vxlan configuration

Configuring the VTI

Configuring the VTI enables vxlan bridging and is a requirement for vxlan Routing. The following sections describe the steps required to enabling vxlan bridging by bringing up the vxlan line protocol. vxlan Routing configuration describes the additional steps required to enable vxlan routing.

Instantiating the VTI and vxlan configuration Mode

The interface vxlan command places the switch in vxlan-interface configuration mode for modifying the specified vxlan Tunnel Interface (VTI). The command also instantiates the interface if it was not previously created.

vxlan interface configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.

Example

These commands create vxlan tunnel interface 1, place the switch in vxlan-interface configuration mode, and display parameters of the new VTI.

switch(config)# interface vxlan 1
switch(config-if-Vx1)# show active
interface vxlan1
   vxlan udp-port 4789
switch(config-if-Vx1)#

Assigning an IP address to the VTEP

The vxlan source-interface command specifies the loopback interface from which the VTEP derives the source address (IP) that it uses when exchanging vxlan frames. This address is used by UDP headers to specify source and destination addresses of hosts that send or receive vxlan encapsulated packets.

There is no default source interface assignment. A valid vxlan configuration requires the assignment of a loopback interface to the VTEP and the assignment of a valid IP address to the specified interface.

Example

These commands configure VTI 1 to use IP address 10.25.25.3 (interface loopback 15) as the source interface in the encapsulation fields of outbound vxlan frames.

switch(config)# interface loopback 15
switch(config-if-Lo15)# ip address 10.25.25.3/24
switch(config-if-Lo15)# exit
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan source-interface loopback 15
switch(config-if-Vx1)#  show active
interface vxlan1
   vxlan source-interface Loopback15
   vxlan udp-port 4789
switch(config-if-Vx1)#

Assigning a UDP Port to the VTEP

Packets bridged to the VTI from a VLAN are encapsulated with a vxlan header, then sent through a pre-configured UDP port. Packets that arrive through this port are assumed to be vxlan encapsulated and sent to the bridging domain of the recipient VLAN as determined by the VNI in the vxlan header and the VNI-VLAN map.

The vxlan udp-port command associates a UDP port with the configuration mode vxlan Interface (VTI). By default, UDP port 4789 is associated with the VTI.

Note: UDP port 4789 is reserved by convention for vxlan usage. Under most typical applications, this parameter should be set to the default value.

Examples
  • This command associates UDP port 5500 with interface vxlan 1.
    switch(config)# interface vxlan 1
    switch(config-if-Vx1)# vxlan udp-port 5500
    switch(config-if-Vx1)# show active
    interface vxlan1
       vxlan udp-port 5500
    switch(config-if-Vx1)#

  • This command resets the interface vxlan 1 UDP port association of 4789.
    switch(config-if-Vx1)# no vxlan udp-port
    switch(config-if-Vx1)# show active
    interface vxlan1
       vxlan udp-port 4789
    switch(config-if-Vx1)#

Assigning a VNI to a VLAN

When a VLAN bridges a packet to the VTI, the packet is encapsulated with a vxlan header that includes the VNI associated with the VLAN. Packets that arrive on the VTI’s UDP socket are bridged to the VLAN that is associated with the VNI specified by the vxlan header that encapsulates the packet.

The VTI requires a one-to-one correspondence between specified VLANs and VNI values. Commands that assign a new VNI to a previously configured VLAN replace existing VLAN assignment statements in running-config. Commands that attempt to assign a VNI value to a second VLAN generate a CLI error.

The vxlan vlan vni command associates a VLAN ID with a Virtual Network Identifier (VNI).

Example

These commands associate vlan 100 to vni 100 and vlan 200 to vni 10.10.200.

switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan vlan 100 vni 100
switch(config-if-Vx1)# vxlan vlan 200 vni 10.10.200
switch(config-if-Vx1)# show active
interface vxlan1
   vxlan udp-port 4789
   vxlan vlan 200 vni 658120
   vxlan vlan 100 vni 100
switch(config-if-Vx1)# vxlan vni notation dotted
switch(config-if-Vx1)# show active
interface vxlan1
   vxlan udp-port 4789
   vxlan vlan 100 vni 0.0.100
   vxlan vlan 200 vni 10.10.200
switch(config-if-Vx1)#

Verifying the vxlan configuration

The show interface vxlan 1 displays the configuration and connection status of the vxlan.

Example

This command indicates that the vxlan line protocol status is up.

switch(config-if-Vx1)# show interface vxlan 1
vxlan1 is up, line protocol is up (connected)
  Hardware is vxlan
  Source interface is Loopback15 and is active with 10.25.25.3
  Static vlan to vni mapping is
    [100, 0.0.100]    [200, 10.10.200]
switch(config-if-Vx1)#

Head End Replication configuration

Head-end replication is a data distribution method that supports broadcast, unknown unicast traffic over vxlans by replicating BUM data locally for transmission to the set of remote VTEPs specified by a flood list. This data flooding facilitates remote MAC address learning through the forwarding of data with unknown MAC addresses.

Each vxlan flood vtep statement in running-config associates a set of VTEP addresses to an access VNI. A default flood list is also configurable that applies to all VNIs for which a flood list is not configured.

The VTEP flood list is created and modified through the vxlan flood vtep command.

Examples
  • These commands create a default vxlan head-end replication flood list.
    switch(config)# interface vxlan 1
    switch(config-if-Vx1)# vxlan flood vtep 10.1.1.1 10.1.1.2
    switch(config-if-Vx1)# show active
     interface vxlan1
       vxlan flood vtep 10.1.1.1 10.1.1.2
       vxlan udp-port 4789
    switch(config-if-Vx1)#

  • These commands create vxlan head-end replication flood lists for the VNIs accessed through vlan 101 and vlan 102.
    switch(config-if-Vx1)# vxlan vlan 101-102 flood vtep 11.1.1.1 11.1.1.2 11.1.1.3
    switch(config-if-Vx1)# show active
     interface vxlan1
       vxlan flood vtep 10.1.1.1 10.1.1.2
       vxlan vlan 101 flood vtep 11.1.1.1 11.1.1.2 11.1.1.3
       vxlan vlan 102 flood vtep 11.1.1.1 11.1.1.2 11.1.1.3
       vxlan udp-port 4789
    switch(config-if-Vx1)#

vxlan Routing configuration

Implementing vxlan Routing

vxlan routing is enabled by creating a VLAN Interface (SVI) on a VLAN that is associated to a VNI. In the figure below, vxlan routing is enabled on Switch A by configuring a VLAN interface with an IP address of 10.10.10.1. Packets from Devices A-1 and B-2 that have destinations other than 10.10.10.0/28 are vxlan-bridged to the default gateway (10.10.10.1), then routed from Switch A.

Figure 1. Implementing vxlan Routing

Note: For R and R2 series Arista platforms, vxlan routing must be enabled in hardware with the hardware tcam profile vxlan-routing command. This command will cause a brief data-plane interruption. It should be run while the switch is in maintenance mode, or in an interval when a brief data-plane interruption is acceptable.
switch(config)# hardware tcam profile vxlan-routing
switch(config)#

Note: For Trident2 and some Tomahawk platforms, vxlan routing requires that recirculation channels be configured with the command channel-group recirculation.
switch(config)#channel-group recirculation 1
switch(config)#

Example

These commands configure Switch A to perform vxlan routing. The example includes OSPF routing that is used for underlay routing.

switch-A(config)# route-map vxlanvlan permit 10
switch-A(config-route-map-vxlanvlan)# match interface loopb5
switch-A(config-route-map-vxlanvlan)# exit
switch-A(config)# route-map vxlanvlan permit 20
switch-A(config-route-map-vxlanvlan)# match interface vlan 100
switch-A(config-route-map-vxlanvlan)# exit
switch-A(config)# router ospf 1
switch-A(config-router-ospf)# redistribute connected route-map vxlanvlan
switch-A(config-router-ospf)# exit
switch-A(config)# interface loopback 5
switch-A(config-if-Lo5)# ip address 10.25.25.3/24
switch-A(config-if-Lo5)# exit
switch-A(config)# interface vxlan 1
switch-A(config-if-Vx1)# vxlan source-interface loopback 5
switch-A(config-if-Vx1)# vxlan vlan 100 vni 10000
switch-A(config)# interface vlan 100
switch-A(config-if-Vl100)# ip address 10.10.10.1/28
switch-A(config-if-Vl100)# exit

Configuring Direct vxlan Routing

Figure Implementing vxlan Routing , vxlan routing is enabled on Switch A only; Switch B supports vxlan bridging. Traffic from Switch B devices to the external routes must go through the core route twice: once as they are bridged to is vxlan gateway and once when routed to its next hop device.

Direct vxlan routing with vxlan enabled addresses this issue by configuring each VTEP with all VLANs. This allows packets to be vxlan-bridged to a local VTEP and routed to remote VTEPs. Indirect routing scales well but is complex to engineer efficiently, and naked routing provides the same scalability to indirect routing. Direct routing leads to the most efficient traffic flows, with the number of virtual subnets or virtual machines increasing at scale, and is thereby optimal from a data plane viewpoint.

The following sections describe conventions required to implement Direct vxlan Routing, then presents a direct vxlan routing implementation.

Configuring VARP addresses

For direct routing, an anycast IP address is used as the gateway address on the SVI for a VLAN on all hardware VTEPs associated with that VLAN.

Examples
  • These commands configure an IP virtual-router and virtual MAC address.
    switch(config)# interface Vlan2417
    switch(config-if-Vl2417)# ip address 1.0.4.50/24
    switch(config-if-Vl2417)# ip virtual-router address 1.0.4.1
    switch(config-if-Vl2417)# ip virtual-router mac-address 00:00:11:11:22:22
    switch(config)#

  • These commands configure an IP virtual address (instead of IP virtual-router address) for the VLAN SVI, and a secondary address on the loopback interface for the virtual VTEP IP. The virtual VTEP IP is the logical VTEP hosting the virtual MAC address.
    switch(config)# interface Vlan2417
    switch(config-if-Vl2417)# ip address virtual 1.0.4.1/24
    switch(config-if-Vl2417)# exit
    switch(config)# interface Loopback0
    switch(config-if-Lo0)# ip address 1.0.1.1/32
    switch(config-if-Lo0)# ip address 1.0.1.2/32 secondary
    switch(config-if-Lo0)# ip virtual-router mac-address 00:00:11:11:22:22
    switch(config)#

Virtual IP and MAC Addresses

Virtual-router IP addresses can be configured on VLAN interfaces in addition to a primary address. All VTEPs in a direct vxlan network can be configured with the same virtual router address. This allows devices to use a common IP address as their vxlan gateway.

The ip address virtual command configures a specified address as the primary IPv4 address and as a virtual IP address for the configuration mode VLAN interface. This results in the virtual MAC address (ip virtual-router mac-address) assignment to the VLAN interface. In large vxlan networks, using distinct primary IP addresses for each VTEP limits the number addresses on its subnet for connected hosts. Defining a common virtual IP address for all VTEPs and using that their primary addresses conserves subnet addresses

Example

These commands specify a virtual router address of 00:00:00:00:00:48 for the switch and, for vlan 100, a primary address of 10.10.10.10/28 and a virtual IP address of 10.10.10.10.

switch(config)# ip virtual-router mac-address 00:00:00:00:00:48
switch(config)# interface vlan 100
switch(config-if-Vl100)# ip address virtual 10.10.10.10/28
switch(config-if-Vl100)# show active
 interface Vlan100
   ip address virtual 10.10.10.10/28
switch(config-if-Vl100)#

Virtual VTEP configuration

A virtual VTEP address is specified by configuring a secondary address on the loopback interface designated as the vxlan’s source interface. All VTEPs in the direct routing topology share the same virtual VTEP address.

You must also configure the secondary VTEP IP on the flood-list of the downstream vxlan VTEPS as shown below.

Example

These commands specify a primary (10.1.1.1) and virtual VTEP address (10.2.2.2).

switch1
switch(config)# interface loopback 5
switch(config-if-Lo5)# ip address 10.1.1.1/24
switch(config-if-Lo5)# ip address 10.2.2.2/24 secondary
switch(config-if-Lo5)# show active
 interface Loopback5
   ip address 10.1.1.1/24
   ip address 10.2.2.2/24 secondary
switch(config-if-Lo5)# exit
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan source-interface loopback 5
switch(config-if-Vx1)# show active
 interface vxlan1
   vxlan source-interface Loopback5
   vxlan udp-port 4789
   vxlan vlan 100 vni 10000
switch(config-if-Vx1)#

switch2
switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan flood vtep 10.1.1.1
switch(config-if-Vx1)# vxlan flood vtep 10.2.2.2

Direct vxlan Topology

The following figure displays a direct vxlan topology, where each VTEP is configured with the same set of VNIs, VLAN interfaces, and virtual VTEP address.

Figure 2. Direct vxlan Routing

Example

These commands configure vxlan parameters for Switch-A.

switch-A(config)# route-map vxlanvlan permit 10
switch-A(config-route-map-vxlanvlan)# match interface loopb5
switch-A(config-route-map-vxlanvlan)# exit
switch-A(config)# route-map vxlanvlan permit 20
switch-A(config-route-map-vxlanvlan)# match interface vlan 100
switch-A(config-route-map-vxlanvlan)# exit
switch-A(config)# router ospf 1
switch-A(config-router-ospf)# redistribute connected route-map vxlanvlan
switch-A(config-router-ospf)# exit
switch-A(config)# ip virtual-router mac-address 00:00:00:00:00:48
switch-A(config)# interface loopback 5
switch-A(config-if-Lo5)# ip address 10.1.1.3/24
switch-A(config-if-Lo5)# ip address 10.1.1.10/24 secondary
switch-A(config-if-Lo5)# exit
switch-A(config)# interface vxlan 1
switch-A(config-if-Vx1)# vxlan source-interface loopback 5
switch-A(config-if-Vx1)# vxlan vlan 100 vni 10000
switch-A(config)# interface vlan 100
switch-A(config-if-Vl100)# ip address virtual 10.10.10.10/28
switch-A(config-if-Vl100)# exit 

Configuring vxlan VTEP Counters

The vxlan VTEP counters feature enables a device to count vxlan packets received and sent by the device on a per VTEP basis. Specifically, it enables the device to count bytes and packets that are getting encapsulated and decapsulated as they are passing through.

The counters are logically split up in the two vxlan directions. Encapsulated on the device and directed to the core, “encap” counters count packets coming from the edge. Decapsulated on the device and heading towards the edge, “decap” counters count packets coming from the core.

To be able to count vxlan packets the device has to support vxlan and have a vxlan interface correctly configured.

Examples
  • This command configures the enabling of vxlan VTEP counters for encap.
    switch(config)# hardware counter feature vtep encap
    switch(config)#

  • This command configures the disabling of vxlan VTEP counters for encap.
    switch(config)# no hardware counter feature vtep encap
    switch(config)#

  • This commands configures the enabling of vxlan VTEP counters for decap.
    switch(config)# hardware counter feature vtep decap
    switch(config)#

  • This commands configures the disabling of vxlan VTEP counters for decap.
    switch(config)# no hardware counter feature vtep decap
    switch(config)#

vxlan Auto Flood-List Construction

With the introduction of wireless Access Points (APs), vxlan flood-lists learned from the data-plane is added to or removed from the flood-lists created in the control-plane. When a vxlan packet is received on a new VNI from a VTEP, it is added to the dynamic flood-list for that VNI and the flood-list is merged with flood-lists from other sources. When all MACs behind a remote VTEP have been removed through aging, for example, the remote VTEP is removed from all dynamic vxlan flood-lists.

To restrict VTEPs from being added to dynamic flood-lists, when vxlan traffic is received from untrusted sources, use the vxlan learn-restrict command. MAC learning is disabled from the specified IP ranges. The learning restrictions is placed on all platforms including APs.

vxlan configuration for Learning Data-plane Flood-lists

The following example is applicable to all platforms.

These commands enable vxlan flood-lists learning from data-plane.

switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan flood vtep learned data-plane

The following example restricts learning from VTEPs not in a prefix range.

switch(config-if-Vx1)# vxlan learn-restrict vtep <prefixes>

The following example restricts learning to VTEPs with IP in range.

switch(config-if-Vx1)# vxlan learn-restrict vtep 1.1.1.1/24

The following command shows the vxlan flood-lists programmed in hardware.

switch(config)# switch(config)#show vxlan flood vtep

The following command shows the dynamic vxlan flood-lists.

switch(config)# switch(config)#show l2Rib input vxlan-dynamic

The following command shows the vxlan flood-lists sent to platform.

switch(config)# switch(config)#show l2Rib output floodset

The following command shows the vxlan learning restrictions for all VLANs.

switch(config)# switch(config)#show vxlan learn-restrict vtep

The following command shows the vxlan learning counters for all VLANs.

switch(config)# switch(config)#show vxlan counters learn-restrict all

Configuring vxlan Routing with Overlay VRFs

vxlan SVIs configured in non-default VRFs are supported with vxlan routing using overlay VRFs. Overlay SVIs are configured in non-default VRFs but underlay SVIs, which provide IP connectivity between VTEPs, must remain in the default VRF. vxlan routing is deployable by allowing users to configure separate overlay routing domains using VRFs per tenant, thereby allowing support for overlapping IP addresses in the overlay. This provides separation between overlay and underlay traffic, including simpler and cleaner protocol configuration, without using complicated route-maps to control distribution of prefixes to peers in the overlay VRFs and underlay SVIs. IPv4 based vxlan routing is currently supported.

Configuring vxlan over MLAG

VTI configuration must be identical on each MLAG peer for them to act as a single VTEP.

The following VTI elements must be configured identically on both MLAG peers:

VLAN-VNI Mappings

Configure identical VLAN to VNI mappings on both MLAG peers using the vxlan vlan vni command.

Example

These commands associate vlan 100 to vni 100 and vlan 200 to vni 10.10.200.

switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan vlan 100 vni 100
switch(config-if-Vx1)# vxlan vlan 200 vni 10.10.200
switch(config-if-Vx1)#

VTEP IP Address of the Source Loopback Interface

Configure the same VTEP IP address for the source loopback interface on both MLAG peers using the vxlan source-interface command.

Example

These commands configure a primary VTEP address.

switch(config)# interface loopback 5
switch(config-if-Lo5)# ip address 10.1.1.1/24
switch(config-if-Lo5)# exit
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan source-interface loopback 5
switch(config-if-Vx1)#

Flood VTEP List

Configure the same VTEP flood list on both MLAG peers using the vxlan flood vtep command.

Example

These commands create a default vxlan head-end replication flood list.

switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan flood vtep 10.1.1.1 10.1.1.2
switch(config-if-Vx1)#

OSPF configuration

If OSPF is in use, configure the OSPF router ID using the router-id (OSPFv2) command to prevent the switch from using the common VTEP IP address as the router ID.

Example

These commands assign 10.0.0.1 as the OSPFv2 router ID.

switch(config)# router ospf 100
switch(config-router-ospf)# router-id 10.0.0.1
switch(config-router-ospf)#

Configuring vxlan Control Service

The vxlan Control Service (VCS) provides a mechanism by which hardware VTEPs share states between each other in order to establish vxlan tunnels, without the need for a multicast control plane. This feature enables the use of a VCS client.

Examples
  • These commands connect a switch to the VCS running on CVX. The server host IP address is the management IP address of the CVX controller or the IP address that CVX is listening on for client connections.
    switch(config)# management cvx
    switch(config-mgmt-cvx)# server host 172.27.6.248
    switch(config-mgmt-cvx)# no shutdown
    switch(config-mgmt-cvx)#

  • These commands configure the vxlan interface, except for the multicast group configuration, in order to learn from the controller.
    switch(config)# interface vxlan 1
    switch(config-if-Vx1)# vxlan controller-client
    switch(config-if-Vx1)#

Configuring vxlan Multicast Decapsulation

vxlan multicast decapsulation enables VTEPs that support Head End Replication (HER). Multicast encapsulated Broadcast/Unknown/Multicast (BUM) packets terminate VTEPs from remote VTEPs that do not support HER.

Examples
  • These commands enable vxlan multicast decapsulation.
    switch(config)# interface vxlan 1
    switch(config-config-if-Vx1)# vxlan multicast-group decap 230.1.1.1
    switch(config-config-if-Vx1)#

  • These commands disable vxlan multicast decapsulation.
    switch(config)# interface vxlan 1
    switch(config-config-if-Vx1)# no vxlan multicast-group decap 230.1.1.1
    switch(config-config-if-Vx1)#

vxlan Rules Support for Mirror ACLs configuration

vxlan rules support for mirror ACLs configuration permit vxlan deep inspection rules to be specified in the mirroring ACLs when the switch is operating in normal mode.

Examples

The following are examples of vxlan rules specified in mirroring ACLs.
  • These commands permit all vxlan traffic (udp protocol and destination port 4789).
    switch(config)# ip access-list miracl
    switch(config-acl-miracl)# permit vxlan any any
    switch(config-acl-miracl)#

  • These commands permit vxlan traffic with vni 1001 only.
    switch(config)# ip access-list miracl
    switch(config-acl-miracl)# permit vxlan any any vni 1001 0x000000
    switch(config-acl-miracl)#

  • These commands deny vxlan traffic with vni 0x1000 through 0x100f.
    switch(config)# ip access-list miracl
    switch(config-acl-miracl)# permit vxlan any any vni 0x1000 0x100f
    switch(config-acl-miracl)#

Configuring EVPN vxlan

Static EVPN vxlan configuration

switch(config)# service routing protocols model multi-agent
switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address 172.16.1.1/32
!
switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan source-interface Loopback0
switch(config-if-Vx1)# vxlan udp-port 4789
switch(config-if-Vx1)# vxlan vrf test vni 12345
!
switch(config)# ip routing vrf test
switch(config)# Ipv6 unicast-routing vrf test
!
switch(config)# ip route vrf test 192.168.1.0/24 vtep 10.1.1.2 vni 20000 router-mac-address 00:00:78:01:00:00
switch(config)# ipv6 route vrf test 1:0:5::0/64 vtep 10.1.1.2 vni 30000 router-mac-address 00:00:80:01:00:00

vxlan Bridging and Routing configuration

switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address 172.16.1.1/32
!
switch(config)# ip virtual-router mac-address 00:02:03:04:05:06
!

switch(config)# ip routing
!
switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan source-interface Loopback0
switch(config-if-Vx1)# vxlan udp-port 65330
switch(config-if-Vx1)# vxlan vlan 300 vni 945438
switch(config-if-Vx1)# vxlan vlan 200 vni 654677
switch(config-if-Vx1)# vxlan flood vtep 172.16.1.2 172.16.1.3 172.16.1.1

EVPN vxlan All Active Multihoming

Multi-homing is activated in an EVPN environment by assigning an ethernet segment identifier to the participating Ethernet or Port-Channel interfaces.

switch(config)# interface Ethernet1
switch(config-if-Et1)# evpn ethernet-segment
switch(config-evpn-es)# identifier 00aa:bbbb:cccc:dddd:eeee
switch(config-evpn-es)# route-target import 12:23:34:45:56:67

The optional designated-forwarder election hold-time command can configure a wait time before selecting the designated forwarder and allow potential forwarders a chance to advertise their EVPN ethernet segment (type 4) routes. The default hold time is three (3) seconds, as specified in section 8.5 of RFC7432 [1].

The route target configured here is the ES import route target described in section 7.6 of RFC7432 [1]. It can be set to any MAC address, but for each Ethernet segment every participating interface in the network must use the same ES import route target. A suggested value is the MAC address of the CE connected to the multi-homing PEs via this interface.

EVPN vxlan Single-Active Multihoming

Multi-homing allows in an EVPN environment by assigning an Ethernet segment identifier or a single Customer Edge (CE) to the participating multiple Provider Edge (PE). The default mode of operation is All-active. Introduced in the eos 4.26.0F for vxlan, singe-active is another mode of operation in which only one PE per VLAN accepts traffic for that Ethernet segment.

Single-active multihoming is useful for:
  • Manually controlled traffic flows
  • Prioritizing links over others
  • Connecting separate CE devices to a single Ethernet segment
  • Connecting a CE that does not support link aggregation to multiple PEs.

To configure single-active multi-homing, use the redundancy single-active command on a physical Ethernet or aggregate Port-channel interface.

switch(config)# interface Ethernet1
switch(config-if-Et1)# evpn ethernet-segment
switch(config-evpn-es)# identifier 0123:0123:0123:0123:0123
switch(config-evpn-es)# route-target import 12:34:12:34:12:34
switch(config-evpn-es)# redundancy single-active

When don't preempt mode is enabled, a flag bit is included with preference value. Each VLAN specifies high/low rule with preference-based DF election. The default election rule is high and the default preference is 32767 from 0 to 65535.

interface Port-Channel1
   switchport mode trunk
   switchport trunk allowed vlan 100-200
   evpn ethernet-segment
      identifier 0123:0123:0123:0123:0123
      route-target import 12:34:12:34:12:34
      redundancy single-active
      designated-forwarder election algorithm preference 10000 [dont-preempt]

router bgp 10
   vlan 100
      designated-forwarder election preference rule low
      ...
   vlan-aware-bundle red
      designated-forwarder election preference rule low
      vlan 120-140
      ...

Show commands

show bgp evpn instance command takes the name of a configured EVPN instance to limit the output for that instance.

switch# show bgp evpn instance vlan 10
EVPN instance: VLAN 10
  Route distinguisher: 10.255.0.0:10
  Route target import: Route-Target-AS:64500:10
  Route target export: Route-Target-AS:64500:10
  Service interface: VLAN-based
  Local IP address: 10.255.0.0
  Encapsulation type: vxlan
  Local ethernet segment:
    ESI: 0011:1111:1111:1111:1111
      Interface: Ethernet6
      Mode: single-active
      State: up
      ES-Import RT: 00:01:00:01:00:01
      DF election algorithm: preference
      Designated forwarder: 10.255.0.0
      Non-Designated forwarder: 10.255.0.1

Each Ethernet segment shows the modes, single-active or all-active, the DF election algorithm, the elected designated forwarder and all other candidate forwarders.

When a port/VLAN is inactive, it is not shown by show vlan command. It is possible to see configured but inactive VLANs in show vlan configured command.
switch# show vlan configured
VLAN  Name                         	Status	Ports
----- -------------------------------- --------- -------------------------------
1 	default                      	active	Et1, Et2, Et4, Et5, Et6
10	VLAN0010                     	active	Et6, Vx1
11	VLAN0011                     	active	Et6#, Vx1

# indicates a port on which traffic is currently being blocked

show bgp evpn detail command shows the EVPN routes contributing to the multihoming state of a device with route-type ethernet-segment and any other appropriate filters.
switch# show bgp evpn route-type ethernet-segment esi 0011:1111:1111:1111:1111 detail
BGP routing table information for VRF default
Router identifier 0.0.0.1, local AS number 300
BGP routing table entry for ethernet-segment 0011:1111:1111:1111:1111 10.255.0.0, Route Distinguisher: 10.255.0.0:1
 Paths: 1 available
  Local
	- from - (0.0.0.0)
  	Origin IGP, metric -, localpref -, weight 0, valid, local, best
  	Extended Community: TunnelEncap:tunnelTypevxlan EvpnEsImportRt:00:01:00:01:00:01 
DF Election: Preference 200
BGP routing table entry for ethernet-segment 0011:1111:1111:1111:1111 10.255.0.1, Route Distinguisher: 10.255.0.1:1
 Paths: 1 available
  303 301
	10.255.0.1 from 10.0.0.2 (0.0.1.1)
  	Origin IGP, metric -, localpref 100, weight 0, valid, external, best
  	Extended Community: TunnelEncap:tunnelTypevxlan EvpnEsImportRt:00:01:00:01:00:01 
DF Election: Preference 100

Limitations

  • Single-active multihoming with MPLS is not supported.
  • Single-active redundancy is currently only supported on trunk ports. Access ports will not drop traffic when inactive.
  • Designated forwarder can not be reset in non-revertive mode.

VARP and Virtual VTEP with vxlan Routing

interface Loopback0
   ip address 172.16.1.1/32
   ip address 20.0.0.1/32 secondary
!
ip virtual-router mac-address 00:02:03:04:05:06
!
ip routing
!
interface Vlan200
   ipv6 address 2000:0:0:41::2/64
   ip address virtual 1.0.7.1/24
   ipv6 virtual-router address 2000:0:0:41::1
!
interface vxlan1
   vxlan source-interface Loopback0
   vxlan udp-port 65330
   vxlan vlan 300 vni 945438
   vxlan vlan 200 vni 654677
   vxlan flood vtep 172.16.1.2 172.16.1.3 172.16.1.1 20.0.0.1

Overlay Multicast using vxlan Underlay Multicast Tree

To inject a source route, configure the ip multicast source route export command on the incoming interface.

switch(config)# interface Vlan10
switch(config-Vl10)# ip pim sparse-mode
switch(config-Vl10)# ip multicast source route export

To redistribute the source routes in the MRIB via BGP while running multi-agent protocol model, configure the redistribute attached-host command for the IPv4 multicast address-family. Activate the neighbor to establish a BGP connection.

switch(config-router-bgp)# address-family ipv4 multicast
switch(config-router-bgp-af)# neighbor 3.0.0.2 activate
switch(config-router-bgp-af)# redistribute attached-host

To redistribute the source routes in the URIB via BGP while running ribd protocol model, configure the redistribute attached-host command under the router bgp mode.

switch(config-router-bgp)# redistribute attached-host

This following is a sample configuration for a VTEP for the setup above using multi-agent protocol model.

switch(config)# service routing protocol model multi-agent

switch(config)# ip pim rp-address 15.15.15.15 225.1.1.1/32

switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address 1.1.1.1/32

switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan source-interface Loopback0
switch(config-if-Vx1)# vxlan vlan10 vni 10000

! Interface to the underlay
switch(config)# interface Ethernet1
switch(config-if-Et1)# ip address 3.0.0.1/24
switch(config-if-Et1)# ip pim sparse-mode

switch(config)# interface vlan10
switch(config-if-Vl10)# ip address 10.1.1.1/24
switch(config-if-Vl10)# ip pim sparse-mode
switch(config-if-Vl10)# ip multicast source route export

switch(config)# router bgp 10
switch(config-router-bgp)# router-id 0.0.0.2

switch(config-router-bgp)# address-family ipv4 multicast
switch(config-router-bgp-af)# neighbor 3.0.0.2 activate
switch(config-router-bgp-af)# redistribute attached-host

This following is a sample configuration for a VTEP for the setup above using the ribd protocol model.

switch(config)# service routing protocol model ribd

switch(config)# ip pim rp-address 15.15.15.15 225.1.1.1/32

switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address 1.1.1.1/32

switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan source-interface Loopback0
switch(config-if-Vx1)# vxlan vlan10 vni 10000

! Interface to the underlay
switch(config)# interface Ethernet1
switch(config-if-Et1)# ip address 3.0.0.1/24

switch(config-if-Et1)# ip pim sparse-mode

switch(config)# interface vlan10
switch(config-if-Vl1)# ip address 10.1.1.1/24
switch(config-if-Vl1)# ip pim sparse-mode
switch(config-if-Vl1)# ip multicast source route export

switch(config)# router bgp 10
switch(config-router-bgp)# router-id 0.0.0.2
switch(config-router-bgp)# redistribute attached-host

Bridging Over EVPN IPv6 vxlan Underlay

The following example configuration is for vxlan bridging over EVPN IPv6 vxlan underlay.
switch(config)# interface loopback 0
switch(config-if-Lo0)# ip address 20001::100/128
!
switch(config)# vlan 10
switch(config-vlan-10)#
switch(config)# vlan 20
switch(config-vlan-20)#
!
switch(config)# hardware tcam 
switch(config-tcam)# system profile vxlan-v6-underlay
!
switch(config)# interface Ethernet1
switch(config-if-Et1)# switchport access vlan 10
switch(config)# interface Ethernet2
switch(config-if-Et2) #switchport access vlan 20
!
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan source-interface loopback 0
switch(config-if-Vx1)# vxlan encapsulation ipv6
switch(config-if-Vx1)# vxlan vlan 10 vni 10
switch(config-if-Vx1)# vxlan vlan 20 vni 20
!

Displaying vxlan configuration

The following section describes the commands that control the display format of VNIs and the commands that list vxlan configuration and transmission information.

Configuring VNI Display Format

The vxlan vni notation dotted command configures the switch to display VNIs in dotted decimal notation. VNI values range from 1 to 16777215 in decimal notation and from 0.0.1 to 255.255.255 in dotted decimal notation.

The command affects the VNI number display in all show commands, including show running-config. Commands that include VNI as a parameter may use decimal or dotted decimal notion regardless of the setting of this command. By default, show commands display VNI number in decimal notation.

Examples
  • These commands configure the switch to display vni numbers in dotted decimal notation, then displays a configuration that includes a VNI setting.
    switch(config)# vxlan vni notation dotted
    switch(config)# interface vxlan 1
    switch(config-if-Vx1)# show active
    interface vxlan1
       vxlan udp-port 4789
       vxlan vlan 333 vni 3.4.5
    switch(config-if-Vx1)#

  • These commands configure the switch to display vni numbers in decimal notation, then displays a configuration that includes a VNI setting.
    switch(config)# no vxlan vni notation dotted
    switch(config)# interface vxlan 1
    switch(config-if-Vx1)# show active
    interface vxlan1
       vxlan udp-port 4789
       vxlan vlan 333 vni 197637
    switch(config-if-Vx1)#

MAC Address Table

The MAC address table indicates a MAC address from a device on a remote host by indicating Vx interface as the port that corresponds to the address.

Example

The show mac address-table command displays a MAC address table that includes entries of devices from remote hosts by specifying Vx1 as the corresponding port.

switch> show mac address-table
          Mac Address Table
------------------------------------------------------------------

Vlan    Mac Address       Type        Ports      Moves   Last Move
----    -----------       ----        -----      -----   ---------
   1    0050.5682.6725    DYNAMIC     Et16       1       0:02:01 ago
   1    0050.568e.58e9    DYNAMIC     Et23       2       0:08:53 ago
   1    0050.56a0.474a    DYNAMIC     Et16       1       0:18:04 ago
  51    0000.0051.0004    DYNAMIC     Et5        1       12 days, 1:02:44 ago
  51    0000.0051.0005    DYNAMIC     Et5        1       12 days, 1:02:44 ago
  51    0000.0051.0101    DYNAMIC     Vx1        1       12 days, 0:17:30 ago
  51    0000.0051.0102    DYNAMIC     Vx1        1       12 days, 0:17:30 ago
  61    0000.0061.0005    DYNAMIC     Et5        1       12 days, 1:02:44 ago
Total Mac Addresses for this criterion: 8

          Multicast Mac Address Table
------------------------------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
Total Mac Addresses for this criterion: 0
switch>

vxlan MAC Address Table

vxlan MAC address table entries correlate MAC addresses accessible through remote VTEPs with the local VLAN and the IP address of the VTEP through which the addressed device is accessed. The VTI uses this table when constructing the vxlan encapsulation to specify the destination IP address of the recipient VTEP and the VNI segment through which the device’s remote VLAN is accessed.

The show vxlan address-table command displays the vxlan MAC address table.

Example

This command displays the vxlan address table.

switch> show vxlan address-table
          vxlan Mac Address Table
----------------------------------------------------------------------

Vlan  Mac Address     Type     Prt  Vtep             Moves   Last Move
----  -----------     ----     ---  ----             -----   ---------
  51  0000.0051.0101  DYNAMIC  Vx1  10.25.2.12       1       4 days, 0:37:14 ago
  51  0000.0051.0102  DYNAMIC  Vx1  10.25.2.12       1       4 days, 0:37:14 ago
  51  0000.0051.0103  DYNAMIC  Vx1  10.25.2.12       1       4 days, 0:37:14 ago
  51  0000.0051.0104  DYNAMIC  Vx1  10.25.2.12       1       4 days, 0:37:14 ago
  51  0000.0051.0105  DYNAMIC  Vx1  10.25.2.12       1       4 days, 0:37:14 ago
  61  0000.0061.0103  DYNAMIC  Vx1  10.25.2.12       1       4 days, 0:37:14 ago
  61  0000.0061.0104  DYNAMIC  Vx1  10.25.2.12       1       4 days, 0:37:14 ago
  61  0000.0061.0105  DYNAMIC  Vx1  10.25.2.12       1       4 days, 0:37:14 ago
switch>

vxlan MAC Address Table

The show vxlan vtep command displays information about remote VTEPs that the configured VTI has discovered and with whom it has exchanged packets.

Example

These commands display the VTEPs that have exchanged data with the configured VTI.

switch> show vxlan vtep
Remote vteps for vxlan1:
10.52.2.12
Total number of remote vteps:  1
switch>

vxlan Counters

The clear vxlan counters command resets the vxlan counters. The show vxlan counters command displays the vxlan counters.

Example

This command displays the vxlan counters

switch> show vxlan counters software
encap_bytes:3452284
encap_pkts:27841
encap_read_err:1
encap_discard_runt:0
encap_discard_vlan_range:0
encap_discard_vlan_map:0
encap_send_err:0
encap_timeout:1427
decap_bytes_total:382412426
decap_pkts_total:2259858
decap_bytes:0
decap_pkts:0
decap_runt:0
decap_pkt_filter:45128
decap_bytes_filter:5908326
decap_discard_vxhdr:0
decap_discard_vlan_map:2214730
decap_timeout:0
decap_sock_err:1
switch>

Displaying vxlan Bridging and Routing Support

All show commands applicable to prior vxlan implementations on R2 series are also available on R3 series for vxlan debugging.

The show interfaces vxlan command displays operational status and configuration information of the specified vxlan.

switch(config)# show interfaces vxlan 1
vxlan1 is up, line protocol is up (connected)
  Hardware is vxlan
  Source interface is Loopback0 and is active with 172.16.1.1
  Replication/Flood Mode is headend with Flood List Source: CLI
  Remote MAC learning via Datapath
  VNI mapping to VLANs
  Static VLAN to VNI mapping is
    [100, 100]
  Note: All Dynamic VLANs used by VCS are internal VLANs.
        Use 'show vxlan vni' for details.
  Static VRF to VNI mapping is not configured
  Headend replication flood vtep list is:
   100 172.16.1.2 10.1.1.1
  MLAG Shared Router MAC is 0000.0000.0000
  VTEP address mask is Non

The show arp command displays all ARP tables on the configured vxlan.

switch(config)# show arp interface vxlan 1
Address         Age (sec)  Hardware Addr   Interface
192.168.10.1              -  0000.abab.abab  Vlan100, vxlan1

The show arp interface summary command displays a summary of all ARP tables on the configured vxlan.

switch(config)# show arp interface vxlan 1 summary
Total: 1
Static: 1
Dynamic: 0
Not learned: 0

The show vxlan counters software command displays the vxlan software counters.

switch(config)# show vxlan counters software
Rx bytes for encapsulation                           :  0
Rx pkts for encapsulation                            :  0
Rx high priority bytes for encapsulation             :  0
Rx high priority pkts for encapsulation              :  0
Rx low priority bytes for encapsulation              :  0
Rx low priority pkts for encapsulation               :  0
…..

switch(config)# show vxlan vni
VNI to VLAN Mapping for vxlan1
VNI       VLAN       Source       Interface         802.1Q Tag
--------- ---------- ------------ ----------------- ----------
100       100        static       Ethernet2/1       untagged
                                  vxlan1            100

Note: * indicates a Dynamic VLAN

The show vxlan vtep command displays information about remote VTEPs that the configured VTI has discovered and with whom it has exchanged packets.

switch(config)# show vxlan vtep
Remote VTEPS for vxlan1:
10.1.1.1
Total number of remote VTEPS:  1

switch(config)# show platform fap vxlan vtep encapsulation
Tunnel Type: R(vxlan-Routing), B(vxlan-Bridging)
D - ECMP is divergent across switching chips
 ------------------------------------------------------------------------------------------------------------
|                                                   VTEP Table                                               |
|------------------------------------------------------------------------------------------------------------|
|                        FEC                            |                        EEDB                        |
|------------------------------------------------------------------------------------------------------------|
|  Destination  | Ecmp|  Fec|Tunnel|Tunnel|  Arp|SIP|TTL| Cmd |     Destination    | VID |   MAC / CPU Code  |
|               |Index|Index| Index| Type |Index|Idx|   |     |                    |     |                   |
|------------------------------------------------------------------------------------------------------------|
|       10.1.1.1|  -  |353900| 16382|     B|65536|  0| 64|ROUTE| Et1/1              |1006 | 00:00:aa:aa:aa:aa |
|       10.1.1.1|  -  |353901| 16383|     R|65536|  0| 64|ROUTE| Et1/1              |1006 | 00:00:aa:aa:aa:aa |

switch(config)# show cpu counters queue | grep vxlan
CoppSystemvxlanEncap              0          0          0          0
CoppSystemvxlanVtepLearn          0          0          0          0
CoppSystemvxlanEncap              0          0          0          0
CoppSystemvxlanVtepLearn          0          0          0          0

switch(config)# show platform fap vxlan mapping vni
    VNI      | VSI
-------------+------
         100 |  100

switch# show platform pkt | egrep -i "vxlan|vni"
rxpacllog 0 rxracllog 0 rxvteplearn 0 rxvxlan_encap 0
rx_vxlanbfd 0 rxcfm 0
rxvteprestore_drop 0 rxvxlan_encap_drop 0 rxmpc_nodev 0 rx_vxlanbfderr 0 rx_nonvxlan_arp_drop 0
fab.rxvxlan_decaperr 0 rx_macsecproxyerr 0 rx_macsecproxy_prune 0
CpuCodevxlanVtepLearn:  0
CpuCodevxlanEncapRequired:      0
CpuCodevxlanArp:        0
CpuCodevxlanUnknownVtepArp:     0
     vxlan :  sys_port   -1 traffic_class 0 fdma - fapid 0 sflow_cookie 0 mark4 0000 mark6 0000 D
vxlan vni hashtable:
h: 201, i: 0, vni: 100, vlanid: 100
vxlan enabled vlans: 100,

use the

switch# show cpu counters vxlan l2 ecmp
VTEP Group     Member VTEP IP     ECMP    ECMP      Member    Next Level
ID                         	Size    FEC ID    FEC ID    FEC ID
-------------------------------------------------------------------------
1        	172.16.1.2        2       1  	 91752    353907
                10.1.1.1                   	   91753    353908