E-VPN on UW System Network
Michael Hare
Purpose of presentation
• A high level introduction to E-VPN
• A simple lab demonstration
• For our documentation, see
https://kb.wisc.edu/uwsysnet/internal/page.php?id=56133
• For a deeper dive, see
http://www.juniper.net/us/en/training/jnbooks/day-one/proofconcept-labs/using-ethernet-vpns/
E-VPN
• MPLS service for loop-free multipoint bridging using BGP as a control plane
• Similar deliverable to VPLS, but with some additional features such as
support for active/active CE multihoming
• Supports features such as default gateway sync, which is not
discussed in this presentation
E-VPN basic theory of operation
• EVI: E-VPN instance, as defined on a PE.
• ES: Ethernet Segment. Ethernet link(s) between customer and provider network. When a LAN is
multihomed (multiple CE or multiple PE), the set of links is considered a single ES and must be
assigned a network-wide unique ESI (Ethernet Segment Identifier). Many multihoming examples
show a single CE directly connected to two PEs. However, an ES is also multihomed if a CE has a
path to more than one PE through the CE's switched network. In the latter case, single-active must
be used (PEs for this ES cannot do active/active load balancing).
• ETI: Ethernet Tag Identifier, describes a unique broadcast domain in an EVI. For our purposes, ETI
is a VLAN ID. Note that an ETI inside an EVI may contain multiple unique ESIs.
• DF: Designated Forwarder. Only for a multihomed ESI, DF replaces spanning tree and is
responsible for forwarding multi-destination traffic (Broadcast, unknown unicast, and multicast
traffic, or BUM). Non-DFs, or Backup Forwarders, drop BUM traffic on ingress.
Learning MAC addresses
• When a PE router detects a new MAC address on its EVI access interface, it adds the address to its
appropriate local Layer 2 forwarding table, or MAC-VRF. The PE then transmits a MAC Advertisement route
using MP-BGP to all remote PEs.
• The inclusion of the ESI in the MAC Advertisement route is critical for implementing aliasing, or load
balancing. Multi-homed PEs advertise their connectivity to a common ESI by transmitting Auto-Discovery
routes to all remote PEs. When a given remote PE subsequently learns of a MAC address from that ESI, it
knows that the destination is reachable via the set of multi-homed PEs. The PE can then load balance traffic
to the multiple PEs connected to the common ES.
• 2:143.235.32.38:700::200::00:24:97:32:a7:42/304 (1 entry, 0 announced)
*BGP Preference: 170/-101
Route Distinguisher: 143.235.32.38:700
Task: BGP_65010.143.235.32.112+179
Communities: target:65010:700
Import Accepted
Route Label: 306720
ESI: 00:00:07:00:00:00:00:00:00:00
Secondary Tables: EVPN-2.evpn.0
Looking at the bridging/forwarding tables
• From the bridging perspective
m7h@r-mx104-lab-ac-re0> show bridge mac-table instance EVPN-2
…
…
MAC flags
(S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
O -OVSDB MAC, SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)
Routing instance : EVPN-2
Bridging domain : V200, VLAN : 200
MAC                 MAC      Logical      NH        RTR
address             flags    interface    Index     ID
00:11:20:3e:3e:81   DC                    1048594   1048594
00:11:20:3e:3e:c2   DC                    1048594   1048594
00:24:97:32:a7:42   DC                    1048577   1048577
…
…
Looking at the bridging/forwarding tables (2)
• From the E-VPN database perspective
m7h@r-mx104-lab-ac-re0> show evpn database instance EVPN-2 extensive
Instance: EVPN-2
VLAN ID: 200, MAC address: 00:11:20:3e:3e:81
Source: 143.235.32.113, Rank: 1, Status: Active
Timestamp: Sep 11 10:18:23 (0x55f2f0bf)
State: <Local-Adv-Allowed Local-Adv-Done>
VLAN ID: 200, MAC address: 00:11:20:3e:3e:c2
Source: 143.235.32.113, Rank: 1, Status: Active
Timestamp: Sep 11 15:29:13 (0x55f33999)
State: <Local-Adv-Allowed Local-Adv-Done>
VLAN ID: 200, MAC address: 00:24:97:32:a7:42
Source: 00:00:07:00:00:00:00:00:00:00, Rank: 1, Status: Active
Remote origin: 143.235.32.38
Timestamp: Sep 11 15:29:13 (0x55f33999)
State: <Local-Adv-Allowed Local-Adv-Done>
Routing tables
• bgp.evpn.0: contains all EVPN related routes carried in BGP. You’ll
see this on P and PE. To decode,
see https://tools.ietf.org/html/rfc7432#section-7.
• __default_evpn__.evpn.0: carries multihomed ES routes. You’ll see
this on P and PE.
• $EVI.evpn.0 is like bgp.evpn.0 but is routing-instance specific. You’ll
only see this on PEs that are part of the given EVI.
E-VPN NLRI
In E-VPN routes, the first integer is the E-VPN NLRI Route type.
• 1 - Ethernet Auto-Discovery (A-D) route [used for multihoming]
• 2 - MAC/IP Advertisement route [endpoint reachability info]
• 3 - Inclusive Multicast Ethernet Tag route [for BUM forwarding]
• 4 - Ethernet Segment route [DF/multihoming election]
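An added example (not part of the original slides) that decodes the route keys shown in these tables and tallies NLRI by type, which is the kind of count the monitoring slide refers to. The function names are hypothetical; only the type 2 layout seen on this page is decoded field by field, other types keep their remainder as raw text, and every sample route other than the page's own is constructed.

```python
import re
from collections import Counter

# Route type names as listed on this page (RFC 7432 section 7).
ROUTE_TYPES = {
    1: "Ethernet Auto-Discovery",
    2: "MAC/IP Advertisement",
    3: "Inclusive Multicast Ethernet Tag",
    4: "Ethernet Segment",
}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)

def parse_evpn_prefix(prefix):
    """Split a displayed EVPN route key into route type, RD and remaining fields."""
    body, slash, plen = prefix.strip().rpartition("/")
    if not slash or not plen.isdigit():
        raise ValueError(f"missing /length in {prefix!r}")
    head, sep, rest = body.partition("::")      # "<type>:<RD>" :: type-specific part
    rtype_text, colon, rd = head.partition(":")
    if not sep or not colon or not rtype_text.isdigit():
        raise ValueError(f"not an EVPN route key: {prefix!r}")
    rtype = int(rtype_text)
    route = {"type": rtype, "type_name": ROUTE_TYPES.get(rtype, "unknown"),
             "rd": rd, "length": int(plen), "rest": rest}
    if rtype == 2:
        # Type 2 as displayed on this page: <ethernet tag>::<MAC address>
        tag, sep2, mac = rest.partition("::")
        mac = mac[:17]
        if not sep2 or not tag.isdigit() or not MAC_RE.match(mac):
            raise ValueError(f"malformed type 2 route key: {prefix!r}")
        route.update(ethernet_tag=int(tag), mac=mac.lower())
    return route

def nlri_counts(prefixes):
    """Count routes per NLRI type name, e.g. to baseline and alert on changes."""
    return Counter(parse_evpn_prefix(p)["type_name"] for p in prefixes)

PAGE_ROUTE = "2:143.235.32.38:700::200::00:24:97:32:a7:42/304"  # from this page
SAMPLE = [
    PAGE_ROUTE,
    "2:143.235.32.38:700::200::02:00:00:00:00:01/304",   # constructed
    "3:143.235.32.38:700::200::143.235.32.38/304",       # constructed
]

if __name__ == "__main__":
    print(parse_evpn_prefix(PAGE_ROUTE))
    print(dict(nlri_counts(SAMPLE)))
```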
Looking at the bridging/forwarding tables (3)
• m7h@r-mx104-lab-ac-re0> show route table EVPN-2.evpn.0 evpn-mac-address 00:24:97:32:a7:42
EVPN-2.evpn.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
…
2:143.235.32.38:700::200::00:24:97:32:a7:42/304
*[BGP/170] 00:03:47, localpref 100, from 143.235.32.112
AS path: I, validation-state: unverified
> to 143.235.33.217 via ae0.3477
to 143.235.33.144 via xe-0/3/0.3475, Push 299888
…
Determining the DF for an ESI
• DF election is performed per ESI per EVI. This facilitates load balancing of BUM traffic amongst PEs, a feature
known as Service Carving. See https://tools.ietf.org/html/rfc7432#section-8.5
m7h@r-mx104-lab-ac-re0> show evpn instance EVPN-2 esi 00:00:07:00:00:00:00:00:00:00 extensive
Instance: EVPN-2
…
…
Local interface: ae1.200, Status: Up/Blocking
Number of remote PEs connected: 1
Remote PE        MAC label   Aliasing label   Mode
143.235.32.38    306720      306720           single-active
Designated forwarder: 143.235.32.38
Backup forwarder: 143.235.32.106
…
…
• Here is another way to check E-VPN forwarding state on a CE link
m7h@r-mx104-lab-ac-re0# run show interfaces ae1.200 detail | match EVPN
Protocol bridge, MTU: 1522, Generation: 222, Route table: 4, Mesh Group: __all_ces__, EVPN multi-homed status: Blocking
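The service-carving rule from RFC 7432 section 8.5, as an added example that is not part of the original slides: the PEs attached to the segment are sorted by numeric IP address and the PE at position (V mod N) is the DF. It checks the forwarder lines from the output above for consistency; V = 200 (the lowest VLAN on ae1.200) is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# Lines taken from the "show evpn instance EVPN-2 esi ... extensive" output above.
SHOW_OUTPUT = """\
Local interface: ae1.200, Status: Up/Blocking
Designated forwarder: 143.235.32.38
Backup forwarder: 143.235.32.106
"""

def elect_df(pe_addresses, vlan):
    """Return the DF for <ES, VLAN>: ordinal (vlan mod N) in the IP-ordered PE list."""
    # Sort numerically. A plain string sort would put 143.235.32.106 before
    # 143.235.32.38 and pick the wrong PE.
    ordered = sorted(set(pe_addresses), key=lambda a: int(ipaddress.ip_address(a)))
    if not ordered:
        raise ValueError("no PEs attached to the Ethernet segment")
    return ordered[vlan % len(ordered)]

def check_reported_df(show_output, vlan):
    """Compare the DF a router reports with the DF the carving rule predicts."""
    reported = re.search(r"Designated forwarder:\s*(\S+)", show_output)
    if reported is None:
        raise ValueError("no 'Designated forwarder' line in output")
    backups = re.findall(r"Backup forwarder:\s*(\S+)", show_output)
    expected = elect_df([reported.group(1)] + backups, vlan)
    return {
        "reported": reported.group(1),
        "expected": expected,
        "consistent": reported.group(1) == expected,
    }

if __name__ == "__main__":
    print(check_reported_df(SHOW_OUTPUT, vlan=200))
    # How BUM forwarding would be carved if each VLAN were elected separately.
    for v in (200, 201, 202):
        print(v, elect_df(["143.235.32.106", "143.235.32.38"], v))
```

A mismatch between the reported and expected DF on a segment is worth investigating, since it suggests the PEs do not agree on who is attached to the ES.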
Config snippets: client handoff interface
m7h@r-mx104-lab-ac-re0# show interfaces ae1
apply-groups-except ethernet-standards;
description "s-lab-4 Port-channel1 uwplatteville switch 2 simulator";
enable;
per-unit-scheduler;
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
esi {                                   <---------- omit this if single homed
    00:00:00:00:00:00:00:00:07:00;
    single-active;
}
aggregated-ether-options {
    link-speed 1g;
    lacp {
        active;
    }
}
unit 200 {
    description "s-lab-4 Port-channel1 uwplatteville switch 2 simulator";
    family bridge {
        interface-mode trunk;
        vlan-id-list [ 200 201 202 ];
    }
}
Config snippets: E-VPN instance
• m7h@r-mx104-lab-ac-re0# show routing-instances EVPN-2
instance-type virtual-switch;
interface ae1.200;
route-distinguisher 143.235.32.106:700;
vrf-target target:65010:700;
protocols {
    evpn {
        extended-vlan-list 200-202;
        default-gateway advertise;
    }
}
bridge-domains {
    V200 {
        vlan-id 200;
    }
    V201 {
        vlan-id 201;
    }
    V202 {
        vlan-id 202;
    }
}
Tracking ESI/RD/vrf targets: https://kb.wisc.edu/uwsysnet/internal/page.php?id=55002
Config snippets: BGP
• set protocols bgp group iBGP-reflector family evpn signaling
• m7h@r-mx2010-lab-re0# show policy-options policy-statement select-iBGPreflector-routes-mx2010
…
…
term bgp-evpn {
    from {
        protocol bgp;
        rib bgp.evpn.0;
    }
    then next policy;
}
Keeping it running
• Monitoring
• We track BGP NLRI counts and watch syslog.
That’s all, folks
FIN