This section provides examples for configuring EVPN multihoming for VPLS services using the command line interface:
This section shows a configuration example for three 7705 SAR PEs, with the following assumptions.
The following configuration excerpt applies to a VPLS-1 on PE-1 and PE-2 and includes the corresponding ethernet-segment and lag commands.
The configuration on the remote PE (PE-3), which supports aliasing to PE-1 and PE-2, is shown below. PE-3 does not have an Ethernet segment configured. It only requires the VPLS-1 configuration and ECMP > 1 in order to perform aliasing.
To use single-active multihoming on PE-1 and PE-2 instead of all-active multihoming, make the following modifications to the configuration of the EVPN All-Active Multihoming Configuration Example:
No changes are needed at the service level on any of the three PEs.
The differences between single-active and all-active multihoming are highlighted in bold in the following configuration excerpts:
This section contains the following configuration examples:
EVPN can be used as the unified control plane VPN technology, not only for providing Layer 2 connectivity, but also for Layer 3 (inter-subnet forwarding). EVPN for MPLS tunnels, along with multihoming and passive VRRP, provides efficient Layer 2 or Layer 3 connectivity to distributed hosts and routers.
The first scenario describes r-VPLS support including IP route advertisement (BGP-EVPN route type 5) with EVPN tunnel interfaces without multihoming. VPLS 101 does not have a connected host, but the linked VPRN has SAP 1/2/1:10. Figure 172 shows an example of the topology used for r-VPLS with an EVPN tunnel but without multihoming. IP prefixes are advertised.
The initial configuration includes the following:
BGP is configured for address family EVPN on PE-2 and PE-3. The BGP configuration on PE-2 is as follows. The BGP configuration on PE-3 is similar.
The CEs are connected to SAP 1/2/1:10 in VPRN 10. r-VPLS 101 is bound to VPRN 10 and VPRN 10 has a dedicated interface “int-evi-101” for the EVPN tunnel. In general, if only one route target (RT) is used for import and export in the EVPN-VPLS, it is best to add the EVI and have the route distinguisher (RD) and RT auto-derived from the EVI; this simplifies the configuration and reduces the chance of errors. The service configuration on PE-2 is as follows:
In the preceding configuration:
The configuration is similar on PE-3. The RD must be different on PE-2 and PE-3; this is automatically the case when the RD is auto-derived from the configured EVI, as in the example. The RD on PE-2 is 192.0.2.2:101; on PE-3, the RD is 192.0.2.3:101.
PE-3 receives the following BGP-EVPN IP prefix route for prefix 172.16.2.0/24 from PE-2:
GW IP 0.0.0.0 is an indication that an EVPN tunnel is in use. With EVPN tunnels, no IRB IP address needs to be configured in the VPRN. EVPN tunnels make provisioning easier to automate and save IP addresses from the tenant IP space.
The BGP tunnel encapsulation is MPLS, but the MPLS label in the debug message is not the same as in the service, because the router strips the extra four lowest bits to get the 20-bit MPLS label. In the debug message, the label is 8388464. This is because the debug message is shown before the router can parse the label field and see if it corresponds to an MPLS label (20 bits). The MPLS label is calculated by dividing the label value by 2^4 (16), as follows: 8388464/16 = 524279.
The MAC next-hop extended community 04:0b:ff:ff:ff:a2 is the MAC address of the interface “int-evi-101” in VPRN 10 on PE-2, as follows:
The routing table for VPRN 10 on PE-3 contains the route for prefix 172.16.2.0/24 as the BGP-EVPN route with next-hop “int-evi-101” and interface name “ET-04:0b:ff:ff:ff:a2” (ET stands for EVPN Tunnel), as follows:
The forwarding database (FDB) for VPLS 101 on PE-3 shows an entry for MAC address 04:0b:ff:ff:ff:a2 that is learned via EVPN. The MAC address is static (S) and protected (P). The MPLS label is 524279.
When the CEs have IPv6 addresses, the VPRN configuration is similar on the PEs, but the ipv6 context must be enabled on the EVPN tunnel interface so that the router can advertise and process BGP-EVPN type 5 routes with IPv6 prefixes. The configuration of VPLS is identical for IPv4 and IPv6.
When advertising IPv6 prefixes, the GW IP field for route type 5 is always populated with the IPv6 address of the r-VPLS interface. In this example, because no specific IPv6 global address is configured, the GW IP will be populated with the auto-created link local address. The following BGP update is received by PE-3 for IPv6 prefix 2001:db8:16::2:0/120:
The IPv6 route table on PE-3 is as follows:
Figure 173 shows an example of the topology with all-active multihoming Ethernet segment (ES) “ESI-23”.
BGP is configured between PE-2, PE-3, and PE-4 for address family EVPN. The configuration on PE-2 is as follows:
All-active multihoming Ethernet segment “ESI-23” is configured on PE-2 and PE-3 as follows:
The following services are configured on the PEs:
The services are configured on PE-2 as follows. The configuration on PE-3 and PE-4 is similar.
The IPv6 VRRP backup address is in the same subnet as the link local address of the interface “int-evi-202”. The IPv6 address can be set as preferred. Also for IPv6, router advertisement must be enabled and configured to use the virtual MAC address.
EVI 202 is configured as an r-VPLS interface with passive VRRP. A passive VRRP VRID instance suppresses the transmission and reception of keepalive messages. All PEs configured with passive VRRP become VRRP masters and take ownership of the virtual IP and MAC addresses.
Each individual r-VPLS interface has a different MAC/IP address on each PE. The MAC/IP addresses for “int-evi-202” on PE-2 are MAC 00:ca:fe:00:02:02 and IP 172.16.20.2/24 for IPv4 and the same MAC address with IPv6 2001:db8:16::20:2 and fe80::16:20:2. However, the r-VPLS interfaces on all PEs share the same VRID 1 and backup IP address 172.16.20.254, so the same vMAC/vIP 00:00:5e:00:01:01/172.16.20.254 and vMAC/vIP 00:00:5e:00:02:01/fe80::16:20:fe are advertised by all PEs. PE-2 advertises the following EVPN MAC routes:
The three PEs advertise the same (anycast) vMAC/vIP in EVI 202 as protected, but each PE keeps its own MAC entry in the FDB. The following FDB output shows that the source identifier for vMAC 00:00:5e:00:01:01 and vMAC 00:00:5e:00:02:01 is the CPM. These two vMAC entries with source identifier CPM are seen on all PEs.
The interface MAC 00:ca:fe:00:02:02 is local, so it also has the CPM as source identifier. MAC 00:ca:fe:00:02:03 is the r-VPLS interface MAC for PE-3 and it is learned via EVPN-MPLS (eMpls) as static (S) and protected (P). MAC address 00:ca:fe:00:02:04 on PE-4 is also static and protected.
PE-4 sends the following IP prefix route (BGP-EVPN route type 5) for prefix 172.16.23.0/24 to the other PEs:
The IP prefixes are advertised with the next hop equal to the EVPN-tunnel GW MAC “int-evi-200”, as follows:
The routing table for VPRN 20 on PE-2 contains IP prefix 172.16.23.0/24 with next hop 04:0f:ff:00:00:05, as follows:
The following IPv6 routing table for VPRN 20 on PE-2 contains prefix 2001:db8:16::23:0/120, which has also been advertised by PE-4. The next hop is again “int-evi-200”, only this time the link local IPv6 address is displayed (GW IP) instead of the MAC address. The next hop is the GW IP value for route type 5, as long as it is a non-zero value. When the GW IP address is 0, route type 5 is expected to contain a mac-nh extended community. The MAC encoded in the extended community is used as the next hop in that case.
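The label derivation (8388464/16 = 524279) and the next-hop rule for route type 5 (use the GW IP when it is non-zero, otherwise the mac-nh MAC) can be checked offline with the following decoder. It is an added example, not router output or Nokia code; the function name, the byte layout taken from RFC 9136, the zero ESI and Ethernet tag in the sample, and the encoding of mac-nh as extended community type 0x06 sub-type 0x03 are assumptions.

```python
import ipaddress

def decode_type5(nlri: bytes, ext_communities: list) -> dict:
    """Decode an EVPN IP prefix (type 5) route body and resolve its next hop."""
    if len(nlri) not in (34, 58):            # RFC 9136: 34 bytes for IPv4, 58 for IPv6
        raise ValueError(f"unexpected type 5 route length: {len(nlri)}")
    alen = 4 if len(nlri) == 34 else 16
    if int.from_bytes(nlri[0:2], "big") != 1:
        raise ValueError("only type 1 RDs (IPv4 address:number) are handled")
    rd = f"{ipaddress.ip_address(nlri[2:6])}:{int.from_bytes(nlri[6:8], 'big')}"
    # Bytes 8-17 carry the ESI and bytes 18-21 the Ethernet tag; not needed here.
    plen = nlri[22]
    if plen > alen * 8:
        raise ValueError(f"prefix length {plen} is too long for this address family")
    # ip_network() rejects prefixes with host bits set (raises ValueError).
    prefix = ipaddress.ip_network(f"{ipaddress.ip_address(nlri[23:23 + alen])}/{plen}")
    gw_ip = ipaddress.ip_address(nlri[23 + alen:23 + 2 * alen])
    raw_label = int.from_bytes(nlri[-3:], "big")   # 24-bit field, as the debug message shows it
    label = raw_label >> 4                         # MPLS: strip the four lowest bits
    if int(gw_ip) != 0:
        next_hop = ("gw-ip", str(gw_ip))
    else:
        # Assumption: mac-nh is the EVPN Router's MAC extended community
        # (type 0x06, sub-type 0x03, then the 6-byte MAC), as in RFC 9135.
        mac = next((ec[2:] for ec in ext_communities
                    if len(ec) == 8 and ec[0] == 0x06 and ec[1] == 0x03), None)
        if mac is None:
            raise ValueError("GW IP is 0 and no mac-nh extended community is present")
        next_hop = ("mac-nh", mac.hex(":"))
    return {"rd": rd, "prefix": str(prefix), "raw_label": raw_label,
            "label": label, "next_hop": next_hop}

# Constructed sample: the route PE-3 receives from PE-2, rebuilt from the values
# quoted on this page (RD 192.0.2.2:101, 172.16.2.0/24, GW IP 0.0.0.0, label 8388464).
SAMPLE_NLRI = (
    bytes.fromhex("0001") + ipaddress.ip_address("192.0.2.2").packed + (101).to_bytes(2, "big")
    + bytes(10) + bytes(4)                        # ESI and Ethernet tag, assumed all zero
    + bytes([24]) + ipaddress.ip_address("172.16.2.0").packed
    + bytes(4)                                    # GW IP 0.0.0.0 (EVPN tunnel in use)
    + (8388464).to_bytes(3, "big")
)
SAMPLE_EXT_COMMUNITIES = [bytes.fromhex("0603040bffffffa2")]  # mac-nh 04:0b:ff:ff:ff:a2

if __name__ == "__main__":
    print(decode_type5(SAMPLE_NLRI, SAMPLE_EXT_COMMUNITIES))
```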
The EVPN tunnel service VPLS 200 has all the MAC addresses of the EVPN interfaces within VPRN 20 as static (S) and protected (P), as follows:
The VRRP instance in each PE is master, as follows:
On PE-4, VPRN 20 has one interface bound to VPLS 202 and another interface bound to VPLS 203. CE-41 is attached to VPLS 202 and CE-43 is attached to VPLS 203. When ping messages are sent from CE-41 to CE-43, or vice versa, the messages go via VPRN 20, which has routes to both CEs, as follows:
When traffic is sent between CE-11 and CE-41, which are both associated with VPLS 202, the forwarding is done by VPLS and not via the VPRN. The FDB for VPLS 202 on PE-2 is as follows:
MAC 00:00:01:00:00:11 corresponds to CE-11 and is learned on SAP lag-1:20 on PE-2 and advertised via an EVPN MAC route to the BGP peers. MAC 00:00:04:00:00:41 corresponds to CE-41 and was advertised via an EVPN MAC route from PE-4, where the MAC was learned on SAP 1/2/1:41 of VPLS 202, as shown in the following FDB:
The MAC address of CE-43 is not present in the FDB of VPLS 202. The FDB of VPLS 203 shows the MAC address of CE-43, but not of CE-41. Traffic between these two VPLS services goes via the VPRN and cannot use Layer 2 forwarding.
Figure 174 shows an example of the topology with single-active multihoming ES “ESI-23”. The difference between this figure and Figure 173 is that in Figure 174 the ES is single-active and SDPs are used instead of a LAG.
The configuration is modified as follows:
The service configuration on PE-2 is as follows. The configuration on PE-3 is similar. No changes are required on PE-4.
PE-2 is the designated forwarder (DF) in the single-active ES, as shown in the following output:
When traffic is sent between CE-11 and CE-41, the FDB on PE-2 is as follows, where MAC address 00:00:01:00:00:11 corresponds to CE-11 and is learned on spoke-SDP 21:20, and MAC address 00:00:04:00:00:41 corresponds to CE-41 and is advertised by PE-4 in an EVPN-MAC route.
When the SDP between MTU-1 and DF PE-2 goes down, traffic from CE-41 to CE-11 is forwarded by PE-4 to DF PE-2. PE-2 cannot forward the packets to CE-11 directly and will forward the packets to its ES peer PE-3. PE-3 will forward to CE-11 even if the MAC SA matches its own vMAC. Virtual MACs bypass the r-VPLS interface protection, so traffic can be forwarded between the PEs without being dropped.