The configuration of an I-ES on DCGWs with two BGP instances has the following impact on the advertisement and processing of BGP-EVPN routes.
For EVPN MAC/IP routes, the following considerations apply.
- If bgp-evpn>vxlan>no auto-disc-route-advertisement and mh-mode access are configured on the access instance:
  - MAC/IP routes received in the EVPN-MPLS BGP instance are readvertised in the EVPN-VXLAN BGP instance with the ESI set to zero.
  - EVPN-VXLAN PEs and NVEs in the DC receive the same MAC in two or more different MAC/IP routes from the DCGWs, and perform regular EVPN MAC/IP route selection.
  - MAC/IP routes received in the EVPN-VXLAN BGP instance are readvertised in the EVPN-MPLS BGP instance with the configured non-zero I-ESI value, assuming the VXLAN instance is not in an MhStandby operational state; otherwise the MAC/IP routes are dropped.
  - EVPN-MPLS PEs in the WAN receive the same MAC from two or more DCGWs set with the same ESI. In this case, regular aliasing and backup functions occur as usual.
- If bgp-evpn>vxlan>auto-disc-route-advertisement and mh-mode access are configured, the following differences apply to the above:
  - MAC/IP routes received in the EVPN-MPLS BGP instance are readvertised in the EVPN-VXLAN BGP instance with the ESI set to the I-ESI.
  - In this case, EVPN-VXLAN PEs and NVEs in the DC receive the same MAC in two or more different MAC/IP routes from the DCGWs, with the same ESI, and can therefore perform aliasing.
ES routes are exchanged for the I-ES. The routes should be sent only to the MPLS network and not to the VXLAN network. This can be achieved by using router policies.
AD per-ES and AD per-EVI routes are also advertised for the I-ES, and are sent only to the MPLS network and not to the VXLAN network if bgp-evpn>vxlan>no auto-disc-route-advertisement is configured. For ES routes, router policies can be used to prevent these routes from being sent to VXLAN peers. If bgp-evpn>vxlan>auto-disc-route-advertisement is configured, AD routes must be sent to the VXLAN peers so that they can apply backup or aliasing functions.
In general, when I-ESs are used for redundancy, router policies are needed to avoid control plane loops with MAC/IP routes. Consider the following to avoid control plane loops:
- Loops created by remote MACs
  - Remote EVPN-MPLS MAC/IP routes are readvertised into EVPN-VXLAN routes with a Site of Origin (SOO) extended community (EC) added by a BGP peer or VSI export policy identifying the DCGW pair. The other DCGW in the pair drops EVPN-VXLAN MAC/IP routes tagged with the pair SOO. Router policies are needed to add the SOO and to drop routes received with the DCGW pair's own SOO.
  - When remote EVPN-VXLAN MAC/IP routes are readvertised into EVPN-MPLS, the DCGWs automatically drop EVPN-MPLS MAC/IP routes received with their own non-zero I-ESI.
- Loops created by local SAP MACs
  - Local SAP MACs are learned and MAC/IP routes are advertised into both BGP instances. The MAC/IP routes advertised in the EVPN-VXLAN instance are dropped by the peer based on the SOO router policies as described above for loops created by remote MACs. The DCGW local MACs are always learned over the EVPN-MPLS destinations between the DCGWs.
The following describes the considerations for BGP peer policies on DCGW1 to avoid control plane loops. Similar policies would be configured on DCGW2.
- Avoid sending service VXLAN routes to MPLS peers and service MPLS routes to VXLAN peers.
- Avoid sending AD and ES routes to VXLAN peers. If bgp-evpn>vxlan>auto-disc-route-advertisement is configured, AD routes must be sent to the VXLAN peers.
- Add SOO to VXLAN routes sent to the ES peer.
- Drop VXLAN routes received from the ES peer.
The following shows the CLI configuration.

A:DCGW1# configure router bgp
A:DCGW1>config>router>bgp# info
----------------------------------------------
    family vpn-ipv4 evpn
    vpn-apply-import
    vpn-apply-export
    rapid-withdrawal
    rapid-update vpn-ipv4 evpn
    group "wan"
        type internal
        export "allow only mpls"
        neighbor 192.0.2.4
        exit
        neighbor 192.0.2.5
        exit
    exit
    group "internal"
        type internal
        neighbor 192.0.2.1
            export "allow only vxlan"
        exit
        neighbor 192.0.2.3
            import "drop SOO-DCGW-23"
            export "add SOO to vxlan routes"
        exit
    exit
    no shutdown
----------------------------------------------
A:DCGW1>config>router>bgp# /configure router policy-options
A:DCGW1>config>router>policy-options# info
----------------------------------------------
    community "mpls" members "bgp-tunnel-encap:MPLS"
    community "vxlan" members "bgp-tunnel-encap:VXLAN"
    community "SOO-DCGW-23" members "origin:64500:23"
    // This policy prevents the router from sending service VXLAN routes to MPLS peers. //
    policy-statement "allow only mpls"
        entry 10
            from
                community "vxlan"
                family evpn
            exit
            action drop
            exit
        exit
    exit
    // This policy ensures the router only exports routes that include the VXLAN encapsulation. //
    policy-statement "allow only vxlan"
        entry 10
            from
                community "vxlan"
                family evpn
            exit
            action accept
            exit
        exit
        default-action drop
        exit
    exit
    // This import policy avoids importing routes with a self SOO. //
    policy-statement "drop SOO-DCGW-23"
        entry 10
            from
                community "SOO-DCGW-23"
                family evpn
            exit
            action drop
            exit
        exit
    exit
    // This export policy adds SOO only to VXLAN routes. This allows the peer to drop routes based on the SOO, without affecting the MPLS routes. //
    policy-statement "add SOO to vxlan routes"
        entry 10
            from
                community "vxlan"
                family evpn
            exit
            action accept
                community add "SOO-DCGW-23"
            exit
        exit
        default-action accept
        exit
    exit
----------------------------------------------
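
The following added example (not vendor code and not part of the original configuration) models the four DCGW1 policies and their neighbor bindings in Python, to check which routes reach each peer and that a VXLAN route crossing the DCGW pair is dropped by the SOO. It assumes every route is family evpn, that a policy with no configured default-action accepts unmatched routes, and that DCGW2 applies the same "drop SOO-DCGW-23" import policy; the function names are hypothetical.

```python
# Added illustration (not vendor code): a simplified model of DCGW1's BGP policies.
# Every route is assumed to be family evpn, so the "family evpn" match is omitted.
VXLAN = "bgp-tunnel-encap:VXLAN"
MPLS = "bgp-tunnel-encap:MPLS"
SOO = "origin:64500:23"

# name -> ([(matched community, action, community added)], default action)
POLICIES = {
    # No default-action is configured for these two; modelled as accept (assumption).
    "allow only mpls": ([(VXLAN, "drop", None)], "accept"),
    "drop SOO-DCGW-23": ([(SOO, "drop", None)], "accept"),
    "allow only vxlan": ([(VXLAN, "accept", None)], "drop"),
    "add SOO to vxlan routes": ([(VXLAN, "accept", SOO)], "accept"),
}

# Neighbor bindings taken from the bgp context above.
PEERS = {
    "192.0.2.4": {"export": "allow only mpls"},
    "192.0.2.5": {"export": "allow only mpls"},
    "192.0.2.1": {"export": "allow only vxlan"},
    "192.0.2.3": {"import": "drop SOO-DCGW-23",
                  "export": "add SOO to vxlan routes"},
}

def apply_policy(name, communities):
    """Return the communities after the policy, or None if the route is dropped."""
    comms = set(communities)
    if name is None:            # no policy bound in this direction
        return comms
    entries, default = POLICIES[name]
    for match, action, add in entries:
        if match in comms:      # first matching entry decides
            if action == "drop":
                return None
            return comms | {add} if add else comms
    return comms if default == "accept" else None

def export_to(peer, communities):
    return apply_policy(PEERS[peer].get("export"), communities)

def import_from(peer, communities):
    return apply_policy(PEERS[peer].get("import"), communities)

def crosses_dcgw_pair(communities):
    """Export to the ES peer, then apply the mirrored import policy
    (assumed to be the same "drop SOO-DCGW-23" on DCGW2)."""
    sent = export_to("192.0.2.3", communities)
    return None if sent is None else apply_policy("drop SOO-DCGW-23", sent)
```

A VXLAN-encapsulated route passed to crosses_dcgw_pair returns None (dropped by the SOO), while an MPLS-encapsulated route passes unchanged, which matches the statement that DCGW local MACs are learned over the EVPN-MPLS destinations between the DCGWs.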