The configuration of an I-ES on DC GWs with two BGP-instances has the following impact on the advertisement and processing of BGP-EVPN routes.
For EVPN MAC/IP routes, the following considerations apply.
If bgp-evpn>vxlan>no auto-disc-route-advertisement and mh-mode access are configured on the access instance:
MAC/IP routes received in the EVPN-MPLS BGP-instance are readvertised in the EVPN-VXLAN BGP-instance with the ESI set to zero.
EVPN-VXLAN PEs and NVEs in the DC receive the same MAC in two or more different MAC/IP routes from the DC GWs and perform regular EVPN MAC/IP route selection.
MAC/IP routes received in the EVPN-VXLAN BGP-instance are readvertised in the EVPN-MPLS BGP-instance with the configured non-zero I-ESI value, assuming the VXLAN instance is not in an MhStandby operational state; otherwise the MAC/IP routes are dropped.
EVPN-MPLS PEs in the WAN receive the same MAC from two or more DC GWs, each route set with the same ESI. In this case, the regular aliasing and backup functions apply.
If bgp-evpn>vxlan>auto-disc-route-advertisement and mh-mode access are configured, the following differences apply to the above:
MAC/IP routes received in the EVPN-MPLS BGP-instance are readvertised in the EVPN-VXLAN BGP-instance with the ESI set to the I-ESI.
In this case, EVPN-VXLAN PEs and NVEs in the DC receive the same MAC in two or more different MAC/IP routes from the DC GWs, all with the same ESI, so they can perform aliasing.
ES routes are exchanged for the I-ES. The routes should be sent only to the MPLS network and not to the VXLAN network. This can be achieved by using router policies.
AD per-ES and AD per-EVI routes are also advertised for the I-ES, and should be sent only to the MPLS network and not to the VXLAN network if bgp-evpn>vxlan>no auto-disc-route-advertisement is configured. As with ES routes, router policies can be used to prevent AD routes from being sent to VXLAN peers. If bgp-evpn>vxlan>auto-disc-route-advertisement is configured, AD routes must be sent to the VXLAN peers so that they can apply backup or aliasing functions.
In general, when I-ESs are used for redundancy, router policies are needed to avoid control plane loops with MAC/IP routes. Consider the following to avoid control plane loops:
Loops created by remote MACs
Remote EVPN-MPLS MAC/IP routes are readvertised as EVPN-VXLAN routes with a Site of Origin (SOO) extended community that identifies the DC GW pair; the SOO is added by a BGP peer or VSI export policy. The other DC GW in the pair drops EVPN-VXLAN MAC routes tagged with the pair SOO. Router policies are needed to add the SOO and to drop routes received with the router's own SOO.
When remote EVPN-VXLAN MAC/IP routes are readvertised into EVPN-MPLS, the DC GWs automatically drop EVPN-MPLS MAC/IP routes received with their own non-zero I-ESI.
Loops created by local SAP MACs
Local SAP MACs are learned and MAC/IP routes are advertised into both BGP instances. The MAC/IP routes advertised in the EVPN-VXLAN instance are dropped by the peer based on the SOO router policies, as described above for loops created by remote MACs. The DC GW local MACs are always learned over the EVPN-MPLS destinations between the DC GWs.
The following describes the considerations for BGP peer policies on DC GW1 to avoid control plane loops. Similar policies would be configured on DC GW2.
Avoid sending service VXLAN routes to MPLS peers and service MPLS routes to VXLAN peers.
Avoid sending AD and ES routes to VXLAN peers. If bgp-evpn>vxlan>auto-disc-route-advertisement is configured, AD routes must be sent to the VXLAN peers.
Add SOO to VXLAN routes sent to the ES peer.
Drop VXLAN routes received from the ES peer.
The following shows the CLI configuration.
A:DCGW1# configure router bgp
A:DCGW1>config>router>bgp# info
----------------------------------------------
            family vpn-ipv4 evpn
            vpn-apply-import
            vpn-apply-export
            rapid-withdrawal
            rapid-update vpn-ipv4 evpn
            group "wan"
                type internal
                export "allow only mpls"
                neighbor 192.0.2.4
                exit
                neighbor 192.0.2.5
                exit
            exit
            group "internal"
                type internal
                neighbor 192.0.2.1
                    export "allow only vxlan"
                exit
                neighbor 192.0.2.3
                    import "drop SOO-DCGW-23"
                    export "add SOO to vxlan routes"
                exit
            exit
            no shutdown
----------------------------------------------
A:DCGW1>config>router>bgp# /configure router policy-options
A:DCGW1>config>router>policy-options# info
----------------------------------------------
            community "mpls" members "bgp-tunnel-encap:MPLS"
            community "vxlan" members "bgp-tunnel-encap:VXLAN"
            community "SOO-DCGW-23" members "origin:64500:23"
// This policy prevents the router from sending service VXLAN routes to MPLS peers. //
            policy-statement "allow only mpls"
                entry 10
                    from
                        community "vxlan"
                        family evpn
                    exit
                    action drop
                    exit
                exit
            exit
// This policy ensures the router only exports routes that include the VXLAN encapsulation. //
            policy-statement "allow only vxlan"
                entry 10
                    from
                        community "vxlan"
                        family evpn
                    exit
                    action accept
                    exit
                exit
                default-action drop
                exit
            exit
// This import policy avoids importing routes with a self SOO. //
            policy-statement "drop SOO-DCGW-23"
                entry 10
                    from
                        community "SOO-DCGW-23"
                        family evpn
                    exit
                    action drop
                    exit
                exit
            exit
// This export policy adds SOO only to VXLAN routes. This allows the peer to drop
routes based on the SOO, without affecting the MPLS routes. //
            policy-statement "add SOO to vxlan routes"
                entry 10
                    from
                        community "vxlan"
                        family evpn
                    exit
                    action accept
                        community add "SOO-DCGW-23"
                    exit
                exit
                default-action accept
                exit
            exit
----------------------------------------------
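The following is an added example, not part of the original configuration or of any vendor tooling. It models the four policy-statements above in Python so the loop-prevention behavior can be checked before the policies are deployed. The names Route, apply_policy and advertise are hypothetical. It assumes that a route matching no entry in a policy without a default-action is accepted, and that the ES peer applies the same import policy, as the text says similar policies are configured on DC GW2.

```python
from dataclasses import dataclass

VXLAN = "bgp-tunnel-encap:VXLAN"
MPLS = "bgp-tunnel-encap:MPLS"
SOO = "origin:64500:23"

@dataclass(frozen=True)
class Route:  # hypothetical model of a BGP route: family plus communities
    family: str
    communities: frozenset

# policy name -> ([(match community, action, community to add)], default-action)
POLICIES = {
    "allow only mpls": ([(VXLAN, "drop", None)], None),
    "allow only vxlan": ([(VXLAN, "accept", None)], "drop"),
    "drop SOO-DCGW-23": ([(SOO, "drop", None)], None),
    "add SOO to vxlan routes": ([(VXLAN, "accept", SOO)], "accept"),
}

def apply_policy(name, route):
    """Return the (possibly modified) route if accepted, or None if dropped."""
    entries, default = POLICIES[name]
    for community, action, add in entries:
        # Every entry on the page matches "family evpn" AND one community.
        if route.family == "evpn" and community in route.communities:
            if action == "drop":
                return None
            extra = {add} if add else set()
            return Route(route.family, route.communities | extra)
    # Assumption: without a default-action, a non-matching route is accepted.
    return None if default == "drop" else route

def advertise(route, export_policy, import_policy=None):
    """Sender applies export_policy; the receiver applies import_policy, if any."""
    sent = apply_policy(export_policy, route)
    if sent is None or import_policy is None:
        return sent
    return apply_policy(import_policy, sent)

# Constructed sample routes, one per encapsulation.
vxlan_mac = Route("evpn", frozenset({VXLAN}))
mpls_mac = Route("evpn", frozenset({MPLS}))

if __name__ == "__main__":
    # Toward the ES peer 192.0.2.3: the VXLAN route is tagged, then dropped on import.
    print(advertise(vxlan_mac, "add SOO to vxlan routes", "drop SOO-DCGW-23"))
    print(advertise(mpls_mac, "add SOO to vxlan routes", "drop SOO-DCGW-23"))
    print(advertise(vxlan_mac, "allow only mpls"))   # toward the "wan" group
    print(advertise(mpls_mac, "allow only vxlan"))   # toward neighbor 192.0.2.1
```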