vxlan configuration
- Configuring the VTI
- Head End Replication configuration
- vxlan Routing configuration
- Configuring vxlan Routing with Overlay VRFs
- Configuring vxlan over MLAG
- Configuring vxlan Control Service
- Configuring vxlan Multicast Decapsulation
- vxlan Rules Support for Mirror ACLs configuration
- Configuring EVPN vxlan
- Displaying vxlan configuration
- Displaying vxlan Bridging and Routing Support
Configuring the VTI
Configuring the VTI enables vxlan bridging and is a requirement for vxlan Routing. The following sections describe the steps required to enabling vxlan bridging by bringing up the vxlan line protocol. vxlan Routing configuration describes the additional steps required to enable vxlan routing.
Instantiating the VTI and vxlan configuration Mode
The interface vxlan command places the switch in vxlan-interface configuration mode for modifying the specified vxlan Tunnel Interface (VTI). The command also instantiates the interface if it was not previously created.
vxlan interface configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.
Example
These commands create vxlan tunnel interface 1, place the switch in vxlan-interface configuration mode, and display parameters of the new VTI.
switch(config)# interface vxlan 1
switch(config-if-Vx1)# show active
interface vxlan1
vxlan udp-port 4789
switch(config-if-Vx1)#
Assigning an IP address to the VTEP
The vxlan source-interface command specifies the loopback interface from which the VTEP derives the source address (IP) that it uses when exchanging vxlan frames. This address is used by UDP headers to specify source and destination addresses of hosts that send or receive vxlan encapsulated packets.
There is no default source interface assignment. A valid vxlan configuration requires the assignment of a loopback interface to the VTEP and the assignment of a valid IP address to the specified interface.
Example
These commands configure VTI 1 to use IP address 10.25.25.3 (interface loopback 15) as the source interface in the encapsulation fields of outbound vxlan frames.
switch(config)# interface loopback 15
switch(config-if-Lo15)# ip address 10.25.25.3/24
switch(config-if-Lo15)# exit
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan source-interface loopback 15
switch(config-if-Vx1)# show active
interface vxlan1
vxlan source-interface Loopback15
vxlan udp-port 4789
switch(config-if-Vx1)#
Assigning a UDP Port to the VTEP
Packets bridged to the VTI from a VLAN are encapsulated with a vxlan header, then sent through a pre-configured UDP port. Packets that arrive through this port are assumed to be vxlan encapsulated and sent to the bridging domain of the recipient VLAN as determined by the VNI in the vxlan header and the VNI-VLAN map.
The vxlan udp-port command associates a UDP port with the configuration mode vxlan Interface (VTI). By default, UDP port 4789 is associated with the VTI.
- This command associates UDP port 5500 with
interface vxlan
1.
switch(config)# interface vxlan 1 switch(config-if-Vx1)# vxlan udp-port 5500 switch(config-if-Vx1)# show active interface vxlan1 vxlan udp-port 5500 switch(config-if-Vx1)#
- This command resets the interface vxlan 1 UDP port
association of
4789.
switch(config-if-Vx1)# no vxlan udp-port switch(config-if-Vx1)# show active interface vxlan1 vxlan udp-port 4789 switch(config-if-Vx1)#
Assigning a VNI to a VLAN
When a VLAN bridges a packet to the VTI, the packet is encapsulated with a vxlan header that includes the VNI associated with the VLAN. Packets that arrive on the VTI’s UDP socket are bridged to the VLAN that is associated with the VNI specified by the vxlan header that encapsulates the packet.
The VTI requires a one-to-one correspondence between specified VLANs and VNI values. Commands that assign a new VNI to a previously configured VLAN replace existing VLAN assignment statements in running-config. Commands that attempt to assign a VNI value to a second VLAN generate a CLI error.
The vxlan vlan vni command associates a VLAN ID with a Virtual Network Identifier (VNI).
Example
These commands associate vlan 100 to vni 100 and vlan 200 to vni 10.10.200.
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan vlan 100 vni 100
switch(config-if-Vx1)# vxlan vlan 200 vni 10.10.200
switch(config-if-Vx1)# show active
interface vxlan1
vxlan udp-port 4789
vxlan vlan 200 vni 658120
vxlan vlan 100 vni 100
switch(config-if-Vx1)# vxlan vni notation dotted
switch(config-if-Vx1)# show active
interface vxlan1
vxlan udp-port 4789
vxlan vlan 100 vni 0.0.100
vxlan vlan 200 vni 10.10.200
switch(config-if-Vx1)#
Verifying the vxlan configuration
The show interface vxlan 1 displays the configuration and connection status of the vxlan.
Example
This command indicates that the vxlan line protocol status is up.
switch(config-if-Vx1)# show interface vxlan 1
vxlan1 is up, line protocol is up (connected)
Hardware is vxlan
Source interface is Loopback15 and is active with 10.25.25.3
Static vlan to vni mapping is
[100, 0.0.100] [200, 10.10.200]
switch(config-if-Vx1)#
Head End Replication configuration
Head-end replication is a data distribution method that supports broadcast, unknown unicast traffic over vxlans by replicating BUM data locally for transmission to the set of remote VTEPs specified by a flood list. This data flooding facilitates remote MAC address learning through the forwarding of data with unknown MAC addresses.
Each vxlan flood vtep statement in running-config associates a set of VTEP addresses to an access VNI. A default flood list is also configurable that applies to all VNIs for which a flood list is not configured.
The VTEP flood list is created and modified through the vxlan flood vtep command.
- These commands create a default vxlan head-end replication flood
list.
switch(config)# interface vxlan 1 switch(config-if-Vx1)# vxlan flood vtep 10.1.1.1 10.1.1.2 switch(config-if-Vx1)# show active interface vxlan1 vxlan flood vtep 10.1.1.1 10.1.1.2 vxlan udp-port 4789 switch(config-if-Vx1)#
- These commands create vxlan head-end replication flood lists for the VNIs accessed
through vlan 101 and vlan
102.
switch(config-if-Vx1)# vxlan vlan 101-102 flood vtep 11.1.1.1 11.1.1.2 11.1.1.3 switch(config-if-Vx1)# show active interface vxlan1 vxlan flood vtep 10.1.1.1 10.1.1.2 vxlan vlan 101 flood vtep 11.1.1.1 11.1.1.2 11.1.1.3 vxlan vlan 102 flood vtep 11.1.1.1 11.1.1.2 11.1.1.3 vxlan udp-port 4789 switch(config-if-Vx1)#
vxlan Routing configuration
Implementing vxlan Routing
vxlan routing is enabled by creating a VLAN Interface (SVI) on a VLAN that is associated to a VNI. In the figure below, vxlan routing is enabled on Switch A by configuring a VLAN interface with an IP address of 10.10.10.1. Packets from Devices A-1 and B-2 that have destinations other than 10.10.10.0/28 are vxlan-bridged to the default gateway (10.10.10.1), then routed from Switch A.
switch(config)# hardware tcam profile vxlan-routing
switch(config)#
switch(config)#channel-group recirculation 1
switch(config)#
Example
These commands configure Switch A to perform vxlan routing. The example includes OSPF routing that is used for underlay routing.
switch-A(config)# route-map vxlanvlan permit 10
switch-A(config-route-map-vxlanvlan)# match interface loopb5
switch-A(config-route-map-vxlanvlan)# exit
switch-A(config)# route-map vxlanvlan permit 20
switch-A(config-route-map-vxlanvlan)# match interface vlan 100
switch-A(config-route-map-vxlanvlan)# exit
switch-A(config)# router ospf 1
switch-A(config-router-ospf)# redistribute connected route-map vxlanvlan
switch-A(config-router-ospf)# exit
switch-A(config)# interface loopback 5
switch-A(config-if-Lo5)# ip address 10.25.25.3/24
switch-A(config-if-Lo5)# exit
switch-A(config)# interface vxlan 1
switch-A(config-if-Vx1)# vxlan source-interface loopback 5
switch-A(config-if-Vx1)# vxlan vlan 100 vni 10000
switch-A(config)# interface vlan 100
switch-A(config-if-Vl100)# ip address 10.10.10.1/28
switch-A(config-if-Vl100)# exit
Configuring Direct vxlan Routing
Figure Implementing vxlan Routing , vxlan routing is enabled on Switch A only; Switch B supports vxlan bridging. Traffic from Switch B devices to the external routes must go through the core route twice: once as they are bridged to is vxlan gateway and once when routed to its next hop device.
Direct vxlan routing with vxlan enabled addresses this issue by configuring each VTEP with all VLANs. This allows packets to be vxlan-bridged to a local VTEP and routed to remote VTEPs. Indirect routing scales well but is complex to engineer efficiently, and naked routing provides the same scalability to indirect routing. Direct routing leads to the most efficient traffic flows, with the number of virtual subnets or virtual machines increasing at scale, and is thereby optimal from a data plane viewpoint.
The following sections describe conventions required to implement Direct vxlan Routing, then presents a direct vxlan routing implementation.
Configuring VARP addresses
For direct routing, an anycast IP address is used as the gateway address on the SVI for a VLAN on all hardware VTEPs associated with that VLAN.
- These commands configure an IP virtual-router and virtual MAC
address.
switch(config)# interface Vlan2417 switch(config-if-Vl2417)# ip address 1.0.4.50/24 switch(config-if-Vl2417)# ip virtual-router address 1.0.4.1 switch(config-if-Vl2417)# ip virtual-router mac-address 00:00:11:11:22:22 switch(config)#
- These commands configure an IP virtual address (instead of IP virtual-router address)
for the VLAN SVI, and a secondary address on the loopback interface for the virtual VTEP
IP. The virtual VTEP IP is the logical VTEP hosting the virtual MAC
address.
switch(config)# interface Vlan2417 switch(config-if-Vl2417)# ip address virtual 1.0.4.1/24 switch(config-if-Vl2417)# exit switch(config)# interface Loopback0 switch(config-if-Lo0)# ip address 1.0.1.1/32 switch(config-if-Lo0)# ip address 1.0.1.2/32 secondary switch(config-if-Lo0)# ip virtual-router mac-address 00:00:11:11:22:22 switch(config)#
Virtual IP and MAC Addresses
Virtual-router IP addresses can be configured on VLAN interfaces in addition to a primary address. All VTEPs in a direct vxlan network can be configured with the same virtual router address. This allows devices to use a common IP address as their vxlan gateway.
The ip address virtual command configures a specified address as the primary IPv4 address and as a virtual IP address for the configuration mode VLAN interface. This results in the virtual MAC address (ip virtual-router mac-address) assignment to the VLAN interface. In large vxlan networks, using distinct primary IP addresses for each VTEP limits the number addresses on its subnet for connected hosts. Defining a common virtual IP address for all VTEPs and using that their primary addresses conserves subnet addresses
Example
These commands specify a virtual router address of 00:00:00:00:00:48 for the switch and, for vlan 100, a primary address of 10.10.10.10/28 and a virtual IP address of 10.10.10.10.
switch(config)# ip virtual-router mac-address 00:00:00:00:00:48
switch(config)# interface vlan 100
switch(config-if-Vl100)# ip address virtual 10.10.10.10/28
switch(config-if-Vl100)# show active
interface Vlan100
ip address virtual 10.10.10.10/28
switch(config-if-Vl100)#
Virtual VTEP configuration
A virtual VTEP address is specified by configuring a secondary address on the loopback interface designated as the vxlan’s source interface. All VTEPs in the direct routing topology share the same virtual VTEP address.
You must also configure the secondary VTEP IP on the flood-list of the downstream vxlan VTEPS as shown below.
Example
These commands specify a primary (10.1.1.1) and virtual VTEP address (10.2.2.2).
switch1
switch(config)# interface loopback 5
switch(config-if-Lo5)# ip address 10.1.1.1/24
switch(config-if-Lo5)# ip address 10.2.2.2/24 secondary
switch(config-if-Lo5)# show active
interface Loopback5
ip address 10.1.1.1/24
ip address 10.2.2.2/24 secondary
switch(config-if-Lo5)# exit
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan source-interface loopback 5
switch(config-if-Vx1)# show active
interface vxlan1
vxlan source-interface Loopback5
vxlan udp-port 4789
vxlan vlan 100 vni 10000
switch(config-if-Vx1)#
switch2
switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan flood vtep 10.1.1.1
switch(config-if-Vx1)# vxlan flood vtep 10.2.2.2
Direct vxlan Topology
The following figure displays a direct vxlan topology, where each VTEP is configured with the same set of VNIs, VLAN interfaces, and virtual VTEP address.
Example
These commands configure vxlan parameters for Switch-A.
switch-A(config)# route-map vxlanvlan permit 10
switch-A(config-route-map-vxlanvlan)# match interface loopb5
switch-A(config-route-map-vxlanvlan)# exit
switch-A(config)# route-map vxlanvlan permit 20
switch-A(config-route-map-vxlanvlan)# match interface vlan 100
switch-A(config-route-map-vxlanvlan)# exit
switch-A(config)# router ospf 1
switch-A(config-router-ospf)# redistribute connected route-map vxlanvlan
switch-A(config-router-ospf)# exit
switch-A(config)# ip virtual-router mac-address 00:00:00:00:00:48
switch-A(config)# interface loopback 5
switch-A(config-if-Lo5)# ip address 10.1.1.3/24
switch-A(config-if-Lo5)# ip address 10.1.1.10/24 secondary
switch-A(config-if-Lo5)# exit
switch-A(config)# interface vxlan 1
switch-A(config-if-Vx1)# vxlan source-interface loopback 5
switch-A(config-if-Vx1)# vxlan vlan 100 vni 10000
switch-A(config)# interface vlan 100
switch-A(config-if-Vl100)# ip address virtual 10.10.10.10/28
switch-A(config-if-Vl100)# exit
Configuring vxlan VTEP Counters
The vxlan VTEP counters feature enables a device to count vxlan packets received and sent by the device on a per VTEP basis. Specifically, it enables the device to count bytes and packets that are getting encapsulated and decapsulated as they are passing through.
The counters are logically split up in the two vxlan directions. Encapsulated on the device and directed to the core, “encap” counters count packets coming from the edge. Decapsulated on the device and heading towards the edge, “decap” counters count packets coming from the core.
To be able to count vxlan packets the device has to support vxlan and have a vxlan interface correctly configured.
- This command configures the enabling of vxlan VTEP counters for
encap.
switch(config)# hardware counter feature vtep encap switch(config)#
- This command configures the disabling of vxlan VTEP counters for
encap.
switch(config)# no hardware counter feature vtep encap switch(config)#
- This commands configures the enabling of vxlan VTEP counters for
decap.
switch(config)# hardware counter feature vtep decap switch(config)#
- This commands configures the disabling of vxlan VTEP counters for
decap.
switch(config)# no hardware counter feature vtep decap switch(config)#
vxlan Auto Flood-List Construction
With the introduction of wireless Access Points (APs), vxlan flood-lists learned from the data-plane is added to or removed from the flood-lists created in the control-plane. When a vxlan packet is received on a new VNI from a VTEP, it is added to the dynamic flood-list for that VNI and the flood-list is merged with flood-lists from other sources. When all MACs behind a remote VTEP have been removed through aging, for example, the remote VTEP is removed from all dynamic vxlan flood-lists.
To restrict VTEPs from being added to dynamic flood-lists, when vxlan traffic is received from untrusted sources, use the vxlan learn-restrict command. MAC learning is disabled from the specified IP ranges. The learning restrictions is placed on all platforms including APs.
vxlan configuration for Learning Data-plane Flood-lists
The following example is applicable to all platforms.
These commands enable vxlan flood-lists learning from data-plane.
switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan flood vtep learned data-plane
The following example restricts learning from VTEPs not in a prefix range.
switch(config-if-Vx1)# vxlan learn-restrict vtep <prefixes>
The following example restricts learning to VTEPs with IP in range.
switch(config-if-Vx1)# vxlan learn-restrict vtep 1.1.1.1/24
The following command shows the vxlan flood-lists programmed in hardware.
switch(config)# switch(config)#show vxlan flood vtep
The following command shows the dynamic vxlan flood-lists.
switch(config)# switch(config)#show l2Rib input vxlan-dynamic
The following command shows the vxlan flood-lists sent to platform.
switch(config)# switch(config)#show l2Rib output floodset
The following command shows the vxlan learning restrictions for all VLANs.
switch(config)# switch(config)#show vxlan learn-restrict vtep
The following command shows the vxlan learning counters for all VLANs.
switch(config)# switch(config)#show vxlan counters learn-restrict all
Configuring vxlan Routing with Overlay VRFs
vxlan SVIs configured in non-default VRFs are supported with vxlan routing using overlay VRFs. Overlay SVIs are configured in non-default VRFs but underlay SVIs, which provide IP connectivity between VTEPs, must remain in the default VRF. vxlan routing is deployable by allowing users to configure separate overlay routing domains using VRFs per tenant, thereby allowing support for overlapping IP addresses in the overlay. This provides separation between overlay and underlay traffic, including simpler and cleaner protocol configuration, without using complicated route-maps to control distribution of prefixes to peers in the overlay VRFs and underlay SVIs. IPv4 based vxlan routing is currently supported.
Configuring vxlan over MLAG
VTI configuration must be identical on each MLAG peer for them to act as a single VTEP.
The following VTI elements must be configured identically on both MLAG peers:
VLAN-VNI Mappings
Configure identical VLAN to VNI mappings on both MLAG peers using the vxlan vlan vni command.
Example
These commands associate vlan 100 to vni 100 and vlan 200 to vni 10.10.200.
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan vlan 100 vni 100
switch(config-if-Vx1)# vxlan vlan 200 vni 10.10.200
switch(config-if-Vx1)#
VTEP IP Address of the Source Loopback Interface
Configure the same VTEP IP address for the source loopback interface on both MLAG peers using the vxlan source-interface command.
Example
These commands configure a primary VTEP address.
switch(config)# interface loopback 5
switch(config-if-Lo5)# ip address 10.1.1.1/24
switch(config-if-Lo5)# exit
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan source-interface loopback 5
switch(config-if-Vx1)#
Flood VTEP List
Configure the same VTEP flood list on both MLAG peers using the vxlan flood vtep command.
Example
These commands create a default vxlan head-end replication flood list.
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan flood vtep 10.1.1.1 10.1.1.2
switch(config-if-Vx1)#
OSPF configuration
If OSPF is in use, configure the OSPF router ID using the router-id (OSPFv2) command to prevent the switch from using the common VTEP IP address as the router ID.
Example
These commands assign 10.0.0.1 as the OSPFv2 router ID.
switch(config)# router ospf 100
switch(config-router-ospf)# router-id 10.0.0.1
switch(config-router-ospf)#
Configuring vxlan Control Service
The vxlan Control Service (VCS) provides a mechanism by which hardware VTEPs share states between each other in order to establish vxlan tunnels, without the need for a multicast control plane. This feature enables the use of a VCS client.
- These commands connect a switch to the VCS running on CVX. The server host IP
address is the management IP address of the CVX controller or the IP address
that CVX is listening on for client
connections.
switch(config)# management cvx switch(config-mgmt-cvx)# server host 172.27.6.248 switch(config-mgmt-cvx)# no shutdown switch(config-mgmt-cvx)#
- These commands configure the vxlan interface, except for the multicast group
configuration, in order to learn from the
controller.
switch(config)# interface vxlan 1 switch(config-if-Vx1)# vxlan controller-client switch(config-if-Vx1)#
Configuring vxlan Multicast Decapsulation
vxlan multicast decapsulation enables VTEPs that support Head End Replication (HER). Multicast encapsulated Broadcast/Unknown/Multicast (BUM) packets terminate VTEPs from remote VTEPs that do not support HER.
- These commands enable vxlan multicast
decapsulation.
switch(config)# interface vxlan 1 switch(config-config-if-Vx1)# vxlan multicast-group decap 230.1.1.1 switch(config-config-if-Vx1)#
- These commands disable vxlan multicast
decapsulation.
switch(config)# interface vxlan 1 switch(config-config-if-Vx1)# no vxlan multicast-group decap 230.1.1.1 switch(config-config-if-Vx1)#
vxlan Rules Support for Mirror ACLs configuration
vxlan rules support for mirror ACLs configuration permit vxlan deep inspection rules to be specified in the mirroring ACLs when the switch is operating in normal mode.
Examples
- These commands permit all vxlan traffic (udp protocol and destination
port
4789).
switch(config)# ip access-list miracl switch(config-acl-miracl)# permit vxlan any any switch(config-acl-miracl)#
- These commands permit vxlan traffic with vni 1001
only.
switch(config)# ip access-list miracl switch(config-acl-miracl)# permit vxlan any any vni 1001 0x000000 switch(config-acl-miracl)#
- These commands deny vxlan traffic with vni 0x1000
through
0x100f.
switch(config)# ip access-list miracl switch(config-acl-miracl)# permit vxlan any any vni 0x1000 0x100f switch(config-acl-miracl)#
Configuring EVPN vxlan
Static EVPN vxlan configuration
switch(config)# service routing protocols model multi-agent
switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address 172.16.1.1/32
!
switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan source-interface Loopback0
switch(config-if-Vx1)# vxlan udp-port 4789
switch(config-if-Vx1)# vxlan vrf test vni 12345
!
switch(config)# ip routing vrf test
switch(config)# Ipv6 unicast-routing vrf test
!
switch(config)# ip route vrf test 192.168.1.0/24 vtep 10.1.1.2 vni 20000 router-mac-address 00:00:78:01:00:00
switch(config)# ipv6 route vrf test 1:0:5::0/64 vtep 10.1.1.2 vni 30000 router-mac-address 00:00:80:01:00:00
vxlan Bridging and Routing configuration
switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address 172.16.1.1/32
!
switch(config)# ip virtual-router mac-address 00:02:03:04:05:06
!
switch(config)# ip routing
!
switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan source-interface Loopback0
switch(config-if-Vx1)# vxlan udp-port 65330
switch(config-if-Vx1)# vxlan vlan 300 vni 945438
switch(config-if-Vx1)# vxlan vlan 200 vni 654677
switch(config-if-Vx1)# vxlan flood vtep 172.16.1.2 172.16.1.3 172.16.1.1
EVPN vxlan All Active Multihoming
Multi-homing is activated in an EVPN environment by assigning an ethernet segment identifier to the participating Ethernet or Port-Channel interfaces.
switch(config)# interface Ethernet1
switch(config-if-Et1)# evpn ethernet-segment
switch(config-evpn-es)# identifier 00aa:bbbb:cccc:dddd:eeee
switch(config-evpn-es)# route-target import 12:23:34:45:56:67
The optional designated-forwarder election hold-time command can configure a wait time before selecting the designated forwarder and allow potential forwarders a chance to advertise their EVPN ethernet segment (type 4) routes. The default hold time is three (3) seconds, as specified in section 8.5 of RFC7432 [1].
The route target configured here is the ES import route target described in section 7.6 of RFC7432 [1]. It can be set to any MAC address, but for each Ethernet segment every participating interface in the network must use the same ES import route target. A suggested value is the MAC address of the CE connected to the multi-homing PEs via this interface.
EVPN vxlan Single-Active Multihoming
Multi-homing allows in an EVPN environment by assigning an Ethernet segment identifier or a single Customer Edge (CE) to the participating multiple Provider Edge (PE). The default mode of operation is All-active. Introduced in the eos 4.26.0F for vxlan, singe-active is another mode of operation in which only one PE per VLAN accepts traffic for that Ethernet segment.
- Manually controlled traffic flows
- Prioritizing links over others
- Connecting separate CE devices to a single Ethernet segment
- Connecting a CE that does not support link aggregation to multiple PEs.
To configure single-active multi-homing, use the redundancy single-active command on a physical Ethernet or aggregate Port-channel interface.
switch(config)# interface Ethernet1
switch(config-if-Et1)# evpn ethernet-segment
switch(config-evpn-es)# identifier 0123:0123:0123:0123:0123
switch(config-evpn-es)# route-target import 12:34:12:34:12:34
switch(config-evpn-es)# redundancy single-active
When don't preempt mode is enabled, a flag bit is included with preference value. Each VLAN specifies high/low rule with preference-based DF election. The default election rule is high and the default preference is 32767 from 0 to 65535.
interface Port-Channel1
switchport mode trunk
switchport trunk allowed vlan 100-200
evpn ethernet-segment
identifier 0123:0123:0123:0123:0123
route-target import 12:34:12:34:12:34
redundancy single-active
designated-forwarder election algorithm preference 10000 [dont-preempt]
router bgp 10
vlan 100
designated-forwarder election preference rule low
...
vlan-aware-bundle red
designated-forwarder election preference rule low
vlan 120-140
...
Show commands
show bgp evpn instance command takes the name of a configured EVPN instance to limit the output for that instance.
switch# show bgp evpn instance vlan 10
EVPN instance: VLAN 10
Route distinguisher: 10.255.0.0:10
Route target import: Route-Target-AS:64500:10
Route target export: Route-Target-AS:64500:10
Service interface: VLAN-based
Local IP address: 10.255.0.0
Encapsulation type: vxlan
Local ethernet segment:
ESI: 0011:1111:1111:1111:1111
Interface: Ethernet6
Mode: single-active
State: up
ES-Import RT: 00:01:00:01:00:01
DF election algorithm: preference
Designated forwarder: 10.255.0.0
Non-Designated forwarder: 10.255.0.1
Each Ethernet segment shows the modes, single-active or all-active, the DF election algorithm, the elected designated forwarder and all other candidate forwarders.
switch# show vlan configured
VLAN Name Status Ports
----- -------------------------------- --------- -------------------------------
1 default active Et1, Et2, Et4, Et5, Et6
10 VLAN0010 active Et6, Vx1
11 VLAN0011 active Et6#, Vx1
# indicates a port on which traffic is currently being blocked
switch# show bgp evpn route-type ethernet-segment esi 0011:1111:1111:1111:1111 detail
BGP routing table information for VRF default
Router identifier 0.0.0.1, local AS number 300
BGP routing table entry for ethernet-segment 0011:1111:1111:1111:1111 10.255.0.0, Route Distinguisher: 10.255.0.0:1
Paths: 1 available
Local
- from - (0.0.0.0)
Origin IGP, metric -, localpref -, weight 0, valid, local, best
Extended Community: TunnelEncap:tunnelTypevxlan EvpnEsImportRt:00:01:00:01:00:01
DF Election: Preference 200
BGP routing table entry for ethernet-segment 0011:1111:1111:1111:1111 10.255.0.1, Route Distinguisher: 10.255.0.1:1
Paths: 1 available
303 301
10.255.0.1 from 10.0.0.2 (0.0.1.1)
Origin IGP, metric -, localpref 100, weight 0, valid, external, best
Extended Community: TunnelEncap:tunnelTypevxlan EvpnEsImportRt:00:01:00:01:00:01
DF Election: Preference 100
Limitations
- Single-active multihoming with MPLS is not supported.
- Single-active redundancy is currently only supported on trunk ports. Access ports will not drop traffic when inactive.
- Designated forwarder can not be reset in non-revertive mode.
VARP and Virtual VTEP with vxlan Routing
interface Loopback0
ip address 172.16.1.1/32
ip address 20.0.0.1/32 secondary
!
ip virtual-router mac-address 00:02:03:04:05:06
!
ip routing
!
interface Vlan200
ipv6 address 2000:0:0:41::2/64
ip address virtual 1.0.7.1/24
ipv6 virtual-router address 2000:0:0:41::1
!
interface vxlan1
vxlan source-interface Loopback0
vxlan udp-port 65330
vxlan vlan 300 vni 945438
vxlan vlan 200 vni 654677
vxlan flood vtep 172.16.1.2 172.16.1.3 172.16.1.1 20.0.0.1
Overlay Multicast using vxlan Underlay Multicast Tree
To inject a source route, configure the ip multicast source route export command on the incoming interface.
switch(config)# interface Vlan10
switch(config-Vl10)# ip pim sparse-mode
switch(config-Vl10)# ip multicast source route export
To redistribute the source routes in the MRIB via BGP while running multi-agent protocol model, configure the redistribute attached-host command for the IPv4 multicast address-family. Activate the neighbor to establish a BGP connection.
switch(config-router-bgp)# address-family ipv4 multicast
switch(config-router-bgp-af)# neighbor 3.0.0.2 activate
switch(config-router-bgp-af)# redistribute attached-host
To redistribute the source routes in the URIB via BGP while running ribd protocol model, configure the redistribute attached-host command under the router bgp mode.
switch(config-router-bgp)# redistribute attached-host
This following is a sample configuration for a VTEP for the setup above using multi-agent protocol model.
switch(config)# service routing protocol model multi-agent
switch(config)# ip pim rp-address 15.15.15.15 225.1.1.1/32
switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address 1.1.1.1/32
switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan source-interface Loopback0
switch(config-if-Vx1)# vxlan vlan10 vni 10000
! Interface to the underlay
switch(config)# interface Ethernet1
switch(config-if-Et1)# ip address 3.0.0.1/24
switch(config-if-Et1)# ip pim sparse-mode
switch(config)# interface vlan10
switch(config-if-Vl10)# ip address 10.1.1.1/24
switch(config-if-Vl10)# ip pim sparse-mode
switch(config-if-Vl10)# ip multicast source route export
switch(config)# router bgp 10
switch(config-router-bgp)# router-id 0.0.0.2
switch(config-router-bgp)# address-family ipv4 multicast
switch(config-router-bgp-af)# neighbor 3.0.0.2 activate
switch(config-router-bgp-af)# redistribute attached-host
This following is a sample configuration for a VTEP for the setup above using the ribd protocol model.
switch(config)# service routing protocol model ribd
switch(config)# ip pim rp-address 15.15.15.15 225.1.1.1/32
switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address 1.1.1.1/32
switch(config)# interface vxlan1
switch(config-if-Vx1)# vxlan source-interface Loopback0
switch(config-if-Vx1)# vxlan vlan10 vni 10000
! Interface to the underlay
switch(config)# interface Ethernet1
switch(config-if-Et1)# ip address 3.0.0.1/24
switch(config-if-Et1)# ip pim sparse-mode
switch(config)# interface vlan10
switch(config-if-Vl1)# ip address 10.1.1.1/24
switch(config-if-Vl1)# ip pim sparse-mode
switch(config-if-Vl1)# ip multicast source route export
switch(config)# router bgp 10
switch(config-router-bgp)# router-id 0.0.0.2
switch(config-router-bgp)# redistribute attached-host
Bridging Over EVPN IPv6 vxlan Underlay
switch(config)# interface loopback 0
switch(config-if-Lo0)# ip address 20001::100/128
!
switch(config)# vlan 10
switch(config-vlan-10)#
switch(config)# vlan 20
switch(config-vlan-20)#
!
switch(config)# hardware tcam
switch(config-tcam)# system profile vxlan-v6-underlay
!
switch(config)# interface Ethernet1
switch(config-if-Et1)# switchport access vlan 10
switch(config)# interface Ethernet2
switch(config-if-Et2) #switchport access vlan 20
!
switch(config)# interface vxlan 1
switch(config-if-Vx1)# vxlan source-interface loopback 0
switch(config-if-Vx1)# vxlan encapsulation ipv6
switch(config-if-Vx1)# vxlan vlan 10 vni 10
switch(config-if-Vx1)# vxlan vlan 20 vni 20
!
Displaying vxlan configuration
The following section describes the commands that control the display format of VNIs and the commands that list vxlan configuration and transmission information.
Configuring VNI Display Format
The vxlan vni notation dotted command configures the switch to display VNIs in dotted decimal notation. VNI values range from 1 to 16777215 in decimal notation and from 0.0.1 to 255.255.255 in dotted decimal notation.
The command affects the VNI number display in all show commands, including show running-config. Commands that include VNI as a parameter may use decimal or dotted decimal notion regardless of the setting of this command. By default, show commands display VNI number in decimal notation.
- These commands configure the switch to display vni numbers in dotted decimal notation,
then displays a configuration that includes a VNI
setting.
switch(config)# vxlan vni notation dotted switch(config)# interface vxlan 1 switch(config-if-Vx1)# show active interface vxlan1 vxlan udp-port 4789 vxlan vlan 333 vni 3.4.5 switch(config-if-Vx1)#
- These commands configure the switch to display vni numbers in decimal notation, then
displays a configuration that includes a VNI
setting.
switch(config)# no vxlan vni notation dotted switch(config)# interface vxlan 1 switch(config-if-Vx1)# show active interface vxlan1 vxlan udp-port 4789 vxlan vlan 333 vni 197637 switch(config-if-Vx1)#
MAC Address Table
The MAC address table indicates a MAC address from a device on a remote host by indicating Vx interface as the port that corresponds to the address.
Example
The show mac address-table command displays a MAC address table that includes entries of devices from remote hosts by specifying Vx1 as the corresponding port.
switch> show mac address-table
Mac Address Table
------------------------------------------------------------------
Vlan Mac Address Type Ports Moves Last Move
---- ----------- ---- ----- ----- ---------
1 0050.5682.6725 DYNAMIC Et16 1 0:02:01 ago
1 0050.568e.58e9 DYNAMIC Et23 2 0:08:53 ago
1 0050.56a0.474a DYNAMIC Et16 1 0:18:04 ago
51 0000.0051.0004 DYNAMIC Et5 1 12 days, 1:02:44 ago
51 0000.0051.0005 DYNAMIC Et5 1 12 days, 1:02:44 ago
51 0000.0051.0101 DYNAMIC Vx1 1 12 days, 0:17:30 ago
51 0000.0051.0102 DYNAMIC Vx1 1 12 days, 0:17:30 ago
61 0000.0061.0005 DYNAMIC Et5 1 12 days, 1:02:44 ago
Total Mac Addresses for this criterion: 8
Multicast Mac Address Table
------------------------------------------------------------------
Vlan Mac Address Type Ports
---- ----------- ---- -----
Total Mac Addresses for this criterion: 0
switch>
vxlan MAC Address Table
vxlan MAC address table entries correlate MAC addresses accessible through remote VTEPs with the local VLAN and the IP address of the VTEP through which the addressed device is accessed. The VTI uses this table when constructing the vxlan encapsulation to specify the destination IP address of the recipient VTEP and the VNI segment through which the device’s remote VLAN is accessed.
The show vxlan address-table command displays the vxlan MAC address table.
Example
This command displays the vxlan address table.
switch> show vxlan address-table
vxlan Mac Address Table
----------------------------------------------------------------------
Vlan Mac Address Type Prt Vtep Moves Last Move
---- ----------- ---- --- ---- ----- ---------
51 0000.0051.0101 DYNAMIC Vx1 10.25.2.12 1 4 days, 0:37:14 ago
51 0000.0051.0102 DYNAMIC Vx1 10.25.2.12 1 4 days, 0:37:14 ago
51 0000.0051.0103 DYNAMIC Vx1 10.25.2.12 1 4 days, 0:37:14 ago
51 0000.0051.0104 DYNAMIC Vx1 10.25.2.12 1 4 days, 0:37:14 ago
51 0000.0051.0105 DYNAMIC Vx1 10.25.2.12 1 4 days, 0:37:14 ago
61 0000.0061.0103 DYNAMIC Vx1 10.25.2.12 1 4 days, 0:37:14 ago
61 0000.0061.0104 DYNAMIC Vx1 10.25.2.12 1 4 days, 0:37:14 ago
61 0000.0061.0105 DYNAMIC Vx1 10.25.2.12 1 4 days, 0:37:14 ago
switch>
vxlan MAC Address Table
The show vxlan vtep command displays information about remote VTEPs that the configured VTI has discovered and with whom it has exchanged packets.
Example
These commands display the VTEPs that have exchanged data with the configured VTI.
switch> show vxlan vtep
Remote vteps for vxlan1:
10.52.2.12
Total number of remote vteps: 1
switch>
vxlan Counters
The clear vxlan counters command resets the vxlan counters. The show vxlan counters command displays the vxlan counters.
Example
This command displays the vxlan counters
switch> show vxlan counters software
encap_bytes:3452284
encap_pkts:27841
encap_read_err:1
encap_discard_runt:0
encap_discard_vlan_range:0
encap_discard_vlan_map:0
encap_send_err:0
encap_timeout:1427
decap_bytes_total:382412426
decap_pkts_total:2259858
decap_bytes:0
decap_pkts:0
decap_runt:0
decap_pkt_filter:45128
decap_bytes_filter:5908326
decap_discard_vxhdr:0
decap_discard_vlan_map:2214730
decap_timeout:0
decap_sock_err:1
switch>
Displaying vxlan Bridging and Routing Support
All show commands applicable to prior vxlan implementations on R2 series are also available on R3 series for vxlan debugging.
The show interfaces vxlan command displays operational status and configuration information of the specified vxlan.
switch(config)# show interfaces vxlan 1
vxlan1 is up, line protocol is up (connected)
Hardware is vxlan
Source interface is Loopback0 and is active with 172.16.1.1
Replication/Flood Mode is headend with Flood List Source: CLI
Remote MAC learning via Datapath
VNI mapping to VLANs
Static VLAN to VNI mapping is
[100, 100]
Note: All Dynamic VLANs used by VCS are internal VLANs.
Use 'show vxlan vni' for details.
Static VRF to VNI mapping is not configured
Headend replication flood vtep list is:
100 172.16.1.2 10.1.1.1
MLAG Shared Router MAC is 0000.0000.0000
VTEP address mask is Non
The show arp command displays all ARP tables on the configured vxlan.
switch(config)# show arp interface vxlan 1
Address Age (sec) Hardware Addr Interface
192.168.10.1 - 0000.abab.abab Vlan100, vxlan1
The show arp interface summary command displays a summary of all ARP tables on the configured vxlan.
switch(config)# show arp interface vxlan 1 summary
Total: 1
Static: 1
Dynamic: 0
Not learned: 0
The show vxlan counters software command displays the vxlan software counters.
switch(config)# show vxlan counters software
Rx bytes for encapsulation : 0
Rx pkts for encapsulation : 0
Rx high priority bytes for encapsulation : 0
Rx high priority pkts for encapsulation : 0
Rx low priority bytes for encapsulation : 0
Rx low priority pkts for encapsulation : 0
…..
switch(config)# show vxlan vni
VNI to VLAN Mapping for vxlan1
VNI VLAN Source Interface 802.1Q Tag
--------- ---------- ------------ ----------------- ----------
100 100 static Ethernet2/1 untagged
vxlan1 100
Note: * indicates a Dynamic VLAN
The show vxlan vtep command displays information about remote VTEPs that the configured VTI has discovered and with whom it has exchanged packets.
switch(config)# show vxlan vtep
Remote VTEPS for vxlan1:
10.1.1.1
Total number of remote VTEPS: 1
switch(config)# show platform fap vxlan vtep encapsulation
Tunnel Type: R(vxlan-Routing), B(vxlan-Bridging)
D - ECMP is divergent across switching chips
------------------------------------------------------------------------------------------------------------
| VTEP Table |
|------------------------------------------------------------------------------------------------------------|
| FEC | EEDB |
|------------------------------------------------------------------------------------------------------------|
| Destination | Ecmp| Fec|Tunnel|Tunnel| Arp|SIP|TTL| Cmd | Destination | VID | MAC / CPU Code |
| |Index|Index| Index| Type |Index|Idx| | | | | |
|------------------------------------------------------------------------------------------------------------|
| 10.1.1.1| - |353900| 16382| B|65536| 0| 64|ROUTE| Et1/1 |1006 | 00:00:aa:aa:aa:aa |
| 10.1.1.1| - |353901| 16383| R|65536| 0| 64|ROUTE| Et1/1 |1006 | 00:00:aa:aa:aa:aa |
switch(config)# show cpu counters queue | grep vxlan
CoppSystemvxlanEncap 0 0 0 0
CoppSystemvxlanVtepLearn 0 0 0 0
CoppSystemvxlanEncap 0 0 0 0
CoppSystemvxlanVtepLearn 0 0 0 0
switch(config)# show platform fap vxlan mapping vni
VNI | VSI
-------------+------
100 | 100
switch# show platform pkt | egrep -i "vxlan|vni"
rxpacllog 0 rxracllog 0 rxvteplearn 0 rxvxlan_encap 0
rx_vxlanbfd 0 rxcfm 0
rxvteprestore_drop 0 rxvxlan_encap_drop 0 rxmpc_nodev 0 rx_vxlanbfderr 0 rx_nonvxlan_arp_drop 0
fab.rxvxlan_decaperr 0 rx_macsecproxyerr 0 rx_macsecproxy_prune 0
CpuCodevxlanVtepLearn: 0
CpuCodevxlanEncapRequired: 0
CpuCodevxlanArp: 0
CpuCodevxlanUnknownVtepArp: 0
vxlan : sys_port -1 traffic_class 0 fdma - fapid 0 sflow_cookie 0 mark4 0000 mark6 0000 D
vxlan vni hashtable:
h: 201, i: 0, vni: 100, vlanid: 100
vxlan enabled vlans: 100,
use the
switch# show cpu counters vxlan l2 ecmp
VTEP Group Member VTEP IP ECMP ECMP Member Next Level
ID Size FEC ID FEC ID FEC ID
-------------------------------------------------------------------------
1 172.16.1.2 2 1 91752 353907
10.1.1.1 91753 353908