5. EVPN-VXLAN for layer 3
The EVPN Layer 3 configuration model builds on the model for EVPN routes described in Chapter 4, EVPN-VXLAN for layer-2 and multi-homing. Understanding the concepts in the EVPN-VXLAN Layer-2 chapter is required to understand this chapter.
This chapter addresses connectivity between subnets across multiple Broadcast Domains (BDs) of the same tenant as defined in the EVPN Interface-less (IFL) model [draft-ietf-bess-evpn-prefix-advertisement]. It is based on the advertisement and processing of IP prefixes using EVPN type 5 routes. This chapter defines how CEs or servers can be multi-homed to multiple leaf nodes in an EVPN IFL network. It also describes other EVPN L3 topics such as:
- IRB subinterface extensions for EVPN-VXLAN Layer 3
- unicast routing PE-CE
- layer 3 host mobility
5.1. Applicability
The information and configuration in this chapter are based on SR Linux Release 21.6.
5.2. Overview
Figure 8 shows four leaf routers attached to the same tenant or IP-VRF domain. Servers are connected to different subnets and, therefore, different BDs. The leaf routers provide inter-subnet forwarding by using the EVPN IFL model as defined in [draft-ietf-bess-evpn-prefix-advertisement]. The SR Linux implementation is fully standard and third-party routers, such as LEAF-4, can be connected to the same IP-VRF domain as SR Linux routers.
Figure 8: EVPN IP-VRF domain in a multi-tenant DC
The procedures in this chapter define the configuration and operation for:
- the EVPN IFL model for EVPN-VXLAN Layer 3 and the EVPN IP prefix routes
- multi-homing in an EVPN-VXLAN Layer 3 solution
- host route mobility aspects
- PE-CE unicast routing on EVPN-VXLAN Layer 3 networks
- EVPN-VXLAN Layer 3 feature parity for IPv6 prefixes
5.3. Configuring EVPN-VXLAN IP-VRF domains
Figure 9 shows the configuration of an EVPN-VXLAN IP-VRF-10 distributed in three leaf routers, with different subnets, and multi-homing for SERVER-1.
Figure 9: Example of EVPN-VXLAN IP-VRF domain
5.3.1. Preconfiguring the underlay network
Prior to configuring the overlay BD, the underlay connectivity must be configured.
This chapter uses the same underlay configuration defined for EVPN-VXLAN Layer-2 and Multi-Homing. Refer to section 4.3.1 Configuring the underlay network in chapter 4 and review this section to understand the underlay configuration before proceeding.
5.3.2. Configuring the LEAF-3 IP-VRF domain
Once LEAF-3 is pre-configured as defined in Preconfiguring the underlay network, use the following steps to enable EVPN-VXLAN on LEAF-3.
As shown in Figure 9, LEAF-3 is attached to IP-VRF-10 and HOST-3 is connected to BD3. BD3 is mapped to subnet 103.1.1.0/24 and its IRB sub-interface is the default-gateway to all hosts in BD3.
- In candidate mode, create the interfaces and bridged sub-interfaces that will connect LEAF-3 BD3 to HOST-3. In this example:
- Ethernet-1/2 connects HOST-3 to LEAF-3. Although this interface could be defined untagged, this example configures the interface as tagged (vlan-tagging true).
- A sub-interface with index 3 is created under the interface and must be configured as type bridged. Bridged sub-interfaces can be associated to MAC-VRF instances as described in Chapter 4.
- The sub-interface uses vlan-id any, which captures any traffic that is not specified in other sub-interfaces of the same interface.
Note: The IRB sub-interface will expect no vlan tags so that traffic forwarded from HOST-3 can be routed. If HOST-3 sends frames tagged with a vlan-id, the frames would be classified in the BD3 context, but the sub-interface will not strip off the vlan tag, and frames will not be routed.
--{ [FACTORY] + candidate shared default }--[ interface ethernet-1/2 ]--# infoadmin-state enablevlan-tagging truesubinterface 3 {type bridgedadmin-state enablevlan {encap {single-tagged {vlan-id any}}}} - After creating the access sub-interfaces, create the vxlan-interfaces. This allows MAC-VRFs of the same BD to be connected throughout the IP fabric.In this example, no other leaf router is attached to BD3, so no vxlan-interface is needed in BD3. The configuration of the vxlan-interface is only shown for completeness. Reference Chapter 4 for details on vxlan-interfaces and their characteristics.Example: vxlan1 vxlan-interface 3 configuration--{ [FACTORY] + candidate shared default }--[ tunnel-interface vxlan1 ]--# infovxlan-interface 3 {type bridgedingress {vni 3}}
- IP-VRF instances in the leaf routers are also connected by VXLAN tunnels, therefore, vxlan-interfaces of type routed must be created.In this example, tunnel-interface vxlan2 vxlan-interface 10 is configured. While the configuration of the routed vxlan-interface is similar to the bridged vxlan-interface, this type ensures a routed vxlan-interface only attaches to an ip-vrf, and a bridged vxlan-interface only attaches to a mac-vrf.Example: VXLAN tunnel configuration--{ [FACTORY] + candidate shared default }--[ tunnel-interface vxlan2 ]--# infovxlan-interface 10 {type routedingress {vni 10}}
- Configure the IRB interface and sub-interface that links BD3 and IP-VRF-10 together to allow packets from/to subnet 103.1.1.0/24 to route to/from remote subnets in the local or remote leaf routers of the same tenant.Note that since BD3 is not present in another leaf, the IRB sub-interface is not configured as an anycast-gw sub-interface. However, an operator may want to configure all IRB sub-interfaces as anycast-gw in case the BD is extended later. Reference section 5.3.3, Configuring the IP-VRF Domain on LEAF-2 and LEAF-4 for anycast-gw configuration details.Example: IRB configuration--{ [FACTORY] + candidate shared default }--[ interface irb0 ]--# infosubinterface 3 {ipv4 {address 103.1.1.254/24 {}}}
- Configure the network-instance type mac-vrf and associate it with the bridged IRB interfaces and the vxlan-interface. In the example that follows, BD3 is connected to HOST-3 and to the IRB sub-interface that is also attached to IP-VRF-10.Although the B is not needed, in this example, the bgp-evpn and vxlan configuration is shown for completeness. For details about bgp-vpn, bgp-evpn, and vxlan-interface configuration, refer to chapter 4.Example: mac-vrf configuration and bridged interface association--{ [FACTORY] + candidate shared default }--[ network-instance BD3 ]--# infotype mac-vrfinterface ethernet-1/2.3 {}interface irb0.3 {}vxlan-interface vxlan1.3 {}protocols {bgp-evpn {bgp-instance 1 {admin-state enablevxlan-interface vxlan1.3evi 3ecmp 2}}bgp-vpn {bgp-instance 1 {route-target {export-rt target:64500:3import-rt target:64500:3}}}}
- Configure IP-VRF-10 with bgp-evpn enabled using the EVPN IFL model. In this example, IP-VRF is configured with the irb0.3 interface for connectivity to BD3 and vxlan2.10. This allows the extension of IP-VRF-10 to remote leaf routers. A loopback interface is configured in the IP-VRF to test connectivity among IP-VRFs of the same tenant.Once configured, all local routes learned on IP-VRF-10 route-table will be advertised in IP Prefix routes (or IPv6 Prefix routes for local IPv6 routes).Example: Enable EVPN IFL model on IP-VRF-10--{ [FACTORY] + candidate shared default }--[ network-instance IP-VRF* ]--# infonetwork-instance IP-VRF-10 {type ip-vrfinterface irb0.3 {}interface lo10.2 {}vxlan-interface vxlan2.10 {}protocols {bgp-evpn {bgp-instance 1 {vxlan-interface vxlan2.10evi 10ecmp 2}}bgp-vpn {bgp-instance 1 {route-target {export-rt target:64500:10import-rt target:64500:10}}}}}The bgp-vpn instance is configured as described in Chapter 4 (with a network-instance of type ip-vrf). Likewise, the bgp-evpn container enables EVPN in the ip-vrf and associates it to the routed vxlan-interface. The RD and RT can be auto-derived from the evi just like they can in mac-vrfs. Explicitly configured RD/RTs can override the auto-configured ones. Import and export policies are supported.
- Review the changes. If correct, commit the changes.# commit stay--{ candidate shared default }--[ ]--
5.3.3. Configuring the IP-VRF Domain on LEAF-2 and LEAF-4
LEAF-2 and LEAF-4 are configured in the same way as LEAF-3, but with the addition of multi-homing, anycast-gw interfaces, and related configurations.
Use the following procedure to enable EVPN-VXLAN Layer 3 on LEAF-2 and LEAF-4. Considerations for configuring the IRB sub-interfaces (Step 4) are provided in section 5.3.3.1 IRB sub-interface considerations, if needed.
- In candidate mode, create the interfaces, and bridged sub-interfaces (including LAG) to connect HOST-2, HOST-4, SERVER-1, and CE-3.In this example, Ethernet Segment ES-1 is associated to lag1 and is multi-homed to SERVER-1 lag. LACP is enabled on lag1 (but can be disabled) and the admin-key, system-id-mac, and system-priority match on both LEAF-2 and LEAF-4.Example (1 of 2): Interfaces and bridged sub-interfaces configuration (LEAF-2)// interfaces in Leaf-2--{ [FACTORY] + candidate shared default }--[ interface * ]--# infointerface ethernet-1/11 {description ES-1ethernet {aggregate-id lag1}}interface ethernet-1/12 {description to-host-2admin-state enablevlan-tagging truesubinterface 24 {type bridgedvlan {encap {single-tagged {vlan-id any}}}}}interface ethernet-1/22 {description to-CE-3vlan-tagging truesubinterface 2 {type bridgedadmin-state enablevlan {encap {single-tagged {vlan-id 2}}}}}interface lag1 {admin-state enablevlan-tagging truesubinterface 24 {type bridgedvlan {encap {single-tagged {vlan-id 24}}}}lag {lag-type lacpmember-speed 100Glacp {interval FASTlacp-mode ACTIVEadmin-key 24system-id-mac 00:00:00:00:00:24system-priority 24}}}Example (2 of 2): Interfaces and bridged sub-interfaces configuration (LEAF-4)// Interfaces in Leaf-4--{ [FACTORY] + candidate shared default }--[ interface * ]--# infointerface ethernet-1/4 {description ES-1ethernet {aggregate-id lag1}}interface ethernet-1/13 {description to-host-4admin-state enablevlan-tagging truesubinterface 4 {type bridgedadmin-state enablevlan {encap {single-tagged {vlan-id any}}}}}interface lag1 {admin-state enablevlan-tagging truesubinterface 24 {type bridgedvlan {encap {single-tagged {vlan-id 24}}}}lag {lag-type lacpmember-speed 100Glacp {interval FASTlacp-mode ACTIVEadmin-key 24system-id-mac 00:00:00:00:00:24system-priority 24}}}
- Create the all-active Ethernet Segment ES-1 that is attached to LEAF-2 and LEAF-4. Details about the ES configuration and operation can be found in Chapter 4. Note that the following example only shows the Ethernet Segment configuration. The bgp-vpn>bgp-instance 1 must also be configured as described in Chapter 4.Example: ES configuration// ES-1 on Leaf-2--{ [FACTORY] + candidate shared default }--[ system network-instance protocolsevpn ethernet-segments ]--# infobgp-instance 1 {ethernet-segment ES-1 {admin-state enableesi 01:24:24:24:24:24:24:00:00:01interface lag1multi-homing-mode all-active}}// ES-1 on Leaf-4--{ [FACTORY] + candidate shared default }--[ system network-instance protocolsevpn ethernet-segments ]--A:dut4# infobgp-instance 1 {ethernet-segment ES-1 {admin-state enableesi 01:24:24:24:24:24:24:00:00:01interface lag1multi-homing-mode all-active}}
- Once the access bridged sub-interfaces are created, create the vxlan-interfaces to facilitate connectivity between network-instances across the IP fabric. The mac-vrf network-instances require both vxlan-interfaces of type bridged and ip-vrfs of type routed.In the following example, all the vxlan-interfaces for all network-instances on LEAF-2 and LEAF-4 nodes are configured as follows:Example: vxlan-interface configuration// vxlan-interfaces on Leaf-2--{ [FACTORY] + candidate shared default }--[ tunnel-interface * ]--# infotunnel-interface vxlan1 {vxlan-interface 2 {type bridgedingress {vni 2}}vxlan-interface 24 {type bridgedingress {vni 24}}}tunnel-interface vxlan2 {vxlan-interface 10 {type routedingress {vni 10}}}// vxlan-interfaces on Leaf-4--{ [FACTORY] + candidate shared default }--[ tunnel-interface * ]--# infotunnel-interface vxlan1 {vxlan-interface 4 {type bridgedingress {vni 4}}vxlan-interface 24 {type bridgedingress {vni 24}}}tunnel-interface vxlan2 {vxlan-interface 10 {type routedingress {vni 10}}}
- Configure the IRB sub-interfaces that will link the mac-vrf and ip-vrf network-instances for inter-subnet-forwarding. Refer to section 5.3.3.1 IRB sub-interface considerations, for details on configuring IRB sub-interfaces.Example: IRB sub-interface configuration// IRB interfaces in Leaf-2--{ [FACTORY] + candidate shared default }--[ interface irb* ]--# infointerface irb0 {subinterface 2 {ipv4 {address 20.1.1.2/24 {}arp {learn-unsolicited true]}}anycast-gw {}}subinterface 24 {ipv4 {address 101.1.1.2/24 {}address 101.1.1.254/24 {anycast-gw trueprimary}address 102.1.1.254/24 {}arp {learn-unsolicited truedebug [messages]host-route {populate dynamic {}}evpn {advertise dynamic {}}}}anycast-gw {}}}// IRB interfaces in Leaf-4--{ [FACTORY] + candidate shared default }--[ interface irb* ]--# infointerface irb0 {subinterface 4 {ipv4 {address 104.1.1.4/24 {}address 104.1.1.254/24 {anycast-gw trueprimary}arp {learn-unsolicited truedebug [messages]}}anycast-gw {}}subinterface 24 {ipv4 {address 101.1.1.4/24 {}address 101.1.1.254/24 {anycast-gw trueprimary}arp {learn-unsolicited truedebug [messages]host-route {populate dynamic {}}evpn {advertise dynamic {}}}}anycast-gw {}}
- Configure the network-instances of type mac-vrf and associate the bridged sub-interfaces, irb sub-interfaces, and vxlan-interfaces. Then enable bgp-evpn.Example: network instance configuration and association// MAC-VRFs in Leaf-2--{ [FACTORY] + candidate shared default }--[ network-instance BD* ]--# infonetwork-instance BD2 {type mac-vrfinterface ethernet-1/22.2 {}interface irb0.2 {}vxlan-interface vxlan1.2 {}protocols {bgp-evpn {bgp-instance 1 {admin-state enablevxlan-interface vxlan1.2evi 2ecmp 2}}bgp-vpn {bgp-instance 1 {route-target {export-rt target:64500:2import-rt target:64500:2}}}}}network-instance BD24 {type mac-vrfinterface ethernet-1/12.24 {}interface irb0.24 {}interface lag1.24 {}vxlan-interface vxlan1.24 {}protocols {bgp-evpn {bgp-instance 1 {admin-state enablevxlan-interface vxlan1.24evi 24ecmp 2}}bgp-vpn {bgp-instance 1 {route-target {export-rt target:64500:24import-rt target:64500:24}}}}}// MAC-VRFs in Leaf-4--{ [FACTORY] + candidate shared default }--[ network-instance BD* ]--# infonetwork-instance BD24 {type mac-vrfinterface irb0.24 {}interface lag1.24 {}vxlan-interface vxlan1.24 {}protocols {bgp-evpn {bgp-instance 1 {admin-state enablevxlan-interface vxlan1.24evi 24ecmp 2}}bgp-vpn {bgp-instance 1 {route-target {export-rt target:64500:24import-rt target:64500:24}}}}}network-instance BD4 {type mac-vrfinterface ethernet-1/13.4 {}interface irb0.4 {}vxlan-interface vxlan1.4 {}protocols {bgp-evpn {bgp-instance 1 {admin-state enablevxlan-interface vxlan1.4evi 4ecmp 2}}bgp-vpn {bgp-instance 1 {route-target {export-rt target:64500:4import-rt target:64500:4}}}}}
- Configure IP-VRF-10 with bgp-evpn enabled with the EVPN IFL model. The IP-VRF is configured with the IRB sub-interfaces previously created for BD2, BD4, and BD24. The IP-VRF instances are connected VXLAN tunnels, so routed vxlan-interfaces need to be associated to IP-VRF-10. A loopback interface is configured in the IP-VRF to test connectivity among IP-VRFs of the same tenant.In the following example, LEAF-2's IP-VRF is configured with a BGP PE-CE neighbor to CE-3.Example: IP-VRF-10 configuration// IP-VRF-10 in Leaf-2--{ [FACTORY] + candidate shared default }--[ network-instance IP-VRF* ]--# infonetwork-instance IP-VRF-10 {type ip-vrfinterface irb0.2 {}interface irb0.24 {}interface lo10.2 {}vxlan-interface vxlan2.10 {}protocols {bgp-evpn {bgp-instance 1 {vxlan-interface vxlan2.10evi 10ecmp 2}}bgp {admin-state enableautonomous-system 645002router-id 2.2.2.2group eBGP-PE-CE {admin-state enableexport-policy export-allimport-policy import-allipv4-unicast {admin-state enable}}neighbor 20.1.1.3 {peer-as 645003peer-group eBGP-PE-CElocal-as 645002 {}transport {local-address 20.1.1.2}}}bgp-vpn {bgp-instance 1 {route-target {export-rt target:64500:10import-rt target:64500:10}}}}}// IP-VRF-10 in Leaf-4--{ [FACTORY] + candidate shared default }--[ network-instance IP-VRF* ]--# infonetwork-instance IP-VRF-10 {type ip-vrfinterface irb0.4 {}interface irb0.24 {}interface lo10.2 {}vxlan-interface vxlan2.10 {}protocols {bgp-evpn {bgp-instance 1 {vxlan-interface vxlan2.10evi 10ecmp 2}}bgp-vpn {bgp-instance 1 {route-target {export-rt target:64500:10import-rt target:64500:10}}}}}
- Review the changes. If correct, commit the changes.A:dut2# commit stay--{ candidate shared default }--[ ]--
5.3.3.1. IRB sub-interface considerations
The following are considerations for configuring IRB sub-interfaces (performed in Step 4).
IRB sub-interfaces on BDs that are distributed to multiple leaf nodes must be configured with at least one anycast-gw IP address and an anycast-gw MAC address. When the anycast-gw container is configured, the anycast-gw MAC address is auto-derived as 00:00:5E:00:01:01 in all the leaf nodes. The MAC address can also be explicitly configured if desired. In addition:
- The same anycast-gw IP and MAC address must be configured on all IRBs of the same BD.
- All the hosts attached to the same BD use the same default-gateway (that is, the anycast-gw IP) irrespective of the leaf they are connected to. For example, irb0 sub-interfaces 24 are configured with the same anycast-gw IP on LEAF-2 and LEAF-4 (101.1.1.254) in the configuration example.
- Default gateway redundancy in DCs is realized using anycast-gws, and not VRRP. Anycast-gws avoid upstream tromboning for hosts that are multi-homed to multiple leaf nodes or for single-homed hosts that move to other leaf nodes of the same BD.
IRB sub-interfaces on BDs that are distributed may also be configured with non-anycast-gw IP addresses. This is only done when separate IPs are needed to check connectivity per leaf. For example, when LEAF-2 is configured with non-anycast-gw IPs 101.1.1.2 and 102.1.1.254, and LEAF-4 is configured with 104.1.1.4. and anycast-gw IPs exist in multiple nodes, the anycast-gw IPs should not be used in ICMP tools to check the availability of a leaf. Non-anycast-gw IPs should be used instead.
IRB sub-interfaces on distributed BDs should be configured with the following commands, as shown for subinterface 24 in LEAF-2 and LEAF-4 in the configuration example:
- arp learn-unsolicited true - Triggers the learning of ARP entries out of any ARP packet arriving at the IRB sub-interface, regardless of whether there was an ARP-Request issued from the IRB.
- arp host-route populate dynamic - Creates host routes (arp-nd) in the IP-VRF route-table from learned dynamic ARP entries in the IRB. The arp-nd host routes are then advertised to the remote leaf nodes. This assists the routing of downstream traffic to a given host without hair-pinning traffic via another leaf connected to the same BD of the host, but not connected to the host directly.
- arp evpn advertise dynamic - Advertises EVPN MAC/IP routes that include the MAC and the IP of the dynamic ARP entries. The advertisement of these routes synchronizes the ARP caches in all the IRB sub-interfaces of the same BD.
IRB sub-interfaces on BDs that are not distributed (that is, BDs attached to only one Leaf node) do not need to be configured with the following:
- arp host-route-populate dynamic as downstream routing is always direct to the connected leaf
- arp evpn advertise dynamic as ARP entries do not need to be synchronized with any other node
Examples of non-distributed BDs are BD2, BD4, and BD3 as shown in Figure 9. Their corresponding IRB sub-interfaces do not create host-routes or advertise EVPN MAC/IP routes for the ARP entries.
5.3.4. Configuring EVPN IFL interoperability to EVPN IFF unnumbered model
While EVPN IFL for VXLAN is supported by most DC vendors, Nuage WBX or VSC/VRS use the EVPN IFF Unnumbered model. By default, the SR Linux EVPN IFL (interface-less) model does not inter-operate with the EVPN IFF (interface-full) model. However, it is possible to configure the SR Linux EVPN IFL model to inter-operate with the EVPN IFF model.
For more information about EVPN IFL vs EVPN IFF models, see the SR Linux EVPN-VXLAN User Guide and draft-ietf-bess-evpn-prefix-advertisement.
To configure inter-operability in IP-VRF-10, configure the advertise-gateway-mac command as shown in the following example.
Example: EVPN IFF inter-operability in IP-VRF-10 configuration
When set to true, the node advertises a MAC/IP route using all of the following:
- Gateway-mac for IP-VRF-10 (that is, the system-mac)
- RD/RT, next-hop, and VNI of IP-VRF-10, and
- Null IP address, ESI or Ethernet Tag ID
Example: MAC/IP route advertisement
In this example, the MAC/IP route advertised is from LEAF-3. The MAC address matches the system-mac advertised in any local RT5s.
For IPv6, Nuage WBX devices support two EVPN L3 IPv6 modes: IFF unnumbered and IFF numbered. The SR Linux interoperability mode enabled by the advertise-gateway-mac command only works with devices that use EVPN IFF unnumbered. This is because EVPN IFL and EVPN IFF unnumbered models both use the same format in the IP prefix route, and differ only in the additional MAC/IP route for the gateway-mac. EVPN IFL and EVPN IFF numbered models have different IP prefix route formats, and cannot inter-operate.
5.3.5. Checking the EVPN IFL model in IP-VRFs
Once configured, the state of the IP-VRF-10 on the three leaf nodes and basic connectivity should be checked.
When the leaf nodes attached to IP-VRF-10 exchange at least one EVPN IP-Prefix route on all leaf nodes of the tenant, the bgp_mgr will request the fib_mgr to create a VXLAN tunnel to each next-hop of the received EVPN routes type 5 (RT5s). This assumes the tunnel had not already been created.
When a VXLAN tunnel to the remote VTEP exists, the bgp_mgr requests the next-hop resolution to the fib_mgr, and if it resolves, the RT5 is installed in the IP-VRF route-table. Using LEAF-3 as a reference, you can check that RT5s are received from the two remote leaf nodes, and then verify that VXLAN tunnels exist to their VTEPs and the RT5s are installed in the route-table. Loopbacks are configured on each IP-VRF-10 instance to verify reachability.
Example: Check IP-VRF-10 state and connectivity
The following can check RT5s for the loopbacks 22.22.22.22 and 44.44.44.44 advertised by the remote leaf nodes. You can check that the routes contain the expected IP-VRF-10 VNI, route-target, and the mac-nh which is used as the inner destination MAC when sending VXLAN packets to the prefix.
Example: Check for VXLAN tunnel creation
Once the routes are correct, the VXLAN tunnels are created.
Example: Check for remote VTEPs and associated destinations
The following commands show the remote VTEPs and the associated destinations. A destination is the combination of the VTEP and VNI that is created when the EVPN routes are received and the VXLAN tunnel is created. IP destinations are created from RT5s.
Example: Check IP-VRF-10 route table
The following command checks the IP-VRF-10 route table to ensure all the remote subnets and hosts are received and installed. All interface and local routes are automatically advertised in RT5s. Since ECMP=2 is configured in the IP-VRF-10, there are two ECMP paths for the 101.1.1.0/24 subnet, which is attached to both LEAF-2 and LEAF-4.
Example: Check route-table state for a RT5
Use the following command to check the route-table state for a RT5. This can be useful to understand how the RT5 is resolved to a vxlan tunnel and what vxlan VNI, inner source, and destination MACs are be used when sending VXLAN packets to that route. The following uses ECMP route 101.1.1.0/24 on LEAF-3. The route's next-hop group has two separate next-hops pointing at the remote LEAF-2 and LEAF-4 VTEPs:
Example: Monitor pings
The following command monitors pings between the local LEAF-3 loopback and LEAF-2's loopback (22.22.22.22), the inner source, and destination MACs that are associated to the RT5's next-hop that are used in the actual packets. Note that the source-mac is the chassis MAC advertised in the mac-nh of the local RT5s:
The received EVPN IFL IP Prefix routes are only installed in the IP-VRF-10 route-table if:
- the import route-target matches the RT5 route-target
- the RT5's VNI matches the VNI of the vxlan-interface in the IP-VRF-10
- the RT5's gateway-ip is zero
Additional guidelines:
- Importing an RT5 into multiple ip-vrf network-instances is not supported due to the VNI restriction: an ip-vrf can only use a single VNI for ingress and egress VXLAN packets. This is a TD3 limitation.
- The route next-hop cannot be changed in ip-vrf network-instances. It is always the system-ip in this release.
- The ip-vrf bgp-evpn bgp instance can be oper-down for the same reasons as the bgp-evpn bgp instance can be down in mac-vrfs. Refer to Chapter 4 for details.
- VXLAN statistics are also accounted for when EVPN-IFL is used.
- No MTU checks are done for VXLAN in EVPN-IFL. If the routed packet plus the VXLAN overhead exceeds the underlay interface MTU of the egress interface in the default network-instance, the packet is still encapsulated and sent to the remote leaf. No statistics increment or drops occur.
- Outer TTL for VXLAN packets is always initialized to 255 and not copied or propagated from or to the inner IP packet.
5.3.6. Checking PE-CE routing on an IP-VRF with EVPN-IFL
In an EVPN-VXLAN Layer 3 network, PE-CE routing refers to the unicast routing between a CE connected to a BD in a leaf node and the IRB sub-interface of the IP-VRF connected to the same BD. Static or BGP routing is supported in SR Linux. BFD can also be used between the IRB and the CE.
Example: Check PE-CE routing on IP-VRF
Figure 9 depicts a PE-CE BGP session between CE-3 and IP-VRF-10 in LEAF-2. This configuration is needed in IP-VRF-10 to enable a PE-CE BGP session to CE-3.
Example: PE-CE EBGP session: import and export policies
By default, all local routes to the IP-VRF route-table are automatically advertised in EVPN-IFL routes. This includes static routes, local routes, IGP routes, arp-nd host routes, etc. Consider the following for routes coming from or going to a PE-CE EBGP session.
- EVPN-IFL to PE-CE EBGP: An export policy must be configured so that EVPN IFL routes can be re-advertised to a CE on the PE-CE BGP session.
- PE-CE EBGP to EVPN-IFL: Either an import policy to accept the routes or ebgp-default-policy import-reject-all false must be configured so that the BGP routes are re-advertised to EVPN-IFL.
For example, the following two policies are configured to import and export all routes:
5.3.6.1. Additional PE-CE considerations
BGP PE-CE sessions can only be established with primary IP addresses. Therefore, in an IRB with both an anycast-gw-ip and a non-anycast-gw-ip, the BGP session can be setup against the non-anycast-gw-ip only if it is configured as primary.
A BGP session is not established if the configured BGP local-address for that session is a non-primary address. Adding a secondary address on an interface where the primary address has established a BGP session is supported.
Example: BGP PE-CE sessions and primary IP addresses
In the following, the local IP address is primary, but not an anycast-gw IP:
In SR Linux, the route selection across BGP families (EVPN-IFL vs PE-CE IPv4/v6) occurs based on the route-table preference. For example, if the same prefix 31.31.31.31/32 is received on the IP-VRF-10's route-table via BGP PE-CE (ipv4 family) and via EVPN-IFL, the route with lowest route-table preference will win. By default, the preference for both EVPN-IFL and BGP PE-CE is set to 170. Therefore, for the PE-CE route to be selected, change the preference for the PE-CE routes to a value lower than 170 as shown in the following example.
Example: Changing the route preference
In R21.6, there is no ECMP across different owners (for instance across EVPN-IFL and PE-CE BGP), only within the same routing owner.
Note the following is not supported:
- BGP PE-CE is not supported on CEs that make use of Ethernet Segments, i.e. EVPN Multi-Homing. This is because BGP PE-CE routes resolution using EVPN IFL routes, is blocked. The CE can still use non-EVPN multi-homing (L3 multi-homing). The CE can have a link connected to a sub-interface in LEAF-1/MAC-VRF-1 and another link to a sub-interface in LEAF-2/MAC-VRF-2, because MAC-VRF-1 and MAC-VRF-2 attached to different subnets.
- BGP PE-CE is not supported when the BGP session is established via VXLAN. That is, the BGP CE is connected to a leaf that is connected via vxlan to another leaf that hosts the IRB sub-interface where the BGP PE session is established.
5.3.7. Checking multi-homing in an EVPN-VXLAN Layer 3 network
A EVPN-VXLAN Layer 3 network needs to provide a multi-homing solution where upstream and downstream traffic is always routed efficiently, without hair-pinning. As shown in Figure 10, LEAF-2 and LEAF-4 are all-active multi-homed to SERVER-1. The use of IRB anycast-gw IP and MAC addresses, along with the synchronization of MACs and ARPs on the multi-homed leaf nodes, provides efficient routing.
Figure 10: Example of EVPN-VXLAN layer 3 multi-homing
5.3.7.1. anycast-gw IPs
The configuration of the anycast-gw must be consistent in the IRB sub-interfaces of LEAF-2 and LEAF-4. This can be checked on the state of the sub-interface:
Example: Check configuration consistency
The anycast-gw-mac address is automatically derived by default as 00:00:5e:00:01:VRID per draft-ietf-bess-evpn-inter-subnet-forwarding. It can also be manually configured. Either way, the anycast-gw IP and MAC must match in the two leaf nodes.
In the next example, HOST-12 is configured with default-gw 101.1.1.254 (the anycast-gw IP address of BD24). When HOST-12 ARPs for the default-gw IP, the ARP Request can be hashed to either leaf. Regardless which leaf gets the ARP Request, the ARP reply contains the anycast-gw MAC. Unicast traffic from HOST-12 can now be hashed to either leaf (for example, LEAF-2 in Figure 10) and the receiving leaf node will always route the traffic directly to LEAF-3 without sending it to the peer leaf first (LEAF-4 in the example). Using no anycast-gw IPs or MAC addresses causes hair-pinning and uses unnecessary spine bandwidth.
Example: anycast-gw IP address resolution
The following shows the resolution of the anycast-gw IP from HOST-12 and upstream routed traffic.
As shown in Figure 10, downstream routed traffic from LEAF-3 to HOST-12 is routed directly by LEAF-2 or LEAF-4 without hair-pinning, regardless of who gets the packets. This occurs because HOST-12's ARP and the MAC entries are synchronized in both multi-homed leaf nodes. LEAF-2 learns 101.1.1.1->00:00:64:01:01:01 (host-12 ip and mac) as dynamic and advertises both in MAC/IP routes that are imported by LEAF-4. LEAF-4 installs the HOST-12 ARP and MAC entries as evpn. However, the MAC points at the local ES lag interface, and forwarding is direct to HOST-12.
Example: Synchronization in both multi-home leaf nodes
5.3.7.2. Non-anycast-gw IP addresses
In addition to using anycast-gw IPs for the routed traffic, the multi-homed leaf nodes also have non-anycast-gw IPs that can be used for ICMP. The examples that follow check the availability of each individual Leaf IRB (LEAF-2 and LEAF-4).
Example: Check LEAF-2 IRB availability
Leaf-2 has a non-anycast-gw IP 101.1.1.2:
Example: Check LEAF-4 IRB availability
LEAF-4 has a non-anycast-gw IP 101.1.1.4 in the same IRB:
Both non-anycast-gw IPs are reachable from HOST-12. ARP Requests to non-anycast-gw IPs reply with the chassis mac of the leaf and not with the anycast-gw MAC of the IRB. This allows using the non-anycast-gw IPs for troubleshooting purposes when there are anycast-gw IPs on the same IRBs. The example output from HOST-12 demonstrates this:
Example: non-anycast-gw IPs reachability from host
5.3.7.3. Additional anycast gateway considerations
The following guidelines also apply for using anycast-gw in SR Linux.
In a bgp-evpn-enabled MAC-VRF with an IRB sub-interface, the following applies regardless if the IPs are configured as primary, anycast-gw, or neither of these.
- All IPv4 and IPv6 addresses associated to the IRB sub-interface are advertised in separate MAC/IP routes.
- The anycast-gw-mac and its corresponding anycast-gw IP address are advertised in a MAC/IP route.
- Any other existing non-anycast-gw IP will be advertised along with the interface MAC (hw-mac) in a MAC/IP route.For example, if irb0.24 is configured in LEAF-2 with anycast-gw (ip,mac)=(101.1.1.254/24, 00:5e:00:00:01:01), and 101.1.1.2/24 is also configured as non-anycast-gw IP, two MAC/IP routes are advertised in the context of BD24: MAC/IP route (101.1.1.254, 00:5e:00:00:01:01), and MAC/IP route (101.1.1.2, hw-mac-1).
For IPv6, Local Link Addresses (LLDs) are also advertised in addition to global addresses.
When the IRB sub-interface is admin disabled, the IRB MAC addresses are removed from the mac-table (and withdrawn from EVPN). ARP Requests and Neighbor Solicitation messages for the IRB sub-interface IP addresses from the hosts connected to the Broadcast Domain are only processed when coming from local sub-interfaces. These messages cannot be processed when received over VXLAN, so each of the Leaf routers attached to the same BD need to have their anycast IRB sub-interface operationally up to process the requests for the local hosts.
The IRB MAC addresses are protected in the mac-table if they are not anycast-gw-MACs. Protection means that received frames are dropped if their MAC SA match a protected MAC. The mac-table state shows the protection flag per MAC.
Example: mac-table state
5.4. Testing and checking Layer 3 host mobility
In EVPN-VXLAN Layer 3 networks, multiple leaf nodes are attached to the same BD. Hosts of the same subnet can be connected to any of those leaf nodes. They can also move between leaf nodes of the same BD. In either case, the upstream and downstream traffic must be efficient and avoid hair-pinning. This is shown in Figure 11, where LEAF-2 and LEAF-4 configurations are modified (no ES) and HOST-12 was originally connected to LEAF-2.
Upstream traffic from HOST-12 to HOST-3 must be routed by LEAF-2 to LEAF-3 directly. If HOST-12 later moves to LEAF-4, upstream traffic to HOST-3 must be routed by LEAF-4 to LEAF-3 directly. This is accomplished using anycast-gw IPs and MACs on the IRB interfaces.
When HOST-12 is attached to LEAF-2, downstream traffic from HOST-3 must be sent from LEAF-3 to LEAF-2 directly. If HOST-12 later moves to LEAF-4, the routers need to update their tables quickly so that LEAF-3 routes the traffic to LEAF-4 directly, and no bandwidth is wasted on the spines due to unnecessary hair-pinning. This is achieved by learning HOST-12's IP address in the route-table of the connected leaf as a /32 route and advertising that host route in an EVPN IFL route.
Upon a mobility event to LEAF-4, LEAF-2 will withdraw the host route as fast as possible and LEAF-4 will then advertise the HOST-12 host route in an EVPN IFL route.
Figure 11: Example of L3 host mobility
5.4.1. Initial configuration - efficient host routing
In the initial configuration, HOST-12 is connected to LEAF-2. For LEAF-3 to route traffic (to HOST-12) directly to LEAF-2, LEAF-2 needs to learn HOST-12's IP and advertise its host route in an EVPN-IFL route.
In next example, the following parameter definitions apply.
- learn-unsolicited true - Triggers the node to snoop/process all solicited and unsolicited ARP messages received on sub-interfaces (no vxlan) and learns the corresponding ARP/ND entries as 'dynamic'. By default, the command is false and only solicited entries are learned, which does not guarantee host mobility.When enabled, dynamic ARP/ND entries are learned from the following messages received on the sub-interfaces (if the IPs fall into the local subnets):
- ARP and Neighbor Solicitation requests
- Gratuitous ARP requests and unsolicited neighbor advertisements
- host-route populate dynamic -Triggers the creation of arp-nd host routes in the IP-VRF-10 route-table out of dynamic ARP entries. These are disabled by default. The arp-nd host routes are not installed in the FIB, They are only used in the control plane and advertised to the EVPN-IFL network to attract traffic from LEAF-3. The arp-nd host routes can be exported in any routing protocol, such as EVPN-IFL routes, BGP IPv4/IPv6 routes, OSPF, and ISIS. They are supported in network-instances ip-vrf and default.
- evpn advertise dynamic - Triggers the advertisement of EVPN MAC/IP routes for the dynamic learned ARP entries and allows the synchronization of the ARP entries in all IRB sub-interfaces of the same BD. This is only supported on IRB sub-interfaces.The MAC/IP routes that are advertised for ARP/ND entries will contain the S bit set if the corresponding MAC entry in the mac-table is static.
Note that an equivalent command can be used for ND entries.
Example: Efficient host routing model
The next examples show how an ARP Request from HOST-12 to a random IP in the subnet is enough for the irb0.24 to learn the dynamic ARP. It can then create a host route that is advertised as an EVPN IFL route, and imported by LEAF-3.
Example: LEAF-2 - HOST-12 unsolicited ARP Request
Example: Debug messages - ARP request received
Example: Triggered learning of RT5 and RT2 advertisements
Example: LEAF-3 imports routes as bgp-evpn host route
5.4.2. Mobility event - efficient host routing
When HOST-12 is attached to LEAF-2, the ARP entry must be maintained even if HOST-12 does not send any traffic. If the entry is removed or ages out, the associated arp-nd host route in IP-VRF-10 is removed and the EVPN-IFL route withdrawn. This can cause hair-pinning for traffic routed from LEAF-3. To maintain the HOST-12 ARP entry (and other dynamic ARP/ND entries), the system supports timer-based ARP/ND refreshes (ARP-Request for the host IP).
Timer-based refreshes are triggered 30 seconds before the ARP age-out timer expires, and irrespective of the arrival of packets requiring resolution for the entry. Note that in SROS, the arp-proactive-refresh command is needed so that entries are always refreshed irrespective of the arrival of packets that hit the entry. In SR Linux, this is the default behavior, so there is no command to enable the timer-based refreshes.
When HOST-12 moves from LEAF-2 to LEAF-4, LEAF-4 must advertise the host route for 101.1.1.1/32 in EVPN-IFL as fast as possible and LEAF-2 withdraws its EVPN-IFL route for it. The process used by LEAF-2 and LEAF-4 to update their ARP/route-tables once HOST-12 moves between them is called "EVPN Layer 3 host mobility". SR Linux provides this support per section 4 of draft-ietf-bess-evpn-inter-subnet-forwarding. EVPN Layer 3 host mobility supports the three cases specified in the draft:
- HOST-12 moves to LEAF-4 and generates a GARP
- HOST-12 moves to LEAF-4 and generates traffic, but not ARP
- HOST-12 moves to LEAF-4 and remains silent
To support fast mobility, SR Linux supports triggered refreshes. Triggered refreshes (ARP-Requests on events and not based on timer expiration) are issued from irb0.24 leaf nodes, for the existing dynamic ARP entry 101.1.1.1>00:00:64:01:01:01. The following events apply:
- an EVPN MAC/IP route for 101.1.1.1-> 00:00:64:01:01:01 is received
- an EVPN route for 00:00:64:01:01:01 (no IP) is received
- 00:00:64:01:01:01 ages out in the mac-table (or the entry in the MAC table is cleared manually)
As shown in Figure 11, when HOST-12 moves to LEAF-4, and if it issues a GARP or ethernet traffic, the advertised routes immediately updates the ARP/route tables on both leaf nodes. LEAF-3 then changes its next-hop for HOST-12 from LEAF-2 to LEAF-4.
Example: Silent move - HOST-2 initially attached to LEAF-2
Example: Silent move - initial LEAF-4
Example: Silent move - watch command output for LEAF-3
Example: Silent move - move HOST-12 to LEAF-2
In this example, HOST-12 is moved to LEAF-4 to simulate a silent move. Immediately after flushing MAC 00:00:64:01:01:01 in LEAF-2, the MAC/IP routes are withdrawn and LEAF-2 issues three triggered refreshes.
Example: Silent move - LEAF-2 updates
When the refreshes arrive at HOST-12 in LEAF-4, the ARP reply is consumed by LEAF-4 (since the MAC destination address matches the anycast-gw MAC address). LEAF-4 then advertises the MAC/IP routes and IP Prefix route for HOST-12.
After the move, LEAF-2 and LEAF-4 tables are updated, and LEAF-3 points at LEAF-4 as the next-hop for the HOST-12 route.
Example: Silent move - LEAF-2 tables
Example: Silent move - LEAF-4 tables
Example: Silent move - watch command output for LEAF-3
5.5. EVPN-VXLAN Layer 3 feature parity for IPv6 prefixes
All the features discussed in this chapter are supported for IPv6 prefixes and hosts. EVPN IFL works for Prefix IPv6 routes without enabling a separate BGP family. EVPN supports IPv4 and IPv6 routes. In addition, all IRB sub-interfaces must be configured with the IPv6 container using the same commands used earlier in this chapter, but performed under “neighbor-discovery”.
Example: IPv6 container configuration
5.5.1. Additional feature parity considerations
The anycast-gw container is common for IPv4 and IPv6. Therefore, the anycast-gw mac is the same for both families. Only one anycast-gw MAC is programmed in the interface, and IPv4 and IPv6 packets will use this anycast-gw-mac as MAC SA when sourcing packets to the BD.
LLA and global addresses are advertised in EVPN. The command neighbor-discovery learn-unsolicited both includes global and link local addresses.
The following example shows that when anycast-gw is enabled, an anycast-gw LLA is automatically generated. The anycast-gw ipv6 link local address is based off the anycast-gw-mac when the anycast-gw and the ipv6 containers are present. The logic to compute this new anycast-gw ipv6 link local address is the same as is used for computing the regular ipv6 LLA except the anycast-gw-mac is used instead of the interface mac. This new ipv6 LLA appears in the list of ipv6 addresses associated with the sub-interface, but with the attribute anycast-gw true.
Multicast NS messages will use the anycast-gw LLA and anycast-gw MAC. Unicast NS will use the global IPv6 and hw-address.
Example: LLA generation