Configuring EVPN

Configuring BGP-EVPN and VCS on CVX

Configuring BGP-EVPN

Configuring VNI Bundle

A VNI-aware-bundle represents a MAC-VRF that contains Layer 2 route entries from all VXLAN Network Identifiers (VNI) available across multiple DCs. Use the vni-aware-bundle command available on CVX to create a MAC-VRF.

Note: This command is not available on switches.

Example

cvx(config)# router bgp 100
cvx(config-router-bgp)# vni-aware-bundle bundle1 
cvx(config-macvrf-bundle1)# 

Configuring RD and RT in VNI Bundle

Use the rd (Router-BGP VRF and VNI Configuration Modes) command to add a Route Distinguisher (RD) that uniquely identifies Layer 2 routes for the VNI bundle. Use the route-target command to configure a well-known extended community that is attached to the routes exported by BGP-EVPN, and to import routes carrying the specified well-known extended community into the MAC-VRF that corresponds to the VNI bundle.

Example

cvx(config)# router bgp 100
cvx(config-router-bgp)# vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)# rd 530:12
cvx(config-macvrf-bundle1)# route-target both 530:12

Enabling Redistribution of Bridging Information

After the VNI aware bundle is created, use the redistribute service VXLAN command to redistribute the Layer 2 bridging information received from VCS.

Example

cvx(config)# router bgp 100
cvx(config-router-bgp)# vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)# redistribute service VXLAN

Disabling Next-Hop Resolution in BGP-EVPN

When the BGP-EVPN module receives a route from its BGP peer, it generally tries to resolve the next-hop indicated in the route. However, in the DCI topology, the routes coming from a CVX in another DC contain next-hops (VTEP addresses) that may not be reachable from the CVX receiving the route. Use the next-hop resolution disabled command to disable next-hop resolution on routes received from BGP-EVPN peers.

Note: CVX is a part of the control plane, and is only connected to the VTEPs in its own DC. It does not have IP connectivity to the VTEPs in a different DC.

Example

cvx(config)# router bgp 100
cvx(config-router-bgp)# address-family evpn
cvx(config-router-bgp-af)# next-hop resolution disabled

Configuring VCS

Enabling Redistribution of BGP-EVPN Routes

Use the redistribute bgp evpn VXLAN command to redistribute BGP-EVPN routes to VCS, which, in turn, advertises them to all VTEPs within the DC.

Example

cvx(config)# cvx
cvx(config-cvx)# no shutdown
cvx(config-cvx)# service VXLAN
cvx(config-cvx-VXLAN)# no shutdown
cvx(config-cvx-VXLAN)# redistribute bgp evpn VXLAN

EVPN MPLS Virtual Private Wire Service (VPWS)

Traffic to/from a given Attachment Circuit (AC) without any MAC lookup/learning can be forwarded using EVPN MPLS VPWS, which uses BGP for signalling. Port-based and VLAN-based services are supported.

Configuring EVPN MPLS VPWS

Configure the patch panel to specify the ACs' connection to the VPWS service instances and then the VPWS service instance, which is part of BGP. Finally, configure the individual participating ACs.

Patch Panel Configuration

The following configures the local AC as Ethernet2 interface and the remote VPWS service instance as evi-1 and pseudowire pw1.
patch panel
   patch port
      connector 1 interface Ethernet2
      connector 2 pseudowire bgp vpws evi-1 pseudowire pw1
The following configures the local AC as Ethernet3.1 subinterface and the remote VPWS service instance as evi-1 and pseudowire pw2.
patch panel
   patch subintf
      connector 1 interface Ethernet3.1
      connector 2 pseudowire bgp vpws evi-1 pseudowire pw2
Note: Connector ID is optional.

VPWS Service Instance Configuration

The following configures the VPWS service instance with the BGP vpws sub-mode. This defines an EVPN instance under which any number of VPWS service instances can be configured. The BGP configuration itself can also define multiple EVPN instances under multiple vpws blocks, each with a unique name and Route-Distinguisher (RD) value. Only the mpls control-word and mtu value configuration items are optional; the rest are required for proper operation.
router bgp 1
   neighbor 10.0.0.1 remote-as 1
   neighbor 10.0.0.1 send-community extended
   neighbor 10.0.0.1 maximum-routes 12000
   !
   vpws evi-1
      rd 10.2.2.2:2
      route-target import export evpn 0.0.0.0:1
      mpls control-word
      !
      pseudowire pw1
         evpn vpws id local 2001 remote 1001
      !
      pseudowire pw2
         evpn vpws id local 2002 remote 1002
   !
   address-family evpn
      neighbor default encapsulation mpls next-hop-self source-interface Loopback0
      neighbor 10.0.0.1 activate

  
Note: It is strongly recommended that 'mpls control-word' always be enabled, when possible, to avoid any potential mis-forwarding where the PWE frames may be incorrectly interpreted as having an IP, as opposed to Ethernet, payload.
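
A configuration audit for the required items and the control-word recommendation above, as an added Python example (not Arista code). The sample configuration is constructed: evi-1 follows the example above, while evi-2 and pw9 are hypothetical entries that fail the checks.

```python
import re

# Constructed sample. evi-1 mirrors the page's example; evi-2 and pw9 are
# hypothetical, added to show an instance that fails the audit.
SAMPLE_CONFIG = """\
router bgp 1
   vpws evi-1
      rd 10.2.2.2:2
      route-target import export evpn 0.0.0.0:1
      mpls control-word
      !
      pseudowire pw1
         evpn vpws id local 2001 remote 1001
   !
   vpws evi-2
      rd 10.2.2.2:3
      route-target import export evpn 0.0.0.0:2
      !
      pseudowire pw9
   !
   address-family evpn
      neighbor 10.0.0.1 activate
"""

# A block is a header line plus every following line indented deeper than it.
BLOCK = r"^( +){kw} (\S+)[ \t]*\n?((?:\1 +.*\n?)*)"

def audit_vpws(config):
    """Map each 'vpws' instance name to a list of findings (empty = clean)."""
    report = {}
    for _, name, body in re.findall(BLOCK.format(kw="vpws"), config, re.M):
        issues = []
        if not re.search(r"^ +rd \S+", body, re.M):
            issues.append("missing rd")
        if not re.search(r"^ +route-target .*evpn \S+", body, re.M):
            issues.append("missing route-target")
        if not re.search(r"^ +mpls control-word[ \t]*$", body, re.M):
            issues.append("mpls control-word not enabled")
        for _, pw, pw_body in re.findall(BLOCK.format(kw="pseudowire"), body, re.M):
            if not re.search(r"evpn vpws id local \d+ remote \d+", pw_body):
                issues.append(f"pseudowire {pw}: missing evpn vpws id")
        report[name] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit_vpws(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else issues)
```
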

Attachment Circuit Configuration (double-tagged L3 subinterfaces)

The following configures the AC in Port mode.
interface Ethernet2
   no switchport
Note: Use Ethernet or Port-channel interface for Port mode.
The following configures the AC in VLAN mode.
interface Ethernet3
   no switchport
interface Ethernet3.1
   encapsulation dot1q vlan 1
Note: Use subinterfaces for VLAN mode.
The following configures the AC in Flexible Encapsulation mode. The keyword client after 'network' preserves the corresponding client encapsulation specification.
interface Ethernet3
   no switchport
interface Ethernet3.1
   encapsulation vlan
   client dot1q 11 network client

Flexible Encapsulation EVPN MPLS VPWS

Flexible encapsulation enables the following actions for tags.
  • Remove incoming encapsulation tag(s) and forward
  • Preserve incoming encapsulation tag(s) and forward
  • Replace one or two tags when forwarding in encapsulation and decapsulation directions

The following table explains the encapsulation and decapsulation behaviors for the various FlexEncap options. Applying a Flexible Encapsulation with a network specification to a subinterface creates a bidirectional mapping table that is applied to the sub-interface. The mapping embodied in this table is applied from client to network in the encap direction, and network to client in the decap direction.

Example
   Behavior

client dot1q 10
   From Client: match VLAN ID 10, consume and forward.
   To Client: add VLAN ID 10 before transmit.

client dot1q 10 inner 20
   From Client: match VLAN IDs 10, 20, consume and forward.
   To Client: add VLAN ID 10, 20 before transmit.

client dot1q 10 network client
   From Client: match VLAN ID 10 and retain it.
   From Network: match vlan=10, retain.

client dot1q outer 10 inner 20 network client
   From Client: match VLAN IDs 10, 20 and retain both.
   From Network: match vlan=10,20, retain both.

client dot1q 10 network dot1q 100
   From Client: match VLAN ID 10, consume. Before forwarding, write vlan=100.
   From Network: match vlan=100, consume. Before transmit, write vlan=10.

client dot1q outer 10 inner 20 network dot1q outer 100 inner 200
   From Client: match VLAN IDs 10, 20, and consume them. Before forwarding, write vlan=100,200.
   From Network: match vlan=100, 200, consume. Before transmit, write vlan=10, 20.

The following configures FlexEncap on a subinterface as a local connector and LDP pseudowire as remote connector.
  • Packets received on Ethernet3/1 with outermost 802.1q VLAN tag of 1000 get mapped to sub-interface Ethernet3/1.1000.
  • The tag of 1000 is preserved and forwarded to pseudowire PW1.
  • Packets terminating on PW1 get forwarded to Et3/1.1000 and get transmitted out with VLAN tag of 1000.
interface Ethernet3/1.1000
   encapsulation vlan
      client dot1q 1000 network client
patch panel
   patch patch-1
      connector 1 interface Ethernet3/1.1000
      connector 2 pseudowire ldp PW1

Displaying EVPN MPLS VPWS Configuration

This command shows both the client encapsulation and network encapsulation configured on sub-interfaces.
switch(config-if-Et3/1.1003)# show interfaces encapsulation vlan
Interface                 Status       Client Encapsulation      Network Encapsulation
------------------------- ------------ ---------------------------------------------------
Ethernet3/1.1000       active       dot1q outer 1000
Ethernet3/1.1001       active       dot1q outer 1001             client
Ethernet3/1.1002       active       dot1q outer 1002 inner 102
Ethernet3/1.1003       active       dot1q outer 1003 inner 103   client
Ethernet3/1.1004       active       dot1q outer 1004             dot1q 2004
Ethernet3/1.1005       active       dot1q outer 1005 inner 104   dot1q outer 2005 inner 204
This command shows the output for a patch with a sub-interface as the local connector and VPWS as the remote connector.
switch(config-if-Et3/1.1003)# show patch panel PP_1000

Patch   Connector                             Status
------- ------------------------------------- ------
PP_1000 1: Ethernet3/1.1000                Up
        2: BGP VPWS VPWS_1 Pseudowire PW_1000

switch(config-if-Et3/1.1003)# show patch panel PP_1000 detail
PW Fault Legend:
   ET-IN - Ethernet receive fault
   ET-OUT - Ethernet transmit fault
   TUN-IN - Tunnel receive fault
   TUN-OUT - Tunnel transmit fault
   NF - Pseudowire not forwarding (other reason)

Patch: PP_1000, Status: Up
   Connector 1: Ethernet3/1.1000
      Status: Up
   Connector 2: BGP VPWS VPWS_1 Pseudowire PW_1000
      Status: Up
      Local MPLS label: 135363
         MTU: 1600, Control word: Y
      Neighbor 103.37.123.72, MPLS label: 136350
         Tunnel type: SR-TE Policy, Tunnel index: 132
         MTU: 1600, Control word: Y
      EVPN VPWS type: VLAN-based

Tag Matching Semantics

The matching rules are applied on a 'longest matching tag sequence' basis when rules are configured for multiple subinterfaces of a parent port. Considering the following rules on the same parent, the receive (encap) and transmit (decap) rule application is shown in the following tables.

Rule 1:
interface Ethernet 10.1
  encapsulation vlan
    client dot1q 11 network client
Rule 2:
interface Ethernet 10.2
  encapsulation vlan
    client dot1q 11 inner 20 network client

The receive (encap) matching behavior is as follows.

Received Packet               Matching Rule
outer=11, inner=20            Rule #2
single tag with 11            Rule #1
double tag with 11, not 20    Rule #1

The transmit (decap) matching behavior is as follows.

Forwarded Packet              Matching Rule
outer=11, inner=20            Rule #2
single tag with 11            Rule #1
double tag with 11, not 20    Rule #1
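
The longest-match selection above and the bidirectional FlexEncap mapping table from the previous section can be modeled together. This Python sketch is an added example, not EOS code; function names are hypothetical, tag stacks are tuples of VLAN IDs (outermost first), and passing unmatched inner tags through unchanged is an assumption of the model.

```python
# Added illustration, not EOS code. Tag stacks are tuples of VLAN IDs,
# outermost first; function and variable names are hypothetical.

def parse_spec(spec):
    """Split a FlexEncap spec into (client_tags, network_tags)."""
    client_part, _, network_part = spec.partition(" network ")
    tags = lambda text: tuple(int(t) for t in text.split() if t.isdigit())
    client = tags(client_part)
    if network_part.strip() == "client":
        return client, client            # 'network client': tags are retained
    return client, tags(network_part)    # no network spec -> (), tags consumed

def select_rule(rules, stack, side=0):
    """Pick the subinterface with the longest matching tag sequence.
    side=0 matches client tags (receive/encap); side=1 network tags (decap)."""
    hits = []
    for name, spec in rules.items():
        want = parse_spec(spec)[side]
        if want and stack[:len(want)] == want:
            hits.append((len(want), name))
    return max(hits)[1] if hits else None

def rewrite(spec, stack, direction):
    """Apply the bidirectional mapping: 'encap' is client->network,
    'decap' is network->client. Assumption: unmatched inner tags pass through."""
    client, network = parse_spec(spec)
    match, write = (client, network) if direction == "encap" else (network, client)
    if stack[:len(match)] != match:
        raise ValueError(f"{stack} does not match {spec!r}")
    return write + stack[len(match):]

# Rules 1 and 2 from the text, on the same parent port.
RULES = {
    "Ethernet10.1": "client dot1q 11 network client",
    "Ethernet10.2": "client dot1q 11 inner 20 network client",
}

if __name__ == "__main__":
    for frame in [(11, 20), (11,), (11, 30), (12,)]:
        print(frame, "->", select_rule(RULES, frame))
    swap = "client dot1q outer 10 inner 20 network dot1q outer 100 inner 200"
    print(rewrite(swap, (10, 20), "encap"), rewrite(swap, (100, 200), "decap"))
```

In this model a double-tagged frame whose inner tag matches no rule is still classified by the single-tag rule, matching the third row of the tables above.
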

Configuring Multi-Homing on a Multi-Domain EVPN VXLAN-MPLS Gateway

Use the following steps to add Multi-Homing to your BGP configuration.

Configuring the Local Ethernet Segment Parameters

  • Configure the EVPN address family Ethernet Segment parameters, domain local, and enter the Ethernet Segment configuration mode:
    switch(config-router-bgp-af)#evpn ethernet-segment domain local
    switch(config-evpn-es-domain-local)#
  • Add the 10-octet identifier, 0011:1111:1111:1111:1111, for the local domain:
    switch(config-evpn-es-domain-local)#identifier 0011:1111:1111:1111:1111
  • Add the low-order six (6) bytes of the ES-Import Route Target, 11:11:11:11:11:11:
    switch(config-evpn-es-domain-local)#route-target import 11:11:11:11:11:11

    Exit the domain local configuration mode.

    switch(config-router-bgp-af)#

Configuring the Remote Ethernet Segment Parameters

  • Configure the Ethernet Segment remote domain parameters by entering the remote domain configuration mode:
    switch(config-router-bgp-af)#evpn ethernet-segment domain remote
    switch(config-evpn-es-domain-remote)#
  • Add the 10-octet identifier, 0022:2222:2222:2222:2222, for the remote domain:
    switch(config-evpn-es-domain-remote)#identifier 0022:2222:2222:2222:2222
  • Add the low-order six (6) bytes of the ES-Import Route Target to the remote domain:
    switch(config-evpn-es-domain-remote)#route-target import 22:22:22:22:22:22
    Exit the remote domain configuration mode, and return to the Ethernet Segment configuration mode:
    switch(config-evpn-es-domain-remote)#exit
    switch(config-router-bgp-af)#

Adding the Layer 2 and BGP FEC Parameters

  • Configure the Layer 2 and BGP FEC parameters for the Ethernet Segment configuration:
    switch(config-router-bgp-af)#layer-2 fec in-place update
    Exit to the global configuration mode:
    switch(config)#

Adding the Routing Control Functions

  • Enter the routing control functions configuration mode and then the control-functions configuration mode:
    switch(config)#router general
    switch(config-router-general)#control-functions
    switch(config-router-general-control-functions)#
  • Finally, add the RCF code to the configuration:
    switch(config-router-general-control-functions)#code
    Enter RCF code. Type 'EOF' on its own line to end.
    function evpnDciMhBlockGwTx() {
       if evpn.route_type is EVPN_IMET {
          community add {1:1};
       }
       return true;
    }

    function evpnDciMhBlockGwRx() {
       return community has_none {1:1};
    }

    EOF

Displaying the Multihome EVPN Configuration

To display your configuration, use the show active command from the BGP configuration mode:

GW-A1(config-router-bgp)#show active
router bgp 64512
   ...
   maximum-paths 4 ecmp 4
   bgp bestpath d-path
   ...
   !
   vlan 10
      rd evpn domain all 10.255.1.1:10
      route-target import export 64500:10
      route-target import export evpn domain remote 64501:10
      redistribute learned
   !
   vrf red
      rd 10.255.1.1:0
      route-target import evpn 64500:20000
      route-target export evpn 64500:20000
      router-id 10.255.1.1
   ...
   address-family evpn
      neighbor WAN-RR activate
      neighbor WAN-RR domain remote
      neighbor RR-A activate
      neighbor RR-A rcf in evpnDciMhBlockGwRx()
      neighbor RR-A rcf out evpnDciMhBlockGwTx()
      neighbor WAN-RR rcf in evpnDciMhBlockGwRx()
      neighbor WAN-RR rcf out evpnDciMhBlockGwTx()
      domain identifier 1:1
      domain identifier 1:2 remote
      ...
      !
      evpn ethernet-segment domain local
         identifier 0011:1111:1111:1111:1111
         route-target import 11:11:11:11:11:11
      !
      evpn ethernet-segment domain remote
         identifier 0022:2222:2222:2222:2222
         route-target import 22:22:22:22:22:22
      !
      layer-2 fec in-place update
!
router general
   control-functions
      code
      function evpnDciMhBlockGwTx() {
         if evpn.route_type is EVPN_IMET {
            community add {1:1};
         }
         return true;
      }

      function evpnDciMhBlockGwRx() {
         return community has_none {1:1};
      }
                
The sample configuration displays the following parameters:
  • An interconnect Ethernet segment with an Ethernet Segment Identifier (ESI), 0011:1111:1111:1111:1111, configured for the hosts sourced from the local domain.
  • An interconnect Ethernet segment with an ESI, 0022:2222:2222:2222:2222, configured for the hosts sourced from the remote domain.
  • The gateway, GW-A1, peers with a route reflector, the RR-A in the local domain, and peers with a route reflector, WAN-RR, in the remote domain.

For route loop detection, configure domain identifiers for the local and remote domains, and enable domain path (D-PATH) best-path selection. Use the same identifier for the same domain on all gateways in one site, and configure RCF rules to reject the IMET routes from peer gateways in the same DC.