Configuring EVPN
Configuring BGP-EVPN and VCS on CVX
Configuring BGP-EVPN
Configuring VNI Bundle
A VNI-aware-bundle represents a mac-VRF that contains Layer 2 route entries from all VXLAN Network Identifiers (VNI) available across multiple DCs. Use the vni-aware-bundle command available on CVX to create a mac-VRF.
Example
cvx(config)# router bgp 100
cvx(config-router-bgp)# vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)#
Configuring RD and RT in VNI Bundle
Use the rd (Router-BGP VRF and VNI Configuration Modes) command to add a Route Distinguisher (RD) that uniquely identifies Layer 2 routes for the VNI bundle. Use the route-target command to configure a well-known extended community that is attached to the routes exported by BGP-EVPN, and to import routes carrying the specified well-known extended community into the mac-VRF that corresponds to the VNI bundle.
Example
cvx(config)# router bgp 100
cvx(config-router-bgp)# vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)# rd 530:12
cvx(config-macvrf-bundle1)# route-target both 530:12
Enabling Redistribution of Bridging Information
After the VNI aware bundle is created, use the redistribute service VXLAN command to redistribute the Layer 2 bridging information received from VCS.
Example
cvx(config)# router bgp 100
cvx(config-router-bgp)# vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)# redistribute service VXLAN
Disabling Next-Hop Resolution in BGP-EVPN
When the BGP-EVPN module receives a route from its BGP peer, it generally tries to resolve the next-hop indicated in the route. However, in the DCI topology, routes coming from a CVX in another DC contain next-hops (VTEP addresses) that may not be reachable from the CVX receiving the route. Use the next-hop resolution disabled command to disable next-hop resolution on routes received from BGP-EVPN peers.
Example
cvx(config)# router bgp 100
cvx(config-router-bgp)# address-family evpn
cvx(config-router-bgp-af)# next-hop resolution disabled
Configuring VCS
Enabling Redistribution of BGP-EVPN Routes
Use the redistribute bgp evpn VXLAN command to redistribute BGP-EVPN routes to VCS, which, in turn, advertises them to all VTEPs within the DC.
Example
cvx(config)# cvx
cvx(config-cvx)# no shutdown
cvx(config-cvx)# service VXLAN
cvx(config-cvx-VXLAN)# no shutdown
cvx(config-cvx-VXLAN)# redistribute bgp evpn VXLAN
EVPN MPLS Virtual Private Wire Service (VPWS)
EVPN MPLS VPWS, which uses BGP for signalling, forwards traffic to and from a given Attachment Circuit (AC) without any MAC lookup or learning. Port-based and VLAN-based services are supported.
Configuring EVPN MPLS VPWS
Configure the patch panel to specify the ACs' connection to the VPWS service instances and then the VPWS service instance, which is part of BGP. Finally, configure the individual participating ACs.
Patch Panel Configuration
patch panel
patch port
connector 1 interface Ethernet2
connector 2 pseudowire bgp vpws evi-1 pseudowire pw1
patch panel
patch subintf
connector 1 interface Ethernet3.1
connector 2 pseudowire bgp vpws evi-1 pseudowire pw2
VPWS Service Instance Configuration
router bgp 1
neighbor 10.0.0.1 remote-as 1
neighbor 10.0.0.1 send-community extended
neighbor 10.0.0.1 maximum-routes 12000
!
vpws evi-1
rd 10.2.2.2:2
route-target import export evpn 0.0.0.0:1
mpls control-word
!
pseudowire pw1
evpn vpws id local 2001 remote 1001
!
pseudowire pw2
evpn vpws id local 2002 remote 1002
!
address-family evpn
neighbor default encapsulation mpls next-hop-self source-interface Loopback0
neighbor 10.0.0.1 activate
Attachment Circuit Configuration (double-tagged L3 subinterfaces)
interface Ethernet2
no switchport
interface Ethernet3
no switchport
interface Ethernet3.1
encapsulation dot1q vlan 1
interface Ethernet3
no switchport
interface Ethernet3.1
encapsulation vlan
client dot1q 11 network client
Flexible Encapsulation EVPN MPLS VPWS
- Remove incoming encapsulation tag(s) and forward
- Preserve incoming encapsulation tag(s) and forward
- Replace one or two tags when forwarding in encapsulation and decapsulation directions
The following table explains the encapsulation and decapsulation behaviors for the various FlexEncap options. Applying a Flexible Encapsulation with a network specification to a subinterface creates a bidirectional mapping table that is applied to the sub-interface. The mapping embodied in this table is applied from client to network in the encap direction, and network to client in the decap direction.
Example | Behavior |
client dot1q 10 | From Client: match VLAN ID 10, consume and forward. To Client: add VLAN ID 10 before transmit. |
client dot1q 10 inner 20 | From Client: match VLAN IDs 10, 20, consume and forward. To Client: add VLAN ID 10, 20 before transmit. |
client dot1q 10 network client | From Client: match VLAN ID 10 and retain it. From Network: match vlan=10, retain. |
client dot1q outer 10 inner 20 network client | From Client: match VLAN IDs 10, 20 and retain both. From Network: match vlan=10,20, retain both. |
client dot1q 10 network dot1q 100 | From Client: match VLAN ID 10, consume. Before forwarding, write vlan=100. From Network: match vlan=100, consume. Before transmit, write vlan=10. |
client dot1q outer 10 inner 20 network dot1q outer 100 inner 200 | From Client: match VLAN IDs 10, 20, and consume them. Before forwarding, write vlan=100,200. From Network: match vlan=100, 200, consume. Before transmit, write vlan=10, 20. |
- Packets received on Ethernet3/1 with outermost 802.1q VLAN tag of 1000 get mapped to sub-interface Ethernet3/1.1000.
- The tag of 1000 is preserved and forwarded to pseudowire PW1.
- Packets terminating on PW1 get forwarded to Et3/1.1000 and get transmitted out with VLAN tag of 1000.
interface Ethernet3/1.1000
encapsulation vlan
client dot1q 1000 network client
patch panel
patch patch-1
connector 1 interface Ethernet3/1.1000
connector 2 pseudowire ldp PW1
Displaying EVPN MPLS VPWS Configuration
switch(config-if-Et3/1.1003)# show interfaces encapsulation vlan
Interface Status Client Encapsulation Network Encapsulation
------------------------- ------------ ---------------------------------------------------
Ethernet3/1.1000 active dot1q outer 1000
Ethernet3/1.1001 active dot1q outer 1001 client
Ethernet3/1.1002 active dot1q outer 1002 inner 102
Ethernet3/1.1003 active dot1q outer 1003 inner 103 client
Ethernet3/1.1004 active dot1q outer 1004 dot1q 2004
Ethernet3/1.1005 active dot1q outer 1005 inner 104 dot1q outer 2005 inner 204
switch(config-if-Et3/1.1003)# show patch panel PP_1000
Patch Connector Status
------- ------------------------------------- ------
PP_1000 1: Ethernet3/1.1000 Up
2: BGP VPWS VPWS_1 Pseudowire PW_1000
switch(config-if-Et3/1.1003)# show patch panel PP_1000 detail
PW Fault Legend:
ET-IN - Ethernet receive fault
ET-OUT - Ethernet transmit fault
TUN-IN - Tunnel receive fault
TUN-OUT - Tunnel transmit fault
NF - Pseudowire not forwarding (other reason)
Patch: PP_1000, Status: Up
Connector 1: Ethernet3/1.1000
Status: Up
Connector 2: BGP VPWS VPWS_1 Pseudowire PW_1000
Status: Up
Local MPLS label: 135363
MTU: 1600, Control word: Y
Neighbor 103.37.123.72, MPLS label: 136350
Tunnel type: SR-TE Policy, Tunnel index: 132
MTU: 1600, Control word: Y
EVPN VPWS type: VLAN-based
Tag Matching Semantics
The matching rules are applied on a 'longest matching tag sequence' basis when rules are configured for multiple subinterfaces of a parent port. Considering the following rules on the same parent, the receive (encap) and transmit (decap) rule application is shown in the following tables.
interface Ethernet 10.1
encapsulation vlan
client dot1q 11 network client
interface Ethernet 10.2
encapsulation vlan
client dot1q 11 inner 20 network client
The receive (encap) matching behavior is as follows.
Received Packet | Matching Rule |
outer=11, inner=20 | Rule #2 |
single tag with 11 | Rule #1 |
double tag with 11, not 20 | Rule #1 |
The transmit (decap) matching behavior is as follows.
Forwarded Packet | Matching Rule |
outer=11, inner=20 | Rule #2 |
single tag with 11 | Rule #1 |
double tag with 11, not 20 | Rule #1 |
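The FlexEncap mapping table and the longest-match rule selection described above can be modelled in a few lines. The Python below is an added example, not Arista code: parse_rule, select, encap and decap are hypothetical names, and a tag stack is a tuple of VLAN IDs with the outermost tag first.

```python
from typing import NamedTuple, Optional, Tuple

Tags = Tuple[int, ...]  # VLAN IDs, outermost tag first


class Rule(NamedTuple):
    subif: str
    client: Tags   # tag sequence matched on the client side
    network: Tags  # tag sequence carried on the network side


def parse_rule(subif: str, spec: str) -> Rule:
    """Parse a 'client dot1q ... [network ...]' line as written in the table."""
    client_part, _, net_part = spec.partition(" network ")
    ids = lambda text: tuple(int(w) for w in text.split() if w.isdigit())
    client = ids(client_part)
    # 'network client' retains the client tags; no network clause consumes them.
    network = client if net_part.strip() == "client" else ids(net_part)
    return Rule(subif, client, network)


def select(rules, tags: Tags, side: str) -> Optional[Rule]:
    """Longest matching tag sequence among rules on the same parent port."""
    hits = [r for r in rules if tags[:len(getattr(r, side))] == getattr(r, side)]
    return max(hits, key=lambda r: len(getattr(r, side)), default=None)


def encap(rules, tags: Tags):
    """Client -> network: swap the matched client tags for the network tags."""
    rule = select(rules, tags, "client")
    if rule is None:
        return None  # no subinterface claims this frame
    return rule.subif, rule.network + tags[len(rule.client):]


def decap(rule: Rule, tags: Tags) -> Optional[Tags]:
    """Network -> client: swap the matched network tags back to the client tags."""
    if tags[:len(rule.network)] != rule.network:
        return None
    return rule.client + tags[len(rule.network):]
```

In this model, a frame tagged (11, 30) on the parent port is claimed by the single-tag rule and its inner tag 30 is carried through unchanged, which matches the "double tag with 11, not 20" row of the tables.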
Configuring Multi-Homing on a Multi-Domain EVPN VXLAN-MPLS Gateway
Use the following steps to add Multi-Homing to your BGP configuration.
Configuring the Local Ethernet Segment Parameters
- Configure the EVPN address family Ethernet Segment parameters, domain local, and enter the Ethernet Segment configuration mode:
switch(config-router-bgp-af)#evpn ethernet-segment domain local
switch(config-evpn-es-domain-local)#
- Add the 10 octet identifier, 0011:1111:1111:1111 for the local domain:
switch(config-evpn-es-domain-local)#identifier 0011:1111:1111:1111
- Add the low-order six (6) bytes of the ES-Import Route Target, 11:11:11:11:11:11:
switch(config-evpn-es-domain-local)#route-target import 11:11:11:11:11:11
- Exit the domain local configuration mode.
switch(config-router-bgp-af)#
Configuring the Remote Ethernet Segment Parameters
- Configure the Ethernet Segment remote domain parameters by entering the remote domain configuration mode:
switch(config-router-bgp-af)#evpn ethernet-segment domain remote
switch(config-evpn-es-domain-remote)#
- Add the 10 octet identifier, 0022:2222:2222:2222 for the remote domain:
switch(config-evpn-es-domain-remote)#identifier 0022:2222:2222:2222
- Add the low-order six (6) bytes of the ES-Import Route Target to the remote domain:
switch(config-evpn-es-domain-remote)#route-target import 22:22:22:22:22:22
- Exit the remote domain configuration mode, and return to the Ethernet Segment configuration mode:
switch(config-evpn-es-domain-remote)#exit
switch(config-router-bgp-af)#
Adding the Layer 2 and BGP FEC Parameters
- Configure the Layer 2 and BGP FEC parameters for the Ethernet Segment configuration:
switch(config-router-bgp-af)#layer-2 fec in-place update
- Exit to the global configuration mode:
switch(config)#
Adding the Routing Control Functions
- Enter the routing control functions configuration mode and then the control-functions configuration mode:
switch(config)#router general
switch(config-router-general)#control-functions
switch(config-router-general-control-functions)#
- Finally, add the RCF code to the configuration:
switch(config-router-general-control-functions)#code
Enter RCF code. Type 'EOF' on its own line to end.
function evpnDciMhBlockGwTx() {
   if evpn.route_type is EVPN_IMET {
      community add {1:1};
   }
   return true;
}
function evpnDciMhBlockGwRx() {
   return community has_none {1:1};
}
EOF
Displaying the Multihome EVPN Configuration
To display your configuration, use the show active command from the BGP configuration mode:
GW-A1(config-router-bgp)#show active
router bgp 64512
...
maximum-paths 4 ecmp 4
bgp bestpath d-path
...
!
vlan 10
rd evpn domain all 10.255.1.1:10
route-target import export 64500:10
route-target import export evpn domain remote 64501:10
redistribute learned
!
vrf red
rd 10.255.1.1:0
route-target import evpn 64500:20000
route-target export evpn 64500:20000
router-id 10.255.1.1
...
address-family evpn
neighbor WAN-RR activate
neighbor WAN-RR domain remote
neighbor RR-A activate
neighbor RR-A rcf in evpnDciMhBlockGwRx()
neighbor RR-A rcf out evpnDciMhBlockGwTx()
neighbor WAN-RR rcf in evpnDciMhBlockGwRx()
neighbor WAN-RR rcf out evpnDciMhBlockGwTx()
domain identifier 1:1
domain identifier 1:2 remote
...
!
evpn ethernet-segment domain local
identifier 0011:1111:1111:1111:1111
route-target import 11:11:11:11:11:11
!
evpn ethernet-segment domain remote
identifier 0022:2222:2222:2222:2222
route-target import 22:22:22:22:22:22
!
layer-2 fec in-place update
!
router general
control-functions
code
function evpnDciMhBlockGwTx() {
if evpn.route_type is EVPN_IMET
{
community add {1:1};
}
return true;
}
function evpnDciMhBlockGwRx() {
return community has_none {1:1};
}
- An interconnect Ethernet segment with an Ethernet Segment Identifier (ESI), 1111:1111:1111:1111:, configured for the hosts sourced from the local domain.
- An interconnect Ethernet segment with an ESI, 2222:2222:2222:2222, configured for the hosts sourced for the remote domain.
- The gateway, GW-A1, peers with a route reflector, the RR-A in the local domain, and peers with a route reflector, WAN-RR, in the remote domain.
For route loop detection, configure domain identifiers for the local and remote domains and enable D-path best-path selection (bgp bestpath d-path). Use the same identifier for the same domain on all gateways in one site, and configure RCF rules to reject the IMET routes from peer gateways in the same DC.
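The loop-detection requirements above can be checked against a saved gateway configuration before it is deployed. The Python below is an added example, not an Arista tool: audit_gateway is a hypothetical name, and SAMPLE is a constructed, abridged copy of the show active output on this page.

```python
import re

# Constructed sample, abridged from the 'show active' output on this page.
SAMPLE = """\
router bgp 64512
   bgp bestpath d-path
   address-family evpn
      neighbor WAN-RR activate
      neighbor RR-A activate
      neighbor RR-A rcf in evpnDciMhBlockGwRx()
      neighbor RR-A rcf out evpnDciMhBlockGwTx()
      neighbor WAN-RR rcf in evpnDciMhBlockGwRx()
      neighbor WAN-RR rcf out evpnDciMhBlockGwTx()
      domain identifier 1:1
      domain identifier 1:2 remote
!
router general
   control-functions
      code
      function evpnDciMhBlockGwTx() { if evpn.route_type is EVPN_IMET { community add {1:1}; } return true; }
      function evpnDciMhBlockGwRx() { return community has_none {1:1}; }
"""

def audit_gateway(config):
    """Return findings for loop-prevention settings missing from a gateway config."""
    lines = [l.strip() for l in config.splitlines()]
    evpn = []  # lines between 'address-family evpn' and the next '!' separator
    if "address-family evpn" in lines:
        evpn = lines[lines.index("address-family evpn") + 1:]
        evpn = evpn[:evpn.index("!")] if "!" in evpn else evpn
    findings = []
    if "bgp bestpath d-path" not in lines:
        findings.append("bgp bestpath d-path missing")
    for suffix, label in (("", "local"), (" remote", "remote")):
        if not any(re.fullmatch(r"domain identifier \S+" + suffix, l) for l in evpn):
            findings.append(f"{label} domain identifier missing")
    defined = {m.group(1) for l in lines if (m := re.match(r"function (\w+)\(\)", l))}
    peers = [l.split()[1] for l in evpn if re.fullmatch(r"neighbor \S+ activate", l)]
    for peer in peers:  # every activated EVPN peer needs both RCF directions
        for direction in ("in", "out"):
            applied = [m.group(1) for l in evpn if (m := re.fullmatch(
                rf"neighbor {re.escape(peer)} rcf {direction} (\w+)\(\)", l))]
            if not applied:
                findings.append(f"{peer}: no rcf {direction} applied")
            elif applied[0] not in defined:
                findings.append(f"{peer}: rcf {direction} calls undefined {applied[0]}()")
    return findings
```

An empty list means every activated EVPN neighbor has an inbound and an outbound RCF function that is actually defined, and that both domain identifiers and D-path best-path selection are present.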