
shutdown
exit
service-name "evi-301"
no shutdown
----------------------------------------------
As shown in the output above, the configuration in the three nodes (PE-1/2/3) for VPLS 301 and
VPRN 30 is similar to the configuration of VPLS 201 and VPRN 20 in the previous scenario,
however, when the evpn-tunnel command is added to the VPRN interface, there is no need to
configure an IP interface address. Note that evpn-tunnel can be enabled independently of ip-
route-advertisement (although no route-type 5 advertisements are sent in that case).
A given VPRN supports regular IRB backhaul R-VPLS services as well as EVPN tunnel R-VPLS
services. A maximum of eight R-VPLS services with ip-route-advertisement enabled per VPRN
is supported (in any combination of regular IRB R-VPLS or EVPN tunnel R-VPLS services).
Note that EVPN tunnel R-VPLS services do not support SAPs or SDP-binds. No frames are
flooded in an EVPN tunnel R-VPLS service, and, in fact no inclusive multicast routes are
exchanged in R-VPLS services that are configured as EVPN tunnels. The show service id vxlan
command for an R-VPLS service configured as an EVPN tunnel shows <egress VTEP, VNI>
bindings excluded from the multicast list, in other words, the VXLAN bindings are not used to
flood BUM traffic:
The process followed upon receiving a route-type 5 on a regular IRB R-VPLS interface (previous
scenario) differs from the one for an EVPN tunnel type (this scenario):
Note that IP prefix routes sent for EVPN tunnel R-VPLS services do not contain a GW-IP (the
GW-IP will be zero) but convey a GW-MAC address that is used in the peer VPRN routing table.
The following output shows PE-2s VPRN 30 interface MAC address and the route-type 5 sent to
PE-1 using the MAC as GW-MAC:
Looking at the VPRN 30 routing table, since IP prefixes are shown with an EVPN tunnel next-hop
(GW-MAC) as opposed to an IP next-hop, the user may think that no ARP entries are consumed
by VPRN 30. However internal ARP entries are still consumed in VPRN 30. Although not shown
in the show router 30 arp command, the summary option shows the consumption of internal ARP
entries for EVPN.
===============================================================================
ARP Table (Service: 30)
===============================================================================
IP Address MAC Address Expiry Type Interface
-------------------------------------------------------------------------------
No Matching Entries Found
===============================================================================
*A:PE-2# show router 30 arp summary
============================================================
ARP Table Summary (Service: 30)
============================================================
Local ARP Entries : 1
Static ARP Entries : 0
Dynamic ARP Entries : 0
Managed ARP Entries : 0
Internal ARP Entries : 0
BGP-EVPN ARP Entries : 1
------------------------------------------------------------
No. of ARP Entries : 2
============================================================
The number of BGP-EVPN ARP Entries in the show router 30 arp summary command matches
the number of remote valid GW-MACs for VPRN 30.
When applying routing policies to control the distribution of prefixes between EVPN and IP-VPN,
the user must take into account that both families are completely separated as far as BGP is
concerned and that when prefixes from a family are imported in the RTM, the BGP attributes are
lost to the other family. The use of tags allows the controlled distribution of prefixes across the
two families.
Figure 51 illustrates how vpn-ipv4 routes are imported into the RTM and then passed onto EVPN
for its own processing. Note that vpn-ipv4 routes can be tagged at ingress and this tag is preserved
throughout the RTM and EVPN processing so that the tag can be matched by the egress BGP
routing policy. In this particular example, egress EVPN routes matching tag 10, are modified to
add a site-of-origin community origin:64500:1.
policy-options
begin
policy-statement imp_add_tag"
bgp entry 12
group 2 from
family vpn-ipv4 protocol bgp-vpn
neighbor 10.1.1.2 exit
type internal action accept
import imp_add_tag tag 10
exit
al_0583
Policy TAGS can be used to match EVPN IP-prefixes that were learned not only from BGP vpn-
ipv4 but also from other routing protocols. Note that the tag range supported for each protocol is
different:
Figure 52 illustrates the reverse workflow: routes imported from EVPN and exported from RTM
to BGP vpn-ipv4. In this example, EVPN routes received with community VM-mob are tagged
with TAG 200. At the egress vpn-ipv4 peers, only the routes with TAG 200 are advertised.
al_0584
The above behavior and the use of tags is also valid for vsi-import and vsi-export policies. The
behavior can be summarized in the following statements:
This use case refers to scenarios with redundant PEs and VPRNs connected to the same R-VPLS
with ip-route-advertisement. The scenarios in Figure 49 (EVPN-VXLAN for IRB Backhaul R-
VPLS services) and Figure 50 (EVPN-VXLAN in EVPN tunnel R-VPLS services) are examples
of this use case. In both scenarios the following process causes a routing loop:
This routing loop also happens in traditional multi-homed IP-VPN scenarios where the PE-CE
eBGP and MP-BGP vpn-ipv4/v6 protocols interact in the same VPRN RTM, with different router
preferences. In either case (EVPN or eBGP interaction with MP-BGP) the issue can be solved by
the use of routing policies and site-of-origin communities.
Routing policies are applied to PE-2 and PE-3 (also to PE-4 and PE-5) and allow the redundant
PEs to reject their own generated routes in order to avoid the loops. These routing policies can be
applied at vsi-import/export level or BGP group/neighbor level. The following output shows an
example of routing policies applied at BGP neighbor level for PE-2 (similar policies are applied
on PE-3/4/5). Note that neighbor or group level policies are the preferred way in this kind of use
case: a single set of policies is sufficient, as opposed to a set of policies per service (if the policies
are applied at vsi-import/export level).
*A:PE-2>config>router>bgp# info
----------------------------------------------
vpn-apply-import
vpn-apply-export
min-route-advertisement 1
enable-peer-tracking
rapid-withdrawal
rapid-update evpn
group "DC"
family vpn-ipv4 evpn
type internal
neighbor 192.0.2.1
import "add-tag_to_bgp-evpn_routes"
exit
neighbor 192.0.2.3
import "reject_based_on_SOO"
export "add-SOO_on_export"
exit
exit
group "WAN"
family vpn-ipv4
type internal
neighbor 192.0.2.4
import "add-tag_to_bgp-vpn_routes"
exit
neighbor 192.0.2.5
import "add-tag_to_bgp-vpn_routes"
exit
exit
no shutdown
----------------------------------------------
*A:PE-2>config>router>policy-options# info
----------------------------------------------
community "SOO-PE-2" members "origin:2:1"
community "SOO-PE-3" members "origin:3:1"
policy-statement "add-SOO_on_export"
entry 10
from
tag 0x1
exit
action accept
community add "SOO-PE-2"
exit
exit
entry 20
from
tag 0x2
exit
action accept
community add "SOO-PE-3"
exit
exit
exit
policy-statement "reject_based_on_SOO"
entry 10
from
community "SOO-PE-2"
exit
action reject
exit
entry 20
from
community "SOO-PE-3"
exit
action reject
exit
exit
policy-statement "add-tag_to_bgp-vpn_routes"
entry 10
from
protocol bgp-vpn
exit
action accept
tag 0x1
exit
exit
exit
policy-statement "add-tag_to_bgp-evpn_routes"
entry 10
from
family evpn
exit
action accept
tag 0x1
exit
exit
exit
----------------------------------------------
EVPN and MP-BGP routes are tagged at import and add a site-of-origin community. Routes
exchanged between the two redundant PEs are rejected if they are received by a PE with its own
site-of-origin.
If a given VPRN is connected to more than one R-VPLS with ip-route-advertisement enabled, IP
prefixes that belong to one R-VPLS are advertised into the other R-VPLS and vice versa. When
redundant PEs are used, a routing loop will occur. Figure 53 illustrates this use case. Note that the
example shows R-VPLS with an EVPN tunnel configuration but the same routing loop occurs for
regular IRB backhaul R-VPLS services.
PE-2
EVPN-VXLAN EVPN-VXLAN
Overlay-Network-1 Overlay-Network-2
al_0585
The configuration of VPRN 50 as well as VPLS 501/502 and the required policies are shown
below. For this use case, policies must be applied at vsi-import/export level since more granularity
is required when modifying the imported/exported routes.
allow-ip-int-binding
vxlan vni 501 create
exit
bgp
route-distinguisher 192.0.2.2:501
vsi-export "vsi-export-policy-501"
vsi-import "vsi-import-policy-501"
exit
bgp-evpn
ip-route-advertisement
vxlan
no shutdown
exit
exit
stp
shutdown
exit
service-name "evi-501"
no shutdown
----------------------------------------------
*A:PE-2>config>service>vpls# info
----------------------------------------------
allow-ip-int-binding
vxlan vni 502 create
exit
bgp
route-distinguisher 192.0.2.2:502
vsi-export "vsi-export-policy-502"
vsi-import "vsi-import-policy-502"
exit
bgp-evpn
ip-route-advertisement
vxlan
no shutdown
exit
exit
stp
shutdown
exit
service-name "evi-502"
no shutdown
----------------------------------------------
*A:PE-2>config>router>policy-options# info
----------------------------------------------
community "exp_RVPLS501" members "origin:2:11" "target:64500:501"
community "exp_RVPLS502" members "origin:2:11" "target:64500:502"
community "SOO-PE-2-RVPLS" members "origin:2:11"
community "SOO-PE-3-RVPLS" members "origin:3:11"
community "SOO_PE-3_RVPLS501" members "origin:3:11" "target:64500:501"
community "SOO_PE-3_RVPLS502" members "origin:3:11" "target:64500:502"
policy-statement "vsi-export-policy-501"
entry 10
from
tag 0x5
exit
action accept
community add "SOO_PE-3_RVPLS501"
exit
exit
entry 20
action accept
community add "exp_RVPLS501"
exit
exit
exit
policy-statement "vsi-export-policy-502"
entry 10
from
tag 0x5
exit
action accept
community add "SOO_PE-3_RVPLS502"
exit
exit
entry 20
action accept
community add "exp_RVPLS502"
exit
exit
exit
policy-statement "vsi-import-policy-501"
entry 10
from
community "SOO-PE-2-RVPLS"
exit
action reject
exit
entry 20
from
community "SOO_PE-3_RVPLS501"
exit
action accept
tag 0x5
exit
exit
default-action accept
exit
exit
policy-statement "vsi-import-policy-502"
entry 10
from
community "SOO-PE-2-RVPLS"
exit
action reject
exit
entry 20
from
community "SOO_PE-3_RVPLS502"
exit
action accept
tag 0x5
exit
exit
default-action accept
exit
exit
ICMP commands can also help checking the connectivity. When traceroute is used on EVPN-
VXLAN in EVPN tunnel interfaces, EVPN tunnel interface hops in the traceroute commands are
showing the VPRN loopback address or the other non evpn-tunnel interface address. In VPRN
services where all of the interfaces are of type EVPN tunnel, ICMP packets fail until an IP address
is configured. The following output shows a traceroute from VPRN 30 in PE-1 to CE-3 and from
PE-2 to CE-1 (see Figure 50):
Finally, when troubleshooting EVPN routes and routing policies, the show router bgp routes
evpn command and its filters can help:
Check that the expected routes are received, properly imported and communities/tags
added/replaced/removed.
Check that the expected routes are sent, properly exported and communities added/
replaced/removed.
Examples of EVPN IP prefix routes including communities and tags are shown below.
...
*A:PE-2# show router bgp routes evpn ip-prefix prefix 172.16.0.0/24 hunt community ori-
gin:69:11
===============================================================================
BGP Router ID:192.0.2.2 AS:64500 Local AS:64500
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
Origin codes : i - IGP, e - EGP, ? - incomplete, > - best, b - backup
===============================================================================
BGP EVPN IP-Prefix Routes
===============================================================================
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
RIB Out Entries
-------------------------------------------------------------------------------
...
Network : N/A
Nexthop : 192.0.2.2
To : 192.0.2.1
Res. Nexthop : n/a
Local Pref. : 100 Interface Name : NotAvailable
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : 0
AIGP Metric : None
Connector : None
Community : origin:2:11 target:64500:502
mac-nh:d8:45:ff:00:01:33 bgp-tunnel-encap:VXLAN
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.1
Origin : IGP
AS-Path : No As-Path
EVPN type : IP-PREFIX
ESI : N/A Tag : 502
Gateway Address: d8:45:ff:00:01:33
Prefix : 172.16.0.0/24 Route Dist. : 192.0.2.2:502
MPLS Label : 0
Route Tag : 0
Neighbor-AS : N/A
Orig Validation: N/A
Source Class : 0 Dest Class : 0
-------------------------------------------------------------------------------
Routes : 2
===============================================================================
*A:PE-2# show router bgp routes evpn ip-prefix prefix 172.16.0.0/24 detail
===============================================================================
BGP Router ID:192.0.2.2 AS:64500 Local AS:64500
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
Origin codes : i - IGP, e - EGP, ? - incomplete, > - best, b - backup
===============================================================================
BGP EVPN IP-Prefix Routes
===============================================================================
-------------------------------------------------------------------------------
Original Attributes
Network : N/A
Nexthop : 192.0.2.1
From : 192.0.2.1
Res. Nexthop : N/A
Local Pref. : 100 Interface Name : NotAvailable
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : 0
AIGP Metric : None
Connector : None
Community : target:64500:201 bgp-tunnel-encap:VXLAN
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.1
Flags : Used Valid Best IGP
Route Source : Internal
AS-Path : No As-Path
EVPN type : IP-PREFIX
ESI : N/A Tag : 201
Gateway Address: 172.16.1.1
Prefix : 172.16.0.0/24 Route Dist. : 192.0.2.1:201
MPLS Label : 0
Route Tag : 0
Neighbor-AS : N/A
Orig Validation: N/A
Source Class : 0 Dest Class : 0
Modified Attributes
Network : N/A
Nexthop : 192.0.2.1
From : 192.0.2.1
Res. Nexthop : N/A
Local Pref. : 100 Interface Name : NotAvailable
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : 0
AIGP Metric : None
Connector : None
Community : target:64500:201 bgp-tunnel-encap:VXLAN
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.1
Flags : Used Valid Best IGP
Route Source : Internal
AS-Path : No As-Path
EVPN type : IP-PREFIX
ESI : N/A Tag : 201
Gateway Address: 172.16.1.1
Prefix : 172.16.0.0/24 Route Dist. : 192.0.2.1:201
MPLS Label : 0
Route Tag : 1
Neighbor-AS : N/A
Orig Validation: N/A
Source Class : 0 Dest Class : 0
------------------------------------------------------------------------------
...
Conclusion
SR OS supports not only the EVPN control plane for VXLAN tunnels in Layer 2 applications but
also the simultaneous use of EVPN and VXLAN for VPN customers (tenants) with intra and inter-
subnet connectivity requirements. R-VPLS services can be configured to provide default gateway
connectivity to hosts, IRB backhaul connectivity to VPRN services and EVPN tunnel connectivity
to VPRN services. When configured to do so, EVPN can advertise IP prefixes and interact with
the VPRN RTM to propagate IP prefix connectivity between EVPN and other routing protocols in
the VPRN, including IP-VPN. This example has shown how to configure R-VPLS services for all
these functions, as well as how to configure routing policies for EVPN-based IP prefixes.